InfoSecBulletin Cybersecurity for mankind
Banking trojans in South America use various tactics, like phishing emails, malicious attachments, and manipulating web browsers. Some examples are Casbaneiro (Metamorfo/Ponteiro), Guildma, Mekotio, and Grandoreiro. These trojans focus on stealing online banking credentials and personal information, which poses a major threat to users in countries like Brazil and Mexico. Figure 2 shows the telemetry of CHAVECLOAK’s Command and Control (C2) server.
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack
Daily Security Update Dated: 21.01.2025
126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems
CERT-UA alerts about “security audit” requests through AnyDesk
Oracle Critical Pre-Release update addressed 320 flaw
OWASP Reveils Top 10 Smart Contract Vulnerabilities for 2025
Multiple Azure DevOps Vulns Allow To Inject CRLF Queries & Rebind DNS
Intel holds 22 employees from one Bangladeshi University
VPN Surge 1500% in USA after TikTok Shut Down
MITRE Launches D3FEND 1.0; The Milestone for Cybersecurity Ontology
Initial Vector PDF:
Figure 3 shows a PDF that allegedly contains contract-related documents with Portuguese instructions. The PDF prompts users to click a button to read and sign the attached documents. However, there is a hidden malicious downloader link in the PDF’s stream object, as revealed in Figure 4. This URL undergoes processing via the free link shortening service “Goo.su,” ultimately leading to a redirect at hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip for downloading the ZIP file. Upon decompression, the file yields the MSI file “NotafiscalGFGJKHKHGUURTURTF345.msi.”
Upon decompressing the MSI installer, researchers found additional files including TXT files for different languages, a legitimate execution file, and a suspicious DLL named “Lightshot.dll” with a more recent modified date compared to other files.
Examining the MSI installer reveals its entire configuration, which is written in Portuguese. It executes the file “Lightshot.exe,” extracting and depositing files at “%AppData%\Skillbrains\lightshot\5.5.0.7,” as shown in Figure 6.
The file “Lightshot.exe” uses DLL sideloading to run the malicious “Lightshot.dll” discreetly, allowing unauthorized activities like data theft. This technique poses a significant security threat by letting malware exploit legitimate processes for harmful purposes without being detected. To read out the full report click here.
Source: FortiGuard Labs
