Go to listing page

Cyware Daily Threat Intelligence, April 30, 2019

Cyware Daily Threat Intelligence, April 30, 2019

Share Blog Post

Cybercriminals are back with two most prolific malware - Emotet and GandCrab - to create more chaos in the cyber world. Security researchers have uncovered new insights about attackers who are using a new variant of Emotet to compromise IoT devices and routers as first-layer Command-and-Control servers. The malware is dropped using a malware downloader named Powload, that comes in the form of a ZIP file attached within a phishing email.

GandCrab v5.2, on the other hand, is being distributed alongside a new variant of AESDDoS botnet by exploiting a recently patched vulnerability in Confluence Server and Data Center. The vulnerability is tracked as CVE-2019-3396 and exists in the Widget Connector macro component. The new variant of AESDDoS botnet is capable of launching five different types of DDoS attacks along with stealing system information.

Talking about breaches, an unprotected database has exposed the personal information of 80 million US households. The vulnerable database contained 24 GB data including full names, income brackets, marital status and other entries which were related to US households.

Top Breaches Reported in the Last 24 Hours

BEC attack steals $1.75 million
Hackers have stolen $1.75 million from the Saint Ambrose Catholic Parish, Ohio in a BEC attack. The attack was discovered on April 17 after payments related to the church's Vision 2020 project were not received by a contractor. It was found that the crooks hacked the Parish’s email system via a phishing attack. The hackers were then able to trick the staff that the contractor had changed their bank, thus deceiving them into wiring the funds to a fraudulent bank.

Unprotected database leaks 80 million
An unprotected database has impacted up to 65% (80 million) of US households. The database contained around 24 GB data and was hosted by a Microsoft cloud server. It exposed full names, marital status, income bracket and age of US citizens. The exposed data also includes the number of people living in each household.   

Watertown Daily Times under attack
The Watertown Daily times was under a cyber attack on April 28, 2019. This disrupted the printing and distribution of the Sunday newspaper. The incident was discovered after IT staff discovered that servers and computers were infected with a malware virus that encrypted files. Upon learning the incident, the IT staff worked late hours to build a new server to run the machine.

Top Malware Reported in the Last 24 Hours

GandCrab returns with a new malware
Malicious actors are exploiting a recently patched vulnerability in Confluence Server and Data Center to distribute GandCrab v5.2 ransomware and a new variant of AESDDoS botnet. The vulnerability is tracked as CVE-2019-3396 and exists in the Widget Connector macro component. The flaw can be used to perform server-side template injection, path traversal and remote code execution on affected systems.

Emotet trojan makes a comeback
The operators of Emotet trojan are using a new variant of the malware to take over routers and IoT devices in order to protect the banking botnet. According to researchers, the gang has been using hacked routers and IoT devices as proxies since last month. The idea behind this is that a Windows computer infected with Emotet would send all the data acquired from infected hosts to nearby routers and IoT devices. By doing this, the Emotet gang intents to hide the real location of their command infrastructure. 

ElectrumDoSMiner botnet
Threat actors are using an undocumented malware downloader called Trojan.BeamWinHTTP to drop a botnet detected as ElectrumDoSMiner. The largest concentration of the botnet is in the Asia Pacific region, Brazil and Peru. In total, 152,000 machines have been affected by ElectrumDoSMiner. This has allowed the threat actors to steal over $4.6 million from users of the popular Electrum Bitcoin wallet.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable WooCommerce Checkout Manager plugin
An arbitrary file upload vulnerability in WooCommerce Checkout Manager WordPress plugin has affected over 60,000 sites. The flaw can be exploited by unauthenticated remote attackers if users have enabled the ‘Categorize Uploaded Files’ in the plugin settings. Users should look out for wccs_upload_file_func, order_id and order_id as indicators of compromise to identify if their sites are compromised or not. The flaw can allow attackers to upload malicious files to the affected site, modify data or gain administrative access. In order to stay safe, users are advised to update the vulnerable versions of the plugin with version 4.3 as soon as possible.

NTP can be exploited
The Network Time Protocol (NTP) can be used as an alternative covert communication channel. It may also be used to carry data, and as such, it is open to exploitation. The protocol can be abused by malware in order to hide network traffic between the client (infected computer) and server (command and control). The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks

Top Scams Reported in the Last 24 Hours

TSS campaign freeze user’s browser
A new technical support scam campaign has been discovered that makes use of iframes in combination with basic pop-up authentication to freeze a user’s browser. Since this technique is new and unfamiliar, it can allow attackers to evade detection. The campaign particularly uses a legitimate or well-known brand like Microsoft to lure its victims. The fake URL looks like a typical Microsoft tech support page, with several functions hidden within. Once the user enters the fake URL into the web address, it displays two pop-up windows. Clicking on the ‘Cancel’ only leads back to the URL whereas clicking on ‘Close’ and ‘OK’ buttons does not perform any action.


electrumdosminer botnet
bec attack
emotet trojan
aesddos botnet
gandcrab v52

Posted on: April 30, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite