Cyware Daily Threat Intelligence, April 03, 2020

Share Blog post

Threat actors spawned a variety of COVID-19-themed phishing attacks in the past 24 hours to trick users across the globe. Two of these attacks impersonated the World Health Organization (WHO) to steal Microsoft login credentials and distribute the LokiBot Trojan, respectively. On the other hand, a third phishing attack relied on a Microsoft Office remote code execution vulnerability to propagate a new trojan dubbed ‘BlueTea Action’.

Amidst all these COVID-19-related attack campaigns, security researchers also came across a sophisticated cyberespionage campaign that was used to spread several notorious malware. This included the XMRig cryptominer, AZORult trojan, a variant of Remcos RAT, and DarkVNC backdoor trojan.

Top Breaches Reported in the Last 24 Hours

Data from OnlyFans on sale
Reports suggest that a massive database containing up to 4 terabytes of data from OnlyFans has been put up for sale on several hacking forums. The compromised data, which is on sale since January 24, 2020, includes photos and videos of adult film stars. 

Elasticsearch servers defaced
A hacker broke into and defaced more than 15000 Elasticsearch servers in the past two weeks. These servers were found left open on the internet without a password. The first intrusion had begun on March 24, 2020.

OGUsers hacked again
OGUsers, a popular hacking forum, disclosed a security breach that had enabled attackers to steal the details of more than 200,000 users. This was the second time that the forum was attacked in the past year.

Top Malware Reported in the Last 24 Hours

COVID-19-themed-phishing email
A new phishing email attack that leverages the ongoing COVID-19 disease has been found targeting individuals. The email appears to come from the World Health Organization (WHO) and uses a subject line, “HIGH-RISK: New confirmed cases in your city”. The body of the email urges the recipients to find out if there are cases of COVID-19 in their area by clicking on ‘Read on’. However, they are actually redirected to a fake Microsoft page that steals their login credentials.

LokiBot trojan returns
Another similar COVID-19-themed phishing email attack that is used to distribute LokiBot trojan, has been observed by researchers. The email pretends to be from the WHO, and includes an attachment entitled “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj”. The subject line of the email reads, “Coronavirus disease (COVID-19) Important Communication[.].”

New BlueTea Action trojan
Researchers have come across a new strain of trojan called BlueTea Action that spreads via phishing emails related to COVID-19. The header of these emails goes as ‘The Truth of COVID-19’ and includes a malicious RTF file carrying the exploit for the CVE-2017-8570 vulnerability. Once the vulnerability is triggered, it executes the .SCT script to evade detection.

AZORult used in a complex campaign
A sophisticated attack campaign that distributes a wide range of malware such as XMRig, AZORult, a variant of Remcos RAT, and DarkVNC backdoor trojan, has been uncovered by security experts. The infection chain starts with a ZIP file, which contains an ISO disk image file. The campaign uses several obfuscation techniques to bypass antivirus software.

Office 365 voicemail lure
Cybercriminals are using an Office 365 voicemail lure to trick users into visiting phishing pages that steal their personal information. The phishing campaign uses the Cascading Style Sheets (CSS) tricks to bypass Secure Email Gateways (SEG) while preserving the normal appearance of the email to a recipient.
  
Top Vulnerabilities Reported in the Last 24 Hours

Faulty Contact Form 7 Datepicker plugin
Contact Form 7 Datepicker WordPress plugin is affected by a cross-site scripting (XSS) vulnerability that can allow attackers to create rogue admins or take over admin sessions. Therefore all Contact Form 7 Datepicker users are urged to immediately remove or deactivate the plugin from all sites it is installed on.

TicTocTrack fixes a bug
Australia-based kids’ smartwatch maker, TicTocTrack has fixed a bug that could have allowed hackers to spoof the location of a child as well as download the personal information of customers. It appears that the flaw arose due to code integrated into the watch.

25 flaws in Windows
Over 25 potential vulnerabilities, including some that could lead to elevation of privileges, have been found in Windows. The bugs impact the user interface win32 kernel component and affect all versions of Windows, including Windows 10. Researchers have released Proofs-of-Concept (PoCs) for 13 of the 25 vulnerabilities. Meanwhile, Microsoft has claimed to have addressed some of these issues through its security patches.

Flaws in Firefox and IE exploited
Two previously-known flaws in Firefox and Internet Explorer have been exploited by the DarkHotel group to launch attacks in Japan and China. While the exploited Firefox vulnerability is CVE-2019-17026, the Internet Explorer flaw is tracked as CVE-2020-0674. Both Mozilla and Microsoft have issued patches for the vulnerabilities affecting their web browsers. Therefore, users are advised to apply the updates as soon as possible.

Top Scams Reported in the Last 24 Hours

IRS warns about COVID-19 scams
The Internal Revenue Service (IRS) has urged taxpayers to be on the lookout for phishing emails related to Coronavirus as they can lead to tax-related fraud and identity theft. The agency has highlighted a few activities of scammers that can easily trick taxpayers into sharing their personal details or parting away with the money. Some of the scams include the use of words like ‘Stimulus Check’ or ‘Stimulus Payment’, mailing users with a bogus check, or asking victims to share their banking/personal data over the phone, email, or social media.

Quarantine text scam
Scammers are targeting people in London with fake fine notification texts that accuse victims of violating the country’s lockdown rules. The malicious texts have been designed to look genuine and appear to come from the UK government. Victims are asked to pay a fine of £35 for neglecting the rules on a particular day.

 Tags

azorult infostealer
covid 19 scams
lokibot trojan
darkhotel group
bluetea action trojan
tictoctrack

Posted on: April 03, 2020

Get the Daily Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!