Cyber Security Training from QA

Cyber Pulse: Edition 14

Read the latest edition of Cyber Pulse, our roundup of Cyber news.

11 May 2018

TreasureHunter source code leaked for the masses to pillage PoS systems

The source code for the TreasureHunter point-of-sale (PoS) malware has been leaked online and may result in a fresh wave of attacks against retailers. The code, discovered and confirmed by Flashpoint researchers, has been released to the public through a Russian-speaking online forum. The same threat actor has also leaked the malware's GPU builder and administrator panel, which when compiled, offers those without specialized knowledge the opportunity to wreak havoc on target PoS systems. PoS malware, often small in size, is designed in order to target systems used in sales, including retail terminals. Once infected, malicious code will often covertly steal data -- such as credit card numbers -- and send this information to a command-and-control (C&C) server under an attacker's control. This stolen information may then be used to create clone cards and customer records stolen from PoS terminals may also be sold on for the purposes of identity theft. In the cases of Target and Home Depot, for example, millions of customer records were stolen, costing both companies millions of dollars in damages alone. The malware family has been on the radar since 2014. The original developer appears to be a Russian speaker with proficiency in the English language who developed TreasureHunter for the underground dump seller BearsInc. According to a FireEye investigation, the malware is the work of a threat actor dubbed Jolly Roger. TreasureHunter is a typical PoS malware variant. The malware targets Windows-based servers and PoS terminals, and once infected and executed, creates a registry which launches the malware at startup. The malicious code then scans PoS devices for track data and credit card information. These records are then collected and sent to a C&C server. It is not known why the source code has been leaked.

ZooPark Android Malware Tracks all Your Phone Activities

A malware can spy on nearly every Android smartphone function and steal passwords, photos, video, screenshots and data from WhatsApp, Telegram and other apps, Kaspersky Lab says. 'ZooPark' is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind the operation infect Android devices using several generations of malware, with the attackers including new features in each iteration. Security researchers at Kaspersky Lab label them from v1-v4, with v4 being the most recent version deployed in 2017. From the technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, the commercial spyware fork in its third version and then to the complex spyware that is version 4. This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

Hide and Seek Becomes First IoT Botnet Capable of Surviving Device Reboots

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains. Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot. The malware strain that achieved something that even the Mirai strain couldn't is called Hide and Seek (HNS) —also spelled Hide 'N Seek.

Gandcrab Ransomware Walks its Way onto Compromised Sites

Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. While we've seen cryptocurrency miners overtake ransomware as the most popular malware on the threat landscape, Gandcrab is proof that ransomware can still strike at any time. While investigating a recent spam campaign Talos found a series of compromised websites that were being used to deliver Gandcrab. This malware is the latest in a long line of examples of why stopping malware distribution is a problem, and shows why securing websites is both an arduous and necessary task. As a clear example of how challenging resolving these issues can be, one of the sites — despite being shut down briefly — was seen serving Gandcrab not once, but twice, over a few days.

Windows CLI Apps Vulnerable to New Ctrl-Inject Process Injection Attack

Rotem Kerner, a security researcher with enSilo, has discovered a new process injection technique that can be abused by malicious actors to hide malware inside Windows-based CLI applications. The technique, named Ctrl-Inject, abuses the Windows "CtrlRoutine" function, used by command-line applications to assure keyboard-based interfacing between the user and the app. In a technical write-up published yesterday, Kerner described a way that a malicious actor could abuse this function to spawn malicious threads inside a legitimate CLI app's process and run malicious code. The main advantage of this technique over classic thread injection technique is that the remote thread is created by a trusted windows process, csrss.exe, which makes it much stealthier. Apps that could be abused via Ctrl-Inject include cmd.exe or powershell.exe, both standard applications on most Windows versions. Under normal circumstances, tampering with these apps' processes wouldn't be possible because of two Windows security protections such as Control Flow Guard and pointer encoding.

Internet Explorer hid a zero-day vulnerability

A zero-day vulnerability in Microsoft's Internet Explorer used to carry out targeted attacks by cybercriminals was discovered by security experts at Kaspersky Lab in late April. The firm originally detected a previously unknown exploit which after analysis turned out to be utilising the zero-day vulnerability CVE-2018-8174 for Internet Explorer. The cybercriminals utilising the exploit managed to download it into a Microsoft Word Document and this was the first known case of such a technique being employed. They were even able to successfully exploit a fully patched version of Microsoft Word. Upon deeper analysis of the exploit used by attackers, Kaspersky Lab revealed that the infection chain began with a victim receiving a malicious RTF Microsoft Office Document. Once the user opened the document, the second stage of the exploit, an HTML page with malicious code, was downloaded on their system. The code on the HTML page then triggered a memory corruption use-after-free (UAF) bug and finally the shellcode that downloads malicious payloads was executed.

Win32k Elevation of Privilege Vulnerability

Zero-day vulnerability (CVE-2018-8120) patched this month is a privilege-escalation flaw that occurred in the Win32k component of Windows when it fails to properly handle objects in computer memory. Successful exploitation of the flaw can allow attackers to execute arbitrary code in kernel mode, eventually allowing them to install programs or malware; view, edit or delete data; or create new accounts with full user rights. The vulnerability is rated "important," and only affects Windows 7, Windows Server 2008 and Windows Server 2008 R2. The issue has actively been exploited by threat actors, but Microsoft did not provide any detail about the in-the-wild exploits.

New Rowhammer Attack Can Hijack Computers Remotely Over the Network

Dubbed ‘Throwhammer,’ the newly discovered technique could allow attackers to launch Rowhammer attack on the targeted systems just by sending specially crafted packets to the vulnerable network cards over the local area network. Rowhammer is a severe issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, allowing anyone to change the contents of computer memory. Security researchers detailed a proof-of-concept Rowhammer attack technique, dubbed GLitch, that leverages embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices. However, all previously known Rowhammer attack techniques required privilege escalation on a target device, meaning attackers had to execute code on targeted machines either by luring victims to a malicious website or by tricking them into installing a malicious app. Researchers have now found that sending malicious packets over LAN can trigger the Rowhammer attack on systems running Ethernet network cards equipped with Remote Direct Memory Access (RDMA), which is commonly used in clouds and data centers. Since RDMA-enabled network cards allow computers in a network to exchange data (with read and write privileges) in the main memory, abusing it to access host’s memory in rapid succession can trigger bit flips on DRAM.


Visit for more information on how they can help solve the Cyber Security skills gap.


Useful links

Cyber Pulse: Edition 13

Cyber Pulse: Edition 12

Cyber Pulse: Edition 11

Cyber Pulse: Edition 10

Cyber Pulse: Edition 9

Cyber Pulse: Edition 8

Cyber Pulse: Edition 7

Cyber Pulse: Edition 6

Cyber Pulse: Edition 5

Cyber Pulse: Edition 4

Cyber Pulse: Edition 3

Cyber Pulse: Edition 2

Cyber Pulse: Edition 1


Edited and compiled by


James Aguilan

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigations workshops. In the past, James worked as a Data Consultant where he advised high profiling clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest Merger between two US Powerhouse Conglomerate, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant where he would Respond to Incidents and Perform Full Forensic Investigations. James holds a first-class honour in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.