Use after free in WebProtect in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-1533

Global study reveals boards still undervalue cyber's role.

**DALLAS****,** **March 21, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today released new research\* revealing that while global organizations plan to increase cybersecurity budgets in 2023, business leaders hold conflicting views on the function.

**To read a full copy of the report,** _Risky Rewards_**, please visit:** https://www.trendmicro.com/explore/risk-reward2023/2031-tl-en-rpt#page=1

Jon Clay**, VP of threat intelligence at Trend Micro:** "If organizations want to make the most of their security investments, business leaders must reframe their view of cybersecurity – to think more broadly about how it can positively impact the enterprise. This research shows it's clearly a critical component of winning new business and talent. At a time when every dollar/penny counts, it's concerning to see stereotyped views of security persist at the very top."

Nearly two-thirds (64%) of business decision-maker (BDM) respondents say they plan to increase security investment in 2023.

However, the research also reveals critical gaps in BDMs' understanding of the relationship between cybersecurity and other parts of the organization.

On the one hand, half (51%) claim cybersecurity is a necessary cost but not a revenue contributor, while a similar share (48%) argue that its value is limited to attack/threat prevention. Nearly a fifth (38%) even see security as a barrier rather than a business enabler.

However, on the other hand, 81% worry that a lack of cybersecurity credentials could impact their ability to win new business – with a fifth (19%) admitting it already has. This comes as nearly three-quarters (71%) of BDMs admit they're being asked about security posture in negotiations with prospects and suppliers. And 78% say these requests for information are increasing in frequency.

This apparent contradiction in attitudes is laid bare by another finding. Despite prospects and suppliers clearly prioritizing security in negotiations, only 57% of BDMs perceive there to be a strong or very strong connection between cyber and client acquisition/satisfaction.

Talent acquisition is another area where there are clear gaps in BDMs' understanding of the interconnectivity between cybersecurity and the rest of the business.

Nearly three-quarters (71%) of respondents claim that the ability to work from anywhere has become vital in the battle for talent. Yet only around two-fifths understand the strong connection between cybersecurity and employee retention (42%) and talent attraction (43%).

That's despite respondents recognizing the impact of cyber on the employee experience:

*   83% say current security policies have affected remote employees' ability to do their jobs (eg. network and information access issues, and slowing the pace of work)
*   43% say current security policies place restrictions on employees' ability to work from anywhere
*   54% say current policies restrict what devices/platforms employees can choose to use

_\* Trend Micro commissioned Sapio Research to poll 2718 business decision-makers in companies with 250+ employees across 26 countries._ 

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

SOURCE Trend Micro Incorporated

Research Highlights Cyber Security's Underestimated Role As a Business and Revenue Enabler

**SAN FRANCISCO****,** **March 21, 2023** **/PRNewswire/ --** Normalyze, a pioneering provider of cloud data security solutions, was granted the most fundamental patent to date for Data Security Posture Management (DSPM) by the U.S. Patent and Trademark Office. The patent addresses cloud data attack path detection based on security posture of the cloud environment and resource network path tracing. This patent is foundational for an emerging data-first approach to secure cloud-resident sensitive data and its implications will help to innovate the enterprise cybersecurity market at large.

Patent #11,575,696 describes how an accurate measure of cloud security posture enables the Normalyze DSPM platform to automatically trace network paths at scale between cloud-resident sensitive data and all points of access to determine attack paths. Paths are dynamically displayed to IT, security, and compliance teams, which instantly identify authorized versus unauthorized access – including propagation of breach attacks. Automated remediation workflows ensure continuous safety and compliance of the sensitive data. The Normalyze patent details how its technology, via integration, improves systems and methods of separate siloed tools such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud-native application protection platform (CNAPP), and/or cloud-native configuration management databases (CMDB).

"This patent's technology enables the Normalyze platform with 360-degree visibility of where our data resides across our cloud environments and any associated risks," said Rahul Gupta, Head of Information Security and GRC at Sigma Computing. "Normalyze's ability to connect the dots around data – including accesses, identities, vulnerabilities, and configurations – helps us understand where the real threats are and remediate them in near real-time. It is a game changer for securing our cloud environments."

"This patent is the first and the most important in the DSPM space. Its technology connects the risks to sensitive data in customer cloud environments, allowing them to focus on what matters most instead of chasing thousands of alerts generated by other siloed products," said Ravi Ithal, CTO and cofounder of Normalyze. "Getting the first major patent for an emerging new category such as DSPM shows our thought leadership in helping customers protect their most valuable asset, which is their data."

Read more detail about the patent from Ravi Ithal in this blog post. Normalyze has additional patents pending and will be announcing them in the first half of 2023.

The Normalyze platform is generally available in full functionality and supports all major IaaS and PaaS cloud services such as AWS, Google Cloud, Microsoft Azure and Snowflake.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture, including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze patented and agentless scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans 

Ravi Ithal and Amer Deeba and has several customers, including Chargepoint, Corelight,

 Fairfield, Ginkgo Bio, Netskope, Sigma Computing and others. The company is funded by Lightspeed Venture Partners and Battery Ventures.

For more information, please visit normalyze.ai

SOURCE Normalyze

Normalyze Granted Patent for Data Security Posture Management (DSPM)

The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.

    CentOS Stream 9: missing kernel security fixesSomeone reminded me last week that lots of enterprise Linux kernels arenot based on upstream stable trees. The most notable enterprise Linuxdistro I'm aware of is RHEL (Red Hat Enterprise Linux), so I decided totake a look at the kernel tree of CentOS Stream 9 - according to<https://developers.redhat.com/products/rhel/contribute-to-rhel>CentOS Stream is the closest freely available thing to RHEL.The CentOS Stream 9 kernel(<https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9>)is based on the original upstream 5.14 release, so I decided to lookthrough for interesting commits in the linux-5.15.y stable tree andcheck whether the same commits exist in the CentOS kernel tree.One interesting candidate I found is390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\")which fixes a locking bug that can lead to out-of-bounds writes,but from what I can tell actually exploiting this would be a big painbecause unless you manage to race with the vulnerable code twice,a memory write will happen approximately 4GiB out of bounds.ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\")also looked maybe interesting.9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\")looks like a moderately nice bug, but I think it might only behittable on CentOS if an ext4 filesystem is mounted, althoughhttps://access.redhat.com/articles/rhel-limits seems to implythat ext4 is a supported filesystem on RHEL.I am reporting this bug under our usual 90-day deadline this time because ourpolicy currently doesn't have anything stricter for cases where security fixesaren't backported; we might change our treatment of this type of issue in thefuture.It would be good if upstream Linux and distributions like you could figure outsome kind of solution to keep your security fixes in sync, so that an attackerwho wants to quickly find a nice memory corruption bug in CentOS/RHEL can'tjust find such bugs in the delta between upstream stable and your kernel.(I realize there's probably a lot of history here.)This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-03-19.Related CVE Numbers: CVE-2023-1249,CVE-2023-0590,CVE-2023-1252.Found by: jannh@google.com

CentOS Stream 9 Missing Kernel Security Fixes

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.
While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.
The

Cyber Threat Intel / Vulnerability

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.

While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.

The findings come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types.

Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days.

Among state-sponsored groups, those attributed to China have emerged as the most prolific, exploiting seven zero-days – CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328 – during the year.

Much of the exploitation has focused on vulnerabilities in edge network devices such as firewalls for obtaining initial access. Various China-nexus clusters have also been spotted leveraging a flaw in Microsoft Diagnostics Tool (aka Follina) as part of disparate campaigns.

"Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster," Mandiant said, adding it points to the "existence of a shared development and logistics infrastructure and possibly a centralized coordinating entity."

North Korean and Russian threat actors, on the other hand, have been linked to the exploitation of two zero-days each. This includes CVE-2022-0609, CVE-2022-41128, CVE-2022-30190, and CVE-2023-23397.

The disclosure comes as threat actors are also getting better at turning newly disclosed vulnerabilities into powerful exploits for breaching a wide range of targets across the world.

"While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded," Mandiant said.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The Mandiant report also follows a warning from Microsoft's Digital Threat Analysis Center about Russia's persistent kinetic and cyber targeting as the war in Ukraine continues into the second year.

The tech giant said since January 2023 it has observed "Russian cyber threat activity adjusting to boost destructive and intelligence gathering capacity on Ukraine and its partners' civilian and military assets."

It further warned of a possible "renewed destructive campaign" mounted by the nation-state group known as Sandworm (aka Iridium) on organizations located in Ukraine and elsewhere.

What's more, Moscow-backed hackers have deployed at least two ransomware and nine wiper families against over 100 Ukrainian entities. No less than 17 European countries have been targeted in espionage campaigns between January and mid-February 2023, and 74 countries have been targeted since the start of the war.

Other key traits associated with Russian threat activity include the use of ransomware as weapons of cyber sabotage, gaining initial access through diverse methods, and leveraging real and pseudo hacktivist groups to expand the reach of Moscow's cyber presence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

**Description**

Feature create tag permit attacker injection html tag and execute it.

**Proof of Concept**

    1. Add question
    2. Create tag with payload in description:
    
    <img src=x onerror=alert(1) >
    
    3. Post your question
    4. Go to link http://<your domain>/tags/<id tag>/timeline  and click created. Payload executed.
    

**POC**

https://drive.google.com/file/d/1KncWqifwi\_VTbTxmCNotwMXeUkNgF9Ji/view?usp=sharing

**Impact**

Executing JavaScript in victim's session which leads to potential account takeover, perform actions as that user, ...

CVE-2023-1536: Store XSS in create tag in answer

By Deeba Ahmed
Researchers suspect that the malware may be operated by Russian-speaking groups, given the references to the language in its code.
This is a post from HackRead.com Read the original post: DotRunpeX: The Malware That Infects Systems with Multiple Families

****Currently, **DotRunpeX malware**** **appears to be primarily distributed through phishing emails and malicious Google Ads, presenting a significant threat to users’ systems.****

A new malware that distributes multiple known malware families, including Agent Tesla, FormBook, Ave Maria, NetWire, LokiBot, Raccoon Stealer, Remcos, RedLine Stealer, Vidar, and Rhadamanthys, has been discovered by Checkpoint researchers.

Dubbed DotRunpeX, the malware is a new injector written in .NET, created using the Process Hollowing technique, and used to infect systems with different malware families.

The researchers noted that DotRunpeX is being actively developed. Its infection chain invades the system as a second-stage malware, usually deployed via a downloader or loader delivered via malicious attachments in phishing emails.

Additionally, it can leverage malicious Google Ads that appear in search results to direct unsuspecting users when they search for commonly used software such as LastPass and AnyDesk and send them to copycat sites delivering trojanized installers.

A malicious Google Ad and phishing email that drop the malware (Image: Check Point)

Though the injector is fairly new, there are several similarities it shares with its previous versions. For example, the injector’s name is derived from its version information, which is the same for both versions across all samples the researchers analyzed. They also noted that it contained ProductName – RunpeX.Stub.Framework.

Their analysis revealed that each malware sample had an embedded payload of a specific malware family to be injected, which becomes possible by abusing the vulnerable procexp.sys process explorer driver incorporated into the malware for obtaining kernel mode execution.

They analyzed publicly shared data by independent researchers regarding DotRunpeX but learned that the malware was misattributed to a well-known malware family. Furthermore, they learned that the first-stage loader and the second-stage loader had no connection.

The most recent activity of DotRunpeX was detected in October 2022. It was noticed that using the KoiVM virtualizing protector adds an extra obfuscation layer. These findings were somewhat similar to a malvertising campaign discovered by SentinelOne in February 2023. In that instance, the loader and injector components were referred to as MalVirt.

Researchers suspect that the malware may be operated by Russian-speaking groups, given the references to the language in its code.

1.  New YTStealer Malware is Hijacking YouTube Channels
2.  YouTube Tutorial Videos Spread Vidar, Raccoon Malware
3.  Adsense abused: 11,000 sites hacked in a backdoor attack
4.  Google Drive behind most malicious Office doc downloads
5.  Google Ads drop FatalRAT in fake messenger, browser apps

DotRunpeX: The Malware That Infects Systems with Multiple Families

No-code has lowered the barrier for non-developers to create applications. AI will completely eliminate it.

Since ChatGPT captured our imaginations, people have been contemplating its pending impact on the business world. This week, these thoughts became a reality, with Google and Microsoft embedding AI features into their business productivity suites.

Microsoft took another major step by releasing AI Copilot for Power Apps, Microsoft's low-code platform. Power Apps can connect far and beyond the Microsoft ecosystem, with almost a thousand built-in connectors to everything from Salesforce to on-prem and AWS. With one swift move, AI has been integrated into the day-to-day workflows of the world's largest organizations.

This is an amazing achievement, and other low-code/no-code platforms will surely try to catch up quickly. But ask yourself: Who will make the decision to integrate data with AI? Who will grant access? The answer: Every business user, and you won't even know, since they'll let AI impersonate their accounts.

**AI + Low-Code/No-Code = A Perfect Storm**

In recent years, low-code/no-code has given business users newfound freedom. They were granted developer-level power that enabled them to customize their digital experience, with the technical skills they already have rather than having to learn new ones. Business users have started building applications that solve the problems that hurt most, on top of their day-to-day business data, without relying on IT or waiting for resources. After just a few years of low-code/no-code, many enterprises find themselves with tens or hundreds of thousands of applications, built outside of IT with no oversight or control.

Forget about CI/CD or security reviews, most of these applications follow the "push save to deploy to production" model instead. Quickly and quietly, applications developed outside of IT without SDLC have become a significant portion of enterprise business applications. This has already become a major concern for enterprise security.

Enter AI. Imagine that every conversation you had with ChatGPT involved you giving it access to business data, and left behind a nice little application you could play around with and share with others. Got a long business email? Let AI shorten it for you. Need to find relevant customers in your CRM? Let AI generate statistics for you. Need to analyze user behavior over product telemetry? Let AI query the database for you. Don't stop there! Create mini-applications to allow answering those questions repeatedly, and share them with your coworkers! Every application requires access — your access. Low-code has lowered the barrier for non-developers to create applications. AI, however, will completely eliminate it.

Low-code/no-code provides ease-of-connectivity to business data by removing the difficult hurdles around authentication, and provides a host of widgets business users can combine creatively to address their needs. AI brings power to everyone, allowing them to create by simply asking for what they want. The two techniques fit together like a glove and a hand. Superpowered by AI, low-code/no-code expands from "everyone can build an application" to "everyone builds an application, for everything they think of, all of the time."

**You Are Not in Control**

Who decides what data the AI can access? You might be thinking this would be IT, or the security team, but you would be wrong. Business users are making those decisions. But how?

Imagine a scenario where every business user in a large enterprise starts to build their own applications. Setting aside the skill gap, the No. 1 hurdle to progress would be identity and access. Provisioning an application identity and granting the right permissions to it would require approval, which would trigger questions and perhaps even a security review. You won't get to tens of thousands of applications in a large enterprise this way.

To circumvent this hurdle, low-code/no-code platforms made a significant compromise: Applications can — and mostly do — impersonate users rather than have their own identities. This completely negates the permission issue. As a low-code/no-code developer, I can embed my own identity within my newly created application. I can even share my credentials with others, so they'll be able to build their own applications with my access to data or performing operations on my behalf. No more waiting for approval — we have a green light to create!

The problem with this credentials-sharing-as-a-service is that it completely negates the enterprise permission model. If users are sharing their credentials with each other, there's no easy way to distinguish them. Moreover, an application can leverage credentials across your organizational boundary — say, an employee's personal email account — in combination with a business account. To add a cherry on top, moving data between one account and the other is done by automated copy-and-paste on the low-code/no-code platform's cloud. No data gets transmitted, so there is no opportunity to block data leaking out.

Credential sharing and data leakage have been a major issue with low-code/no-code applications. AI doesn't change that, but it magnifies the scale of the problem. When AI is plugged into a low-code/no-code platform, the AI gains potential access to everything the platform can access. The transition between potential and in-practice access is up to whoever prompts the AI to build a low-code/no-code application for them. We are trusting our business users with making the right choice without any guardrails or guidance.

**Business Users Build Enterprise Applications**

More than a specific technology, low-code/no-code is an idea — a strong push into IT decentralization and business empowerment. It has already brought tremendous productivity benefits to the world's largest organizations, because the employees who know best how to impact the business are the business users.

For professionals in IT and security, this is a paradigm shift. No longer can we rely on the security savviness of developers or official security mandates. We must embrace business users and help guide them in the right direction. If we fail to do so, the forces of productivity and data-hungry AI will surely be glad to do that for us.

AI Has Your Business Data

Users of affected devices that want to mitigate risk from the security issues in the Exynos chipsets can turn off Wi-Fi and Voice-over-LTE settings, researchers from Google's Project Zero say.

A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google's Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company's Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google's Pixel 6 and Pixel 7 series of devices.

**Android Users Face Complete Compromise**

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim's phone number, Project Zero threat researcher Tim Willis wrote.

"Tests conducted by Project Zero confirm that those four vulnerabilities \[CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498\] allow an attacker to remotely compromise a phone at the baseband level," Willis said. "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." 

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being "severe" and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It's also unclear whether, or when, all affected Samsung Galaxy devices will receive the updates.

Willis said affected Google Pixel devices had already received a fix for one of the disclosed flaws (CVE-2023-24033) with the company's March 2023 security update. Google did not immediately respond to a Dark Reading request for information on when patches would be available for the remaining vulnerabilities. Vivo did not respond immediately to a Dark Reading request either, so the company's plans for addressing the vulnerabilities remain unclear as well.

**The Android Patch Gap Problem**

In the past, device vendors have taken their time addressing vulnerabilities in the Android ecosystem. So, if that's any indication, users affected by the vulnerabilities in the Samsung chipset could be in for a long wait. 

In November, Project Zero researchers reported on what they described a significant patch gap resulting from the delay between when a firmware patch for an Android device becomes available and when a device vendor actually makes it available for their users. As an example, Project Zero researchers pointed to several vulnerabilities they discovered in the ARM Mali GPU driver. Google reported the vulnerabilities to ARM last June and July, after which the latter issued patches for the flaws in July and August. Yet more than three months later, in November, when Google tested affected devices for the vulnerability, the researchers found every single device still vulnerable to the issues.

"The easy part is fixing the hardware flaws with new software," says Ted Miracco, CEO at Approov. "The harder part is getting manufacturers to push the updates to the end users and getting end users to update their devices," he says. Unfortunately, many users of the chipsets may not be quick to patch the devices and users are probably largely unaware if the vulnerabilities, he says.

Vulnerabilities like the ones Project Zero discovered in the Samsung chipsets exist not only in the Android ecosystem, but in the iOS ecosystem and any complex supply chain involving sophisticated hardware and software as well, Miracco continues. The challenge is reducing the time from detecting flaws to deploying solutions on all devices. 

"This is an area where the Android ecosystem needs to put a lot attention, as updates can be few and far between with many manufacturers of mobile devices," he says. Enterprises could mandate that users who bring their own devices (BYOD) to work must utilize devices from approved suppliers that have a track record of rapidly deploying updates, Miracco adds.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says vulnerabilities like these highlight the need for enterprises to evaluate their mobile security strategies. "It makes sense for enterprises to guide their employees on how to stay safe and if there are new requirements for enterprise access," he notes.

With so much original equipment manufacturer (OEM) fragmentation in the Android space, the patches might only be available after a few months for all the vulnerabilities discovered. "This is why it's important for enterprises to invest in security that can handle zero-day threats and can be updated over the air," Vishnubhotta adds.

Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks

A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.
"DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check

A new piece of malware dubbed **dotRunpeX** is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.

"DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check Point said in a report published last week.

Said to be in active development, dotRunpeX arrives as a second-stage malware in the infection chain, often deployed via a downloader (aka loader) that's transmitted through phishing emails as malicious attachments.

Alternatively, it's known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers.

The latest DotRunpeX artifacts, first spotted in October 2022, add an extra obfuscation layer by using the KoiVM virtualizing protector.

It's worth pointing out that the findings dovetail with a malvertising campaign documented by SentinelOne last month in which the loader and the injector components were collectively referred to as MalVirt.

Check Point's analysis has further revealed that "each dotRunpeX sample has an embedded payload of a certain malware family to be injected," with the injector specifying a list of anti-malware processes to be terminated.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

This, in turn, is made possible by abusing a vulnerable process explorer driver (procexp.sys) that's incorporated into dotRunpeX so as to obtain kernel mode execution.

There are signs that dotRunpeX could be affiliated to Russian-speaking actors based on the language references in the code. The most frequently delivered malware families delivered by the emerging threat include RedLine, Raccoon, Vidar, Agent Tesla, and FormBook.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google