ShadowTalk Update – 09.10.2018
September 10, 2018
In this week’s ShadowTalk, Richard Gold and Rafael Amado join Michael Marriott to discuss the latest Department of Justice complaint against an individual working for Chosun Expo, an alleged front for the North Korean state. The individual is accused of involvement in a host of campaigns, including attacks against Sony Pictures Entertainment, banks, defense contractors, and the many victims of the WannaCry ransomware variant. We discuss the most interesting revelations, outlining the different techniques used, and what this all means for organizations.
Simplistic Asacub takes top spot among mobile banking trojans
The Asacub banking trojan has emerged as the most active banking trojan of the past 12 months, surpassing other prolific variants including “Svpeng” and “Faketoken”. Its capabilities and distribution tactics are relatively simplistic, relying on social engineering to target users in Russia, the United States, Germany and former Soviet nations.
Ties alleged between APT10 and China’s security ministry
Individual members of the threat group APT10 (aka STONE PANDA) have allegedly been identified and associated with a department of China’s Ministry of State Security. Although the allegations do not cover all relevant details, the bloggers who released the incriminating information have previously provided valid information about another Chinese nation-state affiliated group. If accurate, the revelations represent a significant security breach regarding the threat group’s operations; an adjustment to, or cessation of, APT10 activity is a likely response.
MagentoCore script steals payment card data from e-commerce sites
A malicious script dubbed MagentoCore has been detected targeting e-commerce websites using the Magento payment platform to steal customers’ payment card information. The attackers responsible have successfully infected more than 7,300 individual shops to date, and are actively targeting 50-plus additional shops per day. The attacks demonstrate the same tactics as another financially motivated campaign conducted by the threat group “MageCart”, which has been active since 2015. That campaign and the MagentoCore attacks are likely operated by the same threat actors.
New Fallout exploit kit shows potential for popularity
Researchers at cyber-security company Nao Sec identified a new exploit kit, “Fallout”, which is closely related to the “Nuclear Pack” exploit kit. Fallout was observed on 29 Aug 2018 targeting the vulnerabilities CVE-2018-4878 and CVE-2018-8174. The exploit kit is customizable and will probably become a popular tool for threat actors due to its remote capabilities; there are no reports of Fallout having been used in a malicious attack to date.
To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.