
Cyware Daily Threat Intelligence


Daily Threat Briefing Jun 4, 2024

The dark web is abuzz with a new threat: Viper RAT, a formidable malware targeting Android devices. This digital predator boasts multi-grabber features, stealthy VNC control, and screen capture capabilities, making it a serious menace.

Meanwhile, FortiGuard Labs has uncovered a cyberattack exploiting Ukraine's geopolitical turmoil. This sophisticated assault uses an Excel file embedded with a VBA macro to deliver the notorious Cobalt Strike payload. Separately, Google rolled out its June 2024 Android security update, patching 37 vulnerabilities, including three critical flaws in Qualcomm components.

Top Malware Reported in the Last 24 Hours

New Viper RAT on dark web

A new malware called Viper RAT is being advertised on dark web forums. It offers a multi-grabber feature to steal credentials, emails, 2FA codes, wallets, and keys. It also provides hidden VNC (hVNC) remote control, screen capture, and the ability to unlock phones. Viper RAT is advertised as working on Android devices regardless of hardware, posing a serious risk to users.

New banking trojan spotted

Cisco Talos has discovered a new banking trojan called CarnavalHeist targeting Brazilian users. CarnavalHeist begins with financial-themed spam emails that redirect users to malicious websites hosting the first-stage payload. The payload uses a combination of LNK files, batch scripts, and Python loaders to download and execute the final banking trojan DLL. The DLL uses overlay attacks to present fake login screens for Brazilian financial institutions and capture user credentials.

Cyberattack drops Cobalt Strike in Ukraine

FortiGuard Labs spotted a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file that ultimately delivers the Cobalt Strike payload. The attack targets systems in Ukraine, taking advantage of the country's geopolitical situation. To avoid detection and analysis, the attack employs various evasion techniques, such as location-based checks, encoded strings, self-deletion, and anti-debugging mechanisms.

Top Vulnerabilities Reported in the Last 24 Hours

Android patches 37 vulnerabilities

The June 2024 Android security update resolves 37 vulnerabilities, including multiple high-severity elevation of privilege bugs. The first part of the update (2024-06-01 patch level) addresses 19 flaws in the Framework and System components, with the most severe issue being a high-severity vulnerability in the System component that could lead to local escalation of privilege. The second part of the update (2024-06-05 patch level) addresses an additional 18 vulnerabilities in Kernel, Imagination Technologies, Arm, MediaTek, and Qualcomm components, three of the Qualcomm-specific flaws being rated critical. Devices reporting the 2024-06-01 level have only the first set of fixes; the 2024-06-05 level includes both.

PoC for critical Progress Telerik auth bypass

Researchers have published a PoC exploit script demonstrating a chained remote code execution attack on Progress Telerik Report Server. The authentication bypass flaw (CVE-2024-4358, CVSS 9.8) allows an unauthenticated attacker to create admin accounts without any checks. This issue was addressed in the Telerik Report Server 2024 Q2 10.1.24.514 update on May 15. The second flaw (CVE-2024-1800, CVSS 8.8) is a deserialization issue that allows remote authenticated attackers to execute arbitrary code on vulnerable servers. This issue was addressed in the Telerik Report Server 2024 Q1 10.0.24.305 update on March 7. Chained, the bypass supplies the authenticated session the deserialization bug needs, turning two separately rated issues into unauthenticated RCE; only the Q2 release (10.1.24.514 or later) closes both.
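A quick way to turn the two fixed builds above into a triage check, as an added example (not Progress or Cyware code): it parses a Telerik Report Server version string numerically, reports which of the two CVEs are still open, and states what an attacker could reach. The only facts it relies on are the fixed versions and CVE descriptions in the briefing; version strings fed to it, and the idea of querying them from an inventory, are assumptions.

```python
"""Triage check for Progress Telerik Report Server versions against the two
fixed releases named in this briefing. Added example, not vendor code.

Fixed builds (from the briefing):
  CVE-2024-1800  deserialization RCE, authenticated   -> 10.0.24.305 (2024 Q1)
  CVE-2024-4358  auth bypass, admin account creation  -> 10.1.24.514 (2024 Q2)
"""
from __future__ import annotations

# First fixed build per CVE, as numeric tuples so they compare correctly.
FIXES: dict[str, tuple[tuple[int, ...], str]] = {
    "CVE-2024-1800": ((10, 0, 24, 305), "deserialization RCE (requires authentication)"),
    "CVE-2024-4358": ((10, 1, 24, 514), "authentication bypass (unauthenticated admin creation)"),
}

VERSION_PARTS = 4  # Telerik Report Server builds are quoted as major.minor.yy.build


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.1.24.514' into (10, 1, 24, 514), padded to four components.

    Comparing the raw strings would be wrong: '9.2.24.130' sorts after
    '10.1.24.514' lexically, so a version check on strings passes an old build.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > VERSION_PARTS:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (VERSION_PARTS - len(nums))


def unpatched_cves(version: str) -> list[str]:
    """CVEs from the briefing whose fix is newer than the given build."""
    v = parse_version(version)
    return sorted(cve for cve, (fixed, _) in FIXES.items() if v < fixed)


def assess(version: str) -> dict:
    """Map open CVEs to what an attacker could do against this build."""
    missing = unpatched_cves(version)
    if "CVE-2024-4358" in missing and "CVE-2024-1800" in missing:
        # Bypass creates an admin, which satisfies the auth requirement of the
        # deserialization bug: the full unauthenticated RCE chain is reachable.
        exposure = "unauthenticated RCE chain (auth bypass -> admin account -> deserialization)"
    elif "CVE-2024-4358" in missing:
        # Q1 applied but not Q2: RCE is closed, admin creation is still open.
        exposure = "unauthenticated admin account creation"
    elif "CVE-2024-1800" in missing:
        # Not reachable with these two fix versions, kept for completeness.
        exposure = "RCE for authenticated users only"
    else:
        exposure = "neither CVE from this briefing"
    return {"version": version, "unpatched": missing, "exposure": exposure}


if __name__ == "__main__":
    # Constructed sample versions: one pre-Q1 build, the Q1 build, the Q2 build.
    for sample in ("10.0.24.130", "10.0.24.305", "10.1.24.514"):
        print(assess(sample))
```

Run it against the versions exported from an asset inventory; anything that is not reported as "neither CVE" needs the 2024 Q2 build, since the Q1 release alone leaves the admin-creation bypass open.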

New bugs in Zyxel NAS devices

Zyxel has released critical patches for command injection (CVE-2024-29972 and CVE-2024-29973), improper privilege management (CVE-2024-29975 and CVE-2024-29976), and remote code execution (CVE-2024-29974) vulnerabilities in its NAS326 and NAS542 products, even though both models have reached end-of-vulnerability-support status. Users of the affected NAS devices are strongly advised to apply the provided patches immediately to protect against potential attacks.
