
Cyware Daily Threat Intelligence, May 07, 2024


New chapters unfold in the ransomware landscape as data encryption attacks turn into psychological warfare. Researchers presenting at the RSA Conference described a shift from pressuring companies to pressuring individuals, which has changed the calculus for paying ransoms: victims now weigh the safety of employees and their families. Security experts also uncovered a campaign, believed to be linked to North Korea, delivering malicious LNK files to South Korean users. The files carry PowerShell commands that execute the RokRAT malware.

Meanwhile, the Yahoo Boys, a scammer collective from West Africa, were identified as a growing threat to social media users worldwide, helped by their adoption of new technologies such as deepfake tools. They masquerade as military personnel, FBI agents, medical professionals, and individuals seeking romantic connections or companionship.

Top Malware Reported in the Last 24 Hours


Malicious shortcut files target South Korea
AhnLab confirmed the ongoing distribution of abnormally large shortcut files (*.LNK) targeting South Korean individuals with an interest in North Korea. The shortcuts contain the RokRAT malware, which is launched through embedded PowerShell commands. RokRAT uses cloud storage APIs to collect user data and transmit it to the threat actor's accounts on services such as pCloud and Yandex, so its command-and-control traffic blends in with legitimate cloud traffic. Its capabilities include command execution, file deletion, and information collection. The unusual file size is the first tell: a legitimate shortcut is typically only a few kilobytes, so an LNK that is orders of magnitude larger very likely carries an embedded payload.
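As an added example (not AhnLab's code or indicators), the following Python script applies the two observable traits described above, oversized shortcut files and embedded PowerShell commands, to triage LNK files offline. It parses only the fixed ShellLinkHeader (the 0x4C-byte header size, the Shell Link CLSID and the LinkFlags field from the MS-SHLLINK specification). The 1 MiB size threshold, the list of indicator strings and the two sample shortcuts are assumptions constructed for this example, since the report summarized here gives no sizes or indicators.

```python
import base64
import os
import struct
import uuid

# Fixed ShellLinkHeader values from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
FLAG_HAS_ARGUMENTS = 0x20  # LinkFlags bit 5: a command line follows the target

# Assumption for this example: the source only says the shortcuts are abnormally
# large, so 1 MiB is a working threshold, not a published indicator.
SIZE_THRESHOLD = 1024 * 1024

# Assumed indicator strings for a shortcut that launches PowerShell.
SUSPICIOUS_STRINGS = [b"powershell", b"-encodedcommand", b"-enc ", b"frombase64string",
                      b"mshta", b"wscript", b"cmd.exe"]


def parse_link_flags(data):
    """Return the LinkFlags field, or None if data is not a Shell Link file."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    link_flags, = struct.unpack_from("<I", data, 0x14)
    return link_flags


def find_strings(data, needles):
    """Case-insensitive search for each needle both as ASCII and as UTF-16LE."""
    lower = data.lower()  # folds only ASCII letters, which is all we need here
    hits = set()
    for needle in needles:
        wide = needle.decode("ascii").encode("utf-16-le")
        if needle in lower or wide in lower:
            hits.add(needle.decode("ascii"))
    return hits


def triage_lnk(data):
    """Flag a shortcut that is oversized, or passes arguments and references PowerShell."""
    flags = parse_link_flags(data)
    if flags is None:
        return {"is_lnk": False, "suspicious": False, "reasons": [], "strings": []}
    reasons = []
    oversized = len(data) > SIZE_THRESHOLD
    if oversized:
        reasons.append(f"oversized shortcut: {len(data)} bytes")
    has_args = bool(flags & FLAG_HAS_ARGUMENTS)
    strings = sorted(find_strings(data, SUSPICIOUS_STRINGS))
    if has_args and "powershell" in strings:
        reasons.append("HasArguments set and PowerShell referenced")
    for s in strings:
        reasons.append(f"embedded string: {s!r}")
    return {"is_lnk": True, "size": len(data), "link_flags": flags, "strings": strings,
            "suspicious": oversized or (has_args and "powershell" in strings),
            "reasons": reasons}


def scan_directory(root):
    """Walk a directory tree and return the triage result for every *.lnk found."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = triage_lnk(fh.read())
    return results


def build_sample(flags, payload, pad_to=0):
    """Construct a minimal Shell Link: header, then payload, zero-padded to pad_to bytes."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    data = header.ljust(LNK_HEADER_SIZE, b"\x00") + payload
    return data.ljust(pad_to, b"\x00")


# Constructed samples (not real malware): an ordinary shortcut, and an oversized
# one whose arguments launch an encoded PowerShell command.
BENIGN_LNK = build_sample(0x80 | 0x08, "C:\\Program Files\\App\\app.exe".encode("utf-16-le"))
ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
MALICIOUS_LNK = build_sample(
    0x80 | FLAG_HAS_ARGUMENTS,
    f"powershell.exe -nop -w hidden -enc {ENCODED}".encode("utf-16-le"),
    pad_to=2 * 1024 * 1024,
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(label, triage_lnk(sample))
```

Point `scan_directory` at a mail attachment quarantine or a user's Downloads folder to get one verdict per shortcut. The size rule alone catches the campaign described above; the string rule is there because a small LNK that still launches PowerShell with arguments deserves a look even when it is not oversized.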

Ransomware tactics evolve into psychological warfare
According to Mandiant, ransomware operators have turned their attacks into psychological warfare, resorting to personal and aggressive tactics. They have gone beyond encrypting files and now target victims' families, including children, and even ambulances. Cryptocurrency makes extortion payments frictionless, and healthcare organizations are particularly exposed because of the sensitivity of the data they hold.

HijackLoader's latest evolutions
HijackLoader has undergone significant updates that strengthen its evasion and expand its malware-distribution capabilities. New modules bypass Windows Defender and User Account Control, and the loader now retrieves its payload from a PNG image. Recent analysis shows it delivering several malware families, including Amadey, Lumma Stealer, and Remcos RAT. The updates also bring a modular architecture and dynamic API resolution, which keeps the Windows API functions it calls out of the binary's static import table and so frustrates signature-based detection.

Top Vulnerabilities Reported in the Last 24 Hours


Citrix fixes memory flaw in NetScaler appliances
Citrix patched an out-of-bounds memory read in NetScaler ADC and Gateway appliances that, like the critical CitrixBleed flaw, lets attackers retrieve sensitive data from memory. Bishop Fox reported the issue, which affects NetScaler version 13.1-50.23. While less severe than CitrixBleed, the bug allowed occasional access to HTTP request bodies, potentially exposing credentials and cryptographic material. Citrix acknowledged the disclosure but did not assign a CVE, so vulnerability scanners and advisories keyed on CVE identifiers will not flag it; check the installed build against Citrix's release notes directly.

Top Scams Reported in the Last 24 Hours


Yahoo Boys: Scammers of West Africa
Yahoo Boys, a collective of scammers primarily based in West Africa, operate openly across social media platforms such as Facebook, WhatsApp, and Telegram. WIRED's analysis documented their brazen tactics, including sharing scripts for sextortion scams and distributing fake nude images generated with AI. Although the platforms remove some of their accounts, the Yahoo Boys persist thanks to inconsistent moderation and continue to exploit victims globally.


 Tags

south korean
north korea
hijackloader
social media platform
yahoo boys
west africa
citrix netscaler gateway
rokrat rat

Posted on: May 07, 2024

