Security News

Phishing scams pick up the phone and MikroTik routers watch and listen

Avast Security News Team, 7 September 2018

Bank phishing scam calls its victims, cryptojacker Rocke expands its arsenal, and MikroTik routers hacked to transmit their data.

Bank phishing scam phones it in

Many banking customers in Brazil woke up to a rude shock as the security module they installed as instructed turned out to be a trojan. Dubbed Camubot, the Trojan malware proudly sports banking logos and other branding, pretending to be a legit endpoint security update.

The attack works something like this — the perpetrator identifies and calls the victim, posing as a bank employee. The victim is instructed to visit a URL to verify if their security system is up-to-date. The verification (obviously) returns a negative result, after which the victim is guided to install an update. If the victim takes the bait, the installation wizard starts downloading a fake application that carries the Trojan. The name of the file as well as the URL changes for every attack to fend off suspicion.

Avast Security Evangelist Luis Corrons notes, “Attackers are taking social engineering techniques to the next level. Cybercriminals fooling users to install malware on their own computers is not new. However, calling them to guide them to install the malware is something new.” He adds that this type of attack, which requires so much of the criminal’s own time, is not scalable, though “their target victims are worth the effort, as they can potentially steal hundreds of thousands, if not millions, of dollars.”

Cryptojacker Rocke is on a roll  

Cybersecurity researchers have issued a warning against a new threat actor called Rocke, according to the name on the user’s Monero wallet, who uses Git repositories as delivery systems for advanced cryptojacking software. While Git repositories are Rocke’s primary M.O., the actor has lately broadened the toolsets used, bringing in browser-based miners, Trojans, and the Cobalt Strike malware.

The wider attack strategies don’t surprise Luis from Avast, who says, “Cryptomining is popular and will continue being popular in the near future, as will cryptocurrency like Monero, which is essentially anonymous, allowing cybercriminals to work with them safely. We have seen similar attack approaches in the past.”

Rocke was first discovered in April 2018 when users downloaded several files to the researchers’ Struts 2 honeypot from Gitee.com and GitLab.com respectively. The repositories contained a variety of files such as ELF executables, shell scripts, and text files, all of which executed several Monero-based cryptominers.

Barack Obama ransomware — yes, it can

Someone with a massive grudge against the former POTUS has released a ransomware script in his name that locks up a system’s .exe files. It then follows-up with a request for a monetary “tip” to have the files unlocked.

“This looks like an amateur attack,” comments Luis, “or perhaps a test trial. The fact that .exe files are the ones being targeted, instead of documents, photos, etc., is really not smart. What people are concerned about is their data. And in the cases where people pay the ransom, it’s  because they want to recover information they do not have anywhere else. That information is not in .exe files.”

Barack Obama’s Everlasting Blue Blackmail Virus, as it is being called, is distributed through spam and phishing campaigns. Typical ransomware attacks target documents and media, staying away from system files as that could result in a system crash with no potential payoff. The Obama ransomware, however, has no qualms against such consequences.The infected machine will also lose all shadow volume copies making file recovery much more difficult.

Spying eyes found in MikroTik routers

Researchers have discovered that almost 240,000 MikroTik routers have been hacked using a known vulnerability (CVE-2018-14847) which allows bad actors to see the traffic and data passing through the router in both directions.

Furthermore, over 7,500 of the routers were maliciously reprogrammed to forward all their traffic and data to other servers. Experts cannot discern a specific goal of the attacks, as there does not seem to be a pattern to the infected routers, which span across five different countries.

“A router is the gateway to our home,” Luis reminds us. “If an attacker compromises it, our entire network is at risk. It is essential to make sure all of our network devices are fully updated and, ideally, protected.”


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.