Cyware Daily Threat Intelligence, December 18, 2019

Cybersecurity threats have continued to evolve as threat actors come up with a variety of new malware. Recently, researchers have come across multiple new malware families, namely Dudell, Dacls, and Poison Frog, that were used in recent cyberespionage campaigns. While Dudell was used by the Rancor threat actor group to target Cambodian government organizations between December 2018 and January 2019, Dacls was used by the Lazarus hacking group to target Linux and Windows devices. On the other hand, the Poison Frog backdoor is a creation of the notorious OilRig threat group and was distributed via a fake Cisco AnyConnect application.

Security experts also observed an ongoing industrial cyber espionage campaign called Gangnam Industrial Style that has targeted more than 200 manufacturing and other industrial firms primarily located in South Korea. The attack leverages industry sector-themed spear-phishing emails and a combination of free tools to steal confidential information through a new variant of Separ malware.

Top Breaches Reported in the Last 24 Hours

LifeLabs pays attackers to recover stolen data
Canada’s leading provider of laboratory diagnostics and testing services, LifeLabs, has admitted to paying attackers to retrieve information on over 15 million of its customers. The compromised data included names, home addresses, email addresses, usernames, passwords, and health card numbers.

Grand Haven’s record stolen
Private medical records of more than 4,000 patients at Grand Haven may have been improperly accessed by a hospital employee for more than three years, between May 2016 and October 2019. The affected data includes patients’ names, dates of birth, Social Security numbers, Medicare or Medicaid numbers, and insurance information.

University malware infection
A malware infection at Justus Liebig University Giessen in Giessen, Hesse, Germany has affected its IT and server infrastructure. The network has been down since December 8, 2019, and due to requirements of German law, the university could not share the new passwords with staff and students through personal email addresses. Therefore, it has asked more than 38,000 individuals to queue up with a piece of paper and ID card to get a new password.

Top Malware Reported in the Last 24 Hours

Gangnam APT campaign
At least 200 critical infrastructure equipment manufacturers in South Korea have fallen victim to a campaign called Gangnam Industrial Style. The APT group behind the campaign used industry sector-themed spear-phishing emails and a combination of free tools to steal confidential information through a new variant of Separ malware.

Dacls RAT
Researchers have spotted a new RAT, dubbed Dacls, that was used by the Lazarus APT group to target both Windows and Linux devices. The functionalities of the malware include command execution, file management, process management, network access testing, a C2 connection agent, and network scanning. The malware spreads by exploiting the Atlassian Confluence CVE-2019-3396 vulnerability.

Poison Frog malware
Researchers have uncovered a new backdoor called ‘Poison Frog’ being used by the OilRig threat actor group. The new executable, which is written in C#, comes with multiple issues. For instance, one sample did not execute because its command called ‘Poweeershell.exe’ instead of ‘Powershell.exe’, while others still had the PDB path inside their binary. The malware is disguised as a fake Cisco AnyConnect application to propagate on victims’ systems.

Dudell malware
A Chinese-linked hacking group called Rancor used a new malware strain dubbed Dudell to target Cambodian government organizations between December 2018 and January 2019. Researchers also uncovered the group using another unique malware family called Derusbi during the same time period. Dudell was delivered as a weaponized decoy Microsoft Excel document designed to run malicious macros on the target systems. On the other hand, Derusbi is a backdoor trojan that loads additional modules to augment its functionality.

Top Vulnerabilities Reported in the Last 24 Hours

WhatsApp fixes a bug
WhatsApp has addressed a severe bug that could have allowed a malicious group member to crash the messaging app for all members of the same group. An attacker can trigger the vulnerability by sending a maliciously crafted message to a targeted group. The issue resides in XMPP, a communication protocol for instant messaging.

Portainer team fixes critical flaws
Seven critical vulnerabilities found in Portainer UI have been fixed by the team recently. The flaws addressed include two cross-site scripting vulnerabilities, a path traversal vulnerability, authorization bypass, and unrestricted host filesystem access.

Vulnerable PLCs
Nine critical vulnerabilities in PLCs made by WAGO can be exploited remotely for arbitrary code execution and DoS attacks. The flaws affect WAGO PFC100 and PFC200 series PLCs. Six of the nine flaws have been addressed by the vendor with a firmware update.

Vulnerable Acer, ASUS software
Vulnerabilities discovered in Acer and ASUS software preinstalled on most PCs could lead to privilege escalation and the execution of arbitrary payloads. The flaws are tracked as CVE-2019-18670 and CVE-2019-19235. While the first affects Acer Quick Access, the second flaw impacts the ASUS ATK Package.   

Top Scams Reported in the Last 24 Hours

Royal Mail text scam
Britishers have reported a new scam that purports to be from Royal Mail. The email tricks victims into handing over their card details for a free iPhone 11 Pro. The phishing message reads: “There is an item waiting to be confirmed. You took one of the spots on our Currys' XMAS-list.” It also includes a link that takes the victim to a website bearing the Currys/PC World logo. The website prompts the victim to share their personal details and pay a small fee of $2.62 for insured shipping.

Sextortion scam
Scammers are back with a new sextortion scam that threatens to release inappropriate videos of victims if a ransom amount is not paid. The scammers send phishing emails to recipients claiming that they have planted remote control malware to capture both browser screenshots and webcam footage. To make it look real and scary, the scammers also provide an old password previously used by the recipient.


Posted on: December 18, 2019
