April 5: Top Threat Actors, Malware, Vulnerabilities and Exploits


Welcome to Picus Security's weekly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

April 5: Latest Vulnerabilities, Exploits and Patches

Here are the top vulnerabilities and exploitations that were observed in the first week of April.

CVE-2024-3094: A Vulnerability in XZ Backdoor Leads to SSHD Compromise

A critical vulnerability, CVE-2024-3094, has been discovered in the XZ Utils data compression library, specifically within versions 5.6.0 and 5.6.1, affecting a wide range of Linux-based systems [1]. 

This flaw, which scores the maximum 10.0 on the CVSS scale, introduces a backdoor capable of bypassing SSH authentication, allowing remote code execution on compromised systems. The backdoor, subtly embedded within the liblzma component, is not visible in the source code repository but was introduced in the distributed release tarballs and is activated during the library's build process. It specifically targets x86-64 Linux systems during Debian or RPM package builds, notably impacting OpenSSH via its interaction with systemd.

The vulnerability's exploitation could enable unauthorized access and control over affected systems, posing a significant threat to the integrity and security of these systems. 

Various Linux distributions, including Fedora, Arch Linux, Debian, and Alpine, have issued advisories recommending a downgrade to unaffected versions of the packages to mitigate this critical security risk; the advisories can be found here.

To check if your version of “xz” is one of the affected versions (5.6.0 or 5.6.1), run the following command [2].

strings `which xz` | grep '5\.6\.[01]'

If the command prints nothing, the xz binary on your PATH is not one of the affected versions. If it prints a line such as “xz (XZ Utils) 5.6.1”, an affected build is installed.
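As an added example (not from the Picus post or the JFrog advisory it cites), the same version test wrapped in a reusable shell function, plus a wrapper that runs it against the xz binary on PATH and a helper that records which liblzma the local sshd is linked against, since the backdoor lives in liblzma and reaches OpenSSH through systemd rather than through the xz command itself. The function names are my own.

```shell
# Added example: classify an `xz --version` banner and check the local host.

# Returns 0 when the banner names 5.6.0 or 5.6.1 (the backdoored releases),
# 1 otherwise. Anchored so that 5.6.10 or 15.6.1 are not mistaken for a hit.
xz_version_affected() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])5\.6\.[01]($|[^0-9])'
}

# Runs the check against the first line of `xz --version` on this host.
# Returns 1 only when an affected version is found, so it can gate a job.
check_local_xz() {
    banner=$(xz --version 2>/dev/null | head -n 1) || banner=""
    if [ -z "$banner" ]; then
        echo "xz not found on PATH; nothing to check"
        return 0
    fi
    if xz_version_affected "$banner"; then
        echo "AFFECTED: $banner (CVE-2024-3094)"
        return 1
    fi
    echo "not affected: $banner"
    return 0
}

# The backdoor sits in liblzma and reached sshd via libsystemd, so also
# record which liblzma (if any) the local sshd binary is linked against.
sshd_liblzma_dependency() {
    sshd_bin=$(command -v sshd 2>/dev/null) || { echo "sshd not on PATH"; return 0; }
    ldd "$sshd_bin" 2>/dev/null | grep -F liblzma || echo "sshd does not link liblzma"
}

check_local_xz
sshd_liblzma_dependency
```

Run it as a normal user for the xz check; the sshd lookup needs sshd on PATH (often /usr/sbin) to say anything useful.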

For a proof of concept and the two-year attack timeline, read our latest blog [1].

CVE-2024-2879: A Critical Vulnerability in LayerSlider WordPress Plugin Leads to Unauthenticated SQL Injection Attacks

A significant security flaw has been identified in the LayerSlider plugin for WordPress, which is actively used on over one million websites [3]. This plugin, which enhances websites with responsive sliders, galleries, and animations, contains a critical vulnerability (CVSS 9.8) that exposes these sites to unauthenticated SQL injection attacks. 

Discovered by researcher AmrAwad during Wordfence's Bug Bounty Extravaganza on March 25, the vulnerability, cataloged as CVE-2024-2879, affects versions 7.9.11 to 7.10.0 of LayerSlider. 

Exploitation of this flaw could enable attackers to dump sensitive data, including password hashes, from the websites' databases, potentially leading to site takeovers or data breaches. Wordfence's detailed report pinpoints the vulnerability within the 'ls_get_popup_markup' function of LayerSlider.

function ls_get_popup_markup() {
    // Only a numeric id is cast to int; any other value (including an array
    // such as id[where]=...) is passed through untouched to the lookup below.
    $id = is_numeric( $_GET['id'] ) ? (int) $_GET['id'] : $_GET['id'];
    $popup = LS_Sliders::find( $id );
    if( $popup ) {
        $GLOBALS['lsAjaxOverridePopupSettings'] = true;
        $parts  = LS_Shortcode::generateSliderMarkup( $popup );
        die( $parts['container'].$parts['markup'].'<script>'.$parts['init'].'</script>' );
    }
}

Because a non-numeric 'id' is passed through unchanged (the request below supplies it as an array with a 'where' key), the value reaches the database query built by LS_Sliders::find() without sanitization, allowing malicious SQL to be injected [4].

GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup
&id[where]=1)UNION SELECT SLEEP(1) ...

Although classified as a time-based blind SQL injection, which is somewhat restrictive for attackers, the vulnerability nonetheless represents a significant risk, allowing data extraction without site authentication. 
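As an added example (not from the Picus post or Wordfence's report), a small log triage script that flags access-log lines carrying the CVE-2024-2879 request shape: an admin-ajax.php call to action=ls_get_popup_markup whose id parameter is an array (id[...] or its URL-encoded form) rather than the plain number the plugin expects. The log lines are constructed for the example and the function names are my own.

```shell
# Added example: find LayerSlider popup requests whose `id` is array-shaped.

# Prints matching lines from the log file given as $1. Encoded brackets
# (%5B / %5D) are decoded first so they are caught too; matching is
# case-insensitive so mixed-case encodings do not slip through.
find_layerslider_probes() {
    sed -e 's/%5[Bb]/[/g' -e 's/%5[Dd]/]/g' "$1" \
    | grep -Ei 'admin-ajax\.php\?[^" ]*action=ls_get_popup_markup' \
    | grep -Ei '[?&]id\[[^]]*\]='
}

# Number of suspicious requests in the log, usable as an alert threshold.
count_layerslider_probes() {
    find_layerslider_probes "$1" | grep -c . || true
}

# Constructed sample in combined log format: one legitimate numeric id,
# two array-shaped ids (the second URL-encoded), one unrelated AJAX action.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [03/Apr/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Apr/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)UNION+SELECT+SLEEP(1) HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.10 - - [03/Apr/2024:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bwhere%5D=1 HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.7 - - [03/Apr/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
EOF

find_layerslider_probes "$SAMPLE_LOG"
count_layerslider_probes "$SAMPLE_LOG"   # prints 2
```

Point it at a real access log by replacing SAMPLE_LOG; a numeric id is the only shape the patched plugin needs, so every array-shaped hit deserves a look.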

In response, the plugin's developers, Kreatura Team, promptly issued a security update, urging all users to upgrade to version 7.10.1 to mitigate the risk.

April 5: Top Threat Actors Observed in the Wild

Here are the top threat actors that were active in the first week of April.

Chinese Cyber Espionage Group APT41 Deploying UNAPIMON Backdoor

  • Threat Actor: APT41

  • Threat Actor Aliases: Earth Freybug, Axiom, Barium, Wicked Panda, Wicked Spider, Winnti

  • Actor Motivation: Cyber Espionage, Cybercrime

  • Victim Location: United States

  • Sectors: Government, Technology

  • Malware: UNAPIMON Backdoor

APT41, a sophisticated Chinese cyber espionage group, has escalated its cyber operations by deploying a novel backdoor called UNAPIMON, which exhibits advanced evasion tactics to bypass security monitoring [5]. 

This backdoor uniquely interferes with system processes by "unhooking" critical API functions, a method that ensures malicious activities remain undetected by conventional security tools. UNAPIMON's deployment is part of a larger, complex attack framework that also involves exploiting VMware Tools for code injection and leveraging DLL hijacking techniques to gain persistence and control over targeted systems. 

Security experts highlight its global reach and cross-sector impact, emphasizing the critical need for organizations to enforce strict administrative controls and adopt proactive security measures to defend against these increasingly sophisticated and covert cyber threats.

Chilean Hosting Firm's VMware ESXi Servers Hit by SEXi Ransomware

  • Threat Actor: SEXi Ransomware Group

  • Actor Motivation: Financial Gain

  • Victim Organization: PowerHost

  • Victim Location: United States, Chile, Europe

  • Sectors: Hosting, Data Center, Interconnectivity, Technology

IxMetro Powerhost, a Chilean division of the data center and hosting provider PowerHost, fell victim to a cyberattack by a new ransomware group dubbed SEXi, resulting in the encryption of the company's VMware ESXi servers and backups [6]. This incident has severely impacted customers who relied on these servers for hosting virtual private servers, causing significant service disruptions as websites and services hosted on these platforms are currently inaccessible. The ransomware, which appends a .SEXi extension to encrypted files, has not only locked out critical data but also compromised backup systems, making recovery efforts challenging and uncertain. 

The attackers demanded a ransom of two bitcoins per victim, summing up to an exorbitant total of $140 million, a demand that highlights the severity and financial implications of the attack. The company's efforts to negotiate and collaborate with international security agencies have so far not yielded a viable solution to decrypt the affected data, leaving PowerHost and its customers in a precarious situation as they attempt to mitigate the damages and restore services.

April 5: Latest Malware Attacks

Here are the malware attacks and campaigns that were active in the first week of April.

VenomRAT Being Used in a Massive Phishing Campaign in Latin America 

  • Threat Actor: TA558

  • Actor Motivation: Financial Gain

  • Victim Location: Spain, Mexico, United States, Colombia, Portugal, Brazil, Dominican Republic, Argentina

  • Sectors: Hotel, Travel, Trading, Finance, Manufacturing, Industrial, Government

  • Malware: Venom RAT, Loda RAT, Vjw0rm, Revenge RAT

The cybercriminal group TA558 has initiated a significant phishing campaign across Latin America, deploying Venom RAT to infiltrate a diverse array of sectors, including hospitality, finance, manufacturing, and government, among others [7]. 

This campaign has notably affected countries such as Spain, Mexico, the U.S., Colombia, Portugal, Brazil, the Dominican Republic, and Argentina.

TA558, known for its persistent cyber activities in the LATAM region since 2018, has previously distributed various malware strains like Loda RAT and Revenge RAT. This time, their weapon of choice, Venom RAT, is a potent derivative of Quasar RAT, equipped to steal sensitive information and remotely control victim systems. This campaign's revelation aligns with a broader trend where cybercriminals are leveraging sophisticated tools like DarkGate following the dismantlement of the QakBot network, targeting mainly financial entities in Europe and the U.S. 

CVE-2023-36025: Mispadu Banking Trojan Spreads Its Operation to Europe Leveraging the Windows SmartScreen Bypass Vulnerability

  • Threat Actor: Mispadu, URSA

  • Actor Motivation: Financial Gain 

  • Victim Location: Mexico, Italy, Poland, Sweden

  • Sectors: Finance, Services, Manufacturing, Legal, Commercial

  • Malware: Mispadu, URSA, Lumma Stealer, Stealc, Vidar

  • CVEs: CVE-2023-36025

The Mispadu banking trojan, originally targeting Latin American regions, has escalated its activities to Europe, specifically Italy, Poland, and Sweden, compromising thousands of user credentials across various sectors including finance, legal, and manufacturing [8].

Security analysis reveals that while Mexico remains a primary target, the geographical spread of Mispadu's impact is widening. This Delphi-based malware, known for its credential-stealing capabilities, including fake pop-up windows for credential harvesting and keylogging, is now leveraging a patched Windows SmartScreen bypass vulnerability (CVE-2023-36025) to extend its reach.

The infection process involves sophisticated multi-stage mechanisms, starting with a booby-trapped PDF in spam emails, leading to a chain of script executions that ultimately deliver the Mispadu payload. Notably, the malware uses dual command-and-control servers to manage its operations and exfiltrate data from numerous services, with evidence of over 60,000 files stored on these servers. This expansion signifies a heightened threat level, underscoring the need for enhanced vigilance and robust cybersecurity defenses across the affected regions.


[1] S. Özeren, “CVE-2024-3094: A Backdoor in XZ Utils Leads to Remote Code Execution,” Mar. 31, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-3094-a-backdoor-in-xz-utils-leads-to-remote-code-execution. [Accessed: Apr. 04, 2024]

[2] S. Menashe and J. Sar Shalom, “XZ Backdoor Attack CVE-2024-3094: All You Need To Know,” JFrog, Mar. 31, 2024. Available: https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/. [Accessed: Apr. 04, 2024]

[3] L. French, “WordPress LayerSlider plugin bug risks password hash extraction,” SC Media, Apr. 03, 2024. Available: https://www.scmagazine.com/news/wordpress-layerslider-plugin-bug-risks-password-hash-extraction. [Accessed: Apr. 04, 2024]

[4] Dhivya, “Wordpress Plugin SQL Injection Flaw Exposes 1,000,000 Sites to Cyber Attack,” Cyber Security News, Apr. 04, 2024. Available: https://cybersecuritynews.com/wordpress-plugin-sql-injection/. [Accessed: Apr. 04, 2024]

[5] L. Constantin, “Chinese APT group deploys defense-evading tactics with new UNAPIMON backdoor,” CSO Online, Apr. 03, 2024. Available: https://www.csoonline.com/article/2079883/chinese-apt-group-deploys-defense-evading-tactics-with-new-unapimon-backdoor.html. [Accessed: Apr. 04, 2024]

[6] L. Abrams, “Hosting firm’s VMware ESXi servers hit by new SEXi ransomware,” BleepingComputer, Apr. 03, 2024. Available: https://www.bleepingcomputer.com/news/security/hosting-firms-vmware-esxi-servers-hit-by-new-sexi-ransomware/. [Accessed: Apr. 04, 2024]

[7] The Hacker News, “Massive Phishing Campaign Strikes Latin America: Venom RAT Targeting Multiple Sectors,” Apr. 02, 2024. Available: https://thehackernews.com/2024/04/massive-phishing-campaign-strikes-latin.html. [Accessed: Apr. 04, 2024]

[8] The Hacker News, “Mispadu Trojan Targets Europe, Thousands of Credentials Compromised,” Apr. 03, 2024. Available: https://thehackernews.com/2024/04/mispadu-trojan-targets-europe-thousands.html. [Accessed: Apr. 04, 2024]