VIEH Daily Threat Analysis | 24 July 2024

In the chilling depths of a Ukrainian winter, a previously unseen malware launched a calculated cyberattack against a district energy company. Dubbed FrostyGoop, the malware targeted temperature controllers, crippling the central heating system of over 600 apartment buildings.

Meanwhile, ESET researchers uncovered a zero-day exploit, named EvilVideo, threatening Telegram for Android. This exploit allowed attackers to dispatch malicious APK payloads masquerading as innocuous video files in vulnerable versions of Telegram. 

The recent buggy update from CrowdStrike has inadvertently thrown open the gates for cybercriminal exploitation. Phishing emails, masquerading as official CrowdStrike communications, have become the vector for disseminating data wipers and remote access tools, compromising millions of Windows hosts globally.

Top Malware Reported in the Last 24 Hours

FrostyGoop malware plays the cold game

A previously unseen malware called FrostyGoop was used in a cyberattack against a district energy company in Ukraine last winter. The attack targeted temperature controllers, disrupting the central heating system and leaving over 600 apartment buildings without heat for two days during sub-zero temperatures. FrostyGoop is able to disrupt industrial processes by altering values on ICS devices. The malware exploited the Modbus protocol to directly tamper with industrial control systems, posing a significant threat to OT environments globally.
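As an added defensive illustration (not code from Dragos or any vendor): a minimal Modbus/TCP parser that decodes the MBAP header and PDU of captured request frames and alerts when a write function code arrives from a host outside an assumed engineering-workstation allowlist. The frames and addresses are constructed sample data.

```python
import struct

# Modbus function codes that change state on the target device.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumption: only one engineering workstation may write to controllers.
ALLOWED_WRITERS = {"10.0.5.10"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func, pdu = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "function": func, "is_write": func in WRITE_FUNCTIONS}
    if func == 0x06 and len(pdu) >= 4:  # Write Single Register: address + new value
        info["address"], info["value"] = struct.unpack(">HH", pdu[:4])
    return info


def find_rogue_writes(frames, allowed=ALLOWED_WRITERS):
    """Return alerts for write requests originating from non-allowlisted hosts."""
    alerts = []
    for src_ip, raw in frames:
        req = parse_modbus_tcp(raw)
        if req["is_write"] and src_ip not in allowed:
            alerts.append(f"{src_ip} -> unit {req['unit']}: {WRITE_FUNCTIONS[req['function']]} "
                          f"addr={req.get('address')} value={req.get('value')}")
    return alerts


# Constructed sample traffic: a read from the HMI, a legitimate setpoint write
# from the engineering workstation, and a setpoint write from an unexpected host.
SAMPLE_FRAMES = [
    ("10.0.5.20", bytes.fromhex("000100000006010300000001")),   # Read Holding Registers
    ("10.0.5.10", bytes.fromhex("000200000006010600100041")),   # Write Single Register
    ("192.0.2.77", bytes.fromhex("000300000006010600100005")),  # write from unknown host
]

if __name__ == "__main__":
    for alert in find_rogue_writes(SAMPLE_FRAMES):
        print("ALERT:", alert)
```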

Daggerfly updates arsenal

The espionage outfit Daggerfly updated its malware arsenal, releasing new versions in reaction to its previously unknown variants becoming public. A new iteration of the Macma macOS backdoor and a new malware family built on the MgBot modular malware framework have also been unveiled by the group. Recent iterations of Macma demonstrate continuous development; one has a new core module, while another has small enhancements to functionality that already exists. More significant changes were also seen in the main module, which now includes new logic to gather a file system listing.

Beware of GTA VI Beta version

Threat actors are exploiting the hype around the upcoming Grand Theft Auto VI release by creating malicious Facebook ads promising a GTA VI beta version for download. These ads are designed to lure unsuspecting gamers into downloading malware instead of a legitimate game. The malicious ads lead users to download a fake GTA VI installer, which is actually a form of FakeBat loader malware. FakeBat can, in turn, deploy next-stage malware like info-stealers and RATs.

Credit card skimmer on Magento

In a sophisticated attack on a Magento e-commerce website, attackers used a swap file to maintain a persistent credit card skimmer. The malicious script captured sensitive customer data and was hidden in the code, making it challenging to remove. The attackers also leveraged a domain with a popular brand name to retrieve stolen credit card details. The malware was found in the app/bootstrap.php file and persisted even after replacing the file, hinting at a complex and resilient infection.

Top Vulnerabilities Reported in the Last 24 Hours

EvilVideo vulnerability exploit on Telegram

ESET researchers discovered a zero-day exploit targeting Telegram for Android, called EvilVideo. This exploit allowed attackers to send malicious Android payloads disguised as video files in unpatched versions of Telegram. The exploit relied on tricking users into installing a malicious app disguised as a multimedia file. Telegram fixed the issue in version 10.14.5, and the exploit no longer works in patched versions. The threat actor also advertised an Android cryptor-as-a-service on the same underground forum. The exploit did not work on Telegram Web or Desktop clients.
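As an added defensive illustration (not ESET's or Telegram's code): a content-sniffing check that flags a file whose name claims a video extension but whose bytes are a ZIP archive containing AndroidManifest.xml, which is what an APK is. The MP4 header and the stand-in APK are constructed in memory.

```python
import io
import zipfile

VIDEO_EXTENSIONS = {".mp4", ".mov", ".m4v", ".webm", ".mkv"}


def sniff_container(data: bytes) -> str:
    """Identify the container from leading bytes, ignoring the file name."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "iso-bmff"   # MP4 / MOV / M4V family
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "ebml"       # WebM / Matroska
    return "unknown"


def is_android_package(data: bytes) -> bool:
    """True when the ZIP archive carries an AndroidManifest.xml entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def is_disguised_apk(filename: str, data: bytes) -> bool:
    """Flag a file whose name claims a video extension but whose content is an APK."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return ext in VIDEO_EXTENSIONS and sniff_container(data) == "zip" and is_android_package(data)


def build_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with two entries every APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed samples: a minimal MP4 header and a fake APK named like a video.
REAL_VIDEO = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
SAMPLES = [("holiday.mp4", REAL_VIDEO), ("funny_clip.mp4", build_fake_apk())]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        verdict = "DISGUISED APK" if is_disguised_apk(name, blob) else "ok"
        print(name, sniff_container(blob), verdict)
```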

Buggy LangChain Gen AI

Palo Alto Networks discovered two vulnerabilities in the popular open source generative AI framework LangChain, which is widely used in app development and has over 81,000 stars on GitHub. The vulnerabilities, CVE-2023-46229 and CVE-2023-44467, could have allowed attackers to execute arbitrary code and access sensitive data. LangChain has since issued patches to address these issues.

Top Scams Reported in the Last 24 Hours

Cybercriminals capitalize on CrowdStrike outage

The recent glitchy update from CrowdStrike has led to cybercriminals exploiting the situation by distributing malware disguised as fixes and updates. Phishing emails impersonating CrowdStrike have been used to distribute data wipers and remote access tools, impacting millions of Windows hosts globally. The malware campaigns targeted businesses and even a bank’s customers, leading to significant disruptions in various sectors. CrowdStrike and government agencies have warned about the increase in phishing attempts and advised organizations to verify communication through official channels.


Post Credit: theregister, symantec enterprise, bitdefender, sucuri, welivesecurity, paloalto network, bleeping computers, cyware
