Go to listing page

Cyware Daily Threat Intelligence, September 24, 2019

Cyware Daily Threat Intelligence, September 24, 2019

Share Blog Post

Money making by cybercriminals through malicious apps, shows no sign of signs of abating. In a new revelation, Google has removed from its Play Store around 25 malicious apps that were involved in pushing unwanted ads to victims’ devices. The purpose of these apps was to generate revenue for the bad actors.

The past 24 hours saw two new massive attack campaigns in the US and Kuwait respectively. The China-based APT10 threat actor group is believed to have infected at least 17 US utility firms with LookBack trojan. These firms were attacked for a period of five months between April and August of 2019.

In another incident, several shipping and transportation organizations in Kuwait have been targeted with various backdoor tools in a campaign called xHunt. The campaign was carried out between May and June 2019. The tools used in the campaigns include Sakabota, Hisoka, Netero, and Killua.

Top Breaches Reported in the Last 24 Hours

CCH affected by ransomware
A ransomware attack at Campbell County Health (CCH) in Gillette, Wyoming, resulted in service disruptions, such as lack of outpatient lab, respiratory therapy, and radiology exams. This caused the hospital to cancel some surgeries and admissions of new patients. CCH is working to restore its affected systems.

CafePress admits data breach
CafePress has acknowledged that it was affected by a data breach in February. It has sent emails to all its customers, stating the information that was lost in the incident included customer names, emails, physical addresses, phone numbers, and unencrypted passwords.

Websites vandalized
The websites of around a dozen Kansas counties were vandalized by hackers in early August. The homepages of the sites were changed with cryptic messages, along with an image of Mecca. Due to the cyberattacks, government information posted on the affected websites weren’t accessible to citizens. The affected websites were taken down within 10 minutes of the discovery of the incident and restored over the next several hours.

Top Malware Reported in the Last 24 Hours

Dtrack malware
Dtrack is a banking malware that was first discovered in summer 2018. The malware targets a victim’s ATMs with an intention to steal the card information. The malware is operated by the infamous Lazarus threat actor group. Apart from stealing card information, Dtrack is also capable of keylogging, retrieving browser history, gathering IP addresses, list all running processes, and listing all files on all available disk volumes.

xHunt campaign
Researchers have unearthed a new attack campaign that targeted transportation and shipping organizations in Kuwait. Dubbed as xHunt, the campaign was carried out between May and June 2019, using a backdoor tool named Hisoka. Apart from this, other backdoor tools like Sakabota, Netero, and Killua, were used to conduct the campaign.

Emotet found in malspam campaign
A malspam campaign that uses news about Edward Snowden’s new book ‘Permanent Record’ as a lure has been found distributing the notorious Emotet trojan. The campaign is conducted via emails written in English, Italian, Spanish, German, and French. The emails claim to contain a copy of the book in a Word document.

Malicious apps continue to rise
Another wave of malicious apps in the Play Store, that are capable of hiding themselves after installation and aggressively displaying full-screen ads has been discovered recently. This time researchers have uncovered a total of 25 malicious apps that have been downloaded for more than 2.1 million times. Google has removed these apps upon being informed.

Google Alerts misused
Bad actors are creating spam pages related to popular keywords in order to conduct scam or infect users with malware through Google Alerts. When a user clicks on one of these alerts, they will be redirected to a series of pages that could ultimately land them at a fake giveaway page, tech support scam, unwanted extension, or malware installers.

LookBack trojan
At least 17 US utility firms were infected with LookBack trojan for a five-month period between April 5 and August 29, 2019. The attacks are believed to be the work of the China-based APT10 threat actor group.

Zebrocy evolves
The Russia-based Fancy Bear threat actor group has returned in a new campaign targeting multiple government departments. The group has been found using an updated version of Zebrocy malware along with a new malware downloader which is written in Nim. The campaign is leveraging phishing emails to spread malware.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft releases update
Microsoft has released an emergency out-of-band security update to fix two critical issues. While one of them is a zero-day vulnerability in the Internet Explorer scripting engine, the other is a bug in Microsoft Defender. The zero-day vulnerability is related to remote code execution.

Vulnerable D-Link DNS-320 ShareCenter
A remote code execution vulnerability in D-Link DNS-320 ShareCenter NAS devices can enable attackers to access all application commands with root permission. The flaw affects the versions prior to 2.05.B10. D-Link has released a patch to fix the issue.

Top Scams Reported in the Last 24 Hours

Phishing scam  
Threat actors are impersonating Barclays bank in a new phishing scam in an attempt to steal users’ credentials. The email asks the recipients to update their personal details as a part of online security measures. It also includes a link that redirects the victims to a page designed to steal login credentials and personal details. Users should be wary of such emails and contact directly the bank.


d link dns 320 sharecenter
lookback trojan
xhunt campaign
emotet trojan

Posted on: September 24, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite