Cyware Daily Threat Intelligence, April 08, 2019

The data-stealing TrickBot trojan keeps finding new lures. The banking malware, which is continually developed to harvest as much financial information as possible, has lately been observed targeting taxpayers in the United States. It is delivered through malicious macros embedded in Microsoft Excel attachments to tax-themed phishing emails that spoof payroll and HR providers such as Paychex and ADP.

While new ransomware families keep appearing, security researchers have at least produced a decryptor for the Planetary ransomware family, which appends planet names to encrypted files as extensions. The decryptor can recover the key only if the victim still has both the encrypted files and a copy of the ransom note.

There is no such relief for JNEC ransomware. Security researchers have discovered that threat actors are exploiting a 19-year-old WinRAR vulnerability to spread it. The bug lies in UNACEV2.DLL, the WinRAR library used to extract .ace archives. Because the library itself was never patched and WinRAR 5.70 removed it entirely, the only fix is to update WinRAR.

Top Breaches Reported in the Last 24 Hours

UniCredit duped for $15 million
A UniCredit SpA employee in China is alleged to have stolen about $15 million by abusing shared client passwords and other internal security weaknesses. The theft reportedly went undetected for more than three years. The employee allegedly used a group supervisor's password to access client accounts without authorization and then fabricated transactions to cover the withdrawals.

VoterVoice database leak
A misconfigured database belonging to VoterVoice, a 'grassroots advocacy system', has exposed the personal information of people who sent messages or joined campaigns on contentious political topics through the platform. The exposed data includes email addresses, home addresses and phone numbers of the affected people; the database held more than 300,000 unique email addresses.

Hoya corporation suffers an attack
Hoya Corporation, a leading Japanese manufacturer of optical products, suffered a cyber attack in late February that affected a large part of its factory operations in Thailand. The company revealed that the attackers deployed malware on as many as 100 computers to mine cryptocurrency.

Top Malware Reported in the Last 24 Hours

TrickBot trojan returns
The TrickBot trojan is back in new tax-themed phishing campaigns targeting taxpayers in the United States. Cybercriminals have been found using phishing emails that impersonate the payroll management firm Paychex and the HR services company ADP to distribute the malware. Once installed, the trojan connects to the attacker's C2 server to receive further commands and can redirect victims to a malicious web page that steals their banking credentials.

Decryptor for Planetary ransomware
Emsisoft has released a decryptor for files encrypted by the Planetary ransomware family. The malware appends planet names such as .mira, .Neptune or .Pluto as extensions to encrypted files. For decryption to succeed, the victim needs both a copy of the ransom note and the encrypted files.

JNEC ransomware
Security researchers have discovered that cybercriminals are leveraging a 19-year-old WinRAR vulnerability to distribute JNEC ransomware. The bug lies in UNACEV2.DLL, the WinRAR library that handles ACE archives. Once run, the ransomware generates a unique Gmail address that the victim is told to register so the decryption key can be sent there after the ransom is paid.

Top Vulnerabilities Reported in the Last 24 Hours

ACROS issues unofficial patches
ACROS Security's 0patch has released unofficial micropatches for four vulnerabilities in Oracle Java Runtime Environment (JRE). The flaws were found by Google Project Zero, which tracks them in its issue tracker as 1779, 1780, 1781 and 1782, and are rated medium severity. As with any third-party micropatch, the vendor's own update should replace it once available.

Bug patched in Omron CX-Programmer
Omron has issued a security patch for a vulnerability in its CX-Programmer PLC programming software, tracked as CVE-2019-6556. The flaw could allow an attacker to execute code with the privileges of the application. It affects CX-Programmer version 9.70 and earlier; users are urged to update to version 9.71.

MikroTik fixes a security flaw
MikroTik has released a fix for a memory exhaustion bug in devices running its RouterOS software. The vulnerability affects unpatched MikroTik equipment that routes IPv6 packets and can leave the device out of memory, causing a denial of service. Network operators running IPv6 on MikroTik equipment are advised to test and deploy RouterOS 6.43.14 or 6.44.2.

Top Scams Reported in the Last 24 Hours

Sextortion scam
A new variant of the sextortion scam has been spotted. These emails carry password-protected ZIP attachments to frighten recipients; the aim is to scare them into paying. The message claims the sender holds compromising videos recorded while the recipient visited adult sites. Subject lines follow the form "RE: Case #48942113 xxx@domain[.]com You have been warned many times - 07/04/2019 10:57:20".
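The two mail-borne lures in this briefing, the sextortion wave's password-protected ZIP with its fixed subject-line shape and TrickBot's macro-carrying Excel attachment, can both be flagged at the mail gateway without opening the attachments. The Python script below is an added example written for this page; it is not Cyware's code or any vendor's tooling. The sample messages, attachment names and the "W-2" subject line are constructed for illustration, and the subject regex is derived only from the subject line quoted above.

```python
"""Triage mail attachments for the two lure types in this briefing: a
password-protected ZIP (sextortion wave) and a macro-carrying Excel workbook
(tax-themed TrickBot phish). All sample messages are constructed below."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject-line shape seen in the sextortion wave; case number and address vary.
SEXTORTION_SUBJECT = re.compile(
    r"^RE:\s+Case\s+#\d+\s+\S+@\S+\s+You\s+have\s+been\s+warned\s+many\s+times",
    re.IGNORECASE,
)
# Bit 0 of the ZIP general-purpose flag field marks an encrypted entry.
ZIP_ENCRYPTED = 0x0001


def zip_entries(blob):
    """Return the central-directory entries of a ZIP blob, or None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def zip_is_password_protected(blob):
    entries = zip_entries(blob)
    return bool(entries) and any(e.flag_bits & ZIP_ENCRYPTED for e in entries)


def workbook_has_vba(blob):
    """OOXML workbooks (.xlsx/.xlsm) are ZIPs; VBA code lives in xl/vbaProject.bin.
    Legacy binary .xls files are OLE2 containers and are not covered here."""
    entries = zip_entries(blob)
    return bool(entries) and any(
        e.filename.lower().endswith("vbaproject.bin") for e in entries)


def triage(raw_message):
    """Return the indicator names found in one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    if SEXTORTION_SUBJECT.search(msg.get("Subject", "")):
        findings.append("sextortion-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zip_is_password_protected(payload):
            findings.append("password-protected-zip:" + name)
        if name.endswith((".xlsx", ".xlsm")) and workbook_has_vba(payload):
            findings.append("excel-with-macros:" + name)
    return findings


# --- constructed samples (not real campaign artefacts) ----------------------

def build_zip(entries, encrypted=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted entries, so set the flag bit by hand in
        # each local header (flags at offset 6) and central-directory record
        # (flags at offset 8); that is enough to mimic a password-protected ZIP.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(sig)
            while pos != -1:
                blob[pos + off] |= ZIP_ENCRYPTED
                pos = blob.find(sig, pos + 1)
    return bytes(blob)


def build_mail(subject, filename, blob):
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(blob, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


SEXTORTION_SAMPLE = build_mail(
    "RE: Case #48942113 xxx@domain[.]com You have been warned many times - 07/04/2019 10:57:20",
    "case_48942113.zip",
    build_zip({"evidence.txt": b"not really a video"}, encrypted=True),
)
TAX_SAMPLE = build_mail(
    "Your 2018 W-2 is ready",                     # hypothetical tax lure
    "w2_2018.xlsm",
    build_zip({"[Content_Types].xml": b"<Types/>",
               "xl/workbook.xml": b"<workbook/>",
               "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub"}),
)
BENIGN_SAMPLE = build_mail("Meeting notes", "notes.zip",
                           build_zip({"notes.txt": b"nothing to see"}))

if __name__ == "__main__":
    for label, raw in (("sextortion", SEXTORTION_SAMPLE), ("tax", TAX_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

The checks read only ZIP central-directory metadata, so nothing is extracted or executed; a real gateway rule would pair the encrypted-ZIP flag with the subject pattern rather than act on either alone, since legitimate senders do ship password-protected archives.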

Robocall scam
A new robocall scam that tricks people into revealing their Social Security numbers is making the rounds. The callers pose as government officials and claim that suspicious activity tied to the recipient's Social Security number has been detected, then urge them to call back or speak to an agent to resolve the issue. Victims who call back are tricked into handing over their birth dates, bank account numbers and Social Security numbers.


planetary ransomware
robocall scams
sextortion scam
jnec ransomware
trickbot trojan

Posted on: April 08, 2019
