We’ve gathered the latest news on threats, malicious technology and cybersecurity advancements you need to know.

It’s Cybersecurity Awareness Month. In honor of helping organizations protect their employees and data, we are bringing you a new series where we cover the latest cybersecurity news security teams need to know about.

This week in cybersecurity news, zero-point font phishing scams are on the rise, a report identifies the loaders behind 80% of malware scams, Bing’s chatbot delivers malvertising links, a new “MalDoc” attack and a new zero-day vulnerability in WebP images spurs updates in major browsers. Here’s the cybersecurity news to keep up with this week:

ZeroFont phishing scam bypasses Outlook scanner 

First noticed in 2018, the ZeroFont phishing technique uses zero-point fonts to subvert AI scanners. The invisible-to-read text is scanned by safety algorithms but not visible to the human eye. This throws off the ability to detect fraud by natural language processing (NLP). In Microsoft Outlook, the notice that an email has been scanned gives the viewer a degree of trust for what’s inside. Being able to bypass these scanners puts end-users at risk.  

As AI and NLP phishing scanners advance, so too do phishing techniques. This method and others like it could fool users into trusting hazardous links.

“In a new report by ISC Sans analyst Jan Kopriva, the researcher warns that this trick could make a massive difference in the effectiveness of phishing operations, and users should be aware of its existence and use in the wild.”

— Bill Toulas, Bleeping Computer

80% of malware attacks come from just 3 sources  

Just three malware loaders, QBot, SocGholish, and Raspberry Robin, were responsible for 80% of attacks of 2023 thus far. The Register summarizes a report from ReliaQuest detailing the percentage of responsibility of each loader has had in recent attacks. These loaders run on unsuspecting victims’ computers, and can be installed by email attachment or a innocently appearing download. Once it is running, it can execute the malware, ransomware or other malicious content.

The three top loaders are delivered and function on the computer by different means. While SocGholish poses as an update, Raspberry Robin travels via infected USBs. The loaders can be linked back to the international cybercrime network, Evil Corp, and even a Russian crime gang.

“Mitigation for one loader may not work for another, even if it loads the same malware.”


Malvertising in Bing chatbot 

Malicious malware was found to be advertised in Bing’s AI chatbot. It appears as a legitimate search result at the top of a search for “IP scanners.” According to Malwarebytes, the site easily separates real victims from security operations centers (SOC) and other researchers by their user-agent string or the ability to recognize virtual machines. This filtering ability stops security professionals from being able to investigate the site and adequately protect their users. 

Sometimes malware ads come from a bad actor hacking into the legitimate advertising account of another company. With this cover, the malvertising scheme can go unnoticed for longer. The landing pages are convincing enough to fool the victim.

“It does that by checking your IP address, time zone, and various other system settings such as web rendering that identifies virtual machines.”

Jérôme Segura, Malwarebytes

Malware via PDF format 

A new form of attack has been reported by JPCERT, in which a bad actor embedded a malicious Microsoft Word file inside a PDF document. By disguising the format, the “MalDoc,” as the report dubbed it, is able to subvert sandbox and antivirus software. Other analysis tools, such as PDFiD, struggle to detect the malicious parts in Word format. 

While Word detectors can still detect malware in the content, but they may not be run for a file recognized as PDF. SOC teams and analysts should be on the lookout for this new type of attack.

“The attacker adds an mht file created in Word and with macro attached after the PDF file object and saves it.”

— Yuma Masubuchi and Kota Kino, JPCERT

Chrome, Firefox and other browsers work to patch zero-day 

Google Chrome, Mozilla Firefox, Microsoft Edge, Brave and the Tor browser have all announced updates to patch a recently exposed zero-day vulnerability that can execute malicious code via WebP image. The WebP file format is a modern web image that allows faster load time on many browsers. Many browsers and applications use WebP Codec to read WebP images on the web, and that reader is where the vulnerability originates.

“The vulnerability was first detected by the Apple Security Engineering and Architecture team and The Citizen Lab at The University of Toronto on September 6, StackDiary said.”

— Megan Crouse, Tech Republic

Each month, we gather the latest in cybersecurity news to shed light on an ever-evolving industry. Stay up to date on new types of malware attacks, the latest in detection and other advances in cybersecurity.

The most security-conscious government agencies, law enforcement organizations and enterprise companies rely on Silo to power secure, isolated access to the web and for third-party enablement, as well as to investigate malware and phishing attempts. Learn more about Silo products.

Cybersecurity Phishing/malware SOC