
Cyware Daily Threat Intelligence


Daily Threat Briefing Jul 10, 2024

The threat landscape witnessed the re-emergence of the ViperSoftX malware, initially unearthed in 2020. The malware has resurfaced to exploit .NET to obscure its use of PowerShell commands. ViperSoftX's nefarious capabilities are extensive, encompassing the theft of system information, cryptocurrency wallet details, and more.

In its July Patch Tuesday, Microsoft released a series of critical security patches addressing vulnerabilities across a wide array of its products. Alarmingly, at least two of these vulnerabilities are currently being actively exploited.

Concurrently, a large-scale fraud campaign, dubbed Ticket Heist, has aimed its deceptions at Russian-speaking individuals seeking tickets for prominent events, most notably the Paris Summer Olympics. This sophisticated scam uses 708 fraudulent websites offering overpriced counterfeit tickets.

In a coordinated international effort, the ACSC, the CISA, and an array of global security agencies have issued an advisory detailing the TTPs employed by the state-sponsored cyber-espionage unit APT40, associated with the People's Republic of China.

Top Malware Reported in the Last 24 Hours

ViperSoftX variant abuses .NET runtime

ViperSoftX, first spotted in 2020, has recently reemerged with the ability to use the .NET CLR to obfuscate its use of PowerShell commands. The malware further disguises the PowerShell commands by hiding them within scripts generated by the freeware program AutoIt. This allows ViperSoftX to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity. ViperSoftX is capable of stealing system information, cryptocurrency wallet details (and the coins they contain), clipboard contents, and other such data.

AsyncRAT distributed as ebooks

The ASEC blog reports on the distribution of AsyncRAT malware disguised as an ebook, which uses techniques such as malicious scripts, compressed files, and scheduled tasks to infect systems and execute the remote access trojan. The compressed ebook file contains a malicious LNK file, a text file with a malicious PowerShell script, additional compressed files disguised as videos, and the actual ebook file. AsyncRAT possesses features such as anti-VM, anti-AV, maintaining persistence, and exfiltrating user information.

GuardZoo malware targets military personnel

An ongoing surveillance campaign has been found spreading the GuardZoo malware in the Middle East. The campaign has impacted over 450 victims in countries such as Egypt, Saudi Arabia, and Yemen, with the malware being distributed through WhatsApp and direct browser downloads. GuardZoo, with over 60 commands, can fetch additional payloads, upload files, and change C2 addresses, using dynamic DNS domains registered to YemenNet for its operations.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft’s July Patch Tuesday

Microsoft released critical security patches for Windows Hyper-V, MSHTML, .NET, Visual Studio, and other products, with at least two zero-day vulnerabilities already being actively exploited by attackers. One vulnerability (CVE-2024-38080) affects Windows Hyper-V and can allow system privileges to be gained, while the other (CVE-2024-38112) affects the MSHTML platform in Internet Explorer and requires user interaction for exploitation. Additionally, there are five critical Microsoft CVEs, including remote code execution bugs.

WordPress calendar plugin under attack

Hackers are targeting a vulnerability in the widely used Modern Events Calendar WordPress plugin, which is present on over 150,000 websites, allowing them to upload arbitrary files and execute remote code. The vulnerability, CVE-2024-5441, allows hackers to upload malicious files due to a lack of file type validation in the plugin's 'set_featured_image' function. The vulnerability has a high severity score (CVSS v3.1: 8.8) and can be exploited by any authenticated user, including subscribers and registered members. If the plugin is set to allow event submissions from non-members (visitors without accounts), the vulnerability can be exploited without authentication.
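The class of defect described above (an upload handler with no capability check and no file-type validation) beside a hardened version, as an added example. This is generic illustration code, not the Modern Events Calendar plugin's own code; the role names, file names and file contents are constructed for the demonstration.

```python
"""Added example, not the plugin's code: a featured-image upload handler in
the vulnerable shape described for CVE-2024-5441 (no capability check, no
file-type validation) next to a hardened version. Role names, file names and
file contents below are constructed for illustration."""
import os
import secrets

# Magic bytes an accepted image must begin with, keyed by allowed extension.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Hypothetical capability model: subscribers and guests may not attach files.
ROLES_THAT_MAY_UPLOAD = {"editor", "administrator"}

# Constructed sample uploads: a minimal PNG header and a non-image file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(24)
SAMPLE_NON_IMAGE = b"<?php echo 'not an image'; ?>"


def vulnerable_set_featured_image(filename, content, role):
    """Stores whatever was sent under the client-chosen name.

    No capability check and no file-type validation, so any authenticated
    user (or a guest, if event submissions are open) can place a server-side
    script in the uploads directory. Returns (accepted, stored_name)."""
    return True, os.path.basename(filename)


def hardened_set_featured_image(filename, content, role):
    """Returns (True, stored_name) on success or (False, reason) on rejection."""
    # 1. Only roles that are allowed to publish media may upload at all.
    if role not in ROLES_THAT_MAY_UPLOAD:
        return False, "capability check failed"

    # 2. Exactly one extension: rejects 'image.php.png' style double extensions.
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "file name must have exactly one extension"
    ext = "." + parts[1]

    # 3. Extension allowlist, not a denylist of dangerous types.
    signatures = ALLOWED_SIGNATURES.get(ext)
    if signatures is None:
        return False, "extension not allowed"

    # 4. The declared type must match the bytes actually uploaded.
    if not any(content.startswith(sig) for sig in signatures):
        return False, "content does not match declared image type"

    # 5. Store under a server-chosen name so the client never controls the path.
    return True, secrets.token_hex(8) + ext
```

The ordering matters: the capability check runs first so that unauthenticated or low-privilege callers never reach the file handling code, and the content check runs after the extension check so that a renamed script cannot pass by extension alone.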

New Blast-RADIUS attack

The Blast-RADIUS attack is a newly discovered authentication bypass vulnerability in the RADIUS/UDP protocol. It allows attackers to manipulate RADIUS traffic and gain admin privileges on network devices without brute-forcing passwords or stealing credentials. The attack exploits a new protocol bug (CVE-2024-3596) together with an MD5 collision attack, enabling the forging of a valid response to an authentication request. Although end users cannot protect against this attack, network operators are advised to upgrade to RADIUS over TLS, switch to "multihop" RADIUS deployments, and isolate RADIUS traffic from internet access for defense.
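The integrity check the attack targets is the RADIUS Response Authenticator, a plain MD5 over the response with the shared secret appended (RFC 2865). The added example below, which is not code from the briefing or from the Blast-RADIUS researchers, shows a client computing and verifying that value, and alongside it the Message-Authenticator attribute (RFC 2869), a keyed HMAC-MD5 over the packet that a client can require so that a response whose integrity rests on the MD5 value alone is rejected. The shared secret, identifier and attribute values are constructed sample values.

```python
"""Added example (not from the briefing): how a RADIUS client verifies the
Response Authenticator (RFC 2865, MD5 with the shared secret as suffix) and
how the Message-Authenticator attribute (RFC 2869, HMAC-MD5 keyed with the
secret) gives a check that does not depend on MD5 collision resistance.
Secret, identifier and attribute values below are constructed samples."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18           # attribute type (RFC 2865)
MESSAGE_AUTHENTICATOR = 80   # attribute type (RFC 2869), value is 16 bytes

SECRET = b"constructed-shared-secret"   # constructed sample value
REQUEST_AUTH = bytes(range(16))         # constructed; real clients use 16 random bytes


def attr(atype, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_packet(code, identifier, authenticator, attributes):
    """Serialise Code, Identifier, Length, Authenticator, Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, identifier, request_auth, attributes, secret, with_msg_auth):
    """Server side: build a response, optionally carrying Message-Authenticator."""
    if with_msg_auth:
        # HMAC-MD5 over the packet with the Message-Authenticator value zeroed
        # and the Request Authenticator in the authenticator field (RFC 2869).
        zeroed = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16))
        mac = hmac.new(secret, build_packet(code, identifier, request_auth, zeroed), hashlib.md5).digest()
        attributes = attributes + attr(MESSAGE_AUTHENTICATOR, mac)
    resp_auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return build_packet(code, identifier, resp_auth, attributes)


def verify_response(packet, request_auth, secret, require_msg_auth):
    """Client side: True only if the response passes every enabled check."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    resp_auth, attributes = packet[4:20], packet[20:]
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    if not hmac.compare_digest(resp_auth, expected):
        return False
    if not require_msg_auth:
        return True   # legacy behaviour: integrity rests on the MD5 value alone
    # Locate Message-Authenticator, zero its value, recompute the HMAC-MD5.
    i, found = 0, None
    while i + 2 <= len(attributes):
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            found = (i, attributes[i + 2:i + 18])
        i += alen
    if found is None:
        return False  # a client that requires the attribute rejects its absence
    offset, mac = found
    zeroed = attributes[:offset + 2] + bytes(16) + attributes[offset + 18:]
    recomputed = hmac.new(secret, build_packet(code, identifier, request_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(mac, recomputed)


def demo():
    """Exercise the checks on constructed packets; returns the outcomes by name."""
    attrs = attr(REPLY_MESSAGE, b"Welcome")
    good = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET, with_msg_auth=True)
    legacy = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET, with_msg_auth=False)
    # Same length, one byte of the Reply-Message changed after signing.
    tampered = good[:22] + b"Welcom3" + good[29:]
    return {
        "good_strict": verify_response(good, REQUEST_AUTH, SECRET, True),
        "legacy_lenient": verify_response(legacy, REQUEST_AUTH, SECRET, False),
        "legacy_strict": verify_response(legacy, REQUEST_AUTH, SECRET, True),
        "tampered": verify_response(tampered, REQUEST_AUTH, SECRET, True),
        "wrong_secret": verify_response(good, REQUEST_AUTH, b"other-secret", True),
    }


if __name__ == "__main__":
    print(demo())
```

The `legacy_strict` case is the one that matters operationally: a response that carries only the MD5 Response Authenticator is accepted by a lenient client and rejected by a client that requires Message-Authenticator. This check complements, and does not replace, the transport-level mitigations the briefing lists (RADIUS over TLS and keeping RADIUS traffic off the internet).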

Universal Code Execution bug in browsers

Hackers can exploit a Universal Code Execution vulnerability in browsers that puts millions of users at risk. They can inject code into server-side interpreter languages like Java, Python, and PHP, leading to theft of information, money diversion, surveillance, and severe impact on organizations. The vulnerability allows bypassing the Same Origin Policy and browser sandbox by chaining messaging APIs in browsers and extensions. Researchers found vulnerable extensions through dataset queries and static code analysis, including one with 2 million users that allowed arbitrary DLL loading.

Top Scams Reported in the Last 24 Hours

Phishing campaign targets Indian Android users

A new phishing campaign targeting Android users in India is impersonating the Regional Transport Office (RTO) and using fake APKs. The campaign has expanded from initial SMS-based phishing attacks targeting bank customers to now using WhatsApp messages with themes like utility bills and government schemes. Threat actors are leveraging malware-as-a-service and hiding launcher activities to make the malware stealthier and harder to detect. The malware collects device information, contact lists, and SMS messages, sending them to a Telegram bot and using Firebase to retrieve phone numbers and texts for unauthorized SMS verification.

Beware of fake Olympic Games tickets

A large-scale fraud campaign called Ticket Heist is targeting Russian-speaking users seeking tickets for major events, particularly the Summer Olympics in Paris. The operation involves 708 convincing websites offering overpriced fake tickets for events including the Olympics, the UEFA European Championship, and music concerts. The sites share a consistent UI framework and use inflated prices to deceive victims, and payments are collected through the Stripe payment platform to steal money from victims.

Don’t get double scammed!

The Australian Competition and Consumer Commission (ACCC) issued a warning about scammers targeting previous scam victims with fake offers to help them recover their lost money. These scammers pose as trusted entities and request upfront fees or personal information. The ACCC has recorded 158 reports of such scams with total losses of over AU$2.9 million (~$1.9 million), with victims aged over 65 being the most frequent targets.

CISA Advisory

APT40 in action, warn agencies

The ACSC, the CISA, and multiple international security agencies published an advisory outlining the TTPs used by the People's Republic of China (PRC) state-sponsored cyber group known as APT40. The threat group has targeted Australian networks, conducted reconnaissance, exploited vulnerabilities, and compromised sensitive data. The group prefers exploiting vulnerable, public-facing infrastructure and using compromised devices, including small office/home office devices, as operational infrastructure. Mitigation strategies include prompt patching of internet-exposed devices, network segmentation, and implementation of the ASD Essential Eight Controls to prevent intrusions by APT40.
