Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, malware including Ransomware and DDoS, in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

WordPress sites’ admin accounts under threat by new GoTrim Botnet 

Important information for all businesses using WordPress: a new botnet, GoTrim, has been found attempting to break into WordPress sites’ admin accounts. The botnet scans and brute-forces self-hosted websites running the WordPress content management system in order to gain control of the targeted systems.

The new campaign has been named GoTrim because it is written in Go and uses the string :::trim::: to split data sent to and from the C2 server. It uses a botnet network to perform brute-force attacks to log into the targeted web server, adding each compromised machine to the growing network.

Once they have broken in, the attackers install a downloader PHP script designed to deploy the bot client from a hard-coded URL. However, GoTrim cannot spread on its own, nor can it distribute other malware or maintain persistence on the infected system.

The main purpose of the malware is to receive commands from an actor-controlled server, including performing brute-force attacks against WordPress and OpenCart. 

GoTrim can alternatively function in server mode, where it starts a server and listens for requests sent by the threat actor through the C2 server; this mode only works when the breached system is connected to the internet.

The botnet malware can mimic legitimate requests from the Mozilla Firefox browser on 64-bit Windows to bypass the anti-bot protections. 

In conclusion, this threat is one to watch: with its brute-force and anti-bot techniques combined, it could cause a lot of damage.

SVG files used to smuggle QBot malware onto Windows systems

New phishing attacks are using SVG images embedded in HTML email attachments to spread the Qakbot malware. Discovered by Cisco Talos, the new method involves fraudulent emails carrying HTML attachments that contain encoded SVG images incorporating HTML script tags.

This method uses legitimate features of HTML and JavaScript to run encoded malicious code within the lure attachment and assemble the payload on the machine. The idea is that the attacker evades email gateways by storing a binary in the form of JavaScript that is decoded and downloaded when the attachment is opened in a web browser.

The JavaScript code comes into action when the victim opens the HTML attachment from the email: it creates a malicious ZIP archive and then presents the user with a dialog box to save the file.

Furthermore, the ZIP archive is password protected, meaning the user must enter a password displayed in the HTML attachment; the archive then extracts an ISO image that runs the Qakbot Trojan.
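As an added illustration of the defender's side of this technique (example code written for this post, not a tool from Cisco Talos or any vendor), the following Python script scans an HTML attachment for an SVG element that carries script together with the payload-assembly signs described above. The two sample attachments, the hint strings and the base64 length threshold are constructed assumptions.

```python
"""Heuristic scanner for HTML attachments hiding a payload in SVG <script> (constructed example)."""
import re
from html.parser import HTMLParser

# Client-side payload-assembly calls that smuggling scripts typically need (assumed hint list).
ASSEMBLY_HINTS = ("atob(", "Blob(", "createObjectURL", ".download")
# A long unbroken base64 run is the encoded binary the script decodes (threshold is assumed).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

class _SvgScriptParser(HTMLParser):
    """Collect the bodies of <script> elements nested inside <svg>."""
    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self.svg_scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth > 0:
            self.in_script = True
            self.svg_scripts.append("")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.svg_scripts[-1] += data

def scan_attachment(html):
    """Return findings; 'suspicious' needs SVG-embedded script plus hints or a blob."""
    parser = _SvgScriptParser()
    parser.feed(html)
    scripts = "\n".join(parser.svg_scripts)
    hints = sorted(h for h in ASSEMBLY_HINTS if h in scripts)
    has_blob = BASE64_BLOB.search(scripts) is not None
    return {"svg_script_blocks": len(parser.svg_scripts), "assembly_hints": hints,
            "large_base64": has_blob,
            "suspicious": bool(parser.svg_scripts) and (bool(hints) or has_blob)}

# Constructed samples: a plain SVG logo versus a decoy smuggling attachment (not a real payload).
BENIGN_SAMPLE = ('<html><body><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/>'
                 '</svg><script>console.log("ok")</script></body></html>')
SMUGGLING_SAMPLE = ('<html><body><svg><script>var d=atob("' + "QUJD" * 60 + '");'
                    'var b=new Blob([d]);var u=URL.createObjectURL(b);</script></svg></body></html>')
```

Running `scan_attachment` over both samples flags only the second; in practice the hint list and threshold should be tuned against the attachments your mail gateway actually sees.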

Researchers suggest this technique is likely to be adopted by more threat actors over time because of how effectively HTML can be used to smuggle content. Having strong endpoint protection is the best way to avoid falling victim to one of these attacks.

Android malware campaign observed using money-lending apps to blackmail victims 

A previously observed Android malware campaign has been using money-lending apps to blackmail victims into paying the attackers over personal information stolen from their devices. The attackers use the cross-platform Flutter framework to develop apps with malicious features and to complicate detection of the malicious activity.

None of the 33 apps used in the campaign have been distributed through the Google Play Store; they are only available on unofficial app stores, or are sideloaded onto devices via smishing, compromised websites, rogue ads, or social media campaigns. Once the victim installs the app, they are prompted to grant permissions under the pretext of guaranteeing a loan, which allows the app to gather personal information.

The data collected includes GPS location, SMS messages, contacts, call logs, files, photos, and audio recordings. This information is used to pressure victims into paying exceptionally high interest rates on their loans, in some cases even after the loan has been repaid.

The threat actors use victims’ sensitive information to harass them into paying, with alarming threats such as revealing their personal information, calling their contacts, or sending abusive messages. Although the scale of these attacks is unclear, data shows these apps have over 100,000 downloads.

These attacks are exploiting victims’ desperation for quick cash and putting people at risk of having their data exploited. 

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.