Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitHub. Show all posts
Social Engineering
Bots Gaming GitHub malware Redox Stealer Social Engineering

GitHub Scam: Fake Game Mods Steal User Credentials and Data


An advanced malware campaign exploiting GitHub repositories masked as game mods (and cracked software) has been found, revealing a risky blend of automated credential harvesting and social engineering tactics. 

While going through articles on social engineering, cybersecurity expert Tim found “a relatively new scam scheme” that shocked him. “People create thousands of GitHub repositories with all sorts of things - from Roblox and Fortnite mods to "cracked" FL Studio and Photoshop,” says Tim. 

About Redox stealer

Experts have found more than 1,100 dangerous repositories spreading versions of Redox stealer, a python-based malware built to extract important data, browser cookies, gaming platform credentials, and cryptocurrency wallet keys.

When we download and run this software, the data collected from our systems is sent to some Discord server, according to Tim, where “hundreds of people crawl through the data searching for crypto wallet private keys, bank accounts and social media credentials, and even Steam and Riot Games accounts.” 

Redox Stealer Details

Redox runs via a multi-stage data harvesting process that starts with system surveillance. Talking about the technical architecture of the redox stealer, cybersecurity news portal GB Hackers says, “Initial execution triggers a globalInfo() function that collects the victim’s IP address, geolocation via the geolocation-db.com API, and Windows username using os.getenv(‘USERNAME’).”

Issues with Mitigation and GitHub’s Response

Even with GitHub’s malware detection systems, repositories stay functional because:

  1. Activities look real: Accounts with star counts and realistic commit histories escape heuristic analysis. 
  2. Encrypted Payloads: RAR passwords like “cheats4u” stop static code analysis. 
  3. Slow Takedowns: Threat actors rebuild banned repositories via automated topic permutations. 

According to GB Hackers, “The researcher’s spreadsheet of confirmed malicious repos has not yet triggered bulk takedowns, highlighting gaps in proactive monitoring.” 

Conclusion

The GitHub campaign has exposed a significant rise in exploitation of open-source forums for large-scale social engineering. “It's been a long journey and it's barely over - but I think it's more than enough to summarise and discuss the problem,” says Tim. He finds it shocking how easily the information can be accessed online for free “without Tor, without invite, without anyone's approval.”

The information is cleverly disguised as something such as “telegram bot” that sends us offers (scams) or other lucrative baits. 

Read more »
Technology
Artificial Intelligence ChatGPT CyberCrime CyberThreat Cyersecurity GitHub Shadow AI Technology

Ensuring Governance and Control Over Shadow AI

 


AI has become almost ubiquitous in software development, as a GitHub survey shows, 92 per cent of developers in the United States use artificial intelligence as part of their everyday coding. This has led many individuals to participate in what is termed “shadow AI,” which involves leveraging the technology without the knowledge or approval of their organization’s Information Technology department and/or Chief Information Security Officer (CISO). 

This has increased their productivity. In light of this, it should not come as a surprise to learn that motivated employees will seek out the technology that can maximize their value potential as well as minimize repetitive tasks that interfere with more creative, challenging endeavours. It is not uncommon for companies to be curious about new technologies, especially those that can be used to make work easier and more efficient, such as artificial intelligence (AI) and automation tools. 

Despite the increasing amount of ingenuity, some companies remain reluctant to adopt technology at their first, or even second, glances. Nevertheless, resisting change does not necessarily mean employees will stop secretly using AI in a non-technical way, especially since tools such as Microsoft Copilot, ChatGPT, and Claude make these technologies more accessible to non-technical employees.

Known as shadow AI, shadow AI is a growing phenomenon that has gained popularity across many different sectors. There is a concept known as shadow AI, which is the use of artificial intelligence tools or systems without the official approval or oversight of the organization's information technology or security department. These tools are often adopted to solve immediate problems or boost efficiency within an organization. 

If these tools are not properly governed, they can lead to data breaches, legal violations, or regulatory non-compliance, which could pose significant risks to businesses. When Shadow AI is not properly managed, it can introduce vulnerabilities into users' infrastructure that can lead to unauthorized access to sensitive data. In a world where artificial intelligence is becoming increasingly ubiquitous, organizations should take proactive measures to make sure their operations are protected. 

Shadow generative AI poses specific and substantial risks to an organization's integrity and security, and poses significant threats to both of them. A non-regulated use of artificial intelligence can lead to decisions and actions that could undermine regulatory and corporate compliance. Particularly in industries with very strict data handling protocols, such as finance and healthcare, where strict data handling protocols are essential. 

As a result of the bias inherent in the training data, generative AI models can perpetuate these biases, generate outputs that breach copyrights, or generate code that violates licensing agreements. The untested code may cause the software to become unstable or error-prone, which can increase maintenance costs and cause operational disruptions. In addition, such code may contain undetected malicious elements, which increases the risk of data breach and system downtime, as well.

It is important to recognize that the mismanagement of Artificial Intelligence interactions in customer-facing applications can result in regulatory non-compliance, reputational damage, as well as ethical concerns, particularly when the outputs adversely impact the customer experience. Consequently, organization leaders must ensure that their organizations are protected from unintended and adverse consequences when utilizing generative AI by implementing robust governance measures to mitigate these risks. 

In recent years, AI technology, including generative and conversational AI, has seen incredible growth in popularity, leading to widespread grassroots adoption of these technologies. The accessibility of consumer-facing AI tools, which require little to no technical expertise, combined with a lack of formal AI governance, has enabled employees to utilize unvetted AI solutions, The 2025 CX Trends Report highlights a 250% year-over-year increase in shadow AI usage in some industries, exposing organizations to heightened risks related to data security, compliance, and business ethics. 

There are many reasons why employees turn to shadow AI for personal or team productivity enhancement because they are dissatisfied with their existing tools, because of the ease of access, and because they want to enhance the ability to accomplish specific tasks. In the future, this gap will grow as CX Traditionalists delay the development of AI solutions due to limitations in budget, a lack of knowledge, or an inability to get internal support from their teams. 

As a result, CX Trendsetters are taking steps to address this challenge by adopting approved artificial intelligence solutions like AI agents and customer experience automation, as well as ensuring the appropriate oversight and governance are in place. Identifying AI Implementations: CISOs and security teams, must determine who will be introducing AI throughout the software development lifecycle (SDLC), assess their security expertise, and evaluate the steps taken to minimize risks associated with AI deployment. 

In training programs, it is important to raise awareness among developers of the importance and potential of AI-assisted code as well as develop their skills to address these vulnerabilities. To identify vulnerable phases of the software development life cycle, the security team needs to analyze each phase of the SDLC and identify if any are vulnerable to unauthorized uses of AI. 

Fostering a Security-First Culture: By promoting a proactive protection mindset, organizations can reduce the need for reactive fixes by emphasizing the importance of securing their systems from the onset, thereby saving time and money. In addition to encouraging developers to prioritize safety and transparency over convenience, a robust security-first culture, backed by regular training, encourages a commitment to security. 

CISOs are responsible for identifying and managing risks associated with new tools and respecting decisions made based on thorough evaluations. This approach builds trust, ensures tools are properly vetted before deployment, and safeguards the company's reputation. Incentivizing Success: There is great value in having developers who contribute to bringing AI usage into compliance with their organizations. 

For this reason, these individuals should be promoted, challenged, and given measurable benchmarks to demonstrate their security skills and practices. As organizations reward these efforts, they create a culture in which AI deployment is considered a critical, marketable skill that can be acquired and maintained. If these strategies are implemented effectively, a CISO and development teams can collaborate to manage AI risks the right way, ensuring faster, safer, and more effective software production while avoiding the pitfalls caused by shadow AI. 

As an alternative to setting up sensitive alerts to make sure that confidential data isn't accidentally leaked, it is also possible to set up tools using artificial intelligence, for example, to help detect when a model of artificial intelligence incorrectly inputs or processes personal data, financial information, or other proprietary information. 

It is possible to identify and mitigate security breaches in real-time by providing real-time alerts in real-time, and by enabling management to reduce these breaches before they escalate into a full-blown security incident, adding a layer of security protection, in this way. 

When an API strategy is executed well, it is possible to give employees the freedom to use GenAI tools productively while safeguarding the company's data, ensuring that AI usage is aligned with internal policies, and protecting the company from fraud. To increase innovation and productivity, one must strike a balance between securing control and ensuring that security is not compromised.
Read more »
Web3
Bitcoin Bull Market Crypto GitHub Technology Trading Web3

Crypto Bull Market Targeted: The Lottie-Player Security Breach


In an alarming development for the tech community, especially for those immersed in the Web3 ecosystem, a supply chain attack has targeted the popular animation library, Lottie-Player. If users fall for this prompt, it could enable attackers to drain cryptocurrency wallets. 

Given Lottie-Player's impressive tally of over 4 million downloads and its significant presence on many prominent websites for animation embedding, this incident underscores the security vulnerabilities associated with open-source libraries.

Understanding the Attack

The breach initially came to light on GitHub when a user noticed an unusual Web3 wallet prompt while integrating Lottie-Player on their website. Upon closer examination, it was discovered that versions 2.0.5, 2.0.6, and 2.0.7 of Lottie-Player, released between 8:12 PM and 9:57 PM GMT on October 30, 2024, had been tampered with and compromised.

The attack involved the introduction of malicious code into three new versions of the Lottie-Player library, a widely used tool for rendering animations on websites and applications. Threat actors infiltrated the distribution chain, embedding code designed to steal cryptocurrencies from users' wallets. This method of attack is particularly insidious because it leverages the trust developers place in the libraries they use.

The Broader Implications

Once the compromised versions were released, they were integrated into numerous high-profile projects, unknowingly exposing countless users to the threat—the malicious code activated during transactions, redirecting funds to wallets controlled by the attackers. In one notable case, a user reportedly lost 10 Bitcoin (BTC), worth hundreds of thousands of dollars, due to a phishing transaction triggered by the malicious script.

Following the discovery of the attack, the Lottie-Player team swiftly released a clean version, 2.0.8, which developers can use to replace the compromised files. To further contain the breach and limit exposure, versions 2.0.5 through 2.0.7 were promptly removed from npm and CDN providers like unpkg and jsdelivr.

Moving Forward

The attack occurred during a pivotal phase of the crypto bull market, intensifying efforts to steal increasingly valuable tokens. To mitigate risks, it's advisable to connect a wallet only for specific purposes rather than granting full-time permissions for signing transactions. Additionally, being prompted to connect a wallet immediately upon entering a website can serve as a potential warning sign.

Read more »
Sophos report
BYOVD Attack Cyber Attacks EDR GitHub Malware Attack RansomHub Sophos Sophos report

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
Read more »
Ransomware
Data Breach DevSecOps GitHub GitLab Ransomware

DevSecOps Teams Face Regular Outages, Cyberattacks, and Data Breaches



The past year has seen a sharp rise in cyber attacks targeting popular DevOps platforms like GitHub, Bitbucket, GitLab, and Jira. These platforms, which are crucial for developers and IT operations teams, have faced growing threats that disrupt their services and put users at risk. The importance of securing the software development process at every stage cannot be emphasised enough. 

What is DevSecOps?

In response to the increasing complexity of cyber threats, many organisations are adopting a practice known as DevSecOps. This approach involves integrating security measures directly into the development process, rather than treating them as an afterthought. By doing so, security becomes a fundamental part of the software development lifecycle, ensuring that potential vulnerabilities are addressed early on. However, this shift also comes with challenges, as teams must be agile and proactive in adapting to new threats.

Cyber Incidents in 2023

In 2023, there was a noticeable increase in incidents that negatively affected the operation of DevOps services. GitHub, the largest of these platforms, experienced 13.94% of the reported incidents, while Bitbucket accounted for 8.33%, GitLab for 7.89%, and Jira for 4%. Most of these issues involved problems with key components that led to degraded performance and service disruptions.

One of the most alarming threats to GitHub in 2023 was the rise of a hacking method called "RepoJacking." This type of attack exposed millions of repositories to potential risks. Research indicated that as many as 9 million repositories on GitHub could be vulnerable to this kind of attack. Moreover, it was discovered that over 4,000 software packages were at risk, along with more than 15,000 Go module repositories.

Hackers also used GitHub as a platform to host malicious software. By taking advantage of GitHub's public services, attackers could create a cost-effective and reliable infrastructure for their activities, making it difficult for users to detect and respond to these threats. This method allowed hackers to retrieve malicious commands through seemingly legitimate interactions on GitHub, posing a significant risk to users' data.

Challenges Faced by Bitbucket, Jira, and GitLab

While Bitbucket saw a slight decrease in incidents in 2023, the difference was minimal, with only a 2.04% reduction compared to the previous year. Unfortunately, Jira experienced a 50% increase in incidents, with 75 recorded events, meaning users encountered an incident roughly every five days. Many of these issues were severe, involving vulnerabilities that could have serious consequences for users.

GitLab also faced challenges, with 32% of reported incidents impacting the platform's performance. This hindered users' ability to fully utilise the service. June and August were particularly problematic months for GitLab, with several events that disrupted services. In one instance, a sophisticated attack exploited a critical vulnerability (CVE-2021-22205), which could have led to ransomware attacks and data theft. GitLab's response highlighted the need for organisations to be prepared with robust security and disaster recovery plans.

The Importance of DevOps Security

One of the biggest challenges in DevOps security is ensuring that development and security teams work together effectively. Developers often focus on quickly pushing new software updates, while security teams prioritise finding and fixing vulnerabilities. Without a well-integrated security approach throughout the development process, organisations are at greater risk of cyberattacks, data breaches, and operational disruptions.

The increasing number of incidents affecting platforms like GitHub, GitLab, Bitbucket, and Jira serves as a wake-up call for organisations to strengthen their security practices. By embedding security into every stage of the development process and fostering collaboration among all teams, organisations can better protect their systems and data from cyber threats.

It’s crucial for organisations to prioritise security at every stage of software development. The challenges faced by major DevOps platforms in 2023 highlight the need for vigilance, collaboration, and proactive security measures to safeguard our digital infrastructure. By adopting a DevSecOps approach and integrating security from the start, organisations can better brace themselves.


 

Read more »
Vulnerabilities and Exploits
Account security Account Takeover BreachForums Dark Web Data Safety GitHub NPM Vulnerabilities and Exploits

Critical npm Account Takeover Vulnerability Sold on Dark Web

 

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users’ reluctance to update passwords and reusing them across different platforms increase the risk of credential stuffing and brute force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO attack risks, experts recommend adopting strong password management practices, including using unique, complex passwords for each account and enabling two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activities and promptly responding to suspicious login attempts are also crucial for maintaining account security. 

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.
Read more »
Vulnerabilities and Exploits
Bug Fixes CVE Reporting Developers GitHub Vulnerabilities and Exploits

Maintaining Sanity Amidst Unnecessary CVE Reports

Maintaining Sanity Amidst Unnecessary CVE Reports

Developers strive to maintain robust codebases, but occasionally, they encounter dubious or exaggerated reports that can disrupt their work. 

A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).

The Growing Nuisance of Dubious CVE Reports in Open Source Projects

The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.

Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.

Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.

This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.

The “ip” Project and the Dubious CVE

Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming. 

Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.

The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.

Indutny resorted to social media to express his reasons for archiving 'node-ip': 

“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”

The Challenge of Disputing a CVE

Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:

  • Severity Assessment: The initial severity assigned to the vulnerability was likely based on the worst-case scenario. However, Indutny argued that the real-world impact was minimal. Balancing severity with practical implications is a delicate task.
  • CVE Documentation: Properly documenting the dispute requires clear communication. Developers must provide detailed explanations, code samples, and any relevant context. This documentation is essential for CVE reviewers to reevaluate the issue.
  • Community Perception: Public perception matters. When a project receives a CVE, users may panic, assuming the worst. Even if the impact is minor, the mere existence of a CVE can create unnecessary anxiety.

GitHub’s Response and Recommendations

GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.

Read more »
TRANSLATEXT
Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat GitHub JavaScript malware TRANSLATEXT

Kimsuky Unleashes TRANSLATEXT Malware on South Korean Academic Institutions

 


An investigation has found that a North Korea-linked threat actor, known as Kimsuky, has been involved in the use of a malicious Google Chrome extension to steal sensitive information to collect information as part of an ongoing intelligence collection effort. Observing the activity in early March 2024, Zscaler ThreatLabz has codenamed the extension TRANSLATEXT, emphasizing its ability to gather email addresses, usernames, passwords, cookies, and screenshots as well as its ability to gather this information. 

This targeted campaign is said to have targeted South Korean academia, specifically those focused on North Korean politics. There is a notorious North Korean hacker group known as Kimsuky that has been active since 2012, perpetrating cyber espionage and financial-motivated attacks against South Korean businesses. Kimsuky is widely known as a notorious hacker crew. In the remote server's PowerShell script, general information about the victim is uploaded as well as creating a Windows shortcut that enables a user to retrieve another script from the remote server through a PowerShell script. TRANSLATEXT's exact delivery method remains unclear, which makes it even more difficult for defenders to protect themselves from it. 

Despite this, Kimsuky is well known for utilizing sophisticated spear-phishing and social engineering attacks to trick the target into initiating the infection process. Two files appear to be connected to Korean military history when the attack begins, a ZIP archive that appears to contain two files, a Hangul Word Processor document and an executable file. Once the executable file has been launched, it retrieves a PowerShell script from the attacker's server. In addition to exporting the victim's information to a GitHub repository, this script also downloads additional PowerShell code via a Windows shortcut (LNK) file and executes it. 

It is clear from this multi-stage attack process that Kimsuky is an extremely sophisticated and well-planned operation. By using a familiar and seemingly legitimate document, the attackers decrease the chances of the targets being suspicious. As well as displaying an innovative method of blending malicious activities into regular internet traffic, GitHub is also utilized in the initial data export process, resulting in a much harder time finding and blocking malicious actions for traditional security systems. There are a few groups that are also associated with the Lazarus cluster or part of the Reconnaissance General Bureau (RGB). 

For instance, APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima are groups that are affiliated with the Lazarus cluster. There have been several incidents in the last few weeks in which the group has weaponized a vulnerability in Microsoft Office (CVE-2017-11882), distributed a keylogger, and used job-themed lures in attacks aiming at the aerospace and defence industries to drop an espionage tool that gathers data and executes secondary payloads. "The backdoor is unknown to the public and the attacker can conduct basic reconnaissance, drop additional payloads, and then take over or remotely control the computer." 

CyberArmor said. Despite Kimsuky's recent involvement in cyber espionage, it has given this campaign the name Niki. It is no secret that Kimsuky is not a new player. Since at least 2012, the group has been active and has developed a reputation for orchestrating cyber-espionage and financial-motivated attacks primarily on South Korean institutions, which has earned them a reputation as a notorious group. It has been reported that the group has stolen classified information, and committed financial fraud, and ransomware attacks. Throughout history, they have been one of the most formidable cyber threat actors associated with North Korea due to their adaptability and persistence. 

There is no doubt that Kimsuky is capable of blending cyber espionage with financially motivated operations, indicating a versatile approach to achieving the North Korean regime's objectives, whether they are to gather intelligence or generate revenue to support it. As of right now, it is not clear what is the exact mechanism for accessing the newly discovered activity, although it is known that the group is known for utilizing spear-phishing and social engineering attacks to launch the infection cycle. 

It is believed that the attack began with the delivery of a ZIP archive with the intent of containing Korean military history at the time, which contains two files: a word processor document in Hangul and an executable at the time of the attack. As soon as the executable is launched, a PowerShell script is extracted from a server controlled by the attacker that downloads additional PowerShell code with the aid of a Windows shortcut file (LNK) and creates a GitHub repository where the compromised victim's information is periodically uploaded. 

After the GitHub repository has been created, the attacker deletes the LNK file in question. This is the statement posted by Zscaler, a security company that found a GitHub account, created on February 13, 2024, that briefly hosted the TRANSLATEXT extension under the name "GoogleTranslate.crx," regardless of how it is distributed at the moment. TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It's also designed to fetch commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser, among others.
Read more »
Subscribe to: Posts (Atom)