Cyware Daily Threat Intelligence November 6, 2018

Security researchers at Palo Alto Networks have come across a new Powershell backdoor malware dubbed as POWERSHORE. The malware is used to conduct attacks against European organizations. It is delivered via two spear-phishing emails. The first email is used only for reconnaissance. This is followed by a second phishing email that contains a remote template which if downloaded delivers a first stage payload. 

SearchPageInstaller (SPI) - a piece of adware that has been around since at least 2017 - has been found to be linked with the use of mitmproxy. It injects advertisements into the top of the HTML document returned from a user's search to generate revenues for hackers. In order to do this, the malware first enables both HTTP and HTTPS proxies on compromised machines.

Researchers have come across a new malware campaign that combines legitimate Windows files such as WMI and CertUtil to target Brazilians. The banking malware is distributed via a phishing email that appears to come from the national postal service of Brazil. The email contains a bogus tracking code and a link to download a ZIP file. 

Security researchers have found a zero-day exploit in the Microsoft Edge Browser that can trigger remote code execution attacks. The newly discovered zero-day exploit was found with the help of the Wadi Fuzzer utility. The extent of the RCE attacks largely depends on the privileged level of the account logged in. 

Security researchers have discovered two new security flaws dubbed as 'BleedingBit'in the Bluetooth chips. When exploited, the flaws could allow attackers to compromised enterprise networks. The two critical vulnerabilities are related to the use of Bluetooth Low Energy (BLE) chips manufactured by Texas Instruments.

Critical vulnerabilities have been discovered in the solid-state drives used by Samsung and other crucial companies. The flaws have been found both the internal and external storage devices. The first flaw (CVE-2018-12037) is due to the absence of cryptographic binding between the assigned cryptographic key and the password provided by the user. The second flaw (CVE-2018-12038) occurs because of unprotected key information, which can be overwritten with an encrypted variant.

Scammers in Macau have fine-tuned their modus operandi. They are now targeting senior citizens who have not registered for online banking. Here, the scammer convinces an elderly citizen - who relies on conventional banking methods - to register for online banking and tricks him/her into revealing their personal details. This enables the fraudster to gain easy access to conduct banking transactions on the victim's behalf. 

Scammers have created a fake Vote411[.]com website in order to target US voters. Vote411[.]org is a popular voter information website that explains a voter on how to vote and gives candidate details. The fake website redirects people to a page telling them that their devices are infected with a virus and that they need to call on a phone number available on the page. It's unclear if the scammers are conducting the attack for political espionage.