
Cyware Daily Threat Intelligence, April 26, 2024


Compromised email accounts have again been used in a phishing campaign, this time to deliver links to malicious PDF files hosted on Autodesk Drive. The emails borrowed legitimacy from the senders' real signature footers and led recipients to fake Microsoft login pages that harvested their account credentials. Another WordPress plugin is in the news owing to active exploitation of a critical vulnerability: an SQL injection flaw in WP-Automatic that lets attackers bypass authentication, create administrator accounts, and take full control of the site.

PlugX made headlines with staggering figures. A security research group sinkholed a C2 server for a PlugX malware variant and observed over 2.5 million connections from unique IP addresses within just six months, with infections spread across 170 countries. Elsewhere, Lazarus was on a mission to distribute the Kaolin RAT using job lures, followed by deployment of the FudModule rootkit.

Top Malware Reported in the Last 24 Hours


Lazarus uses job lures in Asia
Lazarus was spotted using fake job offers to distribute the Kaolin RAT and the FudModule rootkit to targets in Asia as part of Operation Dream Job. Initial contact and malware delivery happen over social media and instant messaging platforms. The initial payload fetches shellcode from the C2 domain and kicks off a multi-stage infection chain that ends in Kaolin RAT. Kaolin RAT handles file manipulation and C2 communication and is used to stage the FudModule rootkit, which operates at kernel level to evade detection. Because the lure arrives through a personal social-media conversation rather than corporate email, the usual mail-gateway controls never see it.

Office bug exploited to deploy Cobalt Strike beacon
Cybersecurity researchers detected an attack on systems in Ukraine that exploits CVE-2017-8570, a long-patched remote code execution vulnerability in Microsoft Office. The attackers used a malicious PPSX file disguised as a U.S. Army manual to get past security controls. The chain delivered a custom Cobalt Strike Beacon loader configured to communicate with a C2 server posing as a photography website. Since Microsoft fixed CVE-2017-8570 in July 2017, the campaign only succeeds against Office installations that have gone years without updates, which is a useful reminder to verify patch coverage rather than assume it.

Researchers surprised after sinkholing a PlugX server
Sekoia researchers sinkholed a C2 server for a variant of the PlugX malware and captured over 2.5 million connections from unique IP addresses across 170 countries in six months. Controlling the server let them analyze traffic patterns, map the infections, and work out disinfection strategies. Although the bulk of the connections came from 15 countries, the infections are global, with notable concentrations in countries associated with China's Belt and Road Initiative. The variant spreads via USB drives, so a large share of the beaconing hosts are likely long-orphaned infections rather than targets of an active operator.

Banking trojan evolves with over 1,000 variants
The Godfather mobile banking trojan, first discovered in 2022, now accounts for over 1,000 samples targeting 237 banking apps across 57 countries, according to a Zimperium report. Godfather's developers have automated sample generation so that each build differs enough to evade signature-based detection. The report notes that other mobile malware families, including Nexus and Saderat, are multiplying just as rapidly, with some amassing over 100,000 unique samples.

Top Vulnerabilities Reported in the Last 24 Hours


Critical flaw fixed in Chrome
Google released an update for Chrome 124 that addresses a critical vulnerability, CVE-2024-4058, a type confusion bug in the ANGLE graphics layer. The flaw could allow an attacker to execute code on an affected system remotely via a crafted web page. The update also fixed two high-severity vulnerabilities: CVE-2024-4059, an out-of-bounds read in the V8 JavaScript engine, and CVE-2024-4060, a use-after-free issue in the Dawn WebGPU component. Chrome applies the update on restart, so browsers that stay open for days remain on the vulnerable build until relaunched.

SQL injection flaw in WordPress plugin
WPScan issued an alert about a critical vulnerability, CVE-2024-27956, in the WP-Automatic plugin for WordPress. The flaw lets unauthenticated attackers execute arbitrary SQL queries, which can lead to a full site takeover. Exploitation bypasses the plugin's user authentication check, giving the attacker access to the database, where the observed attacks create a new administrator account. Exploitation attempts have been seen in the wild, so site owners should update the plugin and audit the user table for administrator accounts they did not create.
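Since the attacks described in the advisory leave a rogue administrator account behind, one practical check is to audit the WordPress database for recently registered users who hold the administrator role. The query below is an added example, not part of the WPScan advisory or the plugin; it assumes the default `wp_` table prefix and MySQL/MariaDB syntax, and the seven-day window is an arbitrary choice.

```sql
-- Added example (not from the WPScan advisory): list users registered in the
-- last seven days who hold the "administrator" role.
--
-- Assumptions: default "wp_" table prefix and MySQL/MariaDB syntax. WordPress
-- stores roles as a PHP-serialized array in wp_usermeta under the meta_key
-- "<prefix>capabilities"; with a non-default prefix the key would be, for
-- example, "abc_capabilities", so both the table names and the meta_key must
-- match the site's $table_prefix.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= NOW() - INTERVAL 7 DAY
ORDER BY u.user_registered DESC;

-- Second pass: every administrator regardless of age, to compare against the
-- list of admins the site owner actually knows about. An attacker who
-- manipulates user_registered on the injected row would slip past the
-- time-windowed query above but not this one.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID;
```

Run both queries from the database, not through the WordPress admin UI, because an attacker with database access may also have tampered with what the UI shows. Any unexpected account should be removed and its creation time correlated with the web server logs to establish when the site was compromised; rotating the WordPress salts and all remaining admin passwords is prudent once a rogue admin is confirmed.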

Microsoft's Warbird and PMP tech contain bugs
Security Explorations scrutinized Microsoft's Warbird code-protection technology and its Protected Media Path (PMP), and reported vulnerabilities that expose the plaintext content keys guarded by PlayReady DRM on Windows 10 and 11. With the keys in hand, the researchers could decrypt high-definition movies from streaming platforms such as Canal+ and Netflix. Security Explorations has said it will share the technical details with Microsoft only under a commercial agreement, so no fix timeline is available.

Top Scams Reported in the Last 24 Hours


Phishing campaign steals Microsoft credentials
Cybersecurity firm Netcraft warned of a phishing campaign that sends its lures from compromised email accounts. The messages contain links to malicious PDF files hosted on Autodesk Drive, and because they carry the genuine senders' email signatures and come from legitimate, previously trusted mailboxes, they pass both reputation checks and a casual visual inspection. The PDFs lead victims to phishing pages that imitate Microsoft login prompts, and the harvested credentials give the attackers access to the victims' mailboxes and data, including the ability to launch the next round of phishing from yet another legitimate account.

Tags

plugx malware
chrome web browser
godfather android banking trojan
cobalt strike beacons
microsoft warbird
wp automatic plugin
fudmodule rootkit
microsoft protected media path pmp
autodesk drive
kaolin rat

Posted on: April 26, 2024
