Cyware Daily Threat Intelligence November 23, 2018

A new variant of Azorult Trojan was discovered being distributed via the Fallout EK via in a new spam campaign called FindMyName. The new Azorult variant uses API flooding, control flow flattening, and process hollowing techniques to evade detection. Among other things, the Trojan steals browser credentials, bitcoin wallets, Skype chat message, and collects files from the desktop.

A new variant of the Aurora ransomware, dubbed Zorro has been spotted in the wild. While Aurora used the .animus, .Aurora, .desu, and .ONI file extensions to encrypt files, Zorro uses the .aurora extension. Zorro is designed to check the geographic location of the targeted system and ensure that it does not infect users located in Russia. 

A new variant of the Rotexy malware was recently discovered that combines the capabilities of a banking malware and a ransomware. Between August to October 2018, Rotexy launched over 70,000 attacks, primarily against victims in Russia. However, the malware also targeted victims in Ukraine, Germany, Turkey and other nations.

A new Rowhammer attack dubbed ECCploit emerged recently. Rowhammer is a vulnerability in dynamic random access memory (DRAM) chips that can allow attackers to gain access to systems. The new Rowhammer attack can bypass Error-Correcting Code (ECC) protections built into DDR3 chips.

ECC is a type of memory storage included as a control mechanism with high-end RAM that works by protecting against rogue bit flips, like the ones caused by Rowhammer attacks.

A new Windows 10 update was issued out that addresses the Flash Player vulnerability (CVE-2018-15981). The bug is a Type Confusion vulnerability, which could allow attackers to create malicious files, host it on the web and then exploit those who visit the website. The flaw could also allow attackers to download and execute malware to vulnerable systems. Adobe and Microsoft were driven to quickly patch the bug after its code details were leaked online. The bug also affects Linux and MacOS systems.

Amazon acknowledged being hit by a data breach just days before Black Friday. The tech giant said that the breach was caused by a technical error on its website. The breach also exposed the names and email addresses of customers. A recent statement from the firm states that the breach may also have affected Indian customers as well. However, it is still unclear as to how many Amazon users have been impacted by the breach. Amazon customers, including those in India, are advised to filter Spam and install anti-virus software.

As holiday shoppers eagerly await the madness that is Black Friday, the Federal Bureau of Investigation (FBI) is warning online shoppers to beware of Black Friday scams. Cyber fraudsters are known to cleverly craft scams surrounding holidays and other important events, to trick users into divulging sensitive, personal and financial information. In this case, cybercriminals were spotted posting ads for sales and auctions offering products which they do not have access to in reality. Once a user clicks on the ads, he/she is redirected to a link that prompts the victim to enter in personal and payment card data. Fraudsters have also been spotted using services like WhatsApp to promote fake gift cards that coincide with known brands or new stores openings. These efforts are all aimed at harvesting users' data that can be used by cybercriminals to carry out identity theft and other crimes.