Cyware Daily Threat Intelligence, May 06, 2019

Evading detection while spreading across the network has always been one of the primary objectives of malicious actors, and they are constantly improving existing malware to attain it. Lately, security researchers have discovered a new variant of the Retefe banking trojan that uses the stunnel encrypted tunneling mechanism to avoid detection by anti-virus software. The technique also helps the malware secure its proxy redirection and command-and-control communications.

A new variant of the prolific Gh0stRAT trojan was also uncovered in the past 24 hours. The malware allows attackers to launch DDoS attacks. Other capabilities of the variant include collecting system information, stealing VPN credentials and installing registry keys for RDP.

In data breaches, an unprotected MongoDB database has leaked over 1.6 million records belonging to AMC Networks. The exposed records relate to two of the firm’s video streaming platforms, Sundance Now and Shudder. The publicly accessible database contained subscribers’ names, email addresses and subscription plan details.

Top Breaches Reported in the Last 24 Hours

AMC Networks exposes 1.6 million records
An unprotected MongoDB database has exposed over 1.6 million records belonging to two video streaming platforms of AMC Networks. The affected streaming platforms were Sundance Now and Shudder. The publicly accessible database contained subscribers’ names, email addresses and subscription plan details. It also contained 3,351 links to Stripe invoices, which include names, emails and the last four digits of credit card numbers. Upon learning of the incident, the firm took the database down.

Airbnb user accounts hacked
Airbnb users are complaining of being locked out of their accounts following a hack. Some accounts were reportedly deleted outright, and many users are unable to reset their passwords. A few users have also complained that their previous bookings were canceled. To avoid falling victim to the attack, Airbnb users are advised to check their accounts for suspicious bookings or cancellations.

Git hosting services attacked
Repositories on the Git hosting services GitHub, Bitbucket and GitLab have had their source code wiped and replaced with a ransom demand. The ransom note demands that victims pay 0.1 Bitcoin to recover the lost code. Almost 400 GitHub repositories have been affected by the attack. Meanwhile, Bitbucket has released a security advisory on preventing such malicious activity in the future.

Top Malware Reported in the Last 24 Hours

MegaCortex ransomware
New ransomware called MegaCortex has been found targeting users in the US, Italy, Canada, the Netherlands, Ireland and France. The malware is probably linked with the Emotet and Qbot trojans. While it is not clear how the attackers gain access to the network, victims have reported that the attack originates from a compromised domain controller. In one case, the ransomware appended the .aes128ctr extension to encrypted files.

New Gh0stRAT variant
A new variant of Gh0stRAT allows attackers to use unique commands to launch DDoS attacks. The sample’s functionality includes webcam control, VPN credential theft and installing registry keys for RDP. The variant also collects the system’s version information, socket name, processor count and memory status.

New Retefe banking trojan
A new variant of the Retefe trojan has been found using the stunnel encrypted tunneling mechanism to evade detection by anti-virus software. The malware is used against both Windows and macOS systems. It spreads either via a fake shareware app called ‘Convert PDF to Word Plus 1.0’ or via the Smoke Loader downloader. Its primary purpose is to redirect victims to fake bank pages for credential theft.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable PrinterLogic Print Management Software
A series of bugs have been uncovered in PrinterLogic Print Management Software. The flaws can allow an unauthenticated attacker to remotely execute arbitrary code with SYSTEM privileges. All versions up to are affected by the flaws. They are designated as CVE-2018-5408, CVE-2018-5409, and CVE-2019-9505.

Vulnerable Jenkins’ Plugins
Hundreds of plugins that extend Jenkins’ functionality have been found to contain multiple vulnerabilities. The flaws mostly involve storing passwords in plain text and cross-site request forgery (CSRF). All the flaws have been rated ‘low’ or ‘medium’ severity. Jenkins has released advisories for the unpatched vulnerabilities to alert users.

Flaws in IBM API Connect
Two vulnerabilities that could allow attackers to gain root-level privileges have been identified in IBM API Connect. They are tracked as CVE-2019-4203 (a Server-Side Request Forgery vulnerability) and CVE-2019-4202 (a Remote Code Execution vulnerability). The flaws could enable an attacker to gain unauthorized access to API credentials and use them to access the APIs.

Top Scams Reported in the Last 24 Hours

Extortion scam
Scammers are sending extortion emails to steal money from users. In the email, the scammers threaten to release an inappropriate video of the recipient unless a ransom of $1,500 in Bitcoin is paid. The email goes on to claim that the scammers stole all of the recipient’s passwords and contact lists while the recipient was in the bathroom.

TV license email scam
A fake TV license email is being sent to customers regarding payment issues, soliciting their bank and personal details. The scam uses several variants of the email, all highlighting the same payment issue but differing in format and wording. All of these emails link to the same phishing website. Once victims click through to the fake website, they are redirected to a page that asks them to provide payment details. More than 5,000 complaints about this scam have been registered in the past three months.


Posted on: May 06, 2019