Cyware Daily Threat Intelligence, January 22, 2020


In the fast-paced world of cybersecurity, cybercriminals are always on the move, launching large and sophisticated attacks with new variants of existing malware. The last 24 hours saw the discovery of new variants of three malware families: Muhstik, NetWire RAT, and SLoad. The new version of the Muhstik botnet includes a scanner that attacks Tomato routers, while the new NetWire RAT variant targets organizations via fake business emails.

Meanwhile, the new SLoad version 2.0 includes an anti-analysis trick that lets it tell analyst machines apart from genuinely infected ones and isolate them. The malware, also called Starslord, can track the stage of infection on every affected machine. It follows an attack chain similar to its previous version, with some updates, including dropping the dynamic list of C2 servers and uploading screenshots.

Top Breaches Reported in the Last 24 Hours

Microsoft exposes 250 million call records
A new report from researchers has revealed that five unsecured Elasticsearch servers belonging to Microsoft exposed nearly 250 million call center records last year. The records included phone conversations between service agents and customers dating back to 2005. The exposed records also included passwords stored in plaintext.

UPS Store customers’ data affected
Sensitive personal and financial information of UPS Store customers was exposed in a phishing incident between September 29, 2019, and January 13, 2020. The incident affected roughly 100 local store locations. The types of personal information exposed varied for each person, but the commonly breached data included government-issued identification along with financial and other types of information.

Oman’s SAOG affected
A ransomware attack has hit Oman United Insurance Company SAOG. The threat actors attacked its main server on January 1, 2020, and managed to encrypt some data. The company lost some data relating to the period from December 10, 2019, to January 1, 2020. Following the attack, the company's online operations were suspended for only one day, i.e., January 2, 2020.

Health Quest affected in a phishing incident
Health Quest is notifying some of its patients whose information might have been exposed in a phishing incident. The healthcare firm first learned of the incident in July 2018 when several employees fell for a phishing attack and thereby inadvertently disclosed their email account credentials to an unauthorized party.

Top Malware Reported in the Last 24 Hours

‘16Shop’ phishing kit
One of the most advanced phishing kits, 16Shop, has expanded its targets from Apple and Amazon account holders to include PayPal customers. The goal of the phishing kit is to collect personal information, including country-specific PII. The kit includes three distinct anti-bot and anti-indexing features to evade detection by security vendors' automated crawlers and web indexers.

SLoad 2.0
A new version of SLoad, called 2.0, has been found relying on PowerShell scripts for fileless execution. The main purpose of the malware is to deliver more potent malware strains and to help its operators make money by providing pay-per-install space for other cybercriminal operations.

New Muhstik variant
A new variant of the Muhstik botnet that includes a scanner to attack Tomato routers has been discovered by security researchers. The variant scans for the routers on TCP port 8080 and bypasses the admin web authentication by brute-forcing it with default credentials. In Tomato routers, the default credentials are "admin:admin" and "root:admin".
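The Muhstik behaviour described above leaves a recognisable trace on the router side: a burst of failed HTTP authentication attempts against the admin interface on port 8080, possibly followed by a successful login if a default credential worked. The following detector is an added example (not code from the original post or from any vendor mentioned here) that parses constructed common-log-format access lines from a router admin interface, flags sources that produce a configurable number of 401 responses inside a time window, and notes whether a 200 followed the failures. The log lines, the IP addresses and the threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format) from a router admin
# interface on TCP 8080. These are illustrative, not taken from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2020:10:01:03 +0000] "GET / HTTP/1.1" 401 0
203.0.113.7 - - [22/Jan/2020:10:01:04 +0000] "GET / HTTP/1.1" 401 0
203.0.113.7 - - [22/Jan/2020:10:01:05 +0000] "GET / HTTP/1.1" 401 0
203.0.113.7 - - [22/Jan/2020:10:01:06 +0000] "GET / HTTP/1.1" 401 0
203.0.113.7 - - [22/Jan/2020:10:01:07 +0000] "GET / HTTP/1.1" 200 1234
198.51.100.9 - - [22/Jan/2020:10:02:10 +0000] "GET / HTTP/1.1" 401 0
198.51.100.9 - - [22/Jan/2020:10:02:12 +0000] "GET / HTTP/1.1" 200 1234
"""

# Common log format: source, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts, "status": int(m.group("status"))}


def detect_bruteforce(lines, threshold=4, window=timedelta(seconds=60)):
    """Return {src: {"failures": n, "success_after_failures": bool}} for every
    source that produced at least `threshold` 401 responses within `window`.
    `failures` is the largest number of 401s seen in any single window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["src"]].append(rec)

    findings = {}
    for src, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r["ts"] for r in recs if r["status"] == 401]

        # Sliding window over the sorted failure timestamps.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            best = max(best, end - start + 1)

        if best >= threshold:
            # A 200 at or after the last failure suggests a guessed credential worked.
            last_fail = failures[-1]
            success = any(r["status"] == 200 and r["ts"] >= last_fail for r in recs)
            findings[src] = {"failures": best, "success_after_failures": success}
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['failures']} failed logins in window, "
              f"success afterwards: {info['success_after_failures']}")
```

Run against the sample, only 203.0.113.7 is flagged, with four failures followed by a successful login; 198.51.100.9 fails once and is ignored. A router that has been re-keyed from the default credentials will show the 401 burst without the trailing 200, which is the benign outcome a defender wants to see.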

New NetWire variants
A new NetWire RAT variant has been spotted targeting organizations. The malware variant is delivered via fake business emails. Researchers claim that the emails are being sent from a small number of unique senders supposedly located in Germany.

Top Scams Reported in the Last 24 Hours

Citibank phishing scam
A new Citibank phishing scam is underway that uses a convincing domain, TLS certificates, and even requests OTP codes to trick customers into sharing their personal information. It is unknown how users are redirected to the phishing page, but when they visit the update-citi.com landing page, they are presented with a convincing Citibank login page.

FBI warns about spoofed websites
The Federal Bureau of Investigation has issued a notice warning about scammers using spoofed company websites and fake job listings to target job applicants. The potential victims are contacted via email, with cybercriminals posing as employees from different departments, including recruiters, talent acquisition, human resources, and department managers. The targets are later asked to pay a small amount for their training and start-up equipment.

Tags

16shop phishing kit
netwire rat
sload 20
muhstik botnet

Posted on: January 22, 2020
