ALERTS AUGUST 2024
DATE | NAME | CATEGORY | SUBCATE | INFO |
31.8.24 | Corona Mirai variant distributed via vulnerability exploitation | BOTNET | Mirai malware variant dubbed Corona has been recently distributed via exploitation of a command injection vulnerability (CVE-2024-7029) in AVTECH IP camera devices. The botnet also attempts to exploit some older vulnerabilities including CVE-2017-17215 in Huawei routers and CVE-2014-8361 affecting Realtek. Once deployed, the botnet attempts to connect to additional hosts via open Telnet ports. The dropped payload might be used by the attackers for a wide variety of DDoS attacks or command execution on the affected devices. | |
31.8.24 | LummaC2 Stealer variant spread via PowerShell execution | VIRUS | LummaC2 infostealer has been reported as being distributed in a recent campaign leveraging obfuscated PowerShell commands. LummaC2 is a C-based infostealing malware often sold under the Malware-as-a-Service (MaaS) model. This malware's primary functionality is to steal confidential data from the infected endpoints and exfiltrate it to the C2 servers controlled by the attackers. | |
31.8.24 | Middle East targeted by malware using fake Palo Alto VPN | VIRUS | A malware campaign targeting organizations in the Middle East has been reported, where attackers use a fake Palo Alto GlobalProtect VPN client to deceive users. This malware employs advanced techniques, including a cleverly disguised command-and-control (C2) infrastructure and tools like Interactsh to communicate with specific hostnames and monitor infection progress. It can execute PowerShell commands, manage processes, and encrypt data. Additionally, it incorporates sophisticated evasion techniques to bypass sandboxing and avoid detection. | |
31.8.24 | X-FILES infostealer advertised on underground forums | VIRUS | X-FILES is a stealer malware written in C that is actively advertised on underground forums, with ongoing enhancements. Like many other infostealers, it aims to steal and exfiltrate sensitive information from infected systems including browser data, cookies, passwords, autofill data, credit card information, and cryptocurrency wallet details. The malware includes features such as a customizable logging system, Telegram notifications, and automated updates, along with security measures like GEO-blocking for CIS countries and regular stub cleaning to evade detection. Additionally, upcoming features like VNC configuration collection and automated password decryption suggest continuous development, making X-FILES a significant threat to organizations. | |
31.8.24 | CVE-2024-38653 - XXE vulnerability in Ivanti Avalanche | VULNEREBILITY | CVE-2024-38653 is a high severity (CVSS score 7.5) XML External Entity (XXE) vulnerability affecting SmartDeviceServer in Ivanti Avalanche, which is an enterprise endpoint management solution allowing for centralized device management within an organization. A successful exploitation of this vulnerability could allow a remote unauthenticated attacker to read files on the vulnerable server. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system. | |
31.8.24 | Iranian threat actor Elfin deploys 'Tickler' backdoor | VIRUS | Iranian threat actor Elfin (aka APT33, Peach Sandstorm) has been observed deploying a new custom multi-stage backdoor dubbed Tickler. This malware has targeted government, defense, satellite, and oil and gas sectors in the U.S. and the United Arab Emirates (UAE). The actor has conducted password spray attacks against thousands of organizations and utilized Microsoft Azure infrastructure for command-and-control (C&C), operating through fraudulent, attacker-controlled Azure subscriptions. | |
31.8.24 | Phishing campaign targets Japan Labor Union Workers | PHISHING | A phishing campaign targeting Japanese workers affiliated with labor unions has been observed. The e-crime actor is impersonating 労働金庫 (Rōdō Kinko), commonly known as Rokin, and the 全国労働金庫協会 (National Association of Labour Banks or Zenkoku Rōdō Kinko Kyōkai), which are part of Japan's unique financial system designed to serve the financial needs of workers. The email (subject:【労働金庫】【要返信】お客様の直近の取引における重要な確認について) warns about suspicious transactions and urges the recipient to verify their account via fraudulent links, an attempt designed to steal personal information. | |
29.8.24 | A new Snake Keylogger variant | VIRUS | A new Snake Keylogger malware variant has been reported by the researchers from Fortinet. The malware is spread via phishing in the form of malicious .xls attachments. The distributed Excel files contain an exploit for an old WordPad RTF vulnerability, CVE-2017-0199. The attackers also leverage .hta files, VBScript and PowerShell code within the attack chain of this campaign. Snake Keylogger is a .NET-based infostealer capable of stealing various confidential data including system information, credentials, keystrokes, clipboard and more. The collected data is sent back to the attackers via SMTP. | |
29.8.24 | Advanced dropper distributes 'Angry Stealer' infostealer via Telegram | VIRUS | An advanced dropper binary has been identified, designed to deploy an information stealer known as 'Angry Stealer,' which is actively promoted on Telegram and other online platforms. Angry Stealer targets sensitive data such as browser information, cryptocurrency wallets, VPN credentials, and system details, exfiltrating this data via Telegram. Angry Stealer appears to be based on 'Rage Stealer,' sharing identical code and functionality. The dropper executes two payloads: the primary, 'Stepasha.exe,' for data theft, and the secondary, 'MotherRussia.exe,' which may serve as a builder tool for creating malicious executables. | |
29.8.24 | Godzilla webshell deployment campaign | CAMPAIGN | A new Godzilla webshell deployment campaign has been reported in the wild. The attackers are targeting organizations running ASP.NET instances with vulnerable environment settings and leverage the ViewState function to distribute malicious webshells into the victim's environment. Godzilla webshell is delivered in the form of a .jar file and is used to execute remote commands or shellcode and to download additional payloads. | |
29.8.24 | Czech Republic officials hit by malware campaign using NATO-themed lures | VIRUS | A malware campaign targeting government and military officials in the Czech Republic has been reported. The threat actor behind this operation is believed to have Russian origins and heavily relied on open-source offensive tools. To lure victims, they used NATO-themed decoy documents and executed a multistage attack chain that included a malicious batch script, a Rust-based loader, and post-exploitation C2 frameworks such as Havoc, Sliver, and Freeze. To evade detection and maintain persistence on compromised systems, advanced techniques including ETW patching, process injection, and encrypted payloads were utilized. | |
29.8.24 | Critical vulnerability CVE-2023-22527 exploited for cryptomining activities | VULNEREBILITY | According to reports, the critical vulnerability CVE-2023-22527 is actively being exploited in the wild. This vulnerability is a severe OGNL injection flaw in Atlassian Confluence Data Center and Server. Threat actors are exploiting it for cryptojacking, transforming compromised systems into cryptomining networks. The attack vector includes deploying shell scripts and XMRig miners while maintaining persistence through cron jobs. | |
29.8.24 | US voters targeted in phishing campaign | PHISHING | With the US Presidential Election just a few months away and the press reporting allegations of cyber intrusions affecting the campaigns, we reviewed new domains registered between 1 May and 12 August 2024 containing strings "harris", "walz", or "trump" in the domain. Domains with "vance" in them were excluded due to that string being found in many English words and domains unrelated to the election. Our research revealed 216 domains with phishing behavior and 66 domains hosting malicious content that are likely related to the Democratic or Republican candidates. | |
29.8.24 | Rocinante mobile malware | VIRUS | Rocinante is a malware variant observed prevalently in campaigns targeting mobile users in Brazil. Functionality-wise, Rocinante has the ability to steal information via keylogging, initiate remote access sessions, and simulate swipe movements or touch events on the infected device. The malware might also be leveraged for phishing attacks by displaying bogus login websites, thus targeting the theft of banking credentials. Rocinante can communicate with the attackers' infrastructure over either HTTP or WebSockets and exfiltrate the collected data. | |
29.8.24 | Emerging loader Emmental spreads malware via disguised binaries | VIRUS | A loader called Emmental has been detected in use, being distributed in disguised Windows binaries since February 2024. This loader employs HTA files and utilizes traditional email phishing tactics, including fake videos, to target organizations worldwide. It has been part of several campaigns globally using the Bunny.net CDN provider and WebDAV servers to distribute various malware payloads, such as CryptBot, AsyncRAT, Lumma, Meduza stealer, Xworm, and SectopRAT. The functionality of this tool matches the capabilities advertised in underground markets. | |
29.8.24 | New macOS variant of the HZ RAT backdoor emerges | VIRUS | A new macOS variant of the HZ RAT backdoor has been discovered in the wild. According to recent reports, the malware is targeting users of the enterprise messenger DingTalk and the messaging platform WeChat. The malware has some basic functionality to collect information about the infected machines, user information from WeChat and DingTalk applications as well as user data stored in the Google Password Manager, among others. The collected information is sent back to the C2 servers controlled by the attackers and possibly used later in future attacks. | |
27.8.24 | Phishing campaign targeting users in Asia Pacific regions | CAMPAIGN | Symantec has recently observed a phishing campaign targeting users in Asia Pacific regions. This campaign utilizes HTML files that post the ill-gotten credentials to 3rd party hosting services, in this case nocodeform[.]io. The messages are delivered from either a 'postmaster' or 'MAILER-DAEMON' address in an effort to obscure themselves. | |
27.8.24 | SVG-Based Phishing Campaign Hits LATAM Industries Email Credentials | CAMPAIGN | In early August, Symantec observed an actor targeting multiple companies in Latin America across the retail, legal, dairy, finance, energy, and automobile manufacturing sectors. The goal was to collect email credentials, which are likely to fuel the initial access broker markets and lead to further compromises with varying impacts, including financial theft, cyber espionage, and ransomware attacks. | |
27.8.24 | Phishing campaign targets VPN users with Cheana Infostealer malware | CAMPAIGN | A phishing campaign targeting users downloading VPN software has been reported. As part of the campaign, a phishing site masquerading as a WarpVPN provider is hosted to distribute stealer malware for different operating system platforms. The malware, dubbed Cheana Stealer, collects and exfiltrates various types of information such as in-browser stored data, cookies, passwords, cryptocurrency wallets, and cryptocurrency browser extensions. The Linux and macOS versions have the additional capability of stealing SSH keys and Keychain data. | |
27.8.24 | Dolphin Loader: The new malware-as-a-service threat exploiting RMM tools | VIRUS | Dolphin Loader is a new Malware-as-a-Service (MaaS) loader that was first observed in July 2024 being sold on Telegram. It is used to distribute various malware payloads, such as SectopRAT, LummaC2, and Redline, primarily through drive-by downloads. | |
27.8.24 | Attackers Spreading Malware via Infected Websites | VIRUS | Researchers have discovered malware that spreads by disguising itself as a browser update on infected websites. When users visit these sites, they are prompted to download a malicious file posing as a browser update for Chrome or Firefox. These files can be in various formats like EXE, ZIP, APPX, or VHD. The VHD file contains a hidden shortcut (LNK) that executes PowerShell commands and connects to the attacker's C2 server. | |
27.8.24 | SpyNote Variant Lurks In South Africa Impersonating Two Major Banks | VIRUS | Symantec has recently identified a variant of the SpyNote Android Remote Access Trojan in South Africa's mobile threat landscape. A threat actor is impersonating two major financial institutions, Nedbank and Absa, in an attempt to lure users into installing the malware on their devices, leading to financial losses due to unauthorized transactions, identity theft, and the compromise of sensitive personal information. | |
27.8.24 | Cthulhu Stealer | VIRUS | Researchers have recently observed another malware-as-a-service (MaaS) that targets Mac users dubbed Cthulhu. This malware is delivered as a disk image (DMG) containing platform-specific binaries and is developed in Go (GoLang). It masquerades as legitimate software to trick users into opening the DMG, then uses macOS's 'osascript' tool to prompt for their password and gain unauthorized access. | |
24.8.24 | Peaklight downloader malware activity reported | VIRUS | Peaklight is a new PowerShell-based downloader variant identified by researchers from Mandiant. The malware has been used in recent campaigns distributing various payloads including Lumma infostealer, ShadowLadder and CryptBot. The attackers leverage malicious .lnk files disguised as video files as well as JavaScript droppers within the multi-staged attack chain. | |
24.8.24 | CVE-2024-4885 - Progress Software WhatsUp Gold RCE vulnerability | VULNEREBILITY | CVE-2024-4885 is a recently disclosed critical (CVSS score 9.8) unauthenticated remote code execution vulnerability affecting Progress Software WhatsUp Gold, which is a network monitoring software. The exploitation of the bug might allow unauthenticated attackers to execute arbitrary commands with iisapppool/nmconsole privileges. | |
24.8.24 | Sedexp Linux malware uses udev rules for persistence | VIRUS | Sedexp is a recently identified threat affecting Linux environments. Sedexp malware has been reported to leverage udev rules for the purpose of establishing persistence on the infected machine. Udev is a device manager system on Linux that allows for management of device nodes in the /dev directory. | |
24.8.24 | PG_MEM - malware targeting PostgreSQL servers for cryptomining | VIRUS | PG_MEM is a new malware variant observed recently in the wild. The campaign distributing this malware leverages brute force attacks against vulnerable PostgreSQL database servers. Once the attackers obtain access to the server, an attempt is made to establish persistence by creating a new privileged account. Later on, the threat actors initiate system discovery and deliver the PG_MEM dropper payload that ultimately delivers an XMRig cryptominer to the infected machine. | |
23.8.24 | CMoon: A .NET-based malware worm in Russian gas sector | VIRUS | CMoon, a .NET-based malware worm, was discovered on the website of a compromised Russian gasification and gas supply company. This malware disguises itself as legitimate regulatory documents and replaces various website links with links to malicious executables. | |
23.8.24 | Casbaneiro in the UAE: Impersonating Sharjah Ports Authority | GROUP | In cybersecurity, ports and related authorities are high-value targets for threat actors due to their integral roles in global supply chains and connections to industries such as transportation, logistics, energy, and government sectors. Crooks often disguise themselves as port authorities to lure other industries into phishing scams or social engineering attacks. | |
23.8.24 | NGate - a novel Android malware able to relay NFC data to the attackers | VIRUS | A new campaign leveraging Android malware dubbed NGate has been targeting users of Czech banks. NGate uses a novel technique to relay NFC (near field communication) data from the victims' payment cards via the compromised Android phones and over to the attackers' devices. | |
23.8.24 | North Korean group puNK exploits Windows shortcuts to deploy Lilith RAT | VIRUS | A previously unidentified North Korean threat actor group dubbed puNK has been detected using Windows shortcut (LNK) files to distribute malware. When executed, these LNK files download AutoIt scripts from the attacker’s server, which subsequently fetch the final payload, the Lilith RAT. The Lilith RAT, written in C++, is an open-source remote control software that facilitates additional remote operations. | |
23.8.24 | Insom ransomware | RANSOM | Insom malware is the latest variant from the Makop ransomware family. The malware encrypts user files and appends the .Insom extension to the renamed file names. A unique victim ID and the malware developers' email address are also appended to the file name. The malware has the functionality to remove volume shadow copies from the infected endpoint. | |
23.8.24 | Toll Road Smishing Scams Increasingly Target U.S. Drivers | PHISHING | The U.S. has an extensive network of toll roads, bridges, and tunnels, and toll services are used to fund the maintenance and development of infrastructure without relying solely on state and federal taxes. | |
23.8.24 | TodoSwift: New macOS threat masquerading as a PDF | VIRUS | A new macOS malware dubbed TodoSwift has been identified as disguising itself as a PDF download. The threat actor, likely from North Korea, employs a dropper application developed using Swift/SwiftUI. The dropper deceives users by presenting a seemingly legitimate PDF related to Bitcoin pricing. | |
23.8.24 | North Korean-based threat actor develops MoonPeak RAT | VIRUS | MoonPeak is a somewhat recently discovered remote access Trojan (RAT) which has been attributed to North Korean-based threat actors. This RAT is a variant of the open-source XenoRAT malware and has seen multiple evolutions. Cisco Talos researchers have published an analysis of MoonPeak along with related threat actor infrastructure. | |
21.8.24 | Quasar RAT (aka BlotchyQuasar) Malspam Targeting Italian Banks | VIRUS | Threat researchers have recently observed an email spam campaign spreading Quasar RAT malware which is primarily targeting Italy. The campaign uses deceptive emails that mimic official communications from the Ministry of the Interior, complete with their logos. While the malware and C2 servers remain the same, the URLs for downloading the malicious files have been updated. The malware specifically targets users of certain Italian banks. | |
21.8.24 | Cybercriminals' Relentless Use of Fake CVs to Breach Corporate Defenses | CRIME | There is a long list of social engineering tactics in the cybersecurity world, and while it is always fluctuating, some methods are well-established such as sending fake CVs. This tactic involves emailing a fake Curriculum Vitae (CV) and motivation letter, often targeting HR departments or managers. | |
21.8.24 | QWERTY Stealer: New infostealer variant | VIRUS | QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. The malware is capable of performing various checks for the presence of debugging or virtualized environments before execution and has the capability to download additional payloads. QWERTY targets the extraction of system information and data stored in various web browsers, and subsequently exfiltrates the collected information to the C2 servers controlled by the attackers. | |
21.8.24 | Styx Stealer malware | VIRUS | Styx Stealer is a new infostealing malware variant discovered by the researchers from Check Point. The malware has the functionality to exfiltrate various data from Chromium-based browsers including cookies, credentials, banking details, cryptocurrency wallets, files with pre-defined extensions, Telegram and Discord sessions, among others. Styx Stealer is believed to be based on an older infostealer variant known as Phemedrone Stealer. The malware is advertised online and sold via a subscription model. Styx employs several sandbox evasion and anti-analysis techniques including checks for running debugging tools or for processes associated with virtual environments. | |
21.8.24 | New Msupedge backdoor employs communication via DNS traffic | VIRUS | A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan. The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen. | |
21.8.24 | A new and emerging malware dubbed UULoader | VIRUS | Recent research has observed a malware campaign with an increase in the use of malicious .msi files, which, while not common, are known as a method of malware distribution. The new malware strain identified is 'UULoader,' used to deliver next-stage payloads such as Gh0st RAT and Mimikatz. It is distributed through malicious installers disguised as legitimate applications, primarily targeting Korean and Chinese-speaking users. | |
20.8.24 | RedLine Stealer Impersonates Oil and Gas Company, Targets Key Sectors in Vietnam | VIRUS | Symantec has recently observed a RedLine Stealer malspam campaign in which an actor is impersonating a leading oil and gas company in Vietnam specializing in exploration and production activities. Both local and international companies in Vietnam across various sectors - including oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries - are being targeted. | |
20.8.24 | Ailurophile Infostealer | VIRUS | Ailurophile is a new PHP-based infostealer variant recently identified in the wild. The malware is advertised online and sold via a subscription model. Ailurophile's capabilities include theft of data stored in browsers including auto-fill information, cookies, credentials, banking details, browsing history and cryptocurrency wallets. The infostealer can also exfiltrate data files from the compromised machines according to predefined search criteria such as keywords in filenames or specific extensions. | |
20.8.24 | Fake Apps target Indian government's PM Kisan Yojana beneficiaries | VIRUS | The PM Kisan Yojana is a historic initiative by the Indian government that is currently benefiting around eight crore farmers across India. Every year, eligible farmers receive a total of INR 6,000, which is distributed in three equal installments of INR 2,000 each. To avail the benefits, one needs to register online via the official PMKSNY website. After registering for the PM Kisan Yojana, many farmers need assistance with updating their information on the registration form, including their Aadhaar number (a 12-digit individual identification number which serves as proof of identity and proof of address for residents of India), bank account details, and mobile number. | |
20.8.24 | Hawk Eye Ransomware | RANSOM | A ransomware actor that goes by the name "Hawk Eye" has been observed in the wild. Files that have been successfully encrypted are appended with a random 4-character extension. The ransom note (read_it.txt) is dropped in various folders, and the desktop wallpaper is changed to a white hawk on a black background. According to the content of the ransom note, double extortion is leveraged, meaning that in addition to encrypting files, the attackers inform users that data has been exfiltrated and will be leaked or sold if the ransom is not paid. | |
20.8.24 | Crypto Investment Scams Posing as Tesla | CRYPTOCURRENCY | A recent report reveals that attackers are exploiting Tesla's name to promote cryptocurrency scams. These scammers have registered domains containing 'Tesla' to deceive users into visiting malicious links. The links lead to the download of a harmful Android application, which is promoted on social platforms such as YouTube and Telegram. | |
20.8.24 | Threat actor Damselfly conducts campaigns against the U.S. and Israel | APT | Damselfly (aka APT42, Charming Kitten) is a well-established Iranian-based threat actor. The group has routinely attacked high value targets in both the U.S. and Israel. The main goal of these attacks is to steal credentials from entities such as NGOs and academic, government, and defense/military organizations to further Iran's own military and political ideals. Observed credential phishing campaigns use socially engineered lures and leverage links, fake sites and publicly available services like Dropbox, OneDrive, and those offered by Google. | |
20.8.24 | BANSHEE Infostealer | VIRUS | Just this month, a new macOS malware called "BANSHEE Stealer" was discovered, created by Russian threat actors. It affects both x86_64 and ARM64 macOS systems and poses a significant threat by targeting crucial system information, browser data, and cryptocurrency wallets. | |
20.8.24 | New Gafgyt botnet variant observed in the wild | BOTNET | A new Gafgyt botnet variant has been observed in the wild. The malware is spread in a distribution campaign targeting endpoints with weak SSH credentials that deploys two distinct ELF binaries. One of the files is a Go-based Gafgyt binary with various capabilities including system discovery, command execution, scanning for exposed SSH/Telnet access and brute force attack execution against the targeted systems. The second binary is an XMRig cryptominer used to mine the Monero cryptocurrency. | |
20.8.24 | New ValleyRAT malware distribution campaign | VIRUS | A new ValleyRAT malware distribution campaign targeted at Chinese speakers has been reported by researchers from Fortinet. The attackers behind this campaign rely on various components including shellcode being executed for reflective DLL loading and a beaconing module used to fetch additional components. The campaign's payload, ValleyRAT, is a multi-staged malware variant with capabilities including monitoring of user activities, screenshot grabbing, plugin execution, arbitrary file download and others. | |
20.8.24 | Cyclops Go-based malware | VIRUS | Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as a "Microsoft SqlServer.exe" executable in an attempt to impersonate an SQL Server update file and to possibly be deployed on otherwise vulnerable server instances. Cyclops allows the attackers to exfiltrate files from the infected machines as well as run arbitrary files on the infected instances. Once deployed, Cyclops initiates an HTTP service reachable via an SSH tunnel that allows the operators to initiate commands on the targeted system. | |
16.8.24 | Pupy RAT distributed in recent UTG-Q-010 APT campaign | VIRUS | Pupy RAT malware has been reported to be distributed in a new campaign attributed to the UTG-Q-010 threat group. The attackers leverage phishing messages containing cryptocurrency lures or emails masqueraded as job resumes. The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending in the deployment of the Pupy RAT payload. Pupy is a Python-based Remote Access Trojan (RAT) with functionality for reflective DLL loading and in-memory execution, among others. | |
16.8.24 | Discovery of tools and batch scripts targeting Windows and Linux systems | HACKING | According to a recent DFIR report, a range of threat actor tools has been found that can bypass security defenses like Windows Defender and Malwarebytes, delete backups, and disable systems. Among the discovered tools were Ngrok for proxy services and SystemBC, along with two well-known command-and-control frameworks: Sliver and PoshC2. The most recent activity was detected in August 2024. | |
16.8.24 | Malspam attacks target AnyDesk and Microsoft Teams | VIRUS | Researchers recently found another campaign which starts with an email bomb and then involves a phone call via Microsoft Teams. The attacker persuades victims to download AnyDesk, a remote access tool, which allows them to take control of the victim's computer. Once they have control, the attacker runs malicious payloads and steals data from the system. | |
16.8.24 | New macOS malware uses SwiftUI and OpenDirectory API for credential theft | VIRUS | A new multi-stage macOS stealer malware has been recently reported. The malware exhibits many traits such as the following: | |
16.8.24 | .shop gTLD becomes a new favorite to spread waves of cryptocurrency spam emails | SPAM | Lately, .shop gTLD has been heavily abused by threat actors to spread cryptocurrency spam emails. Shop gTLD (generic top-level domain) was launched in 2016 and is specially designed for online shopping or e-commerce platforms and can be used by retailers and e-commerce stores, among others. Symantec has observed persistent spam waves that entice email users to click on shortened URLs which in turn redirect to fake .shop gTLD domains hosting cryptocurrency related content. | |
16.8.24 | Datablack ransomware | RANSOM | Datablack is a new ransomware variant observed in the wild. The malware exhibits similarities to ransomware strains from the Proton malware family. Datablack encrypts user files and appends the .Datablack extension to the renamed file name. The ransom note is dropped in the form of a text file called #Recovery.txt, where attackers ask the victims to contact them via the email addresses provided for further instructions regarding data decryption. The malware has the functionality to remove volume shadow copies from the infected machines and to disable the automatic repair options during the boot process. | |
16.8.24 | Gigabud mobile malware shows links to the Golddigger trojan | VIRUS | A new variant of the Gigabud Android malware has been observed in the wild. While the initial strain of this malware has been known since at least 2023, the distribution of the new variant has expanded and it now targets various countries across the world. The malware is often spread via phishing websites masqueraded as the Google Play Store or sites impersonating various banks or governmental entities. The malware has various capabilities such as the collection of data about the infected device, exfiltration of banking credentials, collection of screen recordings, etc. The latest Gigabud variant shows certain similarities in code and leveraged techniques with another mobile family known as Golddigger. | |
16.8.24 | CVE-2024-38856 - Apache OFBiz Pre-Authentication RCE vulnerability | VULNEREBILITY | CVE-2024-38856 is a recently disclosed critical (CVSS score 9.8) pre-authentication remote code execution vulnerability affecting Apache OFBiz versions up to 18.12.14. The vulnerability originates from a flaw in the override view functionality. Once exploited, it gives unauthenticated attackers remote code execution via crafted requests. The application vendor has released a patch addressing this vulnerability in product version 18.12.15 or newer. | |
16.8.24 | Allarich Ransomware | RANSOM | A new ransomware dubbed Allarich has emerged recently in the ransomware landscape. It encrypts files, appending the ".allarich" extension to them, and changes the desktop wallpaper. After completing the encryption process, the ransomware generates a ransom note titled "README.txt." | |
16.8.24 | Phishing campaign impersonates Google Safety Centre | CAMPAIGN | A phishing campaign reportedly impersonating the Google Safety Centre is deceiving users into downloading a malicious file disguised as Google Authenticator. This file installs two types of malware: Latrodectus, a downloader that executes commands from a C&C server, and ACR Stealer, which employs Dead Drop Resolver to obscure its C&C server details. The campaign showcases advanced evasion techniques amid ongoing efforts to refine the malware. | |
16.8.24 | Actor240524's spear-phishing campaign targets Azerbaijan and Israel with ABCloader | GROUP | A spear-phishing campaign by a new threat actor, Actor240524, targeting Azerbaijan and Israel has been observed. Users are lured with disguised government official documents containing embedded VBA macros that deliver the ABCloader payload upon execution. ABCloader decrypts and loads an ABCsync DLL, which then communicates with the C2 server for remote commands. The malware employs anti-sandbox and anti-debug techniques to evade detection. | |
16.8.24 | Phishing Attack Delivers 0bj3ctivity Stealer via Discord CDN | PHISHING | A phishing attack has been reported involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. The attack uses a Discord CDN link containing a malicious JavaScript file with an embedded PowerShell script to deploy additional payloads. The Ande Loader is used for both initial infection and persistence. The stealer exfiltrates sensitive data from browsers to either Telegram or a C2 server and includes anti-debug and anti-VM capabilities. | |
16.8.24 | Grayfly evolves its attack vectors with new loaders and tactics | VIRUS | Grayfly (also known as Earth Baku) has been observed expanding its reach from the Indo-Pacific region to a global scale, targeting sectors such as healthcare, media, government, education, and more. In a recent campaign, the threat actor leveraged public-facing applications like IIS servers for initial access and deployed the Godzilla webshell for control. The group has introduced new loaders, including StealthVector and StealthReacher, to stealthily launch backdoor components and added SneakCross as their latest modular backdoor. | |
16.8.24 | DeathGrip: Emergence of a new Ransomware-as-a-Service | RANSOM | A new Ransomware-as-a-Service (RaaS) called DeathGrip ransomware has emerged in the expanding ransomware threat landscape. Promoted through Telegram and other underground forums, DeathGrip RaaS offers aspiring threat actors on the dark web sophisticated ransomware tools, including LockBit 3.0 and Chaos builders. Their payloads, created using leaked ransomware builders, are already being observed in real-world attacks, enabling individuals with minimal technical skills to deploy fully developed ransomware attacks. | |
16.8.24 | Spoofed Australian Taxation Office (ATO) email notifications appear in phish runs | SPAM | The Australian Taxation Office (ATO) is the Government of Australia's revenue collection authority. Recently, Symantec has observed phishing attempts mimicking the ATO, enticing users to open fake notification emails. The email claims that a notice of assessment requires the user's immediate attention due to ongoing scheduled maintenance. These fraudulent emails aim to trick users into clicking on phishing URLs. Upon clicking the phish URLs presented in the email content, the victims are served with credential harvesting webpages. | |
16.8.24 | CVE-2024-40628/CVE-2024-40629 - JumpServer File Read and Upload vulnerabilities | VULNEREBILITY | CVE-2024-40628 and CVE-2024-40629 are recently disclosed file reading and uploading vulnerabilities affecting the JumpServer Ansible module. Successful exploitation of the flaws might allow low-privilege accounts to read/write files in the Celery container, posing both a risk of sensitive information disclosure as well as potential arbitrary code execution within the context of the affected application. | |
16.8.24 | Phishers targeting users in South Korea with tax receipts | PHISHING | Symantec has observed a phishing campaign targeting users in South Korea. The attack attempts to impersonate major accounting firms sending tax receipts/invoices in order to lure recipients into opening the attachment. The attachment, likely in a bid to fool intended victims, also shares a name with the National Tax Service in South Korea: 'NTS_eTaxInvoice.html'. | |
9.8.24 | English-Spanish Speaking Ransomware Actor Targets Linux Machines | RANSOM | Symantec has recently observed a Linux ransomware binary that appears to be connected to an English- and Spanish-speaking double-extortion ransomware actor. At this time, their modus operandi remains unclear, but the ransomware exhibits the following behavior. | |
9.8.24 | Cryptocurrency-themed lure sites used for phishing attacks | CRYPTOCURRENCY | Threat actors are creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of cryptocurrency wallet brands like MetaMask, WalletConnect, Coinbase, Trezor, Ledger, Bitget, Exodus, Phantom, and others. These actors are using free hosting services such as Gitbook and Webflow to create lure sites on crypto wallet typo-squatter subdomains like the following. | |
9.8.24 | New malspam campaigns delivering multiple Trojans | SPAM | A number of malspam campaigns were seen which delivered various Trojans by attempting to exploit an old Microsoft Office vulnerability. CVE-2017-0199 is still targeted to allow for execution of remote code from within an XLS file. The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload. We observed GuLoader, Remcos RAT, and Sankeloader infostealer as payloads. | |
9.8.24 | Sora AI-themed branding used to distribute malware | AI | Threat Actors have created various phishing sites that impersonate official Sora platforms to lure victims into downloading files disguised as legitimate Sora software in order to distribute harmful payloads, including data stealers and cryptocurrency miners. When users attempt to install what is believed to be authentic application(s), the files trigger malicious processes that compromise the victim’s system. | |
9.8.24 | Phish emails impersonate UK's Health and Safety Executive (HSE) to lure email users | PHISHING | The Health and Safety Executive (HSE) is a British public provider of health and safety solutions to various professionals and organizations. Lately, Symantec has observed phish runs that impersonate Health and Safety Executive (HSE) guidelines, especially the strategy outlined for 2022-2032, to steal credentials. | |
9.8.24 | New file-less ransomware variant Cronus discovered | RANSOM | A new file-less ransomware variant dubbed Cronus has been reported as part of a malware campaign. Users are lured with documents masquerading as PayPal receipts. These documents contain malicious embedded VBA macros that, when executed, download a PowerShell loader. The loader then uses reflective DLL loading to deploy the ransomware DLL, aiming to evade detection. | |
9.8.24 | RHADAMANTHYS Stealer Targeting Users in Israel | VIRUS | RHADAMANTHYS stealer, active since 2013 and offered as Malware-as-a-Service, recently began targeting Israeli users with Hebrew phishing emails containing a malicious RAR attachment. The RAR file, posing as a notification from "Calcalist" or "Mako" (two prominent businesses in Israel), extracts three components: a malicious executable, a DLL file, and a support file. Upon execution, RHADAMANTHYS employs anti-analysis techniques to avoid detection and initiates a multi-staged infection process to establish a presence on the compromised system. | |
8.8.24 | SbaProxy leveraged to hijack legitimate antivirus software | EXPLOIT | A recent report detailed how threat actors are leveraging a tool dubbed 'SbaProxy' disguised as a legitimate anti-virus software component to be able to create a proxy connection through a C2 server. The tool is distributed with malicious intent and in multiple formats such as DLLs, EXEs, and PowerShell scripts, which makes it challenging to detect due to its authentic look and advanced functionality. | |
8.8.24 | Lynx Ransomware | RANSOM | Lynx is another double-extortion ransomware actor that has been fairly active in recent weeks and has claimed multiple companies as victims on their website. They claim to have a strict policy against targeting governmental organizations, hospitals, non-profits, and other sectors vital to society. | |
8.8.24 | Malware campaign exploits secureserver.net domain to deploy banking trojan | CAMPAIGN | A new banking trojan malware campaign is exploiting the secureserver.net domain to target Spanish and Portuguese-speaking regions. The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file. | |
8.8.24 | Chameleon trojan targets hospitality Industry | VIRUS | A new Chameleon mobile banking Trojan campaign has been reported targeting the hospitality industry. Employees of a Canadian restaurant chain with international operations were lured by a deceptive app masquerading as a legitimate CRM application. | |
8.8.24 | Zola - a new Proton ransomware variant | RANSOM | Zola is a recently discovered variant from the Proton ransomware family. The ransomware is written in C++ and employs a multi-threaded encryption process. Upon encryption the malware appends .zola extension to the encrypted files. Zola will also attempt to encrypt files on any network devices if present. | |
8.8.24 | How Malicious Actors Are Leveraging Cloud Services | GROUP | The number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers have begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well-known, trusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than communications with attacker-controlled infrastructure. | |
8.8.24 | Italian campaign targeting certified email users delivers Vidar infostealer | CAMPAIGN | The Vidar infostealer has been observed as the payload of a recent malspam campaign targeting users in Italy. The campaign was distributed to users of certified email mailboxes and delivered a JavaScript downloader via a link in the email. The JavaScript was responsible for downloading and executing a PowerShell script which in turn leads to the final payload. | |
8.8.24 | Mispadu (aka URSA) Trojan Malware | VIRUS | Mispadu Stealer (aka Ursa) was recently observed in another malspam campaign targeting systems configured with Spanish or Portuguese as their language settings. As in their previous campaigns, a spam email themed as an overdue invoice serves as the initial vector; it lures users into downloading a malicious ZIP file. | |
7.8.24 | XDSpy phishing campaign targets organizations in Russia and Moldova | PHISHING | A phishing malware campaign by a threat actor dubbed XDSpy has been reported targeting organizations in Russia and Moldova. The attack chains typically use spear-phishing emails with archive attachments containing agreement-related lures to deploy a primary malware module called XDDown. | |
7.8.24 | Spike in activity delivering Magniber ransomware | RANSOM | A spike in activity leading up to the infection with the Magniber ransomware has been observed in the wild. Attackers spreading this malware variant are known to leverage various delivery methods including malvertisements, delivery via cracked software installers or exploitation of known vulnerabilities, etc. | |
7.8.24 | OSX and Windows malware spread under the disguise of meeting or productivity software | VIRUS | Ongoing campaigns spreading malware under the disguise of meeting or productivity applications have been reported in the wild. Some recent examples include attacks masquerading under the productivity app called Wasper or the Clusee meeting application. | |
7.8.24 | HeadLace backdoor distributed by the Swallowtail APT | VIRUS | The latest research from Palo Alto reports on a recent HeadLace backdoor distribution campaign attributed to the Swallowtail APT (aka Fighting Ursa, APT28). The attackers have been leveraging car-for-sale phishing lures in efforts to distribute the malicious payloads. | |
7.8.24 | Persistent IRATA attacks in Italy | SPAM | Their modus operandi hasn't changed much over that period; they mainly leverage malicious SMS (smishing) messages containing URL redirections to their malicious apps as the vector of infection. They constantly rotate their social engineering tactics, with Symantec having observed multiple Italian financial services being abused for masquerading purposes. | |
7.8.24 | Are faxes still relevant? This credential harvesting campaign thinks so | CAMPAIGN | Symantec has recently observed a phishing campaign impersonating fax notifications. These notifications include subjects similar to 'Incoming Fax Delivered for user**@****.com' and instruct users to open the attached HTML and enter their credentials in order to view the fax. | |
7.8.24 | Lumma Stealer via Social Media and AI-Related Lure | VIRUS | There have been reports of a malvertising scam in which cybercriminals hijacked social media pages to promote fake AI photo editors, ultimately tricking users into downloading a prevalent but run-of-the-mill stealer known as Lumma. | |
7.8.24 | Trust (Crypto) Wallet users targeted with a new phishing wave | CRYPTOCURRENCY | Trust Wallet is a crypto wallet that provides its users services such as buying, selling, storing, swapping and managing their cryptocurrencies. Lately, Symantec has observed phish runs that impersonate Trust Wallet services and entice users to open fake notification emails. | |
7.8.24 | BITSLOTH Backdoor | VIRUS | BITSLOTH is a Windows backdoor that researchers have uncovered in Latin America; it abuses the Background Intelligent Transfer Service (BITS) for command-and-control operations. According to the report, it has been developed over several years and can log keystrokes, capture screens, and gather extensive data. | |
3.8.24 | BlankBot Mobile banking trojan targeting Turkish users | VIRUS | BlankBot is a new mobile banking Trojan variant that has emerged on the threat landscape, primarily targeting Turkish users. BlankBot abuses Android Accessibility services to gain full control over and collect information from the infected device. | |
3.8.24 | NetSupport RAT Campaign | VIRUS | NetSupport Manager has been weaponized by threat actors to perform malicious activities and is executed as a Remote Access Trojan (RAT). Over time, various campaigns have been identified, each building on the previous one in an attempt to evolve evasion techniques through multiple obfuscation updates. | |
3.8.24 | AutoIT scripts leveraged by the latest Konni RAT malware | VIRUS | Konni RAT malware observed in a recent distribution campaign has been leveraging AutoIT scripts for detection evasion. The attack chain includes the use of .LNK files contained within .zip archives. The .lnk shortcut files are often disguised as documents and have double extensions present, for example ".hwp.lnk". | |
3.8.24 | Spike of activity observed for the Neshuta malware | VIRUS | During the last month Symantec observed a spike of activity attributed to the Neshuta (aka Neshta) malware family. Neshuta is an older file infector variant that has been observed in the threat landscape as early as 2005. Its main function is to prepend virus code to executable files and collect basic system information. | |
3.8.24 | Grayfly (aka APT41) threat group deploying ShadowPad and Cobalt Strike in recent attacks | APT | As reported by researchers from Cisco Talos, the Grayfly threat group (also known as APT41) has been deploying ShadowPad malware and Cobalt Strike beacons in a recent distribution campaign observed in Taiwan. The attackers have been reported to exploit an old and vulnerable version of the Microsoft Office IME executable (imecmnt.exe) to execute the second-stage loader and payload. | |
3.8.24 | Bloody Wolf delivers STRRAT malware | VIRUS | A malware campaign by the APT group dubbed Bloody Wolf targeting organizations in Kazakhstan has been reported. The attackers are sending phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies. | |
3.8.24 | Mandrake mobile spyware | VIRUS | A new variant of the Mandrake mobile spyware has been distributed via several apps hosted on the Google Play store. The oldest of the apps called AirFS was first uploaded to the store back in 2022 and remained available for download up until March this year. | |
3.8.24 | TgRAT malware returns with a Linux variant | VIRUS | TgRAT is a malware variant discovered back in 2022 and initially targeting Windows systems. Earlier this month a Linux version of this RAT was observed being distributed in the wild. Upon infection of the targeted machine, the malware is used to execute arbitrary commands/scripts, collect screenshots or extract user files from the compromised host. TgRAT is controlled by the attackers via a Telegram bot. | |
2.8.24 | SARA Android Ransomware Targets Vietnamese Mobile Users in Fake App Scheme | RANSOM | Android lockers and ransomware were prevalent a couple of years ago, especially during the RansomLock craze. Today, while they remain in the mobile threat landscape, their prevalence has dwindled. These threats typically lock users out of their devices and display a ransom message, demanding payment to regain access with an unlock code. | |
2.8.24 | DeerStealer malware spread via fake Google Authenticator websites | VIRUS | A new malicious campaign distributing an infostealer variant dubbed DeerStealer has been identified in the wild. The malware is spread under the disguise of a fake Google Authenticator app, and the malicious binary is hosted in a GitHub repository. | |
2.8.24 | SMS Stealer - extensive Android malware distribution campaign | VIRUS | An ongoing large-scale operation distributing an Android malware variant called SMS Stealer has been reported to infect mobile devices across the world. The campaign has been active since at least 2022 and has been targeting victims in 113 countries. | |
2.8.24 | ModiLoader malware campaign targeting Small and Medium-Sized Businesses (SMB) in Poland | VIRUS | Modiloader (aka DBatLoader) malware has been deployed in recent campaigns targeting Small and Medium-Sized Businesses (SMB) in Poland, Italy and Romania. Modiloader has been spread via malicious email attachments in various file formats such as .img, .tar, .rar or .iso. Modiloader is a Delphi-based malware used to download and execute final payloads delivered to the compromised machines. The payload usually varies, and the reported campaigns have been executing malware from the Agent Tesla, Remcos or Formbook families. | |
2.8.24 | DoNot APT Targeting Pakistani Android Mobile Users | APT | APT-C-35 (aka DoNot APT Group) has been active in conducting cyberattacks since at least 2013. Recently, they have targeted Pakistani Android mobile users. Their attacks typically start with phishing campaigns, leading to the deployment of Android malware known as StealJob. The primary objective of these threat actors is to access confidential information and intellectual property. Their techniques include encryption and fileless malware to evade detection. | |
2.8.24 | Protection Highlight: Ransomware-as-a-Service Evolution, Impact, Mitigation | RANSOM | Malware evolution in the threat landscape is the singular reason cybersecurity professionals can’t rest, and Ransomware-as-a-Service (RaaS) is no different. RaaS has evolved from its first known form, Reveton, in 2012 to the most recent arrival, Eldorado ransomware, with early incidents reportedly raking in amounts of $400K USD a month and modern-day data breaches costing over $1M, sometimes far in excess of that figure. | |
2.8.24 | Leafperforator campaign exploits Pakistan’s Maritime Affairs documents to spread JavaScript malware | CAMPAIGN | A new malware campaign by the Leafperforator (also known as SideWinder) threat actor, utilizing enhanced tactics and techniques, has been reported. This threat actor relies on spear-phishing emails and targets Asian countries. In the latest campaign, users are tricked with documents related to employee termination or salary cuts, leading them to open a disguised file. This file exploits a known security flaw (CVE-2017-0199) to establish contact with a malicious domain masquerading as Pakistan's Directorate General Ports and Shipping. The domain then retrieves an RTF file exploiting CVE-2017-11882, leading to the delivery of JavaScript malware. | |
2.8.24 | Phishing Campaign: Malicious HTML attachment mimics OneDrive to deploy malware Scripts | PHISHING | A new phishing campaign using image files that mimic a Microsoft OneDrive page has been reported. Users are targeted through phishing emails with HTML attachments. When these attachments are opened, they display an image resembling a OneDrive page and show an error indicating a connection issue with the OneDrive cloud service. | |
2.8.24 | Recent activities attributed to the UNC4393 threat group | GROUP | The threat actor dubbed UNC4393 has been active in the threat landscape since at least 2022. The group has been known to leverage a wide variety of malware variants and custom tools in their attacks including Basta ransomware, KnotWrap dropper, KnotRock tool, DawnCry dropper or the PortYard tunneler. | |
2.8.24 | Exela Stealer continues to be distributed in the wild | VIRUS | Exela Stealer is a Python-based malware initially discovered in the threat landscape just last year. New campaigns distributing this infostealer continue to be observed in the wild in recent weeks. | |
2.8.24 | Flame Stealer malware | VIRUS | Flame Stealer is a new C/C++-based infostealing malware variant advertised for sale on Discord and Telegram. The malware has the functionality to collect and exfiltrate various information about the infected machine, including Discord tokens, clipboard data, credentials, banking information and browser cookies, among others. | |