TOP-3 cybersecurity events of the week according to Jet CSIRT

This week's top three information security news items, in our opinion: a new web skimmer that forges the PayPal payment page on infected online stores, DarkIRC botnet attacks on Oracle WebLogic servers, and a new TrickBot botnet module. Details below.
New Web Skimmer Cleverly Forges PayPal Page



A new web skimmer has been found in the wild that not only steals what the customer types, but also uses it to pre-fill a fake PayPal payment form so that the fake looks convincing. The malicious script is hidden inside an image file stored on the compromised store's own server (steganography), so there is no separate suspicious script file to find. To collect payment details, the skimmer replaces the PayPal page with a fake loaded in an iframe and pre-filled with data from the order form. The payment data is stolen when the victim completes the fake form and clicks the payment confirmation button. Two things worth checking on a store that may be affected are the image files on its server and the origin of any iframe that appears at checkout: a genuine PayPal checkout is served from PayPal's own domain, not from the store's.
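The check on the image files can be automated. The following is an added example in Python, not code from the report or from the skimmer: it assumes the script was appended after the image's end-of-image marker (decoders ignore trailing bytes, which is what makes the file a usable carrier; the page does not say exactly how the steganography was done, so this is an assumption), walks PNG chunks and JPEG markers to find where the real image ends, and flags trailing bytes that contain JavaScript-looking tokens. The 1x1 PNG, the JPEG stub and the payload are all constructed for the demo.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Tokens that rarely occur in image bytes but almost always occur in a skimmer's JavaScript.
JS_HINTS = re.compile(
    rb"(<script|function\s*\(|document\.|window\.|\beval\s*\(|\batob\s*\(|createElement\s*\()", re.I)


def _png_end(blob: bytes):
    """Walk the PNG chunk list; return the offset just past the IEND chunk, or None if malformed."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        pos += 8 + length + 4          # length + type + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(blob) else None
    return None


def _jpeg_end(blob: bytes):
    """Offset just past the last EOI marker. Caveat: a payload that itself contains FF D9 shifts this."""
    idx = blob.rfind(JPEG_EOI)
    return None if idx == -1 else idx + 2


def scan_image(blob: bytes) -> dict:
    """Report how many bytes follow the end-of-image marker and whether they look like JavaScript."""
    if blob.startswith(PNG_SIG):
        kind, end = "png", _png_end(blob)
    elif blob.startswith(JPEG_SOI):
        kind, end = "jpeg", _jpeg_end(blob)
    else:
        return {"kind": "unknown", "trailing_bytes": 0, "suspicious": False, "hints": []}
    if end is None:
        # Decoders would reject this, so it is not a working carrier; still worth a manual look.
        return {"kind": kind, "trailing_bytes": 0, "suspicious": True, "hints": ["no end-of-image marker"]}
    tail = blob[end:]
    hints = sorted({re.sub(rb"\s+", b"", m).decode("ascii", "replace").lower()
                    for m in JS_HINTS.findall(tail)})
    return {"kind": kind, "trailing_bytes": len(tail), "suspicious": bool(hints), "hints": hints}


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Constructed 1x1 white PNG used as a clean carrier for the demo (not a file from any real store)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\xff\xff")           # filter byte 0 + one RGB pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Constructed stand-in for a skimmer payload: it only shows the shape (drop an iframe over the checkout);
# it is not the script from the report and exfiltrates nothing.
SAMPLE_PAYLOAD = (b"(function(){var f=document.getElementById('checkout');"
                  b"var i=document.createElement('iframe');i.src='https://payments.example.invalid/';"
                  b"f.appendChild(i);})();")

if __name__ == "__main__":
    samples = [("clean.png", make_png_1x1()),
               ("tampered.png", make_png_1x1() + SAMPLE_PAYLOAD),
               ("tampered.jpg", JPEG_SOI + JPEG_EOI + SAMPLE_PAYLOAD)]   # two-marker JPEG stub, constructed
    for name, blob in samples:
        print(name, scan_image(blob))
```

Run it over every image under the web root and review anything with `suspicious` set; a clean file reports zero trailing bytes. The JPEG branch uses the last EOI marker, so embedded EXIF thumbnails (which carry their own SOI/EOI pair) do not cause false positives.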



Oracle WebLogic servers attacked by DarkIRC botnet



Juniper Threat Labs researchers have reported DarkIRC botnet attacks on Oracle WebLogic servers through a remote code execution vulnerability (CVE-2020-14882). The malware is delivered by PowerShell scripts passed in HTTP GET requests. The payload is a binary with anti-analysis and sandbox-evasion functionality. DarkIRC has a long list of capabilities: keylogging, downloading files and executing commands, stealing credentials, spreading via MSSQL and RDP (by brute force), SMB or USB drives, and launching several types of DDoS attack. Oracle fixed CVE-2020-14882 in its October 2020 Critical Patch Update; unpatched servers whose administration console is reachable from the Internet are the ones being hit.
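Because the delivery is a plain HTTP GET, the attempts are visible in access logs. The following is an added example in Python, not code from Juniper's report: it parses combined-format log lines and flags the request shape used by public CVE-2020-14882 exploits, which double-URL-encode `..` so that a path under `/console/images/` (served without authentication) resolves to `console.portal` only after the second decoding pass. The PowerShell and `ShellSession` checks reflect the page's statement that the malware arrives via PowerShell in the request and the `handle` gadget seen in public write-ups (an assumption here, not something the page states). The log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx combined-format access log line; group names are used below.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def canonical_path(raw_path: str) -> str:
    """Decode twice, then normalise.

    A single decode of %252e%252e%252f yields %2e%2e%2f, which still looks like a file under
    /console/images/; only the second decode turns it into ../ and the traversal becomes visible.
    """
    return posixpath.normpath(unquote(unquote(raw_path)))


def analyze_line(line: str) -> list:
    """Return a list of findings for one access-log line (empty list means nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    parts = urlsplit(m.group("target"))
    raw_path, query = parts.path, parts.query
    findings = []
    canon = canonical_path(raw_path)
    # Unauthenticated static path used as a springboard out of /console/images/.
    if raw_path.lower().startswith("/console/images/") and not canon.lower().startswith("/console/images/"):
        findings.append("traversal-out-of-console-images")
    if "%25" in raw_path.lower():          # a literal '%' encoded again: the double-encoding tell
        findings.append("double-url-encoding")
    q = unquote(unquote(query)).lower()
    if "powershell" in q:
        findings.append("powershell-in-query")
    if "shellsession" in q or "mvel2" in q:   # gadget class from public write-ups (assumption)
        findings.append("handle-gadget")
    return findings


def suspicious_sources(lines) -> list:
    """Source addresses of every line with at least one finding, in log order, without duplicates."""
    seen = []
    for line in lines:
        if analyze_line(line):
            src = LOG_RE.match(line).group("src")
            if src not in seen:
                seen.append(src)
    return seen


# Constructed sample traffic: one normal console asset fetch, one exploit-shaped request (command
# body elided), one normal login page request. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Dec/2020:10:15:01 +0000] "GET /console/images/login_WebLogic_branding.png HTTP/1.1" 200 4817',
    '198.51.100.23 - - [02/Dec/2020:10:15:07 +0000] "GET /console/images/%252e%252e%252fconsole.portal'
    '?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22...powershell...%22) HTTP/1.1" 200 2305',
    '10.0.0.9 - - [02/Dec/2020:10:16:42 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1592',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyze_line(line) or "ok", line[:80])
    print("sources to investigate:", suspicious_sources(SAMPLE_LOG))
```

A 200 on the traversal line means the server answered the request, so it should be treated as a likely compromise rather than a blocked attempt; the same logic works on WebLogic's own HTTP access log once the field order is adjusted.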



New TrickBot module looks for vulnerabilities in UEFI



Specialists from Advanced Intelligence (AdvIntel) and Eclypsium have published a report on a new TrickBot botnet module that looks for weaknesses in the UEFI firmware of an infected device. Write access to the UEFI firmware would let an attacker keep malware on a compromised device even after the operating system is reinstalled or the drives are replaced. The module uses the RwDrv.sys driver (the kernel driver shipped with the RWEverything utility) to check whether UEFI/BIOS write protection is enabled; a device with write protection disabled is a candidate for a firmware implant.
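Defenders can ask the same question the module asks. The following is an added example in Python, not code from the report or from TrickBot: it assumes the Intel PCH BIOS_CNTL register and the SPI protected-range (PRx) registers have already been read (for example with chipsec, or with the same RwDrv.sys driver the page mentions) and decodes them into a verdict on whether the BIOS region of flash can be written from the OS. Bit layouts follow Intel's ICH9-and-later documentation and should be re-checked against the datasheet for another chipset generation; the register values and the BIOS region bounds are constructed.

```python
# Intel PCH BIOS_CNTL (BIOS Control register) bits.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 means the BIOS region accepts writes from software
BLE = 1 << 1       # BIOS Lock Enable: 1 means setting BIOSWE raises an SMI that SMM firmware can veto
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 means writes are honoured only while all cores are in SMM


def assess_bios_cntl(value: int) -> dict:
    """Classify the BIOS_CNTL value: 'writable', 'weak' (BLE only) or 'protected' (BLE plus SMM_BWP)."""
    biswe, ble, smm = bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP)
    if biswe or not ble:
        verdict = "writable"   # nothing stops a kernel driver such as RwDrv.sys from setting BIOSWE and flashing
    elif smm:
        verdict = "protected"
    else:
        verdict = "weak"       # BLE alone is raceable on multi-core systems; SMM_BWP closes that gap
    return {"BIOSWE": biswe, "BLE": ble, "SMM_BWP": smm, "verdict": verdict}


def decode_pr(value: int) -> dict:
    """Decode one SPI PRx register: bit 31 write-protect, 28:16 limit, bit 15 read-protect, 12:0 base (4 KiB units)."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return {"write_protect": bool((value >> 31) & 1), "read_protect": bool((value >> 15) & 1),
            "base": base, "limit": limit}


def covered_by_pr(pr_values, start: int, end: int) -> bool:
    """True if every byte of [start, end] lies inside at least one PRx range with write protection set."""
    ranges = sorted((p["base"], p["limit"]) for p in map(decode_pr, pr_values) if p["write_protect"])
    cursor = start
    for base, limit in ranges:
        if base > cursor:          # gap before this range: the region is not fully covered
            break
        if limit >= cursor:
            cursor = limit + 1
        if cursor > end:
            return True
    return cursor > end


def flash_write_status(bios_cntl: int, pr_values, bios_region) -> str:
    """Combine both mechanisms: the BIOS region is protected if either BIOS_CNTL or a PRx range locks it."""
    cntl = assess_bios_cntl(bios_cntl)["verdict"]
    if cntl == "protected" or covered_by_pr(pr_values, *bios_region):
        return "protected"
    return cntl


# Constructed values: a 4 MiB BIOS region at flash offset 4 MiB, and a PR0 that write-protects exactly it.
BIOS_REGION = (0x400000, 0x7FFFFF)
PR0_SAMPLE = (1 << 31) | (0x7FF << 16) | 0x400

if __name__ == "__main__":
    for cntl in (0x00, 0x01, 0x02, 0x22):
        print(f"BIOS_CNTL=0x{cntl:02x}: {assess_bios_cntl(cntl)}")
    print("PR0:", {k: hex(v) if isinstance(v, int) and not isinstance(v, bool) else v
                   for k, v in decode_pr(PR0_SAMPLE).items()})
    print("no PRx, BIOS_CNTL=0x00:", flash_write_status(0x00, [0, 0, 0, 0, 0], BIOS_REGION))
    print("PR0 set, BIOS_CNTL=0x00:", flash_write_status(0x00, [PR0_SAMPLE, 0, 0, 0, 0], BIOS_REGION))
```

A result of `writable` on a production machine is the condition the module is looking for and should be fixed in firmware settings or by a vendor update; `weak` deserves the same attention because BLE alone does not hold against a determined kernel-mode attacker.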