Cyware Daily Threat Intelligence

Daily Threat Briefing June 14, 2024

Researchers have lifted the veil on a quintet of insidious campaigns aimed at Android users, orchestrated by the Arid Viper APT group. The threat actor has been deploying a three-tiered spyware, AridSpy, silently slipping through the cracks of digital defenses via meticulously crafted websites. The target? A treasure trove of user data, ripe for espionage.

Meanwhile, enter the Kimsuky threat group, orchestrating a masterclass in cyber assault by exploiting a well-known vulnerability within the MS Office Equation Editor. This attack commences as soon as an unsuspecting user cracks open a compromised Office document. The equation editor unwittingly executes a malevolent script, setting off a chain reaction that downloads an arsenal of malware.

Amidst this digital mayhem, a critical XSS vulnerability has reared its ugly head in the SummerNote 0.8.18 WYSIWYG editor. This flaw is a digital Pandora’s box, enabling attackers to embed harmful scripts within otherwise trustworthy apps or websites.

Top Malware Reported in the Last 24 Hours

AridSpy: stealth in the sands

ESET researchers identified five campaigns targeting Android users with trojanized apps, most likely orchestrated by the Arid Viper APT group. These campaigns involve the distribution of a three-stage Android spyware named AridSpy through dedicated websites. The malware is primarily focused on espionage, targeting user data. The campaigns began in 2022 and three are still ongoing. The malware is distributed through websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app. The malicious apps have never been offered through Google Play and are downloaded from third-party sites. The malware has been detected in Palestine and Egypt.

Moonstone Sleet and npm malware alert!

A newly identified North Korean threat actor, Moonstone Sleet, is targeting the software supply chain by publishing malicious npm packages to public open source registries. The group targets developers directly and differentiates itself from other North Korean actors by using new techniques such as a single-package approach. In Q2 2024, the Moonstone Sleet packages increased in complexity, adding obfuscation and targeting Linux systems.

NiceRAT? Not So Nice

Researchers identified the ongoing use of botnets to distribute NiceRAT, which collects system information, browser data, and cryptocurrency wallets and leaks them to the threat actors over Discord, used as a C2 server. The botnets are built by distributing malware disguised as Windows or Microsoft Office license verification tools and free game servers. The malware deploys NanoCore, which registers "IMAP Service" and "SMTP Service" tasks in the Task Scheduler to maintain persistence. NanoCore has been used to distribute not only NiceRAT but also Nitol malware since 2019.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Veeam Recovery Orchestrator bug

A proof-of-concept exploit has been released for a critical authentication bypass vulnerability, CVE-2024-29855, affecting Veeam Recovery Orchestrator (VRO). The exploit leverages a hardcoded JSON Web Token (JWT) secret, which can be used to generate valid JWTs. Veeam's security bulletin recommends upgrading to patched versions and outlines the conditions required to exploit the flaw, but a researcher has shown that some of these requirements can be bypassed with relative ease. The vulnerability has been rated 9.0 on the CVSS scale and affects VRO versions 7.0.0.337 and 7.1.0.205 and older.

Kimsuky abuses MS Office Editor flaw

According to ASEC, the Kimsuky threat group has been carrying out a sophisticated cyberattack by exploiting a known vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor. The attack begins when a user opens a compromised Office document, triggering the equation editor to execute a malicious script. The script downloads additional malware, including a keylogger that records users' keystrokes and clipboard data.

XSS bug in SummerNote 0.8.18 WYSIWYG editor

A significant XSS vulnerability (CVE-2024-37629) has been found in the SummerNote 0.8.18 WYSIWYG editor. This vulnerability allows attackers to insert harmful executable scripts into trusted applications or websites. A security researcher discovered it by testing the Code View function, where a malicious XSS payload executed successfully. Over 10,000 web apps may be affected, leaving their users susceptible to persistent XSS.

Top Scams Reported in the Last 24 Hours

Scamming the scammers

Netcraft researchers used an AI chatbot based on OpenAI's ChatGPT to engage with scammers and cybercriminals. The chatbot was able to convince scammers to provide sensitive information, including bank account details at over 600 financial institutions in 73 countries. This allowed the researchers to gather valuable threat intelligence on the infrastructure and financial components used by cybercriminals. In one case, a scammer promising a $5 million inheritance sent details on 17 different accounts at 12 banks in an attempt to complete the transfer of an initial fee.