Cyware Daily Threat Intelligence
Daily Threat Briefing • May 13, 2024
The imitation of legitimate software applications makes the best camouflage! A malware operator group has now abused the GoTo Meeting platform to deploy Remcos RAT using PDF icon shortcuts. The actors use bait such as tax forms or obscene content to trick users. The recently disclosed fifth Google Chrome zero-day of the year has become a nightmare for Microsoft Edge users as cybercriminals have started abusing the flaw: only days after disclosure, an exploit for the security issue has been confirmed to be operational in the wild.
What's more? Cyber experts detected FIN7 exploiting trusted brands and distributing NetSupport RAT and DiceLoader via deceptive ads and malicious MSIX files. The criminals use sponsored Google Ads to promote these schemes.
Black Basta: A grave threat to critical infrastructure
The Black Basta ransomware operation has hit over 500 organizations worldwide since April 2022, revealed an advisory by CISA and partners. With a 41% surge in activity in Q1 2024, Black Basta employs sophisticated attack chains, abusing tools like Cobalt Strike and exploiting vulnerabilities like ZeroLogon. The advisory equips defenders with the TTPs and IOCs used by the group and its affiliates.
GoTo Meeting deploys Remcos RAT
Malicious actors were found leveraging GoTo Meeting, a legitimate software product, to execute Remcos RAT via deceptive tactics. Using a chain of LNK file executions, they trigger malicious payloads disguised as PDFs. The chain relies on DLL sideloading to load the malicious DLL alongside the legitimate executable. Shellcode then further obfuscates the process and decrypts and executes the final payload. A JavaScript infection chain targeting diverse demographics with fake setups and documents was also identified.
Malicious PyPI Package Alert
The Phylum research team flagged a suspicious PyPI publication: "requests-darwin-lite," a malicious fork of the popular "requests" package. The fork concealed a malicious Go binary inside an oversized PNG logo. During installation on macOS systems, the malware extracted the system UUID and executed its commands only on selected machines. Notably, the attacker targeted specific hosts, possibly for tailored attacks. The oversized PNG file, serving as a vessel for the binary, exhibited steganographic traits.
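A defender-side check for the pattern above, added here as an example and not code from Cyware or Phylum: the briefing does not say exactly how the Go binary was hidden in the logo, so this script assumes the simplest case, a payload appended after the PNG's IEND chunk, and also applies an oversized-file heuristic. The 1x1 sample PNG is constructed inline, and the 256 KiB logo-size threshold, the executable-magic list and the "Go build ID" marker check are this example's own assumptions about what is worth flagging in a package review.

```python
"""Added example: flag PNG assets in a package that carry data after IEND
or are implausibly large for a logo. Not the briefing's or Phylum's code."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Executable magics worth calling out if they lead the trailing data (assumption).
EXECUTABLE_MAGICS = {
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
    b"MZ": "PE",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as sample input (not a real logo)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x00"  # filter byte + one grey pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw_scanline))
            + _chunk(b"IEND", b""))


def walk_chunks(data: bytes):
    """Yield (chunk_type, end_offset) for each chunk, verifying CRCs; stop at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, end
        pos = end
        if ctype == b"IEND":
            return


def trailing_bytes(data: bytes) -> bytes:
    """Return everything after the IEND chunk; a clean PNG yields b''."""
    last_end = len(PNG_SIGNATURE)
    saw_iend = False
    for ctype, end in walk_chunks(data):
        last_end = end
        saw_iend = ctype == b"IEND"
    if not saw_iend:
        raise ValueError("no IEND chunk")
    return data[last_end:]


def assess_png(data: bytes, max_logo_bytes: int = 256 * 1024) -> dict:
    """Summarise findings for one PNG. The size threshold is an assumption."""
    tail = trailing_bytes(data)
    findings = {"size": len(data), "trailing_len": len(tail),
                "suspicious": False, "reasons": []}
    if tail:
        findings["suspicious"] = True
        findings["reasons"].append("data after IEND")
        for magic, name in EXECUTABLE_MAGICS.items():
            if tail.startswith(magic):
                findings["reasons"].append("executable magic in trailing data")
                findings["format"] = name
                break
        if b"Go build ID" in tail:  # string present in Go-linked binaries
            findings["reasons"].append("Go build ID marker in trailing data")
    if len(data) > max_logo_bytes:
        findings["suspicious"] = True
        findings["reasons"].append("file larger than expected for a logo")
    return findings


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed sample: a fake Mach-O header and a Go marker appended after IEND.
    tainted = clean + b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b'Go build ID: "example"'
    print(assess_png(clean))
    print(assess_png(tainted))
```

Run it over every `*.png` shipped in a wheel or sdist before the package is allowed into an internal index; a logo with trailing bytes, an executable magic or a size far beyond what a small image needs deserves a manual look regardless of what the package metadata claims.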
FIN7 drops NetSupport RAT and DiceLoader
The eSentire research team detected multiple incidents of FIN7 impersonating well-known brands like AnyDesk and Google Meet to distribute NetSupport RAT and DiceLoader. The attackers employed fake browser extensions and deceptive web ads to lure users into downloading malware-laden MSIX files. Analysis revealed sophisticated infection chains involving PowerShell scripts, reconnaissance, data exfiltration, and process injection.
Chrome zero-day flaw abused
CVE-2024-4671, the zero-day vulnerability affecting Microsoft Edge through its Chromium engine, is being targeted by attackers to execute malicious code. Successful exploitation risks data loss and malware installation on affected devices. Google acknowledged the issue and is reportedly working on a fix. Meanwhile, experts have urged Microsoft to swiftly ship a security update for Edge users.