Cyware Daily Threat Intelligence

Daily Threat Briefing September 2, 2024

In the ever-expanding market of cybercrime services, new threats are emerging as sophisticated tools available for hire. A new RaaS operation, Cicada3301, has quickly made its presence known, targeting both Windows and Linux/ESXi systems and already listing 23 victims since mid-June. Similarly, ManticoraLoader, a MaaS distributed on the XSS hacker forum, is gaining traction for its stealth and obfuscation capabilities.

Intensifying the threat landscape, the North Korean Citrine Sleet group capitalized on a recently patched Chrome zero-day vulnerability. The APT group deployed the FudModule rootkit, homing in on the cryptocurrency sector.

Top Malware Reported in the Last 24 Hours

Cicada3301: New RaaS in the threat landscape

A new RaaS operation called Cicada3301 has emerged and has already listed 23 victims on its extortion portal since mid-June. The ransomware is written in Rust and targets both Windows and Linux/ESXi hosts. The group behind Cicada3301 has recruited affiliates and shares similarities with the now-defunct BlackCat/ALPHV group. The ransomware supports configurable parameters for its operation, targets specific file extensions and generates a symmetric key for encryption. After encrypting files, it creates a ransom note.

Malicious npm packages target Roblox developers

Developers on Roblox are being targeted in a persistent campaign using fake npm packages to compromise systems. Attackers are mimicking the popular 'noblox.js' library, creating packages to steal data and compromise systems. Malicious packages noblox.js-proxy-server and noblox-ts were found impersonating Node.js libraries to deliver malware like Quasar RAT. Techniques like brandjacking and starjacking were used to make these packages seem legitimate. The malware enables the delivery of additional payloads from GitHub, steals Discord tokens, and gains persistence through Windows Registry changes.
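The brandjacked names above ('noblox.js-proxy-server', 'noblox-ts') share a recognisable pattern: they extend or lightly alter a trusted package name. The following Python scan is an added illustration of how a defender can surface such lookalike dependencies before installation; it is not code from the original report or from any of the projects named. The trusted-name list and the package.json manifest are constructed for the example, and the thresholds are assumptions a team would tune.

```python
import json
import re

# Constructed allowlist of packages the project is known to depend on.
TRUSTED = {"noblox.js", "express", "lodash", "react"}

# Constructed manifest: mixes the real 'noblox.js' with lookalikes
# (names taken from the report) and a typosquat of lodash.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-game-tools",
    "dependencies": {
        "noblox.js": "^4.0.0",
        "express": "^4.19.0",
        "lodahs": "^4.17.21",
    },
    "devDependencies": {
        "noblox.js-proxy-server": "^1.0.0",
        "noblox-ts": "^1.0.0",
        "@types/node": "^20.0.0",
    },
})


def normalize(name):
    """Lowercase, drop an npm scope prefix and strip separator punctuation
    so 'noblox.js' and 'noblox-js' compare equal."""
    name = name.lower()
    if name.startswith("@"):
        name = name.split("/", 1)[-1]
    return re.sub(r"[.\-_]", "", name)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def max_distance(normalized_trusted):
    # Assumed tuning: longer names tolerate two edits, short ones only one,
    # to limit false positives on five-letter package names.
    return 2 if len(normalized_trusted) >= 6 else 1


def lookalike_reason(name, trusted=TRUSTED):
    """Return a human-readable reason if `name` resembles a trusted package
    without being one, else None."""
    if name in trusted:
        return None
    n = normalize(name)
    for t in trusted:
        tn = normalize(t)
        # Brandjacking pattern: trusted name used as a prefix or suffix.
        if n.startswith(tn) or n.endswith(tn):
            return f"extends trusted name {t!r}"
        # Typosquat pattern: within a small edit distance of a trusted name.
        if levenshtein(n, tn) <= max_distance(tn):
            return f"within edit distance {max_distance(tn)} of {t!r}"
    return None


def scan_manifest(manifest_json, trusted=TRUSTED):
    """Scan dependencies and devDependencies; return {name: reason}."""
    manifest = json.loads(manifest_json)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            reason = lookalike_reason(name, trusted)
            if reason:
                findings[name] = reason
    return findings


if __name__ == "__main__":
    for pkg, why in scan_manifest(SAMPLE_PACKAGE_JSON).items():
        print(f"REVIEW {pkg}: {why}")
```

Run against the constructed manifest, the scan flags 'noblox.js-proxy-server' (prefix of a trusted name), 'noblox-ts' (one edit from 'noblox.js' once separators are stripped) and 'lodahs' (two edits from 'lodash'), while the genuine 'noblox.js' and the scoped '@types/node' pass. Legitimate ecosystem packages that extend a trusted name (for example an 'express-*' middleware) will also be surfaced, so findings are review prompts that feed the allowlist rather than automatic blocks.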

New ManticoraLoader MaaS proliferates

ManticoraLoader is a new MaaS observed on the XSS cybercrime forum, distributed by a user with the alias DarkBLUP. The malware, available on Telegram since August 8, features stealth and obfuscation tactics and is compatible with Windows 7 and above. It collects detailed information from infected devices and covertly sends the data to a central control panel for profiling victims and customizing attacks. The actors limit the service to 10 clients at $500 per month.

GitHub comments push password-stealer

GitHub is being misused to spread the Lumma Stealer information-stealing malware through fake fixes posted in project comments. The issue was initially highlighted by a contributor to the teloxide Rust library who received fake fix comments on their GitHub issues; further investigation revealed thousands of similar fake fixes across various GitHub projects. The fake fixes prompt users to download a password-protected archive from mediafire.com or a bit.ly URL, with the password usually being 'changeme'. Reverse engineer Nicholas Sherlock identified over 29,000 malicious comments pushing this malware in just three days.

Top Vulnerabilities Reported in the Last 24 Hours

Citrine Sleet group exploits Chromium 0-day

The North Korean Citrine Sleet group exploited a recently patched Google Chrome zero-day vulnerability (CVE-2024-7971) to deploy the FudModule rootkit, targeting the cryptocurrency sector for financial gain. The zero-day exploit allows for remote code execution in the sandboxed Chromium renderer process, enabling the deployment of the FudModule rootkit, which operates from user mode and tampers with kernel security mechanisms. The attack also involved the exploitation of an elevation of privilege vulnerability in the Windows kernel (CVE-2024-38106).

Fortra fixes two severe bugs

Fortra released patches for two vulnerabilities found in FileCatalyst Workflow. The first, tracked as CVE-2024-6633 with a CVSS score of 9.8, is rated critical and is described as an insecure default in the FileCatalyst Workflow setup. It affects FileCatalyst Workflow 5.1.6 Build 139 and earlier versions and allows an unauthenticated attacker to gain remote access to the database, potentially manipulating or exfiltrating data and creating admin users. The second is a high-severity SQL injection issue (CVE-2024-6632) that requires super admin credentials to exploit. Customers are advised to update to FileCatalyst Workflow version 5.1.7 build 156 or later to mitigate both vulnerabilities.
