Go to listing page

Cyware Daily Threat Intelligence, June 19, 2020

Cyware Daily Threat Intelligence, June 19, 2020

Share Blog Post

In the fast-paced world of cybersecurity, cybercriminals are always on the run, launching massive and sophisticated cyberattacks. In the past 24 hours, a new variant of IcedID banking trojan that leverages steganography technique was found targeting US citizens. The new variant is distributed via phishing emails that use COVID-19 and the Family and Medical Leave Act (FMLA) keywords to lure victims. Moreover, the Ginp mobile malware made a comeback, only to expand its target group. This time the malware has been found targeting banking customers in Turkey.

Nearly 20,000 Wells Fargo customers were targeted in a phishing attack that was carried out via a fake calendar application invite. The phishing email prompted the victims to update their security keys to avoid suspension of their accounts. As a result, they were redirected to a spoofed login page of Wells Fargo designed to steal their personal details.

Top Breaches Reported in the Last 24 Hours

CSA Group attacked
In a fresh attack, researchers believed that the Maze ransomware group has goofed up by attacking a Puerto Rico-based management firm named CSA Group instead of the Toronto-based testing and certification firm, Canadian Standards Association (CSA). The attackers have released three zipped archives containing data allegedly stolen from the firm.

Top Malware Reported in the Last 24 Hours

New variant of IcedID
A new variant of the IcedID trojan has been found that notably embraces the steganography method to hide on infected systems. The malware variant is distributed via phishing emails that use COVID-19 and the Family and Medical Leave Act (FMLA) as keywords.

Ginp expands its operations
Ginp mobile malware has expanded its operations to target banking customers in Turkey. Several fake web pages impersonating legitimate banks in the country have been found by researchers. The malware had previously targeted banking users in Spain, Poland, and the United Kingdom.

New evasion technique
Hackers are using fake error logs to hide their malicious payloads in the form of ASCII characters. Researchers came across this trick while investigating an incident wherein the attackers had used a legitimate ‘BfeOnService.exe’ to deploy malware.

Malicious extensions
Around 111 malicious Chrome extensions capable of collecting sensitive user data have been flagged by researchers. Out of these, Google has removed 106 extensions from the Chrome Web Store. The primary connection between all the extensions was that they sent user data back to domains registered through the GalComm domain registrar.

Golang bots
Researchers have found an increasing number of SSH-targeting Golang bots. The two new bots uncovered are IRCflu and InterPlanetary Storm. They can be used against Android and Linux architectures.

Top Vulnerabilities Reported in the Last 24 Hours

Drupal patches flaws
Drupal has released updates for several vulnerabilities, including a remote code execution flaw that could allow attackers to execute arbitrary PHP code. The RCE flaw in question, tracked as CVE-2020-13664, can affect Drupal 8 and 9 installations.

Top Scams Reported in the Last 24 Hours

Wells Fargo impersonated
Threat actors are impersonating Wells Fargo’s security team and sending out phishing emails with calendar invites to steal employees’ personal details. So far, around 20,000 staff have been targeted in the attack. The emails claim that the targets have to update their security keys using instructions included within a .ics calendar file attachment. Once the victims click on the attachment, they are redirected to a fake phishing page of Wells Fargo that asks them to enter their username, password, PIN, and account number.


golang bots
wells fargo
malicious chrome extensions
icedid trojan
csa group

Posted on: June 19, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite