
DigitalXRAID

Threat Pulse – May 2024

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available. 

New PHP Vulnerability Exposes Windows Servers to Remote Code Execution 

A serious remote code execution vulnerability in PHP affects all supported versions when PHP is run in CGI mode on Windows, allowing unauthenticated attackers to inject command-line arguments into the PHP CGI process and execute arbitrary code.  

A patch was released on June 6, 2024. Users should update to the latest PHP release or, better still, move off CGI mode to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.  

Temporary mitigations are available for those unable to upgrade immediately: specific Apache HTTP Server configuration changes (rewrite rules that reject the malformed query strings used in the attack) can block exploitation. At the time of writing, XAMPP for Windows, which is affected in its default configuration, had not yet provided an update for this vulnerability. 
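As an added example (not from the original page or from DigitalXRAID), here is a small Python check a SOC analyst could run over Apache access logs to spot requests shaped like PHP CGI argument injection. Background the page does not spell out: php-cgi treats a query string that contains no unencoded `=` as command-line arguments, splitting on `+`; the 2024 Windows bug arises because a soft-hyphen byte (0xAD, sent as `%AD`) is "best-fit" mapped to `-` after PHP's existing check for a leading `-`, so `%ADd` reaches PHP as the `-d` option. The log lines below are constructed for the example.

```python
import re
from typing import List
from urllib.parse import unquote_to_bytes

# Constructed Apache access-log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2024:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [07/Jun/2024:10:02:45 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 88
203.0.113.9 - - [07/Jun/2024:10:03:01 +0000] "GET /cgi-bin/php.cgi?-d+allow_url_include%3D1 HTTP/1.1" 403 0
203.0.113.11 - - [07/Jun/2024:10:03:30 +0000] "GET /search.php?q=caf%C3%A9 HTTP/1.1" 200 1024
203.0.113.12 - - [07/Jun/2024:10:04:02 +0000] "GET /index.php?home HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SOFT_HYPHEN = b"\xad"   # sent as %AD; best-fit mapped to '-' by Windows


def looks_like_cgi_arg_injection(query: str) -> bool:
    """True if the raw query string would reach php-cgi as argv and one of
    the arguments starts with '-' or with the soft-hyphen byte."""
    if "=" in query:
        # An unencoded '=' makes this an ordinary indexed query; the CGI
        # interface does not pass it on the command line.
        return False
    for arg in query.split("+"):
        raw = unquote_to_bytes(arg)
        if raw.startswith(b"-") or raw.startswith(SOFT_HYPHEN):
            return True
    return False


def find_suspicious_requests(log_text: str) -> List[str]:
    """Return the request targets in an access log that match the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        query = m.group("target").split("?", 1)[1]
        if looks_like_cgi_arg_injection(query):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for target in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", target)
```

The check mirrors the published Apache mitigation, which rejects query strings beginning with `%ad`; it will miss an attacker who finds another byte that best-fit maps to `-`, so treat it as a triage aid, not a substitute for patching or leaving CGI mode.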

New Updates to ValleyRAT 

A new campaign has been discovered that is being used to deliver the latest iteration of ValleyRAT, a remote access trojan attributed to a China-based threat actor.  

The campaign involves multiple stages, with the initial stage downloader utilising an HTTP File Server (HFS) to fetch subsequent components. The malware employs various evasive techniques such as anti-virus checks, DLL sideloading, and process injection.  

ValleyRAT’s latest version introduces new capabilities like capturing screenshots, process filtering, forced shutdowns, and clearing Windows event logs. Additionally, it enhances device fingerprinting and bot ID generation mechanisms. 

Windows Print Spooler Privilege Escalation 

A security vulnerability in the Windows Print Spooler can be exploited to escalate privileges and gain behind-the-scenes access to the operating system, without triggering a security alert or warning to the user. 

Guntior – the story of an advanced bootkit that doesn’t rely on Windows disk drivers 

Amid the rise of bootkits, a dropper was captured in the wild and posted on a malware tracker. The malware was called “Guntior”, named after the device object its authors had chosen for it (\Device\Guntior). The name also appears in AV detections. 

Operation Crimson Palace 

A malicious DLL, MOBPOPUP.dll, has been identified as a component of this campaign on Microsoft Windows systems. 

PyPI crypto-stealer targets Windows users, revives malware campaign 

Sonatype, a software supply chain management vendor, has discovered ‘pytoileur’, a malicious PyPI package hiding code that downloads and installs trojanised Windows binaries capable of surveillance, persistence, and cryptocurrency theft.   

Although the package’s “setup.py” file looks clean at first glance, and you could be fooled into thinking it is an empty package, one command in it executes a base64-encoded payload. The decoded code targets Windows users and invokes Python commands to retrieve a malicious executable from an external server: hxxp://51.77.140[.]144:8086/dl/runtime 
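The pattern described above (an innocuous-looking setup.py that hooks the install step and runs a base64-encoded payload) can be caught mechanically before a package is installed. The following Python scanner is an added example, not Sonatype's tooling or the original page's code: it parses setup.py with the `ast` module, reports any `exec`/`eval` whose argument is fed by a decoder call (decoding base64 literals so an analyst sees the payload), flags custom install-time command classes, and flags lines where a long run of spaces pushes code off-screen. The sample setup.py is constructed here, with a harmless payload that decodes to `print('hello')`.

```python
import ast
import base64
import re
from typing import Dict, List, Optional

# Constructed sample setup.py imitating the hiding technique (not the real package).
MALICIOUS_SETUP = (
    "from setuptools import setup\n"
    "from setuptools.command.install import install\n"
    "import base64\n"
    "\n"
    "class CustomInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self);" + " " * 200
    + "exec(base64.b64decode(\"cHJpbnQoJ2hlbGxvJyk=\"))\n"
    "\n"
    "setup(name=\"example-pkg\", version=\"1.0.0\", cmdclass={\"install\": CustomInstall})\n"
)
CLEAN_SETUP = "from setuptools import setup\nsetup(name=\"example-pkg\", version=\"1.0.0\")\n"

DECODERS = {"b64decode", "b32decode", "b85decode", "a85decode", "unhexlify"}
EXECUTORS = {"exec", "eval"}
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}
HIDDEN_GAP = re.compile(r"\S {40,}\S")   # code pushed off-screen by a run of spaces


def _call_name(node: ast.AST) -> str:
    """Name of the function being called, for Name or Attribute callees."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return ""


def find_encoded_exec(source: str) -> List[Dict]:
    """exec()/eval() calls whose argument subtree contains a decoder call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if _call_name(node) not in EXECUTORS:
            continue
        for inner in ast.walk(node):
            if _call_name(inner) not in DECODERS:
                continue
            literal = next((c.value for c in ast.walk(inner)
                            if isinstance(c, ast.Constant) and isinstance(c.value, str)), None)
            decoded: Optional[str] = None
            if literal is not None and _call_name(inner) == "b64decode":
                try:
                    decoded = base64.b64decode(literal).decode("utf-8", "replace")
                except (ValueError, TypeError):
                    decoded = None
            findings.append({"line": node.lineno, "executor": _call_name(node),
                             "decoder": _call_name(inner), "decoded": decoded})
    return findings


def has_install_hook(source: str) -> bool:
    """True if setup.py subclasses a setuptools command that runs at pip install time."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", "")
                if name in INSTALL_HOOKS:
                    return True
    return False


def hidden_lines(source: str) -> List[int]:
    """1-based line numbers where code follows a long run of spaces."""
    return [i for i, line in enumerate(source.splitlines(), 1) if HIDDEN_GAP.search(line)]


if __name__ == "__main__":
    print("install hook:", has_install_hook(MALICIOUS_SETUP))
    print("hidden lines:", hidden_lines(MALICIOUS_SETUP))
    for f in find_encoded_exec(MALICIOUS_SETUP):
        print(f)
```

An install-time hook is legitimate in some packages, so on its own it is only a signal; combined with a decoded payload in the same file it is a strong one. Run the scanner on a downloaded sdist before `pip install`, since by the time setup.py executes the payload has already run.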

Files with TXZ extension used as malspam attachments 

A recent report describes a malspam campaign distributing malware payloads in attachments with .txz file extensions. The attachments were in fact RAR archives with renamed extensions, likely attempting to abuse the native TXZ archive support in Windows 11 so that recipients can open them without third-party software.  

Two campaigns distributed the payloads, one with GuLoader malware targeting Spain and Slovakia, the other with Formbook targeting Croatia and Czechia. 
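The mismatch between extension and content is a check a mail gateway or analyst can automate. The following Python block is an added example, not code from the original page or the report it summarises: it sniffs the leading magic bytes of an attachment and compares them with the format the extension claims. The sample attachments are constructed inside the block (a genuine xz stream produced by `lzma`, a minimal zip, and a RAR5 header stub with padding).

```python
import io
import lzma
import os
import zipfile
from typing import Dict, List, Optional

# Leading bytes of common archive formats.
SIGNATURES = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 4.x, RAR 5.x
    "xz": (b"\xfd7zXZ\x00",),                              # .xz and .txz (tar.xz)
    "zip": (b"PK\x03\x04",),
    "gzip": (b"\x1f\x8b",),
}
EXTENSION_TYPES = {".txz": "xz", ".xz": "xz", ".rar": "rar",
                   ".zip": "zip", ".gz": "gzip", ".tgz": "gzip"}


def sniff_archive_type(data: bytes) -> Optional[str]:
    """Format implied by the content's magic bytes, or None if unrecognised."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> Dict:
    """Compare what the extension claims with what the bytes actually are."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXTENSION_TYPES.get(ext)
    actual = sniff_archive_type(data)
    verdict = "ok"
    if claimed is not None and actual is None:
        verdict = "unknown-content"       # archive extension, unrecognised bytes
    elif claimed is not None and actual != claimed:
        verdict = "extension-mismatch"    # e.g. a RAR renamed to .txz
    return {"filename": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


def triage(attachments: Dict[str, bytes]) -> List[str]:
    """Names of attachments that should be held for analysis."""
    return [name for name, data in attachments.items()
            if check_attachment(name, data)["verdict"] != "ok"]


def _sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "sample")
    return buf.getvalue()


# Constructed samples for the example (not from the campaign).
SAMPLE_ATTACHMENTS = {
    "report.txz": lzma.compress(b"sample tarball contents"),   # real xz stream
    "invoice.txz": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,      # RAR5 header, renamed
    "photos.txz": _sample_zip(),                                # zip, renamed
    "notes.txt": b"plain text",                                 # no archive claim
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(check_attachment(name, data))
    print("hold:", triage(SAMPLE_ATTACHMENTS))
```

Windows 11 (since 23H2) identifies archive formats from their content rather than the extension, so a renamed RAR still opens for the recipient; the extension check therefore belongs at the gateway, where a mismatch is a reason to quarantine, not with the end user.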

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
