GuptiMiner malware hijacks eScan antivirus update to distribute cryptominers and backdoors
Avast researchers identified the threat actors behind GuptiMiner exploiting a vulnerability in the update mechanism of eScan antivirus to distribute malware via man-in-the-middle attacks. GuptiMiner was used to deploy the XMRig miner, a modular backdoor, and an enhanced version of the PuTTY Link backdoor. GuptiMiner dates back to at least 2018 and has possible ties to the North Korean hacker group, Kimsuky. eScan confirmed that the issue has since been fixed, however, Avast continues to observe new infections by GuptiMiner, indicating potentially outdated eScan clients.
Suspected CoralRaider campaign uses CDN cache to deliver infostealer malware
Cisco Talos researchers analysed an ongoing campaign active since at least February 2024 that uses a content delivery network (CDN) cache to deliver infostealer malware. The campaign features new variants of LummaC2 and Rhadamanthys, and a Cryptbot variant first observed in January 2024. Victims were identified in multiple countries, including the United States, UK, Germany, Japan, and more. The malware is delivered through a multi-stage infection chain that starts with a malicious link, likely sent via a phishing email, that uses the drive-by download technique to deliver a LNK file. The researchers assess with medium confidence that the threat actor CoralRaider is behind the campaign.
GitHub comments abused to push malware
BleepingComputer found that threat actors are abusing the comments feature in GitHub to spread malware under the guise of legitimate GitHub repositories. Threat actors can upload malicious files as part of a comment left on a commit or issue in a project. GitHub then generates a download link, even if a comment is not saved, meaning threat actors can attach their malware to any repository without its owner’s knowledge. McAfee first identified such abuse to spread Redline stealer via Microsoft’s GitHub account. BleepingComputer noted that any public repository on GitHub could be abused, with GitLab also found to be affected by the same issue.
Phishing files impersonate Korean portal login pages
ASEC researchers identified phishing files disguised as portal website login pages impersonating numerous Korean brands, including Naver. Threat actors use the source code of the normal website to make the fake pages almost identical to the normal versions. Users are tricked into entering their account passwords as the ID of the phishing email recipient is already filled out. Account credentials are exfiltrated using NoCodeForm and sent to the attacker’s email or Slack account in HTML format.
CR4T backdoor used in DuneQuixote campaign targeting Middle Eastern government entities
In February 2024, Kaspersky researchers identified a new campaign, dubbed DuneQuixote, targeting government entities in the Middle East. The campaign delivers a newly discovered memory-only backdoor, dubbed CR4T, via both regular droppers and a trojanised installer file for the Total Commander tool. The campaign has been ongoing since at least February 2023. Two versions of the CR4T implant were identified, one written in C and one written in Golang.
Ransomware
Volume of blog posts by operators during the last week.
- UnitedHealth admits breach could ‘cover substantial proportion of people in America’ – TheRegister.com – Apr 23 2024
- HydraCrypt Ransomware Targets Brazil and Charges $5,000 for Decryption – SonicWALL – Apr 22 2024
- Security UN agency ransomware attack claimed by 8Base – Cyber Daily – Apr 22 2024
- APT73/ERALEIG NEWS: UNVEILING NEW RANSOMWARE GROUP – Threat Intelligence on Medium – Apr 20 2024
- HelloKitty ransomware rebrands, releases CD Projekt and Cisco data – BleepingComputer.com – Apr 19 2024
- Ransomware feared as IT ‘issues’ force Octapharma Plasma to close 150+ centers – TheRegister.com – Apr 18 2024
Financial Services
- Bank fraud ‘call center’ gang busted in Ukraine, police say – The Record – Apr 24 2024
- North Korean Lazarus hacker group using LinkedIn to target and steal assets: Report – Cointelegraph – Apr 24 2024
- Brazilian Government Payment System Breached, with Suspicion of Fund Diversion – Folha de São Paulo – Apr 23 2024
- Google ad impersonates Whales Market to push wallet drainer malware – Bleeping Computer – Apr 18 2024
- Korean researcher details scheme abusing Apple’s third-party pickup policy – TheRegister.com – Apr 18 2024
Geopolitics
- Threat actor uses Signal spear-phishing to infect Ukrainian military personnel with malware – CyberSecurity Help – Apr 23 2024
- North Korea hacking teams hack South Korea defence contractors – police – Reuters – Apr 23 2024
- Rural Texas Towns Report Cyberattacks That Caused One Water System to Overflow – SecurityWeek RSS Feed – Apr 22 2024
- Russian Sandworm hackers targeted 20 critical orgs in Ukraine – BleepingComputer – Apr 22 2024
- Hackers claim Belarus fertilizer plant infiltrated to demand political prisoner release – ABC News – Apr 19 2024
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2022-38028 | Windows | 7.7 | | Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
CVE-2024-20353 | Firepower Threat Defense | 8.6 | – | ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices
CVE-2024-4040 | CrushFTP | 9.8 | – | Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise
CVE-2024-21388 | Edge | 6.5 | – | Lazarus Group AppLocker zero-day campaign used Kaolin RAT to deliver FudModule rootkit
CVE-2024-3400 | PAN-OS | 10.0 | – | Additional exploitation of PAN-OS zero-day observed following release of PoC