Cybersecurity Weekly Briefing November 21-27

ElevenPaths    27 November, 2020

Qbot as a prelude to Egregor ransomware infections

Researchers at the security company Group-IB have reported activity linking the Qbot banking trojan (also known as QakBot, Pinkslipbot or Quakbot) to the distribution of Egregor ransomware. Qbot's operators, previously associated with other ransomware families such as ProLock, have reportedly moved their operation over to Egregor in search of a larger pool of victims. In the three months since the ransomware first appeared in September 2020, Egregor has compromised a total of 69 companies, mainly in the manufacturing (28.9%) and retail (14.5%) sectors, making it one of the most active families since Maze shut down its operations last month. Also, since Emotet went back to distributing TrickBot in September, Qbot's operators have had to distribute the trojan without Emotet's help, through their own phishing campaigns that attach malicious Microsoft Excel documents.


Vulnerability in cPanel 2FA authentication

Security researchers at Digital Defense have discovered a serious security flaw in cPanel, a popular software package used by web hosting companies to manage their clients' websites. The flaw could allow attackers to bypass two-factor authentication (2FA) for cPanel accounts using brute-force attacks, at a time cost of just a few minutes. Digital Defense reported the flaw privately to the cPanel team, and according to cPanel's security advisory it has been fixed in updated releases of the cPanel & WebHost Manager (WHM) software. Users should not disable 2FA on their cPanel accounts because of this bug; instead, they should ask their web hosting providers to update their cPanel installation to the latest version.
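The security point behind this item is that a second factor is only as strong as the limit on how many times it can be guessed. The following Python example was written for this briefing and is not cPanel's code; it assumes nothing about cPanel's implementation. It builds a minimal RFC 6238 TOTP verifier in two forms, one that checks every submitted code without limit and one that locks the account after a few failures, and runs the same exhaustive six-digit guess loop against both at a fixed time step. The secret, the timestamp and the lockout thresholds are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration (not from cPanel or any real account).
SECRET = b"constructed-demo-secret"
NOW = 1_606_435_200          # fixed Unix time so the expected code never changes
DIGITS = 6
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step, digits)


class UnlimitedVerifier:
    """Weak pattern: every submitted code is checked, with no failure counter."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


class LockoutVerifier:
    """Hardened pattern: lock the account after MAX_FAILURES wrong codes."""

    MAX_FAILURES = 5           # constructed threshold
    LOCKOUT_SECONDS = 900      # constructed lockout length

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False       # refuse everything, even a correct code, while locked
        if hmac.compare_digest(code, totp(self.secret, now)):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.LOCKOUT_SECONDS
            self.failures = 0
        return False


def brute_force(verifier, now: int, digits: int = DIGITS):
    """Submit every possible code in order. Returns (success, codes_submitted)."""
    space = 10 ** digits
    for guess in range(space):
        if verifier.verify(f"{guess:0{digits}d}", now):
            return True, guess + 1
    return False, space


def demo():
    """Run the same attacker loop against the weak and the hardened verifier."""
    return {
        "unlimited": brute_force(UnlimitedVerifier(SECRET), NOW),
        "lockout": brute_force(LockoutVerifier(SECRET), NOW),
    }


if __name__ == "__main__":
    for name, (ok, tried) in demo().items():
        print(f"{name}: {'compromised' if ok else 'held'} after {tried} submissions")
```

Against the unlimited verifier the loop always lands on the valid code, with an expected cost of about half a million submissions; against the lockout verifier it is stopped after five. A real server also rotates the code every 30 seconds, but that does not help while the verifier keeps answering, because each new window is just as guessable as the last. Any lockout or rate limit should be keyed on the account (and ideally the source), and a correct code submitted while locked must still be refused, as the hardened class does.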


New version and new campaign of Trickbot malware

The group behind Trickbot has released version 100 of the malware, which includes new features to evade detection. Among them, Trickbot can now inject its malicious DLL directly from memory into the legitimate Windows executable "wermgr.exe". In addition, Trickbot's operators have released a new reconnaissance tool, called Lightbot, used to search the network for high-value targets. The group's most recent malspam campaign aims to distribute this tool. The content of the emails used as a pretext is similar to that of the emails responsible for spreading BazarLoader: they pretend to come from human resources or legal departments, refer to customer complaints or contract terminations, and include an attachment containing a JavaScript file that runs Lightbot's PowerShell script. The tool is intended to perform a lightweight reconnaissance to determine the value of the victim. The information collected includes the computer name, hardware information, username, Windows version, the list of Windows domain controllers, the Windows PDC (primary domain controller), IP addresses, DNS servers, network card type, and a list of installed programs.
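As an added illustration written for this briefing (not code from Trickbot's analysts or from any vendor), the Python snippet below runs two detection heuristics drawn from the infection chain above over a handful of constructed Sysmon-style process-creation records: a script host (wscript.exe or cscript.exe, which is what runs a double-clicked JavaScript attachment) spawning PowerShell, and wermgr.exe being started by something other than svchost.exe. The second rule rests on the assumption that legitimate wermgr.exe is launched by the Windows Error Reporting service hosted in svchost.exe; it only catches a loader that starts its own wermgr.exe, since an in-memory injection into an already running process leaves no process-creation record and needs a remote-thread or image-load data source instead. All sample records, paths and file names are invented.

```python
import ntpath

# Constructed process-creation records in a Sysmon-like key=value form.
# They are illustrative only, not telemetry from the campaign in the briefing.
SAMPLE_EVENTS = [
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe C:\\Users\\hr\\Downloads\\Contract_termination.js",
    "EventID=1|ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -w hidden -f C:\\Users\\hr\\AppData\\Local\\Temp\\l.ps1",
    "EventID=1|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\wermgr.exe"
    "|CommandLine=wermgr.exe -upload",
    "EventID=1|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|Image=C:\\Windows\\System32\\wermgr.exe"
    "|CommandLine=wermgr.exe",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=WINWORD.EXE",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts for a .js attachment
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption for the heuristic: legitimate wermgr.exe is started by the WER
# service inside svchost.exe, so any other parent is worth a look.
EXPECTED_WERMGR_PARENT = "svchost.exe"


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; only the first '=' of each field separates key from value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, parent, image) tuples for every record that trips a heuristic."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in SCRIPT_HOSTS and image in POWERSHELL:
            alerts.append(("script_host_spawned_powershell", parent, image))
        if image == "wermgr.exe" and parent != EXPECTED_WERMGR_PARENT:
            alerts.append(("wermgr_unexpected_parent", parent, image))
    return alerts


if __name__ == "__main__":
    for rule, parent, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {parent} -> {image}")
```

On the constructed sample the first record (Explorer opening the attachment) is silent on its own, the second fires the script-host rule, the third is the normal service-launched wermgr.exe and stays quiet, and the fourth fires the parent rule. In a production rule set both heuristics would be tuned against the environment's baseline before being promoted to alerts.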
