Cyware Daily Threat Intelligence, April 28, 2020

In a world besieged by ransomware, here’s a piece of good news for victims affected by Shade aka Troldesh ransomware. The operators have released over 750,000 decryption keys as they announced their retirement. In other news, security researchers have uncovered a new variant of Black Rose Lucy ransomware that infects Android phones and demands a ransom of $500 by claiming that the files have been encrypted by the FBI.

A massive spear-phishing attack that has infected several U.S. universities with Hupigon RAT has also been noticed in the last 24 hours. The campaign leveraged adult dating as a lure to spread across colleges. The capabilities of the RAT include recording keystrokes, webcam monitoring, and giving attackers access to rootkit functionality. Researchers also unearthed a new Asnarök trojan that was used in an attack campaign that exploited the zero-day SQL injection vulnerability in Sophos firewall products.

Top Breaches Reported in the Last 24 Hours

Warwick University data breach
Warwick University came under fire after it reportedly failed to notify the affected individuals about a cyberattack that occurred last year. The incident had led to the compromise of personal information of students, staff, and volunteers participating in research studies.

8.6 million travel logs exposed
Sheffield City Council’s automatic number-plate recognition (ANPR) system left 8.6 million records of road journeys made by British motorists exposed on the internet. The incident occurred because the system’s internal management dashboard was not secured with a password. The exposed data included vehicle number plates and travel logs.

ExecuPharm hit by ransomware
ExecuPharm was hit by a ransomware attack on March 13, 2020. The attack exposed employee personal data including Social Security numbers, taxpayer and bank account information, and passport and credit card details. It is reported that the attackers later dumped the stolen data onto a dark web site.

Top Malware Reported in the Last 24 Hours

Shade ransomware shuts down
The operators behind the Shade ransomware have released over 750,000 decryption keys in a bid to shut down their operations. The ransomware had been active since 2014 and specifically avoided encrypting victims in Russia and other Commonwealth of Independent States (CIS) countries.

Widespread spear-phishing attack
Several U.S. universities have fallen victim to a widespread spear-phishing attack that used adult dating as a lure. The emails included pictures of women which, when clicked, resulted in the download of executables for the Hupigon RAT. The trojan’s capabilities include giving attackers access to rootkit functionality, webcam monitoring, and recording keystrokes.

New Asnarök trojan
It was recently discovered that attackers had exploited a zero-day SQL injection vulnerability in Sophos firewall products to launch attacks. A follow-up analysis has concluded that the attack was used to deliver a newly discovered trojan, named Asnarök, that steals usernames and passwords.

New Black Rose Lucy ransomware variant
A new variant of Black Rose Lucy ransomware has been found infecting Android phones in an attempt to pressure victims into paying a ransom of $500. The attackers behind the ransomware trick victims into believing that the encryption of their files is the work of the FBI. The malware variant is distributed via social media links and messenger applications.

Outlaw botnet
The new Outlaw botnet is the work of the Outlaw hacking group, which first appeared in 2018. The botnet uses brute force and SSH exploits to gain remote access to target systems, including servers and IoT devices. The main components of the botnet include a variant of Shellbot, a Monero miner, and a Perl-based backdoor.
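SSH password brute forcing of the kind the Outlaw botnet relies on leaves a dense trail of "Failed password" lines in the OpenSSH auth log, so a simple per-source counter over a short window is enough to surface it. The detector below is an added example written for this briefing, not code from Cyware or from any Outlaw analysis; the log lines are constructed samples in standard syslog format, and the threshold and window sizes are assumptions to be tuned per environment.

```python
"""Flag SSH brute-force sources in OpenSSH auth logs (added example).

Parses 'Failed password' lines emitted by sshd, counts failures per source IP
inside a sliding time window and returns the IPs that exceed a threshold.
The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common OpenSSH failure line as written to /var/log/auth.log (syslog format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source cycling through common usernames within
# seconds, and one legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
Apr 28 03:14:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 28 03:14:05 bastion sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 28 03:14:09 bastion sshd[4025]: Failed password for invalid user pi from 203.0.113.7 port 51244 ssh2
Apr 28 03:14:12 bastion sshd[4027]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Apr 28 03:14:16 bastion sshd[4029]: Failed password for invalid user test from 203.0.113.7 port 51255 ssh2
Apr 28 03:14:20 bastion sshd[4031]: Failed password for invalid user ubuntu from 203.0.113.7 port 51260 ssh2
Apr 28 03:20:44 bastion sshd[4100]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Apr 28 03:21:02 bastion sshd[4102]: Accepted publickey for alice from 198.51.100.9 port 40030 ssh2: ED25519 SHA256:...
Apr 28 03:35:10 bastion sshd[4150]: Failed password for alice from 198.51.100.9 port 40100 ssh2
"""


def parse_failure(line, year=2020):
    """Return (timestamp, user, ip) for a failed-login line, else None.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "distinct_users": m}} for every source IP
    that reaches `threshold` failed logins inside any `window_seconds` span.

    Distinct usernames per source is reported because username spraying
    (root, admin, pi, ...) is the typical signature of an automated scanner.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    total = defaultdict(int)      # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                      # accepted logins, other daemons
        ts, user, ip = parsed
        window = recent[ip]
        window.append(ts)
        total[ip] += 1
        users[ip].add(user)
        # Drop failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = {"failures": total[ip],
                           "distinct_users": len(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, "
              f"{info['distinct_users']} usernames tried")
```

In the constructed sample only 203.0.113.7 is flagged: six failures across six usernames in under twenty seconds. The legitimate user's two failures fifteen minutes apart never fill the window, which is the point of windowing rather than counting lifetime failures. The same logic feeds naturally into a fail2ban-style block list or a SIEM rule, and pairing it with key-only authentication removes the password surface the botnet brute forces in the first place.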

Top Vulnerabilities Reported in the Last 24 Hours

GDPR.EU fixes an issue
The GDPR.EU website has fixed a security issue that exposed passwords and data from the git repository for several websites. The issue stemmed from the website’s .git folder being readable by anyone online due to a misconfiguration.
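The quickest way to confirm your own deployment is not making this mistake is to request `/.git/HEAD` from the outside and look at the body, not just the status code: many sites answer unknown paths with a 200 "soft 404" page, which a status-only check misreads as exposure. The checker below is an added example for this briefing, not code from Cyware or from GDPR.EU; the sample responses are constructed, and the request timeout and User-Agent string are assumptions.

```python
"""Check whether a site serves its .git directory to the internet (added example).

The classifier inspects the body returned for /.git/HEAD: a real HEAD file is
one short line, either a symbolic ref or a bare 40-hex commit id. Anything
that looks like HTML, or spans several lines, is treated as not exposed even
when the status is 200, which filters out soft-404 pages. The responses used
in __main__ and in the tests are constructed for this example.
"""
import re
import sys
import urllib.error
import urllib.request

# Symbolic ref ("ref: refs/heads/master") or a detached 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")


def git_head_exposed(status, body):
    """Return True only if (status, body) looks like a genuine .git/HEAD file."""
    if status != 200:
        return False
    text = body.decode("utf-8", errors="replace").strip()
    # Error pages and soft-404s are HTML and multi-line; HEAD is neither.
    if "<" in text or "\n" in text:
        return False
    return bool(HEAD_RE.match(text))


def fetch(url, timeout=5):
    """GET a URL and return (status, first 4 KiB of body).

    Non-2xx responses are returned rather than raised so the caller can
    classify them the same way.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(4096)


def check_site(base_url):
    """True if base_url serves a readable .git/HEAD."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return git_head_exposed(status, body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against a site you operate, e.g. python check.py https://www.example.org
        print("EXPOSED" if check_site(sys.argv[1]) else "not exposed", sys.argv[1])
    else:
        # Offline demonstration with constructed responses.
        samples = {
            "real HEAD":        (200, b"ref: refs/heads/master\n"),
            "soft 404":         (200, b"<html><body>Page not found</body></html>"),
            "proper 404":       (404, b"Not Found"),
            "detached HEAD":    (200, b"0123456789abcdef0123456789abcdef01234567\n"),
        }
        for name, (status, body) in samples.items():
            print(f"{name:14s} -> {'EXPOSED' if git_head_exposed(status, body) else 'ok'}")
```

If the check comes back positive, the fix is twofold: stop deploying the `.git` directory into the document root at all (build artifacts, not a checkout, belong there), and as defence in depth deny any path beginning with `/.git` at the web server so a future deployment mistake does not become a credential leak. Rotate any secrets that were committed to the repository history, since removing the directory does not undo what was already downloaded.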

WordPress plugin bug
A cross-site request forgery (CSRF) vulnerability in the Real-Time Find and Replace plugin can allow attackers to inject malicious code and create rogue admin accounts on a WordPress site. WordPress site owners are therefore urged to update the plugin to the latest version.

Top Scams Reported in the Last 24 Hours

Fake COVID-19 travel passes
Scammers are duping people into buying fake travel passes for Moscow at discount prices in the wake of the COVID-19 crisis. Researchers have tracked and disrupted 126 websites, Telegram channels, and social media accounts that were peddling the fake passes.

Fake Zoom meetings
Scammers are leveraging the popularity of Zoom in a new scam to steal the login credentials of users. The emails appear to come from HR and Payroll departments and ask the recipients to attend a fake meeting related to their performance in Q1 2020. The scam creates a sense of panic among the users by informing them about their termination or suspension if they fail to attend the meeting.

Fake delivery issue scam
A new wave of phishing scams that use a COVID-19 theme to impersonate well-known shipping carriers such as FedEx, UPS, and DHL has come to notice recently. The scams use a fake delivery issue as a lure to dupe people into visiting malicious links or downloading malware.


Posted on: April 28, 2020
