Security News

In brief A quartet of malware-laden Android apps from a single developer have been caught with malicious code more than once, yet the infected apps remain on Google Play and have collectively been downloaded more than one million times. Google Play has a history of hosting malicious apps, with perhaps one of the most egregious cases coming to light this past July when 60 apps installed by more than 3.3 million users were taken down due to malware.

The Transparent Tribe threat actor has been linked to a new campaign aimed at Indian government organizations with trojanized versions of a two-factor authentication solution called Kavach. The cybersecurity company said the advanced persistent threat group has also conducted low-volume credential harvesting attacks in which rogue websites masquerading as official Indian government websites were set up to lure unwitting users into entering their passwords.

The threat actor behind the RomCom RAT has refreshed its attack vector and is now abusing well-known software brands for distribution. In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.

Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework on the websites of hundreds of newspapers across the U.S. "The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States," Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer. The threat actor behind this supply-chain attack has injected malicious code into a benign JavaScript file that gets loaded by the news outlets' websites.

The Emotet malware operation is again spamming malicious emails after almost a four-month "Vacation" that saw little activity from the notorious cybercrime operation. Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents.

The Emotet malware operation is again spamming malicious emails after almost a five-month "Vacation" that saw little activity from the notorious cybercrime operation.Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents.

Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. Researchers have identified over two dozen Python packages on the PyPI registry that imitate popular libraries but instead drop info-stealers after infecting machines.

The Chinese state-sponsored threat actor known as Stone Panda has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities. The latest set of attacks, observed between March and June 2022, involve the use of a bogus Microsoft Word file and a self-extracting archive file in RAR format propagated via spear-phishing emails, leading to the execution of a backdoor called LODEINFO. While the maldoc requires users to enable macros to activate the killchain, the June 2022 campaign was found to drop this method in favor of an SFX file that, when executed, displays a harmless decoy Word document to conceal the malicious activities.

Clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware. Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon "Replaced with an even more malicious one" which employed a fake replica website 'gilimp.org' to serve malware.

A threat group that targets corporate emails is delivering dropper malware through a novel technique that uses Microsoft Internet Information Services logs to send commands disguised as web access requests. The dropper, dubbed Geppei, is being used by a group Symantec threat researchers call Cranefly to install other undocumented malware.