Cyware Daily Threat Intelligence, November 28, 2024

Daily Threat Briefing Nov 28, 2024

Hackers are rewriting the rules of game development with malicious intent. By embedding the GodLoader malware into assets of the popular Godot game engine, attackers have compromised over 17,000 systems globally. Disguised within GitHub repositories, the malware steals credentials, installs crypto miners, and targets developers and gamers alike.

WhatsApp’s trust is being turned against its users. The PixPirate malware, which began in Brazil, now spans countries like India, Italy, and Mexico. Spreading through social engineering on YouTube and malicious WhatsApp messages, it manipulates contacts, creates spam groups, and exploits its victims' trust in the messaging platform.

Unpatched software remains an open door for cybercriminals. A critical authentication bypass flaw in ProjectSend is enabling attackers to upload webshells and remotely access servers. Despite the availability of a patch since May 2023, most instances remain vulnerable, highlighting the importance of timely updates.

Top Malware Reported in the Last 24 Hours

Hackers abuse Godot to deploy GodLoader

Hackers utilized the GodLoader malware, taking advantage of the popular Godot game engine to infect over 17,000 systems across multiple platforms. By exploiting the engine's flexibility and GDScript capabilities, they embedded harmful scripts in game asset files to execute malicious code. The malware enables theft of credentials and the download of additional payloads, including a crypto miner. The attackers utilized the Stargazers Ghost Network to distribute the malware through seemingly legitimate GitHub repositories, targeting developers and gamers.

APT-C-60 targets Japan with SpyGlace

South Korea-linked cyber-espionage group APT-C-60 conducted a cyberattack on an organization in Japan, using a job application theme to deliver the SpyGlace backdoor. The attack employed legitimate services such as Google Drive, Bitbucket, and StatCounter. A phishing email disguised as a job application was sent to the organization's recruiting contact, which led to the malware infection. The infection chain involved an RCE vulnerability in WPS Office, triggered through a file hosted on Google Drive. SpyGlace allowed the attackers to steal files and execute commands by connecting to a C2 server.

PixPirate resurfaces, spreads via WhatsApp

The PixPirate malware, originally targeting financial services in Brazil, has evolved to spread through WhatsApp and now affects countries such as India, Italy, and Mexico. It uses social engineering tactics on YouTube to trick users into installing it, and then spreads further through malicious WhatsApp messages. The malware hides itself on devices and exploits WhatsApp's trust-based system to send and delete messages, manipulate contacts, and create spam groups.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft re-releases Exchange updates

Microsoft re-released the November 2024 security updates for Exchange Server after initially pulling them because of email delivery issues caused by custom mail flow rules. The re-released update, called Nov 2024 SUv2, resolves the mail delivery problems and provides more granular control over email headers. Admins are advised to install the re-released update and to run the Exchange Health Checker script after installation. The update also adds detection and warnings for a high-severity Exchange Server vulnerability (CVE-2024-49040).

ProjectSend flaw under exploit

Threat actors are actively exploiting a critical authentication bypass flaw (CVE-2024-11680) in ProjectSend, allowing them to upload webshells and gain remote access to servers. Despite a patch being available since May 16, 2023, the majority of ProjectSend instances (99%) remain vulnerable. Public exploits released in September 2024 have led to an increase in exploitation, with attackers altering system settings, enabling user registrations, and deploying webshells. It's crucial for users to upgrade to ProjectSend version r1750 to mitigate the widespread attacks.

Top Scams Reported in the Last 24 Hours

“You’re Fired!” Beware of this new scam

A new phishing campaign deceives people into thinking they have lost their jobs. It starts with an email that looks like a legal notice of termination. Cloudflare observed this attack targeting 14 customers, indicating a single actor behind it. One email subject, "Action Required: Tribunal Proceedings Against You," threatens legal action and prompts users to click a link that downloads malware. This attack mainly targets Windows users, delivering harmful software, including a banking trojan named Ponteiro that steals credentials.