Threat Report

Thursday September 19th 2019

In this week’s threat report we’re covering a variety of topics. Summer is over and the fall malspam campaigns have arrived, multiple open databases have led to a loss of valuable data, and a wiry new malware dropper jumps into action. Let’s get this party started.

Summer vacation is over for Emotet

Emotet infected hosts began communicating with command and control infrastructure, which pushed updates to the bots, and started a new malspam campaign on 9/16/19 after taking summer off.

Emotet was discovered in 2014 as a banking Trojan, but has evolved over the years. The malware gets a foothold on a host, which prepares it for further infections. In some cases, this has been ransomware.

Emotet behavior changes frequently, but generally starts with a spam campaign containing malicious documents and ends with an Emotet infected host.


The following URLs were known to host Emotet payloads. Typically, these indicators are a threat for a short period of time. Compromised domains hosting Emotet payloads are valid for hours not days.



You should review your network logs and DNS logs for these domains and URLs, especially for September 16th.

In addition to this activity, we also found some Emotet IP indicators on Pastebin indicating earlier Emotet activity on or before 9/11/19.

Open databases on both sides

This week a medical company and a malware company have something in common, they both lost control of some valuable data.

Picture archiving and communication system (PACS) are used in the healthcare sector to store and serve medical information retrieved from imaging devices such as X-Ray, CT, or MRI machines. They use the Digital Imaging and Communications in Medicine (DICOM) standard to transmit, store, retrieve, print, process, and display medical imaging data.

Greenbone Networks identified 590 PACS servers that could be reached over the internet and allowed retrieving about 24.3M patient records, which included 400M x-rays.

Most records included the following personal and medical details:

  • First name and surname
  • Date of birth
  • Date of examination
  • Scope of the investigation
  • Type of imaging procedure
  • Attending physician
  • Institute/clinic
  • Number of generated images

On the flip side, cybercriminals behind Gootkit left their MongoDB databases exposed online without a password.

Gootkit is a banking trojan information stealer known for video grabbing skills. Main functions include stealing passwords, payment card numbers, cookie files, and other data from browsers and browser history.

The exposure was discovered by Bob Diachenko, who was able to download all of the exposed data. According to Diachenko’s findings, Gootkit operation is much smaller than other malware organizations like Emotet or TrickBot.

Gootkit operators focus their attention on smaller geographical areas as opposed to massive email spam campaigns.

The databases were indexed by various IoT search engines. The two exposed MongoDB servers contained data from three sub-botnets, for a total of 38,653 infected hosts.

Approximately 15K individual payment card entries were discovered in the form of “Luhnforms,” which contained the site where the payment card data was collected, browser and PC details, and the payment card details themselves, which were stored in plaintext.

In a file named “Windowscredentials,” the malware logged username and credentials for sites where users had registered an account or had logged in while the malware was active.

The usernames and passwords were stored in cleartext and totaled to 2,385,472 entries, although there may be duplicates.

The databases also contained configuration files containing links to other Gootkit modules that when downloaded would improve the malware’s features.

The databases also revealed cookie files, screenshots of users’ screens, and technical details about the host machine, including internal and public IP address, hostname, domain name, CPU details, memory details, if the system was a VM or not, ISP name, OS details, OS install date, MAC address, browser details, and more.

It is unclear if the Gootkit operators detected Diachenko’s presence during the discovery or if their server take-down resulted from routine processes.

Exposed MangoDB server at Lumin PDF

In addition to those two cases of exposed databases, we have even more data lost. ZDNet reported that the details of over 24.3M Lumin PDF users were leaked on a hacking forum.

The hacker said Lumin PDF failed to respond after multiple notifications over the past few months. The hacker published the company’s user database as a 4.06GB CSV file containing records om 24,386,039 Lumin PDF users.

The majority of user records on the CSV file contains full names, email addresses, gender, (language) locale settings, and a hashed password string or Google access token.

Most entries had Google access token included confirming that most Lumin PDF is using the service as an add-in Google Drive app. However, for 118,746 users, the leaked Lumin PDF data contained Bcrypt hashed passwords strings. The hacker wrote on the forum and claimed to have taken the data from an unsecured MongoDB database in April 2019.

“Vendor was contacted multiple times but ignored all the queries. The data was later destroyed by ransomware, and the server was taken down soon after,” the hacker said.

ZDNet notified Lumin PDF about the incident. Lumin PDF CEO, Max Ferguson, replied to ZDNet’s request for comment after the publication of the article. The company said it plans to publish a blog post and disclose the security breach to its users.

Lumin PDF said that the leaked tokens had expired but users can make sure the tokens are useless by revoking the Lumin PDF app’s permissions and then reconnecting the app to their Google account.

Wiry Jumper springs into action

A new malware dropper dubbed WiryJMPer has been observed infecting computers with Netwire RAT payload, hidden between two benign binaries, and using an obfuscation technique to prevent analysis and detection from security software.

WiryJMPer is a dropper with unusual obfuscation that uses two benign binaries with superfluous jumps and dead branches sandwiched between the binaries to hide its virtual machine, protecting its Netwire RAT payload.

The first stage of the payload innocently appears as a regular WinBin2Iso binary with a suspiciously large .rsrc section. Then, an unresponsive WinBin2Iso window will be displayed which gets almost instantly replaced by a new ABBC Coin wallet window. According to Avast, the combination of control flow obfuscation and low-level code abstraction made the analysis of the malware’s workflow rather tedious.

The WiryJMPer dropper also attempts to gain persistence on compromised systems by adding a shortcut in the startup folder pointing to its original binary.

The malware used the same course of action with a WinBin2Iso binary patched to unpack Netwire RAT and other binary, leading to legitimate cryptocurrency wallets via the decoy payload.

Paul Scott

Paul Scott
Has 6 Gold Stars