Cyware Daily Threat Intelligence December 11, 2017

Napoleon ransomware
This file-encrypting ransomware was earlier known as Blind has been identified recently with a .napoleon extension. In addition, there were some additional changes and also a bug fix that means files can no longer be decrypted by victims. When infiltrated, the ransomware checks the privileges with which it runs. If it has sufficient privileges, it deletes shadow copies.

Esif.exe CPU miner
The classified Potentially Unwanted Program (PUP) — Esif.exe CPU Miner — is reported to feature a corrupted version, which is found on compromised machines. The Esif.exe CPU Miner is a program that is used to make complex calculations and verify the exchange of a cryptocurrency called Bitcoin (BTC).

Java file extension ransomware
The file encoder Trojan — java file extension — is a modified version of a threat called Dharma ransomware. The ransomware features minimal changes to the code, but the payload is released in a new packaging, and there are new IP addresses, email accounts. Malware is delivered through macro-enabled documents that invite unsuspecting users into loading a weaponized macro script. Android vulnerability
The Android vulnerability aka Janus (CVE-2017-13156), allows attackers to modify the code of Android apps without affecting their signature. This allows them to distribute malicious update for the legitimate apps. An attacker can leverage these issues to gain sensitive information, execute arbitrary code or gain elevated privileges.

Internet security alert
The 'Internet Security Alert! Code: 055BCCAC9FEC' pop-up windows are not legitimate security warnings from Microsoft Corp. despite their appearance. The alert warns the user of a presence of virus on their system and display a Windows Technical Support number to call on. The warning is generated through browser extensions that are promoted through untrusted domains.

OpenSSL read/write error
The flow is related to an “error state” mechanism introduced with OpenSSL 1.0.2b. The mechanism is designed to trigger an immediate failure if there is an attempt to continue a handshake after a fatal error has occurred.