Phishing, Malware and Spyware Campaign, BRUTED Tool & CISA’s List Of Exploited Vulnerabilities
Notable security news for the week of March 9th-15th March 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news about a phishing campaign against Coinbase users, a new tool developed by the ‘Black Basta’ ransomware group to breach edge networking devices such as VPNs and firewalls, the OBSCURE#BAT malware and KoSpy spyware campaigns, and CISA’s updated list of Known Exploited Vulnerabilities (KEV).
We at F5 SIRT invest a lot of time in understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities and get you back up and running. So next time you are facing a security emergency, please contact F5 SIRT.
Ok, let’s get started and see the details of the security news.
Coinbase Phishing Scam Exploits Wallet Migration Fears
A large-scale Coinbase phishing campaign is tricking users into setting up new wallets with pre-generated recovery phrases controlled by attackers. The phishing emails, with the subject "Migrate to Coinbase Wallet," claim that users must transition to self-custodial wallets due to a court mandate following a class action lawsuit. The email provides instructions on how to download the legitimate Coinbase Wallet but includes a recovery phrase, falsely presented as the user's unique Coinbase Identity, to be used during the wallet setup. Unlike typical crypto phishing scams that aim to steal recovery phrases, this campaign provides a recovery phrase already controlled by the attacker. When users set up a wallet using this phrase and transfer funds, the attacker can access and steal the assets. The emails appear legitimate, passing various security checks, as they are sent through SendGrid, seemingly via an Akamai account. The reply address is noreply@akamai.com. Since the reply address is Akamai's, Akamai is investigating the campaign and urges users to exercise caution with unsolicited emails. Coinbase has issued a warning on X (formerly Twitter), stating they will never send recovery phrases and advising users never to enter a recovery phrase provided by someone else. Users who have fallen for the scam are advised to quickly transfer their funds out of the new wallet to regain control before the attackers steal them.
https://cryptodnes.bg/en/crypto-users-targeted-in-new-sophisticated-wallet-scam/
Black Basta Develops BRUTED Tool to Breach VPNs and Firewalls
The Black Basta ransomware group developed an automated brute-forcing framework called "BRUTED" to target edge networking devices, including VPNs and firewalls. Active since 2023, BRUTED enables large-scale credential-stuffing and brute-force attacks, streamlining initial network access for ransomware deployment.
BRUTED targets widely used products such as SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler, Microsoft RDWeb, and WatchGuard SSL VPN. It scans for publicly accessible devices by enumerating subdomains, resolving IP addresses, and appending prefixes like ".vpn" or "remote." The framework retrieves password candidates from remote servers, combines them with locally generated guesses, and executes authentication attempts using multiple CPU processes. It further extracts SSL certificate data to generate additional password guesses based on domain naming conventions.
To evade detection, BRUTED uses SOCKS5 proxies to obscure its infrastructure, which comprises servers registered in Russia. The tool's sophistication and automation expand Black Basta's victim pool and accelerate ransomware operations; hence organizations are urged to:
- Enforce strong, unique passwords for all edge devices.
- Implement multi-factor authentication (MFA) to block unauthorized access.
- Monitor for unusual login attempts and high-volume failures.
- Apply rate-limiting and account lockout policies.
- Regularly update device firmware and software to mitigate vulnerabilities.
- Block the malicious IPs and domains linked to BRUTED that EclecticIQ researchers have published.
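The third recommendation above (monitor for unusual login attempts and high-volume failures) is the one that catches a BRUTED-style campaign early. The following is an added example, not code from the original post or from EclecticIQ, that runs a sliding-window failure count over VPN gateway authentication logs and separates credential stuffing (one source trying many accounts) from brute force (one source hammering one account). The log line format and the sample lines are constructed for the example; adapt the regular expression to your gateway's actual syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN gateway auth log lines (format assumed, not a vendor's).
SAMPLE_LOG = """\
2025-03-12T10:00:01 FAIL user=alice src=203.0.113.10
2025-03-12T10:00:02 FAIL user=bob src=203.0.113.10
2025-03-12T10:00:03 FAIL user=carol src=203.0.113.10
2025-03-12T10:00:04 FAIL user=dave src=203.0.113.10
2025-03-12T10:00:05 FAIL user=erin src=203.0.113.10
2025-03-12T10:01:00 FAIL user=admin src=198.51.100.7
2025-03-12T10:01:01 FAIL user=admin src=198.51.100.7
2025-03-12T10:01:02 FAIL user=admin src=198.51.100.7
2025-03-12T10:01:03 FAIL user=admin src=198.51.100.7
2025-03-12T10:01:04 FAIL user=admin src=198.51.100.7
2025-03-12T10:30:00 FAIL user=alice src=192.0.2.5
2025-03-12T10:30:10 OK user=alice src=192.0.2.5
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Parse lines into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def detect(events, window=timedelta(minutes=5), threshold=5, spray_users=3):
    """Sliding-window count of failures per source IP. Returns {src: (kind, count, users)}.
    kind is 'credential_stuffing' when failures span >= spray_users distinct accounts
    (one password list tried across many users), else 'brute_force' (one account hammered)."""
    by_src = defaultdict(list)
    for e in sorted(ev for ev in events if ev[1] == "FAIL"):
        by_src[e[3]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than window
                start += 1
            win = evs[start:end + 1]
            if len(win) >= threshold:
                users = {e[2] for e in win}
                kind = "credential_stuffing" if len(users) >= spray_users else "brute_force"
                alerts[src] = (kind, len(win), sorted(users))
    return alerts
```

A single failed login followed by success (192.0.2.5 above) stays below the threshold, which is the behaviour you want so that ordinary typos do not page anyone.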
OBSCURE#BAT: Advanced Malware Campaign Leveraging Fake CAPTCHAs and Rootkits
OBSCURE#BAT, a newly identified malware campaign, leverages social engineering to install the open-source rootkit r77. The malware primarily targets English-speaking users in the U.S., Canada, Germany, and the U.K. It uses fake Cloudflare CAPTCHA pages and masquerades as legitimate software, such as the Tor Browser and VoIP applications, to trick users into downloading malicious batch scripts.
Once executed, the scripts run PowerShell commands that drop additional payloads, modify Windows Registry keys, and set up scheduled tasks to ensure persistence. The malware conceals itself by obfuscating scripts in the Windows Registry and registering a fake driver (ACPIx86.sys). The final stage of the attack installs r77, a user-mode rootkit that hides files, processes, and registry keys.
OBSCURE#BAT also monitors clipboard activity and command history, likely for data exfiltration. To evade detection, it employs advanced obfuscation, string encryption, and API hooking techniques. The campaign highlights the increasing sophistication of modern malware, making detection and mitigation more challenging. Users are advised to avoid suspicious downloads, enable security protections, and scan their systems for unauthorized processes.
https://thehackernews.com/2025/03/obscurebat-malware-uses-fake-captcha.html
https://hackread.com/new-obscurebat-malware-targets-users-fake-captchas/
KoSpy: North Korean Spyware Campaign Against Android Users
KoSpy, a sophisticated Android spyware linked to North Korean threat group APT37 (ScarCruft), infiltrated Google Play and APKPure through five malicious apps, including Phone Manager, File Manager, Smart Manager, Kakao Security, and Software Update Utility. Active since March 2022, the spyware targets Korean and English-speaking users by masquerading as utility tools.
Once installed, KoSpy retrieves encrypted configurations from Firebase Firestore, connects to command-and-control (C2) servers, and evades detection by ensuring it is not running in an emulator. It dynamically loads plugins to collect sensitive data such as SMS messages, call logs, GPS location, files, audio recordings, photos, videos, screenshots, and keystrokes via Android Accessibility Services. Data is encrypted using a hardcoded AES key before exfiltration.
The campaign was attributed to APT37 based on shared infrastructure with APT43 and ties to domains used in previous North Korean malware operations. While Google has removed these apps and deactivated related Firebase projects, users must manually uninstall them or perform factory resets for complete removal. Enabling Google Play Protect offers additional defense against known malware variants.
https://www.securityweek.com/north-korean-hackers-distributed-android-spyware-via-google-play/
Recent Additions To CISA's Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of known exploited vulnerabilities, which benefits the cybersecurity community, network defenders and organizations.
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with several new vulnerabilities known to be actively exploited in the wild. Listed below are the vulnerabilities added since March 11. Since these vulnerabilities are being exploited in the wild, organisations should take note and mitigate them as soon as possible.
| CVE | Product | Vulnerability Info / CWE | Mitigation |
| --- | --- | --- | --- |
| CVE-2025-24201 | Apple iOS, iPadOS, macOS, visionOS, Safari | Out-of-bounds write in WebKit | Update to visionOS 2.3.2, iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, or Safari 18.3.1. |
| CVE-2025-21590 | Juniper Networks Junos OS | Improper isolation or compartmentalization | Apply the security patches provided by Juniper Networks. |
| CVE-2025-26633 | Microsoft Windows Management Console (MMC) | Improper neutralization | Apply the security updates provided by Microsoft. |
| CVE-2025-24983 | Microsoft Windows Win32 Kernel Subsystem | Use-after-free | Install the security updates provided by Microsoft. |
| CVE-2025-24984 | Microsoft Windows NTFS | Information disclosure | Apply the latest security patches from Microsoft. |
| CVE-2025-24985 | Microsoft Windows Fast FAT File System Driver | Integer overflow and heap-based buffer overflow | Install the security updates provided by Microsoft. |
| CVE-2025-24991 | Microsoft Windows NTFS | Out-of-bounds read | Apply the latest security updates from Microsoft. |
| CVE-2025-24993 | Microsoft Windows NTFS | Heap-based buffer overflow | Install the security updates provided by Microsoft. |
| CVE-2025-25181 | Advantive VeraCore | SQL Injection | Apply the updates provided by Advantive. |
| CVE-2024-57968 | Advantive VeraCore | Unrestricted File Upload | Update to VeraCore version 2024.4.2.1 or later. |
| CVE-2024-13159 | Ivanti Endpoint Manager (EPM) | Absolute Path Traversal | Apply the security update for Ivanti EPM. |
| CVE-2024-13160 | Ivanti Endpoint Manager (EPM) | Absolute Path Traversal | Apply the security update for Ivanti EPM. |
| CVE-2024-13161 | Ivanti Endpoint Manager (EPM) | Absolute Path Traversal | Apply the security update for Ivanti EPM. |
For CISA's complete list of exploited vulnerabilities, please check the following link.
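CISA publishes the KEV catalog as a JSON feed, and the practical way to act on "added since March 11" is to filter that feed by dateAdded, intersect it with what you actually run, and track the CISA due date. The script below is an added example, not CISA's tooling or code from the original post; the field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the real feed, but the excerpt, its dates and the asset inventory are constructed here for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (field names match the real
# feed; the CVEs are from the table above, the dates and due dates are made up here).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-24201", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2025-03-13", "dueDate": "2025-04-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-21590", "vendorProject": "Juniper", "product": "Junos OS",
     "dateAdded": "2025-03-13", "dueDate": "2025-04-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-24993", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-03-11", "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-13159", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
     "dateAdded": "2025-03-11", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: (vendor, product) substrings your estate actually runs.
INVENTORY = [("Microsoft", "Windows"), ("Ivanti", "Endpoint Manager")]

def kev_since(feed_json, since):
    """Return KEV entries with dateAdded >= since (a date), newest first."""
    entries = json.loads(feed_json)["vulnerabilities"]
    hits = [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]
    return sorted(hits, key=lambda e: e["dateAdded"], reverse=True)

def affecting_inventory(entries, inventory):
    """Keep entries whose vendor and product match an inventory pair (case-insensitive substring)."""
    out = []
    for e in entries:
        for vendor, product in inventory:
            if vendor.lower() in e["vendorProject"].lower() and product.lower() in e["product"].lower():
                out.append(e)
                break
    return out

def remediation_report(feed_json, since, inventory, today):
    """Map cveID -> days remaining until the CISA dueDate (negative means overdue)."""
    relevant = affecting_inventory(kev_since(feed_json, since), inventory)
    return {e["cveID"]: (date.fromisoformat(e["dueDate"]) - today).days for e in relevant}
```

Pointing kev_since at the downloaded feed instead of KEV_SAMPLE and scheduling the report daily gives you the same "what changed since last time" view this newsletter's table provides, but scoped to your own inventory.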