Weekly Malware Roundup – September 5, 2023

greykeep · September 5, 2023

This is the GreyKeep Security Malware Roundup for September 5, 2023. Here’s a summary of what’s in this week’s edition:

Targets

Barracuda ESG
Juniper firewalls
Windows Container Isolation Framework
SQL Server
Android
Apache RocketMQ
Openfire
MinIO
Signal
Telegram
PyPI, NPM, RubyGems repositories

Organizations

FBI and Justice Department
Uyghurs
FANAP (Iran)
UK Ministry of Defence
South Korean activists

Threat Actors

LockBit
UNC4841 (China)
GREF (China)
Earth Estries
APT34 (Iran)
GhostSec
Andariel (N. Korea)
Sandworm (Russia)
Gamaredon (Russia)
Vietnamese cybercriminals

Malware / Ransomware

Qakbot botnet
BadBazaar
MMRat
FreeWorld
Chaes
Chisel
DreamBus botnet
SapphireStealer
Kinsing
SuperBear
BLISTER

Malware in the News

Microsoft

  • Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security
  • Hacker group compromises MSSQL servers to deploy FreeWorld ransomware

Barracuda

  • Chinese Hackers Continue Espionage Campaign Despite Barracuda Remediation

Android

  • Chinese Group Spreads Android Spyware via Trojan Signal, Telegram Apps
  • MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature

Openfire

  • Cyberattackers Swarm OpenFire Cloud Servers With Takeover Barrage

MinIO

  • Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers

Developers

  • Developers Warned of Malicious PyPI, NPM, Ruby Packages Targeting Macs
  • Malicious npm Packages Aim to Target Developers for Source Code Theft

Government & Military

  • FBI Takes Down Qakbot Botnet in “Duck Hunt”
  • APT Attacks From ‘Earth Estries’ Hit Gov’t, Tech With Custom Malware
  • Russian State-Backed ‘Infamous Chisel’ Android Malware Targets Ukrainian Military
  • Russia-linked attackers hit UK Ministry of Defence, leak stolen data

Other Malware News

  • Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits
  • GhostSec Leaks Source Code of Alleged Iranian Surveillance Tool
  • Researchers Warn of Cyber Weapons Used by Lazarus Group’s Andariel Cluster
  • Cybercriminals Team Up to Upgrade ‘SapphireStealer’ Malware
  • Chaes malware now uses Google Chrome DevTools Protocol to steal data
  • New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists
  • Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising
  • Hacker Group Disguised as Marketing Company to Attack Enterprise Targets
  • New BLISTER Malware Update Fuelling Stealthy Network Infiltration
