
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 25, 2023

Another ambitious banking trojan has emerged to target at least 40 banks in the LATAM region. Named BBTok, the malware generates a unique payload for each victim based on operating system and location. Its multi-layered geo-fencing measures help it avoid infecting systems in other countries. In another report, security experts linked a malicious backdoor called Deadglyph to the UAE-associated Stealth Falcon. The malware supports a range of functions that allow it to steal extensive information about victims' systems, including OS details, installed software, and file contents.

Another backdoor, dubbed LuaDream, also made the headlines but this one lacks any lineage. The operators likely seek call and location data from telecom providers. The analysis revealed that the development of the malware began last year.

Top Breaches Reported in the Last 24 Hours

Cyberattack stunned Bermuda government

The Government of Bermuda experienced a cyberattack that disrupted internet, email, and phone services across all government departments. Initial findings suggest the attack originated from abroad, likely in Russia. While it does not appear that data was stolen, various systems were affected. Efforts are underway to identify the extent of the impact and restore services promptly. The incident also led to the postponement of the House of Assembly sitting.

Data breach impacts 890 U.S. schools

National Student Clearinghouse, a U.S. educational nonprofit, has reported a data breach affecting 890 schools. Attackers gained access to their file transfer server on May 30, 2023, and stole personal information, including names, dates of birth, contact details, SSNs, student IDs, and school-related records. The extent of data exposed raised concerns about potential identity theft and privacy issues among students and staff at the affected schools.

Top Malware Reported in the Last 24 Hours

Banking threat overshadows LATAM banks

Check Point researchers have uncovered a new variant of the BBTok banking trojan, which focuses its attacks on users of more than 40 banks in Latin America, with a primary focus on Brazil and Mexico. This campaign utilizes sophisticated infection chains and unique Living-off-the-Land Binaries (LOLBins), resulting in a low detection rate. BBTok replicates the interfaces of major banks, including Citibank, Scotiabank, Banco Itaú, and HSBC, to deceive victims into divulging personal and financial information, such as 2FA codes.

Stealth Falcon launches modular backdoor

Security researchers have identified a highly advanced modular backdoor, named Deadglyph, believed to be linked to the Stealth Falcon cyberespionage group. It was discovered during an investigation into a cyberattack on a government body in the Middle East. Deadglyph employs various anti-detection mechanisms, continuously monitors system processes, utilizes homoglyph techniques to impersonate legitimate Windows files, and even self-removes if it cannot establish a connection to the C2 server.
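As an added, defender-side example that is not from the Deadglyph report: a small Python check that flags file names imitating legitimate Windows binaries through look-alike (homoglyph) characters or mixed scripts. The confusables map and the allow-list of legitimate names are constructed for illustration and are not exhaustive.

```python
import unicodedata

# Constructed (not exhaustive) map of Cyrillic/Greek letters that render
# like Latin ones, keyed by code point.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p", "\u03bd": "v",
}

# Constructed allow-list of legitimate Windows file names worth protecting.
LEGIT_NAMES = {"svchost.exe", "explorer.exe", "ualapi.dll", "spoolsv.exe", "lsass.exe"}


def skeleton(name):
    """Reduce a file name to its visual 'skeleton': NFKC folds fullwidth and
    other compatibility forms, then known confusables become the Latin
    letter they resemble."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts_in(name):
    """Set of script families (first word of the Unicode character name)
    used by the alphabetic characters of the name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def check_name(name):
    """Return a finding string if the name looks like a homoglyph
    impersonation, otherwise None."""
    if name.lower() in LEGIT_NAMES:
        return None  # exact match with a legitimate name: nothing to flag
    sk = skeleton(name)
    if sk in LEGIT_NAMES:
        return f"{name!r} resembles {sk!r} (homoglyph substitution)"
    if len(scripts_in(name)) > 1:
        return f"{name!r} mixes scripts {sorted(scripts_in(name))}"
    return None


def scan(names):
    """Run check_name over a listing and keep only the findings."""
    return [f for f in (check_name(n) for n in names) if f]


# Constructed sample directory listing: two impostors among benign names.
SAMPLE = ["svchost.exe", "svch\u043est.exe", "ualapi.dll", "\uff55alapi.dll", "notes.txt"]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```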

Telecom firms face LuaDream backdoor

SentinelOne found the Sandman APT group targeting telecommunications companies in the Middle East, Western Europe, and South Asia using a novel backdoor called LuaDream. The backdoor leverages the LuaJIT just-in-time compiler to make malicious Lua script code hard to detect. LuaDream loads a malicious ualapi.dll file through the Fax and Windows Spooler services, waiting for system reboots to execute. The researchers noted that the campaign began in August and demonstrates advanced tactics.

Xenomorph malware expands targets

A new Xenomorph malware campaign was detected in August 2023. It appears to have widened its target scope, including financial institutions and crypto-wallet apps, with each sample aiming at over 100 different targets. This Android malware leverages its Automated Transfer System for versatile actions based on specific conditions. New functionalities include an antisleep feature to prevent sleep mode in devices, mimicking crypto-wallet apps, and a ClickOnPoint feature for simulated touch actions.

Top Vulnerabilities Reported in the Last 24 Hours

CISA flags actively exploited zero day

CISA added CVE-2023-41179, a high-severity zero-day flaw affecting Trend Micro Apex One and Worry-Free Business Security, to its Known Exploited Vulnerabilities catalog. The vulnerability lies in the products' ability to uninstall third-party security software and has been actively exploited in attacks. To mitigate the risk, Trend Micro and CISA advised government agencies and private organizations to update to the latest versions promptly and recommended restricting access to the products to trusted networks.
