The Hacker News reports that advanced threat operations have been leveraging malicious configuration files for the open-source pen-testing tool OpenBullet to deliver remote access trojan malware to their less sophisticated peers.
Illicit OpenBullet configurations are being used to retrieve the Rust-based Ocean dropper from a GitHub repository, according to a Kasada report. The dropper then fetches the Python-based Patent malware from the same repository and executes a remote access trojan capable of capturing screenshots, terminating tasks, exfiltrating cryptocurrency wallet information, and stealing passwords and cookies stored by Chromium browsers. The RAT could also steal cryptocurrency assets.
"The distribution of the malicious OpenBullet configs within Telegram is a novel infection vector, likely targeting these criminal communities due to their frequent use of cryptocurrencies. ... This presents an opportunity for attackers to shape their collection to a specific target group and obtain other members' funds, accounts, or access. As the old saying goes, there is no honor amongst thieves," said the report.
BleepingComputer reports that an expanded Xenomorph malware campaign, leveraging an updated version of the Android banking trojan, is mostly targeting users of several U.S. financial institutions and numerous cryptocurrency apps, and has also set its sights on users in Canada, Italy, Spain, Belgium, and Portugal.