Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 5, 2024
An insidious QR code reader app lurking on Google Play has been unmasked as a conduit for the dreaded Anatsa banking malware. This nefarious app, already downloaded thousands of times, poses a significant threat to users' financial data.
In a parallel sphere of cyber mischief, the Turla malware group has been detected orchestrating a new campaign, employing malicious LNK files to unleash a fileless backdoor. This malicious escapade begins with a package downloaded from a compromised website, potentially disseminated through phishing emails.
Meanwhile, Microsoft has spotlighted and disclosed two critical vulnerabilities in Rockwell Automation's PanelView Plus devices, opening the door to remote code execution and denial-of-service attacks by unauthenticated assailants. The RCE vulnerability revolves around the exploitation of two custom classes. The DoS flaw, in turn, leverages these same custom classes to dispatch a crafted buffer.
Turla enters via LNK files
A new campaign by the Turla malware group has been spotted using malicious LNK files to deploy a fileless backdoor. The malware campaign starts with a malicious package downloaded from a compromised website, potentially distributed through phishing emails. The malicious LNK file masquerades as a normal PDF document and executes a PowerShell script that deploys a fileless backdoor using Microsoft's msbuild.exe. The backdoor disables Event Tracing for Windows (ETW), performs memory patching on system modules, and bypasses the Windows Antimalware Scan Interface (AMSI) to evade detection.
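The chain above (LNK opened from Explorer, PowerShell, then msbuild.exe loading a project file) is visible in process-creation telemetry. The following detection sketch is an added example, not code from the briefing or from any vendor; the events are constructed in a simplified Sysmon Event ID 1 shape and the field names, paths and the temp-path heuristic are assumptions.

```python
from typing import Dict, List

# Constructed sample process-creation events (simplified Sysmon Event ID 1 style).
# pid 300 reproduces the chain in the briefing: explorer.exe (LNK opened) -> powershell.exe -> msbuild.exe.
# pid 500 is a benign build started from a developer IDE (constructed path) and must not be flagged.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\invoice.ps1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\task.xml"},
    {"pid": 400, "ppid": 1,   "image": r"C:\Program Files\VisualStudio\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[Dict]:
    """Return the process and its ancestors, child first; stops on a missing parent or a cycle."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_msbuild_from_powershell(events: List[Dict]) -> List[Dict]:
    """Flag msbuild.exe launched, directly or indirectly, by PowerShell.

    Each hit records the parent chain, whether Explorer sits above PowerShell (consistent
    with a user opening an LNK file), and whether the project file lives under a
    user-writable temp path, which a normal developer build rarely does (assumed heuristic)."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "msbuild.exe":
            continue
        names = [_basename(a["image"]) for a in ancestry(events, e["pid"])]
        if not any(n in ("powershell.exe", "pwsh.exe") for n in names[1:]):
            continue
        hits.append({"pid": e["pid"], "chain": " -> ".join(reversed(names)),
                     "launched_from_explorer": "explorer.exe" in names,
                     "project_in_temp": "\\appdata\\local\\temp\\" in e["cmd"].lower()})
    return hits


if __name__ == "__main__":
    for hit in find_msbuild_from_powershell(SAMPLE_EVENTS):
        print(hit)
```

On real telemetry, feed the same function one host's events at a time; parent-process fields are only meaningful within a single host's process tree.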
Mekotio threatens LATAM
The Mekotio banking trojan is a sophisticated malware targeting Latin American countries, particularly Brazil, Chile, Mexico, Spain, and Peru. Mekotio is often delivered through phishing emails that appear to be from tax agencies, containing malicious links or attachments. Upon execution, Mekotio gathers system information and establishes a connection with a C2 server. It displays fake pop-ups that mimic legitimate banking sites, tricking users into entering their login details. Mekotio can also capture screenshots, log keystrokes, and steal clipboard data.
Malicious QR reader app delivers malware
A malicious QR code reader app on Google Play has been discovered to be delivering the notorious Anatsa banking malware. The app has already been downloaded thousands of times, potentially compromising a significant number of users' financial data. Anatsa is a sophisticated piece of malware designed to steal sensitive banking information. It has advanced capabilities, including keylogging, overlay attacks, and remote access, making it a formidable threat to users' banking security.
HFS servers under attack
Hackers are targeting older versions of the HTTP File Server (HFS) software from Rejetto to drop malware and cryptocurrency mining software. They are exploiting CVE-2024-23692, a critical-severity vulnerability in HFS versions up to and including 2.3m, which allows unauthenticated remote attackers to execute arbitrary commands on the affected system. The attackers use the vulnerability to gather information about the compromised system, install backdoors, and deploy various types of malware, including XMRig for Monero mining, XenoRAT, Gh0stRAT, and PlugX for remote access and control, and the GoThief information stealer.
Ghostscript bugs patched
Canonical released security updates for Ubuntu to address several vulnerabilities in Ghostscript that could allow attackers to bypass security restrictions or execute malicious code. The vulnerabilities affected Ubuntu 20.04 LTS, 22.04 LTS, 23.10, and 24.04 LTS. They are tracked as CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, and CVE-2024-33871. It is important for users to apply these updates to protect their systems from potential attacks and data breaches. The update process is straightforward through the Ubuntu software update tools.
Flaws in Rockwell Automation PanelView Plus
Microsoft discovered and disclosed two vulnerabilities in Rockwell Automation's PanelView Plus devices, which could allow RCE and DoS attacks by unauthenticated attackers. The RCE vulnerability (CVE-2023-2071) involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS bug (CVE-2023-29464) takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, leading to a DoS.