Cyware Weekly Threat Intelligence - March 20–24

Weekly Threat Briefing • March 24, 2023
Weekly Threat Briefing • March 24, 2023
A good number of cybersecurity approaches to deal with advanced and sophisticated cyber threats were disclosed this week. One of these involved a new open-source incident response tool released by the CISA. The tool is designed to detect signs of malicious activity across different Microsoft cloud environments. In another significant development, the U.K’s NCSC announced two new services—Cyber Action Plan and Check Your Cyber Security—to help small businesses effectively deal with cyber risks.
The infamous GoAnywhere MFT hacking incident continues to be in the headlines as the notorious Cl0p ransomware gang exposed a list of new victims. This includes a luxury brand retailer in the U.S., a British multinational conglomerate, and the City of Toronto. Apart from this, the LockBit gang took credit for the attack on the City of Oakland while setting a ransom demand deadline for the government to prevent the stolen files from being exposed. In other concerning news, a popular streaming platform had put the personal data of nearly 37 million subscribers at risk due to an unprotected Elasticsearch database.
This week, a new wave of Magecart attacks was observed against multiple Magento and WooCommerce sites. In one of these campaigns, researchers found the emergence of a Kritec skimmer that masqueraded as Google Tag Manager. There is also an update on the FakeGPT campaign that was first discovered on March 14. The attackers have launched a new Chrome extension called ‘Chat GPT for Google’ to ensnare more Facebook user accounts.
In a joint advisory, the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warned that the notorious Kimsuky APT is using a malicious Chrome extension and Android apps to intercept and steal victims’ email content. The campaign is aimed at diplomats, journalists, government agencies, university professors, and politicians in South Korea, the U.S., and Europe.
A new Kritec skimming malware was used in Magecart attacks to target Magento stores. The malware masqueraded as a legitimate Google Tag Manager to evade detection. Once executed, the stolen credit card details were exfiltrated twice - one via a WebSocket skimmer and the other via a POST request. Apart from abusing Google Tag Manager, Magecart actors were also found hiding malicious code inside the ‘Authorize[.]net’ payment gate module for WooCommerce to steal credit card details.
Researchers disclosed a campaign where the North Korea-based ScarCruft APT used Microsoft Compiled HTML Help (CHM) files to deploy malware on targeted machines. The latest development illustrates the group’s continuous efforts to refine its tactic to bypass detection.
A new Android banking trojan, dubbed Nexus, is being used by several threat actors to target 450 financial applications and conduct fraud. While it is still under development, the trojan provides all the main features to perform ATO attacks against banking portals and cryptocurrency services. The trojan is advertised on various hacking forums for a monthly fee of $3,000.
The PoC for vulnerabilities in Netgear’s Orbi 750 series router and extender satellites has been released, indicating that organizations using these products must immediately apply security patches to stay safe. One of these flaws is related to a remote command execution vulnerability.
Government agencies and organizations operating in Russia-occupied territories of Ukraine are being targeted with new malware strains, named CommonMagic and PowerMagic. Active since September 2021, the malware are designed to steal data from victims’ devices. They are distributed via phishing emails with a link to a ZIP archive.
Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the notorious RedLine information stealer. The infection chain starts with a phishing email that asks recipients to verify a report by clicking on the review and sign button. Once the victim clicks on the button, they are redirected to a site that asks them to enter a CAPTCHA that is hard coded. Consequently, the victim downloads the ZIP archive that contains the trojan.
Attackers have been found impersonating legitimate packages via typosquatting to infect .NET developers with cryptocurrency stealers. These malicious packages are delivered through the NuGet repository, with three of them being downloaded over 150,000 times within a month. The malicious packages are designed to download and execute a PowerShell-based dropper script that configures the compromised system before dropping the second-stage payload.
The threat group tracked as REF2924 has been found deploying previously unseen malware in its attacks against entities in South and Southeast Asia. The malware, dubbed NAPLISTENER, is an HTTP listener programmed in C# and is designed to evade network-based forms of detection. In addition to NAPLISTENER, the hacking group has also been associated with multiple custom malware tracked as SiestaGraph and Somnirecord, among others.
A new variant of BlackGuard stealer has been spotted with capabilities like USB propagation, persistence mechanisms, and targeting additional crypto wallets. While the developers are constantly improving the malware, researchers warn that the new variant is being widely used to launch attacks.
A new variant of the FakeGPT Chrome extension titled ‘Chat GPT for Google’ is targeting Facebook users in an attempt to hijack their accounts. The attack is an extension of the FakeGPT campaign that was discovered on March 14. This time, the malicious extension is not pushed using sponsored Facebook posts but rather is distributed by abusing Google Ads.