
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 13, 2024

Cybercriminals have infected more than 1.3 million Android-based TV streaming boxes with the new Vo1d backdoor, giving them remote control of the devices. Notably, the infected boxes run the Android Open Source Project (AOSP) rather than Google's Android TV.

What looks like just another Excel file hides something far more sinister: a phishing campaign that unleashes the stealthy Remcos RAT. The campaign exploits CVE-2017-0199, a Microsoft Office flaw patched in 2017.

GitLab users, beware: a newly disclosed critical flaw lets an attacker run pipeline jobs as other users. It is one of 17 vulnerabilities fixed in GitLab's latest security release, with no evidence of exploitation so far.

Top Malware Reported in the Last 24 Hours

New Vo1d malware infects Android streaming boxes

Threat actors infected over 1.3 million Android-based TV streaming boxes with the Vo1d backdoor, giving them full control over the devices. The malware targets firmware builds such as Android 7.1.2 and Android 10.1 and modifies system files to persist across reboots. Dr.Web researchers found infected devices in nearly 200 countries, with the most cases in Brazil, Morocco, and Pakistan. The exact method of compromise is unknown; researchers suspect vulnerabilities in the outdated software these boxes ship with. Google clarified that the infected devices are not running Android TV but the Android Open Source Project (AOSP), so they are not Play Protect certified.

New Android malware attacks Central Asia

Banking customers in Central Asia are under attack from Ajina.Banker, an Android malware discovered in May 2024 by Group-IB. The malware spreads through Telegram channels, posing as legitimate apps related to banking, payment systems, and more. Financially motivated affiliates distribute it to ordinary users in countries including Armenia, Kazakhstan, and Russia. Once installed, Ajina.Banker can read SMS messages, SIM card information, and data from financial apps, sending what it collects to a remote server.

Weaponized Excel doc spreads Remcos RAT

A recent phishing campaign delivers a harmless-looking Excel file that exploits CVE-2017-0199, a Microsoft Office flaw in the handling of OLE objects, to pull in remote content. The document uses encryption and obfuscation to hide its payload; when it is opened, a chain of OLE object exploitation, HTA application execution, and PowerShell commands injects a fileless Remcos RAT into a legitimate process, giving attackers remote access. Because the RAT runs inside a legitimate process rather than as its own executable, it evades traditional security controls. The campaign has targeted various sectors across several countries.
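The CVE-2017-0199 delivery pattern described above is an OLE object whose relationship target is a remote URL (typically an HTA) instead of a part embedded in the document package. The scanner below, added here as an example and not code from the briefing or from the researchers who analysed the campaign, walks every `.rels` part of an OOXML (xlsx/docx) package and flags oleObject relationships that are external or URL-shaped. The fixture builder constructs a minimal xlsx-shaped package in memory; the hostnames, file names, and IP (a documentation address) are hypothetical, not artifacts from the real campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMG_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
# Remote targets are the CVE-2017-0199 case; file:// UNC paths are worth flagging too.
REMOTE = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)


def find_external_ole_links(data: bytes) -> list:
    """Return every oleObject relationship in an OOXML package whose target is
    external (TargetMode="External" or a URL scheme).  A legitimate embedded OLE
    object points at a part inside the package, e.g. ../embeddings/oleObject1.bin."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") == "External" or REMOTE.match(target):
                    hits.append({"rels": name, "id": rel.get("Id"), "target": target})
    return hits


def build_sample_xlsx(ole_target: str, external: bool) -> bytes:
    """Constructed fixture: a minimal xlsx-shaped zip with one oleObject
    relationship and one benign image relationship.  Not a real campaign sample."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{ole_target}"{mode}/>'
        f'<Relationship Id="rId2" Type="{IMG_REL}" Target="../media/image1.png"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        pkg.writestr("xl/worksheets/sheet1.xml", '<?xml version="1.0"?><worksheet/>')
        pkg.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address; the HTA name is hypothetical.
    suspicious = build_sample_xlsx("http://203.0.113.5/update.hta", external=True)
    benign = build_sample_xlsx("../embeddings/oleObject1.bin", external=False)
    print(find_external_ole_links(suspicious))  # one hit: the remote .hta
    print(find_external_ole_links(benign))      # []
```

The check is deliberately structural rather than signature-based: the obfuscation and encryption the campaign applies to its payload do not affect the relationship XML, which Office must be able to read in order to follow the link. Legacy RTF/DOC carriers of the same bug store the link inside an OLE2Link object instead, so this scanner covers only the OOXML container.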

Top Vulnerabilities Reported in the Last 24 Hours

GitLab patches 17 vulnerabilities

GitLab released security updates for 17 vulnerabilities, including a critical flaw (CVE-2024-6678) that allows an attacker to trigger pipeline jobs as an arbitrary user. The update also addresses three high-severity, 11 medium-severity, and two low-severity bugs. The fixes are available in versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab CE and EE. While there is no evidence of active exploitation, users are advised to apply the patches promptly to reduce potential risks.
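For administrators with more than one instance, the practical question is which hosts sit below the fixed release on their minor line. The triage helper below is an added example, not GitLab's own tooling; it parses the version string in the shape GitLab's `GET /api/v4/version` endpoint returns (for example `17.3.1-ee`) and compares it against the fixed releases listed above. The inventory is a constructed sample with hypothetical hostnames; nothing is fetched over the network.

```python
import json

# First fixed release on each supported minor line, from the advisory.
FIXED = {(17, 3): (17, 3, 2), (17, 2): (17, 2, 5), (17, 1): (17, 1, 7)}
NEWEST_FIXED_LINE = max(FIXED)


def parse_version(text: str) -> tuple:
    """'17.3.1-ee' -> (17, 3, 1).  The -ce/-ee edition suffix GitLab reports
    does not affect fix status, so it is stripped."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(text: str) -> bool:
    """True when the version is at or past the first fixed release of its minor
    line.  Minor lines older than 17.1 are out of support and received no fix, so
    they count as vulnerable; lines newer than 17.3 were cut after the fix."""
    version = parse_version(text)
    line = version[:2]
    if line in FIXED:
        return version >= FIXED[line]
    return line > NEWEST_FIXED_LINE


def triage(version_responses: dict) -> dict:
    """Map host -> 'patched' / 'vulnerable' given the JSON body each host's
    /api/v4/version endpoint returned (constructed samples below)."""
    return {
        host: ("patched" if is_patched(json.loads(body)["version"]) else "vulnerable")
        for host, body in version_responses.items()
    }


if __name__ == "__main__":
    # Constructed inventory; hostnames and revisions are hypothetical.
    sample = {
        "gitlab-a.example": '{"version": "17.3.1-ee", "revision": "0000000"}',
        "gitlab-b.example": '{"version": "17.2.5-ce", "revision": "0000000"}',
        "gitlab-c.example": '{"version": "16.11.9-ee", "revision": "0000000"}',
    }
    for host, status in triage(sample).items():
        print(host, status)  # a: vulnerable, b: patched, c: vulnerable
```

Treating out-of-support lines as vulnerable rather than unknown is the conservative choice: an instance on 16.x cannot be brought to a fixed release without a minor-line upgrade, and reporting it as "unknown" tends to get it dropped from the patch list.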

Bugs in Citrix Workspace app

Cloud Software Group disclosed two vulnerabilities, CVE-2024-7889 and CVE-2024-7890, in the Citrix Workspace app for Windows. Both are local privilege escalation flaws: an attacker with low-privileged access could elevate to the highest privilege level and take over the machine. Affected versions are Citrix Workspace app for Windows before 2405 (Current Release) and before 2402 LTSR CU1 (Long Term Service Release). The vulnerabilities carry CVSSv4 scores of 7.0 and 5.4, rated high and medium severity, respectively.
