ALERTS MAY 2024


HOME  AI  APT  BOTNET  CAMPAIGN  CRIME  CRYPTOCURRENCY  EXPLOIT  HACKING  GROUP  OPERATION  PHISHING  RANSOM  SPAM  VIRUS  VULNEREBILITY  | March(16) April(92) May(99) June(94) July(88) August(112) SEPTEMBER(67)


DATE

NAME

CATEGORY

SUBCATE

INFO

31.5.24

Malicious activity by LilacSquid threat groupALERTSGROUP  A recently disclosed infostealing campaign attributed to the threat group known as LilacSquid has been active since at least 2021.

31.5.24

Unveiling cryptocurrency mining tactic of the 8220 GangALERTSCRYPTOCURRENCY  The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017.

31.5.24

SmallTiger malware campaign reported targeting Korean companiesALERTSCAMPAIGN  A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors.

30.5.24

BitRAT and Lumma Stealer spread as fake browser updatesALERTSVirusA new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates.

30.5.24

Metamorfo Banking TrojanALERTSVirusMetamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments.

30.5.24

Datebug updating toolkits with Golang to be cross-platformALERTSAPT  APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang created with the goal of targeting APAC governments and defense sectors.

30.5.24

NSIS-based packer usage observed in many common malware families ALERTSVirusThe Nullsoft Scriptable Install System (NSIS) is a commonly seen open source software used by cybercriminals for generating malware.

30.5.24

CatDDoS: A rising threat across multiple sectorsALERTSBOTNET  A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed.

30.5.24

Mexican Telecom Continuously Impersonated by SpyNote ActorALERTSVirusSince at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers

30.5.24

AllaSenha - new AllaKore malware variantALERTSVirusAllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil.

30.5.24

Zonix RansomwareALERTSRANSOM  Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extensions to them.

30.5.24

CVE-2024-32640 - SQL Injection vulnerability in Mura/Masa CMSALERTSVULNEREBILITY  CVE-2024-32640 is a recently disclosed SQL injection vulnerability affecting Mura/Masa CMS, which is an open source enterprise content management system.

30.5.24

Emergence of a new North Korean threat actor dubbed Moonstone SleetALERTSAPT  A recent emergence in the threat landscape involves a new North Korean actor dubbed Moonstone Sleet.

30.5.24

Fraudulent PDF Viewer Login Pages Phishing for User CredentialsALERTSPHISHING  A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document.

30.5.24

Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 EventALERTSVirusSymantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia.

30.5.24

Red Akodon threat group recent activitiesALERTSVirusAccording to recent report published by SCITUM, Red Akodon is a new threat group conducting its malicious activities prevalently in Colombia since at least April 2024.

30.5.24

TXZ file extension: Evolution of malware distribution in email campaignsALERTSVirusThreat actors usually send malicious emails with attachments carrying a malicious payload, or they send out containers which include files like archives.

30.5.24

Gipy malware distributed under the disguise of AI voice generator toolsALERTSVirusA new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild.

28.5.24

Embargo RansomwareALERTSRANSOM  Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends “.564ba1” extension to them.

28.5.24

Rising popularity of Arc browser overshadowed by malvertising campaignALERTSCAMPAIGN  The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet.

28.5.24

Phishing campaign targeting financial institutions impersonates medical centerALERTSPHISHING  A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them.

28.5.24

Iluria StealerALERTSVirusThere have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information.

28.5.24

Rise of Fake AV websites hosting advanced malwareALERTSVirusRecently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions.

28.5.24

CVE-2024-30268: XSS Vulnerability in CactiALERTSVULNEREBILITY  CVE-2024-30268 is a reflected cross-site scripting vulnerability in Cacti, a network monitoring and fault management framework.

28.5.24

CVE-2024-21793 and CVE-2024-26026 - two recent vulnerabilities affecting F5 BIG-IP Next Central Manager ALERTSVULNEREBILITY  CVE-2024-21793 and CVE-2024-26026 are two recently identified high severity vulnerabilities affecting the F5 BIG-IP Next Central Manager.

28.5.24

CVE-2020-17519: Directory Traversal Vulnerability in Apache FlinkALERTSVULNEREBILITY  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old directory traversal vulnerability (CVE-2020-17519) in Apache Flink to the Known Exploited Vulnerabilities Catalog

28.5.24

Android Bankbot impersonates Uzbekistan banksALERTSVirusIn recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk)

25.5.24

Path Traversal Vulnerability in Nexus Repository CVE-2024-4956ALERTSVULNEREBILITY  CVE-2024-4956 is a path traversal vulnerability in Sonatype Nexus Repository 3. Nexus Repository is a widely used artifact repository manager.

25.5.24

Operation Diplomatic Specter: A Chinese APT campaign targeting political entities in multiple regionsALERTSAPT  An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers.

25.5.24

RustDoor malware exploits JAVS Viewer vulnerability in courtroom softwareALERTSVirusA Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments

23.5.24

Expanded operations of the Sharp Dragon APTALERTSAPT  As reported by Checkpoint, Sharp Dragon APT group (also formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and in the Caribbean.

23.5.24

CVE-2024-29895 - Command Injection Vulnerability in CactiALERTSVULNEREBILITY  CVE-2024-29895 is a critical (CVSS score 10) command injection vulnerability affecting Cacti, which is a network monitoring and fault management framework.

23.5.24

Waltuhium GrabberALERTSHACKING  Waltuhium is an open-source infostealer that has been observed being shared in dark web forums. It is claimed to have features such as

23.5.24

GuLoader Impersonates an Italian Seafood DistributorALERTSVirusGuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world.

23.5.24

CLOUD#REVERSER campaign leverages cloud storage for malware deliveryALERTSCAMPAIGN  A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes.

23.5.24

Acrid infostealer leverages “Heaven’s Gate” techniqueALERTSVirusAcrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants present currently in the threat landscape

23.5.24

CVE-2023-43208 - NextGen Healthcare Mirth Connect RCE vulnerability exploited in the wildALERTSVULNEREBILITY  CVE-2023-43208 is a Remote Code Execution (RCE) vulnerability disclosed in October last year. The vulnerability affects NextGen Healthcare Mirth Connect prior to version 4.4.1,

23.5.24

GhostEngine malware terminates EDR agents and deploys coin minerALERTSVirusA multimodule malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner.

22.5.24

Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases ALERTSPHISHING  Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration. 

22.5.24

XWorm v5.6 malwareALERTSVirusA new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads.

22.5.24

Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoorALERTSVirusA malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once lured, MSBuild is used to execute and deliver a fileless final payload.

22.5.24

Keyplug backdoor distributed against organizations in ItalyALERTSVirusA new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++based malware comes in variants supporting both Windows and Linux platforms.

21.5.24

Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaignALERTSVirusA cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear

21.5.24

SamsStealer malwareALERTSVirusReports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape.

21.5.24

Bank Mellat Users in Various Countries Targeted by FakeBank CampaignALERTSCAMPAIGN  Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk).

21.5.24

Vultur Malware Poses as Antivirus ALERTSVirusRecently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk).

21.5.24

HiJackLoader gets new modules to lay lowALERTSVirusHijackLoader is a multi-stage loader that has recently seen some updates.

21.5.24

Antidot mobile malwareALERTSVirusAntidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app.

21.5.24

Chaos Ransomware Lures Gamers with Fake Free Discord NitroALERTSRANSOM  As the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted.

21.5.24

Synapse RansomwareALERTSRANSOM  Synapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension

21.5.24

Storm-1811 threat actor conducts Vishing attack via Quick Assist toolALERTSGROUP  Threat actor Storm-1811 has been reported carrying out a vishing (voice phishing) attack using the client management tool Quick Assist.

21.5.24

Springtail threat group uses new Linux backdoor in attacksALERTSAPT  In a newly released report, Symantec’s Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North-Korean Springtail espionage group (aka Kimsuky).

16.5.24

New malware CuttlefishALERTSVirusA new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise grade routers with the intent to monitor passing data traffic and discreetly exfiltrating only authentication related information such as usernames,

16.5.24

Remcos RAT expands functionality with PrivateLoader module ALERTSVirusRemcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine.

16.5.24

Malicious Minecraft mod harvests data from Windows systemALERTSVirusMany gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording.

16.5.24

Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operationALERTSVirusA recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS.

16.5.24

PureCrypter malware used in Mallox ransomware distribution campaignALERTSVirusPureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads

16.5.24

Malicious Word Document Dropping DanaBot Malware ALERTSVirusA recent Danabot malspam campaign was observed being delivered via a Word document containing a malicious external link which if clicked will launch a series of events where additional executable files will get downloaded including a command prompt

15.5.24

Phorpiex botnet distributes LockBit Black Ransomware via email campaignALERTSBOTNET  A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported.

15.5.24

Dracula (Samurai) StealerALERTSVirusDracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus).

15.5.24

WaveStealer: New malware distributed on messaging platformsALERTSVirusWaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost.

15.5.24

FIN7 malware campaign exploiting Google AdsALERTSVirusA malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild.

15.5.24

Beast Ransomware and Vidar Infostealer delivered via disguised documentsALERTSRANSOM  Documents like copyright violation warnings and resumes were leveraged in a recent campaign to deliver ransomware and infostealer.

15.5.24

GCash Users Targeted in Latest Smishing ScamALERTSSPAM  Mobile wallets have transformed the financial landscape by providing convenience and accessibility, but they also present lucrative targets for cybercriminals as Symantec continues to observe a flurry of smishing around the world. 

15.5.24

Trinity RansomwareALERTSRANSOM  According to a recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the “2023Lock” ransomware.

15.5.24

Malspam campaign delivers ASyncRAT by way of multiple scriptsALERTSVirusIn a recently observed campaign, multiple scripts were used to deliver the ASyncRAT payload. Initiated by an HTML email attachment, victims would be compromised by various non-PE files to deliver and establish persistence of ASyncRAT.

15.5.24

Black Basta ransomware attacks target the healthcare sectorALERTSRANSOM  Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware

15.5.24

A Mining Trojan called Hidden ShovelALERTSVirusResearchers uncovered a new mining trojan dubbed "Hidden Shovel", discovered through network security monitoring.

12.5.24

CVE-2024-24506 - LimeSurvey Community Edition XSS vulnerabilityALERTSVULNEREBILITY  CVE-2024-24506 is a recently disclosed Cross Site Scripting (XSS) vulnerability affecting LimeSurvey Community Edition version 5.3.32.

12.5.24

CVE-2024-1313 - BOLA vulnerability in GrafanaALERTSVULNEREBILITY  CVE-2024-1313 is a recently disclosed Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana, which is a open-source data visualization web application.

10.5.24

Exploitation of Ivanti Pulse Secure vulnerabilities for Mirai botnet deliveryALERTSExploit  In January of this year, Ivanti reported two vulnerabilities, CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection), affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways.

10.5.24

Malware campaign targeting Windows and MS Office users via software cracksALERTSVirusA malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed.

10.5.24

Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome TacticALERTSVirusSymantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new having been in use for some time now.

10.5.24

Malspam campaign: Password protected archive hosted on GitHub leads to AsyncRATALERTSCAMPAIGN 
Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx).

10.5.24

Russian bulletproof hosting services exploited for malicious activities, SocGholish malware campaignsALERTSExploitThe use of Russian bulletproof hosting services for hosting malicious activities, including command-and-control (C2) servers and phishing pages distributing SocGholish malware, has been reported.

10.5.24

Malicious Minecraft Mods: zEus stealer targets gamersALERTSVirusA malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer.
9.5.24Malicious Minecraft Mods: zEus stealer targets gamersALERTSVirusA malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer.
9.5.24Continuous Distribution of RokRAT MalwareALERTSVirusAPT37 (ScarCruft) continues to distribute RokRAT malware via LNK files particularly targeting South Korean users. The malware, disguised within a genuine document will execute PowerShell commands after activation.
9.5.24Gadfly buzzes inboxes with new phishing campaignALERTSCAMPAIGN  Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577).
9.5.24Hunt Ransomware - another Dharma/Crysis variantALERTSRANSOM  Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends .hunt extension to them alongside of a unique victim ID and the threat actor email address.
9.5.24CVE-2024-27956 - WP-Automatic Plugin SQL Injection vulnerability exploited in the wildALERTSVULNEREBILITY  CVE-2024-27956 is a recently disclosed critical (CVSS score 9.8) SQL injection (SQLi) vulnerability in WP-Automatic plugin prior to version 3.92.1.
9.5.24Shinra RansomwareALERTSRANSOM  Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings.
9.5.24CVE-2024-2389 - Command Injection vulnerability affecting Progress FlowmonALERTSVULNEREBILITY  CVE-2024-2389, a recently disclosed critical vulnerability with a CVSS score of 10, affects Progress Flowmon, a widely used network performance monitoring tool.
9.5.24Increase of Lockbit ransomware attacksALERTSRANSOM  Earlier in February this year the Lockbit ransomware family was targeted in a coordinated disruption operation called "Operation Cronos" that saw multiple members of this ransomware gang arrested, assets taken and a decryption tool released publicly.
7.5.24CVE-2024-4040 - CrushFTP vulnerability exploited in the wildALERTSVULNEREBILITY  CVE-2024-1852 is a recently disclosed injection vulnerability affecting CrushFTP versions before 10.7.1 and 11.1.0.
7.5.24Counterfeit Revenue Agency page distributing VBlogger malwareALERTSVirusA malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported.
7.5.24Cuckoo: A new macOS malware targeting music ripping applicationsALERTSVirusA new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services.
7.5.24Android malware used in targeted attack against Indian defense forcesALERTSVirusA socially engineered delivery through WhatsApp was leveraged to reportedly target Indian defense forces with a new Android malware by presenting itself as a defense-related application.

3.5.24

NiceCurl and TameCat custom backdoors leveraged by Damselfly APTALERTSAPT  NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42).

3.5.24

TesseractStealer malware leverages OCR engine for information extractionALERTSVirusTesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files.

3.5.24

A recent Darkgate malspam campaignALERTSCAMPAIGN  The infection chain for this campaign initiates from an email file with an HTML attachment.

3.5.24

Latest macOS Adload variant focuses on detection evasionALERTSVirusA recent report by SentinelOne outlines changes observed to a recent macOS malware Adload. The most recent variants of this malware family come with capabilities allowing it to evade the latest Apple XProtect signatures.

3.5.24

Old dogs teaching new tricks to ZLoaderALERTSVirusZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code.

3.5.24

Goldoon botnetALERTSBOTNET  According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild.

3.5.24

BirdyClient malware leverages Microsoft Graph API for C&C communicationALERTSVirusAn increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.

3.5.24

DarkGate loader continues to be actively distributedALERTS DarkGate loader malware has been a very actively distributed within the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload.

3.5.24

Dwphon mobile malwareALERTSVirusDwphon is a recently identified malware variant targeting the Android platform. 

3.5.24

SpyNote using Central Bank of Kazakhstan as a lureALERTSVirusNo countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware—a trend that continues to grow.

3.5.24

GuLoader campaign targeting industries in Russian-speaking countriesALERTSCAMPAIGN  An actor has been observed running two email campaigns with different social engineering tactics that lead to Guloader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan, and Kazakhstan.