
Cyware Daily Threat Intelligence


Daily Threat Briefing May 27, 2024

The highly anticipated Windows launch of the Arc browser has come under attack: cybercriminals are bombarding users with malicious Google ads that lead to typosquatted domains serving trojanized installers. A new ATM malware family, dubbed EU ATM Malware, threatens Europe's banking sector with claims of compromising 99% of its ATMs. Priced at $30,000, it is advertised with full automation, flexible payment options, and a manual operation mode, raising significant concerns.

In other news, a cybercrime group used fake antivirus websites mimicking Avast, Bitdefender, and Malwarebytes to distribute info-stealers. First reported in April, these sites hosted sophisticated malware such as SpyNote, Lumma, and StealC, disguised as legitimate AV products.

Top Malware Reported in the Last 24 Hours

Google ads campaign targets Arc browser

Cybercriminals exploited the Arc browser's Windows launch by running malicious Google Ads that redirected users to typo-squatted domains mimicking the official site. These sites delivered trojanized installers from MEGA, downloading additional malware payloads like 'bootstrap.exe' and 'JRWeb.exe,' likely info-stealers. The malware uses Python executables to inject code into legitimate processes for command and control operations.
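The lookalike domains in this campaign are the kind of thing a proxy or DNS log review can surface before a user reaches the trojanized installer. The following is an added example (not code from the briefing or from any vendor it mentions) that scans constructed proxy log lines for registered domains that sit within a small edit distance of a brand's legitimate domain, or that embed the brand name as a hyphen-separated token. It assumes `arc.net` as the Arc browser's legitimate domain; the log lines and client addresses are constructed for the demonstration.

```python
"""Typosquat detection over proxy log lines (added example, not from the briefing)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed legitimate brand domain(s) for the campaign described above.
# arc.net is taken as the Arc browser's official domain (assumption; verify before use).
LEGIT_DOMAINS = {"arc.net"}

# Constructed sample log in a "timestamp client url" layout.
SAMPLE_LOG = """\
2024-05-27T10:01:02Z 10.0.0.5 https://arc.net/download
2024-05-27T10:02:10Z 10.0.0.7 https://arcc.net/setup
2024-05-27T10:03:44Z 10.0.0.9 https://arc-browser-download.com/Arc.exe
2024-05-27T10:04:01Z 10.0.0.5 https://mega.nz/file/abc
2024-05-27T10:05:22Z 10.0.0.8 https://www.arc.net/
2024-05-27T10:06:30Z 10.0.0.3 https://example.org/
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for the sample; production code
    should consult the public-suffix list so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> Optional[str]:
    """Return a reason string if host looks like a typosquat of a legit domain, else None."""
    reg = registered_domain(host)
    if reg in legit:
        return None
    for good in legit:
        dist = levenshtein(reg, good)
        if dist <= max_distance:
            return f"edit distance {dist} from {good}"
        brand = good.split(".")[0]
        # Token match on the registrable label, so "arc-browser-download" hits
        # but unrelated words containing the substring ("search", "arch") do not.
        tokens = re.split(r"[-_\d]+", reg.split(".")[0])
        if brand in tokens:
            return f"brand token '{brand}' in registered domain"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for each log line whose host looks suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        host = urlparse(m.group(3)).hostname
        if not host:
            continue
        reason = classify(host)
        if reason:
            hits.append((m.group(2), host, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

Two of the constructed lines are flagged: `arcc.net` by edit distance and `arc-browser-download.com` by the brand token; `www.arc.net` collapses to the legitimate registered domain and is left alone. Tune `max_distance` to the brand's length, since a distance of 2 against a three-letter brand is generous.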

Fake antivirus sites distribute malware

Trellix researchers identified fake antivirus websites distributing info-stealers. These sites mimicked legitimate products from Avast, Bitdefender, and Malwarebytes. The malicious domains hosted APK, EXE, and Inno Setup installer files, which deployed the SpyNote trojan, the Lumma information stealer, and the StealC info-stealer, respectively. The payloads requested elevated permissions such as reading SMS messages, installing and deleting apps, and taking screenshots.

Fake Minesweeper hides malicious scripts

Adversaries deployed a Python clone of Microsoft's Minesweeper to conceal malicious scripts targeting European and U.S. financial institutions. Attributed to UAC-0188, the attacks use the legitimate game code to hide Python scripts that download SuperOps RMM, providing unauthorized remote access. Emails prompt recipients to download a 33MB .SCR file from Dropbox, containing both Minesweeper and the malicious Python code. CERT-UA identified at least five breaches at financial institutions.

New ATM malware threatens European ATMs

A new ATM malware family, named EU ATM Malware, was advertised in the cybercrime underground. It reportedly threatens Europe's banking industry, claiming to compromise 99% of European ATMs and 60% globally. It purportedly targets machines from major vendors like Diebold Nixdorf and NCR. Analysts noted that the malware is advertised as fully automated, simplifying deployment, and is offered with various payment options. Its manual operation mode adds to its versatility, heightening concerns.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco addresses critical SQL injection bug

Cisco patched a critical SQL injection flaw, CVE-2024-20360, in the web-based management interface of its Firepower Management Center (FMC) Software. The flaw allowed authenticated attackers with at least Read Only user credentials to execute arbitrary commands on the OS, elevate privileges to root, and access database data. No workarounds were available at the time of reporting. The issue doesn't affect Adaptive Security Appliance (ASA) Software or Firepower Threat Defense (FTD) Software.
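The root cause class here, a management interface that builds SQL from user-supplied input, is the same for every web-based SQL injection bug, so it is worth seeing the defect and its fix side by side. The following is an added example, not Cisco's code and unrelated to FMC's actual implementation: it runs an in-memory SQLite table (constructed sample data) through a string-formatted query and through a parameterized one, so that the difference in behaviour on hostile input is observable rather than asserted.

```python
"""String-built SQL versus parameterized SQL (added example, not vendor code)."""
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed sample inventory table with rows owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices (name, owner) VALUES (?, ?)",
        [("fw-edge-01", "alice"), ("fw-core-01", "bob"), ("fw-lab-01", "alice")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, name_filter: str) -> List[str]:
    """Defective pattern: the filter is interpolated into the SQL text, so any
    quote or comment sequence in it is parsed as SQL syntax. The owner check is
    meant to restrict results to alice's devices."""
    sql = f"SELECT name FROM devices WHERE name = '{name_filter}' AND owner = 'alice'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, name_filter: str) -> List[str]:
    """Hardened pattern: the filter travels as a bound parameter, so the driver
    treats it as a literal value and the query structure cannot change."""
    sql = "SELECT name FROM devices WHERE name = ? AND owner = 'alice'"
    return [row[0] for row in conn.execute(sql, (name_filter,))]


def compare(name_filter: str) -> dict:
    """Run both variants on the same input and return their row lists."""
    conn = setup_db()
    try:
        return {
            "vulnerable": search_vulnerable(conn, name_filter),
            "parameterized": search_parameterized(conn, name_filter),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("fw-edge-01"))      # both variants: ['fw-edge-01']
    print(compare("x' OR 1=1 --"))    # vulnerable: all rows; parameterized: []
```

With a well-formed name both functions agree. With the textbook input `x' OR 1=1 --` the string-built query loses its owner restriction and returns every row, because the comment sequence discards the rest of the statement; the parameterized query simply finds no device with that literal name. A code-review rule that flags any f-string, `%` or `+` used to build SQL text catches this class before it ships.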

Critical alert for WordPress plugin flaws

SingCERT issued a critical alert warning about nine WordPress plugins, including Copymatic, Pie Register, and Hash Form Drag & Drop Form Builder, which were found to be affected by critical flaws such as arbitrary file uploads and SQL injection. Their exploitation could lead to unauthorized access and data compromise. SingCERT advises users to apply patches promptly and adopt robust security measures.
