Bing Ad Posing as NordVPN Aims to Propagate SecTopRAT Malware

A Bing advertisement that appeared to be a link to install NordVPN instead led to an installer for the remote access malware SecTopRAT. 

Malwarebytes Labs identified the malvertising campaign on Thursday; the domain used in the malicious ad had been registered only a day earlier. The URL (nordivpn[.]xyz) was intended to resemble an authentic NordVPN domain. The ad led to a website on another typosquatted domain (besthord-vpn[.]com) that hosted a copy of the real NordVPN website.

The download button on the fake website directed to a Dropbox folder containing the installer NordVPNSetup.exe. This executable comprised both an authentic NordVPN installation and a malware payload that was injected into MSBuild.exe and connected to the attacker's command-and-control (C2) server.

The threat actor attempted to digitally sign the malicious programme, but the signature proved to be invalid. Jérôme Segura, Principal Threat Researcher at Malwarebytes ThreatDown Labs, nevertheless told SC Media on Friday that he found the software carried a valid code signing certificate.

Segura said some security products may block the executable due to its invalid signature, but, “Perhaps the better evasion technique is the dynamic process injection where the malicious code is injected into a legitimate Windows application.” 

“Finally, we should note that the file contains an installer for NordVPN which could very well thwart detection of the whole executable,” Segura added. 

The malicious payload, SecTopRAT, also known as ArechClient, is a remote access trojan (RAT) identified by MalwareHunterTeam in November 2019 and then analysed by GDATA experts. The researchers discovered that the RAT produces an "invisible" second desktop, allowing the attacker to manage browser sessions on the victim's PC. 

SecTopRAT can also provide system information, such as the system name, username, and hardware, to the attacker's C2 server. 

Malwarebytes reported the malware campaign to both Microsoft, which controls Bing, and Dropbox. Dropbox has since deactivated the account that contained the malware, and Segura said his team had yet to hear anything from Microsoft as of Friday. 

“We did notice that the threat actors updated their infrastructure last night, perhaps in reaction to our report. They are now redirecting victims to a new domain thenordvpn[.]info which may indicate that the malvertising campaign is still active, perhaps under another advertiser identity,” Segura concluded. 

Other malvertising efforts promoting SecTopRAT have been discovered in the past. In 2021, Ars Technica reported on a campaign that used Google advertisements to promote the Brave browser.

Last October, threat actors employed malvertising, search engine optimisation (SEO) poisoning, and website compromises to trick users into installing a fake MSIX Windows application package containing the GHOSTPULSE malware loader. Once deployed, GHOSTPULSE uses process doppelgänging to execute several malware strains, including SecTopRAT.

How to Shield Yourself From Malicious Websites

If you have ever clicked a link someone sent you, say in an email or a direct message, and landed on a website that looked decidedly suspect, you know the uneasy feeling of wondering whether you have just infected your phone or computer. Hackers are becoming ever more creative at luring you to dangerous websites disguised as benign ones.

Furthermore, the practice has spread so widely that it isn't restricted to a small number of sites or site types. It is no longer sufficient to simply be told that a particular site is off-limits. Therefore, when viewing a website, it's critical to approach it with the mindset of a tech expert and to do some research before you decide to keep browsing.

In this post, we'll look at some easy measures you can take to check the website you land on to see if it's safe and secure and see if there's any chance of data loss or malware installation.

Beware of unclear characters and misspelled URLs

To lure visitors to their malicious websites, fraudsters frequently rely on homoglyph (also known as homograph) attacks and on misspelled or otherwise misleading URLs. Although it might sound like you're about to be whacked over the head with a dictionary, a homoglyph attack simply means that threat actors register domains whose names closely resemble legitimate ones but contain visually confusable letters or an easily overlooked addition.
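As an added illustration (not code from the original post), the following Python checks whether a domain's registrable label imitates a known brand: it collapses visually confusable characters into the Latin letters they resemble, then looks for a near-match inside the label so that additions such as "the" or "best" do not hide the brand. The brand allowlist, the small confusable table and the one-edit threshold are assumptions chosen for the example; the lookalike domains it catches are the ones named in the SecTopRAT post above.

```python
import unicodedata
from typing import Optional

# Constructed allowlist of brands to protect and a small confusable table (digits and
# Cyrillic letters that imitate Latin ones); a real deployment would use a fuller table.
BRANDS = ("nordvpn", "facebook")
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"})

def skeleton(label: str) -> str:
    """Reduce a DNS label to the ASCII letters a reader would perceive."""
    shown = label.encode("ascii").decode("idna") if label.startswith("xn--") else label
    base = "".join(ch for ch in unicodedata.normalize("NFKD", shown)
                   if not unicodedata.combining(ch))   # drop accents after decomposition (é -> e)
    return (base.lower().translate(CONFUSABLES)
            .replace("rn", "m").replace("vv", "w").replace("-", ""))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as nordivpn."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, brands=BRANDS) -> Optional[str]:
    """Return the brand the domain's registrable label imitates, or None."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]   # e.g. 'besthord-vpn' from besthord-vpn.com
    sk = skeleton(label)
    for brand in brands:
        if label == brand:
            continue                       # the genuine label itself
        if sk == brand:
            return brand                   # same look, different bytes: homoglyph attack
        # Slide windows of roughly the brand's length over the skeleton so that prefixes
        # or suffixes such as 'the' or 'best' do not hide a near-match.
        windows = [sk] + [sk[i:i + n] for n in (len(brand) - 1, len(brand), len(brand) + 1)
                          for i in range(max(0, len(sk) - n + 1))]
        if min(edit_distance(w, brand) for w in windows) <= 1:
            return brand
    return None
```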

Scan a suspicious website

There are several online tools you can use to determine whether a website is harmful if you have a bad feeling about it or, even better, before you visit it at all.

One such service is Google's Safe Browsing site status tool, which allows you to paste the URL of a website and receive information on its security. VirusTotal's URL checker is a comparable tool: it analyses a website's address, checks it against a number of top-tier antivirus engines, and then gives you a verdict on whether the URL might be malicious. The SANS instructor Lenny Zeltser has compiled a list of tools that may be useful even if the scan comes back "clean."

You can also run a "whois" lookup to learn who owns the domain you're visiting. A whois record lists details about the domain, including who owns it, when and where it was registered, and how to contact the owner. To run a whois query, enter the website's address into a whois lookup service.

One detail to watch for is whether the domain is newly registered, which can be a sign that it is malicious. For instance, Facebook will not be a domain that was first registered in February 2021. If you click "display more data" and the record is incomplete or full of errors, that is another indication that the domain may be malicious, although in some cases it is simply the result of someone being careless when entering the registration information.
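The two whois indicators just described, registration age and incomplete registrant data, can be checked mechanically. The Python below is an added example, not part of the original post: it parses a constructed whois record (the domain, dates and registrar are made up), measures the domain's age against a constructed "today", and lists missing registrant fields as an indicator rather than a verdict, since the post notes that gaps can also be careless data entry.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS output for an imaginary lookalike domain. The "Key: Value" layout
# mirrors typical registrar output, but every value below is made up for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOOKALIKE.XYZ
Registrar: Example Registrar LLC
Creation Date: 2024-03-13T09:41:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Country:
Name Server: NS1.EXAMPLE-DNS.NET
"""
AS_OF = datetime(2024, 3, 14, 12, 0, tzinfo=timezone.utc)   # constructed "today"
EXPECTED_FIELDS = ("Registrar", "Registrant Name", "Registrant Organization", "Registrant Country")

def parse_whois(text: str) -> dict:
    """Collect 'Key: Value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$", line)
        if m and m.group(1).strip() not in record:
            record[m.group(1).strip()] = m.group(2).strip()
    return record

def parse_date(value: str):
    """Accept the ISO-8601 forms registrars commonly emit; treat naive stamps as UTC."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess_whois(text: str, now: datetime = AS_OF, min_age_days: int = 30) -> dict:
    """Flag a very young registration and gaps in the registrant data."""
    record = parse_whois(text)
    findings = []
    created = parse_date(record.get("Creation Date", ""))
    age_days = (now - created).days if created else None
    if age_days is None:
        findings.append("no parseable creation date")
    elif age_days < min_age_days:
        findings.append(f"registered only {age_days} day(s) ago")
    missing = [f for f in EXPECTED_FIELDS if not record.get(f)]
    if missing:   # may be careless data entry rather than fraud: an indicator, not a verdict
        findings.append("incomplete registration data: " + ", ".join(missing))
    return {"domain": record.get("Domain Name", "").lower(),
            "age_days": age_days, "findings": findings}
```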

Check for a privacy statement 

If you're browsing a website and unsure if it's trustworthy or not, one thing to check is whether there is a privacy policy. As they are required by data protection legislation to describe how the website handles and protects user data, every reputable website needs to have one. 

Companies that violate data protection laws, particularly the General Data Protection Regulation (GDPR) of the European Union, may suffer substantial repercussions for privacy and security failings. Thus, if a website doesn't have a privacy policy or has one that seems deficient, that should be a pretty good indication that something is amiss and that the website doesn't care about the severe data protection rules that are enforced globally. 

Get contact details

Any trustworthy business that values establishing long-lasting relationships with its clients will have contact information readily available on its website. Typically, it includes a phone number, email address, physical mailing address, or contact form. While attempting to determine whether you're dealing with a genuine or reputable organisation, there are a number of warning indicators that you should be on the watch for. 

For instance, you will most likely be dealing with a scam if you attempt to call the provided phone number and it is disconnected or the person who answers the phone doesn't sound professional. If it passes that evaluation, then confirm by conducting a fast Google search for the business's official contact information and giving that number a call just to be safe. 

Now that you know what you should do to stay secure, you might feel like it's a tall order. In fact, there are other factors you should pay attention to as well, such as whether a website has strange advertising that keeps appearing everywhere or whether it is rife with typos and poor grammar, which may suggest that you have found a shady website. 

To summarise, you should check the website's security certificate, watch for misspellings in the URL, and preferably manually type the address if possible or only click on reliable links.

BATLOADER and Atera Agent are Being Distributed Through an SEO Poisoning Campaign

A new SEO poisoning campaign is underway, with the purpose of infecting targeted systems with the BATLOADER and Atera Agent malware. It appears to be aimed at professionals looking to download productivity applications such as TeamViewer, Zoom, or Visual Studio. SEO poisoning is a tactic in which attackers build malicious websites loaded with keywords that users typically look up in search engines, then use various SEO (Search Engine Optimization) techniques to make those sites appear prominently in search results.

According to a report by Mandiant researchers, in this malicious SEO campaign, threat actors attack legitimate websites in order to plant compromised files or URLs. Users are thus routed to websites that host malware posing as well-known applications. 

“The threat actor used “free productivity apps installation” or “free software development tools installation” themes as SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped and executed during the software installation process.” said the researchers. 

“This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack chain. And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection,” they added. 

A file called "AppResolver.dll" was identified as a significant sample in the attack chain. The DLL is a legitimate internal component of Microsoft's Windows operating system, but malicious VBScript was inserted in such a way that the code signature stays valid. When run on its own, the DLL does not execute the VBScript; when run with Mshta.exe, Mshta.exe locates and executes the VBScript without error.

The technique is similar to CVE-2020-1599, in that the PE Authenticode signature remains valid after HTA-compatible script is appended to a PE file signed by any software developer. Such PE+HTA polyglots (.hta files) can be run by Mshta.exe to circumvent security solutions that rely on Microsoft Windows code signing to decide whether files are trusted.

In this case, researchers found that arbitrary script data had been appended to the signature section of a legitimately signed Windows PE file, after the end of the ASN.1 structure. As long as the file extension is not '.hta', the resulting polyglot retains a valid signature. If the polyglot is executed with Mshta.exe, the script runs successfully, because Mshta.exe skips the PE's bytes, locates the script at the end, and executes it.
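The polyglot described above can be spotted structurally: the Authenticode hash excludes the attribute certificate table, so bytes appended inside that table after the PKCS#7 blob never break the signature, but they show up as a mismatch between the table's declared length and the DER structure's own length. The Python below is an added example, not Mandiant's or the post's code; it reads the security data directory of a constructed minimal PE32+ skeleton (a stand-in for a real signed binary, with a fake 20-byte DER blob and an inert script trailer) and reports any non-padding bytes trailing the DER.

```python
import struct

# Markers that suggest appended HTA/VBScript content (constructed list for the example).
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"vbscript")

def der_total_length(blob: bytes) -> int:
    """Size of the outermost ASN.1 SEQUENCE (tag + length field + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def authenticode_trailer(pe: bytes) -> dict:
    """Report bytes in the (first) WIN_CERTIFICATE entry that lie beyond the PKCS#7 blob."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20                # skip 'PE\0\0' and the COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)        # data directories for PE32+ / PE32
    cert_off, _ = struct.unpack_from("<II", pe, dd + 4 * 8)   # entry 4 = SECURITY (file offset)
    if cert_off == 0:
        return {"signed": False}
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]
    blob = pe[cert_off + 8: cert_off + dw_length]    # skip dwLength, wRevision, wCertificateType
    der_len = der_total_length(blob)
    trailing = blob[der_len:]
    # Up to 7 zero bytes of 8-byte alignment padding are normal; anything else was appended.
    return {"signed": True, "der_len": der_len, "trailing_len": len(trailing),
            "suspicious": len(trailing) > 7 or any(trailing),
            "script_marker": any(m in trailing.lower() for m in SCRIPT_MARKERS)}

def build_sample_pe(der: bytes, appended: bytes = b"") -> bytes:
    """Constructed minimal PE32+ skeleton with one WIN_CERTIFICATE (not a runnable binary)."""
    cert_off = 0x200
    blob = der + appended
    blob += b"\0" * (-len(blob) % 8)       # pad to 8 bytes as real files do
    win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    opt = struct.pack("<H", 0x20B).ljust(144, b"\0") + struct.pack("<II", cert_off, len(win_cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0)
    headers = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    return headers.ljust(cert_off, b"\0") + win_cert

# Constructed stand-ins: a fake 20-byte "PKCS#7" SEQUENCE and an inert script trailer.
SAMPLE_DER = b"\x30\x82\x00\x10" + b"\xAA" * 16
APPENDED = b"<script language=\"VBScript\">' inert constructed marker</script>"
```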

Omicron Test Scam : A Free Test Is Available

According to police sources, cybercriminals are sending emails containing malicious links and files. When individuals click such a link or download a file, their device, whether a phone or a computer, is compromised and hackers gain access to sensitive data. The government has advised citizens to examine the domain name and URL of websites to confirm their validity, and to report any such incidents to the cybercrime.gov.in portal.

The Ministry of Home Affairs (MHA) has issued a warning that cybercriminals are offering potential victims free tests that supposedly detect the Omicron variant. The MHA's cyber and information security branch has issued the following advisory: "Due to the shift in focus to the health crisis, cybercriminals are taking advantage of the weakening of cyber defenses. Cybercriminals are always devising new methods of defrauding citizens. As time goes on, Omicron-themed cybercrime is becoming more prevalent. Cybercriminals are using a variety of strategies to commit cybercrime in order to take advantage of the continuously changing scenario and scam innocent victims."

Hackers in the United Kingdom have already begun exploiting the variant by sending phishing emails that offer free COVID-19 tests claimed to detect it; in reality, the aim is to trick unwary users into divulging their personal data. According to a consumer watchdog group, the scam emails appear to come from the UK's National Health Service. The subject line of one email reads "Get Your Free Omicron PCR Test - Apply Now to Avoid Restrictions", and the body continues, "People who do not consent to a COVID-19 test and refuse to have a swab must be segregated," in an attempt to frighten the recipient into complying.

Users who fall for the ruse will be directed to a fake NHS website, which will ask for their full name, date of birth, address, phone number, and email address – all of which can be used to commit identity theft. The phishing emails are embellished with official-looking NHS logos by hackers. The scam emails were also received from the address "contact-nhs[AT]nhscontact.com."

This WordPress Plugin Flaw Impacts 1M Sites & Allows Malicious Redirects

A high-severity issue in the OptinMonster plugin permits unauthorised API access and sensitive information disclosure on roughly a million WordPress sites.

The flaw, identified as CVE-2021-39341, was found by researcher Chloe Chamberland on September 28, 2021, and a fix was made available on October 7, 2021. All OptinMonster plugin users are recommended to upgrade to version 2.6.5 or later, as all previous versions are impacted. 

OptinMonster is a popular WordPress plugin for creating stunning opt-in forms that assist site owners in converting visitors to subscribers/customers. It is primarily a lead generation and monetization tool, and it is used on roughly a million websites because of its ease of use and variety of features.

According to Chamberland's vulnerability disclosure report, OptinMonster's power rests on API endpoints that provide easy integration and a streamlined design process. However, these endpoints are not always implemented safely, the '/wp-json/omapp/v1/support' endpoint being the most critical example.

This endpoint can provide information such as the site's entire route on the server, API keys used for site requests, and more. An attacker with access to the API key could make modifications to the OptinMonster accounts or even inject malicious JavaScript snippets into the site. Without anyone's knowledge, the site would run this code every time a visitor activated an OptinMonster element.

To make matters worse, the intruder would not even need to authenticate to the targeted site in order to use the API endpoint, since an HTTP request would bypass the security checks under certain simple conditions. While the '/wp-json/omapp/v1/support' endpoint is the worst case, it is not the only insecure REST API endpoint that could be exploited.

When the researcher's findings reached the OptinMonster team, the popular WordPress plugin's developers understood that the entire API needed to be revisited. As a result, all OptinMonster upgrades that appear on the WordPress dashboard in the next weeks must be installed, as they will most likely resolve further API issues. 

Meanwhile, any API keys that may have been stolen were immediately invalidated, requiring site owners to generate new keys. This case demonstrates how widely deployed and popular WordPress plugins can harbour several undetected flaws over extended periods.