Cyware Daily Threat Intelligence, May 12, 2020


Malware authors often expand the capabilities of their malware in an attempt to launch more sophisticated attacks. In the past 24 hours, security experts have come across new variants of three existing trojans, namely Astaroth, Zeus-Sphinx, and Anubis. While the new variant of Zeus-Sphinx was widely distributed in the first quarter of 2020 via malspam featuring coronavirus relief payment updates, the new Astaroth version retrieved its C2 server address from a URL hidden in a YouTube channel description. Meanwhile, the new variant of the Anubis trojan, which is under active development, will allow attackers to obtain granular details about an infected device.

The terror of Maze ransomware was also witnessed in the last 24 hours. In its latest attempt, the notorious ransomware tried to infect Pitney Bowes. The attack was only partially successful, as the threat actors managed to steal some data from the company but not to encrypt its systems.

Top Breaches Reported in the Last 24 Hours

Diebold Nixdorf hit
Diebold Nixdorf, a major provider of ATMs and payment technology for banks and retailers, has suffered a ransomware attack. The company denies that ATMs or customer networks were affected; the intrusion affected only its corporate network. Early investigations determined that the attack was conducted using the ProLock ransomware.

Texas court suffers an attack
The Texas court system was hit by ransomware on May 8, 2020. Following the attack, the court blocked access to the branch network including websites and servers to prevent further movement of the malware. Meanwhile, it was found that the attack did not impact Texas’ individual trial court networks, and no sensitive data was compromised.

Maze ransomware attack
Global business services company Pitney Bowes recently thwarted an attack by Maze ransomware. However, the threat actors had stolen some data before the encryption process failed. Screenshots of the data stolen from Pitney Bowes' computers were published.

Iran prevents an attack
Iranian officials revealed that hackers damaged a small number of computers in a failed cyberattack against the port of Bandar Abbas. The attack occurred last Friday. However, further details about the cyberattack remain unknown.

WeLeakData’s data on sale
The database stolen from the data breach marketplace called WeLeakData[.]com has been put up for sale on the dark web. The database includes the private conversations of hackers who used the site. It also contains login names, email addresses, hashed passwords, and IP addresses of site members.

ESET suffered a DDoS attack
A DDoS attack was launched against the ESET website through a malicious Android app. The incident occurred in January 2020 and lasted for seven hours. ESET researchers immediately identified the malicious app and reported it to Google.

Top Malware Reported in the Last 24 Hours

Zeus-Sphinx terror
Zeus-Sphinx version 2.0.8.9 spread more widely in the first quarter of 2020 via malspam featuring coronavirus relief payment updates. First observed in late 2019, the latest version includes a persistence mechanism and malware injection capabilities.

Anubis under development
The operators of the Anubis trojan are in the process of enhancing capabilities aimed at helping attackers closely monitor infected devices. The trojan's control panel now includes new features that let fraudsters pick and choose which device they want to steal data from and which services they want to target.

Astaroth trojan evolves
The Astaroth infostealer trojan has evolved to include a slew of anti-analysis and anti-sandbox techniques. One of its obfuscation techniques is hiding the URL of its command and control (C2) server in a YouTube channel description.

BackConfig malware
Researchers have uncovered a new spearphishing campaign that has been active for the past four months. The campaign delivers the BackConfig malware via a weaponized Microsoft Excel document. The malware is being used to target government and military organizations in South Asia.
 
Top Vulnerabilities Reported in the Last 24 Hours

PoC for deserialization flaw
Trend Micro researchers have released technical details on how attackers can exploit a deserialization vulnerability (CVE-2020-2883) in Oracle WebLogic Server. Oracle had issued a patch for the vulnerability in its April 2020 Critical Patch Update.

Buggy plugins
Two high-severity vulnerabilities found in the Page Builder WordPress plugin can let hackers create new admin accounts, plant backdoors, and ultimately take over compromised websites. The flaws, tracked as Cross-Site Request Forgery (CSRF) vulnerabilities, affect all Page Builder versions up to 2.10.15 and have been fixed in version 2.10.16.

 Tags

anubis malware
backconfig malware
astaroth trojan
deserialization flaw
maze ransomware
zeus sphinx

Posted on: May 12, 2020
