Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label MaaS. Show all posts
malware
Adobe Creative Cloud Service Cthulhu CyberCrime Cyberhackers Cybersecurity CyberThreat DMG MaaS macOS malware

Fake macOS Apps Infect Devices, Steal Sensitive Data in the Latest Malware Attack

 


The latest cyber-attack uncovered by security researchers is an information stealer that targets Apple macOS hosts and gathers a wide array of information to reach sensitive computer data. It underscores how threat actors are increasingly targeting the OS as a target. As of late 2023, malware dubbed Cthulhu Stealer was available as a malware-as-a-service (MaaS) product and was priced at $500 per month as part of a subscription-based price structure. 

As far as the architecture is concerned, it can support both x86_64 and Arm platforms. Several cybersecurity researchers have discovered a new form of macOS malware that can steal user's sensitive data in the most insidious ways. A malware called Cthulhu Stealer has been spotted that impersonates popular applications to infect users with Trojan malware that allows the malware to steal passwords for users' operating systems and the iCloud keychain, as well as cryptocurrency wallets. 

A $500/month service offering for bad actors has reportedly been available since late 2023, as part of the Cthulhu Stealer program. It is particularly effective because it can masquerade as legitimate software and thus make itself appear more appealing. A Cado Security researcher has pointed out that Cthulhu Stealer is an Apple disk image (DMG) that carries two binaries, depending on the architecture of the machine, according to Gould. 

Using Golang, the malware disguises itself as a legitimate piece of software and disguises itself as a malicious application. A few of the software programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP because the last of these is an open-source tool that can patch Adobe apps to bypass Creative Cloud service encryption and use the serial key to activate them without having to create a login account with a creator's account. 

A user who launches an unsigned file that has been explicitly allowed to be run – i.e., bypassing Gatekeeper protections – will be prompted to enter their system password when they launch it. In addition to Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer using this postscript-based approach, other software developers have adopted similar approaches. Afterwards, a second prompt will appear asking the user to enter their MetaMask password for the third time. 

This tool was also designed with the goal of harvesting system information and dumping iCloud Keychain passwords using an open-source tool called Chain Breaker which an anonymous developer developed. There are several ways the data theft takes place, including through the use of web browser cookies and information from Telegram accounts. This information is compressed and stored in a ZIP file, before being sent to a command-and-control server (C2).

It is believed that the main purpose of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from a wide range of shops and services, including game accounts, to steal information. The functionality and features of Cthulhu Stealer are very similar to that of Atomic Stealer, which implies that it was probably developed by the same person who modified Atomic Stealer. As users can see from the above paragraph, Atomic Stealer and Cthulhu both use Osascript as a password prompt. Even the spelling mistakes in the two games are identical. 

As a result, the threat actors responsible for the malware appear to have vanished, in part due to disagreements over payments, which has led to affiliates accusing the main developer of an exit scam, which has led to him being permanently banned from the cybercrime marketplace he used to advertise the malware in the first place. It is important to note that Cthulhu Stealer does not have very sophisticated anti-analysis techniques that would allow it to operate stealthily, which could be used to avoid detection. 

As well as this, it does not include any features that set it apart from similar underground offerings, apart from the fortress is one issue that affects this. Malware like Cthulhu Stealer, as well as other software threats like it, can cause far less damage when users take macOS' security features seriously, so they do not fall victim to them. 

MacOS is much less commonly targeted by malware threats than Windows or Linux, but users are advised to stay away from downloading software from sources they don't trust, stay away from installing apps that are not verified, and make sure their systems are updated with the latest security measures. 

There has been a surge in macOS malware recently and in response Apple announced this week that an update is coming to its next version of the operating system that will add more friction when trying to open software that is not signed correctly or notarized, which will help prevent future outbreaks of macOS malware.
Read more »
Mobile Security
Android Cyber Hacking Cyber Security MaaS Malware Attack Mobile Cyber Attacks Mobile Security

Unveiling the MaaS Campaign: Safeguarding Android Users in India

 

In the vast landscape of cybersecurity threats, a new campaign has emerged, targeting Android users in India. Dubbed as the "MaaS Campaign," this nefarious operation has caught the attention of security experts worldwide due to its sophisticated nature and potential for widespread damage. Let's delve into the intricacies of this campaign, understanding its modus operandi and the measures users can take to protect themselves. 

The MaaS Campaign, short for Malware-as-a-Service, represents a significant evolution in cybercrime tactics. Unlike traditional cyberattacks that require substantial technical expertise, the MaaS Campaign allows even novice hackers to deploy sophisticated malware with minimal effort. This democratization of cybercrime poses a severe threat to users, particularly in regions like India, where Android devices dominate the market. 

At the heart of the MaaS Campaign lies the exploitation of Android's vulnerabilities. Android, being an open-source platform, offers a fertile ground for cybercriminals to exploit security loopholes. Through various means, including malicious apps, phishing emails, and compromised websites, hackers lure unsuspecting users into downloading malware onto their devices. Once the malware infiltrates a device, it operates stealthily, often evading detection by traditional antivirus software. One of the primary objectives of the MaaS Campaign is to steal sensitive information, including personal data, financial credentials, and login credentials for various online accounts. 

This information is then used for a range of malicious activities, including identity theft, financial fraud, and espionage. What makes the MaaS Campaign particularly concerning is its targeted approach towards Android users in India. With India's burgeoning smartphone market and increasing reliance on digital services, the country has become a lucrative target for cybercriminals. 

Moreover, the diversity of Android devices and the prevalence of outdated software versions exacerbate the security risks, leaving millions of users vulnerable to exploitation. To mitigate the risks associated with the MaaS Campaign and similar cyber threats, users must adopt a proactive approach to cybersecurity. Firstly, maintaining vigilance while downloading apps or clicking on links is crucial. Users should only download apps from trusted sources such as the Google Play Store and avoid clicking on suspicious links or email attachments. 

Additionally, keeping software and operating systems up-to-date is paramount. Developers frequently release security patches to address known vulnerabilities, and failing to update exposes devices to exploitation. Users should enable automatic updates wherever possible and regularly check for updates manually. 

Furthermore, investing in robust cybersecurity solutions can provide an added layer of defense against malware and other cyber threats. Antivirus software, firewalls, and anti-malware tools can help detect and neutralize malicious activity, safeguarding users' devices and data. Education also plays a pivotal role in combating cyber threats. Users should familiarize themselves with common phishing tactics, malware warning signs, and best practices for online security. By staying informed and vigilant, users can avoid falling victim to cyberattacks and protect their digital identities. 

In conclusion, the MaaS Campaign represents a significant threat to Android users in India and underscores the importance of robust cybersecurity measures. By understanding the tactics employed by cybercriminals and adopting proactive security practices, users can minimize the risk of falling victim to such campaigns. Ultimately, safeguarding against cyber threats requires a collective effort involving users, cybersecurity professionals, and technology companies to create a safer digital environment for all.
Read more »
Privacy
Cyberattacks CyberCrime Cyberfraud iCloud MaaS Malwares Passwords Privacy

iCloud Keychain Data and Passwords are at Risk From MacStealer Malware

 


Uptycs, a cybersecurity company that discovered the information-stealing malware while searching for threats on the dark web, is warning that Mac computers have been the latest targets of updated info-stealing malware. 

The iCloud Keychain can easily access cryptocurrency wallets with the help of MacStealer. This is an innovative malware that steals your credentials from your web browsers, cryptocurrency wallets, and potentially sensitive files stored in your iCloud Keychain. 

The MacStealer malware is distributed as malware-as-a-service (MaaS), whereby the developer sells pre-built builds for $100, allowing customers to run their marketing campaigns and spread the malware to their victims. 

On the dark web, cybercriminals use Mac computers as a breeding ground to launch malware and conduct illegal activities. This makes the dark web a prime place to conduct illegal activities and launch malware. 

Upon discovering the newly discovered macOS malware, the Uptycs threat research team reported that it could run on multiple versions of Mac OS. This included the current Mac OS, Catalina (10.15), and the latest and greatest Apple OS, Ventura (13.2). 

Sellers claim that the malware is still in beta testing and that there are no panels or builders available. In China, Big Sur, Monterey, and Ventura provides rebuilt DMG payloads that infect macOS with malware. 

To charge a low $100 price for a piece of malware without a builder and panel, the threat actor uses this fact. Despite this, he will release more advanced features as soon as possible. 

A new threat named MacStealer is using Telegram as a command and control (C2) platform to exfiltrate data, with the latest example being called PharmBot. There is a problem that affects primarily computers running MacOS Catalina and later with CPUs built on the M1 or M2 architecture. 

According to Uptycs' Shilpesh Trivedi and Pratik Jeware in their latest report on the MacStealer exploit, the tool steals files and cookies from the victim's browser and login information. 

In its first advertising on online hacking forums at the beginning of the month, this project was advertised for $100, but it is still far from being finished. There is an idea among the malware authors of adding features to allow them to access notes in Apple's Notes app and Safari web browser. 

Functioning of Malware

MacStealer is distributed by the threat actors using an unsigned DMG file which is disguised as being something that can be executed on Mac OS if it is tricked into going into the system.

As a result, the victim is presented with a fake password prompt to run the command, which is made to look real. The compromised machine becomes vulnerable to malware that collects passwords from it. 

Once it has collected all the data described in the previous section, the malware then begins to spread. As soon as the stolen data is collected, it is stored in a ZIP file. It is then sent to a remote server for processing and analysis. Later on, the threat actor will be in a position to collect this information as well.

Additionally, MacStealer is also able to send some basic information to a pre-configured Telegram channel, which allows the operator to be notified immediately when updates to the stolen data have been made, which will enable him to download the ZIP file immediately as well.

What can You do to Protect Your Mac?

You can do a few things right now to ensure that you have the latest software update installed on your Mac computer, beginning with opening the Settings app and checking that it is the latest version. 

The first thing you should do is install it as soon as possible if it has not been installed already. You should make sure that all of your Apple devices are up-to-date before you begin using them since Apple is constantly improving its security. 

Your devices will be protected from malware if you use antivirus software, which protects you from potentially malicious links on the internet. By clicking the magnifying glass icon at the top of my webpage, you can find my expert review of the highest-rated antivirus protection for your Windows, Mac, Android, and iOS devices, which includes reviews of which ranked antivirus protection for Windows, Mac, Android, and iOS devices.  

Different forms of malware, such as email attachments, bogus software downloads, and other techniques of social engineering, are utilized to spread stealer malware. 

Keeping up-to-date the operating system and security software of the computer is one of the best ways to mitigate such threats. In addition, they should not download files from unknown sources or click on links they find on the internet. 

"It becomes more important for data stored on Macs to be protected from attackers as Macs become more popular among leadership teams as well as development and design teams within organizations", SentinelOne researcher Phil Stokes said in a statement last week.
Read more »
Russian Hackers
Cobalt Strike MaaS malware Phishing Attacks Ransomware Attacks. Russian Hackers

eSentire: Golden Chickens Malware's Attacker Uncovered

The Threat Response Unit (TRU) of eSentire has been monitoring one of the most effective and covert malware families, Golden Chickens, for the past 16 months. The malware of choice for FIN6 and Cobalt, two of the most established and prosperous online crime organizations in Russia, who have collectively stolen an estimated $1.5 billion US, is Golden Chickens. 

The creator of a comprehensive toolkit that includes SKID, VenomKit, and Taurus Loader is Golden Chickens, widely known as VENOM SPIDER. Since at least 2012, the adversary has participated actively in Russian underground forums under the alias 'badbullzvenom,' where they have developed tools for exploiting vulnerabilities as well as for getting and retaining access to victim machines and ticketing services.

The 'Chuck from Montreal' identity used by the second threat actor Frapstar allows the cybersecurity company to link together the criminal actor's online trail.

The malware-as-a-service (MaaS) provider Golden Chickens is associated with several tools, including the JavaScript downloader More Eggs and the malicious document creator Taurus Builder. Previous More eggs efforts, some of which date back to 2017, involved spear-phishing executives on LinkedIn with phony job offers that gave threat actors remote control over victim devices, allowing them to use them to gather data or spread more malware.

By using malware-filled resumes as an infection vector, the same strategies were used last year to target corporate recruiting supervisors. The first known instance of Frapster's activities dates back to May 2015, at which point Trend Micro referred to him as a 'lone criminal' and a luxury automobile fanatic.

According to eSentire, one of the two threat actors believed to be behind the badbullzvenom account on the underground forum Exploit.in maybe Chuck, with the other person probably residing in Moldova or Romania. Recruiters are being duped into downloading a malicious Windows shortcut file from a website that poses as a résumé in a new assault campaign that targets e-commerce businesses, according to a Canadian cybersecurity company.

By highlighting Golden Chickens' multi-layer architecture and the MaaS's multi-client business model, researchers stress the challenges of performing accurate attribution for cyberattacks.


Read more »
Typo Squatting
Advertisements Crytocurrency Fraud Dark Web Google Google Ads Hacking MaaS malware OBS Platform Rhadamanthys malware Typo Squatting

Rhadamanthys: Malware Hidden in Google Ads


Threat actors are establishing fraudulent websites for popular free and open-source software in order to promote malicious downloads via advertisements present in the Google search result. 

The info-stealing malware Rhadamanthys uses Google advertisements as a means of luring people into downloading malicious software. The malware steals information including email addresses and passwords in addition to focusing on cryptocurrency wallet credentials. 

Rhadamanthys is sold to criminals as malware-as-a-service (MaaS), and its utility has multiplied as infostealers become a popular tactic to attack targets. 

As of yet, at least one prominent user on the cryptocurrency scene has fallen prey following the malware campaign. According to the victims, the hackers had stolen all their digital crypto assets, along with having access to their professional and personal accounts. 

What is Rhadamanthys? 

According to threat researcher Germán Fernández, Rhadamanthys, named after the demigod child of Zeus and Europa in Greek mythology, has been dominating Google advertising for the widely used OBS (Open Broadcasting Tool) platform, a free video recording, and streaming service. 

Since November 2022, Rhadamanthys’ popularity has been growing rapidly. It has now advanced to a point where, if an online user searches for an OBS, they will eventually encounter five malicious ads at the apex of their Google searches, before seeing legitimate results below. 

A user may download malware, alongside legitimate software after he clicks on these advertisement links. 

In one such instance, 'Alex', a crypto influencer, better known by his online persona NFT God, was hacked following the download of a fraudulent executable for the OBS video recording and streaming program, through Google’s search results. His life was permanently altered when he mistakenly clicked on the fraudulently sponsored advertisement rather than the genuine one. 

“Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing amount of my net worth,” he tweeted. 

How does Rhadamanthys work? 

According to a report by the security firm Cyble, Rhadamanthys is offered for sale on the dark web and is distributed via spam emails along with Google advertisements. 

Rhadamanthys will start by obtaining relevant device data after a successful intrusion. The data often includes the device's name, model, operating system, OS architecture, hardware details, installed software, IP addresses, and user credentials 

“The Rhadamanthys program is capable of executing certain PowerShell commands[...]It also targets document files, the theft of which (depending on the sensitivity of their data) can cause severe issues for victims,” reads a blog post by cybersecurity firm PCrisk. 

In addition to this, the MaaS targets cryptocurrency wallet credentials by attempting to extract crytowallets’ passwords in order to acquire control of them and their funds. 

“In summary, the presence of stealer-type malware like Rhadamanthys on devices can result in serious privacy issues, significant financial losses, and even identity theft,” PCrisk concluded. 

How Can You Protect Yourself? 

In order to delay the victim’s response, users are advised to evade the malware activity by checking the URL, since the malicious links may seem identical to the official OBS site. The fraudulent URL may contain subtle spelling mistakes, a malicious tactic used to create fake URLs, called Typosquatting.   

Read more »
Subscribe to: Posts (Atom)