Last Week In Blockchain and Cybersecurity News – March 3, 2020

Malicious Actors Produce Coronavirus-Themed Malware

Some cybercriminals have been taking advantage of the Coronavirus hysteria by distributing Remcos RAT and malware payloads on targets’ computers. Operating under a phishing campaign, the criminals disguise the malicious file under a PDF that promises Coronavirus safety measures.

Cybaze/Yoroi ZLAb initially discovered the suspicious file after it entered the company’s file analysis service. Research by the security team has revealed that the executable file is an obfuscated Remcos RAT dropper that runs together with a VBS file executing the malware.

According to BleepingComputer, “The malware will also gain persistence on the infected device by adding a Startup Registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce which allows it to restart itself after the computer is restarted”

After the malware is set up, it captures the victim’s keystrokes and logs them in a log.dat file in a temporary local \onedriv folder.



Other threat actors have conducted similar attacks, such as the  Coronavirus-themed Microsoft Office document discovered by the MalwareHunterTeam. The Office document contains malicious macros that drop a backdoor into a victim’s computer. The backdoor allows the attacker to keylog the victim and take screenshots on his or her behalf.



Read more here

Microsoft Releases Patch for CVE-2020-0688 Remote Code Execution Vulnerability

Last week, Microsoft released a patch for a remote code execution vulnerability for all versions of its Microsoft Exchange server. The vulnerability affects the Exchange Control Panel (ECP) component of the Exchange servers. Until the most recent patch, all exchange servers provided the same validation key and algorithm in their web.config files.

This vulnerability allows a malicious actor to send a specially crafted payload to the server and have it execute an embedded command. Due to this flaw, one could use the same validation key and algorithm to craft a serialized __VIEWSTATE request-parameter with an integrated command as well as a valid key to execute code as SYSTEM. Researchers quickly produced proof of concept (POC) exploits for the vulnerability and posted them onto Github.



According to TrustedSec, the following pages are vulnerable to the attack:

  • /ecp/default.aspx

  • /ecp/PersonalSettings/HomePage.aspx

  • /ecp/PersonalSettings/HomePage.aspx4E

  • /ecp/Organize/AutomaticReplies.slab

  • /ecp/RulesEditor/InboxRules.slab

  • /ecp/Organize/DeliveryReports.slab

  • /ecp/MyGroups/PersonalGroups.aspx

  • /ecp/MyGroups/ViewDistributionGroup.aspx

  • /ecp/Customize/Messaging.aspx

  • /ecp/Customize/General.aspx

  • /ecp/Customize/Calendar.aspx

  • /ecp/Customize/SentItems.aspx

  • /ecp/PersonalSettings/Password.aspx

  • /ecp/SMS/TextMessaging.slab

  • /ecp/TroubleShooting/MobileDevices.slab

  • /ecp/Customize/Regional.aspx

  • /ecp/MyGroups/SearchAllGroups.slab

  • /ecp/Security/BlockOrAllow.aspx

Indicators of compromise and more can be found here

New Gmail Scanning Capabilities Block Over 99.9% of Threats

Last week, Google announced that the updated scanning capabilities within Gmail have been able to detect and block more than 99.9% of threats that target Gmail users. In total, the malware scanner processes over 300 billion attachments every week.

Google published a report, providing numerous statistics about the scanner. The company states that 63 percent of the malicious documents the scanner blocks differ from day to day, and malicious documents account for 58 percent of the malware targeting Gmail users.



Google’s new scanner uses a deep-learning model trained with TFX (TensorFlow Extended) alongside a custom-developed document analyzer. The technique parses documents, identifies common attack patterns, extract macros, and conducts many other actions.



Google states that it will expand the utilization of artificial intelligence to stay ahead of attacks and further analyze malicious files.

Get more information here

Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years

Chaitin Tech, a Chinese cybersecurity firm, has discovered a vulnerability that affects all Apache Tomcat versions from the last 13 years.

The weaknesses lie in AJP, which is the Apache JServ Protocol used to exchange data with nearby Apache HTTPD web servers or Tomcat instances. The vulnerability allows an attacker to read “app configuration files and steal passwords or API tokens. Additionally, it opens the ability to write files to a server, such as backdoors or web shells. However, the Ghostcat “write” attack is only possible if any app hosted on the Tomcat server allows users to upload files.

The vulnerability affects all 6.x, 7.x, 8.x, and 9.x Tomcat versions. Patches are available for Tomcat 7,8, and 9, but not the 6.x version (which reached its end of life in 2016). Chaitin Tech released an update to its XRAY Tool, providing the functionality to scan networks for vulnerable Tomcat servers.

The vulnerability, CVE-2020-1938, already has multiple proof-of-concept attacks [12345] (ZDNet) open for anyone to use. We recommend that organizations and individuals update their Tomcat servers as soon as possible.

Read more here

New Strain of Cerberus Android Banking Trojan Can Steal Google Authenticator Codes

Researchers at ThreatFabric are warning about a new strain of Android Malware that steals one-time passcodes (OTP) generated through Google Authenticator. The malware-as-a-service organization, Cerberus, has implemented features within its RAT to allow its operators full control over infected devices.

According to SecurityAffairs, the malware can conduct the following actions:

  • taking screenshots

  • recording audio

  • recording keylogs

  • sending, receiving, and deleting SMSes,

  • stealing contact lists

  • forwarding calls

  • collecting device information

  • Tracking device location

  • stealing account credentials,

  • disabling Play Protect

  • downloading additional apps and payloads

  • removing apps from the infected device

  • pushing notifications

  • locking device’s screen

report published by ThreatFabric explains that the malware abuses accessibility privileges, usually grabs content, and then sends that content to a malicious C2 server. As always, the best method to limit a malware infection like this is to practice proper cybersecurity hygiene.

Read more here

Leave a Reply

Your email address will not be published. Required fields are marked *