Trend Micro

All articles tagged with #trend micro

Microsoft Faces Criticism Over Zero-Day Vulnerabilities and Patch Delays

Originally Published 1 year ago — by The Register

Trend Micro's Zero Day Initiative (ZDI) criticized Microsoft for not crediting it in the disclosure and patching of a zero-day vulnerability in MSHTML, which ZDI reported in May and Microsoft patched in July. ZDI maintains that the flaw is a remote code execution vulnerability, contrary to Microsoft's classification of it as a spoofing vulnerability. The incident highlights broader problems in the coordinated vulnerability disclosure process, where vendors often fail to communicate with and credit the researchers who report flaws.

TargetCompany Ransomware Targets VMware ESXi on Linux

Originally Published 1 year ago — by BleepingComputer

A new Linux variant of the TargetCompany ransomware, also known as Mallox, FARGO, and Tohnichi, is targeting VMware ESXi environments, using a custom shell script to deliver and execute its payloads. The variant checks that it is running with administrative privileges, exfiltrates data, and encrypts VM-related files, appending a ".locked" extension to them. The ransomware operation, active since June 2021, has primarily targeted database systems in Asia. Trend Micro attributes the latest attacks to an affiliate named "vampire" and recommends defensive measures such as enabling MFA, maintaining backups, and keeping systems updated.

DarkGate Malware Exploits Windows SmartScreen Flaw in Zero-Day Attack

Originally Published 1 year ago — by BleepingComputer

DarkGate malware operators exploited a now-fixed Windows Defender SmartScreen vulnerability to install fake software installers and drop their malware onto targeted systems. The flaw, tracked as CVE-2024-21412, allows specially crafted downloaded files to bypass SmartScreen's security warnings. The attack relies on a multi-step infection chain involving malicious emails, open redirects, Windows shortcut files, and MSI files masquerading as legitimate software. Trend Micro has detailed the DarkGate infection chain and published indicators of compromise (IoCs) for the campaign, urging users to apply Microsoft's February 2024 Patch Tuesday update to close the flaw.

Global Authorities Dismantle LockBit Ransomware Group and Prevent Next-Gen Threat

Originally Published 1 year ago — by BleepingComputer

LockBit ransomware developers were secretly working on a new version of their file-encrypting malware, LockBit-NG-Dev, likely intended to become LockBit 4.0, before law enforcement took down their infrastructure. The new version, written in .NET and compiled with CoreRT, supports multiple operating systems and includes features such as three encryption modes, custom file exclusions, and a self-delete mechanism. Although the new encryptor lacks some features present in earlier iterations, its discovery is a further blow to the LockBit operators following Operation Cronos, making the rebuilding of their cybercriminal business a difficult task.

DarkMe Malware Exploits Microsoft Zero-Day Vulnerabilities

Originally Published 1 year ago — by The Hacker News

A zero-day vulnerability in Microsoft Defender SmartScreen, exploited by an advanced persistent threat actor tracked as Water Hydra, was used to target financial market traders with the DarkMe malware. The flaw, CVE-2024-21412, allows SmartScreen's security checks to be bypassed, enabling delivery of the DarkMe trojan through a crafted internet shortcut file distributed via forex trading forums. The campaign illustrates the growing trend of cybercrime groups exploiting zero-day vulnerabilities, and the risk that such exploits are later incorporated into sophisticated attacks by nation-state hacking groups.

Big Head Ransomware: Fake Windows Updates Pose Serious Threat

Originally Published 2 years ago — by The Hacker News

A new ransomware called Big Head is being distributed through a malvertising campaign disguised as fake Microsoft Windows updates and Word installers. The ransomware encrypts files on victims' machines and demands a cryptocurrency payment. Trend Micro has analyzed the ransomware and documented its inner workings, including its ability to display a fake Windows update screen to deceive victims while it encrypts files. The malware also deletes backups, terminates processes, and checks for virtualized environments. It disables Task Manager, aborts itself on systems set to certain languages, and includes a self-delete function. Trend Micro has detected one variant of Big Head with information-stealer behaviors and another that incorporates a file infector called Neshta. The identity of the threat actor behind Big Head is currently unknown.

Guerilla Malware Infects Millions of Android Devices, Google Play Store Users Warned

Originally Published 2 years ago — by Cord Cutters News

The Lemon Group has pre-infected over 8.9 million Android devices worldwide with Guerilla malware, including smartphones, watches, and televisions. The malware can compromise a range of Android functions, including stealing passwords, intercepting one-time passwords, and interfering with messaging and other apps. The Lemon Group is after large volumes of data, ranging from shipment information to advertising content. The malware can also hijack users' social media accounts, including WhatsApp, and abuse the Splash Plugin to serve intrusive advertisements. Trend Micro is concerned that it could even affect cars.

Millions of Android Devices Pre-Infected with Malware by Cybercrime Syndicate

Originally Published 2 years ago — by Ars Technica

Multiple lines of Android devices, including potentially millions of phones and TV boxes, have been found to ship with preinstalled malware that cannot be removed without heroic measures. The malware, named Guerrilla, opens a backdoor that communicates regularly with a remote command-and-control server to check for new malicious updates. The affected brands have not been identified. Android users are advised to stick to known brands such as Samsung or LG, which have more reliable quality assurance controls.

Millions of Android Devices Pre-Infected with Malware by Cybercrime Gang

Originally Published 2 years ago — by BleepingComputer

The Lemon Group, a cybercrime gang, has pre-installed malware known as 'Guerilla' on almost 9 million Android-based devices, including smartphones, watches, TVs, and TV boxes. The malware is used to load additional payloads, intercept one-time passwords from SMS, set up a reverse proxy, hijack WhatsApp sessions, and more. The group's infrastructure overlaps with the Triada trojan operation from 2016. The malware is implanted through supply chain attacks: compromised third-party software, a compromised firmware update process, or insiders recruited within the product manufacturing or distribution chain. The group has a diverse monetization strategy that includes selling compromised accounts, hijacking network resources, offering app-installation services, generating fraudulent ad impressions, offering proxy services, and selling SMS Phone Verified Accounts (PVA) services. The countries most significantly impacted include the United States, Mexico, Indonesia, Thailand, and Russia.

Warning: Check Your Inbox for Dangerous Emails

Originally Published 2 years ago — by The US Sun

Security experts at Trend Micro have warned of recent scams impersonating popular brands such as Tinder, Walmart, and Costco. Cybercriminals pose as these brands and send messages that lead to malicious online surveys or adult-themed sites designed to steal personal and credit card details. Recipients should check the sender's email address carefully before clicking any links, and remember that if an offer seems too good to be true, it usually is.