19 March Threat Thursday

#ThreatThursday | 19th March 2020 | Cyber Security Updates

Threat Thursday’s weekly rundown of viruses, vulnerabilities and vile viral campaigns is back once again.

This week: Cookie Thief scavenges for crumbs, while phishing attackers continue to exploit the global pandemic.

C is For Cookie, and That’s Good Enough for CookieThief

A cookie-stealing trojan is targeting Android users, obtaining root privileges on the victim’s device and gobbling up cookies from their browsers and social media accounts. With these, cyber criminals were able to access their victims’ accounts without the need to so much as enter a password.

Cookie Thief – which is winning no prizes for imaginative naming – was revealed by Kaspersky earlier this week, and while it has so far only claimed 1000 victims, the number is said to be rising. It appears that Cookie Thief is actually just one component of a larger spam campaign, as Kaspersky detail in their report, here.

As Kaspersky explains, Cookie Thief exploits no existing vulnerabilities in Facebook or in Android web browsers; it does, however, rely on a backdoor, which would need to be installed on the phone somewhere in the supply chain or snuck in via vulnerabilities in the Android OS. Another hurdle to Cookie Thief’s infiltration method is Facebook’s own protection; the social media giant blocks instant access to accounts via cookie the moment it detects suspicious activity. Kaspersky discovered that Cookie Thief needs to access a proxy server, likely set up by the malware’s developers, to bypass this protection.

It’s a spotty kind of malware then, reliant on several smart yet rudimentary workarounds to get going. Yet Kaspersky anticipates further infections and for the number of victims to continue to grow. As always, the best protection is regular phone updates and a reputable anti-virus – none of that free, no-name nonsense that clogs up the Google Play store.

RATS Campaign Leaps onto Coronavirus Fears

In 1348, rats were instrumental in the spreading of an utterly vicious plague. Now, in 2020, a vicious plague is helping the spread of RATS.

Yes, the ongoing threat of Covid-19 continues to support the efforts of phishing campaigns, this time one codenamed “Vicious Panda” by researchers at Check Point Research. The campaign is thought to originate from China, with emails originally sent in the Mongolian language and purporting to be sent on behalf of the Mongolian Ministry of Foreign Affairs. Claiming to be an update on a surge in Coronavirus infections, the document has since been translated into English and is thought to be targeting governments and organisations worldwide.

Attached to the dodgy email is a Microsoft Word .rtf document, which begins an infection chain when opened. This infection chain is a slow and cautious one, prioritising stealth and deploying numerous techniques to avoid detection. The final payload is the RAT malware, which is capable of accessing, editing and deleting files and registry entries, as well as taking a screenshot of the infected device’s screen.

As businesses make changes to their working environments to combat the Coronavirus’s spread, many of us will be receiving emails from a wealth of third parties, updating us on their response strategy. Our advice would be to stay vigilant; carefully monitor all your emails and check for any bogus domain names. We’re going to be fighting off more than one virus in the next few months, it seems.

What Does PXJ Stand For? Holding Your Systems Hostage, For a Start

A ransomware strain whose code appears wholly distinct from that of every other known ransomware family has reared its ugly head.

PXJ, discovered by IBM’s X-Force Iris, is also known as XVFXGW; we’ll spare you any speculation on what those acronyms stand for. The names, chosen by Iris, reflect both the new strain’s encrypted file extension (.pxj) and the email addresses used in the ransomware’s accompanying ransom note (xvfxgw3929@protonmail.com and xvfxgw213@decoymail.com).

While one of the two discovered samples does make use of an existing open-source packer, the other’s code is unique, sharing nothing with any other known ransomware. Despite its unfamiliar code, PXJ works much like any other ransomware: encrypted files, threatening letters, and a demand for monetary payment to decrypt all files – all present and correct.

PXJ arrives amidst the cyber security sector’s own warnings of ransomware’s rising tide. There’s a reason these campaigns are becoming so prevalent, and it’s because they’re so effective and wide-reaching. If you haven’t already got some serious cyber security in place, our advice remains the same: don’t ever assume you’re too small a target, and get yourself protected.


…in terms of code names and threat campaign titles, this week’s Threat Thursday has been an absolute smorgasbord of peculiar monikers. With so many of us stuck working from home and your humble Threat Thursday writer penning this week’s blog from the kitchen table, I thought it’d be fun to grade each of them on the quality of their names. Humour me, guys, I’ve only spoken to my cat all week.

Cookie Thief

Despite some smart workarounds to Android and Facebook protections, it’s clear that not half as much effort went into naming Cookie Thief. Like Ronseal, Cookie Thief does exactly what it says on the tin, but is considerably less fun than watching the renowned wood paint dry. 1/10.

Vicious Panda

Pandas, nature’s rebuttal against the theories of Darwinism, are anything but vicious; if anything, their woefully inefficient diet of bamboo and celibacy makes a mockery of the entire genus Ursidae. Points for optimism, though. 5/10.

PXJ / XVFXGW

These acronyms don’t even have the decency to discount any full title without the word ‘xylophone’ eventually making an appearance. 3/10.

X-Force Iris

X-Force Iris conjures an image of armour-clad militants rappelling down the side of a building and smashing through the window of a lone hacker, mere seconds before he hits the ‘send’ button on an elaborate phishing campaign. It’s a stark contrast to X-Force Iris’s more muted role of combing expertly through malicious code, but I wouldn’t say I’m any less grateful. 9/10.

With that, the curtain closes on another Threat Thursday. As always, we’ll be back next week with more on the latest cyber security threats. Until then – stay safe, stay healthy and look after one another.

Something Smell a Bit Phishy?

Our FREE Phishing Assessment tests and supports up to 50 of your users, plus it provides all the stats and training that your staff need.
