Cyware Daily Threat Intelligence

Daily Threat Briefing • Apr 9, 2024
Invoice-themed phishing is once again the conduit for a highly sophisticated multi-stage attack distributing VenomRAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer. Flimsy security for WordPress sites continues to act as a hotbed for criminals. Thousands of WordPress sites were found hosting fake NFT and discount pop-ups, aiming to deceive visitors into connecting their wallets to crypto drainers, marking a significant escalation in cyber threats.
Moving on. Sahrawi Arab Democratic Republic activists are being targeted with a novel mobile malware, FlexStarling. Depending on the target's operating system, it serves either the FlexStarling APK for Android or redirects to a social media login page for credential harvesting. Additionally, a critical local privilege escalation bug has been resolved by the KernelCare team to safeguard CloudLinux users.
Multi-stage attack unleashes VenomRAT
Cybersecurity researchers unearthed a complex multi-stage attack leveraging invoice-themed phishing emails to disseminate a variety of malware, including VenomRAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer. The attack employs Scalable Vector Graphics (SVG) file attachments to initiate the infection chain, with malware delivered via obfuscated batch scripts using tools like BatCloak and ScrubCrypt.
Malware campaign targets activists
A new threat actor, dubbed Starry Addax, is primarily targeting human rights activists supporting the Sahrawi Arab Democratic Republic cause using a malicious APK for Android. The app, named FlexStarling, imitates the application for Sahara Press Service (SPSRASD). The malware deploys additional malicious components and steals information from infected devices. Additionally, the attackers deploy credential-harvesting pages for Windows users disguised as popular media website logins.
Urgent patch issued for CloudLinux users
The KernelCare team has swiftly addressed CVE-2024-1086, a critical vulnerability impacting the Netfilter subsystem of the Linux kernel in CloudLinux environments. A patch has been released for CloudLinux 6h and CloudLinux 7, with manual updates available for users. The flaw poses a local privilege escalation risk and is easily exploitable, emphasizing the urgency of patching.
WordPress sites promote fake NFT scams and crypto drainers
Nearly 2,000 compromised WordPress websites were discovered displaying fraudulent NFT and discount pop-ups that try to deceive visitors into connecting their wallets to crypto drainers. The scammers initially targeted approximately 1,000 sites, but that effort ran into some challenges. They later deployed new scripts that turn visitors' browsers into tools for brute-forcing admin passwords on other sites, which led to more compromised sites displaying pop-ups promoting fake NFT offers and crypto discounts.
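A site operator's first question after reading the WordPress item is how the login brute-forcing would look in their own access logs. The following detector is an added example for this briefing, not code from Cyware or from any vendor it cites. It buckets failed POSTs to /wp-login.php into 5-minute windows and raises one alert when a single client exceeds a per-IP threshold and another when many distinct clients each fail a few times, which is the shape a campaign riding on visitors' browsers would produce. The thresholds, the bucket size, the treatment of an HTTP 200 reply to the login POST as a failure (WordPress re-renders the form on failure and redirects with 302 on success), and the log lines themselves are this example's own constructed assumptions.

```python
"""Detect login brute-forcing against a WordPress site from web server logs.

Added example for this briefing, not code from Cyware or any vendor named
here. Thresholds, the 5-minute bucket, and reading a 200 response to
POST /wp-login.php as a failed login are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
BUCKET_MINUTES = 5
PER_IP_THRESHOLD = 10          # assumed: failed logins from one IP per bucket
DISTRIBUTED_IP_THRESHOLD = 20  # assumed: distinct IPs failing logins per bucket


def _bucket(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 5-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def detect_login_bruteforce(lines) -> list:
    """Return alerts found in combined-format access log lines."""
    failed = defaultdict(Counter)   # bucket -> Counter(ip -> failed attempts)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?")[0]
        # WordPress answers a failed login with 200 and the form again; a
        # successful login redirects with 302. Only the failures are counted.
        if m["method"] != "POST" or path != "/wp-login.php" or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failed[_bucket(ts)][m["ip"]] += 1

    alerts = []
    for bucket in sorted(failed):
        per_ip = failed[bucket]
        # Many clients, few attempts each: the "visitor browser" pattern.
        if len(per_ip) >= DISTRIBUTED_IP_THRESHOLD:
            alerts.append({"kind": "distributed", "bucket": bucket.isoformat(),
                           "distinct_ips": len(per_ip), "attempts": sum(per_ip.values())})
        # One client, many attempts: the classic single-source pattern.
        for ip, n in per_ip.items():
            if n >= PER_IP_THRESHOLD:
                alerts.append({"kind": "single_source", "bucket": bucket.isoformat(),
                               "ip": ip, "attempts": n})
    return alerts


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2048 "-" "Mozilla/5.0"'


# Constructed sample log (documentation-range IPs), not a real capture:
# one benign page view, 25 visitor IPs failing twice each inside one window,
# one IP failing 12 times later, and one successful login (302) that is ignored.
SAMPLE_LOG = [_line("192.0.2.5", "09/Apr/2024:09:59:58 +0000", "GET", "/", 200)]
for i in range(50):
    SAMPLE_LOG.append(_line(f"198.51.100.{i % 25 + 1}", f"09/Apr/2024:10:00:{i:02d} +0000",
                            "POST", "/wp-login.php", 200))
for i in range(12):
    SAMPLE_LOG.append(_line("203.0.113.7", f"09/Apr/2024:11:30:{i:02d} +0000",
                            "POST", "/wp-login.php", 200))
SAMPLE_LOG.append(_line("192.0.2.9", "09/Apr/2024:11:31:00 +0000", "POST", "/wp-login.php", 302))

if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_LOG):
        print(alert)
```

Feed it real lines with `detect_login_bruteforce(open("access.log"))`; the distributed rule is the one worth tuning, since a legitimate traffic spike after a password reset email can also produce many distinct IPs with one or two failures each.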
Voice messages harvest credentials
ARC Labs dissected a phishing email tactic in which targets were prompted to access a voice message via a link that concealed a credential-harvesting scheme. The payload was heavily obfuscated HTML with JavaScript embedded in an SVG file. The JavaScript used CryptoJS to decrypt encrypted content at runtime. Through code analysis, ARC Labs recovered the decryption key, exposing the second-stage page that prompts for credentials.
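Both the VenomRAT chain and the voice-message lure above start from an SVG that carries script, so a mail gateway or triage analyst needs a way to tell such a file from an ordinary image. The scanner below is an added example for this briefing, not code from Cyware, ARC Labs or any vendor named here. It pulls `<script>` bodies out of an SVG with a regex (so it does not depend on the attachment being well-formed XML), then flags the traits the two items describe: a CryptoJS reference, a `.decrypt(` call, a `document.write` or `innerHTML` injection of the result, and a large opaque string literal holding the ciphertext. The indicator names, the 200-character blob threshold, the verdict labels and the two sample documents are this example's own constructed assumptions, not published detection rules.

```python
"""Static triage of SVG attachments that carry embedded script.

Added example for this briefing; it is not code from Cyware, ARC Labs or any
vendor named here. Pattern names, thresholds, verdict labels and the sample
documents are this example's own assumptions.
"""
import re

# Script bodies are extracted with a regex rather than an XML parser so that a
# malformed attachment still gets triaged instead of raising a parse error.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.I)           # onload=, onclick=, ...
JAVASCRIPT_HREF = re.compile(r"href\s*=\s*[\"']\s*javascript:", re.I)

# Assumed indicators: an SVG exported from a drawing tool contains none of these.
SUSPICIOUS_PATTERNS = {
    "cryptojs": re.compile(r"\bCryptoJS\b"),
    "decrypt_call": re.compile(r"\.decrypt\s*\(", re.I),
    "dom_injection": re.compile(r"document\.write\s*\(|innerHTML\s*=", re.I),
    "decoder": re.compile(r"\batob\s*\(|\bunescape\s*\(", re.I),
}
# A quoted run of 200+ base64-alphabet characters is how embedded ciphertext
# typically appears inside the script (assumed threshold).
OPAQUE_BLOB = re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']")


def scan_svg(svg_text: str) -> dict:
    """Return script counts, matched indicators and a verdict for one SVG."""
    scripts = SCRIPT_TAG.findall(svg_text)
    indicators = []
    opaque_blob = False
    for body in scripts:
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(body) and name not in indicators:
                indicators.append(name)
        if OPAQUE_BLOB.search(body):
            opaque_blob = True
    if JAVASCRIPT_HREF.search(svg_text):
        indicators.append("javascript_href")
    event_handlers = len(EVENT_HANDLER.findall(svg_text))

    if scripts and (indicators or opaque_blob):
        verdict = "suspicious"   # script plus decryption/injection traits
    elif scripts or event_handlers or "javascript_href" in indicators:
        verdict = "review"       # active content, but nothing beyond that
    else:
        verdict = "clean"        # static drawing only
    return {
        "scripts": len(scripts),
        "event_handlers": event_handlers,
        "indicators": indicators,
        "opaque_blob": opaque_blob,
        "verdict": verdict,
    }


# Constructed samples, not real attachments. The lure-style one mirrors the
# structure described in the briefing; it has no key and no real ciphertext.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect x="10" y="10" width="80" height="80" fill="#3366cc"/>
</svg>"""

LURE_STYLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <script><![CDATA[
    // the real page travels as ciphertext and is decrypted when the file opens
    var blob = "%s";
    var page = CryptoJS.AES.decrypt(blob, key).toString(CryptoJS.enc.Utf8);
    document.write(page);
  ]]></script>
</svg>""" % ("Q" * 240)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure-style", LURE_STYLE_SVG)):
        print(label, scan_svg(doc))
```

Anything that scores "suspicious" is worth detonating in a sandbox or handing to an analyst, while "review" catches SVGs with any active content at all, which most mail flows have no legitimate reason to carry.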