Cyware Daily Threat Intelligence, March 19, 2020


Cyber threats leveraging the ongoing ‘COVID-19’ scare are on the rise. In the past 24 hours alone, security experts have recorded several incidents that used the disease as a lure to spread malware. In one campaign, threat actors impersonated the WHO to send emails carrying a malicious e-book on protecting against COVID-19. Meanwhile, the operators of the TrickBot and Emotet trojans were spotted using fake news stories about the disease to distribute their malware.

That’s not all. A spyware called SpyMax was also uncovered being distributed via an application called ‘corona live 1.1’. It can access sensitive Android phone data and SMS messages, modify settings, provide a shell terminal, record audio, operate the camera, and more.

Talking about security updates, Adobe has released patches for 41 vulnerabilities affecting its various products. Six of these flaws are rated as ‘Critical’. The affected products include Adobe’s Genuine Integrity Service, Acrobat Reader, Photoshop, Experience Manager, ColdFusion 2016 and 2018 and Bridge.

Top Breaches Reported in the Last 24 Hours

Food delivery service attacked
Takeaway.com’s German food delivery service, Lieferando.de, has suffered a DDoS attack that crippled the company’s ordering systems and processes. The attackers are demanding a ransom of 2 bitcoins to stop the siege.

Top Malware Reported in the Last 24 Hours

Stantinko botnet evolves
The Stantinko botnet has evolved to include a new cryptomining module and several new obfuscation techniques. The most notable of these are string obfuscation and control-flow obfuscation.

A new version of Pysa ransomware
CERT France has revealed that some local governments have been infected with a new version of the Pysa ransomware. The ransomware family was first spotted in October 2019; the Pysa variant, named for the .pysa extension it appends to encrypted files, followed two months later, in December 2019.

Spark and EnigmaSpark backdoor
A cyberespionage group named MoleRATs, active since at least 2012, has been found using a legitimate tool to shield its backdoor. The backdoor, referred to by the names Spark and EnigmaSpark, was deployed in recent phishing campaigns. The group also sends a fake Host header naming a known news site so that the backdoor’s traffic passes for ordinary browsing.
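A fake Host header is detectable in proxy or Zeek-style HTTP logs by comparing the Host value against what that name actually resolved to for the client: an implant that connects to a hard-coded IP while claiming to talk to a news site produces a Host name that either never appeared in the DNS log or resolved to a different address. The following is an added example of that check, not code from the page or from the researchers it cites; the log lines, the host names and the DNS snapshot are constructed (documentation address ranges, reserved example domains).

```python
"""Flag HTTP requests whose Host header does not match the destination.

Added illustration only; the sample log and DNS snapshot below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the shape of a tab-separated http.log:
#   ts  src_ip  dst_ip  host_header  uri
# 192.0.2.0/24 plays the legitimate news site, 203.0.113.0/24 the C2 server.
SAMPLE_HTTP_LOG = """\
1584576000.1\t10.0.0.5\t192.0.2.10\tnews.example.com\t/
1584576001.2\t10.0.0.5\t203.0.113.10\tnews.example.com\t/update.php
1584576002.3\t10.0.0.7\t203.0.113.10\t203.0.113.10\t/
1584576003.4\t10.0.0.9\t203.0.113.10\tcdn.example.net\t/img.gif
"""

# Constructed resolver snapshot: answers seen in the DNS log for each name.
# In production, build this per client from the DNS log for the same window,
# because CDN-hosted names legitimately resolve to many addresses.
DNS_SNAPSHOT = {
    "news.example.com": {"192.0.2.10", "192.0.2.11"},
}


@dataclass(frozen=True)
class HostMismatch:
    ts: str
    src: str
    dst: str
    host: str
    reason: str


def parse_http_log(text):
    """Yield (ts, src, dst, host, uri) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, host, uri = line.split("\t")
        yield ts, src, dst, host, uri


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_host_mismatches(log_text, dns_snapshot):
    """Return requests whose Host name did not resolve to the destination IP."""
    hits = []
    for ts, src, dst, host, _uri in parse_http_log(log_text):
        # Normalise: strip port, trailing dot, case.
        name = host.split(":")[0].rstrip(".").lower()
        if is_ip_literal(name):
            # A bare-IP Host carries no name to spoof; treat separately.
            continue
        resolved = dns_snapshot.get(name)
        if resolved is None:
            hits.append(HostMismatch(ts, src, dst, host, "host never resolved in DNS log"))
        elif dst not in resolved:
            hits.append(HostMismatch(ts, src, dst, host, "host resolves elsewhere"))
    return hits


if __name__ == "__main__":
    for hit in find_host_mismatches(SAMPLE_HTTP_LOG, DNS_SNAPSHOT):
        print(f"{hit.ts} {hit.src} -> {hit.dst} Host={hit.host}: {hit.reason}")
```

The second and fourth sample lines are flagged; the first matches the resolver answer and the third carries a bare IP. Expect noise from CDNs and load balancers if the snapshot is a static list rather than the DNS answers the same client received shortly before the connection, so correlate by client and time before alerting.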

Emotet and TrickBot leverage news stories
Experts have warned about new Coronavirus-themed attacks spreading the TrickBot and Emotet trojans. The trojans are being distributed via fake news stories about the Coronavirus outbreak, and researchers found that the malware samples used text strings lifted from CNN news stories in their file descriptions.

Fake e-book used as bait
Threat actors are impersonating the World Health Organization (WHO) and sending a fake e-book as a lure. The e-book arrives as an email attachment that claims to offer guidance on staying safe from COVID-19. Once the user opens the attachment, a downloader called GuLoader is executed; GuLoader is commonly used to drop the FormBook trojan.

SpyMax
Threat actors are using an application named ‘corona live 1.1’ to deliver a spyware called SpyMax. The malware carries the same functionality as another surveillance-ware called SpyNote. It can access sensitive Android phone data and SMS messages, modify settings, provide a shell terminal, record audio, operate the camera and more. SpyMax is being used against individuals in Libya.

Top Vulnerabilities Reported in the Last 24 Hours

Adobe fixes 41 flaws
Adobe has released security updates to fix 41 vulnerabilities across its several products including its Genuine Integrity Service, Acrobat Reader, Photoshop, Experience Manager, ColdFusion 2016 and 2018 and Bridge. Six of these vulnerabilities have been rated as ‘Critical’.

Cisco fixes 5 security flaws
Cisco has fixed 5 security flaws in its SD-WAN software that could allow attackers to make unauthorized changes to the system and execute arbitrary commands. The flaws are tracked as CVE-2020-3265, CVE-2020-3266, CVE-2020-3264, CVE-2019-16010, and CVE-2019-16012. They affect Cisco products running Cisco SD-WAN solution software releases earlier than Release 19.2.2.

Tags: trickbot malware, cisco sd wan, pysa ransomware, enigmaspark backdoor, spymax, stantinko botnet

Posted on: March 19, 2020
