Cyware Daily Threat Intelligence
Daily Threat Briefing • Jun 11, 2024
From the depths of the digital domain, a new threat rises: ValleyRAT. Researchers recently uncovered a sophisticated campaign using an HTTP File Server to deliver the malware through multiple attack stages. ValleyRAT's latest iteration comes with enhanced device fingerprinting, clever bot ID generation, and new commands. Meanwhile, the More_eggs malware is back, targeting recruiters with phishing attacks. Believed to be the work of the Golden Chickens group, the modular malware now steals sensitive data by disguising itself as a job applicant's resume.
In other news, a critical flaw in Veeam Backup Enterprise Manager (VBEM), tracked as CVE-2024-29849, now has a public proof-of-concept (PoC) exploit. By sending a crafted VMware SSO token, attackers can impersonate admin users due to a lack of verification on the SSO service URL. Immediate upgrades are advised.
New ValleyRAT campaign detected
Zscaler ThreatLabz recently identified a new campaign delivering the latest version of ValleyRAT, which involves multiple stages. The campaign utilizes an HTTP File Server as the initial stage downloader to download the files required for subsequent attack stages. The downloader and loader employed in the campaign use various techniques, including anti-virus checks, DLL sideloading, and process injection. The ValleyRAT sample delivered includes modifications compared to a previously documented version, particularly in device fingerprinting, bot ID generation, and supported commands.
More_eggs malware targets recruiters
More_eggs is a modular backdoor capable of stealing sensitive data, believed to be the work of the threat actor group Golden Chickens (aka Venom Spider). Phishing attacks using the More_eggs malware are resurfacing, this time disguised as a job applicant's resume. A recent attack uncovered by eSentire targeted an unnamed industrial services company in May. The attackers responded to LinkedIn job postings with a link to a fake resume download site, leading to the download of a malicious Windows Shortcut file.
Data theft via malicious node on ComfyUI
A malicious node called "ComfyUI_LLMVISION" on the ComfyUI user interface was found stealing sensitive data from cryptocurrency users, including passwords, credit card details, and crypto wallet addresses. The node presents itself as a user-friendly extension but actually transfers the stolen data to an attacker's Discord server. When ComfyUI_LLMVISION is installed, the Python package manager pulls in malicious versions of the OpenAI and Anthropic libraries, which run encoded PowerShell commands to download and execute info-stealing malware.
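As an added defender-side illustration of the delivery mechanism described above (example code, not from Cyware or the researchers who reported the node), the scan below walks a Python site-packages tree for PowerShell launches that carry an encoded command and decodes each payload for review; the fake "openai" package it scans is constructed here and its payload is harmless.

```python
import base64
import os
import re
import tempfile

# A PowerShell launch carrying an encoded command, written either as a shell
# line ("powershell -EncodedCommand <b64>") or as a Python argv list
# (['powershell', '-enc', '<b64>']). The payload is base64 of UTF-16LE text.
ENCODED_PS_RE = re.compile(
    r"(?:powershell|pwsh)(?:\.exe)?.*?[\s'\"]-(?:e|ec|enc|encodedcommand)\b"
    r"[\s'\",]*([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

def decode_encoded_command(b64: str):
    """Decode an -EncodedCommand payload; None if not valid UTF-16LE base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_tree(root: str) -> list:
    """Walk a site-packages tree and report each file that launches PowerShell
    with an encoded command, decoding the payload for analyst review."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".py", ".ps1", ".bat", ".cmd", ".txt")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for m in ENCODED_PS_RE.finditer(text):
                findings.append({"file": path, "b64": m.group(1),
                                 "decoded": decode_encoded_command(m.group(1))})
    return findings

def build_sample_tree() -> str:
    """Constructed sample, not a real package: a fake 'openai' module whose
    import-time code launches an encoded (harmless) PowerShell command."""
    root = tempfile.mkdtemp(prefix="site-packages-")
    pkg = os.path.join(root, "openai")
    os.makedirs(pkg)
    payload = base64.b64encode("Write-Host demo".encode("utf-16-le")).decode()
    with open(os.path.join(pkg, "__init__.py"), "w", encoding="utf-8") as fh:
        fh.write("import subprocess\n"
                 f"subprocess.run(['powershell', '-enc', '{payload}'])\n")
    return root
```

Point `scan_tree` at a real environment's site-packages directory to review every decoded payload by hand; a hit is a lead for an analyst, not a verdict on its own.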
Exploit available for critical Veeam bug
A PoC exploit for a critical authentication bypass flaw in Veeam Backup Enterprise Manager (VBEM), tracked as CVE-2024-29849, was publicly released. The exploit involves sending a specially crafted VMware single sign-on (SSO) token to the vulnerable service. The token contains an authentication request that impersonates an administrator user. Veeam does not verify the SSO service URL, allowing unauthorized access. While no in-the-wild exploitation has been reported, Veeam urged customers to upgrade to VBEM version 12.1.2.172.
Nvidia fixes GPU driver vulnerabilities
Nvidia has released software updates to fix high-severity vulnerabilities in its GPU drivers and virtual GPU (vGPU) software. The updates resolve five security defects, including three rated 'high severity' and two 'medium severity'. One of the most severe flaws, CVE-2024-0090, could allow attackers to execute arbitrary code or cause a DoS condition. The updates also address vulnerabilities that could lead to code execution, information disclosure, data tampering, and privilege escalation. Nvidia advises users to apply the updates promptly.
Arm Mali GPU kernel drivers patched
Arm issued a security bulletin warning of a memory-related vulnerability in Mali GPU kernel drivers. The vulnerability, tracked as CVE-2024-4610, is a use-after-free (UAF) flaw that affects all versions of the Bifrost and Valhall drivers. Arm is aware of the vulnerability being actively exploited and recommends that users upgrade. The vulnerability was fixed in version r41p0 of the drivers, released on November 24, 2022. However, due to the complexity of the Android supply chain, users may experience delays in receiving patched drivers. Some impacted devices may no longer receive security updates.