Cyware Daily Threat Intelligence, July 02, 2020


The developers behind TrickBot have once again upgraded the information stealer's evasion capabilities. This time, the new trojan variant checks the screen resolution before proceeding with its infection process. If the computer's screen resolution does not meet the trojan's requirement, it terminates.

The XMRig cryptocurrency miner and the Alina PoS malware have also returned in the last 24 hours with new versions. While the new XMRig variant camouflages itself as a system Windows Management Instrumentation (WMI) service, the latest version of Alina uses DNS tunneling to evade antivirus detection.


Top Breaches Reported in the Last 24 Hours

Unsecured MongoDB
A hacker has uploaded ransom notes on 22,900 MongoDB databases that were left exposed online without passwords. The hacker is using an automated script to scan for unsecured MongoDB databases, wiping their content, and leaving a ransom note behind asking for a ransom of 0.015 bitcoin. The hacker is giving companies two days’ time to pay, after which they threaten to leak data and contact the victim’s local General Data Protection Regulation (GDPR) enforcement authority to report the data leak.
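The exposure described above comes down to two mongod settings: whether `security.authorization` is enabled, and which interfaces `net.bindIp` (or `net.bindIpAll`) listens on. The Python below is an added example, not code from Cyware or from MongoDB; it parses the flat YAML subset that mongod.conf uses and reports the findings that would make an instance wipeable by an automated scanner. Both sample configurations are constructed for the example, and the assumption that an absent `bindIp` means localhost reflects the MongoDB 3.6+ default.

```python
"""Audit a mongod.conf for the two settings behind "unsecured MongoDB" incidents."""

# Constructed sample: no authentication and listening on every interface.
WEAK_MONGOD_CONF = """\
# exposed: anyone who can reach port 27017 can read, wipe and ransom the data
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: authentication on, bound only to loopback and one internal address.
HARDENED_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' subset of YAML used by mongod.conf.

    This is deliberately minimal (no lists, quotes or multi-line values) so the
    example runs without PyYAML; for real files use a full YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs; root sits below any indent
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # leave sections we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    security = cfg.get("security", {})
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port can read, drop and replace every database"
        )

    net = cfg.get("net", {})
    # Assumption: mongod 3.6+ binds to localhost when bindIp is absent.
    bind_ips = {ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")}
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_all or bind_ips & {"0.0.0.0", "::"}:
        findings.append(
            "net.bindIp/bindIpAll exposes the listener on all interfaces: "
            "restrict it to loopback or the application network"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_MONGOD_CONF), ("hardened", HARDENED_MONGOD_CONF)):
        print(name, audit_mongod_config(parse_simple_yaml(conf)) or ["ok"])
```

Both findings together describe exactly the state the ransom script looks for: a listener reachable from the internet that accepts unauthenticated connections. Fixing either one closes the automated attack path, but a database that holds customer data should have both, plus a firewall rule in front of the port.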

Top Malware Reported in the Last 24 Hours

Alina PoS malware
Alina PoS malware has returned with a new trick for stealing credit and debit card data. The malware is using the DNS tunneling method to exfiltrate the data.
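DNS tunneling, mentioned both in the summary above and in this Alina item, leaves a characteristic trace in resolver logs: many distinct, long, high-entropy leading labels under one parent domain, sent by one host. The Python below is an added detection example, not code from Cyware or from any Alina analysis. The log line format (timestamp, client, query name, record type), the `exfil-test.invalid` domain and the hex-encoded labels are all constructed for the example; real tunnelers vary the encoding and record type, so treat the thresholds as starting points to tune against your own baseline.

```python
"""Flag parent domains whose query pattern looks like DNS tunneling."""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2020-07-02T10:00:01 10.0.0.15 www.example.com A
2020-07-02T10:00:02 10.0.0.15 9f3e7a1c5b8d2e6f4a0c7b9d1e3f5a8c2b6d4e0f7a9c1e.exfil-test.invalid TXT
2020-07-02T10:00:03 10.0.0.15 c2d8e4f0a6b1c7d3e9f5a1b7c3d9e5f1a7b3c9d5e1f7a3.exfil-test.invalid TXT
2020-07-02T10:00:04 10.0.0.15 cdn.example.com A
2020-07-02T10:00:05 10.0.0.15 5e1a9c3f7b2d6e0a4c8f2b6d0e4a8c2f6b0d4e8a2c6f0b.exfil-test.invalid TXT
2020-07-02T10:00:06 10.0.0.22 mail.example.com MX
2020-07-02T10:00:07 10.0.0.15 a7b3c9d5e1f7a3b9c5d1e7f3a9b5c1d7e3f9a5b1c7d3e9.exfil-test.invalid TXT
"""


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, words and hostnames low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    """Turn the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def is_suspicious_query(qname, min_label_len=30, min_entropy=2.0):
    """A single query is suspicious if its leading label is long and high-entropy."""
    first, _, _parent = qname.partition(".")
    return len(first) >= min_label_len and shannon_entropy(first) >= min_entropy


def find_tunneling_candidates(records, min_unique=3):
    """Group suspicious queries by parent domain and report those with enough
    distinct labels to indicate a data stream rather than a one-off lookup."""
    labels_by_domain = defaultdict(set)
    clients_by_domain = defaultdict(set)
    for r in records:
        if not is_suspicious_query(r["qname"]):
            continue
        first, _, parent = r["qname"].partition(".")
        labels_by_domain[parent].add(first)
        clients_by_domain[parent].add(r["client"])
    return {
        domain: {"unique_labels": len(labels),
                 "clients": sorted(clients_by_domain[domain])}
        for domain, labels in labels_by_domain.items()
        if len(labels) >= min_unique
    }


if __name__ == "__main__":
    for domain, info in find_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{domain}: {info['unique_labels']} unique labels from {info['clients']}")
```

Legitimate traffic can also produce long labels (CDN hostnames, anti-spam reputation lookups, some telemetry), so the output is a review queue, not a verdict: allowlist known parent domains and raise `min_unique` until the baseline is quiet, then alert on what remains. For a PoS network specifically, any TXT or otherwise unusual query type from a terminal is worth a look on its own.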

TrickBot evolves
A new variant of the TrickBot trojan has started checking the victim's screen resolution to detect whether it is running in a virtual machine. To proceed with its infection process, the computer's screen resolution should be 800x600 or 1024x768; otherwise it terminates.

New XMRig variant
A new XMRig variant that camouflages itself as a system WMI service has recently been found. Not only is its infection path concealed, but the new mining trojan variant also uses complex techniques to gain persistence on systems. Its main function is to download and install the mining program stored on GitHub.

Top Vulnerabilities Reported in the Last 24 Hours

RCE flaws in Apache
Apache Guacamole is vulnerable to several critical Reverse RDP vulnerabilities, including a few new vulnerabilities found in FreeRDP. These vulnerabilities can be exploited to compromise computers and launch attacks on the Guacamole gateway. It is recommended that all servers be updated to the latest versions to prevent exploitation of these flaws.

RCE flaw in LEADTOOLS
Researchers found a remote code execution vulnerability in the LEADTOOLS toolkits. Tracked as CVE-2020-6089, the flaw exists in the ANI file format parser of Leadtools 20. It can be exploited with a specially crafted ANI file, which causes a buffer overflow.

A high-severity flaw in switches
Cisco Systems has warned of a high-severity flaw affecting more than a half-dozen of its small business switches. The flaw, identified as CVE-2020-3297, could allow remote attackers to access the switches' management interfaces with administrative privileges. Cisco has released a firmware update to fix the issue.

Information disclosure flaw
An information disclosure vulnerability discovered in Mozilla Firefox can be exploited by tricking a user into visiting a specially crafted web page in the browser. The flaw, tracked as CVE-2020-12418, affects Firefox Nightly Version 78.0a1 x64 and Firefox Release Version 76.0.2 x64.

Tags

alina pos malware
trickbot malware
unsecured mongodb
dns tunneling
xmrig cryptocurrency mining

Posted on: July 02, 2020
