The notorious TrickBot trojan is back. Its operators are revamping the C2 infrastructure with a new VNC module, tvncDll, that can be used for stealthy monitoring and intelligence gathering. With this addition, they aim to enhance the trojan’s evasion capability, making attacks harder to spot.
The last 24 hours also saw the comeback of the Joker malware in a new Android campaign that aims to steal data from users. A new variant of the malware, which combines spyware and trojan capabilities, was distributed to users as a free QR code scanner app. Meanwhile, an espionage campaign dubbed Operation SpoofedScholars has been ongoing since January, aiming to pilfer confidential data from think tanks, senior professors at well-known academic institutions, and journalists specializing in Middle Eastern affairs.
Top Breaches Reported in the Last 24 Hours
Guess reports a breach
The fashion brand Guess has revealed details about a DarkSide ransomware attack that occurred in February. The criminals had gained access to people’s social security numbers, drivers’ license numbers, passport numbers, and financial information. In total, the gang had stolen about 200GB of data from the firm.
Top Malware Reported in the Last 24 Hours
Joker malware returns
A new variant of the Joker malware has been uncovered in a fresh Android campaign. The malware is disguised as a free QR scanner app to trick users into installing it, and it functions as both spyware and a trojan.
TrickBot adds a VNC module
Threat actors have revamped the attack infrastructure of the TrickBot malware with a new VNC module to spy on victims. The new module is named ‘tvncDll’ and can be used for monitoring and intelligence gathering.
TA453 impersonates British scholars
The Iran-linked TA453 threat actor group was found impersonating British scholars in a recent campaign aimed at stealing credentials from senior professors at well-known academic institutions and experts focusing on the Middle East. The campaign was carried out by mimicking the website of London’s School of Oriental and African Studies (SOAS).
Top Vulnerabilities Reported in the Last 24 Hours
Flaws in WordPress plugin
Six critical flaws discovered in the Frontend File Manager plugin affect more than 2,000 WordPress websites. The flaws expose these sites to a broad range of remote code execution attacks, giving adversaries the ability to modify or delete posts, set up a spam relay, and even launch cross-site scripting attacks. They have been fixed in versions 18.3 and above of the plugin.
SolarWinds issues a patch
SolarWinds has issued patches to fix a remote code execution flaw in its Serv-U managed file transfer service. The fixes were released after Microsoft informed the firm that the flaw was being exploited in the wild.
ForgeRock flaw exploited
Government agencies in the U.S. and Australia have warned organizations that a recently patched ForgeRock OpenAM vulnerability is being exploited in the wild. The flaw, tracked as CVE-2021-35464, is a Java deserialization issue that attackers can trigger by sending a specially crafted request. It affects versions 6.0.0 through 6.5.3.