InfoSec Weekly
July 03, 2023
Table Of Contents
Beware: New ‘Rustbucket’ Malware Variant Targeting macOS Users
Description
Researchers have discovered an updated version of the Apple macOS malware called Rustbucket. This variant, attributed to the North Korean threat actor BlueNoroff, exhibits improved persistence capabilities and employs a dynamic network infrastructure for command-and-control. Rustbucket was initially identified as an AppleScript-based backdoor, capable of retrieving a second-stage payload from a remote server. The second-stage malware, compiled in Swift, downloads the main Rust- based binary from the command-and-control server. A .NET version of Rustbucket with similar features has also been observed. The attacks primarily target finance-related institutions in Asia, Europe, and the U.S., indicating a focus on illicit revenue generation. The malware utilizes a backdoored PDF reader and employs phishing emails and bogus social media profiles for initial intrusion. The newly identified version establishes persistence by creating a plist file and copying the binary to specific paths on the compromised system.
Infected Technology
Apple macOS
Source
https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html
Recommendation
• Keep macOS systems updated. • Deploy robust endpoint protection solutions. • Provide user awareness training on phishing and social engineering. • Implement email filtering to block malicious attachments. • Use application whitelisting to control authorized software. • Monitor network traffic for unusual patterns.
New JokerSpy Malware Targets MAC OS
Description
A new malware JokerSpy which effects macOS has been found exploiting devices across organizations. Once a device is infected, the malware connects to a C2 server and then proceeds further according to the response from the server. It creates a reverse shell and a backdoor through which the attacker can access the victim’s machine. Various victim device data such as the path to the backdoor python script along with the python version, hostname, username, domain name, OS version etc. are sent periodically to the attacker. Furthermore, within the malware’s construction, a hidden “xcc” binary was also found which contains Mach-O for x86 Intel and ARM M1 architectures. The malware was found to be collecting data related to the victim’s behaviors such as device idle time (last use of keyboard, mousepad etc.), active (frontmost) app, screen status (locked or unlocked), full disk access, screen recoding access and accessibility permission of the active app etc.
Infected Technology
Intel and Apple Silicone Macs (x86 Intel and ARM M1 architectures)
Source
https://cybersecuritynews.com/jokerspy-macos-malware/
Recommendation
• Keep the macOS up to date which will provide new and consistent security fixes. • Exercise good online hygiene when surfing the web. • Do not open malicious links or emails. • Download files only from trusted sites. • Use security options provided by some browsers like Brave when browsing the web which will ensure secure browsing.
200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin
Description
Tracked as CVE-2023-3460 (CVSS score of 9.8), the recently identified security defect in Ultimate Member allows attackers to add a new user account to the administrators group. Due to the difference in operation between the plugin and WordPress, attackers were able to trick the plugin into updating metadata keys, including one that stores user role and capabilities, WPScan explains. The company provides indicators of compromise (IoCs) associated with the observed attacks. This has allowed attackers to register user accounts with the administrator role, and at least two site owners have observed and reported the suspicious activity. The plugin’s maintainers, who describe the issue as a privilege escalation bug, have attempted to address it in the last two versions of Ultimate Member, but they have reportedly failed to fully patch it. However, they did acknowledge the ongoing in-the-wild exploitation.
Infected Technology
WordPress Site with ‘Ultimate Member’ Plugin
Source
Recommendation
• Implement the least privilege principle for user roles. • Monitor site activity for unusual behavior. • Use reputable security plugins or firewalls.
Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
Description
Fortinet, a leading network security solutions provider, has resolved a critical Remote Code Execution (RCE) vulnerability affecting its FortiGate SSL VPN devices. This flaw could allow attackers to execute arbitrary code on vulnerable systems, leading to a complete compromise of the devices. Fortinet responded swiftly by releasing security patches and firmware updates to address the vulnerability, urging all users to apply them immediately. Prompt patching and adherence to security best practices, such as strong passwords and regular updates, are essential to mitigate the risk and maintain a robust security posture. The critical RCE vulnerability in FortiGate SSL VPN devices could enable attackers to execute arbitrary code with elevated privileges. Exploiting this flaw could lead to unauthorized access, tampering with network configurations, and potential data breaches. Fortinet’s proactive response included the release of security patches, firmware updates, and recommendations for users to promptly apply them. Organizations utilizing FortiGate SSL VPN devices must prioritize patching and follow security best practices to protect their networks from potential exploitation and ensure a secure environment.
Infected Technology
Fortinet Products
Source
Recommendation
• Patch and update immediately
CVE ID
CVE CVE-2023-28299
FluHorse: Flutter-Based Android Malware Emerges, Targeting Mobile Devices
Description
In a concerning development for mobile device users, security researchers have recently uncovered a new Android malware called FluHorse. This sophisticated malware, developed using the Flutter framework, poses a significant threat to Android devices, compromising user privacy and device security. Understanding the nature of this emerging threat is crucial for Android users to protect themselves from potential harm. FluHorse leverages the cross-platform capabilities of the Flutter framework, which is popular for developing visually appealing and high-performing mobile applications. By exploiting this framework, malware gains the ability to infect a wide range of Android devices, putting millions of users at risk. The malware operates stealthily, avoiding detection and remaining hidden within legitimate-looking applications.
Infected Technology
Android devices running Flutter applications.
Source
https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.html
Recommendation
• Download and install applications from trusted sources, such as the official Google Play Store. • Avoid sideloading apps from third-party websites or unofficial sources, as they may contain malicious code.
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us