Cyware Daily Threat Intelligence, April 29, 2020


With most people now having to stay at home, pirated streaming services and sites are seeing huge traction during the COVID-19 pandemic. However, these online streaming sites can be dangerous, as malicious actors have started preying on their visitors to conduct cryptocurrency mining. They are injecting malicious VBScript into ZIP files disguised as movies to launch cryptominers.

Details about a new botnet called LeetHozer have also emerged in the last 24 hours. The botnet borrows its code from the Moobot family and its Reporter and Loader mechanisms from the Mirai botnet.

A sophisticated cyberespionage campaign called PhantomLance, active since 2015, has also been detected in the last 24 hours. The campaign, which is still ongoing, is being used to target Android users in Southeast Asia.

Top Breaches Reported in the Last 24 Hours

Usenet service providers affected
Two Usenet service providers - UseNeXT and Usenet.nl - have shut down their websites following security breach incidents. It is reported that the incidents have led to the compromise of names, billing addresses, payment details (IBAN and account number), and other information of users.

CivicSmart hit
A company that sells smart parking meters, CivicSmart, has been hit by Sodinokibi ransomware. The attackers managed to steal 159 GB of data in the attack. According to reports, the attack took place in March.

Top Malware Reported in the Last 24 Hours

New LeetHozer botnet
Security researchers discovered a new botnet, LeetHozer, that shares code with the Moobot family. The sample has borrowed some of Mirai’s Reporter and Loader mechanisms. The botnet begins its infection process by exploiting a vulnerability that starts the telnetd service on a targeted device.

PhantomLance campaign
Kaspersky has shared findings on a sophisticated PhantomLance campaign that has been active since 2015 and is still ongoing. The campaign, which is attributed to the OceanLotus APT group, features multiple versions of complex spyware designed to collect victims’ data. These spyware apps are distributed via the Google Play Store.

Cryptocurrency mining
Microsoft has warned that malicious actors are targeting users through pirated streaming services and movie piracy sites. They are inserting malicious VBScript into ZIP files disguised as movie downloads to mine cryptocurrency on victims’ machines.

Top Vulnerabilities Reported in the Last 24 Hours

Adobe fixes critical flaws
Adobe has released security updates for 35 vulnerabilities affecting its Illustrator, Magento, and Bridge products. A majority of these flaws affect Adobe Bridge. The most severe vulnerabilities could enable remote code execution on affected systems.

Google discloses zero-click bugs
Google’s Project Zero researchers have identified six vulnerabilities in Image I/O and another eight bugs in OpenEXR, which are built into several of Apple’s operating systems. Some of these flaws can be exploited for remote code execution in a zero-click attack scenario.

Critical DoS flaw
A critical DoS vulnerability discovered in Inductive Automation’s Ignition Gateway could allow hackers to cause disruption on the plant floor. The flaw is tracked as CVE-2020-10641 and rated ‘Critical’ on the CVSS scale. It has been addressed with the release of version 8.0.10 of the software.

Top Scams Reported in the Last 24 Hours

Fake antivirus expiration scam
Scammers are running a fake antivirus scam to trick users into buying malicious software. The scam is promoted via a phishing email with the subject line “WARNING: Anti-Virus Can Expire " Sun, 26 Apr 2020"”. It includes a link stating, “Your Protection Can Expire TODAY!”.

Phone scam
Scammers have been found calling users by spoofing a bank’s real number as part of a new identity theft scam. The purpose of this scam is to steal account details from victims and siphon off their funds.

Tags

civicsmart
usenext
leethozer botnet
usenetnl
phantomlance campaign
moobot

Posted on: April 29, 2020
