Threat Report

In this week’s usually weekly threat report MageCart pops back on the scene with Macy’s, Phineas Phisher lands a suspected Cayman money laundering bank, Roboto botnet targets Webmin, and two new backdoors get the spotlighted.

MageCart goes card-skimming at Macy’s

Macy’s recently announced a data breach caused by implanted Magecart card-skimming code in Macy’s online payment portal. According to Macy’s notice, the company was alerted to a suspicious connection between macys.com and a card-skimming site. The skimming scripts were injected onto two pages of the Macy’s site. Macy’s customers that have placed orders online or submitted financial details into their wallets between October 7th and October 15th may have had their information stolen.

The injected card-skimming code intercepted customer information including first and last names, physical addresses, ZIP codes, and credit card information. Macy’s reports that the code was removed on the same day Macy’s was alerted to the issue, but they did not disclose how long the card-skimming Magecart code was in place.

It is unclear how many customers may have been involved in the Magecart skimming campaign. Macy’s reported that they had taken steps they “believe” will prevent unauthorized code from being added in the future.

Cayman National Bank heist by Phineas Fisher nets boo koo bucks

On November 17, 2019, the hacktivist group Phineas Fisher targeted the Cayman National Bank. The attackers stole money and documents and offered a $100,000 bounty to other hackers that carry out similarly motivated hacks. A Twitter account named “Distributed Denial of Secrets” said on November 16, 2019, that it was going to release copies of servers belonging to the Cayman National Bank.

Distributed Denial of Secrets claims that the Cayman National Bank was used for money laundering by Russian oligarchs and others, and that is why it published the bank’s confidential data. Distributed Denial of Secrets made it clear that it did not hack Cayman National but was instead hacked by Phineas Fisher. Cayman National has not acknowledged the leak. However, its services were unavailable on November 17th due to a major upgrade and maintenance program, which was probably to upgrade all those vulns they knew they had.

Domo Arigato Mr. Roboto

Security researchers identified that Linux servers running unpatched Webmin installations are being targeted by a new botnet dubbed “Roboto”. Roboto Botnet supports seven functions including reverse shell, self-uninstall, system command execution, harvesting & exfiltrating process and network information, run payloads from remote URLs, and launching DDoS attacks. In addition to Roboto’s main functions, it also exploits a Webmin remote code execution vulnerability, tracked as “CVE-2019-15107,” to drop its downloader module on Linux servers running vulnerable installations of Webmin.

The DDoS feature could launch attacks via different attack methods such as ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood depending on the system permissions it can gain on the compromised Linux servers. System administrators are advised to monitor and block the Roboto botnet related IP addresses, URLs, and domain names to prevent potential attacks. The following indicators of compromise were released with this report.

Thank you very much, Mr. Roboto for helping me escape when I need to.

URLs

http://144.76.139.83/community/uploadxx/1461C493-38BF-4E72-B118-BE35839A8914/image[.]jpg
http://144.76.139.83/community/uploadxx/1461C493-38BF-4E72-B118-BE35839A8914/image2[.]jpg
http://citilink.dev6[.]ru/css/roboto[.]ttf
http://citilink.dev6[.]ru/css/roboto[.]ttc
http://190.114.240[.]194/boot

IPs

120.150.43[.]45
95.216.17[.]209
66.113.179[.]13
186.46.45[.]252
213.159.27[.]5

Backdoor the URIs PoC tool for Windows 10 Persistence

Backoori (“Backdoor the URIs”) is a Proof of Concept tool aimed to automate the fileless URI persistence technique in Windows 10 targets. Windows 10 URI schemes can be abused in order to maintain persistence via “living off the land.” Backoori generates a ready-to-launch PowerShell agent that will backdoor specific universal URI applications with fileless payloads of choice. The author has shared video demos of the following attack scenarios using the tool: user-triggered persistence, hijacking multiple Universal Apps, and user-triggered persistence via web attack surface.

Written in Go, Backoori was uploaded to GitHub by user giuliocomi on October 15, 2019, but the most recent version was released November 19, 2019.

ACBackdoor sets sights on Windows and Linux

A new multi-platform backdoor dubbed ACBackdoor affects Windows and Linux systems and allows attackers to run malicious code and binaries on the compromised machines. ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities on the infected system.

Both operating system variants share the same command-and-control server, but the infection vectors they use are different. In the Windows version, the backdoor is pushed through malvertising with the Fallout Exploit Kit while for the Linux variant, researchers are unclear of the delivery vector used to deploy the malware.

After it infects a victim’s machine, ACBackdoor will start collecting system information including its architecture and MAC address. When the process is done, it will add a registry on Windows to gain persistence. Based on the report, it was unclear on the Linux variant establishes persistence.

In VirusTotal, the Windows variants have a higher detection rate than its Linux counterpart. Users and organizations must keep their systems up to date with the latest security patches and install third-party software that can track malicious related activities to prevent potential attacks. Enjoy some IoCs from the full report for your hunting.

IP Addresses

193.29.15[.]147
185.198.56[.]53

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Thursday November 14th 2019