Weekly Malware Roundup – August 21, 2023

This is the GreyKeep Security Malware Roundup for August 21, 2023. Here’s a summary of what’s in this week’s edition:

Organizations

CyberPower Dataprobe Microsoft Apple Citrix

Adobe U.S. Military Taiwan South Korea Latin Americans

Targets

CyberPower DCIM Dataprobe iBoot PDU Windows Microsoft OWA Powershell Gallery MacOS Linux

Android Citrix NetScaler Adobe Commerce/Magento 2 Ivacy VPN GitLab IoT Zulip

Threat Actors

Lolek 16shops APT29 Storm-0558 Bronze Starlight

EVLF DEV North Korea Russia China Africa

Malware / Ransomware

QwixxRAT Xurum JanelaRAT Monti Gigabud RAT Mirai botnet LABRAT

HiatusRAT AdLoad WoofLocker Aukill Kimsuky APT CypherRAT CraxsRAT

Malware in the News

CyberPower / Dataprobe

• Multiple data center vulnerabilities could cripple cloud services

Microsoft

• This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers
• Report: PowerShell Gallery susceptible to typosquatting and other package-management attacks
• New Financial Malware ‘JanelaRAT’ Targets Latin American Users
• The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack

Apple

• Mac systems turned into proxy exit nodes by AdLoad

Google / Android

• Google Chrome to warn when installed extensions are malware
• Gigabud RAT Android Banking Malware Targets Institutions Across Countries
• Over 3,000 Android Malware spotted using unsupported/unknown compression methods to avoid detection

Linux

• Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics

Adobe

• Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

Citrix

• Citrix ADC, Gateways Still Backdoored, Even After Being Patched

Government

• Malware Unleashed: Public Sector Hit in Sudden Surge, Reveals New Report
• Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks
• N. Korean Kimsuky APT targets S. Korea-US military exercises
• HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

Other Malware News

• Proxyjacking campaign LABRAT targets vulnerable GitLab deployments
• Lolek Bulletproof Hosting Servers Seized, 5 Key Operators Arrested
• Interpol Shuts Down Phishing Service ’16shops’
• Hackers use VPN provider’s code certificate to sign malware
• QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord
• Over 120,000 Computers Compromised by Info Stealers Linked to Users of Cybercrime Forums
• Interpol arrests 14 suspected cybercriminals for stealing $40 million
• Mirai Common Attack Methods Remain Consistent, Effective
• WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams
• Stories from the SOC – Unveiling the stealthy tactics of Aukill malware
• Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer