
Cyware Daily Threat Intelligence, April 09, 2024


Invoice-themed phishing is once again the conduit for a highly sophisticated multi-stage attack distributing VenomRAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer. Flimsy security for WordPress sites continues to act as a hotbed for criminals. Thousands of WordPress sites were found hosting fake NFT and discount pop-ups, aiming to deceive visitors into connecting their wallets to crypto drainers, marking a significant escalation in cyber threats.

Moving on. Sahrawi Arab Democratic Republic activists are being targeted with a novel mobile malware, FlexStarling. Depending on the target's operating system, it serves either the FlexStarling APK for Android or redirects to a social media login page for credential harvesting. Additionally, a critical local privilege escalation bug has been resolved by the KernelCare team to safeguard CloudLinux users.

Top Malware Reported in the Last 24 Hours


Multi-stage attack unleashes VenomRAT
Cybersecurity researchers unearthed a complex multi-stage attack leveraging invoice-themed phishing emails to disseminate a variety of malware, including VenomRAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer. The attack employs Scalable Vector Graphics (SVG) file attachments to initiate the infection chain, with malware delivered via obfuscated batch scripts using tools like BatCloak and ScrubCrypt.

Malware campaign targets activists
A new threat actor, dubbed Starry Addax, is primarily targeting human rights activists supporting the Sahrawi Arab Democratic Republic cause using a malicious APK for Android. The app, named FlexStarling, imitates the application for Sahara Press Service (SPSRASD). The malware deploys additional malicious components and steals information from infected devices. Additionally, the attackers deploy credential-harvesting pages for Windows users disguised as popular media website logins.

Top Vulnerabilities Reported in the Last 24 Hours


Urgent patch issued for CloudLinux users
The KernelCare team has swiftly addressed CVE-2024-1086, a critical vulnerability impacting the Netfilter subsystem of the Linux kernel in CloudLinux environments. A patch has been released for CloudLinux 6h and CloudLinux 7, with manual updates available for users. The flaw poses a local privilege escalation risk and is easily exploitable, emphasizing the urgency of patching.

Top Scams Reported in the Last 24 Hours


WordPress sites promote fake NFT scams and crypto drainers
Nearly 2,000 compromised WordPress websites were discovered displaying fraudulent NFT and discount pop-ups, aiming to deceive visitors into connecting their wallets to crypto drainers. The scammers originally targeted approximately 1,000 sites but ran into some challenges. They later deployed new scripts that turn visitors' browsers into tools for brute-forcing admin passwords on other sites, leading to more compromised sites displaying pop-ups promoting fake NFT offers and crypto discounts.

Voice messages harvest credentials
ARC Labs dissected a phishing email tactic where targets were prompted to access a voice message via a link, concealing a credential harvesting scheme. The payload featured heavily obfuscated HTML data with embedded JavaScript within an SVG file. Using CryptoJS, the JavaScript dynamically decrypted encrypted content. Through code analysis, ARC Labs retrieved the decryption key, exposing the second-stage page and prompting credential entry.
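Both the VenomRAT chain above and this voice-message lure start from an SVG that carries script. The following triage script is an added example for this digest, not code from ARC Labs or any vendor mentioned; it parses an SVG attachment, counts script and foreignObject elements, and flags tokens such as CryptoJS or document.write that indicate a second stage being unwrapped in the browser. The sample SVG it checks is constructed for illustration.

```python
"""Triage an SVG attachment for embedded script content (added example)."""
import re
import xml.etree.ElementTree as ET

# Indicators seen in script-bearing SVG lures: in-browser crypto libraries
# used to unwrap a second stage, and runtime code/markup injection calls.
SUSPICIOUS_TOKENS = ("CryptoJS", "AES.decrypt", "eval(", "atob(",
                     "unescape(", "document.write(")


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}script' -> 'script')."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def triage_svg(svg_text):
    """Return a dict summarising script-related findings in an SVG document."""
    root = ET.fromstring(svg_text)
    findings = {"scripts": 0, "foreign_objects": 0, "tokens": [], "long_blobs": 0}
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings["scripts"] += 1
            body = el.text or ""
            for tok in SUSPICIOUS_TOKENS:
                if tok in body and tok not in findings["tokens"]:
                    findings["tokens"].append(tok)
            # Long runs of base64-like text are typical of a packed or encrypted payload.
            findings["long_blobs"] += len(re.findall(r"[A-Za-z0-9+/=]{200,}", body))
        elif name == "foreignObject":
            # foreignObject lets an SVG embed arbitrary HTML, e.g. a login form.
            findings["foreign_objects"] += 1
    findings["verdict"] = ("review" if findings["scripts"] or findings["foreign_objects"]
                           else "clean")
    return findings


# Constructed sample: a tiny image whose script decrypts a blob with CryptoJS
# and writes the result into the page, mirroring the lure described above.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect width="10" height="10"/>
<script><![CDATA[
var k="pass"; var c="{BLOB}";
var p=CryptoJS.AES.decrypt(c,k).toString(CryptoJS.enc.Utf8);
document.write(p);
]]></script>
</svg>""".replace("{BLOB}", "U2FsdGVk" * 40)

if __name__ == "__main__":
    print(triage_svg(SAMPLE_SVG))
```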


Posted on: April 09, 2024

