
46 matches found

The Hacker News
added 2026/02/20 11:55 a.m., 6 views

ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware

Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT). "The campaign demonstrates a high level of operational sophistication: compromised...

AI score: 6.4
Exploits: 0
Malwarebytes
added 2025/12/08 3:26 p.m., 4 views

How phishers hide banking scams behind free Cloudflare Pages

During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don't just grab a username and password–they also ask for answers to...

AI score: 6.8
Exploits: 0
The Hacker News
added 2024/07/03 7:5 a.m., 41 views

FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks

The loader-as-a-service (LaaS) known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia reveal. "FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma,...

AI score: 7.3
Exploits: 0
Imperva Blog
added 2024/03/20 4:56 p.m., 63 views

New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner

Sysrv is a well-documented botnet first identified in 2020, with the main payload being a worm written in Golang. It drops a cryptominer onto infected hosts before attempting to propagate itself using various methods, including network vulnerabilities. Over the past few years, the botnet has...

CVSS: 7.5, AI score: 10, EPSS: 0.9444
Exploits: 97
The Hacker News
added 2024/03/07 1:45 p.m., 49 views

Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal. The attacks, which take the form of distributed brute-force attacks, "target WordPress websites from the browsers of completely innocent and...

CVSS: 9.8, AI score: 7.7, EPSS: 0.80154
Exploits: 2
The Hacker News
added 2024/01/11 11:40 a.m., 23 views

Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload

Cybersecurity researchers have identified an updated version of a macOS information stealer called Atomic or AMOS, indicating that the threat actors behind the malware are actively enhancing its capabilities. "It looks like Atomic Stealer was updated around mid to late December 2023, where its...

AI score: 6.8
Exploits: 0
Talos Blog
added 2023/08/24 6:0 p.m., 20 views

Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams

Welcome to this week's edition of the Threat Source newsletter. I have no idea how "Fortnite" keeps coming up in this newsletter, but here we are again. Even though the game/metaverse has never been bigger, it had been a while since I had heard about "V-Bucks" scams. V-Bucks are the in-game virtua...

AI score: 6.8
Exploits: 0
Trellix
added 2023/08/10 12:0 a.m., 19 views

Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT

By Jonell Baltazar and Antonio Ribeiro · August 10, 2023. Trellix detected an ongoing campaign using fake Chrome browser updates to lure victims to install a remote administration software tool called NetSupport Manager...

AI score: 7
Exploits: 0
Malwarebytes
added 2023/06/05 2:0 p.m., 23 views

Information stealer compromises legitimate sites to attack other sites

Security researchers at Akamai have published a blog about a new Magecart-alike web skimming campaign that uses compromised legitimate sites as command and control (C2) servers. A web skimmer is a piece of malicious code embedded in web payment pages to steal personally identifiable information (PII)...

AI score: 7
Exploits: 0
The Hacker News
added 2023/04/27 3:56 p.m., 33 views

Google Gets Court Order to Take Down CryptBot That Infected Over 670,000 Computers

Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and "decelerate" its growth. The tech giant's Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to "not...

AI score: 6.3
Exploits: 0
Malwarebytes
added 2023/04/27 8:30 a.m., 15 views

Magecart threat actor rolls out convincing modal forms

To ensnare new victims, criminals will often devise schemes that attempt to look as realistic as possible. Having said that, it is not every day that we see the fraudulent copy exceed the original piece. While following up on an ongoing Magecart credit card skimmer campaign, we were almost fooled...

AI score: 6.6
Exploits: 0
The Hacker News
added 2023/04/24 11:41 a.m., 41 views

Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users...

AI score: 7.9
Exploits: 0
The Hacker News
added 2022/09/14 1:51 a.m., 129 views

Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious...

AI score: 2.3, EPSS: 0.23516
Exploits: 2
ThreatPost
added 2022/03/31 6:9 p.m., 307 views

Belarusian ‘Ghostwriter’ Actor Picks Up BitB for Ukraine-Related Attacks

Ghostwriter – a threat actor previously linked with the Belarusian Ministry of Defense – has glommed onto the recently disclosed, nearly invisible “Browser-in-the-Browser” (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine. In a Wednesday post,...

AI score: 8.4
Exploits: 0, References: 9
ThreatPost
added 2021/08/04 2:44 p.m., 201 views

Phishing Campaign Dangles SharePoint File-Shares

Attackers are using spoofed sender addresses and Microsoft SharePoint lures in a new phishing campaign that is “sneakier than usual” and can slip through the usual security protections in its aim to fool people into giving up their credentials, Microsoft researchers discovered. Microsoft Security...

AI score: 7
Exploits: 0, References: 11
Malwarebytes
added 2021/06/17 6:41 p.m., 70 views

Polazert Trojan using poisoned Google Search results to spread

Trojan.Polazert (aka SolarMarker) has gone back and fine-tuned an old tactic known as SEO-poisoning to plant their Remote Access Trojan (RAT) on as many systems as possible. This RAT runs in memory and is used by attackers to install additional malware on affected systems. Trojan.Polazert...

AI score: 7
Exploits: 0
The Hacker News
added 2021/03/03 12:56 p.m., 1 views

Hackers Now Hiding ObliqueRAT Payload in Images to Evade Detection

Cybercriminals are now deploying remote access Trojans (RATs) under the guise of seemingly innocuous images hosted on infected websites, once again highlighting how threat actors quickly change tactics when their attack methods are discovered and exposed publicly. New research released by Cisco Tal...

AI score: 6.2
Exploits: 0
The Hacker News
added 2021/03/01 2:18 p.m., 1 views

Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. "The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Soph...

AI score: 5.9
Exploits: 0
Malwarebytes
added 2019/09/16 5:4 p.m., 40 views

Emotet is back: botnet springs back to life with new spam campaign

After a fairly long hiatus that lasted nearly four months, Emotet is back with an active spam distribution campaign. For a few weeks, there were signs that the botnet was setting its gears in motion again, as we observed command and control (C2) server activity. But this morning, the Trojan started...

AI score: 0.5
Exploits: 0
HackRead
added 2018/12/07 3:57 p.m., 26 views

Hackers conducting botnet attacks through 20k hacked WordPress sites

By Uzair Amir. A newly published research from Defiant, a WordPress security firm, reveals that there is a botnet hunting for WordPress sites using over 20,000 already compromised WordPress sites. As the new sites are infected, these automatically become part of the bot army and start acting on th...

AI score: 2.5
Exploits: 0