Go to listing page

Cyware Daily Threat Intelligence, May 07, 2020

Cyware Daily Threat Intelligence, May 07, 2020

Share Blog Post

Web skimming attacks continue to be a headache for online retailers. In one of the most complex and innovative campaigns detected, a hacker group had created a fake favicon portal to hide their skimming operation. As part of the trick, according to researchers, the portal served as a legitimate favicon file for all pages of a website, except for the ones that contained checkout forms. 

Talking more about evasion techniques, the operators of EVILNUM have enhanced the anti-analysis of the trojan to target the financial sector. The primary characteristics of the trojan include uploading and downloading files, harvesting cookies, and running arbitrary commands. 

A new ransomware called ColdLock that has hit several organizations in Taiwan has also come to notice in the past 24 hours. The ransomware shares similarities with Lockergoga, Freeing, and EDA2 ransomware.

Top Breaches Reported in the Last 24 Hours

Unacademy suffers a breach
The online learning platform, Unacademy, has suffered a breach after hackers gained access to their database and started selling the account information of about  22 million users. The incident came to light on May 3, 2020, when the hackers began selling the database containing the account information for $2,000.   

Fresenius Group attacked
Europe’s largest private hospital operator, Fresenius Group,  had fallen victim to a Snake ransomware attack. The incident affected several computers, limiting some operations of the company. The ransomware operators have held the IT systems and data hostage in exchange for digital currency.

Microsoft’s GitHub ransacked
A hacker going by the name Shiny Hunters has claimed to have stolen over 500GB of data from Microsoft’s private GitHub repositories. The stolen data appears to mostly code samples, test projects, an eBook, and other generic items. Based on the file stamps in the leaked files, the breach may have occurred on March 28, 2020.     

Top Malware Reported in the Last 24 Hours

Cereal botnet
For almost eight years, the operators behind Cereal botnet silently hijacked D-Link NVRs and NAS devices with the sole purpose of connecting to online websites and downloading anime videos. The botnet exploited a vulnerability residing in the SMS feature of the D-Link firmware to take control of devices.    

EVILNUM trojan updated
The EVILNUM trojan has been updated with better evasion capabilities. The malware, which is active since February 2019, is used by a group of hackers targeting the financial sector. The primary characteristics of the trojan include uploading and downloading files, harvesting cookies, and running arbitrary commands. 

New ColdLock ransomware
A newly discovered ColdLock ransomware has hit several organizations in Taiwan. The ransomware shares similarities with Lockergoga, Freeing, and EDA2 ransomware. It uses the AES algorithm to encrypt files and later appends them with .locked extension.  

Decryptor for GoGoogle ransomware
Researchers have found a decryption key for GoGoogle ransomware which is written in the Go language. The ransomware, first spotted in April 2020, uses the XOR-based algorithm to encrypt files and generates .google extension to append the encrypted files. 

New variant of Dacls trojan
A new variant of Dacls trojan has been found targeting the Mac operating system. This trojan variant is distributed via a malicious two-factor authentication application called MinaOTP, mostly used by Chinese speakers. 

Web skimmer
Hackers have created a fake icon hosting website to hide a web skimming operation. The attack has been active for almost four years and is used to steal payment card data from hacked websites. 

Dodgy add-ons
Some 11 dodgy add-ons masquerading as legit crypto-wallet extensions have been spotted stealing users’ crypto-wallet credentials. Google has removed eight of these fake add-ons from Chrome Web Store.  
Top Vulnerabilities Reported in the Last 24 Hours

RCE flaw in 3S’ CODESYS
An exploitable code execution vulnerability in 3s’ CODESYS Control SoftPLC runtime system has been detected. The flaw, tracked as CVE-2020-6081, can allow an attacker to send a malicious packet to victim machines. 3S’ CODESYS has released patches to fix the vulnerability. 

Facebook fixes a bug
Facebook has fixed a major problem that caused a large number of iOS applications to crash for more than three hours on Wednesday. The bug impacted some of the biggest iOS apps like TikTok, Spotify, Tinder, Venmo, GrubHub, Doordash, Soundcloud, and Pinterest. 

Top Scams Reported in the Last 24 Hours

SilverTerrier scammers
The Nigerian BEC actors tracked as SilverTerrier has switched to COVID-19-themed lures from January 30, 2020, to target a large array of organizations, including the US healthcare. The threat actors have sent over 170 spearphishing emails to different entities in the US, the UK, Australia, Canada, and Italy. These phishing emails were used to disperse various infostealers like AgentTesla, NanoCore, LokiBot, and FormBook.

Fake Webex cert errors
A series of phishing attacks are using fake Webex Meeting SSL cert errors to steal users’ account credentials. The targeted recipients are asked to verify their accounts, by clicking on a link, as they are blocked by the administrator because of cert errors. This redirects the victims to a phishing page designed to steal credentials.


cereal botnet
fresenius group
coldlock ransomware
favicon file
skimming operation

Posted on: May 07, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.