News – April 2020


  • RagnarLocker ransomware hits EDP energy giant, asks for €10M

    April 14, 2020

    Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). EDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world’s 4th largest producer of wind energy. The company is present ...

  • Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns

    April 14, 2020

    Despite prior reporting by various sources indicating that some cyber threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks. While the various COVID-19 themed phishing campaigns observed by Unit 42 are numerous, this blog ...

  • Threat Spotlight: Gootkit Banking Trojan

    April 14, 2020

    Gootkit is a sophisticated banking Trojan which can perform various malicious activities such as: web injection, taking screenshots, video recording, email parsing, and so on. Gootkit emerged during the summer of 2014 but is still active, making it a viable threat to financial institutions to this day. BlackBerry most recently observed a Gootkit campaign via AZORult infostealer ...

  • Coronavirus Update App Leads to Project Spy Android and iOS Spyware

    April 14, 2020

    Trend Micro has discovered a potential cyberespionage campaign, which we have named Project Spy, that infects Android and iOS devices with spyware (detected by Trend Micro as AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A, respectively). Project Spy uses the ongoing coronavirus pandemic as a lure, posing as an app called Coronavirus Updates. We also found similarities in two older samples ...

  • Overlay Malware Leverages Chrome Browser, Targets Banks and Heads to Spain

    April 14, 2020

    Researchers are warning of a remote overlay malware attack that leverages a fake Chrome browser plugin to target the accounts of banking customers in Spain. Grandoreiro is a type of remote overlay banking trojan, designed to help attackers overtake devices and display a full-screen overlay image when victim accesses their online banking account. In the background, meanwhile, the ...

  • APT41 Using New Speculoos Backdoor to Target Organizations Globally

    April 13, 2020

    On March 25, 2020, FireEye published a research blog regarding a global attack campaign operated by an espionage motivated adversary group known as APT41. This attack campaign was thought to have operated between January 20 and March 11, specifically targeting Citrix, Cisco, and Zoho network appliances via exploitation of recently disclosed vulnerabilities. Based on WildFire and AutoFocus ...

  • “Twin Flower” Campaign Jacks Up Network Traffic, Downloads Files, Steals Data

    April 13, 2020

    A campaign dubbed as “Twin Flower” (rough translation from Chinese) has been detected by Jinshan security researchers in a report published in Chinese. Trend Micro also analyzed related samples, which are detected as PUA.Win32.BoxMini.A, Trojan.JS.TWINFLOWER.A, and TrojanSpy.JS.TWINFLOWER.A. The files are believed to be downloaded unknowingly by users when visiting malicious sites or dropped into the system by ...

  • Travelex Pays $2.3M in Bitcoin to Hackers Who Hijacked Network in January

    April 10, 2020

    Travelex has paid out $2.3 million in Bitcoin to hackers to regain access to its global network after a malware attack at the new year knocked the global currency exchange offline and crippled its business during the month of January. The move—reported by the Wall Street Journal—may seem counterintuitive, as experts in the past have typically recommended that companies ...

  • Dutch police take down 15 DDoS services in a week

    April 10, 2020

    In a press release published today, Dutch police said they have successfully taken down 15 DDoS-for-hire services in the span of a week, as part of one of their most successful crackdowns against online DDoS service providers. The DDoS-for-hire websites, also known as DDoS booters or DDoS stressors, allowed users to sign up and launch DDoS ...

  • Hackers struggle morally and economically over Coronavirus

    April 9, 2020

    With the Coronavirus pandemic in full swing, threat actors are torn about how they should operate during the pandemic, and like everyone else, are also seeing a downturn in the underground hacker marketplace. In mid-March, BleepingComputer asked numerous ransomware operators whether they would stop targeting health care companies during the Coronavirus pandemic. Some operators stated they would no ...

  • Unique P2P Architecture Gives DDG Botnet ‘Unstoppable’ Status

    April 9, 2020

    The coin-mining botnet known as DDG has seen a flurry of activity since the beginning of the year, releasing 16 different updates over the course of the past three months. Most notably, its operators have adopted a proprietary peer-to-peer (P2P) mechanism that has turned the DDG into a highly sophisticated, “seemingly unstoppable” threat, according to ...

  • Copycat Site Serves Up Raccoon Stealer

    April 9, 2020

    Someone is targeting web denizens with a malicious, copycat Malwarebytes website, which serves up the Raccoon information stealer malware to unsuspecting visitors. According to the security firm itself, the attackers set up the domain “malwarebytes-freecom” with a domain registrar in Russia in late March. “We don’t expect to hear from either the registrar or hosting provider,” ...

  • FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks

    April 7, 2020

    Researchers say, two cybercriminal groups, FIN6 and the operators of the TrickBot malware, have paired up together to target several organizations with TrickBot’s malware framework called “Anchor.” The two threat groups joining forces is a “new and dangerous twist” in an existing trend of cybercrime groups working together, say researchers with IBM X-Force. The FIN6 group (also known as “ITG08”) has ...

  • Email provider got hacked, data of 600,000 users now sold on the dark web

    April 7, 2020

    The data of more than 600,000 Email.it users is currently being sold on the dark web, ZDNet has learned following a tip from one of our readers. “Unfortunately, we must confirm that we have suffered a hacker attack,” the Italian email service provider said in a statement to ZDNet on Monday. The Email.it hack came to light on Sunday, ...

  • Europol: Catching The Virus Cybercrime, Disinformation And The COVID-19 Pandemic

    April 6, 2020

    Cybercriminals have been among the most adept at exploiting the COVID-19 pandemic for the various scams and attacks they carry out. With a record number of potential victims staying at home and using online services across the European Union (EU) during the pandemic, the ways for cybercriminals seeking to exploit emerging opportunities and vulnerabilities have multiplied. Read ...

  • Apple Safari Flaws Enable One-Click Webcam Access

    April 6, 2020

    A security researcher has disclosed vulnerabilities in Apple’s Safari browser that can be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras. To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one malicious link. Security researcher Ryan Pickren has revealed ...

  • Analysis: Suspicious “Very Hidden” Formula on Excel 4.0 Macro Sheet

    April 6, 2020

    A malicious Microsoft Excel 4.0 Macro sheet with a suspicious formula that is set as “Very Hidden” was submitted by a customer and further analyzed by Trend Micro researchers. The sheet is not readily accessible via the Microsoft Excel User Interface (UI) due to a feature documented in the Microsoft website that allows users to hide sheets. ...

  • DarkHotel hackers use VPN zero-day to breach Chinese government agencies

    April 6, 2020

    Foreign state-sponsored hackers have launched a massive hacking operation aimed at Chinese government agencies and their employees. Attacks began last month, in March, and are believed to be related to the current coronavirus (COVID-19) outbreak. Chinese security-firm Qihoo 360, which detected the intrusions, said the hackers used a zero-day vulnerability in Sangfor SSL VPN servers, used to provide ...

  • Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill — Intelligence for Vulnerability Management, Part One

    April 6, 2020

    FireEye Mandiant Threat Intelligence documented more zero-days exploited in 2019 than any of the previous three years. While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities. Furthermore, we noted a significant increase over ...

  • Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it

    April 6, 2020

    Citizen Lab, a research group within the University of Toronto, has been able to drive a proverbial truck through the encryption used by video conferencing app Zoom. In a report where the group said the video platform was not suitable for sharing secrets nor government or business use, Citizen Lab found Zoom has been rolling its own encryption ...