
Cyware Daily Threat Intelligence, March 30, 2020



With each passing day, security experts continue to see an uptick in Coronavirus-themed phishing attacks. In one incident, attackers used the virus as leverage to spread the Zeus Sphinx malware, while another campaign distributed the Remcos RAT. Zeus Sphinx (aka Zloader) resurfaced after nearly three years of absence to target online banking users in the US, Canada, and Australia; the emails sent in these attacks carried a malicious document named ‘COVID-19 relief’.

Meanwhile, the Remcos RAT campaign took advantage of the financial problems experienced by SMBs during the COVID-19 pandemic and lured victims into opening malicious attachments camouflaged as disaster assistance grants and testing center vouchers.

Reports of bad actors exploiting two zero-day vulnerabilities in DrayTek routers also surfaced in the last 24 hours. Both are command injection flaws tied to the rtick and keyPath fields of the routers' web management interface, and both can be exploited for remote code execution.

Top Breaches Reported in the Last 24 Hours

Voter info of over 4.9 million leaked
Roughly 1.04 GB of voter information for more than 4.9 million Georgians, including deceased citizens, was published on a hacking forum over the weekend. The records include full names, home addresses, dates of birth, ID numbers, and mobile numbers. The data is claimed to originate from voters.cec.gov.ge, the official government portal that stores Georgian voter registration records.

Top Malware Reported in the Last 24 Hours

Zoom domains targeted
Researchers have found that threat actors are actively registering new domains whose names resemble ‘Zoom’ in order to target businesses and individuals across the globe. These domains are then used to deliver malicious files that install InstallCore, a potentially unwanted application, on the victim’s computer.
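Lookalike registrations like these are easiest to catch from a newly-registered-domain feed before anyone clicks. The following Python is an added illustration, not code from the Cyware post or from the researchers who reported the campaign: it triages a domain list for names that embed or closely resemble the brand string "zoom". The brand's legitimate domains, the small public-suffix shortcut, and the sample feed are all assumptions constructed for this example.

```python
# Added example, not from the Cyware post or the researchers' work: triage a
# feed of newly registered domains for names that impersonate a brand, here
# "zoom". The brand's legitimate domains, the public-suffix shortcut and the
# domain list are constructed assumptions for this illustration.
BRAND = "zoom"
LEGIT_DOMAINS = {"zoom.us", "zoom.com"}             # assumption: domains the brand owns
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}  # minimal stand-in for a public-suffix list


def registrable_label(domain: str) -> str:
    """Return the label just left of the public suffix: 'zoom-us-meeting.com' -> 'zoom-us-meeting'."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, computed one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is neither the brand's own nor a subdomain of it, yet mimics the brand."""
    d = domain.lower().rstrip(".")
    # The brand's own domains and their subdomains are never lookalikes.
    if d in LEGIT_DOMAINS or any(d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return False
    label = registrable_label(d)
    # Brand embedded in a longer label, separators removed: zoom-us-meeting, zoomm
    if BRAND in label.replace("-", "").replace("_", ""):
        return True
    # One-character typo or look-alike substitution of the brand itself: zo0m
    return levenshtein(label, BRAND) == 1


def triage(domains) -> list:
    """Return the subset of the feed that deserves a closer look."""
    return [d for d in domains if is_lookalike(d)]


# Constructed sample feed; only the first two entries belong to the brand.
SAMPLE_FEED = [
    "zoom.us",
    "us04web.zoom.us",
    "zoom-us-meeting.com",
    "zo0m.com",
    "zoomm.net",
    "zoom-download.co.uk",
    "example.org",
    "meeting-tools.com",
]

if __name__ == "__main__":
    for d in triage(SAMPLE_FEED):
        print("review:", d)
```

Treat the output as a review queue rather than a blocklist: substring matching will also catch ordinary words that happen to contain the brand, and for a four-letter brand an edit distance of one matches common words such as "room" or "boom", so the distance check earns its keep mainly on digit and homoglyph swaps and should be paired with an allowlist of known-good domains.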

Zeus Sphinx malware
The Zeus Sphinx malware has made a comeback to help its operators capitalize on the Coronavirus pandemic. The operators are using booby-trapped files named ‘COVID-19 relief’ to trick online banking users in the US, Canada, and Australia. These files are delivered via emails that rely on the same theme.

Attackers deliver Remcos RAT
Attackers are attempting to deliver Remcos RAT payloads to the systems of small businesses via phishing emails. They are taking advantage of the financial problems experienced by SMBs during the current COVID-19 pandemic to lure them into opening malicious attachments disguised as disaster assistance grants and testing center vouchers.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable DrayTek routers exploited
Threat actors have been exploiting two zero-day vulnerabilities affecting some DrayTek enterprise routers to carry out a series of attacks. Both are command injection flaws leading to remote code execution, located in the /www/cgi-bin/mainfunction.cgi handler; the web server that serves it is /usr/sbin/lighttpd. DrayTek fixed these bugs in its February 2020 firmware update, so affected devices should be upgraded and, until they are, their web management interface should not be reachable from the WAN.
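Because the post identifies both the handler (/cgi-bin/mainfunction.cgi) and the two injection points (rtick and keyPath), a defender can look for attempts in web-server access records without knowing the exact payload. The Python below is an added example written for this digest, not code from the Cyware post, DrayTek, or the researchers who reported the flaws: it flags requests to that handler whose rtick or keyPath value contains shell metacharacters, including values that are double URL-encoded. The log format and every sample line are constructed for the illustration.

```python
# Added example, not from the Cyware post or DrayTek: scan web-server access
# records for requests to the vulnerable CGI handler whose rtick or keyPath
# parameter carries shell metacharacters. The log format and every line in
# SAMPLE_LOG are constructed for this illustration.
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/cgi-bin/mainfunction.cgi"   # handler named in the report
WATCHED_PARAMS = ("rtick", "keyPath")       # injection points named in the report
# Characters that terminate a token or chain a second shell command.
SHELL_META = re.compile(r"[;|&`$\n\r]")

# Constructed format (assumption): "<client_ip> <method> <path[?query]> <body-or-dash>"
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\S*)$")


def suspicious_params(params: str) -> dict:
    """Return {name: decoded value} for watched parameters that contain shell metacharacters."""
    hits = {}
    for name, values in parse_qs(params, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs decoded one layer; unquote again so double-encoded payloads
            # (%2524 -> %24 -> $) do not slip past the check.
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines) -> list:
    """Return (client_ip, parameter, decoded value) for each likely injection attempt."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if path != TARGET_PATH:
            continue
        # GET carries parameters in the query string, POST in the body; check both.
        params = "&".join(p for p in (query, m.group("body")) if p and p != "-")
        for name, value in suspicious_params(params).items():
            findings.append((m.group("ip"), name, value))
    return findings


SAMPLE_LOG = [
    # Ordinary login to the management UI: nothing to flag.
    "10.0.0.5 POST /cgi-bin/mainfunction.cgi action=login&keyPath=admin&rtick=123456",
    # keyPath ends the expected token and chains a second command (';' encoded as %3B).
    "203.0.113.7 POST /cgi-bin/mainfunction.cgi action=login&keyPath=x%3Bid&rtick=0",
    # Same idea through rtick, with '$(' and ')' double URL-encoded.
    "198.51.100.9 POST /cgi-bin/mainfunction.cgi action=login&keyPath=admin&rtick=1%2524%2528id%2529",
    # Parameters in a GET query string are inspected too.
    "203.0.113.8 GET /cgi-bin/mainfunction.cgi?keyPath=a%60id%60 -",
    # A different CGI is out of scope for this check even if it carries metacharacters.
    "10.0.0.6 GET /cgi-bin/other.cgi?q=a%3Bb -",
]

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: {name}={value!r}")
```

The check is deliberately narrow (one path, two parameters) so it can run over large volumes of router or reverse-proxy logs with few false positives; a hit is a trigger for pulling the device's firmware version and configuration, not proof of compromise on its own.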

Top Scams Reported in the Last 24 Hours

Netflix phishing campaign
A Netflix phishing campaign has seen a spike in Brazil, with users being asked to update their personal details to avoid suspension of their accounts. The scammers use a convincing imitation of the streaming service’s website to make the lure more believable.

Coronavirus-themed phishing
A new Coronavirus-themed phishing campaign has been discovered that sends messages purporting to come from a local hospital. The message informs recipients that they need to be tested urgently because a colleague, friend, or family member has tested positive for the virus, and urges them to download and print an attachment, which is actually a malicious payload.


Tags: InstallCore application, Netflix phishing, DrayTek routers, Remcos RAT, Zeus Sphinx malware

Posted on: March 30, 2020
