Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 28, 2024
WarZone RAT is back in the picture as security experts spotted its advertisement on hacking forums. The development comes nearly two weeks after the FBI announced the seizure of several of its internet domains. Separately, Xeno RAT has landed on GitHub and is being disseminated via Discord CDN. Tax-themed scams have also arrived, targeting Mexicans with the previously unseen TimbreStealer malware. Other malware increasingly prevalent in the cyber underworld are Abyss Locker and DCRat.
Another WordPress plugin making the headlines is LiteSpeed Cache. It allows unauthenticated users to execute cross-site scripting attacks, potentially leading to privilege escalation. Meanwhile, a new variant of the AMOS Stealer, dubbed Atomic, has surfaced as a fresh crypto threat.
Pharmaceutical giant hit by cyberattack
Pharma giant Cencora, formerly AmerisourceBergen, disclosed a cyberattack that resulted in data theft from its corporate IT systems. Financial and operational impacts are yet to be determined. The firm asserted that the attack was unrelated to the Optum Change Healthcare ransomware incident. Notably, there's no indication of the perpetrator, and no ransomware group has claimed responsibility.
BlackCat claims two victims, one confirmed
The BlackCat ransomware group attacked Verbraucherzentrale Hessen, a consumer advice center in Germany. Verbraucherzentrale Hessen confirmed the attack on its IT infrastructure, leading to temporary accessibility issues. Meanwhile, doubts arise regarding the group’s claim of targeting Electro Marteix, SL in Spain, as no evidence of an attack was found.
Xeno RAT released on GitHub
The highly sophisticated Xeno RAT has been openly shared on GitHub by its creator, moom825. Compatible with Windows 10 and 11, this RAT offers a wide array of features for remote system management, including a SOCKS5 reverse proxy, real-time audio recording, and a hidden virtual network computing (hVNC) module. Notably, Xeno RAT is built from scratch, providing a unique approach to RAT development, and includes a builder for crafting customized malware variants.
New WarZone RAT v3 raises concerns
Security experts noted an updated WarZone RAT (v3) being advertised on hacking forums. It boasts enhanced features like the "Smart Updater" for stealthy tool updates and the ability to uninstall old files once the new version has executed successfully. Its new capabilities include client control, file management, and remote system control, giving attackers extensive control over compromised systems.
TimbreStealer targets Mexicans
Mexican users have been facing tax-themed phishing attacks distributing TimbreStealer, a sophisticated Windows malware. The threat actors use geofencing and other evasive techniques to avoid detection and target various sectors. The malware includes checks to detect sandbox environments, embedded modules for decryption, and the ability to harvest a wide range of data.
Abyss Locker use gains traction
Windows and Linux systems are under attack from Abyss Locker, a variant of HelloKitty ransomware, revealed FortiGuard Labs. Detected in July 2023, Abyss Locker’s Windows variant surfaced in January 2024, followed by a Linux version. The ransomware employs specific actions to ensure successful encryption while sparing certain files and directories for system operability. Its infection vector remains unspecified to date.
Nation-state actors using WINELOADER backdoor
Zscaler's ThreatLabz discovered a targeted attack by SPIKEDWINE involving a suspicious PDF masquerading as an invitation letter from the Ambassador of India. The PDF contains the previously undocumented WINELOADER backdoor and targets European diplomats with advanced tactics. The threat actor exploits geopolitical relations, utilizing compromised infrastructure and themes related to wine.
New AMOS variant spotted
Bitdefender researchers uncovered a new variant of the AMOS Stealer, dubbed Atomic, targeting macOS systems. This variant combines features of information stealers, keyloggers, and cryptocurrency mining tools. It utilizes Python and AppleScript code to target browser files, system information, and crypto wallets. Bitdefender has provided Indicators of Compromise to aid in detection and mitigation efforts.
Privilege escalation bug in WordPress plugin
A security vulnerability (CVE-2023-40000) was disclosed in the LiteSpeed Cache plugin for WordPress, allowing unauthenticated users to escalate privileges via a single HTTP request. The cross-site scripting vulnerability stems from inadequate user input sanitization and output escaping in the update_cdn_status() function. It could allow unauthenticated users to extract sensitive data.
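The root cause named above, missing input sanitization and output escaping on a value that unauthenticated requests can set, is the classic recipe for stored XSS in a WordPress plugin. The following is an added illustration, not LiteSpeed Cache's own code: the function and option names (`demo_save_status_*`, `demo_render_status_*`, `demo_cdn_status`) are hypothetical, while the WordPress API calls (`update_option`, `get_option`, `current_user_can`, `check_admin_referer`, `sanitize_text_field`, `wp_unslash`, `esc_html`) are the real core functions a plugin would use. The first pair shows the weak pattern; the second pair shows the hardened form.

```php
<?php
// Added illustration of the vulnerability class, not the plugin's code.
// A setting is written from a request and later rendered on an admin page.

// WEAK: no authorization check, value stored as received, echoed raw.
// Anything stored here is rendered as live HTML for whoever views the page,
// which is what turns an unauthenticated write into privilege escalation.
function demo_save_status_unsafe( $raw ) {
    update_option( 'demo_cdn_status', $raw );
}

function demo_render_status_unsafe() {
    $status = get_option( 'demo_cdn_status', '' );
    echo '<span class="status">' . $status . '</span>';
}

// HARDENED: require an authorized, nonce-protected request, strip markup
// on the way in, and escape for the HTML context on the way out.
function demo_save_status_safe( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'demo_save_status' );
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    update_option( 'demo_cdn_status', $clean );
}

function demo_render_status_safe() {
    $status = get_option( 'demo_cdn_status', '' );
    // esc_html() is the correct escaper for text between tags; use
    // esc_attr() inside attributes and esc_url() for href/src values.
    echo '<span class="status">' . esc_html( $status ) . '</span>';
}
```

Output escaping at render time is the control that actually stops the injection; sanitizing on input is defense in depth, and the capability and nonce checks close the unauthenticated-write path. When reviewing a plugin, look for every `get_option()` value that reaches `echo` or `printf` without passing through one of the `esc_*` helpers.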