Cyware Daily Threat Intelligence

Daily Threat Briefing • Jun 5, 2024
Broadcom sent out a signal for trouble as the DarkCrystal RAT is being deployed via the popular messaging app Signal. The malware is targeting high-profile individuals in Ukraine. This RAT-tling development begins with a seemingly harmless message, leading to unauthorized access and more.
Meanwhile, a security researcher has uncovered a flaw in Kyber KEM. This timing leak, courtesy of the Clang compiler's optimizations, lets attackers ‘cache’ in on high-resolution attacks to potentially recover encryption keys.
Beware of headhunting scammers! The allure of remote jobs is being exploited by scammers, the FBI warned. These criminals post fake job ads, posing as recruiters to trick victims into a cryptocurrency scam.
HTML files deploy DarkGate malware
ASEC discovered phishing emails containing HTML attachments that prompt users to run malicious PowerShell commands. The emails disguise the attachments as MS Word documents and urge users to click a "How to fix" button, which then initiates the execution of a malicious PowerShell script. This script ultimately downloads and executes the DarkGate malware, posing a serious threat to systems.
TargetCompany now has a Linux variant
The TargetCompany ransomware group has developed a Linux variant that targets VMware ESXi environments. The variant first checks whether the victim machine is running ESXi and then encrypts critical ESXi servers, disrupting virtualized workloads to increase the pressure to pay. Delivery is handled by a custom shell script that downloads and executes the payload, exfiltrates victim information to two attacker-controlled servers, and then deletes the payload to hinder analysis, which makes the variant a significant challenge for defenders.
DarkCrystal RAT abuses Signal
Broadcom discovered that Signal Messenger is being exploited to deliver DarkCrystal RAT malware to high-profile targets. The targets include government officials, military personnel, and representatives of defense enterprises in Ukraine. The infection chain begins with the victim receiving a message containing an archive file, a password, and instructions on how to open it. When the user runs these files, their computer becomes infected with the DarkCrystal RAT malware, granting attackers unauthorized access to the system.
TikTok fixes zero-day bug
Attackers have recently hijacked high-profile TikTok accounts using a zero-day vulnerability in the social media platform's direct messages feature. Companies such as Sony and CNN, along with celebrity accounts like Paris Hilton's, were affected. The exploit used by the attackers does not require the targets to download any payload or click on embedded links.
Cisco patches Webex flaws
Cisco has released security patches to address vulnerabilities in its Webex video conferencing software that were exploited to expose sensitive German government meetings. An insecure direct object reference (IDOR) vulnerability allowed unauthorized access to meeting details, including discussions on military activities. Cisco stated that it has not observed any further attempts to obtain meeting data or metadata since the bugs were patched.
Vulnerability in Kyber KEM
A security researcher found an exploitable timing leak in the Kyber Key Encapsulation Mechanism (KEM) reference implementation. The leak arises when a compiler, specifically Clang, optimizes code that was written to be constant-time and silently undoes the side-channel countermeasures, so that a selection intended to be branchless is compiled into secret-dependent control flow. A sophisticated local attacker could exploit this with high-resolution cache attacks, by targeting the branch predictor, or by slowing down the library to amplify the timing difference, and ultimately recover the secret key. The reference implementation has been patched by implementing the relevant conditional move as a function in a separate file, but the researcher noted that other libraries derived from the reference implementation may still be vulnerable.
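To make the compiler problem concrete, the following is an added example, not code from the Kyber reference implementation or from the researcher's report. It uses a simplified mask-and-select idiom of the kind constant-time code relies on (the names `bit_to_coeff_plain`, `bit_to_coeff_hardened`, `value_barrier_i16` and `msg_to_coeffs` are hypothetical, and the 32-byte message is constructed for the test). The plain variant is functionally correct but is the shape an optimizer can recognise as a select and lower to a branch; the hardened variant inserts an inline-assembly optimisation barrier so the mask's value is opaque to the optimizer. Moving the conditional move into a function in a separate compilation unit, as the page describes the reference fix, works for the same reason: the optimizer can no longer see how the mask was derived.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (assumed names); illustrative, not the Kyber reference code. */
#define KYBER_Q 3329

/* Branchless selection at the C level: mask is 0x0000 or 0xFFFF depending on
   one secret bit, and the AND picks either 0 or (Q+1)/2. Clang may recognise
   "mask & constant" as a select and emit a conditional branch for it at some
   optimisation levels, turning a constant-time idiom into a timing leak. */
static int16_t bit_to_coeff_plain(uint8_t bit)
{
    int16_t mask = -(int16_t)(bit & 1);
    return (int16_t)(mask & ((KYBER_Q + 1) / 2));
}

/* Optimisation barrier: an empty asm statement that claims to read and write
   v forces the compiler to treat v as an unknown value from here on, so it
   cannot pattern-match the mask back into a branch. GCC/Clang syntax. */
static inline int16_t value_barrier_i16(int16_t v)
{
    __asm__ volatile("" : "+r"(v));
    return v;
}

/* Hardened variant: same arithmetic, mask hidden behind the barrier. */
static int16_t bit_to_coeff_hardened(uint8_t bit)
{
    int16_t mask = value_barrier_i16((int16_t)(-(int16_t)(bit & 1)));
    return (int16_t)(mask & ((KYBER_Q + 1) / 2));
}

/* Expand a 32-byte message into 256 coefficients, one per message bit.
   'hardened' is a public flag, so branching on it is fine. */
void msg_to_coeffs(const uint8_t msg[32], int16_t coeffs[256], int hardened)
{
    for (size_t i = 0; i < 32; i++) {
        for (size_t j = 0; j < 8; j++) {
            uint8_t bit = (uint8_t)((msg[i] >> j) & 1);
            coeffs[8 * i + j] = hardened ? bit_to_coeff_hardened(bit)
                                         : bit_to_coeff_plain(bit);
        }
    }
}

/* Functional check on a constructed message: both variants must produce
   identical coefficients (the barrier changes codegen, not results).
   Returns 1 on agreement, 0 otherwise. */
int variants_agree(void)
{
    uint8_t msg[32];
    int16_t a[256], b[256];
    for (size_t i = 0; i < 32; i++)
        msg[i] = (uint8_t)(0xA5 ^ (i * 37));   /* constructed sample input */
    msg_to_coeffs(msg, a, 0);
    msg_to_coeffs(msg, b, 1);
    for (size_t k = 0; k < 256; k++)
        if (a[k] != b[k]) return 0;
    return 1;
}
```

The barrier does not make the plain variant's problem visible from C; the only way to confirm a build is free of the leak is to inspect the emitted assembly (for example with `objdump -d`) for a conditional branch that depends on the mask, or to run a timing measurement over many inputs. Equality of results, as checked above, shows only that the hardening did not break correctness.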
Fake remote work ads for crypto fraud
The FBI has issued a warning about scammers posing as recruiters for legitimate companies, using fake remote job ads to steal cryptocurrency from job seekers. These work-from-home scams entice victims with easy tasks and a confusing compensation structure that requires cryptocurrency payments. Victims of such fraudulent activities are advised to report to the FBI Internet Crime Complaint Center (IC3) and provide transaction details associated with the scam.
Utility scams via Google Ads
A malicious campaign—ongoing since February—is targeting mobile users in the U.S. with fake utility bill ads. The scammers behind this campaign are based in Pakistan and have created numerous advertiser accounts on Google. The ads often do not lead to a landing page, but instead prompt the user to call a phone number, which connects them to the scammers.