BazarLoader is back in action with its BazaCall method. The campaign includes a new set of lures that finally results in the exfiltration of users’ data and the distribution of ransomware. What else? SolarMarker and WellMess malware have also been spotted in different campaigns designed to wreak havoc and harvest credentials from targets.
An instance of wild exploitation of a zero-day flaw in the Internet Explorer browser has also surfaced in the last 24 hours. The campaign was used to deliver a fully-featured VBA RAT capable of accessing files stored in compromised Windows systems and downloading and executing malicious payloads.
Top Breaches Reported in the Last 24 Hours
Update on railway system attack
The Meteor file wiper malware has been linked to a cyberattack that targeted the Iranian railway system and transport ministry. The wiper was designed to cripple the targeted systems by leaving no option for remediation by recovering shadow copies.
Chipotle account compromised
An email marketing account belonging to Chipotle has been compromised by cybercriminals in a phishing attack campaign. During the operation, more than 120 malicious emails were sent from a hacked Mailgun account that the firm used for email purposes.
South Africa’s ports and freight rail operator Transnet was hit by ransomware named Death Kitty. Following the attack, the company was forced to halt its operation temporarily.
Top Malware Reported in the Last 24 Hours
Researchers are actively tracking a SolarMarker campaign that dates back to September 2020. The malware is capable of pilfering sensitive information such as credit card details. Evidence collected so far indicates that the attackers have an interest in European organizations.
An unidentified threat actor has been exploiting a now-patched zero-day flaw in the IE browser to deliver a fully-featured VBA-based RAT. The malware is capable of accessing files stored in compromised Windows systems and downloading and executing malicious payloads. It is distributed via a decoy document named ‘Manifest.docx’ that includes the exploit for the vulnerability.
Eight malicious Python packages
As many as eight Python packages have been removed from the PyPI repository for containing malicious code. These packages could allow attackers to spread malware through typosquatting, dependency confusion, or simple social engineering attacks. The eight malicious packages are pytagora, pytagora2, noblesse, genesisbot, are, sufferm noblesse2, and noblessev2.
Microsoft 365 Defender Threat Intelligence Team uncovered an ongoing malware campaign that tricks victims into downloading the BazarLoader malware on their systems. The attack campaign leverages bogus call centers and phishing emails to target victims. The ultimate purpose is to exfiltrate data and credentials and distribute ransomware.
WellMess malware observed
A new C2 infrastructure linked to the Cozy Bear threat actor group is actively serving WellMess malware as part of an ongoing attack campaign. More than 30 C2 servers have been uncovered, according to the report.
Top Vulnerabilities Reported in the Last 24 Hours
Flawed Download Manager plugin
A remote code execution flaw found in the WordPress Download Manager plugin has been patched recently. Tracked as CVE-2021-34639, the flaw has a CVSS score of 7.5 and is related to an authenticated file upload issue. The flaw can allow attackers to upload files with php4 extensions, as well as files that could be executed under certain circumstances.
Top Scams Reported in the Last 24 Hours
PayPal users are being targeted in a new phishing campaign that steals their account details. The email contains a link that leads recipients to a bogus PayPal live chat page. Once the victims enter the live chat page, attackers use automated scripts to steal their addresses, email addresses, and phone numbers.