Go to listing page

Cyware Daily Threat Intelligence, December 01, 2021

Cyware Daily Threat Intelligence, December 01, 2021

Share Blog Post

A new evasion technique is on the rise in 2021. Proofpoint has warned that three state-sponsored threat actor groups—DoNot Team hackers, Gamaredon, and TA423—are actively using the RTF Template Injection technique as part of their phishing campaigns to deliver malware to targeted systems. This new innovation is likely to expand the surface area of threats for organizations worldwide.

FluBot trojan is going on a global attack spree as it adds another new country to its list of victims. This time Finnish people are under attack following which Finland’s National Cyber Security Center has raised an alert. The malware is either being pushed via text messages or voicemail. In another threat, SpyAgent has unleashed a variety of infostealer to target cryptocurrency users.

Top Breaches Reported in the Last 24 Hours

Web skimming attack spotted
A threat actor hacked the government site of the Principality of Sealand in an attempt to plant web skimming code. As a result, all transactions made on the site were interrupted from October 12. People buying Baron or Duke titles have likely been affected by the attack.

Attackers improvise phishing campaigns
Three state-sponsored threat actors, namely DoNot Team hackers, Gamaredon, and TA423, have adopted a new RTF Template Injection technique to evade detection during phishing attacks. The technique makes use of Microsoft Office files such as DOC, XLS, or PPT to deliver malware on targeted systems.

Iranian targeted in Smishing attacks
Multiple Iranian media and social networks have fallen victim to an ongoing SMS phishing campaign that impersonated Iran’s government services. In some cases, the users have reported receiving SMS containing a fake notification from the Iranian Judiciary. The ultimate goal of the attackers is to steal personal information from users.

Top Malware Reported in the Last 24 Hours

Surge in FluBot
Finland’s NCSC-FI has warned about a severe rise in FluBot attacks. The banking malware is pushed via text messages. The new campaigns also use a voicemail theme that asks the users to open a malicious link designed to deploy the malware.

SpyAgent spotted
A malware campaign distributing SpyAgent malware is targeting crypto users. The malware abuses legitimate Remote Access Tools such as TeamViewer to spread the infection to different devices. The malware employs DLL sideloading attacks to hide in Windows systems. The malware is distributed via fake cryptocurrency websites where the malware dropper mimics crypto wallets. Researchers have also noticed that the SpyAgent downloads additional malware such as AZORult, RedLine Stealer, Cypress, and Ducky Stealers.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerabilities in OmniPod Insulin systems
Researchers revealed a design protocol vulnerability in the Insulet OmniPod Insulin Management System, also known as OmniPod Eros. The flaw can allow attackers to take control of the devices and send programming commands. The firm is yet to issue a patch for the vulnerability.

Symfony vulnerable to attacks
A design flaw in the Symfony web framework could have led to web cache poisoning attacks. This could potentially expose sensitive information such as users’ IP addresses. The issue existed due to the mishandling of HTTP headers and affects all websites built on Symfony. Upon learning, Symfony took immediate action to fix the issue.

 Tags

smishing attacks
flubot trojan
rtf template injection technique
omnipod insulin systems
spyagent
web skimming attack

Posted on: December 01, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.