Cyware Daily Threat Intelligence, April 30, 2020

Share Blog Post

The prolific Aggah campaign, which was previously believed to be associated with the Gorgon APT group, has been upgraded with additional attack vectors. The new campaign delivers a variety of RATs like Agent Tesla, njRAT, and Nanocore RAT as final payloads of the infection process.

A new Android malware called EventBot has been found targeting Android phone users in an attempt to steal passwords for banking apps and cryptocurrency wallets. The malware is capable of siphoning off passwords from over 200 banking and cryptocurrency apps.

The notorious Trickbot trojan also made a comeback in a phishing campaign that leveraged the  Family and Medical Leave Act (FMLA) to create a lure around COVID-19. The trojan was distributed via emails that appeared to come from the US Department of Labor (DoL)

Top Breaches Reported in the Last 24 Hours

Online services leak email data
Websites of multiple online services and products have been found leaking email data of their customers to third-party advertising and analytics companies like Google, Facebook, Twitter, Mixpanel, and Drawbridge. The affected websites include,,,, Mailchimp’s,, and 

Chegg attacked
A data breach at Chegg allowed attackers to steal 700 records associated with current and former employees. Those records included individuals’ PII.

Top Malware Reported in the Last 24 Hours

New Trickbot campaign
A new Trickbot campaign that targets email recipients with fake messages purporting to come from the U.S. Department of Labor (DoL), has been uncovered. The campaign leverages the  Family and Medical Leave Act (FMLA) to create a lure around COVID-19, in order to distribute the trojan. 

Upgraded Aggah campaign
Researchers have observed a new version of Aggah malspam campaign that delivers a variety of trojans like Agent Tesla, njRAT, and Nanocore RAT. The trojans are distributed through malicious Microsoft Office documents included in spam emails. This upgraded version of the campaign uses an additional .NET binary to disable protection and detection mechanisms on infected points.

New EventBot Android malware
EventBot is a newly discovered Android malware that targets banking apps and cryptocurrency wallets. The malware masquerades as legitimates apps like Adobe Flash or Microsoft Word. The malware is capable of siphoning off passwords for more than 200 banking and cryptocurrency apps like PayPal, Coinbase, CapitalOne, and HSBC.  

Top Vulnerabilities Reported in the Last 24 Hours

Salt configuration tool patches flaws
The Salt configuration tool has patched two vulnerabilities - CVE-2020-11651 and CVE-2020-11652 in the new version of Salt 3000,2. The flaws exposed Salt installations to attackers, which could be abused to take control of the tool.

Chrome 81.0.4044.129 released
Google has released Chrome version  81.0.4044.129 to address two use-after-free vulnerabilities - CVE-2020-6461 and CVE-2020-6462. While the former exists in storage, the latter exists within task scheduling.

Flawed LMS plugins
Three e-learning WordPress plugins - LearnPress, LearnDash, and LifterLMS - were found to be riddled with security flaws that could permit students and unauthenticated users to pilfer personal information of registered users. The flaws could also be exploited to attain teacher-level privileges. The LMS systems have released patches to address the issues.     


lifterlms plugin
agent tesla malware
nanocore rat
eventbot android malware
latest trickbot campaign
learnpress plugin
aggah campaign

Posted on: April 30, 2020

Get the Daily Threat Briefing delivered to your email!

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!