
Cyware Daily Threat Intelligence, May 01, 2024


The collusion between cybercriminals and nation-state actors in exploiting compromised routers for proxy anonymization presents a significant challenge. Pawn Storm APT and other threat actors, for instance, have been using dedicated and criminal proxy botnets such as the EdgeRouter botnet, built with malware such as SSHDoor and Ngioweb. Meanwhile, corporate networks have come under attack from Latrodectus malware, spread through phishing campaigns that use Microsoft Azure and Cloudflare lures; the campaigns go on to drop payloads such as Lumma and Danabot onto infected networks.

A newly discovered Android trojan called Wpeeper has been seen in the wild using an advanced obfuscation technique: it hides its C&C server behind hacked WordPress sites. Additionally, a modular malware platform called Cuttlefish is targeting enterprise SOHO routers to steal authentication data from LAN web traffic.

Top Malware Reported in the Last 24 Hours


Router-based threats magnify
Cybercriminals and nation-state actors exploit compromised routers for anonymity, renting them out for malicious activities. Pawn Storm APT gained access to a botnet of Ubiquiti EdgeRouters and used it for espionage, Trend Micro revealed. The botnet, dating back to 2016, also includes Raspberry Pi devices and VPS servers. Another threat, Ngioweb malware, operates discreetly on EdgeRouters. Using a range of tools such as SSHDoor, attackers keep compromising routers and retaining access to them.

Trojan conceals C2 servers behind WordPress sites
Chinese cybersecurity firm QAX XLab uncovered the Android trojan Wpeeper, which uses compromised WordPress sites as a multi-level C&C infrastructure. Distributed via repackaged apps on the UPtodown Store, Wpeeper employs HTTPS, elliptic-curve signing, and session differentiation to conceal its activities. Although it abruptly issued a self-deletion command and went quiet, likely to evade detection, Wpeeper had already infected thousands of devices.

Latrodectus malware exploits Azure and Cloudflare
Security researchers detailed Latrodectus malware being distributed via phishing emails that use Microsoft Azure and Cloudflare lures, which makes detection challenging. Employed in reply-chain phishing, it arrives as PDF attachments or URLs that mimic Azure-hosted documents. A fake Cloudflare captcha page gates the attack chain and triggers the download of a JavaScript payload. Once installed, Latrodectus acts as a backdoor used to deploy further malware, including Lumma and Danabot.

Unveiling the Cuttlefish malware
Lumen Technologies' Black Lotus Labs uncovered Cuttlefish, a sophisticated malware targeting SOHO routers that is capable of data theft and network infiltration. Cuttlefish passively sniffs traffic and uses HTTP and DNS hijacking to intercept authentication material and cloud-based credentials. Active since at least July 2023, Cuttlefish's recent campaign, detected mainly in Turkey, demonstrates its capacity for long-term access and evasion of detection.

Top Vulnerabilities Reported in the Last 24 Hours


Unveiling Siemens' serialization snag
Researchers at Claroty revealed a deserialization vulnerability, CVE-2022-23450, in Siemens' Simatic Energy Manager software, exposing industrial systems to RCE. Despite being patched two years ago, vulnerable versions remain widespread, posing severe risks to industrial infrastructure. By abusing the insecure deserialization behaviour of the .NET BinaryFormatter class, attackers can inject malicious code, bypassing authentication checks and compromising systems.
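The root cause described above is generic to any .NET service that feeds untrusted bytes to BinaryFormatter, so the following added example (illustrative code written for this briefing, not code from Siemens, Claroty, or the affected product) shows the risky pattern next to a hardened replacement. The `MeterReading` type, the `ReadingDecoder` class and the size and range limits are all assumptions chosen for the illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical message type for the example; not a type from any real product.
public sealed class MeterReading
{
    public string MeterId { get; set; } = "";
    public double Kilowatts { get; set; }
}

public static class ReadingDecoder
{
    // RISKY PATTERN: BinaryFormatter reconstructs whatever type the incoming
    // byte stream names, running constructors, property setters and
    // deserialization callbacks before the cast below (or any application
    // authentication check) gets a chance to run. That is why the CVE class
    // is "deserialization of untrusted data" leading to RCE, and why newer
    // .NET versions mark BinaryFormatter obsolete (SYSLIB0011) and disable it.
    public static MeterReading DecodeUnsafe(byte[] untrusted)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(untrusted);
#pragma warning disable SYSLIB0011
        return (MeterReading)formatter.Deserialize(stream); // type check comes too late
#pragma warning restore SYSLIB0011
    }

    // HARDENED PATTERN: a data-only format bound to one fixed target type.
    // JSON carries no type names, so the input can only ever become a
    // MeterReading, and size, depth and value limits are cheap to enforce
    // before the object is used.
    private static readonly JsonSerializerOptions Strict = new()
    {
        PropertyNameCaseInsensitive = false,
        AllowTrailingCommas = false,
        MaxDepth = 4, // assumed limit: readings are flat objects
    };

    public static MeterReading DecodeSafe(byte[] untrusted)
    {
        if (untrusted.Length > 1024) // assumed upper bound for one reading
            throw new InvalidDataException("reading too large");

        var reading = JsonSerializer.Deserialize<MeterReading>(untrusted, Strict)
                      ?? throw new InvalidDataException("empty reading");

        // Validate the decoded fields, not just the syntax.
        if (string.IsNullOrWhiteSpace(reading.MeterId) || reading.MeterId.Length > 64)
            throw new InvalidDataException("bad meter id");
        if (double.IsNaN(reading.Kilowatts) || reading.Kilowatts < 0)
            throw new InvalidDataException("bad reading value");
        return reading;
    }

    public static void Main()
    {
        // Constructed sample input for the safe path.
        byte[] sample = System.Text.Encoding.UTF8.GetBytes(
            "{\"MeterId\":\"feeder-07\",\"Kilowatts\":42.5}");
        MeterReading r = DecodeSafe(sample);
        Console.WriteLine($"{r.MeterId}: {r.Kilowatts} kW");
    }
}
```

The defensive takeaway for reviewing legacy .NET services is the presence of `BinaryFormatter`, `SoapFormatter`, `NetDataContractSerializer` or `ObjectStateFormatter` on any code path reachable from the network; the fix is to replace the format rather than to try to filter the stream, since the type resolution happens inside the formatter before application code can intervene.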

Tags: Microsoft Azure, Ubiquiti EdgeRouter, Latrodectus malware, Cuttlefish malware, CVE-2022-23450

Posted on: May 01, 2024
