Avoid becoming a victim of USB drive malware.

Jun 23 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s celebrating its 100th issue today ???????????? Here’s to the next 100! ???? And thanks for coming along for the ride ????????????

Welcome to our weekly segment. It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it. This week’s double trouble: Apple, and Abandoned Cart Lite for WooCommerce (rolls off the tongue, eh?). Enjoy!

Apple patches for days

On Wednesday, Apple released enough patches to sew a patchwork quilt. Having discovered flaws that were being actively exploited in the wild, they updated iOS, iPadOS, macOS, watchOS, and Safari browser.

These updates deal primarily with the below flaws:

CVE-2023-32434 – An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

How do you like them Apples?

"Abandoned Cart Lite for WooCommerce"

That’s not all, folks! If you’re wheeling and dealing on WordPress and you use the WooCommerce plugin, you might want to take note!

Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system and is currently installed on 30k sites. It impacts all versions of the plugin, including and prior to versions 5.14.2. Yikes!

Good news is the vulnerability was addressed with version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2. Phew!

Now on to today’s hottest cyber security stories:

  • Camaro Dragon Hackers’ USP is its USB-driven self-propagating malware

  • MULTI#STORM rains RATs on USA and India

  • DuckDuckGo (beta) browser now available on Windows for all

Crouching Tiger, Hacking Dragon

Enter the Dragon! It gives us absolutely no pleasure to introduce the Chinese cyber espionage actor known as Camaro Dragon.

They’re the bad actors behind a particularly insidious strain of self-propagating malware that spreads through compromised USB drives.

We’re told that on one occasion it pretty much brought down an entire conference thanks to the sharing of USB drives for presentations etc. Scary prospect, no?

And what’s more is the bastards are widening their scope from just SE Asian countries to the Western world.

"While their primary focus has traditionally been Southeast Asian countries, this latest discovery reveals their global reach and highlights the alarming role USB drives play in spreading malware," Check Point said in new research.

How does it spread?

"When a benign USB thumb drive is inserted into an infected computer, the malware detects a new device inserted into the PC and manipulates its files, creating several hidden folders at the root of the thumb drive," Check Point researchers said.

It uses a Delphi launcher known as HopperTick via USB drives and its primary payload (dubbed WispRider), infects the devices when they are attached to a machine. They’ve got it all worked out!

WispRider communicates with a remote server, compromising any newly connected USB devices, executing arbitrary commands, and performing file operations.

TOP TIP:

Pretend you’re a junkie and USB drives are needles. Don’t share!

Use the cloud. Use email. But don’t stick anything anywhere strange and don’t let anyone stick you. We really want to Drive this point home.

You’ve USBeen warned!

Not just a MULTI#STORM in a teacup

Can’t you smell that smell? Smells like a RAT. And not the furry kind. The Remote Access Trojan kind. A little trickier to deal with it must be said. But dw, we’re here to help!

So, MULTI#STORM is a new phishing campaign and it’s set its sights on India and the U.S. by leveraging JavaScript files to deliver, you guessed it, RATs on compromised systems.

"The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

"Both are used for command-and-control during different stages of the infection chain."

Warzone RAT? That’s making us feel Quesar (queasy? Like the Quesar RAT? Bueller?).

But seriously, the multi-stage attack chain begins when an email recipient clicks the embedded link pointing to a password-protected ZIP file ("REQUEST.zip") hosted on Microsoft OneDrive with the password "12345."

Extract the archive file and you’ll find yourself in a world of hurt. A heavily obfuscated JavaScript file ("REQUEST.js") triggers a double trouble attack of two PowerShell commands.

One is a decoy PDF document to throw the victim off the scent, while the second file, a Python-based executable, runs stealthily in the background. Sneaky, sneaky.

Ave Maria ????

The attack culminates with the deployment of Warzone RAT (aka Ave Maria), an off-the-shelf malware (available for the low, low price of just $38 per month ????) and comes with an exhaustive list of features to harvest sensitive data and download additional malware such as Quasar RAT.

TOP TIP:

As always with phishing and even spear-phishing cyber-attacks, you just have to read emails and messages carefully.

This one comes in the form of a phoney phishing email purporting to come from Microsoft OneDrive. Check the email address, examine the font and the look of the mail and the spelling.

And never download attachments unless you know exactly what they are and who sent them, even if they look like they’re coming from a legitimate source.

You can’t be too careful these days, folks!

Today’s AI Midjourney render above, with a little Photoshop generative side fill

DuckDuck, Gates

Finally a bit of good news to finish off the week and start your weekend with a smile! Okay, it’s not earth shattering but if you’re big on privacy and you run Windows then you’re in for a treat.

The increasingly popular DuckDuckGo browser now has a Windows version that, as of this week, is available for public consumption. Well, the beta is, at least.

DuckDuckGo’s web browser promises to protect users from third-party tracking, targeted advertising, search query logging, and profiling. To achieve this, it comes with various data protection and security enhancements active by default.

“Starting today, our desktop browser for Windows is officially in public beta – no invite codes, no waiting list, just a fast, lightweight browser that makes the Internet less creepy and less cluttered,” reads the announcement. Sounds great to us!

Thanks for celebrating 100 editions with us folks, if you are loving the newsletter be sure to recommend it to your friends with your link at the bottom. ????

Also don’t forget the sunscreen this weekend in the UK ???? . All the best!

So long and thanks for reading all the phish!

Cyber Dawgs top picks from the week, he's your Dawg, he got you.

MONDAY: Stay clear of African version of Binance

TUESDAY: Apple macOS users beware

WEDNESDAY: 100k ChatGPT logins stolen

THURSDAY: iOS Users beware

footer graphic cyber security newsletter

Recent articles