Lots of threat intelligence news updates in this week’s ShadowTalk episode with Jamie Collier, Adam Cook, and Viktoria Austin.

Top stories this week include:
– NCSC advising consumers on security precautions around smart cameras and baby monitors
– Banking Trojan steals Google Authenticator app codes
– Ransomware Attack on Epiq Legal Services
– Tesco Clubcard fraud warning
– Boots Advantage Card hit by cyber attack


Cloud Snooper bypasses firewall rules to control cloud servers

A new malware variant, “Cloud Snooper”, implements a unique combination of practices to evade detection and communicate with its C2 server by bypassing firewall rules. Cloud Snooper was observed using a kernel-level rootkit and a backdoor, which enabled attackers to gain access to, and remotely control, cloud computing servers. Based on the sophistication of the malware, it is realistically possible that it was developed by nation-state–linked operators. Cloud Snooper will likely be deployed again in the mid-term future, to gain access to servers and steal potentially sensitive data.


TrickBot gains ActiveX control, incites macro activation

A Windows 10 ActiveX control has been added to the “TrickBot” trojan to execute malicious macros in documents. The feature is used to create and execute the OSTAP JavaScript downloader, which acts as a dropper for the TrickBot payload and requires no further user interaction once macros have been enabled. Malicious documents sent to targets typically contain an image to increase the perceived legitimacy of, and interest in, the file, thereby increasing the chances that a user will enable macros. TrickBot has remained highly active in 2020, and this new feature highlights that its developers continue to improve the trojan’s capabilities; more TrickBot operations are likely in the mid-term future.


Karkoff malware linked to espionage attacks on Lebanese government

Cyber-security researchers identified a new sample of the “Karkoff” malware, linked to the Iranian state-associated threat actor “APT34”, that targeted a Microsoft Exchange Server belonging to a Lebanese government entity. APT34 has been highly active in 2020, and predominantly targets the Middle East and the United States. Security researchers have suggested that Iranian threat actors may have increased their targeting of the United States following the killing of Iranian General Qasem Soleimani. Iranian threat actors will likely continue to target United States-based organizations, although this incident shows that they remain active in the Middle East.


For more details, read the full Weekly Intelligence Summary

Weekly Intelligence Summary 06 Mar 2020