Charming Kitten has deployed a new backdoor named “Sponsor” to target various entities in Brazil, Israel, and the United Arab Emirates, according to cybersecurity company ESET. The suspected Iranian threat actor, also known as APT35, gained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers. By systematically scanning systems and networks for weaknesses, Charming Kitten was able to identify and exploit those vulnerabilities. ESET researchers believe that many of the 34 victims identified were targets of opportunity rather than preselected victims, since multiple threat actors had access to these systems.
In other news, Google’s Threat Analysis Group (TAG) issued a warning regarding a North Korean threat actor that has been targeting security researchers for several weeks. The threat actor used social media platforms, such as X (formerly Twitter), to establish rapport with their targets. After months-long conversations, the threat actors moved to encrypted messaging apps such as Signal, WhatsApp, or Wire. Once a relationship had been developed, the threat actors sent malicious files containing at least one zero-day vulnerability in a popular software package. TAG has notified the affected vendor, and the zero-day is currently being patched.
Kaspersky researchers have discovered several malicious Telegram clones in the Google Play Store that target Chinese-speaking users, especially China’s Uyghur population. These apps claimed to be faster versions of the legitimate Telegram app but, in reality, were capable of stealing a victim’s entire correspondence, personal data, and contacts. The apps had been downloaded over 60,000 times, but Google has since removed them from the Play Store.
Researchers at Group-IB are tracking a newly discovered phishing-as-a-service operation called “W3LL.” This operation has targeted more than 56,000 corporate Microsoft 365 accounts within the past year. W3LL phishing campaigns are highly persuasive, covering almost the entire kill chain of business email compromise (BEC) attacks. The W3LL kit has become a trusted offering in criminal-to-criminal marketplaces, with around 500 criminal actors purchasing subscriptions over the past six years. The kit has successfully compromised over 8,000 Microsoft 365 accounts in the last 10 months.
Bitdefender researchers have identified a series of vulnerabilities affecting the IRM Next Generation online booking engine developed by Resort Data Processing, Inc. These vulnerabilities were discovered when suspicious activity was detected on a server owned by a resort in the United States. The researchers found webshell components, a variant of MicroBackdoor, and a malicious IIS native module called XModule, which specializes in e-skimming. Bitdefender attempted to notify the vendor of the vulnerabilities but received no response, leaving the IRMNg booking engine vulnerable to these flaws.
Lastly, Fortinet reports a new variant of the Agent Tesla remote access Trojan (RAT) that is being distributed through malicious Excel documents. The attackers exploit the long-patched CVE-2017-11882/CVE-2018-0802 vulnerabilities in Excel to execute the malware. Despite Microsoft releasing fixes for these vulnerabilities in 2017 and 2018, threat actors continue to exploit them. Fortinet observes and mitigates approximately 3,000 attacks per day at the IPS level, indicating the presence of unpatched devices in the wild; around 1,300 vulnerable devices are observed daily.