Cyware Daily Threat Intelligence
Daily Threat Briefing • May 28, 2024
Despite the authors shutting down operations for the CatDDoS botnet in December 2023, new variants have since appeared. Security experts laid bare a novel attack campaign by CatDDoS operators, exploiting over 80 security flaws in various devices, primarily in China and the U.S. but also in other countries.
Android users have come under attack from the TeaBot malware. Researchers identified over 90 malicious apps on Google Play disguised as PDF and QR code readers. The malware steals banking data using overlay and accessibility techniques. Also, a critical bug was patched in a TP-Link gaming router model.
Botnet malware exploits 80+ security flaws
The CatDDoS malware botnet reportedly abused over 80 known vulnerabilities in nearly 300 devices over the past three months, targeting routers, networking gear, and other devices from vendors such as Cisco, Apache, and Huawei. This botnet is a Mirai variant and conducts DDoS attacks primarily in China, the U.S., and other major countries. It uses the ChaCha20 algorithm for encrypted C2 communications and shares similarities with other botnets like hailBot and VapeBot.
UAC-0006 targets Ukraine using SmokeLoader
CERT-UA uncovered two attack campaigns by threat actor UAC-0006 infecting accountants in Ukraine with SmokeLoader to steal credentials and facilitate unauthorized fund transfers. Distributed via emails, SmokeLoader injects malicious code into explorer.exe and downloads additional malware like TALESHOT and RMS on affected systems. The attackers use ZIP archives containing IMG files to deploy the malware.
Fake Android apps deliver TeaBot
Zscaler ThreatLabz reported a surge in TeaBot malware infections targeting Android users, primarily in Europe, the U.S., South Korea, and Singapore. TeaBot, aka Anatsa, impersonates benign apps like PDF and QR code readers to deceive users into installing the malware. With over 70,000 installations, the malware exfiltrates sensitive banking credentials using overlays and Accessibility Services. TeaBot employs advanced evasion tactics, including environment checks and APK corruption, to avoid detection.
Critical bug found in TP-Link gaming router
Researchers at OneKey discovered a critical RCE bug, CVE-2024-5035, in the TP-Link Archer C5400X gaming router. This high-performance router contained a flaw in the "rftest" binary executed during startup. The bug allowed unauthenticated attackers to exploit command injection and buffer overflows on TCP ports 8888, 8889, and 8890. TP-Link addressed the issue by removing commands containing shell meta-characters in firmware version 1.1.1.7.
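The fix described above rejects commands that contain shell meta-characters. The following is an added illustration, not TP-Link's or OneKey's code: it shows that denylist check beside a stricter allowlist check over constructed command lines; the command verbs ("wl", "set", "get") and the samples are hypothetical, not the router's real command set.

```c
/* Added example (not TP-Link's code): validate a command string received on a
 * network control channel before it reaches a shell, the kind of fix the
 * briefing describes for CVE-2024-5035. Verbs and samples are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bytes that let input break out of one shell word or chain commands. */
static const char SHELL_META[] = ";|&$`\"'\\<>(){}[]*?~\n\r";

/* Denylist check, the approach described for the vendor patch. */
bool has_shell_meta(const char *cmd)
{
    for (const char *p = cmd; *p; p++)
        if (strchr(SHELL_META, *p))
            return true;
    return false;
}

/* Stricter allowlist: a known verb (hypothetical list), then only
 * alphanumerics, space, '_', '.', '-', within a bounded length. */
static const char *const ALLOWED_VERBS[] = { "wl", "set", "get", NULL };
#define MAX_CMD_LEN 64

bool command_allowed(const char *cmd)
{
    size_t len = strlen(cmd), vlen = strcspn(cmd, " ");
    if (len == 0 || len >= MAX_CMD_LEN) return false;
    bool verb_ok = false;
    for (int i = 0; ALLOWED_VERBS[i]; i++)
        if (strlen(ALLOWED_VERBS[i]) == vlen && strncmp(cmd, ALLOWED_VERBS[i], vlen) == 0)
            verb_ok = true;
    if (!verb_ok) return false;
    for (const char *p = cmd + vlen; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr(" _.-", *p))
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample lines; the third shows a denylist gap an allowlist closes. */
    const char *samples[] = { "wl status", "wl status; echo injected", "reboot now" };
    for (int i = 0; i < 3; i++)
        printf("%-28s meta=%d allowed=%d\n", samples[i],
               has_shell_meta(samples[i]), command_allowed(samples[i]));
    return 0;
}
```

The third sample passes the meta-character denylist yet fails the allowlist, which is why an allowlist of expected verbs and characters is the stronger control for a startup binary that executes network input.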
macOS Sonoma flaw risks privilege escalation
A newly discovered vulnerability in macOS Sonoma, CVE-2024-27842, allows privilege escalation and impacts the Universal Disk Format filesystem. The flaw is reached through IOCTL functions and can be used to execute arbitrary code with kernel privileges, or to trigger kernel panics. The PoC revealed that a buffer overflow condition is created by writing a 0x28-byte buffer into a 0x18-byte stack buffer.
Scams surge during Hajj pilgrimage
As millions of Muslims embark on the annual Hajj pilgrimage to Mecca, the Resecurity team highlighted various scams targeting pilgrims. These include fake travel agencies, online registration scams, and phishing campaigns exploiting official platforms like Nusuk. Scammers use fake websites, social media, and generative AI to steal personal information and money. Pilgrims are advised to research reputable services, verify credentials, and stay alert.