Cyware Daily Threat Intelligence


Daily Threat Briefing April 26, 2023

Chinese cybercriminals were reported using new malware variants in their espionage attacks against South Africa and Nepal. The campaign includes a new Linux version of the PingPull RAT and a never-before-seen backdoor called Sword2033. In other news, members of an international NGO located in China were being targeted with Evasive Panda's flagship backdoor, known as MgBot. Its unusual delivery method relies on legitimate update channels for software developed by Chinese companies. Meanwhile, a notorious cybercriminal group from Iran has showcased its ability to expand its hacking capabilities with the new BellaCiao malware.

FIN7, the Russian cybercriminal group, was observed exploiting unpatched instances of Veeam Backup & Replication software to execute payloads in the compromised environment. The group abuses a missing authentication flaw in the Veeam software.

Top Malware Reported in the Last 24 Hours

ViperSoftX’s twist in evasion technique

There has been a significant number of victims in the consumer and enterprise sectors in Australia, Japan, and the U.S. after the information stealer ViperSoftX adopted new anti-detection capabilities. The enterprise sector made up over 40% of the total number of affected victims. The latest version of the info-stealer can also steal passwords from two password managers, KeePass 2 and 1Password.

Evasive Panda targets NGO employees

ESET researchers stumbled across an attack campaign by the Evasive Panda APT, wherein attackers are hijacking update channels of legitimate applications to infect victims with the MgBot malware. The campaign targeted users in the Gansu region of Guangdong and Jiangsu provinces, with a majority of them working for an international NGO. It was found that the malicious activity may have begun in 2020.

New PingPull variant and Sword2033

Unit 42 discovered a new version of the PingPull malware, designed by Alloy Taurus (aka Gallium), to cripple Linux systems. It is essentially an ELF file that only 3 out of 62 antivirus vendors flagged as malicious. During the investigation, the threat actor's infrastructure also revealed evidence of another backdoor used in the attack, known as Sword2033.

Charming Kitten deploys BellaCiao

Iranian state-sponsored attacker group Charming Kitten introduced a new malware, named BellaCiao, to target individuals across Europe, the Middle East, the U.S., and India. Bitdefender Labs linked every sample of the malware to a distinct victim, suggesting that the group performed highly personalized attacks. The samples contained hardcoded details, such as the victim's company name, custom-made subdomains, or the associated public IP address.

Top Vulnerabilities Reported in the Last 24 Hours

VMware fixes four bugs

VMware released updates to address multiple security vulnerabilities affecting its Workstation and Fusion software. There was a stack-based buffer-overflow vulnerability (CVE-2023-20869), an out-of-bounds read vulnerability (CVE-2023-20870), a local privilege escalation flaw (CVE-2023-2087), and an out-of-bounds read/write vulnerability (CVE-2023-20872). The flaws have been addressed in Workstation version 17.0.2 and Fusion version 13.0.2.

FIN7 exploits Veeam bug

A Veeam Backup process was seen running a shell command to download and execute a PowerShell script, abusing the Veeam Backup & Replication vulnerability CVE-2023-27532. Further analysis revealed that the script was in fact the Powertrash in-memory dropper, a tool previously used by FIN7. Subsequently, the group deployed Diceloader, a backdoor also referred to as Lizar.