Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 8, 2020
The last 24 hours brought a few happy endings on the ransomware front. Security researchers have cracked the encryption of two recently discovered ransomware families, EvilQuest and ArisLocker. EvilQuest uses the RC2 algorithm to encrypt victims’ files, while ArisLocker uses AES.
On the malware development side, a new version of the Lampion trojan that includes a VBS downloader file has been found targeting Portuguese and Brazilian users. The malware is distributed via spam emails.
Top Breaches Reported in the Last 24 Hours
Casino app leaks data
An unsecured Elasticsearch database was found leaking data of millions of Clubillion app users before it was secured. These records included personally identifiable information (PII), such as email addresses, private messages, and IP addresses of users.
New details about Magellan Health
The tally of Magellan Health data breach victims has reached 365,000 patients. The healthcare firm was affected by a ransomware attack in April 2020. The investigation determined that hackers had first installed the malware to steal employee credentials and later used them to gain access to the servers.
Top Malware Reported in the Last 24 Hours
Cerberus banking trojan
Cerberus banking trojan was found to be delivered via a malicious currency converter app - Calculadora de Moneda - that had over 10,000 downloads. The trojan targeted Android users in Spain. Once installed, it stole users’ login credentials.
Decryptor for EvilQuest ransomware
Researchers have created a decryptor for EvilQuest ransomware by cracking its encryption routine, which is based on the RC2 algorithm. The ransomware, which is distributed via torrent platforms and online forums, can install a keylogger and steal cryptocurrency wallet-related files from infected hosts.
Source code of ransomware found
Cyble’s researchers have discovered the source code of ArisLocker ransomware being distributed for free on the dark web. The ransomware uses the AES algorithm to encrypt the victim’s files.
A new variant of Lampion trojan
A new version of the Lampion trojan has been found targeting users in Portugal and Brazil. The trojan is distributed via spam emails and includes a VBS downloader file that retrieves two additional files from cloud storage services. These two files are used to gain persistence on the target machines.
Top Scams Reported in the Last 24 Hours
Cosmic Lynx’s BEC scams
Researchers have revealed that the Cosmic Lynx threat actor group is responsible for more than 200 BEC attacks since July 2019. The group typically impersonates the CEO of the target company and sends an email request to close an acquisition with an Asian company. The email further informs the target employee that an external legal counsel will help coordinate the payments for closing the deal. In the final stage of the attack, the threat actor group convinces the recipients to send payments to fake accounts in Hong Kong.
Coronavirus-related phishing
Cybercriminals have been found capitalizing on Brazil’s government assistance program related to the pandemic to trick citizens into sharing their personal details. In this attempt, the attackers have created over 693 malicious websites since March 2020.