Cyware Weekly Threat Intelligence - July 01–05
Weekly Threat Briefing • Jul 5, 2024
Europol led an international investigation, Operation Morpheus, that took down nearly 600 IP addresses hosting unlicensed Cobalt Strike instances; the crackdown covered 690 IP addresses across 27 countries. Separately, the U.S. federal government published a framework to streamline how emerging technologies are validated and adopted under FedRAMP. The framework aims to speed up federal agencies' adoption of secure, modern technologies, with an emphasis on cloud-based emerging technologies.
The Mekotio banking trojan continued to target Latin America. Delivered through phishing emails posing as messages from tax agencies, Mekotio infects victims through malicious links or attachments. Meanwhile, a QR code reader app on Google Play was found to be a carrier for the Anatsa banking malware. Attackers have also been exploiting outdated versions of Rejetto's HFS software through the critical-severity vulnerability CVE-2024-23692.
The Mekotio banking trojan is a sophisticated malware targeting Latin American countries, particularly Brazil, Chile, Mexico, Spain, and Peru. Mekotio is often delivered through phishing emails that appear to be from tax agencies, containing malicious links or attachments. Upon execution, Mekotio gathers system information and establishes a connection with a C2 server. It displays fake pop-ups that mimic legitimate banking sites, tricking users into entering their login details. Mekotio can also capture screenshots, log keystrokes, and steal clipboard data.
A malicious QR code reader app on Google Play has been discovered to be delivering the notorious Anatsa banking malware. The app has already been downloaded thousands of times, potentially compromising a significant number of users' financial data. Anatsa is a sophisticated piece of malware designed to steal sensitive banking information. It has advanced capabilities, including keylogging, overlay attacks, and remote access, making it a formidable threat to users' banking security.
Hackers are targeting older versions of the HTTP File Server (HFS) software from Rejetto to drop malware and cryptocurrency mining software. They are exploiting CVE-2024-23692, a critical-severity vulnerability in HFS versions up to and including 2.3m, which allows unauthenticated remote attackers to execute arbitrary commands on the affected system. The attackers use the vulnerability to gather information about the compromised system, install backdoors, and deploy various types of malware, including XMRig for Monero mining, XenoRAT, Gh0stRAT, and PlugX for remote access and control, and the GoThief information stealer.
ASEC uncovered a case where an unidentified threat actor exploited a Korean ERP solution to attack the defense and manufacturing industries. The attack involved inserting a malicious routine into the ERP update program to distribute the Xctdoor backdoor, which is designed to steal system information and execute commands. The attack also targeted web servers, installing the XcLoader malware to inject Xctdoor into processes. The malware communicates with a C&C server using HTTP and employs encryption.
The Turla malware group has been observed using malicious LNK files to deploy a fileless backdoor. The LNK file is disguised as a PDF document and, when opened, launches a PowerShell script. Microsoft disclosed two critical vulnerabilities in Rockwell Automation's PanelView Plus devices that could allow remote code execution and denial-of-service attacks. A new ransomware group, Volcano Demon, has been using a ransomware variant dubbed LukaLocker.