Top 10 SpiderLabs Blog Posts of 2023

1. HTML Smuggling: The Hidden Threat in Your Inbox

Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware.

2. Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies

Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

3. Microsoft Encrypted Restricted Permission Messages Deliver Phishing

Over the past few days, we have seen phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message. At this stage, we are exploring and uncovering different aspects of this campaign and will share here some of our observations to date.

4. New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3

Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.

5. Anonymous Sudan: Religious Hacktivists or Russian Front Group?

The Trustwave SpiderLabs research team has been tracking a new threat group calling itself Anonymous Sudan, which has carried out a series of Distributed Denial of Service (DDoS) attacks against Swedish, Dutch, Australian, and German organizations purportedly in retaliation for anti-Muslim activity that had taken place in those countries.

6. WormGPT and FraudGPT – The Rise of Malicious LLMs

As technology continues to evolve, there is a growing concern about the potential for large language models (LLMs), like ChatGPT, to be used for criminal purposes. In this blog we will discuss two such LLM engines that were made available recently on underground forums, WormGPT and FraudGPT.

7. Think Before You Scan: The Rise of QR Codes in Phishing

QR Codes, the square images that contain coded information that can be scanned by a smartphone, are becoming increasingly popular. With the number of smartphone users reaching 6.92 billion this year, access to the information within these ingenious images is within reach by around 86% of the world’s population. Since most, if not all, of the smartphones today feature QR scanners and for those that don’t come so equipped, free apps can be downloaded to add this functionality.

8. Stealthy VBA Macro Embedded in PDF-like Header Helps Evade Detection

In the ever-evolving landscape of malware threats, threat actors are continually creating new techniques to bypass detection. A recent discovery by JPCERT/CC sheds light on a new technique that involves embedding a malicious Word document within a seemingly benign PDF file using a .doc file extension.

9. A Bucket of Phish: Attackers Shift Tactics with Cloudflare R2 Public Buckets

In a previous blog, we found a lot of phishing and scam URLs abusing Cloudflare services using pages.dev and workers.dev domains, respectively. We’re now seeing a lot of phishing emails with URLs abusing another Cloudflare service which is r2.dev.

10. Threat-Loaded: Malicious PDFs Never Go Out of Style

In the realm of cybersecurity, danger hides where we least expect it and threats never, ever, go out of style!