Tags: Threat intelligence
23 April 2025

Weekly Summary of Cyberattacks, April 17-23

Hackers Abuse Zoom Remote Control Feature to Steal Cryptocurrency 

A new wave of sophisticated social engineering attacks has emerged in which cybercriminals exploit Zoom's built-in remote control functionality to steal cryptocurrency from unsuspecting victims. The campaign, attributed to a group called "Elusive Comet," impersonates legitimate crypto media outlets like Bloomberg Crypto to lure targets into scheduled Zoom calls. The attackers initiate contact through email or social media, often using platforms like Calendly to add legitimacy to the invitation. Once on the Zoom call, the attackers claim a need to troubleshoot technical issues or validate interview setups, during which they request remote control access. Many victims grant permission without realizing the consequences. With control over the victim's computer, the attackers can access crypto wallets and browser sessions, or even install malware to maintain long-term access. In several cases, large sums of cryptocurrency were exfiltrated from both hot wallets and browser-based extensions. Some victims also reported finding backdoors installed after the attack.


Chinese Hacker Group ‘Lotus Panda’ Targets Southeast Asian Governments   

A Chinese group known as Lotus Panda has conducted a major cyber-espionage campaign targeting six Southeast Asian government entities. The group employs custom browser data stealers and sideloaded malware, often delivered through spear-phishing emails and compromised websites. Lotus Panda's tactics include deploying malware that extracts credentials, cookies, and browsing history from Chrome, Edge, and Firefox. In some cases, the attackers used fake browser updates to trick officials into installing spyware. The campaign aims to gather intelligence on diplomatic affairs, trade policies, and internal government communications. It reflects broader strategic interest in the region and the use of cyber capabilities to support geopolitical goals.  


FOG Ransomware Hidden in Binary Loaders That Reference DOGE Memes   

Researchers have uncovered a new variant of the FOG ransomware that is being distributed through binary loaders designed to hide the malicious payload. These loaders include references to the Dogecoin (DOGE) cryptocurrency and internet memes, possibly to mask their real intent or as a diversion tactic. The binary loaders use multiple layers of obfuscation to bypass antivirus software and behavioral analysis tools. Once executed, the ransomware encrypts files on the victim's machine and displays a ransom note demanding cryptocurrency payment in exchange for the decryption key. What makes this campaign stand out is its use of social engineering and pop culture references to distract from the underlying threat. Researchers suggest that this could be a strategy to evade detection or simply a way to appeal to younger, less security-savvy users.  


Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems  

Cybersecurity researchers have identified three rogue packages uploaded to the npm registry that mimic the legitimate Telegram Bot API. These malicious packages were specifically designed to deceive developers by posing as official or helpful tools for building bots on Telegram. Once installed, the packages deploy a malicious script that sets up an SSH backdoor on Linux systems, granting the attacker remote and persistent access. This allows threat actors to execute commands, exfiltrate data, and maintain control over compromised systems without detection. The backdoor connects to an external server and awaits instructions from the attacker. The campaign is notable for its use of typosquatting to target unsuspecting developers. The packages have since been removed from the npm registry, but researchers warn that this technique remains a serious threat to open-source ecosystems. Developers are advised to thoroughly vet third-party packages before integrating them into their projects, paying special attention to unfamiliar or newly published libraries.
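A defender-side check in the spirit of the vetting advice above, added here as an example and not code from the article or from any of the packages it describes: it flags dependency names that sit within a small edit distance of a trusted package name (the typosquatting pattern) and manifests that declare install-time lifecycle scripts, which is where a dropper would run. The trusted reference node-telegram-bot-api and the look-alike manifest are assumed sample data.

```javascript
// Levenshtein edit distance between two strings, used to spot look-alike names.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// npm lifecycle hooks that run automatically at install time; a dropper that
// plants an SSH backdoor would typically hang off one of these.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Vet one dependency manifest (its package.json parsed as an object) against a
// list of trusted package names. Returns human-readable findings; a name that
// exactly matches a trusted package is never flagged as a typosquat.
function vetPackage(manifest, trustedNames, maxDistance = 2) {
  const findings = [];
  const name = manifest.name || '';
  const known = trustedNames.includes(name);
  for (const trusted of trustedNames) {
    const d = editDistance(name, trusted);
    if (!known && d <= maxDistance) {
      findings.push(`name "${name}" is ${d} edit(s) from trusted "${trusted}" (possible typosquat)`);
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`declares ${hook} script: "${scripts[hook]}"`);
  }
  return findings;
}

// Constructed sample data (an assumption, not from the article): the real
// node-telegram-bot-api package as the trusted reference, and a made-up
// look-alike that declares an install-time script.
const TRUSTED = ['node-telegram-bot-api'];
const SAMPLE_MANIFESTS = [
  { name: 'node-telegram-bot-api', scripts: { test: 'mocha' } },
  { name: 'node-telegrem-bot-api', scripts: { postinstall: 'node setup.js' } },
];

for (const m of SAMPLE_MANIFESTS) {
  const findings = vetPackage(m, TRUSTED);
  console.log(`${m.name}: ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

In a real project the manifests would be read from each directory under node_modules and the trusted list taken from a lockfile or allow-list; the check is a triage aid, not a substitute for reviewing what an install script actually does.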