Shadow Talk Update – 05.07.2018

Shadow Talk Update – 05.07.2018
Digital Shadows Analyst Team
Read More From Digital Shadows Analyst Team
May 7, 2018 | 3 Min Read

In this week’s episode Shadow Talk, it’s a vulnerability extravaganza. We cover malicious use of legitimate software, as APT28 is attributed to hijacking LoJack and Blackrouter delivered via AnyDesk software. Vulnerabilities found (and exploited) in GPON home routers, and Loki Bot exploits two remote code execution vulnerabilities in Microsoft Office (CVE-2017-8570 and CVE-2018-0802).

Microsoft Office flaws exploited to deliver Loki Bot

Distributors of the Loki Bot information-stealing malware are exploiting two remote code execution (RCE) vulnerabilities in Microsoft Office: CVE-2017-8570 and CVE-2018-0802. CVE-2018-0802 is associated with another flaw (CVE-2017-11882), and only devices that have applied the patches for that vulnerability can be exploited in the new attacks. Because Loki Bot is widely available on online criminal forums, there has been no attribution for the recent activity. Proof of concept (PoC) code has been released online, which has highly likely enabled attackers to target both vulnerabilities.

Cyber incident affects Mexican inter-bank money transfers

News service Bloomberg reported that three Mexican banks were forced to use contingency plans for monetary transfers after a cyber “incident” affected connections with the Interbank Electronic Payment System (SPEI). The SPEI is a nearly real-time hybrid settlement system that enables transfers between participating banks, and is operated by Mexico’s central bank (Banco de México). At the time of writing, few details of any intrusions are publicly available. Attacks targeting specific banks and their internal systems are often conducted by threat actors with a good knowledge of banking payment infrastructure. This incident followed a failed attack on a Mexican bank’s SWIFT platform in January 2018.

GravityRAT evades detection for two years

A previously unreported RAT, dubbed GravityRAT, allegedly targeted organizations in India, and has been under development for the past two years. GravityRAT has similar functionality to pre-existing RATs, including file extraction and RCE. GravityRAT evaded detection for multiple years despite the C2 infrastructure remaining static throughout its evolution. This likely indicates that there were a few attacks against organizations, and that it was unlikely to have represented a significant threat.

Rubella Macro Builder crimeware kit used in banking malware campaigns

Malware distributors have been using a new crimeware kit, called Rubella Macro Builder, for attacks. The kit is available to rent from Russian-language criminal forums at a relatively low price, and offers a range of functions pertaining to payload execution and encryption. The attack vector relies on social engineering, in sending emails with malicious Microsoft documents attached: an unsophisticated but consistently popular distribution method. Since its emergence in February 2018, the kit has undergone modification and developments, and more improvements are highly likely in the short term.



Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Access Our Threat Intel In Test Drive

Test Drive SearchLight Free for 7 Days
Try It Now

Connect with us

Related Posts

It’s even easier to initiate takedowns in SearchLight

It’s even easier to initiate takedowns in SearchLight

August 12, 2020 | 3 Min Read

When faced with infringing content, phishing...
Escrow systems on cybercriminal forums: The Good, the Bad and the Ugly

Escrow systems on cybercriminal forums: The Good, the Bad and the Ugly

August 11, 2020 | 15 Min Read

Just a few short months ago, the...
Saving the SOC from overload by operationalizing digital risk protection

Saving the SOC from overload by operationalizing digital risk protection

August 5, 2020 | 4 Min Read

As you may have seen last week, the latest...