Cyware Daily Threat Intelligence, August 27, 2019


Malware authors are constantly evolving existing malware in order to launch more damaging attacks worldwide. The infamous TA505 threat actor group, which has been active since 2014, has now expanded its malicious operations to new countries such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary. Security experts have observed that the attackers are using new variants of the ServHelper backdoor and the FlawedAmmyy RAT to launch the attacks. These malware variants are distributed via phishing emails with subjects pertaining to ‘invoices’ or ‘payments.’

In a major security update, Apple has released iOS 12.4.1 to address a critical jailbreak vulnerability that affected iPhones and iPads running iOS 12.4. The flaw could allow hackers or malicious applications to execute arbitrary code on a target device with the highest level of privileges.

The past 24 hours also saw a major phishing scam related to the iPhone X. The scammers leveraged Google Calendar invitations to inform users that they had won an iPhone X as a prize. The calendar invitation message included a link that supposedly pointed to the location of the Apple Store where the prize could be claimed. However, the real intention of the scammers was either to steal users’ passwords or to spread malware.

Top Breaches Reported in the Last 24 Hours

Insecure BioWatch website 
Reports claim that the Department of Homeland Security stored sensitive data from the nation’s bioterrorism defense program BioWatch on an insecure website. Government documents state that the website was vulnerable to attacks by hackers for over a decade. The data includes the locations of some BioWatch air samplers, which are installed at subway stations and other public locations in more than 30 U.S. cities. 

DHB suffers an attack
Capital & Coast District Health Board (DHB) staff members have been targeted in an email scam. The scam led to thousands of fake emails being sent from the compromised addresses. DHB confirmed that no private or patient information had been compromised as a result of the scam. DHB states that the incident was a case of human error, and not a system issue.

MGH suffers a data breach
Massachusetts General Hospital (MGH) has notified nearly 10,000 people about unauthorized third-party access to their information. The breached data included first and last names, certain demographic information (such as marital status, sex, race, ethnicity), dates of birth, and dates of visits of patients.  

Top Malware Reported in the Last 24 Hours

Decryptor for Syrk ransomware
Emsisoft has released a new free decryption tool for the recently discovered Syrk ransomware. The ransomware masquerades as a free game hack tool for Fortnite. Once installed, it disables the installed antivirus software and attempts to encrypt and delete files in the Pictures, Desktop and Documents folders. It uses the AES-256 algorithm to encrypt files.

New ServHelper and FlawedAmmyy
TA505 threat actor group has modified the ServHelper backdoor and FlawedAmmyy RAT with new capabilities. These new malware variants are distributed through spoofed emails to target organizations in countries like Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.

Quasar RAT
Researchers have discovered a new phishing campaign distributing Quasar RAT. The malware is propagated via fake resume attachments. It is capable of opening remote desktop connections, keylogging, stealing credentials, taking screenshots, recording video from webcams, downloading or exfiltrating files, and managing processes on infected machines.

xHelper malware
Android/Trojan.Dropper.xHelper is a new Android trojan that spreads via a legitimate-looking fake game app found on the Google Play Store. The app in question is New2048HD, which has little more than 10 downloads. The malware is available in two variants: full-stealth and semi-stealth.

Top Vulnerabilities Reported in the Last 24 Hours

Apple releases iOS 12.4.1
Apple has released an emergency patch, iOS 12.4.1, to fix a critical jailbreak vulnerability that affected iPhones and iPads running the previous iOS 12.4 version. The vulnerability, tracked as CVE-2019-8605, could allow hackers or malicious applications to execute arbitrary code on a target device with the highest level of privileges.

Instagram account takeover attack
A security researcher has identified a critical vulnerability that could have been exploited to hack Instagram accounts. The researcher discovered the flaw while analyzing Instagram’s password recovery system for mobile devices. Following the discovery, the Facebook team has fixed the issue in Instagram.

Vulnerable QEMU
A vulnerability in QEMU can allow malicious actors to perform a virtual machine escape. This can enable attackers to break out of guest operating systems and attack the host operating system that QEMU runs on. The vulnerability is tracked as CVE-2019-14378 and lies in QEMU's networking implementation.

Top Scams Reported in the Last 24 Hours

Imposter scam
The IRS is warning users about a new imposter scam that is used to spread malware and steal sensitive information from users. The scammers are impersonating IRS agents and sending tax payment-related emails to potentially gain access to people’s computers. The email claims to contain information about their refunds, electronic returns or online accounts. In order to claim the amount, the recipients are asked to click on a link that closely resembles

Calendar invitation spam
Users are being bombarded with unwanted calendar invitation spam messages in a new phishing campaign. The spam invitation informs the recipient that they have won an Apple iPhone X. In order to claim the prize, the user is asked to check the location of the Apple Store by visiting the link provided in the spam invitation message.

Posted on: August 27, 2019