
Cyware Daily Threat Intelligence, May 24, 2019


Mirai, the botnet behind the record-setting DDoS attacks of 2016, continues to evolve. Successive variants have broadened the range of devices they can compromise. Security experts have now uncovered a new variant that leverages a total of 13 exploits to target routers and other IoT devices. Tracked as Backdoor.Linux.MIRAI.VWIPT, it combines DDoS and backdoor capabilities and uses four different URLs to receive commands from the attackers and download malicious payloads.

A new variant of the JasperLoader malware, a loader that drops further payloads onto victims' machines, was also observed in the past 24 hours. The new version is aimed at Italian users and includes new anti-analysis mechanisms.

A new phishing campaign that pushes spam notifications disguised as missed-call alerts has also been reported in the past 24 hours. The notifications carry the Chrome browser's icon, are styled as a 'Missed call' alert, and include an enticing message to lure users into tapping them.

Top Breaches Reported in the Last 24 Hours

Computacenter hacked
A third-party mailbox used by Computacenter employees and contractors has been hacked and then used in phishing scams. The mailbox was used to deposit data from security clearance applications. The information compromised in the incident is believed to include ID data, contact details, bank details, addresses, and employment history. After gaining unauthorized access to the mailbox, the attackers used it to send phishing emails.

Shubert Organization suffers a breach
America's oldest professional theatre company, The Shubert Organization, has suffered a data breach. Several employees' email accounts were compromised, and those accounts held customers' names and credit card details. The incident came to light after a company executive noticed suspicious activity on an employee's email account in February 2018.

Redtail CRM data breach
Confidential information about some clients of financial firms that use Redtail Technology's CRM has been exposed. The data was stored in a file that was not password-protected. The exposed information includes first and last names, physical addresses, dates of birth, and Social Security numbers. Redtail has removed the affected file and launched an investigation to determine the extent of the breach.

Top Malware Reported in the Last 24 Hours

New Mirai variant
A new variant of Mirai called Backdoor.Linux.MIRAI.VWIPT has been discovered leveraging 13 exploits to target routers and IoT devices. The vulnerabilities are found in specific routers, surveillance products, and other devices. Some of these vulnerabilities have already been used by Mirai variants Omni & Yowai and Gafgyt variant Hakai.

New JasperLoader variant
JasperLoader has evolved to include several anti-analysis mechanisms. The new variant is being used to target Italian users and is delivered via fake PDF documents. Among other changes, it adds a kill-switch mechanism, a fallback C2 domain retrieval mechanism, and a new bot registration and ID generation mechanism.

Video skimmers
Cybercriminals are attaching audio skimmers to automated teller machines (ATMs) and point-of-sale systems to steal users' payment card details. These devices capture the card data as audio, encrypt it, and store it in MP3 format. Lately, such skimmers have been upgraded with a camera that records the cardholder's PIN as it is entered. The devices are popular on Russian-speaking underground forums because they are easy to install.

Fake Trezor wallet app
A fake version of the companion app for the Trezor hardware wallet has been discovered in the Google Play Store and is being used to steal Bitcoin from users. It appeared on the Play Store on May 1, 2019. Its listing borrows the name and details of the genuine Trezor app, but the app itself has nothing to do with the original.

Top Vulnerabilities Reported in the Last 24 Hours

Debian security updates
Debian has issued LTS security advisory DLA-1794-1, which addresses a vulnerability in libspring-security-2.0-java, a modular Java/J2EE application security framework. A second advisory, DLA-1798-1, addresses a polymorphic typing issue in jackson-databind, a JSON library for Java.

.htaccess injector
Security researchers have detected .htaccess code injection on several Joomla and WordPress websites. As a result, the affected sites redirect visitors to the advertisement site http[:]//portal-f[.]pw/XcTyTp. Attackers use this technique to generate revenue from ad sites.
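Because an injected .htaccess rule is just a line of Apache configuration, it can be found by reading the file rather than by waiting for visitor complaints. The scanner below is an added example (not part of the Cyware brief or any vendor tooling): it flags RewriteRule, Redirect and RedirectMatch directives whose target is an absolute URL on a host other than the site's own, and separately marks the domain named in the report, portal-f.pw, as a known indicator. The sample .htaccess content, including the user-agent condition and the 302 flag, is constructed for illustration; the report only states that visitors are redirected to that URL.

```python
"""Flag externally-pointing redirect rules in Apache .htaccess content.

Added example, not code from the original report. Targets on hosts listed in
site_hosts are treated as legitimate; everything else that points off-site is
reported, and hosts in KNOWN_BAD_HOSTS are additionally marked known_bad.
"""
import re
from dataclasses import dataclass

# Indicator taken from the report (the redirect destination's host).
KNOWN_BAD_HOSTS = {"portal-f.pw"}

# Constructed sample: a standard WordPress block followed by an injected
# redirect and a legitimate off-site redirect. Not a real captured file.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://portal-f.pw/XcTyTp [R=302,L]
Redirect 301 /old-page https://example.com/new-page
"""

_ABS_URL = re.compile(r"^https?://([^/\s]+)", re.I)
_REDIRECT_DIRECTIVES = ("rewriterule", "redirect", "redirectmatch")


@dataclass
class Finding:
    line_no: int
    directive: str
    target: str
    host: str
    known_bad: bool


def _target_of(directive, parts):
    """Return the redirect target argument of a directive, or None."""
    if len(parts) < 3:
        return None
    if directive == "rewriterule":
        # RewriteRule <pattern> <substitution> [flags]
        return parts[2]
    # Redirect [status] <url-path> <url>; RedirectMatch [status] <regex> <url>
    return parts[-1]


def scan_htaccess(text, site_hosts=()):
    """Return Findings for redirect directives whose target leaves the site."""
    own_hosts = {h.lower() for h in site_hosts}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in _REDIRECT_DIRECTIVES:
            continue
        target = _target_of(directive, parts)
        if target is None:
            continue
        match = _ABS_URL.match(target)
        if not match:
            continue  # relative substitution, stays on-site
        host = match.group(1).lower().split(":")[0]
        if host in own_hosts:
            continue
        findings.append(Finding(line_no, parts[0], target, host, host in KNOWN_BAD_HOSTS))
    return findings


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS):
        flag = "KNOWN BAD" if f.known_bad else "review"
        print(f"line {f.line_no}: {f.directive} -> {f.target} [{flag}]")
```

Run over a real site, pass the site's own hostnames in site_hosts so legitimate canonical-domain redirects are not reported, and review every remaining finding; an off-site RewriteRule gated on a mobile user agent, as in the constructed sample, is a typical shape for this kind of injection.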

Top Scams Reported in the Last 24 Hours

Fake missed call alerts
Android users are being targeted in a new phishing scam that abuses the Notifications and Push APIs available to websites in Google Chrome on Android. The scammers display notifications bearing the browser's icon and styled as 'Missed call' alerts, with a catchy message announcing that a reward or an iPhone XS is waiting for the user. Victims who follow the notification are led to pages that harvest their sensitive information.

Email Scam
New Zealand's Ministry for Primary Industries (MPI) is warning customers about an email scam that impersonates the department. The subject line reads: "Re: Notices to All MPI Registerd (sic) Exporters." The email asks recipients to open an attachment to review corrections. The department has urged customers not to open the attachment, as the emails do not come from MPI. Users who have already clicked links in the email or opened the attachment have been advised to change their login credentials.



Posted on: May 24, 2019
