Cyware Daily Threat Intelligence, October 03, 2019

Share Blog Post

Cybercriminals are no different than the rest of us when it comes to committing mistakes. Due to a major security lapse, security researchers have managed to pull back the curtain on Geost botnet which used 13 C2 servers to run hundreds of malicious domains. This was possible due to the attackers’ failure to encrypt the C2 servers and their chat sessions. The botnet has infected nearly 800,000 Android users in a massive cyberespionage campaign which was active since 2016.

Despite this, the past 24 hours saw the emergence of a new malicious campaign targeting organizations across the world. Dubbed as MasterMana Botnet, the campaign leverages a combination of pages hosted on, BlogSpot, and Pastebin to deliver Azorult and RevengeRAT malware. It is believed that a new Gorgon threat actor group is behind the campaign.

The past 24 hours also witnessed a major security update related to the infamous speculative execution-based side-channel attacks. Intel has published details about a new type of computer memory architecture dubbed Speculative-Access Protected Memory (SAPM) that can be used to protect against Meltdown, Spectre, L1TF, SGXSpectre, SWAPGSAttack, Zombieload, and MDS attacks.

Top Breaches Reported in the Last 24 Hours

Zendesk updates on data breach
Zendesk has disclosed a data breach that took place in 2016. The incident may have affected 10,000 users that had registered Zendesk Support and Chat accounts. The company has revealed that hackers may have accessed information from all categories of Zendesk users including customer agents, and end-users. The compromised information includes email addresses, names, hashed passwords, and phone numbers. Starting October 3, 2019, Zendesk plans to reset passwords for all users that registered before November 1, 2016.

Top Malware Reported in the Last 24 Hours

MasterMana Botnet campaign
An ongoing cybercrime campaign called ‘MasterMana Botnet’ is targeting organizations across the world. The operation had begun in December 2018 and appears financially motivated. Going by the tactics, techniques, and procedures, experts believe it to be the work of the Gorgon threat actor group. The campaign is used to deliver Azorult and RevengeRAT malware.

Cracking Geost botnet
In a major crackdown, security experts have managed to pull the plug on the operations of Geost botnet which used 13 C2 servers to run hundreds of malicious domains. The botnet was used by attackers to conduct a campaign that impacted nearly 800,000 Android users. It was used to steal banking details of customers of five banks located in Eastern Europe and Russia.

Sodinokibi backed by GandCrab affiliates
A new report reveals that some high-profile affiliates associated with GandCrab v5.2 are behind Sodinokibi ransomware. The REvil uses affiliates IDs and SubIDs in the same way as GandCrab. Earlier, it was found that the ransomware shared some code with GandCrab ransomware.

FTCode ransomware
An old PowerShell ransomware has resurfaced in a new spam distribution campaign aimed at Italian users. The ransomware is distributed through spam emails containing malicious Word docs. These spam emails pretend to be invoices, document scans and resumes.

Casbaneiro trojan
Casbaneiro is a banking trojan that has been designed to target Brazil users. The malware includes backdoor functionality and it abuses the vulnerabilities in legitimate tools and software for propagation. The capabilities of the malware include taking screenshots, capturing keystrokes, and restricting access to various websites.

Top Vulnerabilities Reported in the Last 24 Hours

Double-free vulnerability
WhatsApp for Android has been found to be vulnerable to a double-free vulnerability. The flaw could be exploited to remotely execute arbitrary code on the targeted device. The flaw affects WhatsApp versions prior to 2.19.230. The flaw has been addressed in the version 2.19.244.

SAPM Memory
Researchers from Intel have proposed a new type of computer memory that can be used to protect against speculative side-channel attacks. Dubbed as Speculative-Access Protected Memory (SAPM), it can mitigate Meltdown, Spectre, L1TF, SGXSpectre, SWAPGSAttack, Zombieload, MDS, and other similar attacks.

JamfPro flaw fixed
A flaw has been discovered in Jamf Pro management software. The Jamf Pro 10.15.1 update fixes a flaw that, depending upon the version being used, allows for file deletions or RCE. The flaw only impacts the Jamf Pro server prior to version 10.14.0. Companies running versions 9.4 through 10.13 are vulnerable to RCE. On version 10.14 through 10.15, attackers could delete files on the server, but not install or execute code.


revengerat malware
geost botnet
speculative access protected memory
mastermana botnet

Posted on: October 03, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!