{"id":4273,"date":"2023-02-02T06:03:00","date_gmt":"2023-02-02T06:03:00","guid":{"rendered":"\/cybersecurity-blog\/?p=4273"},"modified":"2025-03-11T12:20:41","modified_gmt":"2025-03-11T12:20:41","slug":"malware-news-digest-january-2023","status":"publish","type":"post","link":"\/cybersecurity-blog\/malware-news-digest-january-2023\/","title":{"rendered":"Malware News Digest: January 2023"},"content":{"rendered":"\n

Welcome to our new monthly synopsis of noteworthy malware and security news. <\/p>\n\n\n\n

Let’s take a look at what’s been going on.<\/p>\n\n\n\n

<\/p>\n\n\n\n

1. New threat alert: Rhadamanthys Stealer<\/h2>\n\n\n\n

The newly discovered<\/a> malware strain is an infostealer that is being distributed through Google Ads phishing campaigns. It collects system data and targets the most popular cryptocurrency wallets.<\/p>\n\n\n\n

Google\u2019s advertising network is rapidly turning into a potent malware distribution channel. Despite the ongoing criticism from the cybersecurity community, Google seemingly does nothing to stop its abuse.<\/p>\n\n\n\n

2. Malicious Python packages spread malware on Python Package Index (PyPI)<\/h2>\n\n\n\n

Three malicious packages named “colorslib,” “httpslib,” and “libhttps” were uploaded<\/a> to Python Package Index (PyPI) repository by a threat actor named Lolip0p. <\/p>\n\n\n\n

These packages were downloaded over 550 times before being removed from PyPI. The packages have identical setup scripts that download and run a malicious binary (“Oxzy.exe”) hosted on Dropbox. <\/p>\n\n\n\n

The binary triggers the retrieval of another binary called “update.exe,” which is an information stealer and can drop additional malware, one of which is a trojan detected by Microsoft as Wacatac.<\/p>\n\n\n\n

The packages were made to look legitimate by including a convincing project description.<\/p>\n\n\n\n

3. Attackers hide malware in blank images to bypass the detection<\/h2>\n\n\n\n

A new phishing scam called the Blank Image Attack has been discovered<\/a> by Avanan researchers. <\/p>\n\n\n\n

The attack sends a blank image in an HTML attachment, which when opened, redirects the recipient to a malicious landing page that delivers malware. The attacker uses a legitimate link from DocuSign to trick the victim into trusting the email and its attachments. <\/p>\n\n\n\n

The blank image contains an encoded JavaScript that bypasses antivirus services and redirects the victim to the malicious link. To avoid this attack, users should avoid opening .htm attachments to block HTML attachments.<\/p>\n\n\n\n

<\/div>\n\n\n\n

<\/p>\n\n\n\n

\n

Try ANY.RUN for Enterprises <\/strong><\/h3>\n\n\n\n

Combat new threats together \u2013 ANALYZE MALWARE IN A TEAM<\/h2>\n\n\n\n
\n
Get a demo<\/a><\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n
<\/div>\n\n\n\n

<\/p>\n\n\n\n

4. Google Ads phishing attacks target password managers<\/h2>\n\n\n\n

Reports indicate<\/a> that malicious actors are running Google Ads phishing scams, targeting popular password management software. They\u2019re after users’ master passwords. <\/p>\n\n\n\n

Master passwords are used to encrypt credentials stored in online \u201cpassword vaults\u201d, which hold sensitive login data online to make it accessible from multiple devices. Getting access to the master password grants attackers full control over the vault.<\/p>\n\n\n\n

Security breaches at LastPass and Norton have already shown just how effective such attacks can be.<\/p>\n\n\n\n

5. Windows 11 now protects users from themselves<\/h2>\n\n\n\n

Smart App Control is a new safety feature that was added<\/a> to Windows 11 in January. It is designed to block untrusted apps from running or files to be opened.<\/p>\n\n\n\n

When a user clicks on a potentially malicious app, windows will now show a pop suggesting that the application may be unsafe. Only time will tell if Microsoft\u2019s implementation will prove effective or if it evolves into scareware, similar to Apple’s implementation on Mac OS.<\/p>\n\n\n\n

For now, the feature is available for testing to select users. <\/p>\n\n\n\n

6. OneNote maldocs usage spiked in January<\/h2>\n\n\n\n

We’re seeing a spike in OneNote maldoc usage lately and crooks using different lures, such as Office365 and blurred documents. We found a fresh maldoc with “Legal Notice” lure which download Redline as a payload. Check out this task in ANY.RUN<\/a> to see it in action.<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"OneNote
OneNote maldoc<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

ANY.RUN\u2019s January updates<\/h2>\n\n\n\n

Deep malware analysis from our analyst team, the history of the most preventable ransomware, the most effective ways to use virtualization to provide additional security, and trends of the last year and ANY.RUN achievements in 2022 \u2013 ANY.RUN Blog is ready to share its own digest. <\/p>\n\n\n\n

January gave us an amazing starting point with these posts:<\/p>\n\n\n\n