Go to listing page

Cyware Daily Threat Intelligence, September 29, 2021

Cyware Daily Threat Intelligence, September 29, 2021

Share Blog Post

Uncertainty looms over Android users as several sneaky Android trojans emerge in the threat landscape.  While the new PixStealer and MalRhino malware were found using the Google Play Store to target banking users in Brazil, the newly discovered GriftHorse trojan stole a fortune from over 10 million users by masquerading as 200 different apps.

Dridex has been revamped to DoppelDridex that is being actively used in attack campaigns associated with the DOPPEL SPIDER group. A new version of FormBook infostealer has also been spotted in a new campaign that leverages the recent Office 365 zero-day vulnerability to deploy Cobalt Strike Beacon in the initial stage.

Top Breaches Reported in the Last 24 Hours

Afghan telecom provider affected
Chinese-state-sponsored threat actor group RedFoxtrot has stolen 4GB of data after breaching a major Afghan telecom provider Roshan. The exact content of the stolen data is unclear. The firm has also suffered two more infiltration attacks that deployed the PlugX RAT and Winnti malware.

Wintervivern campaign
Researchers have detected an active campaign that is associated with the Wintervivern threat actor group. The campaign targets European governments using an XLM macro that distributes a RAT.

Portpass exposes data
Vaccine passport app Portpass potentially exposed the personal information of more than 650,000 registered users on its website. The exposed information includes email addresses, names, blood types, phone numbers, and driver’s licenses of users.

Top Malware Reported in the Last 24 Hours

Two new banking malware
Two newly discovered Android malware—PixStealer and MalRhino—were found leveraging the apps on Google Play Store to target banking users in Brazil. While PixStealer disguised itself as a fake PagBank Cashback service app, the MalRhino masqueraded as a mobile token app for Brazil’s Inter bank. These apps have now been removed from the Play Store.

DoppelDridex trojan
DoppelDridex is a new variant of the Dridex trojan that is distributed via Slack and Discord CDNs. It is operated by a financially motivated adversary tracked as DOPPEL SPIDER. The malware variant has been associated with several recent phishing campaigns.

Nefarious FinSpy malware
The nefarious FinSpy has now been upgraded to enable propagation via UEFI bootkit. The new version has been spotted in an ongoing campaign targeting Android and iOS users in Myanmar. The spyware is capable of exfiltrating a variety of data including browser information, Microsoft product keys, search history, and Skype recordings.

FormBook upgraded
A new version of FormBook infostealer is being distributed by exploiting a recent Office 365 zero-day vulnerability tracked as CVE-2021-40444. The ongoing campaign uses an email with a malicious Word document attachment as the initial infection vector.

GriftHorse trojan
Researchers have uncovered a new campaign that distributes a new trojan, dubbed GriftHorse. The malware has infected around 10 million users across 70 countries. Over 200 applications spread across various categories, ranging from Tools and Entertainment to Personalization, Lifestyle, and Dating were designed to propagate the malware.

The rise in Ursnif attacks
Researchers have observed a spike in attacks linked with the Ursnif trojan. As many as 2,000 organizations were targeted with phishing emails written in the Italian language.

Top Scams Reported in the Last 24 Hours

Crypto scam
Security Service of Ukraine (SSU) experts took down an illegitimate network of call centers located in Lviv following the discovery of a scam. The perpetrators behind this scam used covert channels to get in touch with customers and deceived them in a fraudulent scheme for investing in cryptocurrency.

 Tags

malrhino
doppel spider
doppeldridex
wintervivern campaign
pixstealer

Posted on: September 29, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.