Cyware Daily Threat Intelligence, March 12, 2020


Stolen banking credentials are a ripe asset for cybercriminals looking to commit fraud and steal money. Researchers have unearthed a new campaign, named ‘Operation Overtrap’, that targets Japanese online banking users. Its purpose is to steal victims’ banking credentials, and it is carried out using the Bottle exploit kit and a new banking trojan called Cinobi. Spam emails carrying phishing links that pose as banking websites are used to lure victims.

Two new malware strains, Trojan-Spy.AndroidOS.Cookiethief and PXJ ransomware, were also discovered in the last 24 hours. The former is designed to transfer cookies used by the browser and the Facebook app to the cybercriminals’ server, while the latter encrypts photos and images, databases, documents, videos, and other files on a victim’s device.

Talking about vulnerabilities, 30 security flaws have been identified in devices made by WAGO. The flaws can be exploited by attackers for arbitrary code execution, command injection, DoS attacks, and information disclosure.

Top Breaches Reported in the Last 24 Hours

Whisper app leaks 900 million secrets
An unprotected database containing 900 million Whisper posts, along with all the metadata related to those posts, was recently found online. Although no real names were exposed, the data included users’ stated age, ethnicity, gender, hometown, nickname, and group membership. Whisper took the database down on March 9, 2020, after being alerted to the exposure.

Dutch Donor Register data lost on external hard drives
The Dutch government disclosed that it has lost two external hard drives containing the personal data of more than 6.9 million organ donors. The drives held copies of all donor forms filed with the Dutch Donor Register between February 1998 and June 2010.

Top Malware Reported in the Last 24 Hours

Cookiethief Android trojan
A new strain of Android malware called Trojan-Spy.AndroidOS.Cookiethief has been discovered by researchers. The main task of the malware is to acquire root rights on the victim’s device and transfer the cookies used by the browser and the Facebook app to the cybercriminals’ server. The exact way the malware is distributed is currently unknown.

Phishing pages via YouTube redirects
A new phishing campaign that abuses YouTube redirects to send victims to phishing pages has been observed recently. The purpose of the campaign is to steal credentials. The phishing emails originate from a newly registered fraudulent domain, sharepointonline-po[.]com.

PXJ ransomware
PXJ, also called XVFXGW, is a newly discovered ransomware that begins its malicious activity by disabling the user’s ability to recover files, wiping both deleted-file stores such as the Recycle Bin and the Volume Shadow Copies. PXJ derives its name from the extension it appends to encrypted files. According to the ransom note, the encryption covers photos and images, databases, documents, videos, and other files on the device.
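As an added illustration for the PXJ item (this is not code from Cyware or from the researchers who analysed PXJ, and the briefing does not say which commands PXJ itself runs), the following Python detector flags process-creation events whose command lines remove Volume Shadow Copies or the backup catalog using the Windows tools ransomware commonly abuses for this step (vssadmin, wmic, wbadmin, and PowerShell WMI calls). The log lines are constructed sample data in a simplified user|image|command-line format, not real telemetry; a SOC would feed it Sysmon Event ID 1 or Security Event 4688 command lines instead.

```python
"""Flag command lines that wipe Volume Shadow Copies before encryption.

Added example, not code from the briefing or the PXJ analysis. The patterns
generalise beyond PXJ to the usual Windows ways of destroying shadow copies.
"""
import re

# Each pattern is matched case-insensitively against the full command line.
# "vssadmin list shadows" and similar read-only admin commands must NOT match.
SHADOW_COPY_PATTERNS = {
    "vssadmin delete shadows": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic shadowcopy delete": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell Win32_ShadowCopy": re.compile(
        r"\bWin32_ShadowCopy\b.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I),
    "wbadmin delete catalog": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# Constructed sample log: "user|image|command line". The command line itself may
# contain '|' (PowerShell pipes), so the parser splits on the first two only.
SAMPLE_PROCESS_LOG = [
    "alice|explorer.exe|C:\\Windows\\explorer.exe",
    "alice|cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "SYSTEM|svchost.exe|svchost.exe -k netsvcs",
    "bob|wmic.exe|wmic shadowcopy delete /nointeractive",
    'bob|powershell.exe|powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    "carol|vssadmin.exe|vssadmin list shadows",
    "dave|wbadmin.exe|wbadmin delete catalog -quiet",
]


def parse_line(line):
    """Split one constructed log line into its three fields (None if malformed)."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    user, image, cmdline = parts
    return {"user": user, "image": image, "cmdline": cmdline}


def detect_shadow_copy_tampering(lines):
    """Return one alert per event whose command line matches a known pattern."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for technique, pattern in SHADOW_COPY_PATTERNS.items():
            if pattern.search(event["cmdline"]):
                alerts.append({"user": event["user"], "image": event["image"],
                               "technique": technique, "cmdline": event["cmdline"]})
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_tampering(SAMPLE_PROCESS_LOG):
        print(f"[{alert['technique']}] user={alert['user']} cmd={alert['cmdline']}")
```

Matching on the command line rather than the image name is deliberate: ransomware frequently launches these tools through cmd.exe or PowerShell, so the parent image is often not the tool itself. The Recycle Bin wipe mentioned in the item is done through a Windows API call rather than a command, so it is not visible to this check and would need API or file-system telemetry.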

Operation Overtrap campaign
Researchers have uncovered a new campaign called ‘Operation Overtrap’ that targets Japanese online banking users. The campaign has been active since April 2019 and is carried out via spam emails. It makes use of a new exploit kit, Bottle, and a new banking trojan, Cinobi, to compromise users.

Rocket Loader skimmer
A new skimmer that impersonates Cloudflare’s Rocket Loader library is being used to infect a number of e-commerce sites. The skimmer comes in two language variants, English and Portuguese. The attackers are taking advantage of the fact that Google Chrome version 76 and later no longer display the ‘https://’ scheme in the address bar.

Tricky web skimming domain
A meat delivery service owned by Cheney Bros. Inc. fell victim to a card skimming attack after attackers injected a script from a shady domain into the checkout and login pages of grandwesternsteaks[.]com. The malicious domain, htt[.]ps, is hosted in Russia and appears on nearly a dozen other sites, including music and instrument retailers, an herbal pharmacy in Europe, and a business in Spain that sells programmable logic controllers.
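As an added illustration for the two skimmer items above (this is not code from Cyware or from the researchers who reported the skimmers), the following Python script audits every `<script src>` on a checkout page against an allowlist of hosts, the basic check a shop owner can run to catch an injected third-party domain such as htt[.]ps or a Rocket Loader lookalike served from somewhere other than Cloudflare. The page HTML, the shop host shop.example and the lookalike host cdn-rocketloader.example are constructed for the example; the only real host assumed is ajax.cloudflare.com, which is where Cloudflare serves its genuine Rocket Loader script.

```python
"""Audit external script sources on a checkout page against an allowlist.

Added example, not code from the briefing or the cited researchers. Standard
library only, so it runs offline on saved HTML.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this shop knowingly loads scripts from. Assumption: Cloudflare's real
# Rocket Loader is delivered from ajax.cloudflare.com; shop.example is made up.
ALLOWED_SCRIPT_HOSTS = {"ajax.cloudflare.com", "shop.example"}

# Hostnames that read like a piece of the URL scheme ("htt.ps" looks like
# "https"), which is exactly the trick the defanged htt[.]ps domain relies on.
SCHEME_LOOKALIKES = ("htt.ps", "ht.tp", "http.s")

# Constructed sample checkout page: one genuine Rocket Loader include, one
# first-party script, and two injected scripts that should be flagged.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://ajax.cloudflare.com/cdn-cgi/scripts/cloudflare-static/rocket-loader.min.js"></script>
<script src="/js/checkout.js"></script>
<script src="https://cdn-rocketloader.example/rocket-loader.min.js"></script>
<script src="https://htt.ps/js/jquery.min.js"></script>
</head><body><form id="checkout"></form></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value)


def host_of(src, page_host):
    """Host an src resolves to; relative and protocol-relative URLs handled."""
    hostname = urlsplit(src).hostname
    return (hostname or page_host).lower()


def mimics_scheme(host):
    """True if the host is, or is a subdomain of, a scheme lookalike."""
    return any(host == look or host.endswith("." + look) for look in SCHEME_LOOKALIKES)


def audit_scripts(html, page_host):
    """Return a finding for every script host that is not first party or allowlisted."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = host_of(src, page_host)
        if host == page_host or host in ALLOWED_SCRIPT_HOSTS:
            continue
        if mimics_scheme(host):
            reason = "hostname mimics the URL scheme"
        elif "rocket-loader" in src.lower():
            reason = "Rocket Loader filename served from a non-Cloudflare host"
        else:
            reason = "unexpected third-party script host"
        findings.append({"src": src, "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(f"{finding['reason']}: {finding['src']}")
```

The check only sees static `<script src>` tags; skimmers that are appended to an existing first-party file, or injected at runtime by another script, need a baseline diff of the served files or a Content Security Policy with reporting to catch.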

Top Vulnerabilities Reported in the Last 24 Hours

Intel patches 27 vulnerabilities
Intel this week released patches for 27 vulnerabilities affecting its graphics drivers, FPGA products, processors, NUC systems, BlueZ, and other products. A total of 17 of the vulnerabilities affect its graphics drivers. The remaining ten are rated medium severity and can result in escalation of privilege, denial of service, or information disclosure.

Vulnerable Zyxel network software
Zyxel’s network management software is riddled with 16 security flaws, including multiple backdoors, default credentials, and insecure memory storage. The flaws impact Zyxel CNM SecuManager versions 3.1.0 and 3.1.1. None of the vulnerabilities had been fixed at the time of reporting, so users are advised to avoid using the product.

SAP releases updates
SAP has released 16 security notes and two updates to previously released patches as part of its March 2020 Patch Tuesday. The patched vulnerabilities include three cross-site scripting (XSS) flaws, missing XML validation, missing authorization checks, and improper session expiration.

Vulnerabilities exposed in WAGO controllers
Thirty vulnerabilities identified in devices made by WAGO can be exploited by attackers for arbitrary code execution, command injection, DoS attacks, and information disclosure. WAGO has released patches for some of the vulnerabilities; the remainder are expected to be fixed in a firmware update scheduled for the second quarter of 2020.



Posted on: March 12, 2020
