Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Fake Updates. Show all posts
latest news
cyber attack Cyber Attacks Cyber campaign Cyber Scams Fake Updates latest news

New FakeUpdate Cyber Campaign Spreads Updated WarmCookie Backdoor in France

A new wave of cyberattacks is targeting users in France, exploiting fake browser and software update prompts to spread an updated version of the WarmCookie backdoor. The campaign, dubbed “FakeUpdate,” has been linked to the SocGolish threat group, known for using compromised or fake websites to display deceptive update messages for popular applications like Google Chrome, Mozilla Firefox, Microsoft Edge, and Java. 

When users fall for these fake update alerts and click on them, malicious software is installed on their systems instead of a legitimate update. This payload includes tools like info-stealers, remote access trojans (RATs), cryptocurrency drainers, and ransomware. According to researchers from Gen Threat Labs, the WarmCookie backdoor being distributed in this campaign is more advanced than its previous versions. 

Initially discovered by cybersecurity firm eSentire in 2023, WarmCookie is designed to steal data, capture screenshots, run arbitrary commands, and drop additional malicious files. In this latest campaign, it has been updated with new features, such as the ability to run DLLs from a system’s temporary folder and execute PowerShell and EXE files. The infection chain begins when users click on fake update prompts that closely mimic legitimate update notifications. 

Once clicked, a JavaScript file triggers the download of the WarmCookie installer, which bypasses security checks and installs the backdoor. The malware can evade detection through anti-virtual machine (anti-VM) checks, ensuring it’s not being monitored by security analysts before sending system data to its command and control (C2) server. 

While the attackers are primarily using compromised websites to distribute these fake updates, researchers also identified malicious domains designed to look like official update sites, such as “edgeupdate[.]com” and “mozilaupgrade[.]com.” Experts warn that legitimate browsers, including Chrome, Edge, and Firefox, update automatically and do not require users to manually download update files. 

Any pop-up asking users to do so should be viewed with suspicion and avoided.
Read more »
Web Servers
Cyber Attacks Fake Updates Ransomware User Security Web Servers

HavanaCrypt Ransomware Deployed Via Fake Google Updates

 

Trend Micro researchers have unearthed a new ransomware family dubbed ‘HavanaCrypt’ being deployed as a fake Google Software Update application. 

The ransomware launches multiple anti-virtualization checks and employs a Microsoft web hosting service IP address for its command and control (C&C) server, which allows it to bypass detection. HavanaCrypt also leverages a namespace method function in its execution process, a report from Trend Micro explained. 

“It disguises itself as a Google software update application and uses a Microsoft web hosting service IP address as its command-and-control server to circumvent detection,” Trend Micro said in a blog. 

The ransomware is the latest in a series of malware that poses as a legitimate application. This year alone has seen ransomware masquerading as Windows 10, Google Chrome, and Microsoft Exchange updates. 

HavanaCrypt modus operandi 

HavanaCrypt is a .NET-compiled application, that employs an open-source tool called Obfuscar to obfuscate its code. Once installed on a system, HavanaCrypt examines the AutoRun registry to see whether the "GoogleUpdate" registry is already present. If not, it continues with the routine. 

The malware then undertakes a four-stage assessment of whether the compromised device is running in a virtualized environment. 

First, it checks for services used by common virtualization applications such as VMWare Tools and vmmouse. Then it scans for files related to virtual applications, followed by a check for specific file names employed in virtual environments. Finally, it compares the machine's MAC address with unique identifier prefixes usually employed in virtual machine settings. If any of the checks show the infected machine to be in a virtual environment, the malware terminates itself. 

Additionally, the malware designs a text file that logs all the directories containing the encrypted files. The file is named foo.txt and the ransomware encrypts it as well. No ransom note is dropped. 

"It is highly possible that the ransomware's author is planning to communicate via the Tor browser because Tor is among the directories that it avoids encrypting files in. It should be noted that HavanaCrypt also encrypts the text file foo.txt and does not drop a ransom note. This might be an indication that HavanaCrypt is still in its development phase," said Bharat Mistry, technical director at Trend Micro.
Read more »
Subscribe to: Posts (Atom)