Go to listing page

Cyware Daily Threat Intelligence, April 29, 2019

Cyware Daily Threat Intelligence, April 29, 2019

Share Blog Post

Phishing continues to be a favorite attack vector for cyber crooks to infiltrate computers and steal personal data. Lately, security researchers have uncovered a new type of phishing attack that takes advantage of the browser's behavior in order to steal users’ personal information. Dubbed ‘inception bar’, the attack takes advantage of the fact that Chrome browser on mobile hides the address bar when a user scrolls down. This allows the attackers to exploit the browser’s UI and replace the real URL with a fake one.

The past 24 hours saw the return of the prolific AZORult info-stealing trojan. The malware has been found to be distributed via a fake PC cleaner - named G-Cleaner - for Windows. Once the fake PC Cleaner is installed, it downloads the main components on C Drive and later extracts a random file that is used to run the malware. AZORult trojan is capable of stealing a user’s browser password, FTP client password, cryptocurrency wallet, desktop files and much more.

In another major cyberespionage incident, a recently discovered BabyShark malware has been found targeting nuclear and cryptocurrency firms along with two other malware. The malware are tracked as  KimJongRAT and PCRat. They are delivered as secondary payloads.

Top Breaches Reported in the Last 24 Hours

Docker Hub database hacked
Unauthorized access to a Docker Hub database has exposed sensitive information of approximately 190,000 users. The exposed information includes some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories. Upon learning the matter, the company has revoked GitHub tokens and access keys. It has also asked its users to change their passwords and review their GitHub & Bitbucket accounts.  

University of Alaska data breach
The University of Alaska is notifying students, staff, and parents about a potential data breach incident that occurred last year. The university reported that the incident occurred between January 31, 2018 and February 15, 2018 when hackers gained unauthorized access to some email accounts. The compromised email accounts contained a wide variety of personal information. The information stolen in the incident includes an individual’s name, ID number, date of birth, digital signature, driver’s license number, username, and password.

Florida electoral system hacked in 2016
Russian hackers had gained access to one of Florida’s electoral system in an attempt to alter voter data in 2016. The hackers used spear phishing technique to mimic emails of ‘VR Systems’, the company that sells the electronic voting equipment. The email offered instructions about voting equipment in the form of a malicious attachment.  

Top Malware Reported in the Last 24 Hours

‘inception bar’ phishing method
A new type of phishing attack that makes use of the browser’s behavior has been uncovered lately. Dubbed as ‘inception bar’, the attack is used to spoof a legitimate website in the mobile version of Chrome. This occurs when a user scrolls down in an effort to give more space to the web page. The inception bar attack takes advantage of the fact that Chrome on mobile hides the address bar when scrolling. This allows the attackers to exploit the browser’s UI and replace the URL bar with a fake after the real one is hidden.       

BabyShark malware
Researchers have found that attackers are delivering two more malware along with BabyShark malware in recent cyber espionage campaigns. The campaigns are conducted with an intention to infiltrate secrets from nuclear industries and steal money from cryptocurrency firms. The two malware that are delivered as secondary payloads are KimJongRAT and PCRat. They are referred to as ‘Cowboys’.

AZORult trojan returns
Security researchers have uncovered a fake Windows PC Cleaner that is being used to drop AZORult banking trojan. The fake PC Cleaner is detected as G-Cleaner or Garbage Cleaner. When the program is installed, it downloads the main components of the fake PC cleaner and saves them to the C:\ProgramData\Garbage Cleaner. Later, it extracts a random file to the %Temp% folder and executes the malware.   

Analysis of RobbinHood ransomware
RobbinHood is an emerging ransomware that is targeting companies by compromising their computer networks. It spreads through hacked remote desktop services. Once installed on a victim’s system, the ransomware stops the operation of Windows services and disconnects all network shares from the computer. After the encryption process, it displays a ransom note demanding 3 Bitcoins per affected system or 13 Bitcoins for the entire network.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Oracle Weblogic Server
Oracle has released a security alert about a flaw found in its WebLogic Server. The vulnerability can allow a hacker to take over the targeted systems by remotely executing commands without authorization. The bug is tracked as CVE-2019-2725 and affects versions and of WebLogic Server. Oracle strongly recommends users to apply updates that are covered under Premier Support or Extended Support phases of the Lifetime Support Policy.

iLnkP2P vulnerabilities expose IoT devices
Two critical security flaws in iLnkP2P communications technology have exposed millions of IoT devices to eavesdropping, credential theft, and remote compromise. The vulnerabilities are tracked as CVE-2019-11219 and CVE-2019-11220. The flaws can allow a potential attacker to establish a direct connection to IoT devices without any authorization.

ISC patches bugs in BIND
The Internet System Consortium (ISC) has patched multiple bugs in its Berkeley Internet Name Domain (BIND). The vulnerabilities are detected as CVE-2019-6467, CVE-2019-6468, and CVE-2018-5743. These flaws, if exploited, could allow a denial of service attack.

Top Scams Reported in the Last 24 Hours

Bitcoin phone scam
The Police Department of the City of Berkeley is warning residents of phone scams that involve Bitcoins. The scammers call the targets and inform them that they are under an investigation for a drug trafficking case. Following which, they demand money from the victims in order to remove their name from the cases and avoid arrest. It was found that the criminals involved in this scam were devising several ways to mask their own telephone numbers with official numbers. The police officials have urged residents to be wary of such scam calls. In a report from the FBI, it has been found that scammers are increasingly targeting people over 50 to steal Bitcoin and other cryptocurrencies.   


robbinhood ransomware
docker hub database
azorult trojan
babyshark malware
bitcoin phone scam

Posted on: April 29, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.