Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malware Campaign. Show all posts
Windows
Amaday Bot Lumma Stealer malware Malware Campaign Manufacturing Windows

New Malware Campaign Attacks Manufacturing Industry


Lumma Stealer and Amaday Bot Resurface

In a recent multi-stage cyberattack, Cyble Research and Intelligence (CRIL) found an attack campaign hitting the manufacturing industry. The campaign depends upon process injection techniques aimed at delivering malicious payloads like Amaday Bot and Lumma Stealer.

Using a chain of evasive actions, the threat actor (TA) exploits diverse Windows tools and processes to escape standard security checks, which leads to persistent system control and potential data theft. 

About the campaign

CRIL found an advanced multi-level attack campaign that starts with a spear-phishing mail. The email has a link that directs to an LNK file, hidden as a PDF file. When the fake PDF is clicked, it launches a series of commands. The LNK file is hosted on a WebDAV server, making it challenging for security software to trace.

“For instance, one of the malicious links observed in the campaign was hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop. The attack’s effectiveness stems from its ability to exploit the name of a legitimate cloud-based document management system (LogicalDOC), commonly used in manufacturing and engineering industries, to convince targets into opening the file,” reports the Cyber Express.

How the campaign works

After executing the LNK file, it opens ssh.exe, a genuine system utility that can escape security software checks. Via ssh.exe, a PowerShell command is activated to retrieve an extra payload via a remote server from mshta.exe. 

Threat actors use this process to avoid detection via Google’s Accelerated Mobile Pages (AMP) framework merged with a compressed URL. The retrieved payload is a malicious script containing extra hacked commands that gradually deliver the last malicious payload to the target system.

Once the LNK file is executed, it launches ssh.exe, a legitimate system utility that can bypass security software’s detection. Through ssh.exe, a PowerShell command is triggered, which fetches an additional payload from a remote server using mshta.exe. This process is designed to evade detection by using Google’s Accelerated Mobile Pages (AMP) framework combined with a shortened URL. 

The payload fetched is a script that contains additional obfuscated commands that eventually deliver the final malicious payload to the victim’s system. 

CYBLE blog says, “The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems. Yara and Sigma rules to detect this campaign, are available for download from the linked GitHub repository.”    

Read more »
Spear Phishing
Business Security Consumer Data Cyber Attacks Infostealer Infostealer Malware Malvertising Malware Campaign Spear Phishing

Marko Polo Infostealer Campaigns Target Thousands Across Platforms

 

The cybercriminal group “Marko Polo” is behind a major malware operation, running 30 infostealer campaigns targeting a wide array of victims. Using techniques such as spear-phishing, malvertising, and brand impersonation, the group spreads over 50 malware payloads, including AMOS, Stealc, and Rhadamanthys, across different sectors like gaming, cryptocurrency, and software. 

According to Recorded Future’s Insikt Group, Marko Polo’s campaigns have compromised thousands of devices globally, posing a significant threat to consumer privacy and business security, with potential financial losses in the millions. The group primarily uses spear-phishing tactics via direct messages on social media, targeting high-value individuals like cryptocurrency influencers, gamers, and software developers. 

They impersonate popular brands such as Fortnite, Zoom, and RuneScape, creating fake job offers and project collaborations to deceive victims into downloading malware. In addition to these impersonations, Marko Polo even fabricates its own brand names like VDeck, Wasper, and SpectraRoom to lure unsuspecting users. The Marko Polo operation is highly versatile, capable of infecting both Windows and macOS platforms. On Windows, they use a tool called “HijackLoader” to deliver malware like Stealc, designed to extract data from browsers, and Rhadamanthys, which targets a wide array of applications and data types. 

Rhadamanthys has also added advanced features, such as a cryptocurrency clipper to redirect payments to the attackers’ wallets, and the ability to evade Windows Defender. When it comes to macOS, the group deploys Atomic (AMOS), an infostealer launched in 2023, which they rent out to cybercriminals for $1,000 per month. AMOS is highly effective at extracting sensitive data stored on macOS systems, such as Apple Keychain passwords, MetaMask seeds, WiFi credentials, credit card details, and other encrypted information. 

The Marko Polo campaign’s widespread nature highlights the dangers of information-stealing malware, and users need to be vigilant against unsolicited links and downloads from unknown sources. One of the most effective ways to protect against such malware is to download software exclusively from official websites and ensure your antivirus software is up-to-date. This ensures the detection of malicious payloads before they can compromise your system. 

Information-stealing malware campaigns are becoming increasingly common, with Marko Polo’s operation serving as a stark reminder of the sophisticated tactics cybercriminals employ today. These stolen credentials often enable hackers to breach corporate networks, engage in data theft, and disrupt business operations. Therefore, cybersecurity awareness and strong preventive measures are crucial for protecting against such malicious activities.
Read more »
Malware Campaign
Google Google Products Malvertising malware Malware Campaign

The Rise of Malvertising: How Scammers Target Google Products with Malicious Search Ads

The Rise of Malvertising: How Scammers Target Google Products with Malicious Search Ads

Cybersecurity keeps evolving, and so do threats. One such threat is malvertising, it exploits the tools made for enhancing our digital threats. A recent campaign has surfaced, targeting Google products through malicious search ads, displaying the persistence and sophistication of threat attackers. The blog dives into the details of this campaign, its impact, and the steps users can take to protect themselves.

Malvertising, which comes from malicious + advertising involves the use of online advertisements to spread malware. Cybercriminals purchase ad space on legitimate websites, embedding malicious code within the ads. When users click these ads, they are redirected to malicious websites or have malware silently installed on their devices.

The Campaign Against Google Products

The recent campaign showcases the ingenuity of cybercriminals. By targeting dozens of Google products through malicious search ads, scammers managed to deceive users into visiting a fake Google homepage. This fake page, created using Looker Studio, was designed to lock up the browsers of both Windows and Mac users, effectively trapping them in a malicious environment.

The attackers utilized stolen or free accounts and leveraged Google's APIs to generate rotating malicious URLs. This tactic made it difficult for security systems to detect and block malicious ads and ensured a steady stream of potential victims.

The Mechanics of the Attack

1. Ad Placement: Cybercriminals purchased ad space on legitimate platforms, ensuring their malicious ads appeared in search results for popular Google products.

2. Redirection: When users clicked on these ads, they were redirected to a fake Google homepage. This page was meticulously crafted to resemble the genuine Google site, adding a layer of credibility to the scam.

3. Browser Lock: The fake homepage employed scripts to lock the user's browser, preventing them from navigating away or closing the tab. This tactic often creates a sense of urgency and panic, compelling users to follow the attackers' instructions.

4. Rotating URLs: By using Google's APIs, the attackers generated rotating URLs, making it challenging for security systems to blacklist the malicious sites. This ensured the longevity and effectiveness of the campaign.

What it means for Users

The impact of such a campaign is far-reaching. Users who fall victim to these scams can experience a range of consequences, from minor annoyances to significant security breaches. The immediate impact includes browser hijacking, which can disrupt productivity and cause frustration. However, the long-term consequences can be more severe, including the installation of malware, theft of personal information, and financial loss.

How to stay safe

  • Ad blockers can prevent malicious ads from appearing in your search results and on websites you visit. While not foolproof, they add an extra layer of security.
  • Before clicking on any ad, hover over the link to see the URL. Ensure it matches the official website of the product or service you are interested in.
  • Regularly update your browser, operating system, and security software. Updates often include patches for vulnerabilities that cybercriminals exploit.
  • Utilize built-in security features in your browser and operating system. Features like pop-up blockers and safe browsing modes can help mitigate the risk of malvertising.
  • Stay informed about the latest cybersecurity threats and trends. Awareness is a powerful tool in preventing cyberattacks.

Read more »
RATs
CloudFlare Cyber Attacks LNKs Malware Attack Malware Campaign Malware Trojan RATs

Abuse of Cloudflare Tunnel Service for Malware Campaigns Delivering RATs

 

Researchers have raised alarms over cybercriminals increasingly exploiting the Cloudflare Tunnel service in malware campaigns that predominantly distribute remote access trojans (RATs). This malicious activity, first detected in February, utilizes the TryCloudflare free service to disseminate multiple RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm. Cloudflare Tunnel service allows users to proxy traffic through an encrypted tunnel to access local services and servers over the internet without exposing IP addresses. 

This service is designed to offer added security and convenience by eliminating the need to open public inbound ports or set up VPN connections. With TryCloudflare, users can create temporary tunnels to local servers and test the service without requiring a Cloudflare account. However, threat actors have abused this feature to gain remote access to compromised systems while evading detection. A recent report from cybersecurity company Proofpoint observed that malware campaigns are targeting organizations in the law, finance, manufacturing, and technology sectors with malicious .LNK files hosted on the legitimate TryCloudflare domain. The attackers lure targets with tax-themed emails containing URLs or attachments leading to the LNK payload. 

Once launched, the payload runs BAT or CMD scripts that deploy PowerShell, culminating in the download of Python installers for the final payload. Proofpoint reported that an email distribution wave starting on July 11 sent out over 1,500 malicious messages, a significant increase from an earlier wave on May 28, which contained fewer than 50 messages. Hosting LNK files on Cloudflare offers several advantages to cybercriminals, including making the traffic appear legitimate due to Cloudflare’s reputation. 

Additionally, the TryCloudflare Tunnel feature provides anonymity, and the temporary nature of the subdomains makes it challenging for defenders to block them effectively. The use of Cloudflare’s service is not only free and reliable but also allows cybercriminals to avoid the costs associated with setting up their own infrastructure. 

By employing automation to evade blocks from Cloudflare, these criminals can use the tunnels for large-scale operations. A Cloudflare representative stated that the company immediately disables and takes down malicious tunnels as they are discovered or reported by third parties. Cloudflare has also implemented machine learning detections to better contain malicious activity and encourages security vendors to submit suspicious URLs for prompt action. 

In light of this increasing threat, it is crucial for organizations to remain vigilant and enhance their cybersecurity measures to defend against these sophisticated malware campaigns.
Read more »
suspension
combat malware Malware Campaign new user registration PyPI suspension

PyPI Halts New User Registrations to Combat Malware Campaign

 

The Python Package Index (PyPI) has implemented a temporary halt on user registrations and the creation of new projects due to an ongoing malware scheme. PyPI serves as a central hub for Python projects, aiding developers in discovering and installing Python packages.

With a vast array of packages available, PyPI becomes an attractive target for malicious actors who often upload counterfeit or fraudulent packages, posing risks to software developers and potentially initiating supply-chain attacks. Consequently, PyPI administrators recently announced the suspension of new user registrations to address this malicious activity.

According to a report by Checkmarx, cyber threat actors began uploading 365 packages to PyPI, masquerading as legitimate projects. These packages contain malicious code within their 'setup.py' files, which triggers upon installation, attempting to retrieve additional harmful payloads from remote servers.

To avoid detection, the malicious code encrypts using the Fernet module, with the remote server's URL dynamically generated as required. The ultimate payload includes an information-stealing mechanism with persistent capabilities, targeting data stored in web browsers such as login credentials, cookies, and cryptocurrency extensions.

Checkmarx has published a comprehensive list of identified malicious entries, featuring numerous typosquatting variants of genuine packages. However, Check Point researchers reveal that the list of malicious packages exceeds 500 and was deployed in two phases. Each package originated from unique maintainer accounts with distinct names and email addresses.

The researchers note that each maintainer account uploaded only one package, suggesting the use of automation in orchestrating the attack. All entries shared the same version number, contained identical malicious code, and displayed randomly generated names.

This incident underscores the critical importance for software developers and package maintainers to rigorously verify the authenticity and security of components sourced from open-source repositories. Notably, this is not the first time PyPI has taken aggressive measures to protect its community from malicious submissions. Similar actions were taken on May 20 last year.
Read more »
Windows SmartScreen
Bypass Flaw Cybersecurity DarkGate RAT Exploited malware Malware Campaign Threat actors Windows SmartScreen

Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT

 


The operators behind the DarkGate malware have been taking advantage of a recently patched flaw in Windows SmartScreen through a phishing scheme. This campaign involves circulating counterfeit Microsoft software installers to spread the malicious code.

Researchers from Trend Micro, along with others, uncovered a vulnerability earlier this year, known as CVE-2024-21412, which allowed attackers to bypass security measures in Internet Shortcut Files. Microsoft addressed this issue in its February Patch Tuesday updates, but not before threat actors like Water Hydra and DarkGate seized the opportunity to exploit it. Trend Micro's Zero Day Initiative (ZDI) reported that DarkGate also utilized this flaw in a mid-January attack, enticing users with PDFs containing Google DoubleClick Digital Marketing (DDM) redirects, ultimately leading to compromised websites hosting the malware-laden installers.

According to Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun, the attackers manipulated Google-related domains using open redirects in conjunction with CVE-2024-21412 to circumvent Microsoft Defender SmartScreen protections, facilitating malware infections. They emphasized the effectiveness of combining fake software installers with open redirects in propagating infections.

DarkGate, described as a remote-access Trojan (RAT), has been advertised on Russian-language cybercrime forums since at least 2018 and is considered one of the most sophisticated and active malware strains. It offers various functionalities, including process injection, information theft, shell command execution, and keylogging, while employing multiple evasion techniques.

The DarkGate campaign observed by Trend Micro leverages Google Open Redirects, exploiting a previously patched SmartScreen vulnerability, CVE-2023-36025, affecting all supported Windows versions. By utilizing open redirects in Google DDM technologies, threat actors can execute malicious code when combined with security bypasses.

To defend against DarkGate's exploitation of CVE-2024-21412, Windows system administrators are advised to apply Microsoft's patch promptly. Additionally, organizations should prioritize employee training to raise awareness about the risks of installing software from untrusted sources. Continuous monitoring of the cyber environment, including identifying vulnerabilities and potential attack vectors, is crucial for effective cybersecurity defense.

In conclusion, proactive measures are necessary for both businesses and individuals to safeguard their systems against evolving threats like DarkGate and similar malware campaigns.
Read more »
Windows
CyberCrime Info-Stealer malware Malware Campaign Uptycs security firm Vidar Stealer Windows

Italian Users Warned of New Info-Stealer Malware Campaign


The Uptycs Threat research team has revealed a new malware campaign, targeting Italy with phishing attacks in order to deploy information-stealing malware on victims’ compromised Windows systems. 

According to Uptycs security researcher Karthickkumar Kathiresan, the malware campaign is designed to acquire sensitive information like system details, cryptocurrency wallet information, browser histories, cookies, and login credentials of crypto wallets. 

Details of the Campaign 

  • The multiple-stage infection sequence begins with an invoice-themed phishing email that comprises a link that downloads a password-protected ZIP archive file containing two files: A shortcut (.LNK) file and a batch (.BAT) file. 
  • Irrespective of what file has been deployed, the attack chain remains the same, fetching a batch script that installs an information-stealing payload from a GitHub repository. This is achieved by utilizing a legitimate PowerShell binary that as well is retrieved from GitHub. 
  • After being installed, the C#-based malware gathers system metadata and information from a variety of web browsers and cryptocurrency wallets, and then it transfers that data to a domain that is under the authority of an actor. 

Info-stealers You Should Beware of

Vidar stealer: It resurfaced with certain sophisticated tactics in order to exploit popular social media platforms such as Telegram, Mastodon, TikTok, and Steam. Back in December 2022, numerous information stealers were discovered targeting the PyPI repository. It was discovered that 16 packages, each of which had been downloaded more than 100 times, were being used to distribute ten different stealer variants. 

In today’s world of cybercrime, which is constantly evolving, one of the most severe forms of malware that one must beware of is the info-stealer. This covert digital burglar may sneak into your devices and networks to steal sensitive information, consequently rendering you vulnerable to identity theft, financial fraud, or more devastating repercussions. 

In order to protect oneself from malware attacks like info-stealer, it is advised by Uptycs to update passwords regularly and employ robust security controls with multi-layered visibility and security solutions.  

Read more »
Vmware vulnerability
Chrome Malicious Campaign malware Malware Campaign VMware Vmware vulnerability

ChromeLoader: Microsoft, VMware Warns of the New Malware Campaigns

 

Microsoft and VMware are warning about the ongoing widespread malware campaign of ChromeLoader, which led to an “ongoing wide-ranging click frauds” later this year. 

The malware tool named ChromeLoader is apparently hijacking the browsers to redirect users to ad pages. The software has now evolved into a potential threat by deploying more potent payloads that go beyond malvertising. Variants of ChromeLoader have been dropping malicious browser extensions, node WebKit malware, and even ransomware on Windows PCs and Macs. 

Functioning of ChromeLoader 

Microsoft detected an ongoing widespread campaign of click frauds and attributed it to a threat actor DEV-0796. The malware attack begins with an ISO file that is downloaded when the user clicks a malicious ad, browser redirects, or Youtube comment. The attackers seek to profit from clicks generated by malicious browser extensions or node-WebKit that they have installed on the victim’s device, without being detected.  

The researchers from VMware’s Carbon Black Managed Detection and Response (MDR) team said they have seen the malware’s operators impersonating various legitimate services that would lead users to ChromeLoader. The researchers observed hundreds of attacks that included variants of the malware, targeting multiples sectors such as education, government, healthcare, and enterprises in business services. 

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it” warns the researchers. 

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected the user traffic to advertising sites performing click frauds and generating income for the threat actors. “But, it later evolved into an ‘info-stealer’, stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function,” said researchers, in an advisory released on September 19. 

Since Adware does not cause any significant damage to a victim’s software, the threat is not taken seriously by analysts. However, any software, such as ChromeLoader, that could enter a system undetected, is an immediate threat to a user, as the victim may as well apply modifications, facilitating monetization options for the malware. 

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 
Read more »
Subscribe to: Posts (Atom)