Cyware Daily Threat Intelligence, April 13, 2020

Financial organizations have always been a hotbed for cybercrime. Lately, security researchers have spotted a new cyberespionage campaign that targets banks in Spain. Executed via COVID-19-themed videos, the campaign delivers the Grandoreiro banking trojan, which redirects victims to an infection zone.

A new variant of MBRLocker ransomware that uses a ‘security researchers prank’ to lock users out of their systems has also been observed in the past 24 hours. After infection, it displays a screen that prompts victims to purchase an antivirus, the unlock code for which will be provided through an email handled by the attackers.

The popular video-conferencing app Zoom came under scrutiny again after a database containing 2300 usernames and passwords for Zoom accounts was put up for sale on a dark web forum. These credentials belonged to organizations in various industries such as banking, consultancy, healthcare, and software.

Top Breaches Reported in the Last 24 Hours

DESMI hit by a cyberattack
Global pump maker DESMI shut down all its systems following a cyberattack last week. It is currently working to restore its IT systems and plans to resume operations in a couple of days. The investigation is still ongoing, and at this time it is not clear which malware or threat actor group was behind the attack.

Zoom credentials on sale
A database containing more than 2,300 compromised Zoom credentials was put up for sale on an underground forum. Some of the records included meeting IDs, names, and host keys. These credentials belonged to organizations in various industries such as banking, consultancy, healthcare, and software.

Top Malware Reported in the Last 24 Hours

Grandoreiro malware
Researchers have come across a new attack campaign that delivers the Grandoreiro banking trojan to infect banking users in Spain. The malware is delivered via COVID-19-themed videos that trick users into running concealed executable code. The purpose of the malware is to empty the bank accounts of victims.

MBRLocker’s new attack
A new MBRLocker ransomware variant that uses a security researchers’ prank to lock users out of their computers has been detected recently. Once the system is infected, it displays a message that includes the names of two well-known security researchers and asks the victim to buy an antivirus. The message further states that the victim can only unlock the antivirus using a code sent over email.

Sodinokibi’s new stop
The crew behind Sodinokibi ransomware has planned to switch from Bitcoin to Monero cryptocurrency for ransom payments. The purpose of shifting to Monero payments through the anonymous Tor network is to hide the money trail from law enforcement agencies. To discourage the use of Bitcoin, the crooks have also increased the Bitcoin ransom amount by 10% of Monero coins.

Top Scams Reported in the Last 24 Hours

Bitcoin scam
A new Bitcoin scam that targets potential cryptocurrency investors has been found recently. The scam makes use of a fake report from the BBC that talks about Meghan Markle and Prince Harry finding a wealthy loophole. It promises the victims huge returns by investing in a cryptocurrency auto-trading program referred to as ‘Bitcoin Evolution’. To make it look convincing, the description also states that, “There isn't any different buying and selling app on the planet that performs on the 99.4% degree of accuracy that The Bitcoin Evolution is ready to hit.”

Posted on: April 13, 2020
