ALERTS APRIL 2024
DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
--- | --- | --- | --- | --- |
30.4.24 | New DragonForce Ransomware variant | ALERTS | Ransom | A new variant of ransomware called DragonForce has been observed using a leaked ransomware builder from the LockBit ransomware group. |
30.4.24 | Security vendor applications impersonated in recent malware campaign | ALERTS | Virus | Impersonating legitimate applications is a common tactic observed in attack campaigns. Among the simpler methods of impersonation is to convince a victim to execute content by leveraging a legitimate filename. |
30.4.24 | Ziraat Stealer disguised as data recovery tool | ALERTS | Virus | The Ziraat Stealer, a .NET infostealer, has been discovered masquerading as a Data Recovery tool. This malware is capable of extracting passwords and credentials from browsers, social media platforms, |
30.4.24 | Rising trend of FakeBat malware campaigns, exploiting MSIX installers and malvertising | ALERTS | Virus | Many campaigns involving the FakeBat malware have been reported recently, showing an increasing trend. FakeBat utilizes multiple delivery tactics, with malvertising being the primary strategy. |
27.4.24 | Multiple vulnerabilities in OpenMetadata | ALERTS | Vulnerability | OpenMetadata is an open source metadata platform that can be used for data discovery, cataloging and collaboration. |
27.4.24 | KageNoHitobito ransomware | ALERTS | Ransom | KageNoHitobito ransomware came on the scene in March 2024. This is a no-frills ransomware with basic old-school functionality: file encryption (only on the local drive), dropping ransom notes, and requiring interaction with the attack group via Tor. |
27.4.24 | Brokewell mobile malware | ALERTS | Virus | Brokewell is a new mobile malware variant discovered in the wild. According to a recent report, the malware is delivered to Android users via a fake Google Chrome browser update package. |
27.4.24 | Amadey malware family remains an active threat in the landscape | ALERTS | Virus | Amadey is an infostealer variant enriched with additional functionalities allowing it to download and execute malicious payloads such as ransomware. |
25.4.24 | SSLoad and Cobalt Strike leveraged in compromised "Contact Form" campaign | ALERTS | APT | A new loader has emerged called SSLoad, distinct from SLoad. Reports reveal a campaign where attackers were observed abusing and sending malicious links via contact forms. |
25.4.24 | SpyNote campaign using Vietnam's National Public Service as bait | ALERTS | APT | SpyNote remote access trojan and its variants are proliferating globally, with groups and individuals employing various social engineering tactics to target mobile users. |
25.4.24 | APT43 exploits Dropbox in TutorialRAT distribution campaign | ALERTS | APT | The APT43 group has been observed distributing TutorialRAT by actively exploiting Dropbox cloud storage as a base for their attacks to evade threat monitoring. |
25.4.24 | CryptBot among the infostealer variants distributed in latest CoralRaider campaign | ALERTS | Virus | According to a recent report, three distinct infostealer variants, Cryptbot, LummaC2 and Rhadamanthys, have been distributed in a newly discovered campaign attributed to the threat actor known as CoralRaider. |
25.4.24 | Seedworm exploits Atera Agent in a spear-phishing Campaign | ALERTS | CAMPAIGN | Seedworm (also known as MuddyWater), is actively exploiting the legitimate remote monitoring and management (RMM) tool Atera Agent in its spear-phishing campaign. |
25.4.24 | Fake Job App Steals SMS Messages From Oil Industry Job Seekers | ALERTS | Mobile | Symantec has recently observed a malicious actor targeting mobile users who are looking for jobs in the oil industry. |
25.4.24 | More Fake MetaMask Android Apps Circulating, Targeting Users' Wallets | ALERTS | Virus | More fake MetaMask Android applications have been observed targeting mobile users' wallets via phishing tactics, all of which are being hosted on malicious domains mimicking MetaMask and leveraging typosquatting techniques. |
25.4.24 | GooseEgg, a post-exploitation malware | ALERTS | Virus | Researchers at Microsoft have reported on ongoing activities of the Russian-based threat actor Forest Blizzard, identified by Symantec as Swallowtail (aka STRONTIUM), utilizing a custom tool dubbed GooseEgg. |
23.4.24 | Kapeka backdoor | ALERTS | ALERTS | Kapeka is a recently identified backdoor variant leveraged in malicious campaigns targeted at various entities from Eastern Europe since at least 2022. |
23.4.24 | Sharpil RAT malware - possible precursor to Sharp Stealer | ALERTS | ALERTS | Sharpil is a new Remote Access Trojan (RAT) discovered in the threat landscape. This C#-based malware features basic infostealing functionality including system info collection and data gathering from various web browsers. |
22.4.24 | Core Werewolf APT group targets Russian defense organizations in espionage campaign | ALERTS | APT | Espionage activity of the Core Werewolf APT group targeting Russian defense organizations was observed around mid-April. |
22.4.24 | Megazord Ransomware | ALERTS | Ransom | Megazord ransomware is a Rust-based malware that targets healthcare, education, and government entities. |
22.4.24 | OfflRouter observed infecting Ukrainian DOC files | ALERTS | Virus | Threat researchers have recently discovered OfflRouter infections in various DOC files observed in the wild. |
20.4.24 | Coreid (aka Fin7) uses backdoor against US Automaker victims | ALERTS | APT | A recent report provided details of activity by the Coreid (aka Fin7) threat group in which victims in the US automaker industry were targeted. |
20.4.24 | APT Group exploits Web3 gaming hype in campaign for cryptocurrency earnings | ALERTS | APT | A campaign centered around imitating web3 gaming projects has been observed, likely operated by a Russian-language APT group aiming for potential cryptocurrency earnings by leveraging the allure of blockchain-based gaming. |
20.4.24 | Akira ransomware remains an active threat on the landscape | ALERTS | Ransom | Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) |
20.4.24 | XAgent spyware targeting iOS devices | ALERTS | Virus | An XAgent spyware targeting iOS devices has been identified, linked to the Swallowtail group (APT28). Primarily targeting political and government entities in Western Europe |
19.4.24 | Malware campaign distributing MadMxShell backdoor via masquerade websites | ALERTS | CAMPAIGN | A new backdoor called MadMxShell has surfaced as part of a malware campaign. The threat actors responsible for the campaign are hosting masquerade websites that impersonate legitimate IP scanner software sites. |
19.4.24 | CR4T malware implant distributed in the DuneQuixote campaign | ALERTS | Virus | Malicious campaign dubbed DuneQuixote has been reported to distribute new variants of the CR4T malware implant. The campaign targets various organizations and entities in the Middle East. |
19.4.24 | Mamont Android banking trojan | ALERTS | Virus | Mamont is a recently identified banking trojan for Android. The malware has been distributed disguised as a Google Chrome installer package. |
18.4.24 | Google Firebase and Clearbit abused in Phishing campaigns | ALERTS | CAMPAIGN | Phishing actors employ a plethora of tactics to make their phishing attempts more persuasive, ranging from hosting services to social engineering. |
18.4.24 | TP-Link Archer AX21 CVE-2023-1389 still being exploited by botnets | ALERTS | Vulnerability | Last year an unauthenticated command injection vulnerability, CVE-2023-1389, was disclosed for the web management interface of the TP-Link Archer AX21 (AX1800) router. |
17.4.24 | CVE-2024-1852 - WordPress WP-Members Membership Plugin vulnerability | ALERTS | Vulnerability | CVE-2024-1852 is a high severity cross-site scripting (XSS) vulnerability affecting the WordPress WP-Members Membership Plugin. |
17.4.24 | SoumniBot - Android banking malware | ALERTS | Virus | SoumniBot is a new banking malware variant for Android. |
17.4.24 | Rincrypt Ransomware | ALERTS | Ransom | Rincrypt is one more run-of-the-mill ransomware variant recently observed on the threat landscape. When executed, it targets files with the specific extensions according to a pre-defined list. The malware appends the encrypted files with “.rincrypt” extension. |
17.4.24 | Tax-Themed phishing campaign deploys XWorm RAT | ALERTS | Virus | An email phishing campaign has been reported deploying the Remote Access Trojan (RAT) XWorm. |
17.4.24 | Risen Ransomware | ALERTS | Ransom | A ransomware actor known as "Risen" has been detected in the wild. According to their ransom note ($Risen_Note.txt and $risen_guide.hta), the threat actors appear to employ double-extortion tactics by threatening to sell or leak stolen information if the ransom payment is not made. |
16.4.24 | SteganoAmor campaign attributed to TA558 threat group | ALERTS | Group | A new malicious campaign dubbed as SteganoAmor has been attributed to the TA558 threat actor. |
16.4.24 | L00KUPRU Ransomware | ALERTS | Ransom | L00KUPRU is a new Xorist ransomware variant recently discovered in the wild. The malware encrypts user files and adds the .L00KUPRU extension to them. |
16.4.24 | SolarMarker malware campaign adapts with PyInstaller for obfuscation | ALERTS | Virus | A SolarMarker malware campaign has been observed utilizing PyInstaller to obfuscate first-stage PowerShell scripts instead of Inno Setup and PS2EXE, showcasing the adaptability of threat actors in evading detection mechanisms targeting SolarMarker. |
16.4.24 | Hive0051c malware campaign distributing GammaLoad in Ukraine | ALERTS | Virus | Hive0051c has been observed conducting a malware campaign distributing the GammaLoad malware in Ukraine. |
16.4.24 | FatalRAT Distributed Through Fake Cryptocurrency App Website | ALERTS | Virus | A new malicious campaign has been identified where the attackers attempt to distribute FatalRAT malware via a webpage masqueraded as a legitimate cryptocurrency application download website specifically designed for Chinese users. |
16.4.24 | Fake Anti Radar App SpyNote RAT Targets French Drivers | ALERTS | Virus | Speed cameras are quite prevalent in France, and their numbers have increased significantly over the years as part of road safety measures. |
16.4.24 | XploitSPY Android malware | ALERTS | Virus | An active malicious campaign dubbed "eXotic Visit" has been recently spreading a customized variant of the XploitSPY Android malware. |
13.4.24 | Signed backdoor found in screen mirroring software | ALERTS | Virus | A recent report identified a signed backdoor present in LaiXi Android screen mirroring software. According to the report, attackers abused the Microsoft Windows Hardware Compatibility Program to get the malware signed. |
12.4.24 | LightSpy malware implant | ALERTS | Virus | LightSpy is a modular surveillance tool with variants supporting both Android and iOS platforms. |
12.4.24 | Rhadamanthys malware deployments attributed to TA547 | ALERTS | Virus | A new Rhadamanthys infostealer deployment campaign attributed to the TA547 threat actor has been discovered in the wild. The campaign targets a wide range of industries in Germany. |
11.4.24 | Pupy RAT continues to be used in attacks against Linux systems | ALERTS | Virus | Pupy RAT continues to be leveraged in attacks conducted by miscellaneous threat operators. |
11.4.24 | Metasploit Meterpreter observed in attacks targeting vulnerable Redis servers | ALERTS | HACKING | Meterpreter is an advanced Metasploit attack payload leveraged in penetration testing that uses in-memory DLL injection stagers. |
11.4.24 | Nitrogen malware delivery campaign | ALERTS | CAMPAIGN | A new malicious campaign spreading the Nitrogen malware has been observed in the wild. The attack leverages malvertising techniques via Google Ads and the malware binaries are masqueraded as PuTTY or FileZilla software installers. |
9.4.24 | SpyNote mobile malware spread under the disguise of INPS Mobile application | ALERTS | Virus | A recent campaign targeted at mobile users in Italy has been distributing SpyNote malware under the disguise of the INPS Mobile application. |
9.4.24 | Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services | ALERTS | Virus | A new infostealer distribution campaign has been reported in the wild with attackers leveraging compromised Facebook accounts to advertise fake AI services impersonating well-known brands such as MidJourney, SORA AI, Evoto, ChatGPT-5 and DALL-E 3. |
8.4.24 | CVE-2023-7102, New Zero-Day vulnerability in Barracuda's ESG Appliance exploited | ALERTS | Vulnerability | A Chinese threat actor, UNC4841, has been reported exploiting a new zero-day vulnerability identified as CVE-2023-7102 in Barracuda Email Security Gateway (ESG) appliances. |
8.4.24 | New phishing run spoofs International Card Services (ICS) | ALERTS | PHISHING | Symantec has observed a new wave of phish runs spoofing International Card Services BV to steal credentials. In this run, threat actors have not hyperlinked the phishing URL but included it in plain text along with the email content. |
8.4.24 | TISAK Ransomware | ALERTS | Ransom | TISAK is a new ransomware variant observed in the wild. The malware appears to be a strain of the Proxima/BlackShadow ransomware family. It encrypts user data and appends .Tisak extension to the files. |
8.4.24 | Spoofed Adobe Creative Cloud email notifications appear in phish runs | ALERTS | PHISHING | Adobe Creative Cloud provides a collection of applications for graphic design, video editing, web development, photography and more. |
8.4.24 | CVE-2023-41266 A path traversal vulnerability in Qlik Sense Enterprise under active exploitation | ALERTS | Vulnerability | CVE-2023-41266 is a path traversal vulnerability affecting Qlik Sense Enterprise. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to generate an anonymous session. |
8.4.24 | Xamalicious Android malware | ALERTS | Virus | Xamalicious is a backdoor malware targeting the Android platform. The malware is built using Xamarin framework which is an open source platform for creating apps with .NET and C#. |
8.4.24 | Binance Turkey Users Lured with MASAK Audit Scare | ALERTS | Crime | More Binance smishing is being observed around the world, and in a recent example, Symantec has observed an actor targeting Turkish Binance users. |
8.4.24 | Continuous activities of UAC-0099 threat group against Ukraine | ALERTS | Group | "UAC-0099" is a threat group known to be targeting Ukraine since at least mid-2022. In some of the recent campaigns the attackers have been leveraging self extracting RAR .SFX archives |
8.4.24 | Bandook malware - an older threat remains active in the wild | ALERTS | Virus | Bandook is a remote access trojan discovered way back in 2007. While it is quite an old malware family, new variants of Bandook reemerge in the wild with new distribution campaigns to this day. |
8.4.24 | Malicious SMS Targets BDO Unibank users | ALERTS | Virus | Banco De Oro (BDO) Unibank is the largest bank in the Philippines and among the top 20 banks in Southeast Asia. Over the past few weeks, |
8.4.24 | No Christmas Break for Agent Tesla: Riyad Bank Impersonated in a Malspam Campaign | ALERTS | Virus | Usually over Christmas there is somewhat less malware activity, but that does not mean there isn't any. Attacks from all fronts (e.g., email, drive-by downloads, vulnerabilities, etc.) keep on going |
8.4.24 | Truist Bank users targeted with new phishing emails | ALERTS | PHISHING | Truist Bank is one of the top U.S. commercial banks headquartered in Charlotte, North Carolina. Recently, Symantec has observed a new wave of phish runs spoofing Truist Bank services with fake account notifications. |
8.4.24 | MetaStealer distributed via malvertising | ALERTS | Virus | MetaStealer is an infostealer variant discovered back in 2022. It is known to be delivered via malspam campaigns as well as bundled with pirated software. |
8.4.24 | New variant of Chameleon Android malware allows for biometric authentication bypass | ALERTS | Virus | Chameleon is an Android banking malware that first emerged at the beginning of 2023. |
8.4.24 | Operation HamsaUpdate | ALERTS | Operation | Operation HamsaUpdate is a recently identified campaign targeting Israeli customers using F5’s network devices. |
8.4.24 | Fictitious OnlyFans premium mobile app revealed as SpyNote | ALERTS | Virus | OnlyFans' popularity worldwide has grown exponentially over the past few years. Positioned as a social media service, it has become a lucrative means of livelihood for many individuals. |
8.4.24 | Old MS Office vulnerability CVE-2017-11882 still leveraged for Agent Tesla delivery | ALERTS | Vulnerability | CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. Successful exploitation of this flaw might allow attackers remote code execution on the infected machines. |
8.4.24 | Movable Type API CVE-2021-20837 vulnerability under active exploitation | ALERTS | Vulnerability | CVE-2021-20837 is a critical (CVSS score 9.8) command injection vulnerability affecting the Movable Type API. If successfully exploited, this vulnerability enables remote code execution. |
8.4.24 | GuLoader campaign: From Seoul to Brussels | ALERTS | Virus | GuLoader's prevalence remains unwavering, and Symantec continues to observe actors conducting campaigns worldwide. One particular case has caught our attention, as the actor exhibits behavior reminiscent of a locust colony, traversing from field to field. |
8.4.24 | Xray Ransomware | ALERTS | Ransom | Xray is yet another ransomware actor that has been observed in the threat landscape, targeting companies' servers and clients. Capability-wise, it's a generic ransomware that allows the actor to determine which folders to encrypt and which to skip. |
8.4.24 | New phishing run spoofs Mexican Postal Service (Correos de Mexico) | ALERTS | PHISHING | Symantec has observed a new wave of phish runs spoofing Mexican Postal Service (Correos de Mexico) to steal credentials. The email content is kept specific and mentions an undelivered package. |
8.4.24 | TA544 activities involving IDAT Loader | ALERTS | Virus | A new set of malicious activities attributed to the TA544 (aka Narwal Spider) threat group has been reported in the wild. This threat actor has been known to target various Italian organizations and entities in the past. |
8.4.24 | JaskaGO infostealer for Windows and macOS | ALERTS | Virus | JaskaGO is a new Go-based infostealer developed for both Windows and macOS platforms. The malware collects a wide range of data from the compromised machines including credentials, cookies, browser history, files from local folders, |
8.4.24 | Splunk Remote Code Execution (RCE) vulnerability CVE-2023-46214 | ALERTS | Vulnerability | CVE-2023-46214 is a recently disclosed remote code execution (RCE) vulnerability affecting the Splunk Enterprise platform. Due to a flaw in processing of user-supplied extensible stylesheet language transformations (XSLT), |
8.4.24 | Zimbra Collaboration XSS vulnerability CVE-2023-37580 | ALERTS | Vulnerability | CVE-2023-37580 is a recently disclosed 0-day (CVSS score: 6.1) Cross-Site Scripting vulnerability affecting the Zimbra Collaboration suite. |
8.4.24 | Play Ransomware - latest attacks against enterprises | ALERTS | Ransom | Symantec Security Response is aware of the recent CISA, FBI and ASD's ACSC alert regarding a number of recent targeted activities observed for the Play (aka PlayCrypt) ransomware. |
8.4.24 | "No One Was Home" themed Evri phishing emails are making the rounds | ALERTS | PHISHING | Evri is a parcel delivery company based in United Kingdom. As the holiday season has started, spoofed emails masqueraded as Evri parcel notifications have been observed. |
8.4.24 | CVE-2023-49070 Apache OFBiz RCE vulnerability | ALERTS | Vulnerability | CVE-2023-49070 is a critical (CVSS score 9.8) pre-auth remote code execution vulnerability in Apache OFBiz. |
8.4.24 | African based telecommunications organizations targeted by Iranian Seedworm group | ALERTS | APT | The Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, |
8.4.24 | Fake NordVPN Installer Delivering SecTopRAT | ALERTS | Virus | While monitoring for new stealers, Symantec has observed an actor who has set up a Telegram channel for a stealer dubbed Vortex. After following breadcrumbs, it appears that there are ongoing test-related activities. |
5.4.24 | New JsOutProx malware variant observed in campaigns targeted at financial sector | ALERTS | Virus | A new JsOutProx malware variant has been observed in recent campaigns targeted at the financial sector in Africa, the Middle East, South Asia, and Southeast Asia. JsOutProx RAT is attributed to a threat group known as Solar Spider. |
5.4.24 | Byakugan malware | ALERTS | Virus | Byakugan is a modular infostealer variant observed recently in the wild. The malware has been distributed under the disguise of an Adobe Reader installer. |
5.4.24 | Phorpiex malware campaign targets finance sector in Europe and North America | ALERTS | Virus | A malware campaign distributing Phorpiex botnet has been observed targeting entities in the finance sector across Europe and North America. |
5.4.24 | Indonesia – Wedding invites used as lure by an SMS thief | ALERTS | Spam | In mid-2023, an actor was observed sending SMS messages to mobile users in Indonesia, enticing them to install an application posing as a wedding invitation. |
5.4.24 | Latrodectus malware | ALERTS | Virus | Latrodectus loader is a malware variant first discovered in November 2023. The malware has been recently distributed in malicious campaigns attributed to the TA577 and TA578 threat groups. |
5.4.24 | Backdoor code found in XZ Utils library | ALERTS | Virus | On March 29th a security alert was issued warning users about malicious backdoor code embedded in certain versions of XZ Utils, a popular library of data compression tools that is present in nearly every Linux distribution. |
5.4.24 | MacOS Users targeted with Infostealers | ALERTS | Virus | MacOS users continue to be targeted with infostealers via malicious advertisements and fake websites. In a recent campaign, a counterfeit website offering free group meeting scheduling software was observed. |
5.4.24 | TA558 continues espionage activities in Latin America | ALERTS | Group | The TA558 group, known for targeting various sectors across Latin America, has recently been observed employing spam emails with malicious attachments to distribute Venom RAT, a remote access trojan derived from Quasar RAT. |
5.4.24 | YouTube Hijacking: Rise in Attack Campaigns Distributing Infostealers | ALERTS | Hack | An increase in attack campaigns utilizing YouTube has been observed, with threat actors hijacking existing popular YouTube accounts to distribute the Vidar and LummaC2 infostealer malware. |
3.4.24 | Napoli Ransomware | ALERTS | Ransom | Napoli, a variant of Chaos ransomware, has recently been discovered in the wild. The malware encrypts user files, adds the .napoli extension and also changes the desktop wallpaper on the infected endpoints. |
3.4.24 | Emergence of new Vultur banking trojan variant in mobile threat landscape | ALERTS | Virus | A newer version of the Vultur banking trojan for Android has been observed in the wild. This version features enhanced evasion techniques and advanced remote control capabilities. |
3.4.24 | Indonesian Businesses Targeted in an Agent Tesla Campaign | ALERTS | Virus | Symantec has recently observed an individual or group running a targeted malspam campaign against Indonesian organizations, although instances have been seen in neighboring countries. |