Security News

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama. The newly observed phishing message contains a weaponized Microsoft Excel document, opening which prompts a potential victim to enable macros, leading to the execution of a malicious Visual Basic Application macro that drops the malware payload. Furthermore, the macro takes care of establishing persistence for the implant by adding a scheduled task that repeats every four hours.

The backdoor Windows malware, dubbed DCRat or DarkCrystal RAT, was released in 2018, then redesigned and relaunched the following year. Despite its bargain price, and being the work of a lone developer as opposed to custom malware sold by a well-funded, sophisticated crime-ring, miscreants can perform a range of nefarious acts with DCRat due to its modular architecture and plugin framework.

Threat actors have started massively exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads. F5 last week released patches for the security issue, which affects the BIG-IP iControl REST authentication component.

Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat that's offered on sale for "Dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike. "Unlike the well-funded, massive Russian threat groups crafting custom malware , this remote access Trojan appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget," BlackBerry researchers said in a report shared with The Hacker News.

A newly discovered and uncommonly stealthy Advanced Persistent Threat group is breaching corporate networks to steal Exchange emails from employees involved in corporate transactions such as mergers and acquisitions. Mandiant researchers, who discovered the threat actor and now track it as UNC3524, say the group has demonstrated its "Advanced" capabilities as it maintained access to its victims' environments for more than 18 months.

Advanced hackers are actively exploiting a critical remote code execution vulnerability, CVE-2022-22954, that affects in VMware Workspace ONE Access.The issue was addressed in a security update 20 days ago along with two more RCEs - CVE-2022-22957 and CVE-2022-22958 that also affect VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems. Tracked as CVE-2022-22954, the critical issue concerns a case of remote code execution vulnerability affecting VMware Workspace ONE Access and Identity Manager.

Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier.

What researchers are calling a "Horde" of miner bots and backdoors are using the Log4Shell bug to take over vulnerable VMware Horizon servers, with threat actors still actively waging some attacks. On Tuesday, Sophos reported that the remote code execution Log4j vulnerability in the ubiquitous Java logging library is under active attack, "Particularly among cryptocurrency mining bots." Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes are initial access brokers that could lay the groundwork for later ransomware infections.

Researchers have discovered a cyberattack that uses unusual evasion tactics to backdoor French organizations with a novel malware dubbed Serpent, they said. These include the use of a legitimate software package installer called Chocolatey as an initial payload, equally legitimate Python tools that wouldn't be flagged in network traffic, and a novel detection bypass technique using a Scheduled Task, they said.