Cyware Daily Threat Intelligence, September 27, 2019

The notorious Trickbot trojan, which has been around since 2016, is back with new tricks up its sleeve. This time the trojan has been found containing a spamming module that is capable of harvesting the victim’s address book to later use it to spam new victims. Security researchers have found that threat actors are using phishing emails to spread this new Trickbot variant.

The past 24 hours also saw the emergence of two new malware families, Whiteshadow and Nodersok. While Whiteshadow is distributed as a set of Microsoft Office macros, Nodersok relies on PowerShell to install itself on the infected host.

On the patching front, Cisco has released security fixes to address multiple critical and high-severity vulnerabilities affecting its products, including its Unified Computing products and its IOS & IOS-XE network automation software. These vulnerabilities could be exploited to take control of affected systems.

Top Breaches Reported in the Last 24 Hours

DoorDash’s breach affects 4.9 million people
Food delivery platform DoorDash has confirmed a data breach affecting 4.9 million customers, workers and merchants. The incident occurred due to unauthorized third-party access on May 4, 2019. The compromised information includes names, emails, delivery addresses, phone numbers, and hashed and salted passwords. Driver’s license numbers of nearly 100,000 delivery executives have also been exposed in the breach.

The city of Charlottesville attacked
The city of Charlottesville is notifying about 10,700 of its current and former utility billing customers about a data breach. The city discovered the data breach while looking into an unrelated phishing scam and launched its investigation in May. The compromised information includes social security numbers, addresses, and driver's license numbers.

Top Malware Reported in the Last 24 Hours

TrickBot trojan evolves
A new phishing campaign targeting a supplier for a logistics provider has been found distributing a new variant of the TrickBot trojan. The email appears to come from a company that manufactures and distributes electrical components. It includes an attachment which, if opened, initiates the download of the trojan. The new variant includes spamming modules that harvest the victim’s address book so it can later be used to spam new victims.

Whiteshadow downloader
A new malware downloader named Whiteshadow has been found to be delivered in multiple campaigns. It uses detection evasion techniques and Microsoft SQL queries to drop malicious payloads onto compromised machines. It is distributed as a set of Microsoft Office macros.

Nodersok malicious campaign
Security researchers have uncovered a new fileless malicious campaign named Nodersok. The campaign is used to infect Windows computers with a Node.js-based malware, called Nodersok, that will turn the infected devices into proxies. The malware has been used to attack thousands of machines in the last few weeks.

REvil ransomware
A new spam campaign targeting Chinese recipients is underway. The campaign distributes the REvil (also known as Sodinokibi) ransomware. The malware is delivered via spam emails purporting to be from DHL, stating that the delivery of a package has been delayed. The email includes a document in which the recipient is asked to fill in their correct address. However, the document is actually the trigger point for the download of the REvil ransomware.

Fake gambling apps
Hundreds of fake gambling-related apps have been removed from the App Store and Google Play Store following the discovery of their malicious activities. These apps are also available on third-party sites. Although these apps had different descriptions, they shared similarities in their suspicious behavior. These apps were designed in such a way that they bypassed both Google’s and Apple’s vetting process.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco releases security updates
Cisco has released security updates to address a dozen high-severity vulnerabilities affecting the widely deployed Cisco IOS and IOS XE network automation software. The vulnerabilities affect its industrial routers and grid routers. One of these is a flaw tracked as CVE-2019-12648. The vulnerability could enable unauthenticated remote attackers to access the guest operating system (Guest OS) as the root user. It has a CVSS score of 3.0. The company has also issued security fixes for vulnerabilities affecting its Unified Computing products.

Apple releases updates
Apple has released a second ‘Supplemental Update’ for macOS Mojave 10.14.6 along with other security updates for High Sierra. The issue affecting macOS Mojave is tracked as CVE-2019-8641 and allows unauthenticated users to cause unexpected application termination or arbitrary code execution on unpatched Macs.

Top Scams Reported in the Last 24 Hours

Facebook scam
The Better Business Bureau is warning the public about a phishing scam targeting Facebook users. The scam reaches users in the form of a direct message that includes a link to a video, asking ‘Is this you?’. To make it look less suspicious, the message appears to come from people on the users’ friend lists. The scam is designed to steal personal information: the link included in the message actually leads to a clone of the Facebook login page.

Posted on: September 27, 2019