Cyware Daily Threat Intelligence

Daily Threat Briefing • May 30, 2024
Cybercriminals rigged a game emulator so that users who downloaded it from a specific website unknowingly installed the XMRig CoinMiner. Once executed, the installer uses PowerShell to copy and launch the miner, registering it in the Windows Registry and Task Scheduler for persistence. Separately, a new campaign targets Brazilian banking customers with AllaSenha, a variant of the AllaKore RAT that uses Azure cloud as its C2 infrastructure. Initial access is likely via phishing. The malware steals credentials and 2FA codes, and the campaign shows links to Latin American threat actors.
LightSpy, a surveillance framework known for targeting Android and iOS, now has a macOS version. With 28 plugins, it can perform extensive data exfiltration, and the researchers hint at Windows, Linux, and router implants as well. Separately, attackers were observed abusing a zero-day vulnerability in Check Point VPNs to gain remote access to enterprise networks.
CoinMiner distributed via game emulator
ASEC detected the distribution of the XMRig CoinMiner through a game emulator for a popular gaming console. When users downloaded the emulator from a specific website, they received a compressed archive containing the emulator and a Readme.txt file. The file posing as the emulator installer actually deploys the CoinMiner: upon execution, the installer creates and runs the miner via PowerShell commands.
XWorm malware disguised as adult games
ASEC uncovered another campaign that disguises XWorm v5.6 malware as adult games spread through webhards (web hard drives) in South Korea. Masquerading as a legitimate game, the malware executes when the user presses "Game Play!" and persists by copying itself to the Windows folder and adding registry entries. It then injects itself into legitimate processes to carry out keylogging and data exfiltration.
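Both ASEC items above describe the same persistence pattern: a binary launched from a user-writable location (a downloads folder or a webhard "game") spawns PowerShell or copies itself, then registers a Run key or a scheduled task. The following Python script is an added example, not code from ASEC or from either report: it correlates constructed Sysmon-style events (ProcessCreate, FileCreate and RegistryEvent records, using Sysmon's field names) by process ancestry and flags any process tree rooted in a user-writable path that shows those behaviours. All events, paths and GUIDs are constructed for the example.

```python
"""Flag user-launched binaries that establish persistence via Run keys,
scheduled tasks, or copies into C:\\Windows (added example, constructed data)."""
import re
from collections import defaultdict

# Persistence indicators described in the ASEC reports above.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
# Where a downloaded emulator or webhard "game" would typically be run from.
USER_WRITABLE_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.IGNORECASE)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-style events (not real telemetry). EventID 1 =
# ProcessCreate, 11 = FileCreate, 13 = RegistryEvent (value set).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{EXP}",
     "Image": r"C:\Users\alice\Downloads\emulator_setup.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\emulator_setup.exe"'},
    {"EventID": 1, "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}", "Image": PS,
     "CommandLine": (r'powershell -w hidden -c "Copy-Item $env:TEMP\svc.exe C:\Windows\svc.exe; '
                     r'schtasks /create /tn Update /tr C:\Windows\svc.exe /sc onlogon /f"')},
    {"EventID": 11, "ProcessGuid": "{A2}", "Image": PS,
     "TargetFilename": r"C:\Windows\svc.exe"},
    {"EventID": 13, "ProcessGuid": "{A2}", "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Windows\svc.exe"},
    # Benign: a vendor updater under Program Files registering its own Run key.
    {"EventID": 1, "ProcessGuid": "{B1}", "ParentProcessGuid": "{SVC}",
     "Image": r"C:\Program Files\Vendor\updater.exe", "CommandLine": "updater.exe /quiet"},
    {"EventID": 13, "ProcessGuid": "{B1}", "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]


def find_persistence(events):
    """Return {root_image: [techniques]} for every process tree whose root
    lives in a user-writable path and which sets a Run key, creates a
    scheduled task, or writes a file into C:\\Windows."""
    image_of, parent_of = {}, {}
    for e in events:
        if e["EventID"] == 1:
            image_of[e["ProcessGuid"]] = e["Image"]
            parent_of[e["ProcessGuid"]] = e.get("ParentProcessGuid")

    def root(guid):
        # Climb the ancestry while the parent is a process we actually observed.
        seen = set()
        while parent_of.get(guid) in image_of and guid not in seen:
            seen.add(guid)
            guid = parent_of[guid]
        return guid

    techniques = defaultdict(set)
    for e in events:
        r = root(e["ProcessGuid"])
        if e["EventID"] == 1 and SCHTASKS_RE.search(e.get("CommandLine", "")):
            techniques[r].add("scheduled_task")
        elif e["EventID"] == 11 and WINDOWS_DIR_RE.match(e.get("TargetFilename", "")):
            techniques[r].add("copy_to_windows_dir")
        elif e["EventID"] == 13 and RUN_KEY_RE.search(e.get("TargetObject", "")):
            techniques[r].add("run_key")

    return {image_of[r]: sorted(t) for r, t in techniques.items()
            if r in image_of and USER_WRITABLE_RE.match(image_of[r])}


if __name__ == "__main__":
    for image, seen in find_persistence(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {', '.join(seen)}")
```

The root-of-tree correlation matters: the Run key and the file copy are performed by PowerShell, which lives under System32 and would pass a naive path filter. Attributing the behaviour to the downloaded parent is what separates the emulator case from the vendor updater. In a real pipeline the same logic runs over parsed Sysmon XML rather than the inline dictionaries.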
Advanced malware attack by Andariel APT
A further ASEC report describes Andariel APT attacks on South Korean organizations in the education, manufacturing, and construction sectors using keyloggers, info stealers, and proxy tools. Key malware used by the group includes Nestdoor RAT, which enables remote system control, and Dora RAT, written in Go, which provides a reverse shell and file operations. In one instance, the payload was distributed via compromised Apache Tomcat servers and disguised as legitimate software.
Brazilian banks face AllaKore RAT’s variant
A new campaign targets Brazilian banks with AllaSenha, a custom variant of the AllaKore RAT that uses Azure cloud infrastructure for C2. The attack begins with malicious LNK files disguised as PDFs and hosted on WebDAV servers. The BPyCode launcher downloads Python binaries and executes a Python script that loads ExecutorLoader, which injects AllaSenha into a legitimate process. AllaSenha steals banking credentials and captures 2FA codes.
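The lure in this campaign works because Explorer hides the .lnk suffix and the shortcut's real target sits on a remote WebDAV share. The following Python helper is an added example, not code from the report, for triaging mail attachments: it identifies a Shell Link by its fixed header (size 0x4C plus the CLSID 00021401-0000-0000-C000-000000000046) regardless of extension, flags decoy double extensions, and pulls UNC targets out of the file's UTF-16LE strings, treating the Windows WebClient's `\\host@SSL\DavWWWRoot\...` form as a WebDAV indicator. The sample blobs, host and file names are constructed; the fake LNK models only the header signature and one embedded string, not a complete Shell Link structure.

```python
"""Spot LNK files posing as PDFs and extract UNC/WebDAV targets from their
embedded strings (added example; the sample blobs are constructed)."""
import re

# Shell Link header: HeaderSize 0x4C, then CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
# Decoy names such as "Fatura.pdf.lnk": Explorer hides .lnk, so the user sees a PDF.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)
# UNC path; "\\host@SSL\DavWWWRoot\..." is how the WebClient service addresses HTTPS WebDAV.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9.\-]+(?:@SSL(?:@\d+)?)?\\[^\s\"]+", re.IGNORECASE)
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def utf16le_strings(data):
    """Yield printable UTF-16LE runs (LNK stores paths and arguments this way)."""
    for m in UTF16_RUN_RE.finditer(data):
        yield m.group(0).decode("utf-16-le")


def sniff(data):
    """Classify by magic bytes, ignoring whatever extension the name claims."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def inspect_attachment(name, data):
    lower = name.lower()
    declared = lower.rsplit(".", 1)[-1] if "." in lower else ""
    actual = sniff(data)
    targets = []
    if actual == "lnk":
        for s in utf16le_strings(data):
            targets.extend(m.group(0) for m in UNC_RE.finditer(s))
    webdav = any("davwwwroot" in t.lower() or "@ssl" in t.lower() for t in targets)
    suspicious = ((actual == "lnk" and declared != "lnk")
                  or bool(DOUBLE_EXT_RE.search(lower)) or webdav)
    return {"name": name, "declared": declared, "actual": actual,
            "unc_targets": targets, "webdav": webdav, "suspicious": suspicious}


# Constructed samples. The LNK stub has a valid header signature, 56 bytes of
# padding to fill the 0x4C-byte header, and one UTF-16LE target string.
TARGET = r"\\203.0.113.10@SSL\DavWWWRoot\docs\launcher.exe"
FAKE_LNK = LNK_MAGIC + b"\x00" * 56 + TARGET.encode("utf-16-le") + b"\x00\x00"
FAKE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("Fatura.pdf.lnk", FAKE_LNK), ("Fatura.pdf", FAKE_LNK),
                       ("Nota.pdf", FAKE_PDF)]:
        print(inspect_attachment(name, blob))
```

The string sweep is a heuristic, not a parser: a full triage tool should walk the LinkInfo and StringData sections per MS-SHLLNK. It is still enough to catch the two things this lure relies on, a shortcut that is not what its name says and a target reached over WebDAV instead of the local disk.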
LightSpy’s attack surface expanded to macOS
The LightSpy surveillance framework, previously known for targeting Android and iOS, has extended its reach to macOS. Used in attacks across the Asia-Pacific region, the modular framework steals a wide range of data from infected devices. A ThreatFabric report unveiled the macOS implant, detailing its infection chain and operational mechanisms. The malware exploits WebKit flaws to gain root access, establishes persistence, and enables comprehensive data exfiltration.
Malware spread through Stack Overflow
Cybercriminals adopted a new tactic to distribute malware: answering questions on Stack Overflow and recommending a malicious PyPI package disguised as an API management tool. The package, named 'pytoileur,' is part of the 'Cool package' campaign targeting Windows users. The threat actors give unsuspecting developers instructions to install the package, which, when executed, downloads and runs an info-stealer delivered as an EXE file.
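A package recommended in a forum answer runs arbitrary code the moment `pip install` executes its setup.py, so the check a practitioner wants is a look at that script before installing. The following Python audit is an added example, not code from the campaign report and not pytoileur's actual setup.py: it parses a setup.py with `ast` and reports subclasses of setuptools' install-time commands, `cmdclass` overrides, and calls that decode, download or execute something during installation. The install-hook pattern it looks for is a common supply-chain vector and is an assumption here, not a detail the briefing states; both sample scripts and the package name in them are constructed.

```python
"""Static audit of a setup.py for install-time execution hooks and payload
staging (added example; the sample setup.py sources are constructed)."""
import ast

# setuptools commands that run automatically during `pip install`.
HOOK_COMMANDS = {"install", "develop", "egg_info", "build_py"}
# Calls that have no business in a package's metadata script.
SUSPICIOUS_CALLS = {
    "exec": "dynamic code execution", "eval": "dynamic code execution",
    "subprocess.run": "process execution", "subprocess.Popen": "process execution",
    "subprocess.call": "process execution", "os.system": "process execution",
    "os.popen": "process execution",
    "base64.b64decode": "base64-encoded payload",
    "urllib.request.urlopen": "network fetch at install time",
    "urllib.request.urlretrieve": "network fetch at install time",
    "requests.get": "network fetch at install time",
}


def _dotted_name(node):
    """Turn an Attribute/Name chain such as subprocess.Popen into 'subprocess.Popen'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_setup_py(source):
    """Return a list of human-readable findings for the given setup.py source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                b = _dotted_name(base)
                if b and b.rsplit(".", 1)[-1] in HOOK_COMMANDS:
                    findings.append(f"line {node.lineno}: class {node.name} subclasses "
                                    f"setuptools command '{b}' (runs during install)")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: {name} -> {SUSPICIOUS_CALLS[name]}")
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.append(f"line {node.value.lineno}: setup(cmdclass=...) replaces a "
                            "build/install command with custom code")
    return findings


# Constructed: the shape of an install hook that stages a hidden command.
MALICIOUS_SETUP = '''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class CustomInstall(install):
    def run(self):
        install.run(self)
        cmd = base64.b64decode("cG93ZXJzaGVsbCAtdyBoaWRkZW4=").decode()
        subprocess.Popen(cmd, shell=True)

setup(name="api-mgmt-helper", version="1.0.1", cmdclass={"install": CustomInstall})
'''

# Constructed: an ordinary metadata-only setup.py.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="api-mgmt-helper", version="1.0.0", packages=["api_mgmt_helper"])
'''

if __name__ == "__main__":
    for label, src in [("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)]:
        print(label, audit_setup_py(src) or "no findings")
```

To use it on a real package, fetch the source distribution without installing it (`pip download --no-binary :all: --no-deps <name>`), unpack the archive and run the audit on its setup.py. A clean result is not proof of safety, since a package can also execute on import, but an install hook that decodes and launches a command is exactly the signal this campaign's victims never saw.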
Zero-day exploitation in Check Point VPNs
Researchers recently observed attempts to breach enterprise networks through Check Point VPN gateways affected by a zero-day vulnerability, CVE-2024-24919. The bug allows threat actors to read sensitive information from internet-exposed security gateways that have Remote Access VPN or Mobile Access enabled. Check Point initially released a hotfix to address attacks against password-only logins, and later identified the underlying vulnerability. Mnemonic reported seeing exploitation attempts since April 30.
Critical flaws uncovered in Eclipse ThreadX
Humanativa Group discovered multiple security issues in Eclipse ThreadX, a real-time operating system for IoT devices, which could lead to memory corruption and arbitrary code execution. A buffer overflow tracked as CVE-2024-2214 arises from a missing array-size check. CVE-2024-2212 results from unchecked parameters in the FreeRTOS compatibility API, and CVE-2024-2452 affects the NetX Duo TCP/IP network stack, where integer wraparounds lead to heap buffer overflows.