Cyware Daily Threat Intelligence, February 28, 2020


Evading detection while continuing with the infection process is one of the primary goals of any malware attack. Lately, threat actors have come up with sophisticated propagation processes to distribute different malware. The infamous Roaming Mantis threat actor group has been observed using whitelisting to spread two new malware families, Fakecop and Wroba.j, with the purpose of stealing more funds.

On the other hand, the notorious Remcos RAT is leveraging the deadly COVID-19 threat to spread across victims’ systems. Cybercriminals are using CoronaVirusSafetymeasure_pdf.exe to trick victims into downloading the malicious payload.

The past 24 hours saw Cisco patching eleven ‘high’ to ‘medium’ severity vulnerabilities found in its UCS Manager, FXOS, and NX-OS software. The most severe flaw, which can allow attackers to execute arbitrary code as root or cause a denial of service (DoS) condition on an affected device, exists in the FXOS and NX-OS software.

Top Breaches Reported in the Last 24 Hours

Straffic exposes 49 million email addresses
Straffic, an Israeli marketing firm, exposed 49 million unique email addresses due to mishandled authentication credentials for an Elasticsearch database. The database contained 140GB of contact details consisting of names, phone numbers, and postal addresses. The firm quickly took remedial steps to fix the issue, and the sensitive data is no longer available online.

Lincoln health care company attacked
A Lincoln health care company, NRC Health, had suffered a ransomware attack on February 11, 2020. Upon discovery, the company immediately shut down its system to contain the attack. Currently, it is working to restore services for customers. The company has claimed that there is no evidence of any patient data being compromised.

Top Malware Reported in the Last 24 Hours

New Fakecop and Wroba.j malware
The Roaming Mantis threat actor group has improved its attack tactics to steal more funds while evading detection. The group is now using whitelisting to spread two new malware families: Fakecop and Wroba.j.

COVID-19 themed malware
Researchers have discovered a suspicious CoronaVirusSafetymeasure_pdf.exe that carries the Remcos RAT. Once launched, the malware gains persistence on the infected device by adding a Startup Registry key. The stolen information is sent to a C2 server hosted at 66[.]154.98.108.
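The two observables in this item, the C2 address and the Startup Registry key, are the kind of thing a SOC turns into a quick retro-hunt. The script below is an added example (not part of the Cyware briefing or any vendor's tooling) that refangs the published C2 IP, matches it exactly against proxy log lines, and flags registry set-value events that place the dropper filename under an autostart key. It assumes the "Startup Registry key" is one of the usual HKCU/HKLM Run or RunOnce keys, which the briefing does not specify; the log lines and registry events are constructed sample data.

```python
import re

# IoCs quoted from the briefing. The C2 address is kept defanged, as published.
DEFANGED_C2 = "66[.]154.98.108"
DROPPER_NAME = "CoronaVirusSafetymeasure_pdf.exe"

# Autostart locations to watch. The briefing only says "a Startup Registry key";
# the Run/RunOnce keys below are an assumption, not a detail from the report.
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to the form it takes in raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def find_c2_hits(log_lines, c2_ip):
    """Return log lines that contain exactly c2_ip.

    The lookarounds stop partial matches such as 166.154.98.108 or
    66.154.98.1080 from being reported as hits.
    """
    pattern = re.compile(r"(?<![\d.])" + re.escape(c2_ip) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


def find_run_key_persistence(registry_events, dropper_name):
    """Return registry events that write dropper_name under a Run/RunOnce key."""
    hits = []
    for event in registry_events:
        key = event["key"].lower()
        if key.endswith(RUN_KEY_SUFFIXES) and dropper_name.lower() in event["value_data"].lower():
            hits.append(event)
    return hits


# Constructed sample telemetry, not real logs. The second proxy line is a
# near-miss (different first octet) to show that exact matching matters.
SAMPLE_PROXY_LOG = [
    "2020-02-28T09:14:02Z src=10.1.4.22 dst=66.154.98.108 dport=80 method=POST path=/ bytes=1843",
    "2020-02-28T09:14:05Z src=10.1.4.22 dst=166.154.98.108 dport=443 method=GET path=/ bytes=512",
    "2020-02-28T09:15:11Z src=10.1.7.9 dst=93.184.216.34 dport=443 method=GET path=/index.html bytes=1270",
]

SAMPLE_REGISTRY_EVENTS = [
    {"host": "WS-0412",
     "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater",  # constructed value name
     "value_data": r"C:\Users\alice\AppData\Roaming\CoronaVirusSafetymeasure_pdf.exe"},
    {"host": "WS-0412",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "value_data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]


if __name__ == "__main__":
    for line in find_c2_hits(SAMPLE_PROXY_LOG, refang(DEFANGED_C2)):
        print("C2 contact:", line)
    for ev in find_run_key_persistence(SAMPLE_REGISTRY_EVENTS, DROPPER_NAME):
        print("Run-key persistence on", ev["host"], "->", ev["value_data"])
```

Run it as-is to see one C2 hit and one persistence hit; in practice you would feed `find_c2_hits` the exported proxy or firewall log and `find_run_key_persistence` the registry-set events from your EDR or Sysmon (Event ID 13) collection.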

Fake Norton Lifelock phishing
Cybercriminals are using a bogus Norton Lifelock document to fool victims into installing a RAT called NetSupport Manager. Under the pretext of a password-protected Norton Lifelock document, victims are asked to enable macros and type in a password that is provided in the phishing email. With the RAT, malicious operators intend to gain unauthorized access to victims’ systems.

Nemty ransomware
An ongoing malspam campaign using emails disguised as messages from secret lovers is delivering the Nemty ransomware. The subject lines of the emails are designed to lure recipients by using templates like "Don't tell anyone," "I love you," "Letter for you," "Will be our secret," and "Can't forget you."

Top Vulnerabilities Reported in the Last 24 Hours

Cisco issues patches
Cisco has released patches for 11 vulnerabilities impacting its UCS Manager, FXOS, and NX-OS software. The most severe flaw exists in FXOS and NX-OS and is tracked as CVE-2020-3172. The flaw can allow an unauthenticated attacker to execute arbitrary code as root. Apart from these fixes, Cisco has also published an advisory for the recently discovered Kr00k vulnerability, which impacts devices containing Wi-Fi chips made by Broadcom and Cypress.


Posted on: February 28, 2020
