
Cyware Daily Threat Intelligence, April 15, 2024

Cryptocurrency users are up against a sophisticated phishing campaign that deploys FatalRAT alongside clipper and keylogger malware. Aimed at Chinese-speaking individuals, the operation mimics the Exodus wallet interface and uses the clipper and keylogger modules to intercept keystrokes and clipboard contents, including wallet addresses. Separately, a new Android malware campaign, dubbed eXotic Visit, targets users in South Asia: the operators disguise their malware as messaging apps and other seemingly useful services and reuse code from the open-source XploitSPY Android RAT.

Adding to the woes is a critical security flaw in Delinea's Secret Server that triggered urgent updates for on-premises installations. Meanwhile, dozens of security holes were plugged by Juniper Networks across its products, including Junos OS and Junos OS Evolved.

Top Malware Reported in the Last 24 Hours


FatalRAT phishing campaign targets crypto users
Researchers uncovered a sophisticated phishing operation that targets cryptocurrency users with the notorious FatalRAT trojan alongside clipper and keylogger malware. The attackers built a deceptive website resembling the Exodus wallet interface, aimed primarily at Chinese-speaking individuals, and used DLL side-loading to execute their payload from a legitimate signed binary. Technical analysis revealed a multi-stage attack combining data theft with clipboard manipulation: the clipper watches for copied wallet addresses and swaps them for attacker-controlled ones so that outgoing cryptocurrency transactions are redirected.

New Android malware campaign arrives in South Asia
An Android malware campaign, tracked as eXotic Visit by cybersecurity firm ESET, has been actively targeting users in South Asian countries since November 2021. Operating under the name Virtual Invaders, the group distributed its malware through dedicated websites and, for a time, the Google Play Store. The apps include code from the open-source Android XploitSPY RAT, which can gather sensitive data from infected devices.

XZ Utils backdoor test files found in Rust crate
Security experts at Phylum discovered test files containing the XZ Utils backdoor embedded in the Rust crate liblzma-sys, a crate with over 21,000 downloads. The files were removed in version 0.3.3 following responsible disclosure. The backdoor, attributed to the GitHub account JiaT75, targeted SSH authentication on servers whose sshd process loads liblzma, and could have enabled remote code execution. Rust projects that depend on liblzma-sys, directly or through a crate such as xz2, should pin to 0.3.3 or later and check their lock files for older versions.
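The lock-file check mentioned above, as an added example (not Phylum's tooling or anything from the liblzma-sys project). It assumes that any liblzma-sys entry below 0.3.3 deserves review, since 0.3.3 is the release the report says removed the backdoor test files; the Cargo.lock content is constructed, and the parser only understands the simple `key = "value"` lines that Cargo.lock uses for package names and versions, which is all this check needs.

```python
"""Flag liblzma-sys entries in a Cargo.lock that predate the 0.3.3 cleanup.

Added example, not project code. Assumption: every liblzma-sys version
below 0.3.3 should be reviewed. The sample Cargo.lock below is constructed.
"""
import re

# Constructed sample Cargo.lock. Real files list far more packages and may
# contain the same crate at several versions (different dependency trees).
SAMPLE_CARGO_LOCK = """\
version = 3

[[package]]
name = "cc"
version = "1.0.83"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "liblzma-sys"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "liblzma-sys"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "xz2"
version = "0.1.7"
dependencies = [
 "liblzma-sys",
]
"""

WATCHED_CRATE = "liblzma-sys"
FIXED_VERSION = (0, 3, 3)  # first release without the backdoor test files (assumption, per the report)

# Matches the one-line `key = "string"` entries Cargo.lock uses for name/version/source.
KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_cargo_lock(text: str) -> list[dict]:
    """Return one dict per [[package]] table, keeping only string-valued keys.

    Array values such as `dependencies = [...]` span several lines and never
    match KV_RE, so they are skipped; the file header (`version = 3`) precedes
    the first [[package]] and is skipped as well.
    """
    packages: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return packages


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.3.2' or '0.3.3-beta.1' into a comparable tuple of ints.

    Pre-release and build suffixes are dropped, so a pre-release of 0.3.3
    compares equal to 0.3.3; that is acceptable for a triage script.
    """
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_suspect_packages(cargo_lock_text: str) -> list[tuple[str, str]]:
    """Return (name, version) for every liblzma-sys entry below FIXED_VERSION."""
    hits = []
    for pkg in parse_cargo_lock(cargo_lock_text):
        if pkg.get("name") != WATCHED_CRATE:
            continue
        version = pkg.get("version", "0")
        if parse_version(version) < FIXED_VERSION:
            hits.append((pkg["name"], version))
    return hits


def scan_file(path: str) -> list[tuple[str, str]]:
    """Run the check against a Cargo.lock on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_suspect_packages(fh.read())


if __name__ == "__main__":
    fixed = ".".join(map(str, FIXED_VERSION))
    for name, version in find_suspect_packages(SAMPLE_CARGO_LOCK):
        print(f"REVIEW: {name} {version} predates {fixed}")
```

Run it against a real lock file with `scan_file("Cargo.lock")`; an empty result means no liblzma-sys entry older than 0.3.3 is pinned. Because Cargo.lock can carry several versions of the same crate, the check walks every `[[package]]` table rather than stopping at the first match.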

Python backdoor deployed through Palo Alto zero-day
The zero-day flaw disclosed last week in Palo Alto Networks PAN-OS is under active attack in an operation named MidnightEclipse. The threat actor, tracked as UTA0218, uses a Python-based backdoor named UPSTYLE to open a reverse shell, download further tools, pivot into internal networks, and exfiltrate data. The flaw allows an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls.

LightSpy iOS espionage campaign returns
The LightSpy iOS espionage campaign has reemerged, targeting South Asia in a way that suggests political motives. Its latest iteration, F_Warehouse, carries extensive spying capabilities, including file theft and audio recording. Evidence points to Chinese origins, raising concerns about state-sponsored activity, and the implant uses certificate pinning on its command-and-control channel to hinder interception and analysis. The narrowly targeted attacks pose a particular risk to journalists, activists, and politicians.

Malicious Notepad++ plug-in distributed
AhnLab unearthed a modified version of mimeTools.dll, a plug-in that ships with Notepad++ by default. The trojanized DLL was hidden inside an otherwise legitimate installation package and abuses the fact that Notepad++ loads mimeTools.dll automatically at launch. This is a DLL-hijacking technique: the malicious mimeTools.dll is loaded alongside Notepad++.exe and executes the payload, which consists of encoded shellcode together with the code that decrypts it. Installations should be verified against the official package rather than by plug-in name alone, since the file name and location are unchanged.

Top Vulnerabilities Reported in the Last 24 Hours


Critical bug in Delinea's Secret Server
A vulnerability in Delinea's Secret Server, discovered by researcher Johnny Yu, could let attackers gain admin-level access and extract sensitive data. The flaw lies in Secret Server's SOAP API and affects both on-premises and cloud deployments. Delinea responded by blocking the SOAP endpoints for cloud customers and releasing patches, including version 11.7.000001 for on-premises deployments.

Juniper Networks discloses over a hundred flaws
Juniper Networks published multiple advisories detailing more than a hundred vulnerabilities in Junos OS, Junos OS Evolved, and other products. Patches were released for over 80 bugs, including critical issues in Junos cRPD and Cloud Native Router. High-severity flaws, such as information leaks and denial-of-service vulnerabilities, were also addressed in Paragon Active Assurance Control Center and Junos OS.

Top Scams Reported in the Last 24 Hours


SMS campaign spreads toll-fee scam
The FBI warned about a widespread SMS phishing campaign targeting Americans with fraudulent messages claiming unpaid road toll fees. The scam, which started in March 2024, has already hit thousands of individuals across multiple states. The malicious texts carry links dressed up as state toll-service websites, using the toll operator's name in an unrelated domain to trick recipients into clicking and entering personal information.
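A triage heuristic for texts of this shape, as an added example that is not FBI guidance or any carrier's filter. The brand tokens, the allowlisted domain, and the sample messages are all constructed for illustration; the point it shows is the look-alike check, which flags a toll operator's name appearing in a domain that is not the operator's own.

```python
"""Heuristic triage for toll-fee smishing texts.

Added example; not FBI guidance or a vendor's detector. Brand tokens,
the allowlist and the sample messages below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample messages in the shape of the campaign, not real texts from it.
SAMPLE_MESSAGES = [
    "Reminder: you have an unpaid toll balance of $6.99. Pay now to avoid a late fee: https://ezpass-toll-pay.com/bill",
    "Your EZPass statement is available: https://www.e-zpassny.com/",
    "Final notice: toll fee overdue. Settle at http://sunpass.example-billing.top/ezpass",
    "Lunch at 1? https://maps.example.com/spot",
]

# Wording the lure depends on.
LURE_WORDS = re.compile(r"\b(toll|unpaid|overdue|late fee|final notice)\b", re.I)
# Operator names that should only appear in the operator's own domain (constructed list).
BRAND_TOKENS = ("ezpass", "e-zpass", "sunpass", "fastrak", "tollway")
# Constructed allowlist of registrable domains treated as legitimate for this example.
ALLOWED_DOMAINS = {"e-zpassny.com"}

URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for .com/.net/.top; country-code second-level domains such as
    .co.uk would need a public-suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_token_abuse(url: str, host: str) -> bool:
    """True when a brand token appears in the host or path of a non-operator URL.

    Hyphens are stripped so 'e-zpass' and 'ezpass' are matched the same way.
    """
    flat_host = host.lower().replace("-", "")
    flat_path = urlparse(url).path.lower().replace("-", "")
    return any(
        tok.replace("-", "") in flat_host or tok.replace("-", "") in flat_path
        for tok in BRAND_TOKENS
    )


def score_message(text: str) -> tuple[str, list[str]]:
    """Return ('suspicious' | 'benign', reasons) for one SMS."""
    reasons: list[str] = []
    has_lure = bool(LURE_WORDS.search(text))
    for url in URL_RE.findall(text):
        url = url.rstrip(".,);")  # trailing sentence punctuation is not part of the link
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain in ALLOWED_DOMAINS:
            continue
        if brand_token_abuse(url, host):
            reasons.append(f"brand token in unrecognized domain {domain}")
        elif has_lure:
            reasons.append(f"toll-fee wording with link to unrecognized domain {domain}")
        if url.lower().startswith("http://"):
            reasons.append("plain http link")
    return ("suspicious" if reasons else "benign", reasons)


def triage(messages: list[str]) -> list[tuple[str, list[str]]]:
    """Score a batch of messages; returns one (verdict, reasons) pair per message."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for msg, (verdict, reasons) in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{verdict:10s} {msg[:60]!r} {reasons}")
```

The allowlist is checked on the registrable domain, not the full host, so `pay.e-zpassny.com` would pass while `e-zpassny.com.example.top` would not; that is the distinction the look-alike links in this campaign rely on users missing. Treat the output as a triage signal, not a verdict: a plain lure with a link to an unknown domain is flagged only when the toll-fee wording is present.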

Tags

upstyle
palo alto networks
exotic visit
juniper networks
delinea secret server
fatalrat
exodus wallet
f warehouse
notepad plugins
xz utils backdoor
toll fee scam

Posted on: April 15, 2024