Weekly Summary (2017 Week-46)

Hacktivism:

  • Di5s3nSi0N: A hacker group that breached Amaq, the official news agency website of the Islamic State (ISIS), and exposed about 2,000 email addresses of the agency's subscribers.
  • Anonymous Italy: The Italian subgroup of the hacker collective Anonymous claims to have dumped sensitive Italian government information on Pastebin and Mega.nz.

Data Breaches:

  • Fasten Inc.: The ride-hailing service exposed details of more than one million customers of the Fasten mobile app, along with thousands of its drivers. The data sat in a misconfigured Apache Hive database exposed to the internet; it was secured after researchers at MacKeeper notified the company.
  • Forever 21: The fashion retailer reported unauthorized access to its systems at some of its locations. The retailer operates 815 stores in 57 countries, but the number of affected locations was not disclosed. The incident likely affected transactions between March and October 2017.
  • Australian Broadcasting Corporation: Another instance of an improperly configured Amazon Web Services S3 bucket exposing sensitive data.

Malware:

  • Agent Tesla: A security researcher using the Twitter handle JAMESWT_MHT reported that the Agent Tesla malware is being dropped by malicious Word documents distributed through spam emails.
  • BankBot: An Android banking Trojan named BankBot was recently found on the Google Play store masquerading as a cryptocurrency market-price app. When the victim opens a banking application, the Trojan overlays the screen with a fake login form and so can steal the victim's banking credentials.
  • IcedID: The Emotet dropper has recently been observed delivering a banking Trojan named IcedID. IcedID, discovered in September 2017, targets banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites in the United States (U.S.) and United Kingdom (U.K.). Its capabilities include stealing banking credentials and dropping additional malware payloads.
  • Reaver: A recently discovered malware family that shares infrastructure with SunOrcal, a Chinese malware that targeted users in Taiwan and Hong Kong in 2016. A notable feature of Reaver is that its dropped payload is disguised as a Windows Control Panel (CPL) file. Three versions, Reaver 1.0, 2.0 and 3.0, have been seen in the wild.
  • ExpensiveWall: Trojanized applications on the Google Play store were found carrying payloads for the ExpensiveWall Android malware. The malware was disguised as legitimate applications with names such as “Delicate Keyboard”, “Secret Notepad” and “Super Emoticon”. So far the malicious applications have been installed by about 50,000 users.
  • Cryptomix ransomware: A new variant of this ransomware was recently discovered. It is named “XZZX” after the extension it appends to encrypted files, and it uses the same encryption techniques as earlier variants.
  • GlobeImposter ransomware: A new variant of this ransomware was recently discovered. It appends the “.kimchenyn” extension to encrypted files.
  • Hancitor: A fax-themed spam email campaign is delivering the Hancitor, Pony/EvilPony and Zeus Panda malware payloads.
  • Grabos: New Android malware found masquerading as music player apps on the Google Play store. Since July 2017, 144 Trojanized apps on Google Play have been associated with this malware.
  • AsiaHitGroup: An Android Trojan targeting users in Asian countries. The Trojanized apps on the Google Play store masqueraded as alarm clock, QR scanner, compass, photo editor, internet speed test and file explorer apps.
  • Alina POS: This point-of-sale malware was found targeting restaurants in the United States. The recent variants analyzed by researchers were compiled with Microsoft Visual C++ 8. The malware scrapes the memory of the infected machine for payment card data read from the card reader attached to it.
  • FallChill and Volgmer: A report from US-CERT (United States Computer Emergency Readiness Team) detailed two malware families, FallChill and Volgmer, used by the Hidden Cobra group (the U.S. government's designation for North Korean state-sponsored actors).
  • Agent.BKY: A new multi-stage Android malware with advanced evasion features. It carries several encrypted payloads to hinder analysis, and the infection proceeds in four stages to avoid detection.
  • Emotet: The banking Trojan has re-emerged with new evasion techniques. The new variants include various anti-sandboxing checks. Additionally, the payload calls the Windows API function CreateTimerQueueTimer with a 1000 millisecond interval, using the timer callback to check that the payload is running properly on the infected machine.
    • In another instance, Emotet was found being dropped by spam emails themed as money-transfer notifications.
  • Vulture Stealer: A new information stealer targeting Brazilian users via spam emails. It has multiple components, including a loader, a Google Chrome plugin and the Banload banking Trojan.

Vulnerabilities:

  • AVGater: A vulnerability in the quarantine restore feature of several anti-virus products that lets a local attacker escalate privileges on an already compromised machine. It was discovered by an information security auditor at Kapsch Group, based in Austria. Affected vendors include Malwarebytes, Emsisoft and Trend Micro; most of the affected vendors have issued patches.
  • Huddle office collaboration tool: A security flaw in the office collaboration tool “Huddle”, a cloud-based service for file sharing and internal and external document collaboration. The flaw reportedly exposed confidential documents belonging to large organizations including KPMG and the BBC. Huddle is also used by several other companies and government bodies such as the UK Home Office, the Cabinet Office, HM Revenue & Customs and multiple branches of the NHS.
  • CVE-2017-11882: A critical remote code execution (RCE) vulnerability in Microsoft Office. Notably, the bug went unnoticed for seventeen years. It lies in EQNEDT32.EXE, the executable for Microsoft Equation Editor, which Office uses to insert and edit equations in documents; this legacy component is still shipped with the Office suite for backward compatibility. Where Equation Editor is not needed, one mitigation is to disable the component through the Windows registry so that Office can no longer load it.
  • BlueBorne: The widely reported set of Bluetooth vulnerabilities also affects Google Home and Amazon Echo devices. Google Home devices can be targeted through the information leak in Android's Bluetooth stack (CVE-2017-0785), while Amazon Echo devices were vulnerable to two flaws: remote code execution in the Linux kernel (CVE-2017-1000251) and an information leak in the SDP server (CVE-2017-1000250).
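The registry mitigation mentioned in the CVE-2017-11882 entry above, written out as an added example (this is not code from the original summary): it sets the COM "kill bit" on the Equation Editor class so that Office refuses to instantiate EQNEDT32.EXE. The CLSID and the 0x400 flag value are the ones Microsoft published for this purpose; the function name is mine, and the script assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example: disable the legacy Equation Editor COM server by setting its
# COM kill bit. Office then cannot load EQNEDT32.EXE through an embedded object,
# which closes the document-based path to CVE-2017-11882 on unpatched hosts.
# Run from an elevated PowerShell prompt. The helper name is hypothetical.

$EquationEditorClsid = '{0002CE02-0000-0000-C000-000000000046}'  # Equation Editor 3.0
$KillBit = 0x400                                                  # COM kill-bit flag

# Both registry views are written so that 32-bit Office on 64-bit Windows is covered.
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$EquationEditorClsid"
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$EquationEditorClsid"
)

function Disable-EquationEditor {
    foreach ($key in $CompatKeys) {
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # -Force overwrites an existing value; the value type must be DWORD.
        New-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $KillBit -Force | Out-Null
    }
}

function Test-EquationEditorDisabled {
    # Reads the flag back from each view and reports whether the kill bit is set.
    foreach ($key in $CompatKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key      = $key
            Flags    = ('0x{0:X}' -f [int]$flags)
            Disabled = [bool]($flags -band $KillBit)
        }
    }
}

Disable-EquationEditor
Test-EquationEditorDisabled | Format-Table -AutoSize
```

Deleting the `Compatibility Flags` value (or clearing bit 0x400) re-enables Equation Editor. The kill bit is a stopgap for hosts that cannot yet take Microsoft's November 2017 security update, which is the actual fix; it also blocks legitimate use of legacy equation objects, so confirm nobody depends on them first.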

Campaigns:

  • Seamless malvertising campaign: The Seamless malvertising campaign has been active for a long time. Recently its infection chain was found delivering the Ramnit and AZORult malware payloads.
  • MuddyWater: Targeted cyber espionage attacks against the Middle East by a group named MuddyWater, conducted between February and October 2017. The attacks were initially attributed to the FIN7 group, but researchers now suspect they were carried out by a different group. Victims of these attacks were also located in India, Pakistan and the USA.
  • Phishing campaign delivering DNSMessenger: A phishing campaign was observed delivering the DNSMessenger malware by abusing the Office DDE (Dynamic Data Exchange) feature. DNSMessenger is a remote access Trojan (RAT) that uses DNS TXT queries to communicate with its command and control (C&C) server. DDE abuse is a recently publicized technique affecting Microsoft Office products, and its use by attackers has increased noticeably.
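The DNS TXT channel that DNSMessenger uses leaves a trace in resolver logs. The following is an added example (not from the original summary or from any vendor report) of a simple beaconing heuristic in PowerShell: it flags clients that send many TXT queries to one parent domain where every leftmost label is unique and high-entropy, which is what encoded tasking and response traffic looks like. The log line layout, domain names, client addresses and thresholds are all constructed or assumed for the example.

```powershell
# Added example: heuristic detection of DNS-TXT-based C2 beaconing.
# Sample resolver log, constructed for this example. Field layout (assumed):
#   <timestamp> <client-ip> <qtype> <qname>
$SampleLog = @(
    '2017-11-14T10:00:01Z 10.0.0.5 TXT 5a1f3e9c0b7d.cdn-updates.example'
    '2017-11-14T10:00:02Z 10.0.0.5 TXT 9c44d1ab2e86.cdn-updates.example'
    '2017-11-14T10:00:03Z 10.0.0.5 TXT e70b3f82a1c5.cdn-updates.example'
    '2017-11-14T10:00:04Z 10.0.0.5 TXT 1d6e9a5c3b08.cdn-updates.example'
    '2017-11-14T10:00:05Z 10.0.0.5 TXT b8f2c4e7a913.cdn-updates.example'
    '2017-11-14T10:00:06Z 10.0.0.5 TXT 47a0d9e3b6f1.cdn-updates.example'
    '2017-11-14T10:00:07Z 10.0.0.7 A   www.example.com'
    '2017-11-14T10:00:08Z 10.0.0.7 TXT _dmarc.example.com'   # legitimate TXT lookup
    '2017-11-14T10:00:09Z 10.0.0.7 TXT example.com'          # legitimate TXT lookup
    '2017-11-14T10:00:10Z 10.0.0.9 TXT _dmarc.example.com'
)

function Get-ParentDomain([string]$Qname) {
    # Naive registrable-domain guess: last two labels. Good enough for the
    # example; a real deployment should use a public-suffix list.
    $labels = $Qname.TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return $Qname }
    return ($labels[-2..-1] -join '.')
}

function Get-Entropy([string]$Text) {
    # Shannon entropy in bits per character; hex/base32 encoded data scores high.
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

function Find-TxtBeaconing {
    param(
        [string[]]$Lines,
        [int]$MinQueries = 5,       # assumed threshold: TXT queries per client/domain
        [double]$MinEntropy = 3.0   # assumed threshold: mean entropy of leftmost label
    )
    # Keep only TXT queries and split each into client, parent domain, leftmost label.
    $txt = foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -ge 4 -and $f[2] -eq 'TXT') {
            [pscustomobject]@{
                Client = $f[1]
                Parent = Get-ParentDomain $f[3]
                Label  = ($f[3].Split('.'))[0]
            }
        }
    }
    # A client talking to a C2 over TXT sends many queries whose leftmost label
    # never repeats (it carries encoded data) and looks random.
    foreach ($g in ($txt | Group-Object -Property Client, Parent)) {
        $labels     = @($g.Group | ForEach-Object { $_.Label })
        $unique     = @($labels | Sort-Object -Unique).Count
        $avgEntropy = ($labels | ForEach-Object { Get-Entropy $_ } |
                       Measure-Object -Average).Average
        if ($g.Count -ge $MinQueries -and $unique -eq $g.Count -and $avgEntropy -ge $MinEntropy) {
            [pscustomobject]@{
                Client          = $g.Group[0].Client
                Domain          = $g.Group[0].Parent
                TxtQueries      = $g.Count
                UniqueLabels    = $unique
                AvgLabelEntropy = [math]::Round($avgEntropy, 2)
            }
        }
    }
}

# On the constructed log only 10.0.0.5 -> cdn-updates.example is reported;
# the DMARC and apex TXT lookups from the other hosts fall below the thresholds.
Find-TxtBeaconing -Lines $SampleLog | Format-Table -AutoSize
```

The two thresholds are the knobs to tune against a baseline of normal TXT traffic (SPF, DMARC, DKIM and service-verification records are the common legitimate sources); the uniqueness check is what separates an encoded channel from a client that repeatedly resolves the same record.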
