
Cyware Daily Threat Intelligence


Daily Threat Briefing Jun 25, 2024

Amidst a whirlwind of digital espionage, SpyMax, an insidious Android RAT, has surfaced, targeting Telegram enthusiasts. It circumvents the need for rooted devices, simplifying the process for adversaries to extract private data and seize control of devices.

Concurrently, a critical vulnerability dubbed Probllama in the Ollama open-source AI infrastructure tool has been facilitating remote code execution. While a patch has been released, as of June 10, over 1,000 Ollama server instances remained perilously unpatched.

In a parallel breach of trust, the malware analysis service Any.Run became ensnared in a phishing scheme. An unsuspecting employee fell victim to a deceptive email, granting a hacker unauthorized access to their account. The intruder, exploiting this breach, disseminated additional phishing emails within the organization.

Top Malware Reported in the Last 24 Hours

Exposing Boolka’s BMANAGER trojan

Group-IB uncovered the operations of threat actor Boolka, who deploys sophisticated malware and engages in web attacks, exploiting vulnerabilities through SQL injection attacks since 2022. Boolka's malware delivery platform leverages the BeEF framework and the BMANAGER modular trojan to capture sensitive information from infected websites. Boolka's dynamic approach includes updating its scripts and using multiple domain names for malware attacks.

SpyMax targets Telegram users

SpyMax, an Android RAT, has been spotted targeting Telegram users. It does not require rooted devices, making it easier for threat actors to gather private information and control victims' devices. The malware pretends to be the Telegram app and requests the Accessibility Service permission, acting as a trojan with keylogger capabilities. It collects location information and communicates with a C2 server to send compressed data and receive system commands and APK payloads.

P2Pinfect evolves, deploys ransomware

The P2Pinfect malware has recently been updated to include a ransomware and cryptominer payload. The malware spreads via Redis and SSH, and relies on a peer-to-peer botnet for command and control. The update introduces a usermode rootkit, potentially indicating that P2Pinfect may be a botnet for hire. The ransomware payload encrypts files and demands payment in Monero, while the usermode rootkit hides the main binaries.

Top Vulnerabilities Reported in the Last 24 Hours

Multiple WordPress plugins compromised

A supply chain attack on WordPress plugins led to the compromise of five plugins, allowing attackers to create unauthorized admin accounts and inject SEO spam on affected websites. The affected plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. The injected malware attempts to create a new administrative user account and sends those details back to an attacker-controlled server. The malware also injects malicious JavaScript into the footer of websites, which appears to add SEO spam throughout the website.

Buggy Ollama

A vulnerability in the Ollama open-source project for running LLMs, known as Probllama (CVE-2024-37032), was discovered by Wiz Research. The flaw enabled remote code execution and has been patched in version 0.1.34. Despite the patch being available, over 1,000 vulnerable Ollama server instances were still exposed as of June 10. The vulnerability was due to insufficient validation on the server side of the REST API provided by Ollama, allowing for potential compromise of the hosting environment.

GrimResource: a new command execution technique

A newly discovered command execution technique called GrimResource uses an unpatched Windows XSS flaw and specially crafted MSC files to deploy malware, such as Cobalt Strike. This technique bypasses security measures using JavaScript and .NET code to inject and execute the malware. The issue was reported to Microsoft in 2018, and the flaw remains unpatched, posing a significant threat. System administrators are advised to watch for specific file operations, executions, memory allocations, and file creations associated with this technique.

Top Scams Reported in the Last 24 Hours

Any.Run suffered phishing attack

The malware analysis service Any.Run experienced a phishing attack in which an employee fell for a phishing email, leading to a hacker gaining unauthorized access to the employee's account. The hacker then used the compromised account to send out phishing emails to other employees. Any.Run took immediate action to revoke the attacker's access and is investigating the incident as part of a business email compromise campaign.
