
Cyware Daily Threat Intelligence


Daily Threat Briefing Jul 21, 2023

Cracked software appears legitimate but often contains hidden scripts that compromise system security and install malware. In a recent encounter, security researchers stumbled across a HotRat malware distribution campaign in which cybercriminals offered the malware bundled with cracked programs and games. Furthermore, a report has revealed a significant surge in Mallox ransomware attacks in 2023, with a year-over-year increase of approximately 174%. The group appears to be expanding its operations and recruiting affiliates on hacking forums.

BundleBot has emerged as another sophisticated malware family with evasion techniques. Aiming to steal sensitive information, it targets applications such as Telegram, Discord, and Facebook and collects data such as account details and credit card information.

Top Breaches Reported in the Last 24 Hours

Suzuki dealers blurt out data

Two Suzuki-authorized dealer websites leaked sensitive user and business data, including passwords and secret tokens. The affected dealerships are located in Brazil and Bahrain. The exposed data from the Suzuki dealerships included endpoint and secret information, MySQL databases, SMTP credentials, and application and third-party service keys. As of now, it remains uncertain whether any adversaries have succeeded in stealing any data.

Ransomware attack hits Mississippi

George County, Mississippi, suffered a significant ransomware attack that affected almost all government computers. The attack began with a phishing email disguised as a routine system update reminder, giving the ransomware group access to the county's systems. The attackers systematically encrypted data on personal office computers and servers in what was described as a highly coordinated "brute force attack."

Top Malware Reported in the Last 24 Hours

Ransomware activity on the rise

Mallox, a ransomware strain targeting Microsoft Windows systems, saw a 174% spike in activity, notably by exploiting numerous unsecured MS-SQL servers. Unit 42 researchers observed that the group uses brute force attacks, data exfiltration techniques, and tools like network scanners in its campaigns. Like other ransomware actors, Mallox follows the double extortion trend, claiming hundreds of victims across industries such as manufacturing, professional and legal services, and wholesale and retail.
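The MS-SQL brute forcing described above leaves a recognisable trail in the SQL Server ERRORLOG: a burst of "Login failed for user" entries from one client, sometimes followed by a successful login from the same address. The following detector is an added example (not from Unit 42 or Cyware); the log lines are constructed, and the five-failures-per-minute threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (not real telemetry).
SAMPLE_LOG = """\
2023-07-20 02:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:02.03 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:02.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:02.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 02:14:03.31 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-07-20 09:00:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2023-07-20 14:30:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Yield (timestamp, outcome, user, client) for every logon line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["outcome"], m["user"], m["client"]

def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: verdict}. 'burst' means `threshold` failures within
    `window` (any user, so password spraying counts); 'burst_then_success'
    means the same client later authenticated, i.e. a likely compromise."""
    recent = defaultdict(list)  # client -> timestamps of failures in window
    verdicts = {}
    for ts, outcome, user, client in parse_logon_events(text):
        if outcome == "failed":
            fails = [t for t in recent[client] if ts - t <= window] + [ts]
            recent[client] = fails
            if len(fails) >= threshold:
                verdicts.setdefault(client, "burst")
        elif verdicts.get(client) == "burst":
            verdicts[client] = "burst_then_success"
    return verdicts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))  # {'203.0.113.5': 'burst_then_success'}
```

The two slow failures from 10.0.0.8 fall outside the window and are ignored, which is the point of windowing rather than a plain count.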

Water company drops SpyNote

McAfee’s mobile team identified a smishing campaign that targeted Japanese Android users by posing as a power and water infrastructure company. The fake SMS messages alerted recipients about payment problems and directed them to a phishing website to download the SpyNote malware. SpyNote is a known family of malware used for remote-controlled spying, exploiting accessibility services and administrator privileges to steal sensitive user information and two-factor authentication data.

Malicious promotion on Facebook

A new malware strain called BundleBot is being distributed via Facebook ads and compromised accounts, masquerading as program utilities, AI tools, or games. The malware uses a .NET single-file deployment technique to evade detection. Once downloaded, it siphons sensitive information from compromised hosts, including data from web browsers, Discord tokens, Telegram data, and Facebook account details.

HotRat hides in rogue software

The distribution of cracked software continues to be an important vector for spreading malware, with attackers using AutoHotkey scripts to deploy malware variants like HotRat. The malware is commonly found in cracked Adobe and Microsoft software, video games, premium system utilities, and development tools. HotRat provides attackers with various capabilities, including stealing credentials, capturing screens, and installing additional malware.

Top Vulnerabilities Reported in the Last 24 Hours

Adobe ColdFusion fix

Adobe has issued additional patches for ColdFusion vulnerabilities, including one (CVE-2023-38205) that was being exploited in the wild by cybercriminals. Rapid7 confirmed attackers had exploited CVE-2023-29298, chaining it with CVE-2023-38203. Adobe's initial patch for CVE-2023-29298 was deemed incomplete and easily bypassed. While not confirmed, there are indications that CVE-2023-38203 may have also been exploited.

Sensitive bugs found in BMC software

Security company Eclypsium reported two new BMC&C security holes in AMI’s MegaRAC BMC software. The critical flaws include an authentication bypass issue, tracked as CVE-2023-34329, exploitable through spoofed HTTP headers, and a code injection flaw tracked as CVE-2023-34330. When combined, these vulnerabilities allow a remote attacker with network access to the BMC management interface, without credentials, to execute arbitrary code, potentially from the Internet if the interface is exposed.
