Cyware Daily Threat Intelligence, September 03, 2020


The ever-evolving Emotet trojan has found a new way to sneak into systems. This time, the operators are using a malicious macro-laden attachment whose lure claims it was created on Windows 10 Mobile. Once installed, the trojan steals sensitive information from the victim's system and later downloads additional malware such as TrickBot and QBot.

Researchers have unearthed two new malware families, PyVil and Sepulcher, in the last 24 hours. Both are delivered through phishing emails; PyVil, a Python-based RAT, logs keystrokes, collects system information, and takes screenshots from infected hosts.

Top Breaches Reported in the Last 24 Hours

Schools attacked
Northumbria University is still struggling to recover from a cyberattack that forced it to close its entire campus in Newcastle upon Tyne; work is underway to restore IT systems as quickly as possible. In a separate incident, Miami-Dade County Public Schools suffered a DDoS attack that disrupted its distance-learning platform.

Top Malware Reported in the Last 24 Hours

New PyVil RAT
PyVil is a new Python-scripted remote access trojan capable of keylogging, taking screenshots, and collecting information from infected systems. It is delivered as a Windows shortcut (LNK) file masquerading as a PDF, attached to phishing emails that claim to contain identification documents associated with banking, including utility bills, credit card statements, and even photos of drivers' licenses.

New Sepulcher malware
A Chinese threat actor group, tracked as TA413, targeted European diplomatic entities and the Tibetan community with a new strain of malware named Sepulcher. Against the European targets the malware was delivered through a weaponized RTF attachment named 'Covid'; against Tibetans it arrived as a malicious PowerPoint attachment titled 'TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN and SPEAKS CHINESE'.

New details about Emotet
Emotet is now being delivered via a malicious attachment whose lure claims it was created on Windows 10 Mobile. The attachment carries malicious macros that, once enabled, download and install Emotet on the victim's computer. Once installed, the trojan steals the victim's emails for reuse in further spam campaigns and downloads additional malware such as TrickBot and QBot. The infection chain still hinges on the user enabling macros, so blocking macros in Office documents that arrive from the internet cuts it off at the first step.

Top Vulnerabilities Reported in the Last 24 Hours

Attackers abuse Google DNS over HTTPS
Attackers are abusing Google's DNS-over-HTTPS (DoH) service as an evasion technique while delivering malware to users' computers. Because DoH lookups travel as ordinary HTTPS requests to a well-known Google endpoint, they bypass DNS-based filtering and logging, so direct endpoint traffic to public DoH resolvers is worth alerting on. The suspicious domain identified in one such instance is 'jqueryupdatejs[.]com'.
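The following Python snippet is an added illustration of the detection and decoding angle on the DoH abuse described above; it is not code from the original brief or from any vendor. It assumes (my assumption, not the brief's) that the malware resolves records through Google's public DoH JSON endpoint, https://dns.google/resolve, and that the defender has a web-proxy log with one request per line. The proxy log lines and the DoH response embedded in the block are constructed sample data, not captured traffic, and the TXT payload is a made-up example of a download location being smuggled through DNS.

```python
"""Flag endpoint traffic to public DoH resolvers in a proxy log and
decode the TXT strings a Google DoH JSON answer may carry.

Added example (not from the brief). Assumptions: the Google DoH JSON
API shape at https://dns.google/resolve?name=<domain>&type=TXT, and a
proxy log format of "<timestamp> <client-ip> <method> <url>".
The log and the response below are constructed sample data.
"""

import json
from urllib.parse import parse_qs, urlsplit

# Public DoH resolvers that endpoints normally have no reason to contact
# directly (illustrative list, not exhaustive).
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Query endpoints: Google's JSON API path and the RFC 8484 wire-format path.
DOH_PATHS = ("/resolve", "/dns-query")

# Constructed proxy log (not real traffic).
SAMPLE_PROXY_LOG = """\
2020-09-02T10:14:03Z 10.1.4.22 GET https://www.example.com/index.html
2020-09-02T10:14:09Z 10.1.4.22 GET https://dns.google/resolve?name=jqueryupdatejs.com&type=TXT
2020-09-02T10:15:41Z 10.1.4.37 GET https://cloudflare-dns.com/dns-query?name=jqueryupdatejs.com&type=A
2020-09-02T10:16:02Z 10.1.4.37 POST https://dns.quad9.net/dns-query
2020-09-02T10:16:30Z 10.1.4.22 GET https://dns.google/favicon.ico
"""


def flag_doh_requests(log_text):
    """Return (client_ip, resolver_host, queried_name) for every proxy
    entry that hits a public DoH resolver's query endpoint.

    JSON-API queries carry the name in the query string. Wire-format
    POSTs to /dns-query carry it in the request body, which this log
    does not record, so those are reported with queried_name=None.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        _ts, client, _method, url = parts
        u = urlsplit(url)
        if u.hostname not in PUBLIC_DOH_HOSTS or not u.path.startswith(DOH_PATHS):
            continue
        name = parse_qs(u.query).get("name", [None])[0]
        hits.append((client, u.hostname, name))
    return hits


def extract_doh_txt(response_text):
    """Pull the TXT strings out of a Google DoH JSON answer.

    Google returns each TXT rdata wrapped in double quotes; they are
    stripped so the caller sees the raw payload string.
    """
    doc = json.loads(response_text)
    if doc.get("Status") != 0:  # 0 is NOERROR; anything else has no usable answer
        return []
    txts = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 16:  # 16 is the TXT record type
            continue
        txts.append(rr.get("data", "").strip('"'))
    return txts


# Constructed response in the shape of Google's DoH JSON API. The TXT
# content is a made-up stage-two location, not a real indicator.
SAMPLE_DOH_RESPONSE = json.dumps({
    "Status": 0,
    "Question": [{"name": "jqueryupdatejs.com.", "type": 16}],
    "Answer": [
        {"name": "jqueryupdatejs.com.", "type": 16, "TTL": 300,
         "data": "\"https://cdn.example-stage.invalid/update.js\""},
    ],
})

if __name__ == "__main__":
    for client, host, name in flag_doh_requests(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} resolving {name or '<name in POST body>'}")
    print("TXT payload(s):", extract_doh_txt(SAMPLE_DOH_RESPONSE))
```

The two functions split the problem the way a SOC would: the first runs over proxy logs to surface hosts resolving names through a public DoH service instead of the corporate resolver, the second shows why that matters, since a single TXT answer can hand the malware its next-stage location without any lookup ever reaching the internal DNS servers.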

Cisco fixes a bug
Cisco has addressed a critical remote code execution bug in its Jabber for Windows client. The flaw, tracked as CVE-2020-3495, stems from improper validation of incoming message contents. A remote attacker who can send Extensible Messaging and Presence Protocol (XMPP) messages to a vulnerable client can use maliciously crafted messages to execute arbitrary code on a system running an unpatched Jabber version, with no user interaction required. Cisco has published no workarounds, so updating to a fixed release is the only remedy.

Top Scams Reported in the Last 24 Hours

Phishing scam
Scammers have been observed abusing SharePoint and OneNote lures to steal passwords from Microsoft Office 365 users. The campaign sends its emails from compromised accounts belonging to UK engineering businesses, so the messages pass as legitimate correspondence. The emails carry attachments that, when opened, redirect recipients to a fake OneNote or SharePoint login page.

Tags

northumbria university
sepulcher rat
emotet trojan
extensible messaging and presence protocol xmpp
pyvil
dns over https

Posted on: September 03, 2020
