Showing posts with label Malware Report.

Glupteba Malware has Returned After Being Disrupted by Google



Nearly a year after Google disrupted it, the Glupteba botnet is active again and infecting devices worldwide. In December 2021 Google seriously disrupted the blockchain-enabled botnet by obtaining court orders to take control of its infrastructure and by filing a lawsuit against two of its Russian operators.

Nozomi Networks' analysis of blockchain transactions, TLS certificate registrations and reverse-engineered Glupteba samples shows a new, large-scale Glupteba campaign that started in May 2022 and is still running today.

Blockchain as a hiding place

Glupteba is a modular, blockchain-enabled malware family that mines cryptocurrency, steals user credentials and cookies, and turns Windows and IoT hosts into proxy servers. Much of it is distributed through malvertising on pay-per-install (PPI) networks or traffic distribution systems (TDS) that push installers disguised as free software, videos and movies; the infected hosts are then sold on to other criminals as 'residential proxies'.

As part of its evasion strategy, Glupteba uses the Bitcoin blockchain to distribute updated lists of command-and-control (C2) servers, so that infected hosts can still reach their controllers and receive commands after existing C2 domains are taken down.

The bot client contains a discovery function that recovers the current C2 address from the chain: it enumerates a set of Bitcoin wallet addresses, retrieves their transactions, and parses the transaction data for an encoded, AES-encrypted C2 address, which it decrypts with a key carried in the sample. Glupteba has used this approach for years, and it makes the botnet resilient to infrastructure takedowns.

Blockchain transactions cannot be erased, so taking down a C2 address has only a limited effect: the operators simply publish a new one. Nor can law enforcement write a new address from the controller's wallet without its Bitcoin private key, so a sudden botnet takeover or global deactivation of the kind that ended Emotet in early 2021 is not possible here.

Bitcoin is a public blockchain, however, so anyone can read it and scrutinize the same transactions to gather intelligence.

Nozomi reported that Glupteba still uses the blockchain exactly as it did years ago, so scanning the whole chain with the right keys was enough to reveal the hidden C2 domains.

The effort was considerable: more than 1,500 Glupteba samples uploaded to VirusTotal were examined. A subset was analyzed to extract the wallet addresses and the encryption keys embedded in the malware, which were then used to decrypt the transaction payload data.
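The discovery routine described above, and the analyst's scan that inverts it, as an added example written for this page in Go (Glupteba itself is written in Go); it is not Nozomi's or Glupteba's code. The transactions, the wallet history and the key are constructed here, and the record layout (OP_RETURN output carrying a 12-byte nonce followed by AES-256-GCM ciphertext of the C2 address) is an assumption of the example; the page only says the address is encoded and AES-encrypted. The same function serves both sides: a bot would take the newest record, an analyst with a key lifted from a sample keeps the whole history.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Tx is a minimal stand-in for a Bitcoin transaction: only the raw output
// scripts matter. A real scanner would fetch them from a node or block
// explorer for each wallet address lifted from the samples.
type Tx struct{ Outputs [][]byte }

// opReturnPayload returns the data pushed after OP_RETURN (0x6a), or nil if
// the script is not an OP_RETURN output. Only direct pushes (1..75 bytes)
// are handled, which is enough for the record size used below.
func opReturnPayload(script []byte) []byte {
	if len(script) < 2 || script[0] != 0x6a {
		return nil
	}
	n := int(script[1])
	if n < 1 || n > 75 || len(script) < 2+n {
		return nil
	}
	return script[2 : 2+n]
}

// decryptPayload treats payload as nonce || AES-256-GCM ciphertext. Layout
// and key are assumptions of this example; the key is whatever was recovered
// from the reverse-engineered sample.
func decryptPayload(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(payload) < ns+gcm.Overhead() {
		return nil, errors.New("payload too short to be a C2 record")
	}
	return gcm.Open(nil, payload[:ns], payload[ns:], nil)
}

// discoverC2 mirrors the bot's discovery routine: walk the wallet's
// transactions in order, pull OP_RETURN data and keep each payload that
// authenticates under the key. Unrelated OP_RETURN data fails the GCM tag
// check and is skipped, so a wrong key yields nothing rather than garbage.
func discoverC2(txs []Tx, key []byte) []string {
	var c2 []string
	for _, tx := range txs {
		for _, out := range tx.Outputs {
			if data := opReturnPayload(out); data != nil {
				if pt, err := decryptPayload(key, data); err == nil {
					c2 = append(c2, string(pt))
				}
			}
		}
	}
	return c2
}

// keyFrom derives a 32-byte key from a label; demoKey stands in for the
// key an analyst would extract from a sample (constructed, not real).
func keyFrom(label string) []byte {
	h := sha256.Sum256([]byte(label))
	return h[:]
}

var demoKey = keyFrom("example-key-recovered-from-sample")

// opReturnScript wraps data (at most 75 bytes) in an OP_RETURN output.
func opReturnScript(data []byte) []byte {
	return append([]byte{0x6a, byte(len(data))}, data...)
}

// encryptPayload is the inverse of decryptPayload; nonce must be 12 bytes.
func encryptPayload(key, nonce, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, plaintext, nil)...)
}

// sampleTxs is a fabricated history for one controller wallet: two C2
// updates with an unrelated OP_RETURN message between them.
func sampleTxs() []Tx {
	return []Tx{
		{Outputs: [][]byte{opReturnScript(encryptPayload(demoKey, []byte("nonce-000001"), []byte("c2-old.example.onion")))}},
		{Outputs: [][]byte{opReturnScript([]byte("unrelated OP_RETURN message, not C2"))}},
		{Outputs: [][]byte{opReturnScript(encryptPayload(demoKey, []byte("nonce-000002"), []byte("c2-new.example.onion")))}},
	}
}

func main() {
	for _, d := range discoverC2(sampleTxs(), demoKey) {
		fmt.Println("C2:", d)
	}
}
```

Run as-is it prints the two C2 records in publication order. The point a defender should take from it is the asymmetry the post describes: with the key, anyone can read every address the operators ever published, but nobody without the wallet's private key can append a record of their own, so reading the chain supports tracking and blocking, not takeover.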

Further, Nozomi made use of passive DNS records to find domains and hosts associated with Glupteba. 

The team also examined the latest set of TLS certificates used by the malware's servers to learn more about the infrastructure it relies on.

Nozomi's investigation identified 15 Bitcoin addresses used across four Glupteba campaigns. The most recent campaign started in June 2022, six months after Google's disruption, and is still in progress.

The botnet is now more resilient because it uses more Bitcoin addresses than ever before. The same drive for redundancy shows in the number of Tor hidden services used as C2 servers, which has grown tenfold since the 2021 campaign.

The most active address had 11 transactions over the past year and was linked to 1,197 samples; its last activity was on November 8, 2022. Nozomi also reports many new Glupteba domain registrations in passive DNS data since November 22, 2022.

Taken together, this shows that Glupteba is back and in attack mode. The botnet is larger than before and, because of the number of fallback addresses its operators have set up, better placed to resist takedown attempts by researchers and law enforcement.

Kaspersky Lab detected a new threat to user data

Kaspersky Lab experts discovered a targeted cyber-espionage campaign in which attackers infect computers with malware that collects all recent documents on the victim's device, archives them and sends them back to the attackers.

UEFI firmware loads before the operating system and controls the earliest stage of boot. An attacker who controls it gains full control of the computer: they can alter memory or disk contents, or force the operating system to run a malicious file. Neither replacing the hard drive nor reinstalling the OS removes such an implant, because it lives in the firmware rather than on disk.

"This file is a bootloader; it communicates with the control server, collects all recent documents on the computer, archives them and sends them back to the server. In fact, this is pure espionage. So far there is information about two victims of the UEFI bootkit, as well as several victims of the campaign who encountered targeted phishing. All of them are diplomats or members of non-profit organizations, and their activities are related to North Korea," commented Igor Kuznetsov, a leading antivirus expert at Kaspersky Lab.

The experts also found that the bootkit's UEFI components are based on Vector-EDK, a framework created by the Hacking Team group that includes instructions for building a module to be flashed into UEFI firmware. These and other Hacking Team sources became freely available after a leak in 2015, which allowed the attackers to build their own tool from them.

"Be that as it may, we are dealing with a powerful, advanced tool for cyberattacks; far from every attacker can do this. However, with ready-made working examples available, there is a danger of the technology being reused, especially since the instructions for it can still be downloaded by anyone," added Kuznetsov.

Notably, Kaspersky Lab had already found hard-to-detect malware of this kind five years earlier, when it uncovered the control servers and attack traces of the Equation group, which was linked to US intelligence services.

Hackers use fake Zoom domains to spread malware


The coronavirus pandemic is forcing many people around the world to work remotely, which has sharply increased the popularity of video-conferencing services such as Zoom. Attackers have taken advantage of this, registering fake Zoom domains to spread malware and to gain access to other people's video conferences, the security company Check Point reports.

Researchers note that 1,700 domains containing the word "Zoom" have been registered since the start of the pandemic. A quarter of them were registered in the last seven days alone, and 70 of them are considered suspicious by the company.

Check Point specialists also found malicious files named like "zoom-us-zoom_##########.exe", where each # stands for a digit. Running such a file installs the InstallCore bundler on the user's computer, which is then used to download further malware.

Fraudulent sites imitating Google Classroom or Google Hangouts have also appeared. They are built for phishing: stealing passwords, credit card data and other personal information. Check Point Cyber Research Manager Omer Dembinsky advised users to check that a video-conference link is genuine before following it.

In January of this year, Check Point published research showing security flaws in Zoom. According to the company, attackers could join video conferences by generating random numbers that formed valid meeting URLs. Zoom then fixed the flaw and changed the service, for example by introducing mandatory password protection for meetings.

Hackers use Russian government websites for cryptocurrency mining


Cybercriminals have used not only ordinary Internet users' computers but also the resources of large companies and the websites of Russian government agencies to mine cryptocurrency. This was announced at a press conference on Monday by Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents (NCCCI).

"Cases of cryptocurrency mining with the help of infected information resources of state organizations have been identified. In such cases attackers infect web pages, and mining is carried out while the pages are being viewed in the browser," said Murashov.

He noted that most virtual coins are very expensive, so there are many people who want to earn money the easy way. "Up to 80% of a computer's free capacity can be used to generate virtual coins, and the legitimate user may not even know about it," said the Deputy Director of the NCCCI. The seizure of large companies' servers for mining, he added, threatens to reduce their performance significantly and cause significant damage to the business.

Murashov also said at the press conference that in 2019 about 12 thousand "foreign information resources used by attackers to damage our country" were blocked. In addition, according to him, more than 6 thousand malicious resources in the Russian Federation were shut down this year at the request of foreign partners.

According to Murashov, users should pay attention to the security of their computers to counter such attacks: an infection with malware is a signal that the computer is poorly protected and can fall victim to any attacker.

Murashov also noted that two Russian citizens have been prosecuted for mining cryptocurrency on infected computers belonging to organizations.

"In Russia there have recently been two cases of criminal prosecution of persons who used hijacked computers for mining cryptocurrencies," he said.

One of them is a resident of Kurgan who ran an entire botnet spanning several regions of the country. In the second case, criminal proceedings were opened over the use of the Rostovvodokanal company's website for mining.

Russian companies infected by a virus masquerading as accounting documents


In September, Russian companies were hit by malware disguised as accounting documents. Running it led to leaks of users' personal data and the connection of their computers to a botnet. Check Point says that 15.3% of Russian Internet users received such emails in a single month.

According to Check Point, the Pony malware became active at the start of the business season in September and was the second most active malware by the end of the month.

The company said that Pony was distributed by email as malicious EXE files imitating accounting requests, under subjects such as "Closing documents Tuesday" and "Documents September". Pony can steal user credentials, monitor system and network activity, install additional malware and add devices to a botnet.

Rostelecom-Solar specialists also recorded phishing emails with similar subjects in September, confirms Igor Zalevsky, head of the Solar JSOC incident investigation department.

"The simplest and most effective defense against such attacks is content filtering on the mail gateway. Sending executable files of any format by e-mail must be stopped," emphasizes Mr. Zalevsky.
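What Zalevsky's advice looks like as gateway logic, as an added example in Go written for this page (it is not Rostelecom-Solar's or Check Point's code). It also applies the "zoom-us-zoom_##########.exe" file-name pattern that Check Point reported in the Zoom post above. The example assumes the gateway has already MIME-decoded each attachment into a file name and its bytes; the extension list and the sample attachments are constructed. "Executable files of any format" is taken to mean that the decision cannot rest on the extension alone, so the check also inspects file magic (a PE file renamed to .pdf is still a PE file) and treats a password-protected ZIP, which the gateway cannot scan, as a reject.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Attachment is what a mail gateway sees after MIME decoding: the declared
// file name and the decoded bytes.
type Attachment struct {
	Name string
	Data []byte
}

// blockedExt lists extensions Windows will run directly. The list is an
// assumption for this example; production policies are usually longer.
var blockedExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".msi": true, ".dll": true, ".js": true, ".jse": true,
	".vbs": true, ".vbe": true, ".wsf": true, ".hta": true, ".ps1": true,
}

// zoomLure matches the "zoom-us-zoom_##########.exe" names Check Point
// reported, with # standing for a digit.
var zoomLure = regexp.MustCompile(`(?i)^zoom-us-zoom_\d+\.exe$`)

// looksExecutable checks file magic so that a renamed binary is still caught.
func looksExecutable(data []byte) bool {
	return bytes.HasPrefix(data, []byte("MZ")) || // PE / DOS executable
		bytes.HasPrefix(data, []byte{0x7f, 'E', 'L', 'F'}) || // ELF
		bytes.HasPrefix(data, []byte{0xcf, 0xfa, 0xed, 0xfe}) || // Mach-O 64-bit
		bytes.HasPrefix(data, []byte{0xca, 0xfe, 0xba, 0xbe}) // Mach-O universal (also Java .class)
}

// isEncryptedZip reports whether a ZIP's first local file header has the
// encryption bit (bit 0 of the general-purpose flags at offset 6) set. The
// gateway cannot look inside such an archive, so it is treated as a reject.
func isEncryptedZip(data []byte) bool {
	return len(data) >= 8 && bytes.HasPrefix(data, []byte{'P', 'K', 3, 4}) && data[6]&1 == 1
}

// checkAttachment returns (true, reason) if the attachment must be rejected.
func checkAttachment(a Attachment) (bool, string) {
	name := strings.ToLower(a.Name)
	ext := path.Ext(name) // last extension only, so "x.pdf.exe" yields ".exe"
	switch {
	case zoomLure.MatchString(name):
		return true, "matches Zoom lure file-name pattern"
	case blockedExt[ext]:
		return true, "executable extension " + ext
	case looksExecutable(a.Data):
		return true, "executable content under a non-executable name"
	case isEncryptedZip(a.Data):
		return true, "password-protected archive cannot be scanned"
	}
	return false, ""
}

func main() {
	// Constructed samples, not real attachments.
	for _, a := range []Attachment{
		{"zoom-us-zoom_1234567890.exe", []byte("MZ\x90\x00")},
		{"Closing documents Tuesday.exe", []byte("MZ\x90\x00")},
		{"Documents September.pdf", []byte("MZ\x90\x00")},
		{"report.pdf", []byte("%PDF-1.7")},
	} {
		blocked, why := checkAttachment(a)
		fmt.Printf("%-32s blocked=%-5v %s\n", a.Name, blocked, why)
	}
}
```

The order of the checks matters only for the reason string; any one hit is enough to reject. The magic-byte check is what turns Zalevsky's "any format" into policy: an extension filter alone is defeated by renaming the file or by a double extension that a client hides.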

Attacks like Pony are standard practice, said Vladimir Ulyanov, head of the Zecurion analytical center. According to him, such malware is easier to monetize because accountants work with important data but are not always well aware of information-security risks.

"All companies work with closing documents, but not all employees know what these documents look like," explains Mr. Ulyanov.

The expert is sure that such attacks must be countered, and that staff awareness has to be raised.

Pony is classed as spyware and is among the top three types of malware used by cybercriminals. According to the rating, the most aggressive malware in Russia is Cryptoloot, which uses other people's computers and resources to mine cryptocurrency; XMRig, another miner, is in third place.

A new virus attacked computers in Russia


Malicious emails to Russian companies have become more frequent. The attackers write on behalf of banks, large airlines, car dealers and media outlets, offering cooperation and urging the recipient to open the attached file for the details of a lucrative deal. If the user does so, the computer is infected with the Troldesh ransomware, which encrypts files on the device and demands a ransom.

The fraudsters pose as employees of the company and attach a password-protected archive which, they claim, contains the order details. In fact the archive carries the malware: once the victim opens it, important files on the system are encrypted and can be recovered only by paying the fraudsters. The sender addresses are, of course, spoofed.

Group-IB found that more than a thousand such messages were sent to various Russian companies in June, and that the number of Troldesh attacks in this quarter alone is 2.5 times higher than in 2018. Yaroslav Kargalev, Deputy Head of Group-IB's Information Security Incident Monitoring and Response Division, said that it is almost impossible to destroy the virus.

Group-IB experts noted that Troldesh was previously sent out mainly in the name of banks, but the attackers have stopped doing so since banks strengthened their anti-phishing measures.

Troldesh can be bought or rented on specialized Darknet sites. Judging by the latest attacks, it not only encrypts files but also mines cryptocurrency and generates traffic to websites, inflating their visitor numbers and advertising revenue.

Group-IB also stressed that a fairly large infrastructure is involved in distributing the virus, including servers and infected IoT (Internet of Things) devices such as routers. The distribution campaign is still active.

This is not the first time Troldesh has targeted companies. The first such attacks were recorded in 2015, and the largest took place in March 2019, when the messages arrived in the name of well-known retailers as well as financial and construction companies.

Russian antivirus company Dr.Web finds new malware targeting macOS


Specialists at the Russian company Dr.Web found malware targeting macOS that lets attackers download and execute arbitrary Python code on the user's device. The sites distributing it also infected Windows visitors with a dangerous spyware Trojan.

According to Dr.Web, its experts discovered the new threat on April 29. Named Mac.BackDoor.Siggen.20, it is a backdoor that downloads malicious code from a remote server and executes it.

This gives the attackers unauthorized remote access to the system. The backdoor runs in the background, hidden from the user, and is said to be difficult to detect.

Mac.BackDoor.Siggen.20 reaches devices through sites owned by its developers. One is styled as a personal portfolio site for a non-existent person; the other is disguised as a WhatsApp download page.

The company's press service said that which payload is served depends on the visitor's operating system: macOS visitors are infected with Mac.BackDoor.Siggen.20, while Windows visitors receive BackDoor.Wirenet.517 (NetWire). NetWire is a long-known remote access Trojan (RAT) that lets attackers control the victim's computer remotely, including its camera and microphone. The distributed RAT build also carries a valid digital signature.

According to Dr.Web, about 300 visitors with unique IP addresses opened the site distributing Mac.BackDoor.Siggen.20 under the guise of WhatsApp. The site has been active since April 29 and has not yet been used in large-scale campaigns. Nevertheless, users are advised to keep their antivirus up to date and not to open suspicious portfolio or download sites.

Website of Chelyabinsk court hit by data-encrypting malware



Attackers hacked the website of the Arbitration Court of Chelyabinsk (a federal subject of Russia on the border of Europe and Asia) and infected the server with data-encrypting malware.

The malware encrypted the information and files on the server. The incident took place on October 4; by October 10 experts had restored the website from a previously saved backup.

However, the last backup had been made in January, so the court lost everything published on its website this year: news, charts, conference videos and information about the bureau and judicial appointments were irretrievably lost.

According to local reports, the court is still trying to recover the information from its own sources. No detailed information about the malware variant used in the attack has been released.

- Christina