
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 8, 2023

Today’s daily threat briefing starts with the discovery of a new macOS malware that targets cryptocurrency users. Named ObjCShellz, the malware has been attributed to the North Korea-based BlueNoroff APT group and is being used as part of the RustBucket campaign that was discovered earlier this year. A new malware dropper, dubbed SecuriDropper, has also come under the lens of researchers for its ability to drop spyware and banking trojans by bypassing the security restrictions in Android 13.

There’s also information on a new GootLoader variant, a meticulously crafted PowerShell script that uses compromised WordPress sites for communications while evading detection. Meanwhile, organizations should stay alert for fake resumes that distribute LockBit 3.0 and Vidar infostealer.

Top Breaches Reported in the Last 24 Hours

USDoD leaks LinkedIn user data

A threat actor named USDoD leaked a scraped LinkedIn database, holding the personal information of over 35 million users. The data was dumped on the BreachForums cybercrime marketplace. The leaked data primarily includes full names, email addresses, and profile bios of users, with some screenshots showing that many of these email addresses belong to various government agencies worldwide.

Data breach at Marina Bay Sands

A data breach at Marina Bay Sands, Singapore, impacted the personal data of 665,000 customers. The incident was discovered on October 20 and the type of information accessed includes names, email addresses, mobile phone numbers, and country of residence of individuals. The luxury resort clarified that the Sands Rewards Club members have not been impacted by the incident.

Sumo Logic investigating a breach

Sumo Logic, a cloud-based machine data analytics company, is investigating a cybersecurity incident that involved the use of compromised credentials to access its AWS account. Upon detecting suspicious activity, the firm took immediate actions to secure its vulnerable infrastructure and reset potentially compromised credentials. Currently, there is no information on the customers impacted by the incident.

Monero Project hacked to drain $437,000

A Monero Project maintainer disclosed that one of its wallets was hacked on September 1 to drain around $437,000 in Monero cryptocurrency. The funds were drained in nine separate transactions that took place within a couple of minutes. While the team is still trying to determine the initial access vector of the attack, it claims that none of the project’s other wallets were affected.

Cambodian government targeted

At least 24 Cambodian government organizations were targeted as part of a long-term cyberespionage attack attributed to two prominent Chinese APT groups. Some of the impacted organizations included those in national defense, election, human rights, commerce, and natural resources.

$768,000 of crypto stolen from users

Microsoft removed a fake Ledger Live cryptocurrency management app from its store after it enabled fraudsters to steal more than $768,000 worth of cryptocurrency assets. It remains unclear how many users were affected. The fake app had been available on the store since October 19, and the fraud was discovered on November 5.

Japan Aviation Electronics suffers a cyberattack

Japan Aviation Electronics disclosed that it was forced to shut down its website following a cyberattack. While no information leakage has been confirmed, some systems have been suspended for investigation, causing delays in sending and receiving emails. Meanwhile, the BlackCat ransomware gang has claimed responsibility by adding the firm’s name to its leak site.

Top Malware Reported in the Last 24 Hours

New ObjCShellz malware

ObjCShellz is a new macOS malware that is likely being used by the North Korean BlueNoroff APT group to target cryptocurrency users. The malware is believed to be used as part of another BlueNoroff cyberespionage campaign, named RustBucket, which was discovered earlier this year. It is written in Objective-C and acts as a remote shell, executing commands sent from attacker-controlled C2 servers.

Malicious Python packages discovered

Throughout the year, attackers have been found distributing malicious Python packages disguised as legitimate obfuscation tools to target developers. The latest package, named BlazeStealer, can steal a wide range of information, including passwords, host details, and keystrokes, from victims’ systems. The malware is also capable of encrypting files, potentially for ransom.

New SecuriDropper installs malware

A newly identified malware dropper, dubbed SecuriDropper, has been found using a session-based installer to bypass the ‘Restricted Settings’ feature in Android 13. It is being used to install spyware and banking trojans on compromised Android phones, with SpyNote malware and Ermac banking trojan observed so far. According to researchers, the dropper camouflages itself as a legitimate application, spanning from social apps to productivity tools, to evade detection during the infection process.

A new variant of GootLoader discovered

A new variant of the GootLoader malware, called GootBot, has been found facilitating lateral movement on compromised systems while evading detection. It is an obfuscated PowerShell script that connects to a compromised WordPress site to receive further commands. Currently, the malware has been observed in multiple malvertising campaigns that leverage SEO-poisoned searches for themes such as contracts and legal forms to trick users.

LockBit joins Vidar in a campaign

LockBit ransomware and Vidar infostealer are being distributed via fake resumes in a new campaign to infect users. Once executed on a victim’s system, the malware connects to a Telegram channel named ‘twowheelfun’ for C2 communication. The ransomware version executed is LockBit 3.0, which encrypts files on the user’s PC, excluding PE files.
