Cyware Daily Threat Intelligence
Daily Threat Briefing • Jun 18, 2024
Lurking in the shadows of cyberspace, a new wave of malware distribution campaigns has emerged, deftly wielding the guise of Google Chrome, Word, and OneDrive errors. These deceptive tactics are meticulously crafted to hoodwink unsuspecting users into executing malicious PowerShell "fixes," unwittingly inviting a cascade of malware into their systems.
Meanwhile, a new variant of the Diamorphine rootkit has surfaced, brandishing the ability to unload its kernel module and execute arbitrary commands. Discovered roaming free and undetected, this variant poses a significant threat to systems running Linux kernel version 5.19.17.
In another corner of the digital realm, VMware disclosed two vulnerabilities of critical severity within vCenter Server. These flaws, tied to the DCE/RPC protocol, open the door to remote code execution by malevolent actors, directly impacting virtual machine management.
Fake Chrome errors to malicious PowerShell
A new malware distribution campaign has been observed using fake Google Chrome, Word, and OneDrive errors to trick users into running malicious PowerShell "fixes" that install malware. Threat actors behind ClearFake, ClickFix, and TA571 are involved. The attacks involve compromised websites, fake browser updates, and email-based infection chains. The malware payloads include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer. The attackers utilize social engineering to prompt users to take action without considering the risks, and they exploit the lack of awareness about the dangers of executing PowerShell commands.
Velvet Ant used F5 BIG-IP malware
The Chinese cyberespionage group Velvet Ant used custom malware to target F5 BIG-IP appliances to breach target networks and gain persistent access for espionage purposes. The threat actor exploited vulnerabilities in the appliances, established multiple footholds within the target organization's network, and deployed malware such as PlugX RAT. The group demonstrated agility and deep understanding of the target's network infrastructure, evading detection from traditional log monitoring solutions.
New Diamorphine rootkit variant in the wild
Researchers spotted a new Diamorphine variant that introduces device functionality for unloading the rootkit kernel module and executing arbitrary commands via magic packets. Impersonating the X_Tables module of Netfilter allows the rootkit to communicate between user mode and kernel mode without raising suspicion. The variant was found undetected in the wild and poses a threat to systems running Linux kernel version 5.19.17.
Cisco Webex DLL Sideloading
Cybercriminals are tricking users into downloading password-protected archive files containing trojanized copies of popular software like the Cisco Webex Meetings App. When users extract and execute the "Setup.exe" file, it covertly loads a stealthy malware loader called Hijack Loader (also known as DOILoader or IDAT Loader). Hijack Loader acts as a conduit to drop Vidar Stealer, an information-stealing malware that can siphon sensitive credentials from web browsers. The malware also employs techniques to bypass User Account Control (UAC) and exploit the CMSTPLUA COM interface for privilege escalation, adding itself to Windows Defender's exclusion list for defense evasion.
Two critical bugs in VMware vCenter
VMware by Broadcom disclosed critical-rated flaws, CVE-2024-37079 and CVE-2024-37080, in vCenter Server, which could allow remote code execution by malicious actors. The flaws are related to the DCE/RPC protocol and impact the management of virtual machines. A patched version of vCenter Server and Cloud Foundation is available, but older versions of vSphere may be affected and remain unfixed. Additionally, a local privilege escalation vulnerability, CVE-2024-37081, has been identified.