ShadowTalk Update – 09.17.2018

Digital Shadows Analyst Team
September 17, 2018 | 2 Min Read

In this week’s ShadowTalk, Richard Gold and Simon Hall join Michael Marriott to discuss the latest spate of attacks by the threat actor known as Magecart. We dig into the history of Magecart, different approaches to web skimming, and provide advice on how organizations can best protect against this threat.

Fallout exploit kit identified distributing GandCrab ransomware

The Fallout exploit kit has distributed the GandCrab ransomware to entities in the Middle East via a malvertising campaign. The exploit kit targeted CVE-2018-8174, and the final payload depended on the victim's operating system: Microsoft Windows users received the ransomware, while macOS users were redirected to social engineering pages. This latest campaign's use of a different payload and its targeting of new geographies indicate an increase in Fallout's capabilities. While the vulnerabilities exploited by Fallout remain the same as previously reported, the addition of GandCrab suggests that its developers will likely add more exploits in support of ransomware-as-a-service attacks.

APT group Silence increases TTP capabilities, targets financial sector

The advanced persistent threat (APT) group Silence has significantly developed its tactics and tools since 2016. In attacks on financial institutions in over 25 countries, Silence has attempted to compromise interbank communication systems, ATMs and card processing platforms to steal information. The emergence of tools developed by Silence likely indicates an increase in the group's capability and sophistication. Additional incidents involving custom tools developed and operated by Silence will likely be observed within the next six to twelve months.

Recently identified threat actor “PowerPool” exploits Windows zero-day vulnerability

A recently identified threat actor named PowerPool has exploited a previously identified Windows zero-day vulnerability. The threat group manipulated the vulnerability's binary source code to escalate its privileges and subsequently replace a target file's contents with malicious code. This file provides PowerPool with persistence on a system and can be removed remotely if detected. Additional technical details were unavailable at the time of writing. Historically, PowerPool has used unnamed backdoor variants for reconnaissance purposes, and the group likely used the same methodology alongside this latest vulnerability. The use of a legitimate Windows utility allowed PowerPool to minimize its risk of detection and obfuscate its code delivery.
