Cyware Daily Threat Intelligence, October 01, 2020


The last 24 hours in the cyber ecosystem revolved around new malware variants. The variants in question belong to the InterPlanetary Storm botnet and the Android/SpyC23.A spyware. While the new version of InterPlanetary Storm comes with fresh obfuscation techniques and the ability to target Mac and Android devices, the new version of Android/SpyC23.A is capable of recording calls, stealing WhatsApp and Telegram messages, and capturing screenshots.

The notorious LokiBot was also observed in an unusual phishing campaign that used shortened URLs as part of its evasion strategy. The phishing emails carried a PowerPoint attachment that triggered the download of the malware.

Top Breaches Reported in the Last 24 Hours

Kylie Cosmetics breached
Makeup company Kylie Cosmetics has warned customers that their personal information may have been compromised in the recent Shopify data breach. According to Shopify, the exposed data included basic contact details such as email address, name, and postal address, as well as order details.

Top Malware Reported in the Last 24 Hours

LokiBot returns
Spammers are generating shortened URLs for their phishing links to evade detection by email filters. The phishing email is titled "URGENT: REQUEST FOR OFFER (University of Auckland)..." and arrives with an attached PowerPoint file containing macros. Once the file is opened, the macro invokes the Windows utility mshta.exe to connect to a malicious URL. The final stage of the chain downloads the LokiBot malware.
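The chain described above (Office document spawning mshta.exe, which fetches a remote URL) is a reliable process-tree signal regardless of which shortener the lure uses. The following detection is an added example, not code from Cyware or from the researchers who reported the campaign; the log records are constructed to resemble Sysmon process-creation events, and the field names, the short.example domain, and the list of parent and child binaries are assumptions chosen for illustration.

```python
"""Flag Office-application -> scripting-host -> remote-URL chains in process logs.

Added example, not Cyware's code. Records are constructed in a simplified
'Key=Value|Key=Value' form modelled on Sysmon Event ID 1; the field names
and the sample paths are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Office applications that have no normal reason to spawn a scripting host.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Living-off-the-land binaries commonly abused as stage-two downloaders.
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
           "regsvr32.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Finding:
    parent: str   # basename of the parent process
    image: str    # basename of the spawned process
    url: str      # first URL found in the command line ("" if none)
    line: str     # the raw record that triggered the finding


def parse_event(line: str) -> dict:
    """Parse a 'Key=Value|Key=Value' record; values may contain spaces."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(lines):
    """Return a Finding for every record where an Office app spawned a LOLBin."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and image in LOLBINS:
            match = URL_RE.search(ev.get("CommandLine", ""))
            findings.append(Finding(parent, image,
                                    match.group(0) if match else "", line))
    return findings


# Constructed sample records (not real telemetry): one matches the LokiBot
# delivery chain, one is benign, one is mshta.exe launched from Explorer.
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
    "|CommandLine=mshta.exe https://short.example/abc123",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe offer.txt",
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=mshta.exe C:\\Users\\u\\app.hta",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.parent} -> {f.image}  url={f.url or '-'}")
```

The parent/child pairing is what carries the signal: mshta.exe run from Explorer with a local .hta is left alone, while mshta.exe spawned by PowerPoint with a URL argument is flagged even though the shortened link itself reveals nothing about the final LokiBot payload.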

A new variant of Android/SpyC23.A
Researchers have uncovered a new version of Android/SpyC23.A spyware used by the APT-C-23 threat group against targets in the Middle East. Among the new capabilities possessed by the malware variant are reading notifications from messaging apps, call recording, and screen recording. It is distributed via a fake ‘DigitalApps’ store.

Newly discovered Linkury operation
A newly discovered Linkury adware campaign has been found distributing a browser hijacker, the SafeFinder widget, which is in turn used to spread malware. The widget is advertised as a way to perform safe searches on the internet in order to trick unsuspecting users. The campaign targets Chrome, Firefox, and Safari.

New InterPlanetary Storm botnet
A new variant of the InterPlanetary Storm botnet has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices. The malware spreads by brute-forcing credentials on devices exposing Secure Shell (SSH).
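Because the botnet's only propagation route mentioned here is SSH credential brute-forcing, the corresponding host-side check is a failed-login rate detector over sshd's auth log. The script below is an added example, not code from Cyware or from the researchers who analysed InterPlanetary Storm; the log lines are constructed in OpenSSH's syslog format, and the threshold (five failures from one source within 60 seconds) and the assumed log year are illustrative choices.

```python
"""Flag SSH password brute-forcing from sshd auth-log lines.

Added example, not from the Cyware post or the botnet research it summarizes.
Log lines are constructed in OpenSSH syslog format; the threshold/window and
the year (syslog timestamps carry none) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password for root" and "Failed password for invalid user admin".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2020) -> datetime:
    """Parse 'Oct  1 03:14:15' (syslog has no year, so one is assumed)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {source_ip: summary} for every source whose failed-password
    count inside a sliding window of window_s seconds reaches threshold."""
    recent = defaultdict(deque)     # ip -> timestamps of failures still in window
    users = defaultdict(set)        # ip -> usernames attempted (spray indicator)
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:   # evict stale failures
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first": q[0], "last": t,
                           "count": len(q), "users": sorted(users[ip])}
    return flagged


# Constructed sample log (not real traffic): 203.0.113.7 sprays several
# accounts in a few seconds; 198.51.100.4 is a user who mistyped twice.
SAMPLE_AUTH_LOG = [
    "Oct  1 03:14:15 host sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Oct  1 03:14:17 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2",
    "Oct  1 03:14:19 host sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 51236 ssh2",
    "Oct  1 03:14:21 host sshd[2207]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "Oct  1 03:14:23 host sshd[2209]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Oct  1 03:14:25 host sshd[2211]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2",
    "Oct  1 03:20:00 host sshd[2220]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Oct  1 03:25:00 host sshd[2222]: Failed password for alice from 198.51.100.4 port 40002 ssh2",
]

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['count']} failures {info['first'].time()}-{info['last'].time()}"
              f" users={info['users']}")
```

The sliding window keeps a legitimate user's occasional typos below the threshold while a botnet's rapid spray across root, admin and pi is caught on its fifth attempt. Detection is the fallback, though: a host that sets PasswordAuthentication no in sshd_config and accepts only keys offers this propagation method nothing to brute-force.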

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable remote access software
Several flaws discovered in two popular industrial remote access solutions can be exploited to break into a company's network, tamper with data, or steal highly sensitive trade secrets. The affected products are made by B&R Automation and mbConnect Line. While mbConnect has fixed the issues in newer versions of its product, there is no update yet for the B&R Automation products.

Top Scams Reported in the Last 24 Hours

Phishing attack
A threat actor group dubbed TA2552 is using Netflix and Amazon brands as lures to target Microsoft 365 users in Spain. The campaign, active since July 2020, sends phishing emails containing a link to a fake Office 365 login page. The ultimate goal is to silently steal data or to intercept password reset messages for the victim's other accounts. Earlier in the campaign, the group used messages with Mexican tax and government themes.

BEC scam detected
The FBI is investigating an ongoing BEC campaign in which $15 million has been stolen from at least 150 victims. The campaign uses social engineering to impersonate senior executives, with the attackers operating through Microsoft Office 365 email accounts. So far, the majority of these attacks have targeted organizations in the U.S.


Posted on: October 01, 2020
