Hackers using fake Swift emails to deploy Adwind RAT, steal bank credentials in new phishing scam

Hackers are using malicious emails disguised as important Swift messages to spread the cross-platform remote access trojan (RAT) Adwind. According to Comodo Group's Threat Research Lab, the spam messages claim to contain important information regarding a "wire bank transfer to your designated bank account" from the Swift network, the global banking industry's payments messaging system. The phishing email prompts users to review an attached document to check the details and make sure there are no discrepancies regarding the transfer. The seemingly secure document, however, actually contains the Adwind malware that is capable of exfiltrating data from the infected computer, modifying the system registry and more. Comodo researchers note that using phony Swift emails is particularly effective given that money and bank account affairs often trigger an emotional response from people. Using such lures significantly raises the possibility of recipients falling for the malicious bait and clicking through, they noted.


Hackers now exploiting Word documents to display 'innocent' videos that secretly mine cryptocurrency

Hackers have been found exploiting Microsoft Word documents to deliver cryptojacking scripts to hijack victims' computers and secretly mine cryptocurrency. Security researchers at Israel-based Votiro said the attack abuses Microsoft Word's Online Video feature that allows users to insert remote videos directly into documents without having to embed them or provide a link to a third-party service.Due to insufficient sanitisation, threat actors have been using this new feature to insert cryptojacking scripts that silently exhaust a victim's CPU and mine Monero coins in the background while the video plays. One of the recent concerns in the Internet realm is the threat of cryptocurrency mining via the browser. As these attacks are usually JavaScript based, they are easy and quick to implement. The Internet Explorer frame fits perfectly for this scenario, as users can be tricked into watching an 'innocent' video while, in the background, their CPU is being exhausted - Deceptively simple 12-minute video on cryptocurrency was able to hijack 99% of the victim's CPU for cryptomining.

uTorrent Bug Allows Malicious Webpages to Control the Software

A Google security researcher has uncovered a bug in uTorrent that can let a hacker hijack the software to deliver malware. The problem mainly affects uTorrent Web, the newer version of the popular BitTorrent client, which contains a serious remote code execution bug, according to Google researcher Tavis Ormandy. He discovered a flaw in the way uTorrent communicates data and stores an authentication token. A webpage loaded over a browser could be rigged to steal the token, and gain complete control over the uTorrent service. Once you have the secret, you can just change the directory torrents are saved to, and then download any file anywhere. It doesn't help that by default uTorrent Web is configured to automatically run on startup. With control over the client, a webpage's owner could direct the software to download a piece of malware. The malware can then be delivered into a Windows PC's startup folder, which will load the program on the next boot up. All that's needed is to trick a victim into visiting the malicious website.

Tinder security flaw granted account access with just a phone number

Security researchers at Appsecure found a way to access anyone's Tinder account via their phone number. The exploit took advantage of a software flaw in both the dating app's login process as well as the Facebook API that it's based on. The issues have been fixed since but represent a pretty big security lapse. Both the vulnerabilities were fixed by Tinder and Facebook quickly. When you are logging into Tinder, you have the option of using your phone number, which is then passed along to Facebook's Account Kit for authentication to Tinder. The Appsecure folks found that they could get a valid access token with an API request to Facebook's Account Kit using a phone number. In addition, Tinder's login system wasn't checking these access tokens to make sure they matched the associated user's client ID, which means that any valid access token could let someone log in to your Tinder account.

MacOS Trojan First Detected in 2016 Continues to Bypass AV Engines

Despite being shared online over two years ago, most of the AV engines are unable to detect Coldroot RAT, a Mac malware. The trojan was first uploaded on GitHub back in 2016 as a joke to “play with Mac users,” and now works on all three major desktop operating systems. This Mac malware can silently and remotely control a vulnerable computer. However, AV firms are yet to notice it. While Coldroot had started as a joke, it has since been optimized and is currently in active distribution. The new and improved Mac malware was discovered in a fake Apple audio driver and can take screen captures, start and end processes, start a remote desktop session, search and upload new files, and remotely shut down the operating system. Hiding as a document, the malware demands admin access, after which it will silently install and contact its command and control server for further instructions. It remains unclear if this is the same thing that was uploaded on GitHub in 2016 or someone else has picked up the code and modified it with more features. However, the new Coldroot RAT still includes the contact details of its initial author potentially to leave false flags behind.

Windows 10 bug let malware bypass security scans using a null character

A bug in the Anti-Malware Scan Interface in Windows 10 could allow malware to go undetected in scans if the code contained a null character. Introduced with Windows 10, the Anti-Malware Scan Interface (AMSI) is a security apparatus that acts as a go-between for applications and your anti-virus. It allows applications to check if the files they're using are safe by sending them to be checked by the anti-virus. One of the most important roles of AMSI is to check executable files on start-up and to scan further resources that may be opened by an application after start-up. It's essentially useful given a growing trend among malicious actors to circumvent the traditional signature-based anti-virus engines by masquerading their attacks through the use of PowerShell scripts running on otherwise legitimate applications.

Cyber Security training from QA

QA have uniquely positioned themselves to help solve the Cyber skills gap from our CyberFirst and Cyber Apprenticeship programmes and Cyber Academies to Cyber Challenges, Training and Certifications and Consultancy for Cyber Security.

They offer end-to-end Cyber training and certifications from Cyber Awareness to deep dive Cyber Programmes and solutions; from Cyber Investigations, Cyber Crisis Management, Proactive Security to Offensive Defence. QA only employ world leading Cyber trainers who have the expertise to deliver bespoke Cyber solutions, GCHQ accredited courses and proudly the CyberFirst programme. This is all to support in tackling the UK's National Cyber Security skills shortage.

QA also have state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent & combat breaches without risking their own network.

Take a look at QA's CyberLabs

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Useful links

Cyber Pulse: Edition 1

Cyber Pulse: Edition 2