Go to listing page

Cyware Daily Threat Intelligence, February 18, 2020

Cyware Daily Threat Intelligence, February 18, 2020

Share Blog Post

Fake and malicious apps have become the latest channel for cybercriminals to drop malware and conduct malicious activities. There have been reports of threat actors using fake app installers to drop two notorious trojans - LokiBot and AZORult - in two different campaigns. While LokiBot is distributed via fake Epic Games launcher, the AZORult trojan leverages counterfeit ProtonVPN apps to infect victims. The purpose of using legitimate-looking fake apps is to evade detection by security solutions.

The past 24 hours also saw a security update for a serious vulnerability affecting the ThemeGrill Demo Importer WordPress theme plugin. The flaw can be exploited to wipe sites running vulnerable versions of the plugin and gain admin access to those sites.

Top Breaches Reported in the Last 24 Hours

PhotoSquared’s data breached
A popular photo app PhotoSquared had leaked over 10,000 records due to an unsecured Amazon Web Services storage bucket. The leaked records dated back to November 2016 and include user photos, order records, receipts, and shipping labels. The leak was fixed by PhotoSquared on February 14 after it was contacted by researchers.

Twitter account of FC Barcelona hacked
In its latest hack to expose vulnerabilities, the popular OurMine hacking group has hacked the official Twitter account of the FC Barcelona along with the accounts of the Olympics and the International Olympic Committee (IOC). Immediately after the hack, Twitter had locked both accounts. It is suspected that the hack occurred via a third-party platform.

Nextmotion leaks data
Medical imaging firm NextMotion had exposed almost 900,000 files due to a misconfigured Amazon S3 bucket. The leaked files included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments and consultations performed by the clinic. Upon being alerted about the leak, the firm had quickly fixed the error by reconfiguring the S3 bucket’s settings to be more secure.

Idaho Credit Union reports breach
Idaho Central Credit Union has started informing some customers of two data breaches that impacted the financial institution. The first instance was noticed on November 5, 2019, after the firm detected some suspicious behavior. The compromised information included names, dates of birth, Social Security numbers, financial account information, tax identification numbers, and information on borrowers, liability, assets, employment, and income of individuals.

Top Malware Reported in the Last 24 Hours

LokiBot trojan returns
A new LokiBot campaign that aims to infect users by impersonating the launcher for Epic Games has been uncovered by researchers. The purpose behind the disguise is to help the trojan avoid detection by antivirus software. This fake downloader is distributed via spam phishing emails that are sent out in bulk to potential targets.

Blackout malware upgraded
A recent upgrade in the Ukrainian Blackout malware now includes the ability to steal SSH keys from victims’ machines. This new version is on sale on the Dark Web forums in the form of Malware-as-a-Service (MaaS). The malware is operated by the state-sponsored BlackEnergy gang.

AZORult makes a comeback
Researchers have detected a new campaign wherein attackers are making use of fake ProtonVPN installers to drop AZORult trojan. The campaign has been active since November 2019 and uses a domain that has been registered under the name protonvpn[.]store. Once the victim runs the implant, it collects the infected machine’s environment information and reports it to a C2 server located in Russia.

Google axes 500 malicious extensions
Google has removed over 500 Chrome extensions from the Chrome Web Store after they were found performing covert data exfiltration activities. Researchers disclosed that the threat actor behind the extensions has been using the same infrastructure for at least one or two years. The plugins also had nearly the same source code and all of them referenced to a ‘.com’ website.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed WordPress plugin addressed
A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin has been fixed with the release of the new version 1.6.2. The vulnerability can be exploited to wipe sites running vulnerable versions of the plugin and gain admin access to those sites. So far, the plugin has over 200,000 installations. The critical flaw, that exists for the past three years, affects versions 1.3.4 through 1.6.1 of the plugin and can be exploited only against those websites where the ThemeGrill theme plugin is activated.

Top Scams Reported in the Last 24 Hours

Coronavirus-themed phishing
The World  Health Organization (WHO) has issued a warning about ongoing Coronavirus-themed phishing attacks that impersonates the organization with an aim to steal information and deliver malware. The target users are sent phishing messages that ask them to share sensitive information like usernames and passwords. The message includes a link or a malicious attachment that redirects victims to a phishing landing page.

New email scam
A new email scam that threatens website owners to suspend their Google AdSense accounts is underway. This is done by flooding the target website with a large amount of bot traffic. This, in turn, triggers Google’s automated anti-fraud protection system that flags artificial inflation of traffic on a website. The scammers behind the newest scheme promise to resolve the issue in exchange for a payment of $5000 in bitcoins.


lokibot trojan
blackout malware
themegrill demo importer wordpress theme plugin

Posted on: February 18, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.