FortiGuard Labs Weekly Threat Update – Week of 25 October 2019

By Jeannette Jarvis | October 25, 2019

Each week, FortiGuard Labs publishes a Threat Brief to subscribers that profiles notable hot topics and threats that were discovered or discussed during the week. Here is a recap of what we are covering in this week’s Threat Brief:

  • The Remcos RAT is a lightweight, fast, and highly customizable Remote Administration Tool with a range of functionalities. Our FortiGuard Labs researchers analyzed several new spam samples caught in our proprietary spam monitoring system that were identified as another Remcos RAT campaign. We delve into an analysis of a victim's machine where Remcos was downloaded, installed, and executed to see what the variant does.

  • Our researchers recently ran across an interesting tweet that led to a file that is likely part of a new BadPatch campaign. BadPatch is a tag used for a set of malware that was used in a campaign with possible ties to Gaza hackers who have been linked to an espionage campaign targeting the Middle East. In this analysis they dig into 'B3hpy', a new malware being used in this attack campaign.

  • We also review the ELECTRICFISH tool that is used to tunnel traffic between two IP endpoints, allowing the unauthorized export of data without raising any flags. It is believed that this is one of the tools used by APT38 to amass more than $100 million in illegally obtained funds.

  • The EternalBlue Downloader has previously been adapted to exploit common and/or major vulnerabilities, including the addition of SMB and SQL brute-force attacks, an RDP vulnerability, and an LNK file vulnerability. The latest addition to the EternalBlue Downloader malware is the ability to search for and exploit the BlueKeep vulnerability. If a vulnerable system is found, the malware reports this information to a C2 server, which then provides instructions for downloading additional script files and binaries that carry out the attack.

  • FortiGuard Labs is reporting increased detections for an Adobe ColdFusion vulnerability. ColdFusion is a web technology that was invented back in 1995 to allow for a simpler connection between an HTML page and a back-end database. By 1996, however, it had been turned into a full-featured IDE with a scripting language of its own. This latest vulnerability is an unrestricted file upload issue that, if properly exploited, could easily lead to remote code execution.

  • This week, industry researchers uncovered a criminal scheme whereby a trojanized Tor browser was used to fleece Darknet users of their bitcoins. An unknown criminal gang advertised the webpages for this trojanized Tor browser using spam messages on various Russian-language forums as well as on Pastebin. Over several months, the webpages received about 500,000 page views, and the gang was able to collect $40,000 in stolen bitcoins.

Read more details about these and other cybersecurity issues in our FortiGuard Labs Weekly Threat Intelligence Brief. Read this week's issue and subscribe to the weekly email distribution.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.