WezRat distributed via emails impersonating the Israeli National Cybersecurity Directorate
Check Point researchers analysed the latest version of the custom modular infostealer, WezRat, which is capable of executing commands, taking screenshots, uploading files, performing keylogging, and stealing both clipboard content and cookie files. The malware has backdoor functions, some of which are performed by separate modules that are retrieved from its C2 server in the form of DLL files. The malware was recently distributed to multiple Israeli organisations via phishing emails impersonating the Israeli National Cybersecurity Directorate (INCD) on October 21st, 2024. The earliest sample of WezRat was first identified on August 30th, 2023, with the malware having since gained additional modules and various changes to its backend infrastructure.
PXA Stealer targets education and government sectors in Europe and Asia
Cisco Talos researchers identified a campaign delivering a new infostealer, dubbed PXA Stealer, to the education sector in India and to government organisations in Europe, including Sweden and Denmark. PXA Stealer targets credentials for online accounts, VPN and FTP clients, browser cookies, and data from gaming software. It can also decrypt a victim’s browser master password and use it to steal the stored credentials of online accounts. The attacker gains initial access by sending a phishing email with a ZIP file attachment that contains a malicious Rust loader executable and a hidden folder. The researchers assess that the attacker responsible for the attacks is of Vietnamese origin. The attacker was observed selling credentials and tools in a Telegram channel named ‘Mua Bán Scan MINI’, which is also where the CoralRaider threat actor operates.
DONOT APT use updated techniques to target Pakistan’s manufacturing sector
Cyble researchers identified a campaign attributed to the DONOT advanced persistent threat (APT) group, targeting the maritime and defense manufacturing industry in Pakistan. The campaign uses a LNK file as the initial access vector, which is likely delivered within a RAR archive via a spam email. The LNK is disguised as an RTF, which is decrypted via PowerShell to deliver a lure RTF and payload, before establishing persistence via a scheduled task. This activity is believed to be linked to a July 2024 campaign that targeted government agencies and manufacturing companies in Pakistan with macro-enabled Microsoft Office files. DONOT have since updated their C2 communication, now leveraging AES encryption and Base64 encoding, as well as dynamic domain generation for backup C2 servers.
Ransomware
Volume of blog posts by operators during the last week.
RansomHub says 313GB exfiltrated in Mexican Government cyber attack – Cyber Daily – Nov 18 2024
Thanos Operator Targets Police Department in United Arab Emirates – SonicWALL – Nov 15 2024
Financial Services
Six US Banks Issue Urgent Debit Card Alerts, Forcing Mandatory Replacements for Many, After Third-Party Security Breach – The Daily Hodl – Nov 16 2024
VTB Bank Data Breach Exposes 6.3 Million Client Records – Daily Dark Web – Nov 15 2024
Inside Intelligence Center: Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers – EclecticIQ Blog – Nov 14 2024
Geopolitics
Cofense Intelligence Identifies U.S. Presidential Assassination-Themed Phishing Campaign – Cofense – Nov 15 2024
Caution: Fake letters on behalf of MeteoSwiss – Instead of a ‘Severe Weather Warning App’, malware is downloaded – Nationale Zentrum für Cybersicherheit – Nov 14 2024
Hungary’s defence procurement agency hacked, government says – Reuters – Nov 14 2024
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2024-9463 | Expedition | 9.8 | 9.4 | CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild
CVE-2024-11120 | GVLX 4 V3 | 9.8 | 9.6 | Botnet exploits GeoVision zero-day to install Mirai malware