Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On August 18, 2016

August 17, SecurityWeek – (International) Backdoor abuses TeamViewer to spy on victims. Dr. Web security researchers discovered a backdoor trojan, dubbed BackDoor.TeamViewrENT.1 and distributed under the name “Spy-Agent,” that installs legitimate TeamViewer components on a compromised device to spy on victims in the U.S., Europe, and Russia, steal victims’ personal information, and install other malicious programs on the device. Researchers found that the trojan disables error messaging for the TeamViewer process, changes the attributes of its own files and the TeamViewer files to “system,” “hidden,” and “read only,” and kills the TeamViewer process if Microsoft Windows Task Manager or Process Explorer is detected, in order to hide its presence on an infected device. Source

August 17, SecurityWeek – (International) User data leaked from analytics company Social Blade. Social Blade, a data provider for YouTube, Twitch, and Instagram accounts, confirmed that its Website and forum were hacked in August after LeakedSource researchers discovered that the details of 13,009 of the forum’s users and 273,806 of the Website’s users were leaked, including email addresses, usernames, password hashes, and Internet Protocol (IP) addresses, among other information, after a malicious actor obtained a partial database dump by exploiting a vulnerability in the forum software. Social Blade reset all user passwords and shut down its forum. Source

August 16, Softpedia – (International) Chrome and Firefox affected by simple URL spoofing bug that facilitates phishing. A security researcher discovered a flaw affecting security features in Google Chrome and Mozilla Firefox that can be exploited to spoof Uniform Resource Locators (URLs) in the browser address bar, after finding that the Web browsers handle URLs written with mixed right-to-left (RTL) (Arabic) and left-to-right (LTR) (Roman) characters incorrectly, which confuses the browsers and causes them to swap parts of the URL, thereby tricking the user into thinking they are accessing a different Website than the one they are on. The researcher stated that a hacker running a phishing site can add a few Arabic characters onto a server’s Internet Protocol (IP) address so that it displays as the domain of a legitimate Website, and embed this URL in a spam email, short message service (SMS), or instant messaging (IM) message in order to redirect a user to the malicious actor’s server. Source
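Because the spoof relies on RTL and LTR characters being mixed inside one URL, a mail or URL filter can flag that mixing before a link reaches a user. The following detection check is an added example for this digest, not code from the article or from the researcher; the function names and the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Unicode explicit bidi controls (marks, embeddings, overrides, isolates).
# Their presence in a URL is suspicious on its own.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                   # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",     # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",               # LRI, RLI, FSI, PDI
}

# Bidi classes that render right-to-left: R (Hebrew etc.), AL (Arabic
# letters), AN (Arabic-Indic digits).
RTL_CLASSES = {"R", "AL", "AN"}


def bidi_classes(text):
    """Return the set of Unicode bidirectional classes present in text."""
    return {unicodedata.bidirectional(ch) for ch in text}


def rtl_mixing_risk(url):
    """Report why a URL could be misrendered in an address bar.

    Each URL component (host, path, query) is checked for explicit bidi
    control characters and for a mix of RTL and LTR characters, which is
    the condition the spoof described above depends on.  Returns a list of
    reasons; an empty list means nothing suspicious was found.
    """
    reasons = []
    parts = urlsplit(url)
    components = (
        ("host", parts.hostname or ""),
        ("path", parts.path),
        ("query", parts.query),
    )
    for name, component in components:
        if any(ch in BIDI_CONTROLS for ch in component):
            reasons.append(f"bidi control character in {name}")
        classes = bidi_classes(component)
        has_rtl = bool(classes & RTL_CLASSES)
        has_ltr = "L" in classes
        if has_rtl and has_ltr:
            reasons.append(f"mixed RTL and LTR characters in {name}")
        elif has_rtl and name == "host":
            reasons.append("RTL characters in host")
    return reasons
```

A plain dotted-quad URL with an ASCII path returns no reasons, while an IP-based URL whose path carries Arabic letters followed by a Latin domain name is reported as mixed.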

August 16, SecurityWeek – (International) Vawtrak banking trojan uses SSL pinning, DGA. Fidelis security researchers discovered that a new version of the Vawtrak banking trojan includes a domain generation algorithm (DGA) that generates .ru domains using a pseudorandom number generator (PRNG) in the trojan’s loader, uses Hypertext Transfer Protocol Secure (HTTPS) to protect command and control (C&C) communications, and leverages certificate pinning, or secure sockets layer (SSL) pinning, which helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications. Researchers stated the trojan conducts checks based on the Common Name to identify the domain names associated with the certificate, and uses a public key from the initial inject carried out by the malware loader in order to ensure that no other certificates are accepted. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.