Cyware Daily Threat Intelligence, January 09, 2020


An evolved version of the infamous 2018 Operation AppleJeus cyber-espionage campaign has come to notice in the past 24 hours. This time, the prolific Lazarus threat actor group has improved its attack and distribution techniques to infect victims based in the UK, Poland, Russia, and China. The notorious group is using new homemade malware, capable of evading detection, to target both Windows and macOS users. This new wave of the campaign makes use of fake cryptocurrency trading websites with links to equally fake Telegram trading groups.

A new variant of MegaCortex ransomware and a new data-wiping malware named Dustman have also been spotted in the past 24 hours. While MegaCortex v4 threatens to leak victim organizations' data online, the Dustman wiper has been designed to delete data from infected computers. Security researchers indicate that Dustman is an evolved version of the recently discovered ZeroCleare malware.

Top Breaches Reported in the Last 24 Hours

The city of Las Vegas suffers an attack
The city of Las Vegas announced that it suffered a cyberattack on January 7, 2019. The incident has affected several computer systems. However, it is unclear whether any sensitive data was exposed. The city is taking extensive steps to protect its systems.

Another Click2Gov breach
The city of Bend recently revealed that it has fallen victim to a breach of its Click2Gov payment software. The incident may have compromised the payment card information of some 5,000 city utility customers who made one-time utility bill payments between August 30, 2019, and October 14, 2019.

Top Malware Reported in the Last 24 Hours

Dustman data-wiping malware
Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bahrain’s national oil company Bapco. The incident took place on December 29, 2019. Named Dustman, the malware is designed to delete data on infected computers. The malware appears to be an upgraded and more advanced version of the ZeroCleare wiper that was discovered last fall.

Operation AppleJeus sequel
In a sequel to the infamous Operation AppleJeus campaign, the Lazarus threat actor group has been found using homemade malware, capable of evading detection, to target Windows and macOS users. The attack campaign makes use of fake cryptocurrency trading websites with links to equally fake Telegram trading groups. The malware has been spotted in the wild on machines in the UK, Poland, Russia, and China.

MegaCortex version 4
The fourth version of MegaCortex ransomware, which first appeared in November 2019, has been found in use in the wild. The current version threatens victimized organizations that their data will be leaked online if they do not pay the ransom. MegaCortex v4 continues to use the same anti-analysis and anti-decompilation techniques as v3.

RAT delivered
A hacker who goes by the online name of ‘Master X’ has been found leveraging malicious PowerPoint attachments to deliver the LokiBot info stealer or AzoRult RAT. The malicious attachments are distributed via phishing emails with a subject line ‘TT Remittance Advice’. The malicious attachments are ‘INVOO13433361.pss’ and ‘Blank slip.pss’.

Top Vulnerabilities Reported in the Last 24 Hours

Firefox 72.0.1 and Firefox ESR 68.4.1 released
Mozilla has released Firefox 72.0.1 and Firefox ESR 68.4.1 to patch a critical and actively exploited security vulnerability that could allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions. Tracked as CVE-2019-11707, this type confusion vulnerability affects the browser's IonMonkey Just-In-Time (JIT) compiler.

TikTok vulnerabilities fixed
Several vulnerabilities discovered in TikTok have been fixed recently. These flaws could be exploited to take control of user accounts, delete videos, upload videos, make private or hidden videos public, and reveal personal information such as email addresses. Among them, two have been identified as SMS link spoofing and open redirection.

Top Scams Reported in the Last 24 Hours

Fake NBN call
Scammers are pretending to be from the National Broadband Network (NBN) and tricking users into revealing personal details such as bank account numbers. The scam usually involves an automated call warning a resident that their landline and internet-connected services will be disconnected within 24 hours. If the listener presses the prompted number, they are forwarded to a human scammer who requests personal data. Users should not share personal information or financial details over the phone, particularly when they are unsure of the identity of the person they are speaking with.


Posted on: January 09, 2020
