Cyware Daily Threat Intelligence

Daily Threat Briefing August 22, 2022

Over 200 malicious PyPI and npm packages have been spotted dropping cryptominers on Linux machines. The packages were observed compromising Linux systems and installing the XMRig crypto mining software. There is a lot going on in the crypto industry, and the constant mutation of malware makes it even more challenging to keep up. Recently, a cybercriminal group has been stealing cryptocurrency from customers of General Bytes, a Bitcoin ATM manufacturer.

A new scam is doing the rounds in which cybercriminals use AWS to host phishing pages that manipulate victims into entering their credentials, all while bypassing the security controls in place.

Top Malware Reported in the Last 24 Hours

PyPI and npm packages wreak havoc

Researchers reported 241 malicious packages making their way into the Python (PyPI) and npm repositories. A majority of these packages typosquat popular libraries, duping developers into downloading them. Each malicious package downloads a Bash script that runs a cryptominer on Linux systems. Some of the open-source libraries and commands that the attackers imitated include React, argparse, and AIOHTTP.
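The typosquatting technique described above can be caught before install time by comparing declared dependency names against the packages a project is known to use. The following is an added example written for this briefing (not code from Cyware or the cited researchers); the known-good list and the sample requirements file are constructed for illustration, and the edit-distance threshold is an assumption to tune per project.

```python
"""Flag dependency names that look like typosquats of known packages."""
from __future__ import annotations

# Constructed allow-list: packages this hypothetical project legitimately uses.
KNOWN_GOOD = {"aiohttp", "argparse", "requests", "numpy", "urllib3"}

# Constructed sample requirements.txt with two look-alike names planted in it.
SAMPLE_REQUIREMENTS = """\
aiohttp==3.8.1
aiohtpp>=3.0        # one substitution away from aiohttp
argparse
requets==2.28.0     # one deletion away from requests
numpy~=1.23
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return name.lower().replace("_", "-").replace(".", "-")


def parse_requirements(text: str) -> list[str]:
    """Extract bare package names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";", " "):
            line = line.split(sep, 1)[0]          # strip version/extras/markers
        names.append(line.strip())
    return names


def suspicious(names: list[str], known=KNOWN_GOOD, max_dist: int = 2) -> dict[str, str]:
    """Map each unknown name to the known package it most closely resembles."""
    hits = {}
    for n in names:
        nn = normalize(n)
        if nn in known:
            continue
        best = min(known, key=lambda k: levenshtein(nn, k))
        if levenshtein(nn, best) <= max_dist:    # close, but not exact: suspect
            hits[n] = best
    return hits
```

Run `suspicious(parse_requirements(SAMPLE_REQUIREMENTS))` to see the two planted names flagged; names that are genuinely new (far from everything in the allow-list) are not reported, so the list still needs periodic review.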

Raccoon and NetSupport RAT on WordPress

Sucuri experts unearthed JavaScript injections targeting WordPress sites that display fake DDoS Protection pages to visitors. Upon clicking a button, users are prompted to open a “security_install.iso” file, which leads to the download of the NetSupport RAT and the Raccoon Stealer info-stealing trojan. The latter can not only steal credentials but also compromise crypto wallets.

Escanor: New malware for PC and Android systems

Resecurity, a cybersecurity firm, discovered a new RAT, dubbed Escanor, being advertised on the dark web and Telegram messenger. The malware is currently available for PCs and Android-based systems. It features an HVNC module and an exploit builder to weaponize MS Office and Adobe PDF documents to deliver malicious code.

Top Vulnerabilities Reported in the Last 24 Hours

A ChromeOS issue needs patching

Microsoft shared technical details of a high-severity ChromeOS bug tracked as CVE-2022-2587 and described as an out-of-bounds write. The issue resides in the CRAS component and can be triggered using malformed metadata associated with songs. It could be exploited to cause DoS conditions and, in limited cases, to attempt RCE.

Zero-day in BTC ATM systems

Hackers exploited a previously undisclosed flaw in the systems of Bitcoin ATM manufacturer General Bytes to steal cryptocurrency from users. The zero-day flaw in the Crypto Application Server (CAS) admin interface was exploited to create an admin user remotely. However, it's unclear how many servers were infiltrated and how much cryptocurrency was stolen by scammers.

Top Scams Reported in the Last 24 Hours

AWS-based phishing campaign

A new phishing campaign, hosted on AWS domains, sends unsuspecting users a standard password-expiration email and other messages designed to create a sense of urgency. Users who respond are taken to a fake version of their company’s login page, auto-populated with their email addresses. If they proceed to enter their passwords, the credentials are sent to the cybercriminal’s server.