Cyware Daily Threat Intelligence

Daily Threat Briefing • Apr 20, 2021
The infamous Lazarus APT is on a roll in 2021. After launching a series of new malware strains from its kit, the North Korean hacker group has now come up with an evasion technique that was observed in a recent phishing attack. The technique involved concealing a malicious loader within a BMP image, which ultimately deployed a RAT.
Meanwhile, the evolution of phishing campaigns targeting Facebook users has worried researchers. A worldwide scam targeting Facebook Messenger users across 80 countries has been launched in full force to harvest credentials. The catch is that the scam lures users with ads promoting fake versions of the Messenger app. Facebook is not alone: threat actors are also impersonating several other brands, such as Microsoft Store and Spotify, to distribute an information-stealing trojan called Ficker.
Top Breaches Reported in the Last 24 Hours
Update on Codecov breach
More details have emerged on the recent Codecov system breach. During the investigation, U.S. federal authorities linked the breach to the recent SolarWinds attack, which is attributed to the Russian Foreign Intelligence Service (SVR). Codecov had suffered a supply-chain attack that went undetected for over 2 months.
Top Malware Reported in the Last 24 Hours
Purple Fox malware attacks
Threat actors are leveraging brute-force attacks against the SMB protocol to distribute the Purple Fox malware. The new SMB attack method is especially concerning because Purple Fox no longer requires user interaction to propagate.
Ficker malware
Threat actors are promoting sites impersonating Microsoft Store, Spotify, and an online document converter to distribute an information-stealing malware called Ficker. Using this malware, attackers can steal saved credentials in web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients.
Top Vulnerabilities Reported in the Last 24 Hours
WordPress releases patches
WordPress has released version 5.7.1 of its popular CMS, which includes fixes for two security vulnerabilities, tracked as CVE-2021-29447 and CVE-2021-29450. The former is an XML External Entity (XXE) vulnerability in the ID3 library on PHP 8, while the latter affects the REST API, leading to the loss of sensitive data.
Top Scams Reported in the Last 24 Hours
Facebook Messenger scam
Researchers have detected a large-scale scam campaign targeting Facebook Messenger users in over 80 countries. The ultimate goal of the campaign is to pilfer login credentials from users by distributing ads promoting a fake version of Facebook Messenger. The first incident of the scam came to light in 2020. To draw users' attention, fraudsters registered accounts with names mimicking the real Messenger app and used the official logo as their profile picture.
Google Alerts for scam
Google Alerts has long been abused for scams and malware attacks. The service is heavily used by scammers to redirect users to fake adult sites, fake dating apps, sweepstakes scams, and unwanted browser extensions. Such attacks are launched by sending fake Google Alert URLs to unsuspecting users.