Cyware Daily Threat Intelligence

Daily Threat Briefing • Jan 25, 2024
Using apps to take notes? One such utility app has been turned into a lure: cybercriminals cloned the CherryTree note-taking app to distribute a new Go-based malware loader, dubbed CherryLoader. Speaking of malware threats, researchers from ASEC warned about VenomRAT and XMRig CoinMiner. While the RAT propagates via a malicious shortcut file disguised as a legitimate Word document, the XMRig CoinMiner spreads through game hack websites.
A Chinese threat group has reportedly been on a mission to deploy the NSPX30 backdoor via legitimate software updates since 2018. The attacks primarily target manufacturing, trading, and engineering companies, affecting individuals in China, Japan, and the U.K.
HPE discloses APT29 cybersecurity breach
Hewlett Packard Enterprise (HPE) revealed that the Russian state-sponsored group APT29 gained access to its cloud-based email environment. The attackers accessed and exfiltrated data from a small percentage of HPE mailboxes, including those belonging to individuals in cybersecurity, go-to-market, business segments, and other functions. The unauthorized access began in May 2023 and went undetected for over six months.
Operational outage at fintech firm
EquiLend, a fintech firm, suffered a cyberattack that forced several of its systems offline, leaving employees to carry out tasks manually. The company detected a technical issue on January 22, later confirmed it as a security incident, and said that restoration could take several days.
Cyberattacks hit Ukrainian critical infrastructure
Several state-owned critical infrastructure companies in Ukraine, including Naftogaz (oil and gas company), Ukrposhta (national postal service), and DSBT (transport safety agency), reported cyberattacks on their systems. The origins of the attacks and potential attribution remain unclear. A Russian group called the National Cyber Army claimed responsibility for the DSBT attack.
Major breach at Russian space research center
Pro-Ukraine hackers, known as the BO Team, targeted Russia's State Research Center on Space Hydrometeorology, also known as Planeta. The hackers claimed to have destroyed the center's database and valuable equipment, including 280 servers and two petabytes of information. The attack allegedly paralyzed the work of supercomputers and disrupted the station's air conditioning and power supply systems. The attackers also claimed to have cut off the internet at a Russian Arctic station.
Malware loader disguised as CherryTree App
Arctic Wolf Labs reported a new Go-based malware loader, CherryLoader, being used in recent intrusions. Camouflaged as the legitimate CherryTree note-taking app, the malware drops privilege escalation tools like PrintSpoofer or JuicyPotatoNG for additional exploitation. Its modular design enables threat actors to swap exploits without recompiling code. The loader is distributed through a RAR archive hosted on a specific IP address.
Chinese APT delivers NSPX30 implant
China-aligned threat actor Blackwood, active since at least 2018, has been linked to adversary-in-the-middle attacks using the NSPX30 backdoor implant. The attackers leverage legitimate software like Tencent QQ and WPS Office to deploy the sophisticated backdoor. The implant includes a dropper, installer, loaders, orchestrator, and backdoor components. It has capabilities like packet interception, keylogging, and screenshot capture.
VenomRAT deployed via infected Office docs
Attackers were observed weaponizing Office documents to distribute VenomRAT (an AsyncRAT variant). The lure is a malicious shortcut (.lnk) file disguised as a legitimate Word document. Opening it runs a malware downloader that fetches its payload data from 'adb.dll' and executes it filelessly in memory. The shellcode VenomRAT then runs performs keylogging, leaks PC information, and takes additional commands from the threat actors.
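The lure in this campaign works because Explorer never shows the .lnk extension, so a shortcut named like a document is displayed as that document. The following Python check is added here as an illustration and is not taken from ASEC's report or from the briefing: it flags files that carry a document extension in front of .lnk, confirms the ShellLink header (MS-SHLLINK), and reads the LinkFlags word to note whether the shortcut carries command-line arguments, which a lure that launches a downloader needs. The file names, the sample bytes and the list of lure extensions are all constructed for the example.

```python
import struct

# MS-SHLLINK header: HeaderSize (0x4C) followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) form.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
LINKFLAGS_OFFSET = 20          # the 4-byte LinkFlags field follows the CLSID
HAS_ARGUMENTS = 0x00000020     # LinkFlags bit: the shortcut carries a command line
# Extensions to look for in front of ".lnk" (assumed list for this example).
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx")


def is_lnk(data: bytes) -> bool:
    """True if the leading bytes are the ShellLink header magic."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def link_flags(data: bytes) -> int:
    """LinkFlags word from the header, or 0 if the data is too short."""
    if len(data) < LINKFLAGS_OFFSET + 4:
        return 0
    return struct.unpack_from("<I", data, LINKFLAGS_OFFSET)[0]


def has_document_stem(name: str) -> bool:
    """'Invoice.docx.lnk' -> True: a document extension sits before .lnk."""
    stem = name.lower()[:-4]
    return any(stem.endswith(ext) for ext in DOC_EXTS)


def classify(name: str, data: bytes) -> str:
    """Verdict for one file from its name and its leading bytes."""
    lnk = is_lnk(data)
    named_lnk = name.lower().endswith(".lnk")
    if lnk and named_lnk and has_document_stem(name):
        # Explorer hides .lnk, so the user sees this file as a document.
        if link_flags(data) & HAS_ARGUMENTS:
            return "masquerading-shortcut+args"
        return "masquerading-shortcut"
    if lnk and not named_lnk:
        return "shortcut-header-under-other-extension"
    if lnk:
        return "shortcut"
    return "not-a-shortcut"


def scan(files: dict) -> dict:
    """Classify each name -> leading-bytes entry (24 bytes per file suffice)."""
    return {name: classify(name, data) for name, data in files.items()}


def make_lnk(flags: int) -> bytes:
    """Constructed minimal 76-byte ShellLink header for the samples below."""
    return LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (0x4C - 24)


# Constructed samples standing in for a directory listing.
SAMPLES = {
    "Invoice_Jan.docx.lnk": make_lnk(HAS_ARGUMENTS | 0x40),  # lure with a command line
    "Invoice_Jan.docx": b"PK\x03\x04" + b"\x00" * 72,        # real OOXML document (zip)
    "Printer.lnk": make_lnk(0x01),                           # ordinary shortcut
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:40} {name}")
```

For a real sweep, feed `scan()` the first 24 bytes of each file (`open(path, "rb").read(24)`) keyed by file name. The check only inspects the fixed header; pulling out the actual command line behind `HAS_ARGUMENTS` needs a full MS-SHLLINK parser that walks the LinkTargetIDList, LinkInfo and StringData sections, which is the next step for triage.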
XMRig CoinMiner spread through game hacks
Experts at ASEC unearthed a campaign distributing the XMRig CoinMiner through a website offering hacks for popular games. The site instructs users to override the browser's download blocking and to shut down their anti-malware software, clearing the way for the installation. The compressed file on offer includes a downloader that installs the CoinMiner along with malware designed to disable anti-malware software, making it harder for users to notice the malicious activity.
Pwn2Own uncovers 39 zero-day bugs
The first automotive edition of the Zero Day Initiative's (ZDI) Pwn2Own contest, held in Tokyo, saw ethical hackers demonstrate nearly 40 zero-day vulnerabilities, including several in Tesla systems. Notable exploits included a three-bug chain against the Tesla Modem and other vulnerabilities in automotive systems. Vendors have 90 days to fix the vulnerabilities before ZDI discloses them publicly.
Mozilla patches Firefox and Thunderbird flaws
In a security update for Firefox and Thunderbird, Mozilla released fixes for 15 vulnerabilities, including five rated as high severity. One of the high-severity flaws, CVE-2024-0741, involves an out-of-bounds write in the ANGLE graphics engine, which could lead to memory corruption and potential denial of service or arbitrary code execution. Mozilla also addressed medium-severity vulnerabilities that could result in crashes, bypass of Content Security Policy, permissions request bypass, privilege escalation, or HSTS policy bypass.
Pakistani attackers spray fake loan apps
Exploiting the growing demand for digital financial services, Pakistani criminals are actively targeting Android users in India with fake loan applications. The malicious apps promise instant loans, tricking users into handing over personal information and selfies, which are then manipulated for extortion. The threat actors demand money and threaten to share the doctored nude images. The apps request permissions for contacts, call logs, and camera access.