
Cyware Daily Threat Intelligence, January 14, 2020


Malware attacks continue to dominate the cybersecurity world. In the past 24 hours, security researchers observed the return of several infamous malware families, either in their original or in new forms. The Emotet trojan made a comeback in a new malicious spam campaign that targets over eighty countries. Meanwhile, the Nemty ransomware operators were found building a website on which they intend to publish the names of victims who refuse to cooperate with ransom demands.

Elsewhere, the new version of the Ryuk ransomware has evolved to use the Wake-on-LAN feature to reach and encrypt powered-off devices on a compromised network. A new version of the Faketoken Android trojan was also spotted draining victims’ bank accounts to fund offensive text message campaigns across the world.

In other developments, a group named Ancient Tortoise was found impersonating a company’s CFO in an attempt to collect aging reports from accounts receivable specialists. These aging reports list the customers who haven’t paid for goods or services they bought on credit.

Top Breaches Reported in the Last 24 Hours

Boing Boing hacked
The popular blog site Boing Boing has been hacked. The website admitted that it had temporarily redirected readers to a page warning about “dangerous malware”. Following the incident, all employees of the firm have changed their login credentials. They have also implemented a number of other security measures to keep the attackers from regaining access to the website.

Unsecured Elasticsearch
An unsecured Elasticsearch database used by the Peekaboo Moments mobile app has exposed short videos and images of thousands of babies. The database contains more than 70 million log files and 100 GB of data, with records dating back to March 2019. The exposed data also includes email addresses and detailed device information.

Top Malware Reported in the Last 24 Hours

Emotet trojan returns
The infamous Emotet trojan is back after a three-week hiatus. The trojan has been found targeting over eighty countries with malicious spam campaigns. The campaign leverages phishing emails that pretend to be proof-of-delivery documents, reports, agreements, and statements. These emails include either attached documents or links that can be used to download them.

Nemty threatens to leak stolen data
Following the lead of the Maze and Sodinokibi operators, the Nemty ransomware operators plan to publish the stolen data of victim organizations that refuse to pay the ransom. The ransomware developers intend to create a website where they will post the names of victims whose ransom demands go unpaid.

Ryuk ransomware evolves
The evolved version of the Ryuk ransomware uses the Wake-on-LAN (WoL) feature to turn on powered-off devices on a compromised network, which lets it reach and encrypt a larger share of the network’s machines. When executed, the malware spawns subprocesses with the argument ‘8 LAN’. With this argument, Ryuk reads the device’s ARP table, which is a list of known IP addresses on the network and their associated MAC addresses, to find the hosts it will attempt to wake.

Faketoken trojan
Some 5,000 Android phones have been found infected with the new version of the Faketoken Android trojan. The trojan drains its victims’ bank accounts to fund offensive mass text campaigns that target mobile devices all over the world. Once installed on a victim’s device, Faketoken first checks whether the victim’s bank account holds enough money. It then uses the stolen payment card details to add credit to the victim’s mobile account.

Oski Stealer
Oski Stealer is a new malware that targets browser data and cryptocurrency wallets in the U.S. The malware is being advertised on underground cyber-forums, including several Russian ones. Its capabilities include harvesting sensitive information such as credentials, credit card numbers, wallet accounts, and more. It has already managed to steal over 50,000 passwords.

Apple users targeted
Researchers have identified a phishing attack targeting iPhone users. The attack begins with a message stating that the recipient’s lost iPhone X has been found. The message includes a link inviting the recipient to track the location of their phone. The phishing domain is hosted on a Russian server.

Top Vulnerabilities Reported in the Last 24 Hours

Facebook patches a bug
Facebook has patched a bug that exposed the accounts of individuals who manage pages. The flaw came to light after it was exploited against several high-profile pages, including those belonging to President Donald Trump, Canadian Prime Minister Justin Trudeau, activist Greta Thunberg, the anonymous street artist Banksy, the Anonymous hacktivist collective, and rapper Snoop Dogg. The issue may have had serious implications, particularly for page administrators who are trying to keep their identity secret.

Top Scams Reported in the Last 24 Hours

BEC scam
A group tracked as Ancient Tortoise is targeting accounts receivable specialists with the aim of collecting aging reports and other information on customers. Aging reports are collections of outstanding invoices that help a company’s finance department keep track of customers who haven’t paid for goods or services they bought on credit. The Ancient Tortoise group can use the collected reports to conduct scams in later stages of the attack. To obtain the aging report, the threat actor impersonates the target company’s CFO and requests an updated report with up-to-date contact information for each customer who has unpaid invoices.


Posted on: January 14, 2020
