Cyware Weekly Threat Intelligence - April 24–28

Weekly Threat Briefing • April 28, 2023
Weekly Threat Briefing • April 28, 2023
This week, cyber defenders displayed some notable advances in the battle against malware threats. Google announced the disruption of CryptBot malware operations that infected over 670,000 computers worldwide. In another incident, eSentire’s Threat Response Unit launched a multi-pronged offensive against Gootloader, saving 12 different organizations from being targeted. The act was pulled off after researchers gained access to the malware code and infrastructure.
Despite all the good efforts, multiple organizations were found using misconfigured cloud assets that exposed them to a variety of cyberattacks. In one study, researchers found that several Fortune 500 companies using poorly secured repositories and registries were at risk of supply chain attacks as they leaked millions of software artifacts and container images online. Besides this, over 2000 organizations are vulnerable to massive DoS amplification attacks owing to a high-severity flaw discovered in the Service Location Protocol (SLP). In other news, a massive phishing attack impersonating 3,200 Meta support staff was also detected stealing login credentials from Facebook users.
Coming to new threats, cybercriminals were found upgrading their arsenal with new malware. While the North Korean BlueNoroff group added a new malware, dubbed RustBucket, to target macOS systems, the Russia-based Evil Corp gang enhanced its crypto-stealing ability using a malware called LOBSHOT. A new attack method was also discovered this week, enabling threat actors to launch cryptojacking attacks on Kubernetes clusters.
Threat actors have devised a new attack method to abuse Kubernetes role-based access control (RBAC) to deploy backdoors for persistence. Dubbed RBAC Buster, the attack method can also enable attackers to launch cryptojacking attacks on targeted Kubernetes clusters by exploiting misconfigured API servers linked to the clusters.
North Korea-based BlueNoroff threat actor added a new macOS malware called RustBucket to its malware arsenal. The malware masquerades as a legitimate Apple bundle identifier that helps the attackers to override Gatekeeper on Mac. Written in Rust language, it is capable of gathering system information.
More than 1,000 Windows and macOS systems are still vulnerable to the PaperCut installation flaw that was patched in March 2023. Attackers can exploit the flaw to bypass authentication and execute arbitrary code remotely. The vulnerability has been patched with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9. In another update, Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware groups.
ViperSoftX, a cryptocurrency and info-stealer malware, has been updated to include more sophisticated encryption and data-stealing methods. So far, the variant has infected a significant number of victims in consumer and enterprise sectors across Australia, Japan, the U.S., India, Taiwan, Malaysia, France, and Italy.
Certain attacks previously correlated with the Turla group were carried out by Tomiris APT, according to researchers. It was found that the cybercriminal group made use of KopiLuwak and TunnusSched (malicious tools that are also associated with Turla) to launch attacks between 2021 and 2023.
Multiple generations of Intel CPUs are vulnerable to a new side-channel attack that allows the leak of data through the EFLAGS register. The new attack relies on a flaw in transient execution that affects the timing of Jump on Condition Code (JCC) instructions.
LOBSHOT is a new malware that is being used by the TA505 threat actor to steal cryptocurrencies and private information from users. The malware targets 32 Chrome extensions, nine Edge wallet extensions, and 11 Firefox wallet extensions, enabling threat actors to steal cryptocurrency asssets.
Charming Kitten APT was observed using a previously unseen custom dropper malware, BellaCiao, to target users located in the U.S., Turkey, India, Europe, and the Middle East. The attackers possibly exploited known vulnerabilities in internet-exposed applications such as Zoho ManageEngine or Microsoft Exchange Server to drop the malware.
An ongoing attack campaign, tracked as OCX#HARVESTER, has been found distributing More-eggs backdoor, along with other malicious payloads. The More-eggs backdoor was observed in the wild from December 2022 through March 2023. The attack chain leveraged specially crafted phishing emails to lure victims in the financial sector, especially those organizations involved with cryptocurrencies.
CheckPoint researchers shared new findings on Educated Manticore which is a sub-group of the Iranian cyberespionage group known as Phosphorous. The attackers have significantly improved their toolset which uses a mixture of .NET and C++ code. The final executed payload is an updated version of the Powerless malware which is also tied to some Phosphorous ransomware operations.
A new macOS info-stealing malware named Atomic (aka AMOS) is being sold on private Telegram channels for a subscription of $1,000/month. The malware steals keychain passwords, files from local filesystems, passwords, cookies, and credit card details stored in browsers. It also attempts to steal data from 50 cryptocurrency extensions.
China-based Alloy Taurus APT was spotted using a Linux variant of PingPull malware, along with a backdoor named Sword2033, to target organizations in South Africa and Nepal. Upon execution, the malware variant uses the OpenSSL library and HTTP POST request to interact with C2 servers handled by attackers.