Internet Storm Center Spotlight


Title: Lazarus Group starts using new MagicRAT in attacks targeting vulnerable VMware Horizon platforms

Description: Cisco Talos discovered a new remote access trojan (RAT) named "MagicRAT" that Talos attributed with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely. Talos also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide.


Snort SIDs: 60459 - 60466

Title: Number of attacks against Linux machines on the rise

Description: A new report indicates that attackers are increasingly targeting Linux machines as the operating system becomes increasingly popular among enterprise users. Security firm Trend Micro said that there’s been a 75 percent increase in ransomware attacks against Linux systems in the first half of 2022 compared to the same stretch last year. The report also said the firm’s seen more than 1,900 instances of Linux-based malware being used against its customers in the first half of 2022. These attacks are mainly coming from the operators of the REvil and DarkSide ransomware-as-a-service groups, along with a recently released Linux version of the LockBit ransomware. Cloud computing company VMware released a different report earlier this year warning against a rise in cryptocurrency mining attacks against Linux systems, such as XMRig, to hijack CPU power on Linux machines to mine Monero and other virtual currencies.


Snort SIDs: 55223, 55224, 57621 and 57622

Internet Storm Center Entries

Apple released a security update for iOS 12, an older mobile operating system, to fix a vulnerability that is being actively exploited.

An updated version of the SharkBot malware has found its way into legitimate apps on the Google Play store.

A new ransomware group called BianLian has become increasingly active since the start of 2022, targeting organizations in Australia, North America, and the U.K.

Local police departments in the U.S. are using a little-known spyware tool that allows them to retroactively track suspects’ movements without a search warrant.

Social media app TikTok recently patched a vulnerability that could have allowed any attacker to completely take over an account with just one click, allowing them to post videos, send messages and edit account details.

QNAP is warning users that the DeadBolt ransomware is being used in a campaign targeting its NAS devices.

A large school district in California was the target of a cyber attack over the Labor Day holiday weekend, though schools opened as planned Tuesday.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2019-15167

Title: Buffer over-read vulnerability in VRRP PARSER

Description: The vulnerability affects the function vrrp_print of the file print-vrrp.c of the component VRRP Parser. The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

ID: CVE-2020-26938

Title: Cross-site Scripting (XSS) vulnerability in oauth2-server

Description: In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern ("[a-zA-Z][a-zA-Z0-9+.-]+:") before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request.

NOTE: This vulnerability is similar to CVE-2020-7741.

CVSS v3.1 Base Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

ID: CVE-2020-27792

Title: Heap-based buffer overwrite vulnerability in GhostScript package

Description: A heap-based buffer overwrite vulnerability was found in GhostScript's lp8000_print_page() function in gdevlp8k.c file. An attacker could trick a user to open a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.

CVSS v3.1 Base Score: 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)

Prevalent Malware Files


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c


Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c


Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name:

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2


Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

MD5: f1fe671bcefd4630e5ed8b87c9283534


Typical Filename: KMSAuto Net.exe

Claimed Product: KMSAuto Net

Detection Name: PUA.Win.Tool.Hackkms::1201

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7

MD5: 0e4c49327e3be816022a233f844a5731


Typical Filename: aact.exe

Claimed Product: AAct x86

Detection Name: PUA.Win.Tool.Kmsauto::in03.talos