Skip to main content

J2 CSC June 9th Weekly Briefing

Cybersecurity is about monitoring, detection, prevention and doing the right thing at the right time, this update proves this mantra - Be Vigilant -Keep Safe!


“Cryakl” variant Causes Chaos

Last Updated: 2017-06-09 09:20:25
Created: 2017-06-09 09:20:25

A Recent attack focused on endpoint protection specifically in terms of alarms – none were received during this incident.

A new variant “Cryakl” utilising a BruteForce attack of local admin accounts whereby the incident focussing purely on windows RDP and file shares.

Its vector of attack is through compromised RDP. The attacker connects directly to the affected machine (usually a server) and runs it from there.


Necurs Botnet Fuels Massive Spam Campaigns Spreading Jaff Ransomware

Last Updated: 2017-06-08 21:38:21
Created: 2017-06-08 21:38:21

Starting on May 11, 2017, Flashpoint analysts observed several large spam campaigns originating from the Necurs botnet that aim to dupe recipients into opening malicious attachments that infect their computers with “Jaff” ransomware. These spam campaigns feature a multi-stage infection chain including a PDF file, a malicious Microsoft Office document, and finally, the Jaff ransomware loader. This same infection chain has been utilized in the past to infect computers with the Dridex banking Trojan and Jaff’s predecessor, Locky ransomware.



Last Updated: 2017-06-08 15:09:32
Created: 2017-06-08 15:09:32

The Trojan uses the Windows Management Instrumentation Command-line (WMIC) to start processes remotely on other Windows computers.



Last Updated: 2017-06-08 15:05:48
Created: 2017-06-08 15:05:48

The Trojan may perform a man-in-the-middle (MitM) attack on the browser installed on the compromised computer.


Privileges and Credentials: Phished at the Request of Counsel

Last Updated: 2017-06-07 01:07:17
Created: 2017-06-07 01:06:55

In May and June 2017, a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the macro-enabled Microsoft Excel (XLSM) documents. At least one observed phishing lure delivered a Cobalt Strike payload.


Turlas watering hole campaign: An updated Firefox extension abusing Instagram

Last Updated: 2017-06-06 20:42:35
Created: 2017-06-06 20:42:35

Some of the tactics used in APT attacks die hard. A good example is provided by Turla’s watering hole campaigns. Turla, which has been targeting governments, government officials and diplomats for years –is still using watering hole techniques to redirect potentially interesting victims to their Command and Control infrastructure. In fact, they have been using them since at least 2014 with very few variations in their modus operandi.


RIG sends Ramnit payloads via VBScript CVE-2016-0189

Last Updated: 2017-06-02 19:20:29
Created: 2017-06-02 19:20:29

RIG exploit kit sends Ramnit payloads via VBScript CVE-2016-0189. 


Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

Last Updated: 2017-06-02 16:37:21
Created: 2017-06-02 16:37:21
Author: AlienV

The “EternalBlue” exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.


Sophisticated Google Play BankBot Trojan campaigns

Last Updated: 2017-05-31 16:13:00
Created: 2017-05-31 16:13:00

Throughout 2015 and 2016, Android banking Trojans were primarily distributed outside the Google Play Store by using SMSishing, phishing e-mails and rogue websites, often dropping APKs related to Adobe Flash Player. The focus of the Android banking malware in Google Play is different from any other Android malware we have investigated. Usually, Android banking malware is spread with the goal to convince users to install it based on the top rated app name and icon such as 'Super Mario Run', 'Flash Player' or 'WhatsApp'. The approach of the Google Play campaigns is different: everything is designed to gain the trust of the user. Even a fake Facebook profile to pretend to be an actual company, aided in this process. After the installation, the application does not immediately show its true colours, in fact the malicious activities are postponed for a couple of minutes so users can for example first use the app to open funny videos or watch the latest news.



  • Hits: 1044