Cyware Daily Threat Intelligence
Daily Threat Briefing • Sep 4, 2024
Cybercriminals are turning everyday Office documents into weapons, as researchers recently found a string of malicious files uploaded to VirusTotal. What’s unique is that each file is packed with dangerous payloads generated by the MacroPack framework, deploying malware and post-exploitation frameworks.
Hackers have found a new way to slip malware past defenses, as WikiLoader is being spread through SEO poisoning. The malware also spoofs the GlobalProtect VPN software, targeting key U.S. sectors.
Serious security flaws in Zyxel’s business routers have raised alarms, prompting the company to release updates that patch a critical vulnerability allowing remote attackers to execute arbitrary OS commands. The company has also patched other bugs in its firewall products.
Hackers use MacroPack to deploy Brute Ratel
Cisco Talos recently discovered a series of Microsoft Office documents created by the MacroPack payload generator framework and uploaded to VirusTotal between May and July. These documents contained various malicious payloads like the Havoc and Brute Ratel post-exploitation frameworks, as well as a new PhantomCore RAT variant. The MacroPack framework allows for the quick generation of different payloads with a single command, posing a challenge for detection. These documents originated from different countries, each featuring unique payloads and themes.
Earth Lusca uses KTLVdoor backdoor
A new multi-platform backdoor called KTLVdoor, developed in Golang, was found to be associated with the Chinese threat actor Earth Lusca. This malware, available for Windows and Linux, disguises itself as system utilities to perform tasks like file manipulation, command execution, and port scanning. It uses sophisticated encryption and obfuscation methods to avoid detection. The attack utilizes more than 50 C&C servers in China, but it is uncertain if they are exclusively for Earth Lusca or shared with other threat actors.
Emansrepo info-stealer explained
FortiGuard Labs found Emansrepo, a Python info-stealer spreading through fake emails posing as purchase orders and invoices. The malware compresses victim data into zip files and sends them to the attacker. Initially spread via phishing emails containing Emansrepo download links, it is now packaged with PyInstaller so it can run on systems without Python installed. The attack chain has become more complex, with multiple stages and data theft from different sources. Emansrepo collects user data from browsers and sends it to the attacker, and the malware has evolved to steal PDF files, browser extensions, and cookies.
Spoofed GlobalProtect delivers WikiLoader
Unit 42 discovered a variant of the WikiLoader malware being delivered through SEO poisoning and spoofing the GlobalProtect VPN software. The malware uses evasion techniques and has been observed targeting U.S. higher education and transportation sectors. The malware is delivered through fake GlobalProtect installers, and once executed, it uses anti-analysis techniques to avoid detection. The campaign has shown a shift from phishing to SEO poisoning as the delivery method.
Critical bug in Zyxel routers
Zyxel released security updates to fix a critical vulnerability in many of its business routers, which could allow unauthorized attackers to perform OS command injection. The flaw, tracked as CVE-2024-7261 and rated 9.8 on the CVSS v3 scale, enables remote attackers to run arbitrary commands on the host OS due to an input validation error. Zyxel warns that some access points and security routers are vulnerable to this flaw, including models in the NWA Series, NWA1123-AC PRO, WAC Series, WAX Series, and WBE Series. Zyxel has also addressed several high-severity flaws in its ATP and USG FLEX firewalls through security updates.
High-severity bug in VMware Fusion
A high-severity security vulnerability (CVE-2024-38811, CVSS 8.8) has been found in VMware Fusion for macOS, allowing a malicious actor to execute arbitrary code with standard user privileges. This could lead to unauthorized access, data breaches, or system compromise. The vulnerability affects version 13.x, and users are advised to update to version 13.6, which VMware released to fix the flaw.
Social engineering scams target crypto industry
The FBI warned that North Korean threat actors are targeting DeFi and blockchain businesses with sophisticated social engineering scams to steal cryptocurrency assets held by companies. The bureau highlighted the use of complex tactics to gather information about employees and gain unauthorized access to networks, ultimately aiming to deploy malware. Signs of a potential attack include requests to run non-standard software, and companies dealing with cryptocurrency exchange-traded funds are among those targeted. The FBI emphasized the persistent threat posed by North Korea in stealing cryptocurrency funds and engaging in related criminal activity, such as ransomware and money laundering.