Request demo

Weekly Report: Geopolitical Risk Briefs

SIGN UP

Weekly Cyber Round-up

Intelligence Report

November 19, 2024

Get the alert delivered directly to your inbox

WezRat distributed via emails impersonating the Israeli National Cybersecurity Directorate

Check Point researchers analysed the latest version of the custom modular infostealer, WezRat, which is capable of executing commands, taking screenshots, uploading files, performing keylogging, and stealing both clipboard content and cookie files. The malware has backdoor functions, some of which are performed by separate modules that are retrieved from its C2 server in the form of DLL files. The malware was recently distributed to multiple Israeli organisations via phishing emails impersonating the Israeli National Cybersecurity Directorate (INCD) on October 21st, 2024. The earliest sample of WezRat was first identified on August 30th, 2023, with the malware having since gained additional modules and various changes to its backend infrastructure.

PXA Stealer targets education and government sectors in Europe and Asia

Cisco Talos researchers identified a campaign delivering a new infostealer, dubbed PXA Stealer, to the education sector in India and government organisations in Europe, including Sweden and Denmark. PXA Stealer targets credentials for online accounts, VPN and FTP clients, browser cookies, and data from gaming software. It also has the capability of decrypting a victim’s browser master password and using it to steal the stored credentials of online accounts. The attacker gains initial access by sending a phishing email with a ZIP file attachment that contains a malicious Rust loader executable and a hidden folder. The researchers assess that the attacker responsible for the attacks is of Vietnamese origin. The attacker was observed selling credentials and tools in a Telegram channel named ‘Mua Bán Scan MINI’, which is also where the CoralRaider threat actor operates.

DONOT APT use updated techniques to target Pakistan’s manufacturing sector  

Cyble researchers identified a campaign attributed to the DONOT advanced persistent threat (APT) group, targeting the maritime and defense manufacturing industry in Pakistan. The campaign uses a LNK file as the initial access vector, which is likely delivered within a RAR archive via a spam email. The LNK is disguised as an RTF, which is decrypted via PowerShell to deliver a lure RTF and payload, before establishing persistence via a scheduled task. This activity is believed to be linked to a July 2024 campaign that targeted government agencies and manufacturing companies in Pakistan with macro-enabled Microsoft Office files. DONOT have since updated their C2 communication, now leveraging AES encryption and Base64 encoding, as well as dynamic domain generation for backup C2 servers. 

High Priority Vulnerabilities

Name Software Base
Score
Temp
Score
CVE-2024-9463 Expedition 9.8 9.4
Related: CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild
CVE-2024-11120 GVLX 4 V3 9.8 9.6
Related: Botnet exploits GeoVision zero-day to install Mirai malware

Get the full report
delivered to your inbox​

By filling out and submitting this request you give us your consent to use and store the information  you have provided for the purpose set out above or in connection with it. For more information, see our Privacy Policy.

Detect and respond to threats faster.

Request a personalised demo to see Silobreaker in action.
Get started

Request a demo