Cyware Daily Threat Intelligence, October 07, 2020


Malware obfuscation techniques are taking a new shape with the abuse of legitimate services. Researchers have found a new form of fileless attack, called Kraken, that leverages the Windows Error Reporting (WER) service as part of its evasion strategy. The attack starts with a spear-phishing email that contains a zip file.

Furthermore, a widespread malware campaign that makes use of legitimate Pastebin sites to obscure and host malware has been discovered in the last 24 hours. Among the malware identified in the campaign are AgentTesla, LimeRAT, and Redline Stealer.

A new botnet dubbed HEH has also been uncovered in the last 24 hours. It is capable of wiping all data from infected systems such as routers, servers, and IoT devices.

Top Breaches Reported in the Last 24 Hours

Chowbus breached
The Chowbus food delivery service has been breached after a threat actor gained unauthorized access to 800,000 user records. The stolen data contained names, email addresses, phone numbers, and mailing addresses of customers. The hack came to light after numerous customers complained of receiving a mysterious email titled ‘Chowbus data’ that stated ‘Download Chowbus data here.’

Top Malware Reported in the Last 24 Hours

A new version of PoetRAT
A new version of PoetRAT has been found targeting the Azerbaijani public sector and other important organizations. The campaign leverages malicious documents that pretend to be from government officials. This has enabled attackers to obtain access to sensitive documents on compromised systems.

New HEH botnet
A newly discovered HEH botnet is capable of wiping all data from infected systems such as routers, servers, and IoT devices. The botnet spreads via brute-force attacks against interconnected systems. The botnet has been detected on the following CPU architectures: x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III), and PPC.

New Kraken attack
A new fileless attack called Kraken abuses the Windows Error Reporting (WER) service as a defense evasion mechanism. The attack starts with a spear-phishing email that contains a zip file. Inside the zip file is a malicious document that pretends to include information about compensation rights for workers.

Emotet on the rise
CISA has issued an alert to warn about rising Emotet attacks since August. The agency reveals that multiple state and local governments in the U.S. have been targeted by the trojan in the past two months. The attacks are carried out through phishing emails.

Obscuring through Pastebin site
Researchers have identified multiple malware campaigns relying on legitimate paste services like paste.nrecom.net to host malicious payloads. These paste sites enable malware such as Agent Tesla to hide its malicious code in plain sight.

Top Vulnerabilities Reported in the Last 24 Hours

Patches released for Android
The October 2020 security updates for Android include patches for a total of 48 vulnerabilities. Twenty-two of these flaws have a high-severity rating. One of the critical-severity flaws affects Qualcomm components. Other impacted components include Android runtime, Framework, and Media Framework.


Posted on: October 08, 2020
