
Cyware Daily Threat Intelligence, April 20, 2021


The infamous Lazarus APT is on a roll in 2021. After launching a series of new malware from its kit, the North Korean hacker group has now come up with an evasion technique that was observed in a recent phishing attack. The technique involved concealing a malicious loader within the BMP image which ultimately deployed a RAT.
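The Lazarus technique described above hides a loader inside a BMP file, which a plain image viewer renders without complaint. A defensive triage check a practitioner can run on inbound image attachments is to parse the BMP headers and compare what the headers declare against what the file actually contains. The following is an added example, not code from Cyware or from the reports on this campaign; it assumes the generic case of payload bytes hidden after the pixel data (a heuristic, not the exact concealment method used by this attacker), and the sample BMP it inspects is constructed inline.

```python
import struct

BMP_FILE_HEADER = "<2sIHHI"      # magic, file size, reserved x2, pixel-data offset (14 bytes)
BMP_INFO_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER (40 bytes)


def build_min_bmp() -> bytes:
    """Constructed sample: a clean 1x1 pixel, 24-bit BMP (one row padded to 4 bytes)."""
    pixel_data = b"\x00\x00\xff" + b"\x00"
    info = struct.pack(BMP_INFO_HEADER, 40, 1, 1, 1, 24, 0, len(pixel_data), 2835, 2835, 0, 0)
    size = 14 + 40 + len(pixel_data)
    head = struct.pack(BMP_FILE_HEADER, b"BM", size, 0, 0, 54)
    return head + info + pixel_data


def patch_declared_size(data: bytes) -> bytes:
    """Rewrite the bfSize field so it matches the real length (what a careful attacker would do)."""
    return data[:2] + struct.pack("<I", len(data)) + data[6:]


def inspect_bmp(data: bytes) -> dict:
    """Compare header claims with the file body and report anything that does not add up."""
    if len(data) < 54 or data[:2] != b"BM":
        return {"valid": False, "suspicious": True, "trailing_bytes": 0,
                "findings": ["not a BMP or header truncated"]}
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    dib_size, width, height, _planes, bpp, compression, image_size = \
        struct.unpack_from("<IiiHHII", data, 14)

    # For uncompressed BI_RGB images the pixel payload is fully determined by the
    # geometry: rows are padded to 4-byte boundaries. Otherwise trust biSizeImage.
    if compression == 0:
        row_bytes = ((abs(width) * bpp + 31) // 32) * 4
        expected_pixels = row_bytes * abs(height)
    else:
        expected_pixels = image_size

    findings = []
    if declared_size != len(data):
        findings.append(f"declared size {declared_size} != actual {len(data)}")
    # Headers at >8 bpp carry no palette, so there should be no slack before the pixels.
    if bpp > 8 and pixel_offset > 14 + dib_size:
        findings.append(f"{pixel_offset - 14 - dib_size} unexplained bytes before pixel data")
    trailing = len(data) - (pixel_offset + expected_pixels)
    if trailing > 0:
        findings.append(f"{trailing} bytes appended after pixel data")

    return {"valid": True, "suspicious": bool(findings),
            "trailing_bytes": max(trailing, 0), "findings": findings}


if __name__ == "__main__":
    clean = build_min_bmp()
    # Constructed placeholder standing in for a hidden loader; not a real payload.
    tampered = patch_declared_size(clean + b"PAYLOAD-PLACEHOLDER" * 4)
    print(inspect_bmp(clean))
    print(inspect_bmp(tampered))
```

The size-patching helper is there to show why the trailing-data check should not rely on the declared file size alone: an attacker who fixes up bfSize still leaves a gap between the pixel payload the geometry implies and the bytes actually present.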

Meanwhile, the evolution of phishing campaigns targeting Facebook users has researchers worried. A worldwide scam targeting Facebook Messenger users across 80 countries has been launched in full force to harvest credentials. The catch is that the scam lures users with ads promoting fake versions of the Messenger app. Facebook is not alone: threat actors are also impersonating several other brands, such as Microsoft Store and Spotify, to distribute an information-stealing trojan called Ficker.

Top Breaches Reported in the Last 24 Hours

Update on Codecov breach
More details have emerged on the recent Codecov system breach. During the investigation, the U.S. federal authorities have linked the breach to the recent SolarWinds attack, which is attributed to the Russian Foreign Intelligence Service (SVR). Codecov had suffered a supply-chain attack that went undetected for over 2 months.

Top Malware Reported in the Last 24 Hours

Purple Fox malware attacks
Threat actors are leveraging brute force attacks against the SMB protocol to distribute the Purple Fox malware. The new SMB attack method is especially concerning because Purple Fox no longer requires user interaction to propagate.
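Because this Purple Fox variant spreads by brute-forcing SMB rather than through user interaction, the earliest signal a defender has is a burst of failed network logons from one source against one host. The following is an added example (not Cyware's or the researchers' code) of the sliding-window logic behind that detection. It assumes a constructed, simplified one-line-per-event log format carrying the fields a Windows Security event 4625 (failed logon) would supply; real event text differs and the parser would need adapting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one SMB brute-force burst from 10.0.0.5, plus benign noise
# from 10.0.0.9 (one failure, one success, another failure five minutes later).
SAMPLE_LOG = [
    "2021-04-20T10:00:01Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5",
    "2021-04-20T10:00:03Z EventID=4625 LogonType=3 TargetUserName=admin IpAddress=10.0.0.5",
    "2021-04-20T10:00:05Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=10.0.0.5",
    "2021-04-20T10:00:07Z EventID=4625 LogonType=3 TargetUserName=guest IpAddress=10.0.0.5",
    "2021-04-20T10:00:09Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.5",
    "2021-04-20T10:00:11Z EventID=4625 LogonType=3 TargetUserName=admin IpAddress=10.0.0.5",
    "2021-04-20T10:00:20Z EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.0.0.9",
    "2021-04-20T10:00:25Z EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.9",
    "2021-04-20T10:05:00Z EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.0.0.9",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Alert once per source IP when failed network logons (4625, type 3)
    reach `threshold` within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, target user) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        # Logon type 3 is a network logon, which is what SMB authentication produces.
        if ev is None or ev["eid"] != 4625 or ev["lt"] != 3:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Drop entries that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The distinct-user count is worth keeping in the alert: many failures against many accounts from one source is the password-spraying shape of an SMB worm, whereas repeated failures against a single account from a workstation more often means a stale cached credential.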

Ficker malware
Threat actors are promoting sites impersonating Microsoft Store, Spotify, and an online document converter to distribute an information-stealing malware called Ficker. Using this malware, attackers can steal credentials saved in web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients.

Top Vulnerabilities Reported in the Last 24 Hours

WordPress releases patches
WordPress has released version 5.7.1 of its popular CMS, which includes fixes for two security vulnerabilities, tracked as CVE-2021-29447 and CVE-2021-29450. The former is an XML External Entity vulnerability in the ID3 library in PHP 8; the latter affects the REST API, leading to the loss of sensitive data.

Top Scams Reported in the Last 24 Hours

Facebook Messenger scam
Researchers have detected a large-scale scam campaign targeting Facebook Messenger users in over 80 countries. The ultimate goal of the campaign is to pilfer login credentials from users by distributing ads promoting a fake version of Facebook Messenger. The first incident of the scam came to light in 2020. To draw users' attention, fraudsters registered accounts with names mimicking the real Messenger app and used the official logo as their profile picture.

Google Alerts for scam
Google Alerts has long been abused for scams and malware attacks. The service is heavily used by scammers to redirect users to fake adult sites, fake dating apps, sweepstakes scams, and unwanted browser extensions. Such attacks are launched by sending fake Google Alert URLs to unsuspecting users.

Posted on: April 20, 2021