A widespread campaign is leveraging the MintsLoader malware loader to distribute secondary payloads, including the StealC information stealer and BOINC, a legitimate open-source network computing platform. MintsLoader, a PowerShell-based loader, is delivered via spam emails with malicious attachments. The campaign targets a wide range of users, using StealC to steal sensitive information and abusing BOINC for other malicious purposes such as crypto mining and resource abuse. This multi-pronged approach makes the campaign more versatile and dangerous.
A threat actor has successfully targeted low-skilled hackers, often referred to as ‘script kiddies,’ by distributing a fake malware builder. The builder is not what they expected: instead, it secretly infects the user’s systems with a backdoor. This method allowed the attacker to compromise over 18,000 devices, highlighting a serious issue in the threat landscape. It shows that even low-skilled attackers can be targets and may unknowingly become victims.
A sophisticated cyberattack has compromised over 10,000 WordPress websites, injecting malicious JavaScript to redirect visitors to fake browser update pages. These pages deliver malware targeting both macOS and Windows systems. The attack exploits vulnerabilities in outdated WordPress versions and plugins, resulting in a large-scale, cross-platform malware distribution campaign. The campaign uses techniques such as iframe injection and distributes the malicious AMOS (Atomic macOS Stealer) payload on macOS and a Windows executable on the Windows platform.
A new malicious AI chatbot, GhostGPT, is being advertised on underground forums as a tool for creating malware, executing BEC attacks, and other cybercrimes. This tool lowers the barrier for less-skilled hackers to launch attacks, which is very concerning. GhostGPT is an uncensored AI chatbot that lacks the ethical safeguards found in mainstream AI tools and provides unrestricted responses to malicious queries.
This is one of the first cases of a malicious AI chatbot being used in cybercrime, and it is an indicator of things to come. This new frontier in AI is a major concern.
The Silver Fox APT group is targeting organizations in Chinese-speaking regions using a multi-stage loader named PNGPlug to deliver the ValleyRAT malware. The attack begins with a phishing webpage that lures victims into downloading a malicious MSI package disguised as a legitimate application; the loader then uses weaponized PNG files to deliver the multi-stage malware.
A sophisticated botnet is exploiting misconfigured DNS records on approximately 13,000 MikroTik routers to bypass email protection systems and deliver malware through spam campaigns. This botnet operation leverages a simple DNS misconfiguration to send malicious emails that appear to come from legitimate domains, distributing trojan malware and other malicious content.
A sophisticated credit card skimmer malware campaign is targeting WordPress e-commerce checkout pages. The malware injects malicious JavaScript code directly into the database tables, evading traditional detection methods. This allows attackers to steal sensitive payment information, highlighting the need for robust security practices, including database monitoring and regular security audits to protect against such advanced threats.
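As an added example, not code from the original report: a small scanner a defender could run over rows exported from a WordPress database to flag script tags injected into stored content, the kind of database monitoring the item above calls for. Table and column names are WordPress defaults; the rows and hostnames are constructed.

```python
import re

# Constructed sample rows shaped like WordPress tables (wp_options / wp_posts).
# Table and column names are WordPress defaults; the values are made up.
SAMPLE_ROWS = [
    {"table": "wp_options", "id": 1, "field": "option_value",
     "value": "<p>Welcome to our shop</p>"},
    {"table": "wp_posts", "id": 42, "field": "post_content",
     "value": '<p>Checkout</p><script src="https://cdn.example.invalid/jq.js"></script>'},
    {"table": "wp_options", "id": 7, "field": "option_value",
     "value": "<script>eval(atob('ZG9jdW1lbnQ='))</script>"},
    {"table": "wp_posts", "id": 43, "field": "post_content",
     "value": "<p>Plain text with no markup</p>"},
]

# Any <script ...> opening tag in stored content.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
# Hostname of an external script source, e.g. <script src="https://host/x.js">.
EXTERNAL_SRC = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)
# Primitives commonly used to hide skimmer logic inside inline scripts.
OBFUSCATION = re.compile(
    r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.IGNORECASE)


def find_injected_scripts(rows, allowed_hosts=frozenset()):
    """Return one finding per row whose stored value contains a script tag.

    allowed_hosts: lower-case hostnames the site legitimately loads scripts from.
    """
    findings = []
    for row in rows:
        value = row["value"]
        if not SCRIPT_TAG.search(value):
            continue
        reasons = []
        for host in EXTERNAL_SRC.findall(value):
            if host.lower() not in allowed_hosts:
                reasons.append(f"external script from {host}")
        if OBFUSCATION.search(value):
            reasons.append("obfuscation primitive in inline script")
        if not reasons:
            reasons.append("script tag present (review manually)")
        findings.append({"table": row["table"], "id": row["id"],
                         "field": row["field"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_ROWS):
        print(f"{f['table']}.{f['field']} id={f['id']}: {'; '.join(f['reasons'])}")
```

In practice the rows would come from a `SELECT` over `wp_posts` and `wp_options` (or a database dump), and the allow-list would hold the site's own CDN hosts.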
A fake proof-of-concept (PoC) exploit is being used to target security researchers, disguising itself as a fix for a critical Microsoft LDAP vulnerability. The attackers forked the legitimate PoC and embedded information-stealing malware that is deployed when the malicious code is executed. The tactic aims to steal credentials and other sensitive information from security researchers.
Malicious npm packages are targeting Ethereum developers, impersonating Hardhat plugins to steal private keys and other sensitive data. These packages, with names similar to legitimate Hardhat plugins, have been downloaded over 1,000 times, potentially backdooring production systems and causing financial losses. The attackers use Ethereum smart contracts to store and distribute Command & Control (C2) server addresses to compromised systems. This is a software supply-chain attack.
Malicious actors are weaponizing legitimate security testing techniques, using OAST (Out-of-Band Application Security Testing) methods within the npm, PyPI, and RubyGems ecosystems. Attackers are using malicious packages in these ecosystems to exfiltrate data and establish command-and-control channels, enabling multi-stage attacks over seemingly legitimate infrastructure. These packages impersonate legitimate libraries to steal developer secrets.
The cybersecurity industry is seeing increased discussion and research around emerging threats and techniques. This includes detection of the NonEuclid RAT malware, which enables adversaries to gain unauthorized access and remote control, and Linux immutable-malware process binary attacks. Security advisories have been released by IBM, HPE, and Dell, highlighting the need for vigilance and proactive security measures. Research is also focusing on event streaming technologies such as Apache Kafka for data processing, and on visual search privacy techniques in Apple Photos. The need for strong passwords is also emphasized. These reports cover various areas of cybersecurity rather than one specific vendor.
North Korean threat actors are actively using a new malware called ‘OtterCookie’ in their ‘Contagious Interview’ campaign. This campaign is targeting software developers with fake job offers. The malware acts as a backdoor, enabling unauthorized access to compromised systems. This is part of a broader trend of North Korean cyber activity aimed at financial gain and espionage. The activity indicates a sophisticated and persistent threat actor leveraging social engineering to infiltrate targeted systems.
Lumma is a sophisticated information stealer available as Malware-as-a-Service (MaaS) on Russian-speaking forums and Telegram. It targets Windows systems to steal credentials, cryptocurrency wallets, browser data, and 2FA details using various techniques to avoid detection. It offers tiered subscription plans with features such as binary morphing and server-side data decryption. The stealer is actively used in campaigns involving phishing, malvertising, and fake software updates targeting manufacturing, transportation, gamers, cracked software users, and crypto enthusiasts, making it a dominant force in the info-stealer market.
The Iranian nation-state hacking group Charming Kitten has been observed deploying a new C++ variant of the BellaCiao malware, dubbed BellaCPP. This malware was discovered during an investigation of a compromised machine in Asia that was also infected with BellaCiao. This indicates an evolution in the group’s tactics, utilizing C++ for its malware, possibly to enhance its evasion and capabilities. The activity suggests a continued focus on cyber espionage and the use of updated malware variants by nation-state actors.