Weekly Summary (2017 Week-42)


  • BlackOasis: APT group that uses zero-day vulnerabilities to target victims; recently observed using CVE-2017-11292.
  • Leviathan: Cyber espionage group that targets organizations and high-value personnel in the defense and government sectors via spear-phishing campaigns.
  • APT28: Now exploiting CVE-2017-11292. The malicious payloads were created hurriedly in an attempt to leverage the vulnerability before target companies patch the vulnerable software.

Data Breaches:

  • Pizza Hut data breach: Users who used the website and mobile application during a 28-hour period (from the morning of October 1, 2017 to midday on October 2, 2017) were affected. Payment card details exposed. Notification letter from Pizza Hut.
  • Hyatt data breach: Data breach at selected locations exposed payment card details of customers who visited affected locations (including Pune, India) between March 18, 2017 and July 2, 2017. Hyatt provided notification to affected users with a list of all affected locations. Countries affected include the People’s Republic of China, Korea, Japan, Europe, India, Southeast Asia, the Pacific, the United States and a few others.
  • Far Eastern International Bank (FEIB): Malware payloads associated with the Lazarus group used to target FEIB.
  • Chase Brexton: Phishing attack exposed 16K patients’ information.
  • Namaste Health Care: Ransomware attack on a health care provider.
  • Catholic United Financial: Data breach at the financial company.
  • Data dump found that likely exposed details of millions: After analysis by various researchers, it is speculated that the data belongs to GoVault, a platform operated by Dracore.

Exploit Kits (EK):

  • Coalabot: HTTP DDoS bot based on code from August Stealer. Available for sale at $300.
  • DarkComet RAT: Microsoft Word documents -> exploits CVE-2012-0158 -> downloads malicious HTA file -> executes PowerShell -> downloads DarkComet RAT.
  • Orcus RAT: Microsoft Word documents (VBA/macros enabled) -> exploits CVE-2017-8759 -> downloads malicious HTA file -> executes PowerShell -> Orcus RAT payload.
  • CryptoMix Ransomware: New variant of the CryptoMix ransomware infecting users. Encrypted files renamed with .x1881 extension. Includes functionality to infect users even in offline mode.
  • Sage 2.2 ransomware: Ransomware dropped via Blank Slate malspam campaign. The campaign previously delivered Locky ransomware variant with .asasin extension. Two delivery methods:
    • Spam email -> Zipped attachment -> contains another zip file (different name) -> downloads JavaScript payload -> downloads and executes Sage 2.2 ransomware
    • Spam email -> Microsoft Word documents (VBA/macros enabled) -> downloads and executes Sage 2.2 ransomware
  • Sage ransomware: delivered via BlankSlate campaign.
  • Locky ransomware: Spam email -> Zipped attachment -> contains another zip file (different name) -> downloads JavaScript payload -> downloads and executes Locky ransomware
  • Malvertising on Equifax and TransUnion: A third-party JavaScript file used on the websites of credit reporting agencies Equifax and TransUnion redirected users to malicious pages. The websites were secured immediately after detection.
  • Crimeware kit: Malware toolkit targeting ATMs available for sale on underground forums.
  • Locky/Ykcol campaign: Message from KM_C224e themed malspam.
  • Zberp and Atmos banking Trojan: Neutrino bot, aka Kasidet, campaign delivering banking Trojans Zberp and Atmos.
  • Remcos and NjRAT: Spear-phishing campaigns against several embassies of various European countries, ultimately delivering Remcos and NjRAT.
  • Hacker’s Door: Chinese backdoor hitting victims again.
  • In-browser crypto-currency miners: A new technique trending among hackers that mines crypto-currency by executing JavaScript in victims’ browsers.
  • WaterMiner: An evasive crypto-currency miner.
  • Magniber: New ransomware targeting South Koreans via Magnitude Exploit Kit.
  • Proton RAT: Supply-chain attacks delivering Proton RAT.
  • TrickBot: Efax themed malspam campaign delivering banking Trojan.
  • Ursnif: New evasive techniques used by banking Trojan.
  • HydraPOS: Targeted campaign against Brazilian POS systems.
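Several of the chains above (DarkComet, Orcus) share the same shape: Word document -> HTA -> PowerShell. The following added example (not from the original summary) shows how a defender can flag that process ancestry in endpoint telemetry; the event format, field names and sample events are constructed for this example, and the shorter Word -> PowerShell pattern is included as a generalization.

```python
# Added example: flag the Office -> mshta -> PowerShell process ancestry in
# process-creation telemetry. Event tuples are (pid, ppid, image) and are
# constructed for this example; they do not come from any real sensor schema.

# Constructed sample events: one chain matching the campaign shape, one benign
# Word child process and one PowerShell launched from cmd.exe.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "WINWORD.EXE"),
    (210, 200, "mshta.exe"),
    (220, 210, "powershell.exe"),
    (300, 100, "winword.exe"),
    (310, 300, "splwow64.exe"),
    (400, 100, "cmd.exe"),
    (410, 400, "powershell.exe"),
]

# Ancestor patterns to flag, ordered root-most to child-most. Matching is by
# subsequence, so intermediate processes between the listed ones are allowed.
CHAINS = [
    ("winword.exe", "mshta.exe", "powershell.exe"),
    ("winword.exe", "powershell.exe"),  # assumed generalization of the above
]

def build_tree(events):
    """Index parent pid and lower-cased image name by pid."""
    parent, image = {}, {}
    for pid, ppid, img in events:
        parent[pid], image[pid] = ppid, img.lower()
    return parent, image

def ancestry(pid, parent, image):
    """Return image names from the root ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in image and pid not in seen:
        seen.add(pid)
        chain.append(image[pid])
        pid = parent[pid]
    return list(reversed(chain))

def is_subsequence(pattern, seq):
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)

def find_suspicious(events, chains=CHAINS):
    """Return (pid, 'a -> b -> c') for each leaf whose ancestry matches a chain."""
    parent, image = build_tree(events)
    hits = []
    for pid in image:
        anc = ancestry(pid, parent, image)
        if any(anc[-1] == c[-1] and is_subsequence(c, anc) for c in chains):
            hits.append((pid, " -> ".join(anc)))
    return hits
```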

