
Cyware Daily Threat Intelligence

Daily Threat Briefing Jan 27, 2022

Millions of routers and IoT devices are at risk of attack now that the source code of the BotenaGo malware has surfaced on GitHub. Researchers fear this gives wannabe cybercriminal groups a head start: the code bundles more than 30 exploits targeting IoT devices from multiple vendors, including Linksys, D-Link, Netgear, and ZTE.

In other news, cybercriminals are actively targeting Android users worldwide, with several new attack campaigns coming to light in the last 24 hours. The FluBot and TeaBot trojans were found lurking within SMS messages and a fake app, respectively, to infect users globally, while a premium subscription fraud campaign that reached over 100 million users was used to drain funds from them. Meanwhile, researchers shared details of a recent Chaes trojan campaign distributed via over 800 websites.

Top Breaches Reported in the Last 24 Hours

German organizations targeted

An ongoing attack backed by the Chinese APT27 threat group is targeting German commercial organizations with the HyperBro RAT. The malware helps the threat actors maintain persistence on victims' networks by acting as a backdoor with remote administration capabilities. The threat actor has been exploiting flaws in Zoho ADSelfService Plus to breach the networks.

New updates on StellarParticle campaign

Researchers have shed light on the StellarParticle attack campaign associated with the Cozy Bear (aka APT29) threat actor group. Launched in 2020, the campaign targeted multiple organizations using the Linux variant of GoldMax and a new implant dubbed TrailBlazer.

Phishing campaigns observed

Threat actors are using a new technique to bypass MFA in an attempt to widen the reach of their phishing campaigns. The campaign began by stealing credentials from targeted organizations located in Australia, Singapore, Indonesia, and Thailand. The stolen credentials were then used in a second phase to expand the attackers' foothold within victim organizations.

Top Malware Reported in the Last 24 Hours

BotenaGo strikes again

Several variants of the BotenaGo botnet have been observed in a series of new attack campaigns targeting routers and IoT devices globally. This follows the discovery of the malware's source code on GitHub, which allows threat actors to build their own versions and launch attacks.

Konni RAT updates

The Konni RAT has recently received significant updates, according to researchers. The RAT is under active development, and its latest changes include the addition of evasion capabilities. The malware has also switched from base64 encoding to AES encryption of its strings for obfuscation.

Chaes trojan targets Brazilian customers

In an attack campaign observed in the last quarter of 2021, the Chaes trojan was delivered via over 800 compromised WordPress sites to target Brazilian customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. The trojan's ultimate goal is to steal credentials stored in Chrome and intercept logins to banking websites.

FluBot and TeaBot spotted

Using a new Scam Alert feature, researchers intercepted more than 100,000 malicious SMS messages attempting to distribute the FluBot trojan. The attacks were active in Australia, Germany, Poland, Spain, Austria, and Italy. In a separate incident, the TeaBot trojan was found lurking on the Google Play Store in the form of a QR scanner app to infect Android users across the globe.

Skimmer code spotted

A skimmer that includes a function named 'boms' has been spotted on a large number of fake online stores. The skimmer is attributed to Magecart Group 7.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed APKLeaks patched

The maintainers of APKLeaks have issued a patch for a critical vulnerability that could be exploited for remote execution of arbitrary code. The vulnerability is tracked as CVE-2021-21386 and carries a CVSS severity score of 9.3. The flaw is resolved in APKLeaks version 2.0.6.

Apple issues patches

Apple has released patches for 13 serious flaws in macOS and 10 flaws in iOS/iPadOS. They include fixes for two zero-day flaws, one of which may have been exploited in the wild. The zero-day in question is tracked as CVE-2022-22587 and is a memory-corruption issue in IOMobileFrameBuffer.

Top Scams Reported in the Last 24 Hours

Subscription scam affects over 100 million users

A premium subscription fraud campaign has targeted over 100 million Android users. Dubbed Dark Herring, the campaign used 470 Google Play Store apps to reach victims, potentially causing losses of hundreds of millions of dollars. The campaign was active in 70 countries and asked users to subscribe to premium services at a price of $15 per month.