We use cookies to improve your experience. Do you accept?

Cyware Announces Healthcare TIP

Check it Out

Skip to main content

Cyware Daily Threat Intelligence, December 18, 2024

shutterstock 2001814475 (1)

Daily Threat Briefing Dec 18, 2024

Cybercriminals are weaving new layers of deception, blending sophisticated delivery methods with innocuous-looking themes. The FLUX#CONSOLE phishing campaign has been targeting Pakistan with tax-themed lures to deliver a stealthy backdoor. I2PRAT, a malware leveraging the I2P network, is redefining stealth by enabling encrypted, anonymous communication between attackers and infected systems. Delivered through phishing emails that lead to malicious CAPTCHA pages, I2PRAT installs a RAT while disabling system defenses like Microsoft Defender.

Meanwhile, vulnerabilities in Apache Tomcat are raising alarms. A critical flaw allows remote code execution via the default servlet, while a DoS vulnerability affects the "examples" web app. The Apache Software Foundation urges users to update to the latest versions to safeguard against these risks.

Adding to the chaos, Google Calendar spoofing campaigns have targeted 300 organizations, using altered headers to lure victims into phishing traps. Fake links to Google Forms and Drawings masquerade as cryptocurrency services, stealing personal and financial data from unsuspecting users.

Top Malware Reported in the Last 24 Hours

Tax-themed lures deliver backdoor payloads

A new phishing campaign, known as FLUX#CONSOLE, is using tax-themed lures to deliver a stealthy backdoor payload in attacks targeting Pakistan. The campaign starts with a phishing email link or attachment, leveraging MSC files to deploy malicious payloads. The threat actors use double-extension files masquerading as PDFs and execute embedded JavaScript code to load a DLL file in the background. The main payload is a backdoor capable of exfiltrating data from compromised systems. 

TA397 deploys espionage RATs

Proofpoint detected the TA397 APT group targeting a Turkish defense organization. The attackers used an email lure about public infrastructure projects in Madagascar to initiate the attack. This involved a RAR archive that delivered a shortcut (LNK) file, which created a scheduled task on the target machine to download further malicious payloads. In the later stages of the attack, TA397 deployed WmRAT and MiyaRAT malware, both designed for intelligence gathering and data exfiltration. Proofpoint believes these campaigns are likely focused on supporting a South Asian government's interests. 

New I2PRAT exploits anonymous I2P network

A new malware called I2PRAT is improving cybercriminals’ ability to avoid detection. This malware uses the Invisible Internet Project (I2P) to hide its C2 communications. Unlike traditional malware, I2PRAT uses I2PD to enable anonymous and encrypted peer-to-peer communication, hiding both attackers and victims. I2PRAT infects victims through phishing emails, leading them to fake CAPTCHA pages with malicious JavaScript. This script tricks users into running a PowerShell command to install the malware loader, which then installs the RAT and hides its components. It can disable Microsoft Defender and block updates, manipulating system defenses effectively. 

Decoding RiseLoader

In October, Zscaler ThreatLabz discovered malware samples that use a network communication method similar to RisePro. Unlike RisePro, which mainly steals information, this new malware focuses on downloading and running second-stage payloads, leading to its naming as RiseLoader. RiseLoader uses a custom TCP-based network protocol similar to RisePro and often uses VMProtect for code obfuscation. RiseLoader has been found to drop malware types like Vidar, Lumma Stealer, XMRig, and Socks5Systemz, akin to those spread by PrivateLoader. The malware collects info on apps and browser extensions tied to cryptocurrency. 

Top Vulnerabilities Reported in the Last 24 Hours

RCE and DoS bugs in Apache Tomcat

The Apache Software Foundation has issued security updates for Apache Tomcat to address two vulnerabilities. One vulnerability (CVE-2024-50379) allows remote code execution by exploiting the default servlet, while the other (CVE-2024-54677) is a DoS flaw in the "examples" web application. The vulnerabilities affect various versions of Apache Tomcat, and users are urged to update to the latest versions (11.0.2 or later, 10.1.34 or later, 9.0.98 or later) to mitigate the risks. 

PoC published for CyberPanel flaw

A security researcher has discovered a critical vulnerability (CVE-2024-53376) in CyberPanel, which allows attackers to execute OS commands and compromise servers. The vulnerability exists in versions of CyberPanel prior to 2.3.8 and can be exploited using an HTTP OPTIONS request. This could lead to root-level access, data exfiltration, and infrastructure compromise. A PoC has been published on GitHub, demonstrating the severity of the exploit. CyberPanel has released a fix in version 2.3.8, and all users are strongly advised to update immediately.

Top Scams Reported in the Last 24 Hours

Spoofed Google Calendar invites and phishing 

Criminals are spoofing Google Calendar emails in a phishing scheme affecting about 300 organizations, with over 4,000 emails sent in four weeks. They alter sender email headers to make it seem like legitimate Google Calendar invites from known contacts. The phishing emails usually include a .ics calendar file with links to Google Forms or Google Drawings. Clicking these links leads to sites that mimic cryptocurrency mining or Bitcoin support, aimed at stealing personal and payment details. 

Ledger phishing campaign eyes crypto wallets 

A new phishing campaign is tricking people by pretending to be a data breach warning from Ledger. These emails ask users to verify their recovery phrases, which can lead to stolen cryptocurrency. The phishing emails look authentic but come from a marketing service, claiming that recovery phrases may be exposed. Clicking links leads to a fake site that collects recovery phrases.

Related Threat Briefings

Dec 20, 2024

Cyware Daily Threat Intelligence, December 20, 2024

Disguised as a harmless health tool, the BMI CalculationVsn app hid its sinister purpose within the Amazon Appstore. The spyware recorded screens, intercepted sensitive SMS messages, and scanned installed apps, leaving users vulnerable before its removal. However, traces of the app may still linger, necessitating manual removal and device scans. A critical vulnerability in BeyondTrust's Privileged Remote Access products landed on CISA's KEV catalog after reports of active exploitation. Tracked as CVE-2024-12356, the flaw enables attackers to execute commands as a site user, with patched updates now available for self-hosted installations. Copy-paste commands are no longer innocent. Threat actors have weaponized clipboard activity, tricking users into running malicious PowerShell scripts under the guise of software notifications. By exploiting trusted brands and Cloudflare tunnels, they discreetly deploy malware while bypassing conventional defenses.

Dec 19, 2024

Cyware Daily Threat Intelligence, December 19, 2024

Cybercriminals are pushing the boundaries of their operations, exploiting vulnerabilities in both devices and software ecosystems to widen their reach. The BADBOX botnet, thought to be dismantled, has made a troubling comeback, infecting over 192,000 Android-based devices worldwide. Expanding its scope, BADBOX now compromises high-end smart TVs and smartphones at the supply chain level. Juniper Networks routers are under siege in a botnet campaign deploying the Mirai malware. Exploiting default credentials, the malware scans the internet for vulnerable devices, infecting systems to launch DDoS attacks and execute malicious commands remotely. Juniper strongly advises users to change default passwords, monitor devices for unusual activity, and update firmware. Infected systems require reimaging to fully eradicate the threat. Fortinet has issued urgent patches for critical vulnerabilities in its products, including FortiClient VPN, FortiManager, and FortiWLM. The flaws allow attackers to extract VPN passwords, execute remote code, and access sensitive files. With millions of users at risk, Fortinet urges immediate upgrades to secure versions, highlighting the importance of proactive vulnerability management in today’s threat landscape.

Dec 17, 2024

Cyware Daily Threat Intelligence, December 17, 2024

Cybercriminals are doubling down on exploiting overlooked vulnerabilities, turning common devices and platforms into tools for covert operations. The FBI issued a warning about HiatusRAT attacks that target web cameras and DVRs, especially Chinese-branded devices with weak passwords and known flaws. Unit 42 researchers uncovered critical vulnerabilities in Azure Data Factory's Apache Airflow integration, exposing cloud infrastructure to potential compromise. Flaws like misconfigured Kubernetes RBAC and mishandled Geneva secrets could allow attackers to exfiltrate data, deploy malware, and gain unauthorized control. Meanwhile, Guardio Labs identified a malvertising campaign called DeceptionAds, responsible for over one million daily ad impressions. The attackers exploit a single ad network to spread fake CAPTCHA prompts, tricking users into running harmful PowerShell commands.

Dec 16, 2024

Cyware Daily Threat Intelligence, December 16, 2024

The ever-evolving threat landscape continues to target unsuspecting users across industries and platforms. A SocGholish malware campaign recently set its sights on Kaiser Permanente employees, leveraging fraudulent Google Search Ads masquerading as an HR portal. Meanwhile, the Chinese hacking group Winnti has unleashed a new modular backdoor named Glutton, targeting industries in both China and the U.S. This advanced ELF-based backdoor not only enables tailored cyberattacks but also infiltrates other threat actors’ systems by embedding itself in software packages. Ruijie Networks faced scrutiny as researchers uncovered 10 vulnerabilities in its Reyee cloud management platform and OS devices. Among these flaws is Open Sesame, allowing attackers near a Ruijie access point to exploit its cloud connection and infiltrate internal networks. Though Ruijie has patched these vulnerabilities at the cloud level, the findings emphasize the growing risks associated with cloud-enabled devices. Even content creators are under siege, as over 200,000 YouTubers have been targeted in a phishing campaign that mimics major brands. Cybercriminals lure victims with fake collaboration emails containing malware-laden attachments designed to steal credentials and grant remote system access.

Dec 13, 2024

Cyware Daily Threat Intelligence, December 13, 2024

Malware’s relentless evolution continues to shape the cyber landscape, with threat actors pushing boundaries in espionage and infrastructure disruption. Two spyware families, BoneSpy and PlainGnome, linked to the Russian group Gamaredon, have been identified as tools of surveillance. Both spyware families enable extensive data collection, reinforcing Gamaredon’s focus on espionage. Iranian cyber actors have unleashed IOCONTROL malware to compromise IoT and OT/SCADA systems in critical infrastructure. By exploiting routers and fuel management systems, this malware poses a serious threat to key infrastructure in Israel and the U.S. IOCONTROL is capable of executing commands, sending system information, and even self-deleting to avoid detection, highlighting the increasing risks tied to interconnected devices. Cleo has urged its customers to immediately patch their file-sharing products after the discovery of a vulnerability affecting widely used systems. Despite an earlier patch, the flaw remains exploitable. With exploitation reports rising, firms must secure their systems to mitigate risks associated with this critical bug.

Dec 12, 2024

Cyware Daily Threat Intelligence, December 12, 2024

Malware threats continue to evolve, targeting both enterprises and individual developers. Zloader’s latest variant leverages a custom protocol for DNS tunneling and advanced anti-analysis features. Meanwhile, a typosquatting attack tricked developers by mimicking the popular TypeScript ESLint plugin’s NPM package, enabling clipboard monitoring and persistence on compromised systems. Researchers revealed details about the AuthQuake vulnerability affecting Microsoft’s MFA system, leaving critical services like Outlook, Teams, and Azure exposed to brute-force attacks. Meanwhile, Siemens Healthineers issued a hotfix to address an SQL injection flaw in its syngo.plaza software that allowed database compromise. Phishing campaigns are becoming increasingly elaborate, with "Aggressive Inventory Zombies (AIZ)" impersonating major retailers like Amazon, Etsy, and eBay, and crypto platforms like Binance and Kraken. The phishing network preyed on unsuspecting users using fake sites and fraudulent chat support.

Dec 11, 2024

Cyware Daily Threat Intelligence, December 11, 2024

Privacy breaches wear a new mask as EagleMsgSpy, a stealthy spyware tool linked to Chinese law enforcement, was spotted. Active since 2017, this Android-based tool silently intercepts messages from apps like WhatsApp and WeChat, gathering extensive user data and transmitting it securely to C2 servers, raising alarms over state-sponsored surveillance. Microsoft delivered its December 2024 Patch Tuesday, addressing 71 vulnerabilities. Among the fixes is an actively exploited zero-day in the Windows Common Log File System Driver, alongside critical flaws across Remote Desktop Services, Edge, and SharePoint. Scammers turned UAE’s National Day into a playground for fraud, as the Smishing Triad exploited the celebratory buzz. Impersonating law enforcement, these fraudsters used phishing and smishing to manipulate victims, raking in financial gains while exploiting the festive spirit to lower guards.

Dec 10, 2024

Cyware Daily Threat Intelligence, December 10, 2024

Digital trust took a hit in Southern Asia as WhatsApp became the delivery vector for a sophisticated SpyNote RAT campaign targeting high-profile individuals. Disguised as seemingly benign apps like “Best Friend,” the malware exploited accessibility settings to gain deeper control over devices, enabling location tracking and the reading of text messages. OpenWrt narrowly avoided a potential security catastrophe with a critical flaw in its Attended Sysupgrade feature. The vulnerability, involving command injection and hash truncation, could have allowed attackers to distribute harmful firmware packages to network devices. Meanwhile, cybercriminals launched a new phishing campaign to spread the AppLite Banker malware, targeting Android devices through fake job applications. Masquerading as recruiters from trusted companies, the attackers directed victims to fraudulent websites where they were tricked into downloading a fake CRM app.

Dec 9, 2024

Cyware Daily Threat Intelligence, December 09, 2024

In a stark reminder of supply chain vulnerabilities, cybercriminals turned a trusted AI library into a covert delivery system for malware. A supply chain attack on the popular ultralytics AI library injected malicious code into two versions, distributing a crypto coinminer and creating backdoor access to compromised environments. Bitcoin's Lightning Network faced a storm of uncertainty. A newly disclosed vulnerability can expose the network's transaction-relay mechanism to jamming attacks, risking financial losses and degraded stability. The flaw allows malicious actors to disrupt Lightning channels, highlighting the fragile intersection of innovation and security in blockchain technologies. Deception ran deep in a phishing campaign against Ukraine's defense sector. Threat group UAC-0185 used emails advertising a fake NATO conference to infect systems with malware. By deploying a remote management program, the attackers gained unauthorized access to messaging and military systems, aiming to compromise Ukraine's security infrastructure.

Dec 6, 2024

Cyware Daily Threat Intelligence, December 06, 2024

BlueAlpha sharpened its arsenal by exploiting Cloudflare Tunnels to obscure its malware staging infrastructure. The Russian-backed group deployed GammaDrop malware against Ukrainian organizations, using advanced techniques like HTML smuggling to bypass email filters and DNS fast-fluxing for stealthy command-and-control. Mitel MiCollab’s unresolved vulnerability exposed enterprises to potential cyber risks despite earlier patches. While two critical flaws, including an authentication bypass, were fixed, a lingering arbitrary file read vulnerability remains open after over 100 days without a vendor-provided solution. Manufacturing firms have become the latest victims of a multi-stage malware campaign. Threat actors disguised malicious LNK files as PDFs, leveraging LOLBins and PowerShell commands to bypass security. The attack deploys tools like Lumma stealer and Amadey bot to siphon sensitive data.

Dec 5, 2024

Cyware Daily Threat Intelligence, December 05, 2024

Earth Minotaur is turning Android messaging apps into silent spies, using the MOONSHINE exploit kit to infiltrate Tibetan and Uyghur communities. With over 55 active servers, the group deploys the DarkNimbus backdoor for comprehensive surveillance across Android and Windows devices. Their tactics extend to compromising WeChat and leveraging social engineering to lure victims into clicking malicious links. Critical flaws in Lorex 2K Indoor Wi-Fi Security Cameras have exposed live feeds to potential attackers, prompting urgent updates. Researchers highlighted vulnerabilities allowing authentication bypass, admin control resets, and remote code execution. Affected users must install the mandatory firmware update to safeguard their devices against malicious takeovers. The National Tax Service has become the latest disguise in a surge of phishing campaigns targeting unsuspecting users. Impersonating the NTS, attackers employ malicious DLL and CHM files to distribute malware, exploiting tax-related topics to deceive victims and compromise systems.

Dec 4, 2024

Cyware Daily Threat Intelligence, December 04, 2024

Attackers struck at the heart of Solana’s Web3.js library, turning a trusted tool for decentralized applications into a weapon for stealing private keys and cryptocurrency funds. Versions 1.95.6 and 1.95.7 were compromised for five hours before being replaced with a clean update but the ripple effects may still endanger third-party tools managing private keys. A single filename was all it took to unravel security in MobSF. A Stored XSS vulnerability in feature allowed malicious scripts embedded in filenames to bypass security and execute harmful actions. Users of version 4.2.8 are urged to patch their systems without delay. Cloudflare’s trusted domains became a haven for cybercriminals as phishing campaigns skyrocketed. With phishing incidents up 198% this year, attackers are using these platforms to disguise their scams and target thousands of unsuspecting users globally.