Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application supposedly helps in the piracy of various Adobe programs. In this case, attackers used a fake Adobe Zii software that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by MalwareBytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named, that appears to be a version of Adobe Zii, most likely to appear as a harmless application. 

The Python script looks for the presence of Little Snitch, a commonly-used outgoing firewall, and halt the infection process if it is present.

Then the script opens a connection to an EmPyre backend that send arbitrary commands to a compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 

The analysis of the code revealed another interesting feature, the code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis,

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

The post A new Mac malware combines a backdoor and a crypto-miner appeared first on Security Affairs.

The British teenager George Duke-Cohan (19) has been sentenced to three years in prison due to false bomb threats and carrying out DDoS attacks.A

Cohan was arrested in August by the U.K. National Crime Agency (NCA), the teenager, aka “7R1D3N7,” “DoubleParallax” and “optcz1,” was arrested on August 31 and pleaded guilty to three counts of making hoax bomb threats.

According to the investigator, the young man is the leader of the Apophis Squad, which is the hacking group that sent bomb threats to thousands of schools in the United Kingdom and the United States.

The group is also known for launching massive DDoS attacks against encrypted email provider ProtonMail, the popular investigator Brian Krebs, the DEF CON hacking conference, and government agencies worldwide.

The team was offering a DDoS-for-hire service that has many similarities with the booter implemented by the popular Lizard Squad hacking crew.

He has admitted making bomb threats to thousands of schools and a United Airlines flight traveling from the UK to San Francisco in August. in many cases resulting in evacuations. 
The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

Cohan has now been sentenced to one year in prison for the bomb hoaxes targeting schools, and two years for the airport attack.

Unfortunately for the British youngster, he will face additional charges in the United States, even if the indictment has yet to be announced.

Before sentencing, the judge noted that Duke-Cohan’s early guilty pleas, his age, no prior criminal record and, to a limited extent, his “functioning deficiencies which have contributed to a diagnosis of autism,” were taken into consideration. However, these mitigating factors only helped his case to a certain degree.

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow.” said Judge Richard Foster

“You were playing a cat-and-mouse game with the authorities. You were playing a game for your own perverted sense of fun in full knowledge of the consequences.”

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” Judge Richard Foster said, quoted by the Daily Mail. “What you did was far removed from anything that could be described as naivety or a cry for help from a sick person.”

Pierluigi Paganini

(Security Affairs – cybercrime, DDoS)

The post Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS appeared first on Security Affairs.

The website was defaced last week via DNS hijack, attackers breached into associated registrar account and changed the DNS settings.

Attackers changed the defacement page a few times, they protested against the new Linux kernel developer code of conduct in a regrettable way with 
racial slurs and the image of an individual showing the anus.

The defacement page also includes links and a Twitter account (@kitlol5) believed to be under the control of the attacker.

The person who was operating the Twitter account posted a screenshot showing that they had access to the Network Solutions account of Michelle McLagan, who evidently owns, and modified the DNS settings.

“This evening someone got into my partner’s netsol account and pointed DNS to their own cloudflare account. The production env (web / db) wasn’t touched. DNS was simply pointing to another box.” 
one of the admins
wrote on Reddit.

“She’s working with netsol to prove ownership, etc.. and we’re hoping things will be cleared up in the morning.”

The hacker did not access the servers hosting and user data were not compromised.

How to prevent this kind of incident?

Administrators should enable multi-factor authentication (MFA) for their account.

“I think it was a combination of public whois info and no MFA that lead to this,” added the admin.

“There’s always one thing – they found the weakest link and exploited it.”

After the incident, admins have enabled MFA on all accounts.

Pierluigi Paganini

(Security Affairs – DNS hijack, hacking)

The post Hackers defaced with DNS hijack appeared first on Security Affairs.

Experts from security firm Wordfence discovered a Botnet of 20,000 WordPress Sites Infecting other WordPress installs.

Experts from security firm Wordfence uncovered a botnet composed of over 20,000 WordPress sites that is being used to compromise other websites running on the popular CMS and recruit them.  

“The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru.” reads the analysis published by WordFence.

“They use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites.”

The botnet is used by attackers to carry out brute force attacks against other WordPress sites, according to Wordfence Defiant Threat Intelligence team, the botnet has already generated over 5 million authentication requests. The botnet attempts XML-RPC authentication to other WordPress sites in order to access privileged accounts.

The XML-RPC interface allows users to remotely post content to a WordPress site using the WordPress or other APIs, it is located in the root directory of a WordPress install at the xmlrpc.php file.

Unfortunately, the XML-RPC interface doesn’t implement a rate limiting on the number of API requests that it is possible to submit, a gift for brute-force attackers. 

A close look at the malicious infrastructure allowed the experts to discover that hackers used four command and control servers that issue commands to the bots through proxy servers at the Russian service.  Experts identified over 14,000 proxy servers used by the botmaster to anonymize the traffic.

Once a WordPress site is compromised it will start carrying out brute force attacks against the XML-RPC interface of other websites. 

“We also noted that the User-Agent strings associated with these requests matched those used by applications commonly seen interacting with the XML-RPC interface, like wp-iphone and wp-android,” continues the analysis.

“Since these applications typically store credentials locally, it was unusual to see a significant amount of failed logins from them, which drew our attention. We identified over 20,000 WordPress slave sites that were attacking other WordPress sites.”

Brute force scripts used by the attackers accept POST input from the C2 servers, the request includes domains to target and word lists to use when performing the brute force attacks.

It is also possible to use new wordlists by providing URL to the script.

Wordfence reported its discovery to the authorities and is helping them to dismantle the WordPress botnet.

Pierluigi Paganini

(Security Affairs –WordPress Botnet, hacking)

The post WordPress botnet composed of +20k installs targets other sites appeared first on Security Affairs.

STOLEN PENCIL campaign – North Korea-linked APT group has been targeting academic institutions since at least May of this year.

North Korea-linked threat actors are targeting academic institutions with spear phishing attacks. The phishing messages include a link to a website where a decoy document that attempts to trick users into installing a malicious Google Chrome extension. 
Many of the victims of this campaign, tracked as STOLEN PENCIL, were at multiple universities had expertise in biomedical engineering. 

Attackers ensure persistence using off-the-shelf tools, but according to NetScout they had poor OPSEC (i.e. Korean keyboards, open web browsers in Korean, English-to-Korean translators).

“The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension.” reads the analysis published by the experts.

“Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.”

Threat actors used many basic phishing pages, the more sophisticated of them targeted academia display a benign PDF in an IFRAME and redirected users to a “Font Manager” extension from the Chrome Web Store.

The malicious extension loads JavaScript from a separate site, experts only found a file containing legitimate jQuery code, likely because the threat actors replaced the malicious code to make hard the analysis. The malicious extension allows the attacker to read data from all the websites accessed by the victim, a circumstance that suggests attackers were looking to steal browser cookies and passwords. 

Experts pointed out that the attackers did not use a malware to compromise the targets, the STOLEN PENCIL attackers employed RDP to access the compromised systems, researchers observed remote access occurring daily from 06:00 to 09:00 UTC (01:00-04:00 EST).

STOLEN PENCIL attackers also used a compromised or stolen certificate to sign several PE files used in the campaign. The researchers observed two signed sets of tools, dubbed MECHANICAL and GREASE. The former logs keystrokes and replaces an Ethereum wallet address with the attackers’ ones, the latter adds a Windows administrator account to the system and would also enable RDP.

The security researchers also discovered a ZIP archive containing tools for port scanning, memory and password dumping, and other hacking activities. The list of the tools include KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.

The STOLEN PENCIL campaign likely represents only a small set of the threat actor’s activity. The use of basic techniques, off-the-shelf programs, the aforementioned cryptojacker, and the use of Korean language suggests the actor is of North Korean origin, the security researchers say. 

“While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity. Their techniques are relatively basic, and much of their toolset consists of off-the-shelf programs and living off the land. ” NetScout concludes. 

“This, along with the presence of the cryptojacker, is typical of DPRK tradecraft.  Additionally, the operators’ poor OPSEC exposes their Korean language, in both viewed websites and keyboard selections.” 

Pierluigi Paganini

(Security Affairs – STOLEN PENCIL, hacking)

The post STOLEN PENCIL campaign, hackers target academic institutions. appeared first on Security Affairs.

Europol announced the arrest of 168 people under the 
European Money Mule Action ‘EMMA 4′, a massive operation that resulted in the identification of 1,504 money mules. 

Europol announced that 168 people have been arrested under the ‘EMMA 4’, an international operation conducted by law enforcement. EMMA 4 lasted from September to November 2018. Law enforcement in 30 states identified 140 money mule organizers. 

Europol opened 837 criminal investigations, many of which are still ongoing, law enforcement arrested people in 20 states, 
The operation sees the participation of Europol, Eurojust, the European Banking Federation, and law enforcement from Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Greece, Germany, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Spain, Sweden, Australia, Moldova, Norway, Switzerland, the United Kingdom and the United States.

The operation aimed at dismantling money laundering activities, in particular tackling ‘money mules’ rings that have e crucial role in the criminal activity. Global and European banks provided an essential support to the EMMA 4, Europol reported the participation of over 300 banks, 20 bank associations, and other financial institutions. The financial organization helped reporting 26,376 fraudulent money mule transactions, preventing a total loss of €36.1 million ($41.1 million). 

Money mules are essential for cash out of criminal activities and transfer stolen funds between accounts used to launder the money.

“Money mules are individuals who, often unwittingly, have been recruited by criminal organisations as money laundering agents to hide the origin of ill-gotten money.” reads the press release published by Europol.

“Tricked by the promise of easy money, mules transfer stolen funds between accounts, often in different States, on behalf of others and are usually offered a share of the funds that pass through their own accounts.”

Criminal organizations use to choose money moles among newcomers to a country or people who are unemployed or in economic distress. Unfortunately, the number of young people recruited as money mules is increasing, criminals are reaching them through social media, advertisement of fake jobs or get-rich-quick posts.

Youngsters have no perception of the crime they are carrying out transferring funds from an account to another.

“To raise awareness of this type of fraud, the money muling awareness campaign #DontBeAMule kicks off today across Europe. With awareness-raising material, available for download in 25 languages, the campaign will inform the public about how these criminals operate, how they can protect themselves and what to do if they become a victim.” concludes the press release.

“For the next week, international partners from law enforcement and judicial authorities, together with financial institutions, will be supporting the campaign at national level.”

Pierluigi Paganini

(Security Affairs –money mules, EMMA 4)

The post Europol identified 1504 money mules under EMMA 4 operation appeared first on Security Affairs.

Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater Infection Chain observed in a last wave of cyber attacks.


At the end of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as “MuddyWater“: their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emails containing blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware.

Figure 1. Malicious document

According to the analysis of ClearSky Research Team and TrendMicro researchers, at the end of November, MuddyWater group hit Lebanon and Oman institutions and after a few days Turkish entities. The attack vector and the final payload of were the same: the usual macro-embedded document and the POWERSTAT backdoor respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.

Technical Analysis

When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before the execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

Figure 4. Creation of the hidden document

The macro placed into the new Excel downloads powershell code from an URL apparently referencing a PNG image file “http://pazazta[.]com/app/icon.png”. The downloaded payload is able to create three new local files:

  • C:WindowsTemptemp.jpg, containing Javascript code;
  • C:WindowsTempWindows.vbe, containing an encoded Visual Basic script;
  • C:ProgramDataMicrosoft.db, containing the encrypted final payload.
Figure 5. Downloaded Powershell code

As shown in the above figure, the first file to be executed is “Windows.vbe” which simply run the Javascript code contained into temp.jpg, using the CSCRIPT engine. After its decryption, it is possible to notice the JS purpose: delay the execution of another powershell payload.

Figure 6. Javascript code within “temp.jpg”

In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met, otherwise it keeps re-executing itself. The “ss” variable stores the past seconds since 1 January 1970 00:00:00.

The final stage consists in the execution of the POWERSTATS backdoor contained into the “Microsoft.db” file. The backdoor contacts a couple of domain names: “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, each one pointing to the same ip address (EU-LINODE-20141229 US).

Figure 7. POWERSTAT beaconing requests

One executed, the POWERSTAT malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind request performed by the malicious implant, during the analysis the following values have been observed:

  • info: used in POST request to send info about the victim;
  • live: used in POST request as ping mechanism;
  • cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
  • res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identify the victim machine and it is calculated using the local system info, despite the sample analyzed by TrendMicro which uses only the hard drive serial number.  This identifier is also used to create a file into the “C:ProgramData” folder, used to store temporary information.

Figure 9. Victim id creation

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor, identifying the functionalities supported by a malicious implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64 PowerShell script;
  • muddy: the malware creates a new encrypted file in “C:\ProgramDataLSASS” containing a powershell script and runs it.
Figure 10. Deobfuscated POWERSTATS code snippet


The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple and known techniques such as redundant registry keys within the “MicrosoftWindowsCurrentVerisonRun” location:

Figure 11. Registry key based persistence mechanism

And the creation of a scheduled task named “MicrosoftEdge”, started every day at 12 o’clock.

Figure 12. Scheduled task installed by the malware


This last campaign of the Iranian ATP group “MuddyWater“ shows a clear example of how hacking groups can leverage system’s tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverage macro-embedded document as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.

Figure 13.  MuddyWaters’ Infection chain 

Technical details, including Indicator of compromise and Yara rules are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(Security Affairs – MuddyWater, APT)

The post Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain appeared first on Security Affairs.

According to a report published by the Reuters, the massive Marriott data breach was carried out by Chinese state-sponsored hackers.

According to the Reuters, people investigating the Marriot data breach believe that it is the result of a cyberattack carried out by Chinese hackers.

Last week Marriott International announced that hackers compromised guest reservation database at its subsidiary Starwood hotels and stolen personal details of about 500 million guests.

Sources quoted by the media agency revealed that the attack was carried out by the Chinese intelligence to gather information.

“Hackers behind a massive breach at hotel group Marriott International Inc left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter.” reads the article published by the Reuters.

“Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company’s private probe into the attack.”

The attribution of the Marriott data breach is based on the analysis of tactics, techniques, and procedures (TTPs) that were previously associated with Chinese APT groups.

In particular, Reuters’ sources admitted that some of the tools were exclusively used by Chinese attackers. The attribution is also difficult because the security breach occurred back in 2014, this means that since then other threat actors may have had access to the Starwood systems.

The relations between China and US are even more complicated, US Government accused in many circumstances Beijing of cyber espionage against Western entities.

Chinese authorities denied any involvement in the alleged cyber espionage operations.

“China firmly opposes all forms of cyber attack and cracks down on them in accordance with law,” Chinese Ministry of Foreign Affairs spokesman Geng Shuang told Reuters.”If offered evidence, the relevant Chinese departments will carry out investigations according to law.”

Starwood Data Breach

Marriott International has bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, hackers accessed to the Starwood’s guest reservation system since 2014 and copied and encrypted the information.

The intrusion was detected on September 8 when a monitoring system found evidence regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, an investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

Unknown hackers accessed personal information of nearly 327 million guests, compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date.

Pierluigi Paganini

(Security Affairs – Marriot Data breach, hacking)

The post Evidence in Marriott’s subsidiary Starwood hack points out to China intel appeared first on Security Affairs.

Takuya Yoshida from Toyota’s InfoTechnology Center and his colleague Tsuyoshi Toyama are members of a Toyota team that developed the new tool, called PASTA (Portable Automotive Security Testbed).

PASTA is an open-source testing platform specifically designed for car hacking, it was developed to help experts to test cyber security features of modern vehicles.

At the BLACK HAT EUROPE 2018 held in London the duo presented the tool and confirmed that  Toyota plans to share the specifications on Github and will start selling the fully built system in Japan.

The PASTA car hacking tool is contained in an 8 kg portable briefcase, experts highlighted the delay of the automotive industry in developing cyber security for modern cars.

“The researchers integrated the tool with a driving simulator program, as well as with a model car to demonstrate some ways it can be used. PASTA also can be used for R&D purposes with real vehicles: that would allow a carmaker to test how a third party feature would affect the vehicle and its security, or reprogram firmware, for example.” reported DarkReading.


Source: Dark Reading

Giving a close look at pasta case, we can find four ECUs inside, as well as a console to run tests of the car system operation or to carry out attacks, for example injecting CAN messages.

“There was a delay in the development of cybersecurity in the automobile industry; [it’s] late,” explained Toyama.

Now automakers including Toyota are preparing for next-generation attacks, he said, but there remains a lack of security engineers that understand auto technology.

The tool allows researchers to test communications among components of the vehicle through CAN protocol as well as analyzed engine control units (ECUs) operate of the vehicles.

Watch out, the PASTA was not designed for hacking scenarios like the one presented by the security duo Charlie Miller and Chris Valasek in 2015 when they remotely hacked a Fiat Chrysler connected car.

PASTA implements a simulation for remote operation of vehicle components and features, including wheels, brakes, windows, and other car functionalities.

“It’s small and portable so users can study, research, and hack with it anywhere.” continues the expert.

PASTA supports connections to ODBII, RS232C ports, and a port for debugging or binary hacking.

“You can modify the programming of ECUs in C” as well, he said.

Among future improvements for PASTA there is the implementation of other connectivity features, including Ethernet, LIN, and CAN FD, Wi-Fi and of course Bluetooth.

You can download slides and the research paper from the following link:

• Download Presentation Slides
• Download White Paper

Pierluigi Paganini

(Security Affairs – car hacking, PASTA)

The post Toyota presented PASTA (Portable Automotive Security Testbed) Car-Hacking Tool appeared first on Security Affairs.

Ukraine is accusing Russian intelligence services of carrying out cyberattacks against one of its government organizations.

Ukraine’s security service SBU announced to have blocked a cyber attack launched by Russian intelligence aimed at breaching information and telecommunications systems used by the country’s judiciary.

Attackers launched a spear phishing attack using messages purporting to deliver accounting documents. The weaponized document included a strain of malware that was developed to disrupt the exfiltrate data and disrupt the Judiciary Systems.

Ukrainian government experts were able to determine the command and control (C&C) infrastructure that is using Russian IP addresses.

The attack was detected and neutralized thanks to the efforts of  result of collaboration between the State Service on Intellectual Property (SSIP) and the State Judicial Administration.

“Employees of the Security Service of Ukraine blocked the attempt of Russian special services to conduct a large-scale cyberattack on the information and telecommunication systems of the judiciary of Ukraine. Specialists of the SBU noted that the cyberattack began due to the sending by e-mail of counterfeit accounting documents infected by the virus.” reads the alert published by the SBU.

“After opening files on computers, malicious software for unauthorized interference with judicial information systems and theft of official information were hidden. Employees of the Security Service of Ukraine found that the detected virus program was connected from control-command servers that have, in particular, Russian IP addresses.”

In July, Ukraine ‘s SBU Security Service reportedly stopped VPNFilter attack at chlorine station, the malware infected the network equipment in the facility that supplies water treatment and sewage plants.

VPNFilter is a multi-stage, modular strain of malware that has a wide range of capabilities for both cyber espionage and sabotage purpose, it is originating from Russia.

Technical analysis of the code revealed many similarities with another nation-state malware, the BlackEnergy malware that was specifically designed to target ISC-SCADA systems and attributed to Russian threat actors. BlackEnergy is considered the key element in the attack aimed at Ukrainian power grid in 2015 and 2016, it was also involved in attacks against mining and railway systems in the country.

This week, Adobe released security updates for Flash Player that address two vulnerabilities, including a zero-day flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

Gigamon has also published a blog post describing the flaw and the attack, the experts pointed out that the decoy document in Russian language was submitted tVirusTotal from a Ukranian IP address. Qihoo 360 researchers observed the attack was launched just days after the Kerch Strait incident that occurred on November 25, when Russian Federal Security Service (FSB) border service coast guard boats fired upon and captured three Ukrainian Navy vessels that had attempted to pass from the Black Sea into the Sea of Azov through the Kerch Strait while on their way to the port of Mariupol.

Some of the injured crew members were taken to hospitals in Moscow and one of these hospitals could be the Polyclinic No. 2. Malicious documents involved in this attack were uploaded to VirusTotal from a Ukrainian IP address, which could indicate that Ukrainian cyberspies targeted the hospital to obtain information on the state of the crew members.

Pierluigi Paganini

(Security Affairs – Ukraine, Russia)

The post Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems appeared first on Security Affairs.