Cyware Daily Threat Intelligence

Daily Threat Briefing • October 20, 2022
Banking trojan Ursnif has apparently moved on. Its latest attack chain connects to a remote server to receive commands, which suggests that the operators behind it could move into supporting ransomware operations in the future. Clicker, another malware, was spotted propagating via 16 malicious apps posing as utility apps on the Google Play Store. Its authors added a randomized delay between an app's installation and the start of its malicious activity to stay under the radar.
What’s more? Verizon has confirmed that an undisclosed number of its prepaid customers were hit by SIM swapping. The firm further added that an unauthorized third party accessed the last four digits of customers’ credit cards.
Data leakage from exposed .git folders
About two million .git folders were found exposed to the public internet. A .git folder holds a project's metadata, including remote repository addresses and the full commit history, and its config file can embed credentials in remote URLs and other sensitive data. Researchers detected 1,931,148 IP addresses with live servers whose .git folder structure was publicly accessible. Over 31% of the exposed folders were in the U.S., 8% in China, and 5% in Germany. Anyone operating a web server should verify that paths such as /.git/HEAD and /.git/config are not served, and should not rely on directory listing being disabled, since the individual files can still be requested by name.
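As an added example that is not part of the Cyware briefing or the cited research: a small Python checker that decides whether a site serves its .git directory (by validating the content of /.git/HEAD rather than trusting a 200 status, since single-page apps often answer every path with HTML) and then parses /.git/config for leaked remote URLs, flagging any that embed credentials. The `fetch` callable, the `example.test` and `spa.test` hosts and the sample responses are constructed for the example; plug in a real HTTP client to test your own hosts.

```python
"""Detect an exposed .git folder and extract the remote URLs it leaks.

Added example, not code from the briefing. The fetcher is injected so the
check runs offline against constructed responses.
"""
import re
from typing import Callable, Dict, Optional

# A genuine .git/HEAD is either a symbolic ref ("ref: refs/heads/<branch>")
# or a bare hex commit id (detached HEAD; 40 hex for SHA-1, 64 for SHA-256).
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")
# INI-style [remote "<name>"] sections and url = ... lines in .git/config.
_SECTION_RE = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
_URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$")
# Credentials embedded in a URL, e.g. https://user:token@host/repo.git
_CRED_RE = re.compile(r"^[a-z+]+://[^/@:]+:[^/@]+@", re.I)


def looks_like_git_head(body: Optional[str]) -> bool:
    """True if the body is a plausible .git/HEAD (rules out HTML 404/SPA pages)."""
    return body is not None and bool(_HEAD_RE.match(body.strip()))


def parse_remotes(config: str) -> Dict[str, str]:
    """Return {remote name: url} parsed from a .git/config text."""
    remotes: Dict[str, str] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.strip().startswith("["):
            current = None  # entered a non-remote section such as [branch "main"]
            continue
        m = _URL_RE.match(line)
        if m and current:
            remotes[current] = m.group(1)
    return remotes


def check_git_exposure(base_url: str, fetch: Callable[[str], Optional[str]]) -> dict:
    """Probe base_url for an exposed .git folder.

    fetch(url) is a caller-supplied (hypothetical) helper that returns the
    response body for HTTP 200 and None for anything else.
    """
    base = base_url.rstrip("/")
    result = {"exposed": False, "remotes": {}, "creds_in_url": []}
    head = fetch(f"{base}/.git/HEAD")
    if not looks_like_git_head(head):
        return result
    result["exposed"] = True
    config = fetch(f"{base}/.git/config")
    if config:
        result["remotes"] = parse_remotes(config)
        result["creds_in_url"] = [
            name for name, url in result["remotes"].items() if _CRED_RE.match(url)
        ]
    return result


# Constructed sample responses standing in for real servers.
SAMPLE_SITE = {
    "https://example.test/.git/HEAD": "ref: refs/heads/main\n",
    "https://example.test/.git/config": (
        "[core]\n\trepositoryformatversion = 0\n"
        '[remote "origin"]\n\turl = https://deploy:s3cr3t@git.example.test/app.git\n'
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
        '[branch "main"]\n\tremote = origin\n'
    ),
    # A SPA that answers every path with its HTML shell must not count as exposed.
    "https://spa.test/.git/HEAD": "<!doctype html><html><body>app</body></html>",
}


def sample_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP GET returning the body on 200, else None."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    for site in ("https://example.test", "https://spa.test"):
        print(site, check_git_exposure(site, sample_fetch))
```

Validating HEAD's content is what separates a real exposure from a false positive: many servers return 200 for any path. A positive result means the whole repository can usually be reconstructed from the object store, so the fix is to block the `/.git` prefix at the web server (or not deploy the working copy's metadata at all) and to rotate any credential found in a remote URL.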
Whitworth University discloses breach
In a notification to the state attorney general’s office, Whitworth University confirmed that a ransomware attack may have affected data belonging to thousands of former and current students and staff. The incident reportedly impacted 5,182 individuals in Washington state. The notice does not say whether the university paid a ransom.
With LDR4, Ursnif is no longer a banking trojan
Ursnif has joined the likes of Emotet, Qakbot, and TrickBot in turning into a capable backdoor that drops next-stage payloads. The new variant, dubbed LDR4, has been observed using recruitment- and invoice-themed email lures as the initial intrusion vector to deliver a malicious document, which in turn fetches and launches the malware.
Clicker used for mobile ad fraud
McAfee identified 16 mobile apps laced with Clicker malware that together had over 20 million cumulative downloads. The malware masqueraded as seemingly harmless utility apps, such as cameras, QR code readers, currency/unit converters, note-taking apps, and dictionaries. Once on a device, it covertly directs the device to bogus websites and simulates ad clicks.
Domestic Kitten’s spyware campaign
A new mobile infection campaign involving the Furball spyware has come to light. The spyware hides behind a fake translation app (sarayemaghale.apk) impersonating an Iranian website that provides translated articles, journals, and books. Furball, attributed to the Iranian threat actor Domestic Kitten, gives its operators access to sensitive data, including contacts, files on external storage, basic system metadata, and more.
Flaw fixed in Azure Service Fabric
Microsoft addressed a bug affecting Azure Service Fabric clusters. The bug, tracked as CVE-2022-35829 and named FabriXss, is a spoofing vulnerability in Service Fabric Explorer (SFX) v1, the cluster's web management UI. Abusing the bug could let an attacker gain full administrator permissions on Azure Service Fabric clusters. Microsoft rated the bug ‘medium severity’ and noted that user interaction is required for exploitation.
SIM swapping hits Verizon prepaid customers
Accounts of Verizon prepaid customers were compromised, exposing their phone numbers to adversaries in a SIM-swapping scam. Investigation revealed that the scammers were able to transfer victims’ phone numbers to devices under their control, letting them receive SMS one-time passcodes (OTPs) and take over victims’ other online accounts. Any account that uses SMS OTP as its only second factor is exposed to this class of attack; authenticator apps and hardware security keys do not depend on the phone number and are not affected by a SIM swap.