Blueliv Intelligence Briefing

Your cybersecurity news summary

Wednesday, July 1st, 2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

FakeSpy Masquerades as Postal Service Apps Around the World

A new campaign is running that uses a newly improved, significantly more powerful version of the malware compared with earlier ones. FakeSpy is under active development and is evolving rapidly; new versions are released every week with additional evasion techniques and capabilities. The analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group, commonly referred to as "Roaming Mantis". Learn more >

Glupteba: Hidden Malware Delivery in Plain Sight

About a month ago, researchers noticed a spike in the number of samples belonging to the same malware campaign, most of them with the filename app.exe. This malware, which turned out to belong to a family called Glupteba, spreads using EternalBlue, and downloads additional payloads. Glupteba malware does something novel: It uses the bitcoin blockchain as a communications channel to receive updated configuration information. Learn more >
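Public write-ups of Glupteba describe the updated C2 configuration being carried in the OP_RETURN output of transactions sent from an attacker-controlled wallet. Anyone hunting for that pattern needs to pull those payloads out of raw transaction bytes. The parser below is an added example, not Glupteba code and not from the analysis summarized above; it assumes OP_RETURN is the carrier, handles the SegWit marker and the OP_PUSHDATA1/2/4 encodings used for payloads longer than 75 bytes, and the sample transaction it builds is constructed here rather than taken from the chain.

```python
import struct
from typing import List, Tuple

OP_0 = 0x00
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
OP_RETURN = 0x6A


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def push_data(data: bytes) -> bytes:
    """Encode a script data push with the shortest legal push opcode."""
    n = len(data)
    if n <= 75:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + data
    return bytes([OP_PUSHDATA4]) + struct.pack("<I", n) + data


def script_pushes(script: bytes) -> List[bytes]:
    """Return the data pushes that follow the leading OP_RETURN in a script."""
    pushes: List[bytes] = []
    pos = 1  # skip OP_RETURN itself
    while pos < len(script):
        op = script[pos]
        pos += 1
        if op == OP_0:
            n = 0
        elif 1 <= op <= 75:
            n = op  # opcodes 1..75 push that many bytes directly
        elif op == OP_PUSHDATA1:
            n = script[pos]
            pos += 1
        elif op == OP_PUSHDATA2:
            n = struct.unpack_from("<H", script, pos)[0]
            pos += 2
        elif op == OP_PUSHDATA4:
            n = struct.unpack_from("<I", script, pos)[0]
            pos += 4
        else:
            break  # a non-push opcode: not a standard data-carrier script
        if pos + n > len(script):
            raise ValueError("truncated push in OP_RETURN script")
        pushes.append(script[pos:pos + n])
        pos += n
    return pushes


def extract_op_return(raw_tx: bytes) -> List[bytes]:
    """Walk a serialized transaction and collect every OP_RETURN payload."""
    pos = 4  # 4-byte version
    # SegWit serialization inserts marker 0x00 and flag 0x01 before the input count.
    if raw_tx[pos] == 0x00 and raw_tx[pos + 1] == 0x01:
        pos += 2
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = read_varint(raw_tx, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    payloads: List[bytes] = []
    for _ in range(n_out):
        pos += 8  # value in satoshis
        script_len, pos = read_varint(raw_tx, pos)
        script = raw_tx[pos:pos + script_len]
        pos += script_len
        if script and script[0] == OP_RETURN:
            payloads.extend(script_pushes(script))
    return payloads  # witness data and locktime follow; they carry no outputs


def build_sample_tx(payload: bytes, segwit: bool = False) -> bytes:
    """Constructed test transaction: one dummy input, one P2PKH output, one OP_RETURN output."""
    tx = struct.pack("<I", 2)
    if segwit:
        tx += b"\x00\x01"
    tx += bytes([1]) + b"\x11" * 32 + struct.pack("<I", 0)  # one input, dummy outpoint
    tx += bytes([0]) + struct.pack("<I", 0xFFFFFFFF)          # empty scriptSig, sequence
    tx += bytes([2])                                           # two outputs
    p2pkh = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"      # OP_DUP OP_HASH160 <20B> OP_EQUALVERIFY OP_CHECKSIG
    tx += struct.pack("<Q", 50_000) + bytes([len(p2pkh)]) + p2pkh
    carrier = bytes([OP_RETURN]) + push_data(payload)          # lengths here stay below 0xFD
    tx += struct.pack("<Q", 0) + bytes([len(carrier)]) + carrier
    if segwit:
        tx += bytes([0])  # empty witness stack for the single input
    return tx + struct.pack("<I", 0)  # locktime
```

`extract_op_return(build_sample_tx(b"c2.example.invalid"))` returns the payload as the only element; the hostname is hypothetical. In practice the raw transaction bytes come from a node or block explorer and the extracted payload would still need whatever decryption the malware applies before it becomes a readable domain.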

US Local Government Services Targeted by New Magecart Credit Card Skimming Attack

Eight cities across three states in the United States have fallen victim to a Magecart card skimming attack. In these attacks, their websites were compromised to host credit card skimmers that passed the credit card information of residents to cybercriminals. These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments. Learn more >

Bundlore (macOS) mm-install-macos

The mm-install-macos variant of the Bundlore family of macOS adware has been around for many years in many variations and delivery methods. Recently, a new variant with a novel installation method was discovered. Although most of the installation details were the same as or similar to the other samples analyzed, these new samples modified the sudoers file on the infected system to remove the password requirement for privilege escalation. The malware also uses a form of obfuscation not observed before in this family, hiding compressed data in a resource fork of a downloaded script file. Learn more >
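The two host artefacts described above are cheap to check for. The script below is an added example, not code from the Bundlore analysis: it flags sudoers lines that drop the password requirement (a `NOPASSWD:` tag on a rule or a `Defaults !authenticate` line), reads a file's macOS resource fork through the `..namedfork/rsrc` path, and guesses the container format of whatever comes out by its magic bytes. The sudoers text is constructed for the demonstration; on a non-macOS filesystem the named fork path never exists, so the fork check simply reports nothing.

```python
import os
import re
from typing import List, Tuple

# A NOPASSWD tag on a rule, or a "Defaults !authenticate" line, lets sudo run
# without prompting. Text after '#' is a comment and must not match. Caveat:
# the "#uid" user syntax of sudoers is also cut off by the comment strip.
_NOPASSWD_RE = re.compile(r"NOPASSWD\s*:|^\s*Defaults\b.*!\s*authenticate")

# Constructed sample, not from a real host.
SAMPLE_SUDOERS = """\
# Constructed sample; NOPASSWD: in a comment must not match
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD: ALL
Defaults !authenticate
%admin ALL=(ALL) ALL # NOPASSWD: only in a trailing comment
"""


def find_nopasswd(sudoers_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every line granting password-less sudo."""
    hits: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]  # drop trailing comments
        if _NOPASSWD_RE.search(code):
            hits.append((lineno, raw.strip()))
    return hits


def audit_sudoers(paths: List[str]) -> List[Tuple[str, int, str]]:
    """Run find_nopasswd over /etc/sudoers-style files that exist and are readable."""
    findings: List[Tuple[str, int, str]] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue  # missing or unreadable drop-in: skip rather than abort
        findings.extend((path, n, line) for n, line in find_nopasswd(text))
    return findings


def resource_fork(path: str) -> bytes:
    """Return the file's resource fork contents, or b"" when there is none.
    macOS exposes the fork as <path>/..namedfork/rsrc; elsewhere it never exists."""
    fork = os.path.join(path, "..namedfork", "rsrc")
    try:
        with open(fork, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def has_resource_fork(path: str) -> bool:
    """True when a plain file carries a non-empty resource fork."""
    return len(resource_fork(path)) > 0


def identify_blob(data: bytes) -> str:
    """Guess the container of a blob pulled from a fork by its magic bytes."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz"
    if data[:2] == b"PK":
        return "zip"
    # zlib: CMF byte 0x78 and the 16-bit header is a multiple of 31
    if len(data) >= 2 and data[0] == 0x78 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    return "unknown"


if __name__ == "__main__":
    for lineno, line in find_nopasswd(SAMPLE_SUDOERS):
        print(f"sample sudoers line {lineno}: {line}")
    for path, lineno, line in audit_sudoers(["/etc/sudoers"]):
        print(f"{path}:{lineno}: {line}")
```

Running `audit_sudoers(["/etc/sudoers"] + sorted(glob.glob("/etc/sudoers.d/*")))` covers the drop-in directory as well; any hit on a host that should only have interactive sudo is worth a look, and a downloaded `.sh` for which `has_resource_fork` is true deserves the same scrutiny.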

Chinese malware used in attacks against Australian orgs

The Australian government released an advisory late last week about increased cyber activity from a state actor against networks belonging to its agencies and companies in the country. Behind the attack is a "sophisticated" adversary that relies on slightly modified proof-of-concept exploit code for older, long-patched vulnerabilities, the government says. Unofficially, China is being blamed. The attacker targets public-facing infrastructure with remote code execution exploits, a frequent choice being unpatched versions of the Telerik UI component. Learn more >

Chinese bank forced western companies to install malware-laced tax software

A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today. The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China. Trustwave, which was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer's network. Learn more >

XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers

Researchers from Trend Micro have recently detected variants of two existing Linux botnet malware families, XORDDoS and Kaiji, targeting exposed Docker servers. Docker servers are a new target for both: XORDDoS is known for targeting Linux hosts on cloud systems, while the recently discovered Kaiji was first reported attacking internet of things (IoT) devices. Both botnets have typically spread by scanning for open Secure Shell (SSH) and Telnet ports and then brute-forcing credentials. Learn more >

Discord client modified to steal accounts by new NitroHack malware

New malware is being distributed that poses as a hack for getting the premium Discord Nitro service for free, but instead steals user tokens saved by various browsers and credit card information, and then tries to spread to other users. Because Discord is an open platform whose client JavaScript files are easy to modify, threat actors commonly patch the client itself to perform malicious behaviour. Learn more >
