Weekly Summary (2017 Week-43)


  • Dragonfly: An Advanced Persistent Threat (APT) group that has been targeting government agencies and industries in the energy, nuclear, water, aviation, and critical manufacturing sectors. The campaign has been active since May 2017 and is likely still targeting companies. Instead of attacking companies directly, the hackers target third-party organizations that have access to the company’s network. Attackers commonly do this because mid-size or small third-party vendors do not have security practices as stringent as larger corporations, so access is easier to gain. This access is then used as a pivot point to enter the target’s network and to identify and attack Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) systems.
    • UPDATE: ThreatPost later published a report claiming that the US-CERT report includes several false positives.
  • Middle Eastern Adversaries: The adversary group known to use the malware families KASPERAGENT and MICROPSIA in its campaigns was observed using new malware payloads in recent campaigns. The adversaries are using AutoIT-based malware payloads for information stealing and reconnaissance.
  • APT28: Last week an APT28 campaign leveraging CVE-2017-11292 was disclosed. This week Cisco Talos reported on another campaign intended to target security professionals. The decoy documents used in the phishing campaign included a deceptive flyer relating to the Cyber Conflict U.S. conference (CyCon US).
  • TheDarkOverlord: A hacker group that has targeted several businesses (primarily education- and healthcare-related) in the US and Europe to demand ransom. The group either steals information or encrypts companies’ systems and then threatens to delete the data or release sensitive files publicly if the demanded ransom is not paid. This week the group claimed to have compromised Austin Manual Therapy Associates.
  • Greenbug: An Iranian adversary group known to target Middle Eastern government and private companies. This group has recently been registering typo-squatted and look-alike domains for several well-known companies. The group is most likely preparing a large campaign that targets victims while posing as these companies.

Data Breaches:

  • London Bridge Plastic Surgery (LBPS): Health care organization affected by a data breach, likely by TheDarkOverLord (an infamous adversary group known to target several organizations). The adversaries are threatening the hospital, demanding a ransom to prevent sensitive patient information (including personal details and nude pictures) from being released publicly.
  • APNIC: The Asia Pacific Network Information Centre (APNIC), which maintains Whois data for the Asia Pacific region, accidentally exposed Whois database data during the upgrade of APNIC’s whois database in June 2017. The exposed data includes hashed authentication credentials for APNIC whois maintainer and Incident Response Team (IRT) objects.
  • Breach exposing details of South Africans: A massive data dump was found to include details of South African individuals. The exposed data includes around 30 Million records including 2.2 distinct individuals. Researcher Troy Hunt, founder of “HaveIbeenPwned.com”, posted the headers of the exposed data on a pastebin page to help identify the company the data came from.
  • Equifax breach Update: Undisclosed security researcher(s) claim that they notified Equifax last year of vulnerabilities that might have been used by the adversaries to hack into the company’s systems. The researchers said that the data was publicly available on the internet and could have been downloaded by several other adversaries as well. They also alleged that the company’s negligence allowed adversaries to steal data.
    • Equifax stated that the vulnerabilities used in the massive breach (which exposed details of 145 Million US citizens as well as citizens of several other countries) were different from the ones reported by the researchers.
  • COL Financial: The financial organization in the Philippines investigated a potential data breach this week. The company suspected that it had been compromised by unknown hackers, after which it informed the required law enforcement agencies and conducted an investigation. The company later stated that clients’ stock positions and portfolios were not affected.
  • Tarte Cosmetics: The cosmetics company exposed personal details of around 2 million users via 2 misconfigured MongoDB databases. The databases were 3.8 GB and 4.9 GB in size and contained details of users including their name, address, email address, purchase history and the last 4 digits of their credit card.
  • jQuery blog defacement: Hackers with the handles “n3tr1x” and “str0ng” defaced the official jQuery blog.

Exploit Kits (EK):

  • Terror EK: Terror exploit kit was found this week running a campaign to deliver SmokeLoader (a downloader) that in turn downloads coin miners onto infected machines.
    • Later during the week Terror EK was again found delivering SmokeLoader. This campaign has been active since sometime between September and October and targets victims via pop-up advertisements hosted on compromised/infected websites.
  • Rig EK: A Rig exploit kit campaign was found delivering a variant of the banking Trojan Ursnif/ISFB.
    • In another campaign during this week Rig EK was also observed being used in the Seamless campaign distributing the Ramnit Trojan.


  • AhMyth: Source code for an Android RAT (Remote Access Trojan) was released publicly online. The source code was observed to be present on the code-sharing website GitHub under an account handle of the same name (AhMyth).
  • Sockbot: An Android botnet malware that infected millions of devices, creating a massive botnet. The malware poses as genuine apps on Google Play and third-party stores. Symantec researchers observed at least eight such trojanized apps on the Google Play Store, with download counts ranging from 600,000 to 2.6 million. Most of these users were located in the United States, Russia, Ukraine, Brazil, and Germany. The apps pose as add-ons for well-known Android applications such as Minecraft while in the background connecting to a command and control server to receive commands for malicious activity.
  • Sage Ransomware: The ransomware was found spreading via spam emails during last week. Hackers used social engineering techniques to lure victims into downloading and executing the ransomware.
  • Reaper: A new IoT botnet targeting routers by exploiting known vulnerabilities. Widely used products from several well-known vendors were targeted, such as D-Link, GoAhead, Netgear etc. The security vendor Check Point also published an analysis of a similar IoT botnet, though the name of the botnet was not specified.
  • WonderBotnet: Another botnet discovered this week, named WonderBotnet. The malware (bot) is spreading via a cracked application that claims to provide fake user accounts for Netflix. Once executed, this application downloads and executes the malware, which retrieves its configuration from a dump posted on pastebin, a text-sharing website. The malware also includes a kill-switch that enables the hackers to shut down the botnet by issuing a command.
  • LokiBot: LokiBot was primarily an Android banking Trojan; however, it was recently found that this malware includes several additional functionalities such as ransomware. The malware can overlay several banking applications and other well-known applications such as Skype, Outlook and WhatsApp.
  • Fake Poloniex app: Two fake versions of Poloniex, a popular cryptocurrency exchange, were found on the Google Play Store. These apps steal the user’s credentials for their Poloniex account and also trick them into granting the hackers access to their Google accounts.
  • Client Maximus: A banking Trojan that is now targeting Brazilian users. The campaign was first noted by IBM X-Force 2 weeks ago, but it is likely that the campaign is still active in Brazil.
  • WannaCry: Long after the massive outbreak of the ransomware in May 2017, the ransomware was found in an attack against the healthcare organization FirstHealth. The hospital stated that the ransomware infected its computer systems in the Carolinas and a number of doctors’ offices across the Sandhills.
  • Bad Rabbit: A massive ransomware campaign targeting companies was observed this week. Hackers used a ransomware named Bad Rabbit to compromise systems. The ransomware was first observed targeting victims in Russia, Ukraine, and other Eastern European countries. It managed to infect servers, workstations, and mail servers of at least three Russian media agencies. The victims were asked to pay 0.5 Bitcoins to decrypt their infected files; the ransom is supposed to increase if the victim fails to pay within the first 40 hours of infection. The attack theme used in this campaign was similar to the NotPetya campaign, leveraging SMB vulnerabilities to move laterally in the network of an infected machine. NotPetya ransomware leveraged an exploit named EternalRomance to infect victims. Bad Rabbit also leveraged the same exploit, but the implementation of the exploit differs from that in NotPetya.
    • Sources:
      • https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/
      • https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
      • http://blog.talosintelligence.com/2017/10/bad-rabbit.html
      • https://arstechnica.com/information-technology/2017/10/bad-rabbit-used-nsa-eternalromance-exploit-to-spread-researchers-say/
      • http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/
  • Tyrant: A ransomware targeting Iranian users, disguised as a popular VPN app.
  • SnatchLoader: A downloader malware now used by adversaries to deliver the Ramnit banking Trojan.
  • Retefe: A banking trojan named Retefe, spreading via spam emails that trick recipients by posing as the Swiss tax administration.
  • HtpRAT: A Remote Access Trojan (RAT) seen targeting South Asian users. The adversaries behind the RAT are allegedly Chinese. The RAT has been spreading via spear phishing emails since 2016. It performs anti-detection and anti-debugging checks before running the malware.


  • DUHK: A new vulnerability that can expose encrypted communications over VPNs and web browser sessions. The vulnerability affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded key. The generator is used to produce the cryptographic keys that secure VPN connections and web browsing sessions and keep third parties from reading intercepted communications, so every application relying on it with a hard-coded key is now vulnerable to attacks that expose those keys.
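As an added illustration (not code from the original post), the structure of the ANSI X9.31 generator and why a hard-coded key undermines it: the next seed V' = E_K(R ^ I) depends only on K, the timestamp block and the previous output, never on the secret seed V, so a party holding K can reproduce the stream from a single observed block. Assumptions: a stdlib Feistel stand-in replaces the real block cipher, the timestamp blocks are treated as known, and the key and seeds are constructed values.

```python
import hashlib
import os

BLOCK = 16  # X9.31 works in block-cipher-sized chunks


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_prp(key: bytes, block: bytes) -> bytes:
    """Keyed permutation standing in for E_K (real deployments use 3DES/AES).
    4-round Feistel with a SHA-256 round function, so it runs on the stdlib."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def x931_step(key: bytes, timestamp: bytes, v: bytes):
    """One X9.31 iteration: I = E_K(T); R = E_K(I ^ V); V' = E_K(R ^ I).
    Returns (output block R, next seed V')."""
    i = toy_prp(key, timestamp)
    r = toy_prp(key, xor(i, v))
    return r, toy_prp(key, xor(r, i))


def predict_next(key_guess: bytes, t_seen: bytes, r_seen: bytes, t_next: bytes) -> bytes:
    """What an observer who believes the key is key_guess derives from one
    observed output block and the (assumed known) timestamp blocks."""
    i = toy_prp(key_guess, t_seen)
    v_next = toy_prp(key_guess, xor(r_seen, i))  # V' needs only K, I and R
    r_next, _ = x931_step(key_guess, t_next, v_next)
    return r_next


def demo(hardcoded_key: bytes = b"constructed-fixed-key-example"):
    """Returns (predictable when K is shipped in firmware, predictable when K is per-device)."""
    seed_v = os.urandom(BLOCK)                       # secret seed, never observed
    t1, t2 = os.urandom(BLOCK), os.urandom(BLOCK)    # stand-in timestamp blocks
    # Case 1: every device ships the same hard-coded K, so the observer knows it.
    r1, v2 = x931_step(hardcoded_key, t1, seed_v)
    r2, _ = x931_step(hardcoded_key, t2, v2)
    shared = predict_next(hardcoded_key, t1, r1, t2) == r2
    # Case 2: K is a per-device secret; the observer's guess is wrong.
    secret_key = os.urandom(32)
    r1, v2 = x931_step(secret_key, t1, seed_v)
    r2, _ = x931_step(secret_key, t2, v2)
    secret = predict_next(hardcoded_key, t1, r1, t2) == r2
    return shared, secret
```

The secret seed V never has to be known: once K is public, observing one output block R is enough to recompute V' and everything the generator emits afterwards, which is the mitigation argument for per-device, secret K.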


  • IRCbot attack campaign: A campaign of attacks conducted by a distributed denial of service (DDoS) botnet dubbed “IrcBot v1.0” was observed. This bot is a variant of the IRCbot first observed in 2013. The campaign targeted websites running Apache or Nginx web servers via specially crafted HTTP POST requests.
