Cyware Weekly Threat Intelligence - April 15–19

Weekly Threat Briefing • April 19, 2024
Weekly Threat Briefing • April 19, 2024
The week has been blessed with quite a few strides toward a secure cyber landscape. In a significant victory for justice, European police have dismantled the JuicyFields investment fraud scheme, arresting nine and seizing millions. Microsoft is spearheading the fight against email spam with a new policy that introduces a daily limit of 2,000 external recipients for Exchange Online users starting January 2025.
Alarm bells ring as a deceptive ad for Whales Market appears in Google search results, luring unsuspecting users to a sophisticated phishing site designed to mimic its legitimate counterpart. Cryptocurrency enthusiasts beware: A new, intricate phishing scheme has been uncovered, deploying the FatalRAT trojan along with Clipper and Keylogger malware to target users. A critical zero-day flaw in Palo Alto Networks' PAN-OS software is under active assault by MidnightEclipse, deploying the Python-based UPSTYLE backdoor.
Beware gamers and developers: A new information-stealing malware known as Cheat Lab is infiltrating Microsoft's GitHub repository. Disguised as fake game cheat demos, this malware is connected to the Redline family. Researchers identified a cunning malvertising campaign that utilizes typosquatting domains and deceptive Google Ads to push a dangerous new backdoor called MadMxShell. The notorious cybercrime group FIN7 has once again made headlines by targeting a major U.S. car manufacturer with the Anunak backdoor.
A new information-stealing malware, disguised as a game cheat called Cheat Lab is being spread through fake demos of cheating tools on Microsoft's GitHub repository. The malware, linked to Redline, promises a free copy if users convince their friends to install it. The malware injects into legitimate processes for stealth, using Lua bytecode to evade detection and take advantage of Just-In-Time (JIT) compilation performance.
Zscaler ThreatLabz uncovered a sophisticated malvertising campaign in March, utilizing typosquatting domains and Google Ads to distribute a novel backdoor dubbed MadMxShell. The threat actor registered multiple sites masquerading as legitimate IP and port scanner software programs. Employing DLL sideloading and DNS tunneling for C2 communication, the backdoor evades memory forensics and endpoint security.
The financially motivated group FIN7 employed the Anunak backdoor to target a leading U.S. car manufacturer. The attack utilized spear-phishing tactics, luring high-level IT personnel with a counterfeit Advanced IP Scanner tool. Through a multi-stage process, the malicious executable 'WsTaskLoad.exe' deployed the Anunak backdoor, enabling persistent access by installing OpenSSH, and created a scheduled task.
An Android malware campaign, tracked as eXotic Visit by cybersecurity firm ESET, has been actively targeting users in South Asian countries since November 2021. Operating under the name Virtual Invaders, the campaign distributed malware via dedicated websites and the Google Play Store. Downloaded apps also include code from the open-source Android XploitSPY RAT which could gather sensitive data from infected devices.
Juniper Networks published multiple advisories detailing more than a hundred vulnerabilities in Junos OS, Junos OS Evolved, and other products. Patches were released for over 80 bugs, including critical issues in Junos cRPD and Cloud Native Router. Additionally, high-severity flaws, such as information leaks and denial-of-service vulnerabilities, were addressed in Paragon Active Assurance Control Center and Junos OS.
The FBI warned about a widespread SMS phishing campaign targeting Americans with fraudulent messages claiming unpaid road toll fees. The scam, which started in March 2024, has already affected thousands of individuals across multiple states. The malicious texts contain links disguised as state toll service websites, aiming to trick recipients into clicking and providing personal information.
A flaw in TP-Link Archer AX21 router models is being exploited by multiple botnet operators, such as Moobot, Miori, and AGoent (a Gafgyt Variant), found FortiGuard Labs. The vulnerability enables unauthenticated command injection through the web management interface, allowing attackers to execute arbitrary code. Various botnets utilize different infection tactics, such as fetching script files, establishing connections with C2 servers, and launching DDoS attacks.
The TA558 hacking group launched a new campaign called SteganoAmor, with over 320 attacks impacting multiple sectors across different countries. The attackers exploit the CVE-2017-11882 flaw in Microsoft Office. The group uses long chains of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, Guloader, SnakeKeylogger, and XWorm. The attackers use compromised legitimate FTP servers for C2, and SMTP servers for C2 and phishing. The group also uses legitimate services to store malware strings and images with embedded malicious code.
WithSecure researchers uncovered a new backdoor, Kapeka, attributed to the Russian nation-state group Sandworm. Used in espionage campaigns across Eastern and Central Europe since the Russia-Ukraine conflict, Kapeka facilitates intelligence collection and potential sabotage, including ransomware attacks and modular payload execution. The malware bears similarities to GreyEnergy, indicating Sandworm's involvement.
A recent investigation by Sophos X-Ops delves into a new trend in the cybercrime landscape: the emergence of junk gun ransomware. Drawing parallels to cheap, unreliable firearms from the past, this ransomware is independently produced, inexpensive, and sold as a one-time purchase. Unlike typical ransomware-as-a-service models, these variants lack complex infrastructure and corporate-like hierarchies.
Microsoft warned of a series of chained vulnerabilities in the OpenMetadata platform on Kubernetes clusters, allowing Chinese hackers to execute code and install cryptomining software remotely. The flaws, including CVE-2024-28255 and CVE-2024-28847, affect versions before 1.3.1. Attackers left a plea for victims not to remove the malware, citing financial hardship. The attack sequence involves reconnaissance, exploitation, and installation of cryptomining software.