
Cyware Daily Threat Intelligence, April 22, 2024


A new information stealer targeting gamers is gaining traction on dark web forums. Dubbed Sharp Stealer, the malware shares similarities with Sharpil RAT and is capable of stealing system information as well as details stored in web browsers. A sophisticated cyberespionage campaign distributing XploitSPY malware via malicious apps has come to the notice of researchers around two years after its inception. The malicious apps were distributed via the Google Play Store and dedicated websites to infect users in India and Pakistan.

Meanwhile, the defunct HelloKitty ransomware has re-emerged in a new form and is now being called HelloGookie. In other threats, a zero-day flaw discovered in the CrushFTP file transfer server is being actively exploited in the wild, with multiple instances observed in the U.S. 

Top Malware Reported in the Last 24 Hours

XploitSPY malware spies on Android users
ESET researchers shared details of an active espionage campaign that targeted Android users with apps that offered functional services as bait and came bundled with the open-source XploitSPY malware. The campaign primarily targeted users in Pakistan and India, with XploitSPY being used to extract contact lists, GPS locations, and files in specific directories related to the camera, downloads, Telegram, and WhatsApp. Other capabilities of the malware include sending SMS messages and recording audio from the device’s surroundings. 

New Sharp Stealer spotted
Researchers spotted a new info-stealer, named Sharp Stealer, deployed against gamers. Written in C#, the malware is capable of pilfering system information and details from the Google Chrome, Yandex, Brave, Edge, Comodo, and UR browsers. Additionally, it can collect the victim's geolocation and user information from VimeWorld, a Minecraft game server.

GitHub flaw exploited to distribute malware
A vulnerability, or potentially a design choice, in GitHub is being exploited by malicious actors to disseminate malware via URLs associated with a Microsoft repository. This loophole enables threat actors to make malware files appear credible by using URLs linked to public repositories on GitHub, not just Microsoft's. In one such incident, a new Lua malware loader was distributed through what seemed to be the legitimate Microsoft GitHub repository for "vcpkg," the C++ library manager for Windows, Linux, and macOS.

Androxgh0st attacks escalate
Over 600 servers located across the U.S., India, and Taiwan have been subjected to recent attacks by the Androxgh0st malware. The attacks exploited several vulnerabilities, including CVE-2019-2725, CVE-2021-3129, and CVE-2024-1709, to deploy webshells that eventually dropped the malware. Numerous Laravel apps were also leveraged as part of the attacks to enable the theft of Amazon Web Services, Twilio, and SendGrid credentials.

HelloKitty rebranded
The HelloKitty ransomware has been rebranded as HelloGookie ransomware in an attempt to expand its attack scope. The development comes after the ransomware became obsolete in 2023, with its developers releasing both the builder and the source code on a hacker forum. The re-emergence of HelloGookie raises concerns, as the threat actors behind the ransomware have resumed their malicious activities and added new victims to their leak site.

Top Vulnerabilities Reported in the Last 24 Hours

Forminator WordPress plugin affected by a flaw
Japan's CERT warned of a flaw in the Forminator WordPress plugin, which is installed on over 500,000 sites. The flaw is tracked as CVE-2024-28890 and can allow remote attackers to upload malicious code to affected sites. Besides this, the plugin is affected by an SQL injection flaw (CVE-2024-31077) and a cross-site scripting flaw (CVE-2024-31857). The vulnerabilities have been fixed in version 1.29.3 of the plugin.

CrushFTP zero-day flaw under attack
A zero-day flaw discovered in the CrushFTP file transfer server is being actively exploited in the wild. The flaw, which has no CVE assigned yet, can allow threat actors to escape the virtual file system of the CrushFTP application and download system files. According to reports, there have been several exploitation attempts against CrushFTP instances owned by multiple U.S. entities to gather politically motivated intelligence. The flaw has been addressed in version 11.1 of the software.

MagicDot flaw spotted in Windows systems
A new vulnerability unearthed in Windows can allow attackers to gain rootkit-like capabilities without requiring administrative privileges. The flaw, dubbed MagicDot, exists in the DOS-to-NT path conversion process within the OS. It can be exploited by sending specially crafted files and processes and by manipulating archive files. The vulnerability can also be used to make malware files appear as verified executables published by Microsoft, thus deceiving users.

Top Scams Reported in the Last 24 Hours

LLMs used in spear-phishing
Microsoft reported that the North Korea-linked Kimsuky APT has been using LLM-based generative AI to launch spear-phishing attacks against Korean Peninsula experts. As part of the attack, it uses LLMs to troubleshoot technical issues, conduct basic scripting tasks, and draft content for spear-phishing messages. Furthermore, the group engages in benign conversations and uses AI-generated content to establish contact with target victims.

Phishing under the guise of Naver
ASEC recently identified the distribution of phishing files that mimicked the login page of Naver, a Korea-based search engine and online platform. Threat actors used NoCodeForm as a means to exfiltrate users' account details, such as IDs and passwords. NoCodeForm provided a method of transmitting the results in HTML format through the user's email or Slack. ASEC recommended that users not log in through attachments to emails from unknown sources.

E-ZPass spoofed
Cybersecurity researchers have found almost 30 phishing websites spoofing the electronic toll collection service E-ZPass following an FBI warning last week. The FBI said in an alert that since early March the Internet Crime Complaint Center (IC3) has received over 2,000 complaints reporting smishing texts impersonating road toll collection services from at least three states.


Posted on: April 22, 2024
