Researchers have been tracking a relatively new Android malware that sends cryptocurrency users warning messages about an issue with their wallet and urges them to enter their wallet seed phrase. The malware, known as Crocodilus, has only been active since September 2024 and uses sophisticated tactics to avoid detection on Android devices, including a proprietary dropper that does not trigger Play Protect. Crocodilus predominantly targets users in Spain and Turkey and is believed to have originated in Turkey, based on the debug messages found while analyzing it.
Samsung Germany suffers customer data breach
Recently, a hacker published a data trove containing sensitive information on around 270,000 Samsung Germany customers. Further investigation revealed that the hacker used credentials compromised during a 2021 cyberattack in which the Raccoon infostealer exfiltrated credentials from a third-party vendor, Spectos GmbH. Unfortunately, this is another case of a company not having proper protocols in place after a cybersecurity incident and leaving compromised credentials unchanged for an extended period of time.
CoffeeLoader employs sophisticated new tactics
A new malware loader has recently been identified that uses tactics similar to older loaders such as SmokeLoader and BakuLoader, but also incorporates new evasion methods. CoffeeLoader deploys its payload in a second stage to avoid payload detection and can drop that payload in a variety of system directories, depending on the available user privileges. Additionally, CoffeeLoader has been found to connect to its command-and-control server using a hardcoded user agent that makes the traffic appear to come from an iPhone.
Clop ransomware adds Sam’s Club to breach site
Following the December compromise of the Cleo file-transfer service, the threat actors behind the Clop ransomware group have claimed a data breach of the warehouse wholesale chain Sam’s Club. While Sam’s Club officials are still working to verify whether the claim is legitimate, Clop has added the company to its dark web leak site, though no data has been published as proof of the breach.
Hacker breaches Oracle Health data servers
Over the last few weeks, it has been determined that an unknown hacker breached a data migration server belonging to Oracle Health and may have compromised patient data from 170 hospitals. Though Oracle staff have not released an official statement regarding the incident, patients have received communications confirming unauthorized activity on the servers and that stored data may have been affected.