Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label MalwareBytes. Show all posts

Fraudulent KeePass Site Uses Google Ads and Punycode to Transfer Malware


A Google Ads campaign was discovered promoting a phoney KeePass download site that transferred malware by posing as the real KeePass domain using Punycode. 

Google has confirmed to be suffering from an ongoing malvertising campaign which has enabled hackers to take out sponsored ads that appear above search results. In the campaign, Google Ads can also be exploited to display the official KeePass domain in the advertisements (https://www.keepass.info), making it difficult for even the most vigilant and security-conscious consumers to identify the problem. 

Online victims who end up clicking on the malicious links navigate through a series of system-profiling redirections that block bot traffic and sandboxes, as illustrated below. 

Malwarebytes, which identified this campaign points out that using Punycode for cybercrime is nothing new. However, when combined with Google Ads misuse, it may indicate a new, risky pattern in the industry. 

Punycode Trick 

 Punycode is an encoding tactic to represent Unicode characters, that helps translate hostnames in any non-Latin script to ASCII so that the DNS (Domain Name System) can interpret them.

For instance, "München" will be converted to "Mnchen-3ya," "α" becomes "mxa," "правда" will be "80aafi6cg," and "도메인" will become "hq1bm8jm9l."

Actors who threaten to abuse Punycode uses Unicode to add one character to domain names that are identical to those of legitimate websites in order to make them appear slightly different.

These types of attacks are labelled as “homograph attacks.” Malwarebytes discovered that the threat actors were using the Punycode "xn—eepass-vbb.info" to transform to "eepass.info," the project's actual domain, but with a little intonation beneath the character "."

Although it is unlikely that most users who visit the decoy site will notice this little visual flaw, it serves as a clear indication of the approach taken in this situation.

The digitally-signed MSI installation 'KeePass-2.55-Setup.msix' that is downloaded by those who click on any download links featured on the false website includes a PowerShell script related to the FakeBat malware loader.

While Google has taken down the original Punycode advertisement, several other ongoing KeePass ads have also been found in the same malware campaign.

This advertisement leads to a domain named ‘keeqass[.]info,’ which executes the same MSIX file that contains the identical FakeBat PowerShell script to download and install malware on the Windows device, just like the Punycode domain.

Apparently, when executed, the FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it, and extracts it to the %AppData% folder.

Moreover, in the file analyzed by BleepingComputer, the script launches a file called 'mergecap.exe' from the archive.

According to an Intel471 report from early 2023, FakeBat is a malware loader/dropper connected to malvertising activities from at least November 2022.

While Malwarebytes was unable to identify the final malware payload delivered in the campaign, a Sophos report from July 2023 links FakeBat with infostealers like Redline, Ursniff, and Rhadamathys.  

Mac Users Under Attack: Malvertising Campaign Distributing Atomic Stealer Malware

 


An updated version of macOS stealer malware called Atomic Stealer (or AMOS) is being distributed through a new malvertising campaign. The authors of the program appear to be actively maintaining and updating malware. 

When the creators of AMOS found a way to advertise this tool for $1,000 per month in the spring of 2023, they claimed that it would allow the theft of a wide range of data. It was not long after that that the wild was inundated with new variants of malware that were armed with a large number of new spying features, targeting gamers and cryptocurrency investors. 

According to the malware's authors, the malware can be used to steal keychain passwords, browser information, cryptocurrency wallets, and other files from a compromised device, among other things.  The company recently observed that although AMOS was originally distributed through cracked software downloads, it has now been discovered to have been delivered through a malvertising campaign, according to Malwarebytes. 

An unknown entity in Belarus appears to have hacked into a Google advertiser account and used it to advertise the TradingView financial market tracking app through a fake website for a real financial market tracking app. It has been reported that cybercriminals are increasingly deploying data-stealing malware against Apple computers in order to steal confidential information. 

Cybersecurity company SentinelOne reported Wednesday that it spotted a new version of one of the macOS infostealers, Atomic Stealer. The new version of Atomic Stealer is the third version of the malware that works on macOS in a variety of ways. 

According to SentinelOne, the latest version is really going after gaming and cryptocurrency users with a particular focus on the data that it's trying to obtain, which has not been described before in any detail. This infostealer, which is also known as the Atomic Stealer, or AMOS for short, was first described as macOS-based malware that focuses initially on cryptocurrencies, passwords, and important files that are encrypted. 

Throughout its evolution, it has become capable of grabbing more information and targeting a wider range of operating systems. As a result of such an advertisement, a user is directed to a site that offers a number of download options for NetSupport RAT for various operating systems, and while both the Windows and Linux download links direct users to download an MSIX installer that will install the NetSupport RAT on their computers. 

In a Malwarebytes report, clicking the macOS download link causes an Atomic Stealer to be downloaded and it attempts to exfiltrate data stored in iCloud Keychains, browsers, and user files. Several security experts have touted the new infostealer as having evasion capabilities to beat Gatekeeper protections, and this comes in the wake of increasing numbers of Mac OS X-targeted infostealer attacks. 

The criminals who purchase the toolkit are mainly distributing it via cracked software downloads, but they take the liberty to impersonate legitimate websites and to use advertising on search engines like Google to make their victims fall for their schemes. This attack attempts to bypass the Gatekeeper security mechanism in macOS in order to be able to exfiltrate the stolen data to a server under the attacker's control by bypassing Gatekeeper protections. 

As Mac OS continues to become a popular target for malware attacks, a number of new data-stealing apps targeting Mac OS have appeared for sale in crimeware forums over the past couple of months to take advantage of the wide availability of Apple systems in organizations as a target of malware attacks. When looking to download a new program, users are likely to turn to Google and run a search for the particular program that they require. 

As a result, threat actors are purchasing ads matching well-known brands and are tricking victims into visiting their site with the false impression that it is the official website of that brand. There are instructions in the downloaded file on how to open it so that it can bypass GateKeeper, Apple's built-in security system, to bypass the security lock. 

Further, according to the researchers, the malware is embedded in ad-hoc signed applications, which means that the revocation of the certificates used to sign the apps is not possible since they are not Apple certificates. The moment the victim runs the program, it immediately sends the stolen data to the attacker's C2 servers as soon as the data is stolen.

Passwords, information about users, wallets, cookies, keychains, and browser auto-fills are just some of the things that Atomic Stealer steals from users.  As a precautionary measure, Malwarebytes recommends that users check that any program they run on an endpoint is properly signed before running it. 

A further step that should be taken is to analyze the website from which the program was downloaded since it is possible that the address of the website has been typographical. In addition, it is possible that the content of the website reveals a scam.  

There has been increasing evidence that Google Ads are being used by spammers to spread rogue installers to victims looking for popular software, either legitimate or cracked, on search engines. The bogus Google Ads are shown to users searching for software on search engines that aren't securing legitimate software. 

An online campaign targeting the TradingView software was launched recently, featuring a fraudulent web page featuring a prominently displayed button for downloading the software for Windows, macOS, and Linux operating systems. 

The Stroz Friedberg Incident Response Services of Aon said last month that new versions of DarkGate have been used in attacks launched by threats employing tactics similar to Scattered Spider, which is a threat response technique used by cybercriminals.

8Base Ransomware: Researchers Raise Concerns Over its Increased Activities


The 8Base ransomware has well maintained its covert presence, avoiding detection for over a year. Although, a recent investigation into the ransomware revealed a significant rise in its operation during the period of May and June. It has been made clear that the ransomware group has been active since at least March 2022. The threat group labels itself as “simple pentesters,” indicating a basic level of proficiency in penetration testing.

Details of the 8Base

According to a research conducted by Malwarebytes and NCC Group, as of May, the ransomware group may have been linked with a total of whopping 67 attacks. Among these cyber incidents, around half of the manufacturing, construction, and business services industries together account for around half of the affected firms. The targeted firms are primarily located in the United States and Brazil, indicating a geographic focus by the threat group. 

June saw a significant surge in ransomware activities. The fact that the offenders used a dual extortion tactic raised the stakes for their victims is notable.

A list of 35 victims who have been identified has so far been on the 8Base-affiliated dark web extortion site. There have even been occasions where up to six companies have fallen victim to the ransomware operators' nefarious activities at once on specific days.

According to the VMware Carbon Black team, based on its recent activities, and its similarities of ransom notes and content on leak sites along with identical FAQ pages, 8Base could as well be a rebranding of the popular ‘RansomHouse’ ransomware group. RansomHouse, however flexibly promotes its partnership, while 8Base does not.

It is also noteworthy that a Phobos ransomware sample was also discovered by the VMware researchers, that was utilizing the “.8base” file extension, indicating the 8Base could well be the successor of or utilizing the existing ransomware strain.

The researchers concluded that the efficient operations conducted by the 8Base ransomware group may continue to group, which could be an onset of a mature organization. However, it has not yet been made clear whether the group is based on Phobos or RansomHouse.

As for now, there are speculations on 8Base's use of various ransomware strains, whether it be in earlier iterations or as a fundamental component of its typical mode of operation. However, it is commonly known that this organization is very active, with a concentration on smaller firms as a significant target.  

Kyocera AVX: Electronic Manufacturer Company the Current Target of LockBit


Kyocera, a global electronics manufacturer, has apparently experienced what seems like a data breach, wherein their data was exposed by ransomware gang LockBit on their dark web blog. The company was one of several who felt the aftershocks of a breach at Japanese tech firm Fujitsu last year.

The group has set a June 9 deadline for the payment of an undetermined ransom. According to the blog, "all available data will be published" if the company does not collaborate with the cybercriminals before then.

Kyocera AVX

Kyocera AVX’s clients involves military, industrial and automotive industries, for whom the company manufactures electronic products. It was established in the 1970s, and since 1990, it has been a part of Kyocera, a Japanese electronics business best known for its printers. Over 10,000 individuals are employed by it globally.

On May 26th, security researchers revealed that selected data of the company has been leaked and posted to LockBit’s dark web victim blog.

Apparently, the company’s data was breached following a cyberattack that took place on Fujitsu last year. The attack might have been the reason why LockBit was able to launch a supply chain attack on Kyocera AVX, and other companies that are partnered with Fujitsu via cyber or other social engineering attacks.

According to a Financial Times report, Fujitsu confirmed the attacks in December following a heads-up given by police agency of a potential intrusion. The intrusion further gave outsiders access to emails sent through an email system powered by Fujitsu.

It was later revealed that at least ten Japan-based companies, along with Kyocera AVX were victims of the attack.

LockBit Continues Cyber Activities Against Russia’s Enemy 

Ransomware gang LockBit, which is assumed to have originated in Russia has been on news highlights pertaining to its interest on targeting organizations based in US and allied countries. 

According to a report by security firm Malwarebytes, 126 victims have been posted by the ransomware gang in February alone.

This year, the gang targeted the UK Royal Mail, demanding ransom of $80 million in bitcoin. When the business refused to pay up, labeling the demands "ridiculous," the gang retaliated by sharing the information along with copies of the conversations between LockBit and Royal Mail's officials.

Later, it stole client information from WH Smith, a high-end street retailer in the UK. The hacker used current and previous employees' personal information. Since then, there has been no information indicating whether the business has paid the ransom.

In its recent case, this month, an individual named Mikhail Pavlovich Matveev who claims to have been involved with LockBit, has a bounty of $10 million on his head placed by the FBI. With connections to both the Hive and Babuk organizations, Matveev is believed to be a major participant in the Russian ransomware ecosystem.  

Fraudulent UK Visa Scams Circulate on WhatsApp


According to a Malwarebytes report, individuals working in the UK are being scammed by a recent phishing campaign on WhatsApp. 

Scammers claim in a WhatsApp message that users who are willing to relocate to the UK for work will be eligible for a free visa as well as other perks. 

Bogus scam message 

Scam operators are disseminating information under the pretext of the UK government, promising a free visa and other advantages to anyone who wants to migrate there. The chosen candidates would be given travel and lodging expenses as well as access to medical facilities. 

The WhatsApp chat app is used to transmit to target volumes to start the fraud. Users are informed that the UK is conducting a recruiting drive with more than 186,000 open job positions because the country will require more than 132,000 additional workers by the year 2022. 

The objective of the scam 

When a victim clicks on the scam link, a malicious domain that looks like a website for UK Visas and Immigration is displayed to them. "Apply for thousands of jobs already available in the United Kingdom," is the request made to foreign nationals as per the scam.

The website's goal is to collect victims' names, email addresses, phone numbers, marital statuses, and employment statuses. 

Any information entered into the free application form is instantly 'accepted,' and the user is informed that they "will be provided a work permit, visa, plane tickets, and housing in the UK for free" according to a Malwarebytes report. 


Report fake WhatsApp messages

Users have the option to Report and Block on WhatsApp if they get a message from someone who is not on their contact list. One should disregard these spam communications and use the report button to file a complaint. Additionally, users can block these contacts in order to stop getting future scam messages from them.

Phishing attacks with a Visa theme are a typical occurrence in the world of cybercriminals. A similar hoax circulated several times in the past to entice people looking to work or study abroad.


Security Researchers Discovered Crimea Manifesto Buried in VBA Rat

 

On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. A manifesto regarding Crimea was included by the assailants, implying that the attack was politically motivated. A suspicious document called "Manifest.docx" is used in the attacks, and it downloads and runs two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered the "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said. 

The second template is imported into the document and is included in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE Exploit (CVE-2021-26411) that was previously utilized by Lazarus APT to target security researchers working on vulnerability disclosure. The shell code used in this vulnerability loads the same VBA Rat as the remote template injection exploit. 

The attack, according to Jazi, was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea. Cyberattacks on both sides have been on the rise, according to the report. The manifesto and Crimea information, however, might be utilized as a false flag by threat actors, according to Jazi. 

The attackers used a combination of social engineering and the exploit, according to the report, to boost their chances of infecting victims. Malwarebytes was unable to pin the assault on a single actor but said that victims were shown a decoy document with a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies. 

The decoy document is loaded after the remote templates, according to Jazi. The document is written in Russian but also has an English translation. A VBA Rat is also included in the attack, which collects victim information, identifies the AV product installed on the victim's workstation, runs shell-codes, deletes files, uploads and downloads files, and reads disc and file system information. Instead of using well-known API calls for shell code execution, which can easily be flagged by AV products, the threat actor employed the unique EnumWindows to run its shell-code, according to Jazi.

New Malware Downloader Spotted in Targeted Campaigns

 

In recent weeks, a relatively sophisticated new malware downloader has emerged that, while not widely distributed yet, appears to be gaining momentum. Malwarebytes researchers recently discovered the Saint Bot dropper, as they have termed it, being used as part of the infection chain in targeted campaigns against government institutions in Georgia. 

Saint Bot was discovered by researchers while investigating a phishing email containing a zip file containing malware they had never seen before. The zip file included an obfuscated PowerShell script disguised as a link to a Bitcoin wallet. According to Malwarebytes, the script started a chain of infections that led to Saint Bot being dropped on the compromised system. 

In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, the new loader is probably being used by a few different threat actors, implying that there are likely other victims. 

One of the information stealers that Saint Bot has noticed dropping is Taurus, a malware tool designed to steal passwords, browser history, cookies, and data from auto-fill. The Taurus stealer can also steal FTP and email client credentials, as well as system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system. 

Malware droppers are specialized tools designed to install various types of malware on victim systems. One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that case, the dropper was specifically designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. 

Basically, the downloaders are first-stage malware tools designed to deliver a wide range of secondary and tertiary commodity payloads, such as ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most popular droppers in recent years, such as Emotet, Trickbot, and Dridex, began as banking Trojans before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals. 

Saint Bot, like many other droppers, has several unclear and anti-analysis features to help it avoid malware detection tools. It is designed to detect virtual machines and, in some cases, to detect but not execute on systems located in specific Commonwealth of Independent States countries, which include former Soviet bloc countries such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain. In particular, we observed malicious documents laced with exploits often accompanied by decoy files." a spokesman from Malwarebytes' threat intelligence team states. In all instances, Saint Bot was eventually used to drop stealers. 

According to Malwarebytes, while Saint Bot is not yet a widespread threat, there are indications that the malware's creators are still actively working on it. According to the security vendor, its investigation of the Saint Bot reveals that a previous version of the tool existed not long ago. " Additionally, we are also seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," a Malwarebytes spokesman said.

Malwarebytes Report Confirms the Change in Tactics of Cybercriminals During Covid-19

 

Malwarebytes, an American security firm announced the findings of its annual ‘State of Malware’ report, this report explored the working methodology of employees and cybercriminals. Work from home was the new normal during the Covid-19 pandemic wherein many companies altered their working methodology and started working remotely.

The notable change was in the working methodology of the threat actors, they were more focused on gathering intelligence, and exploiting and preying upon fears with targeted and sophisticated assaults. Last year, threat actors targeted many high-profile firms and popular personalities which included hacking the accounts of famous personalities such as Barack Obama, Jeff Bezos, and Elon Musk; attacking FireEye and SolarWinds via supply chain and the Marriott hotel which recorded theft of the records of 5.2 million guests.

Marcin Kleczynski, CEO of Malwarebytes stated, “this past year has taught us that cybercriminals are increasingly formidable, planning long-term, strategic, and focused attacks that are sometimes years in the making. 2020 continued to show us that no company is immune, and there is no such thing as ‘safe enough’.”

“The COVID-19 pandemic compounded this with new challenges in securing remote workforces, making it essential that we quickly become more adaptable and learn how to better protect workers in any environment. While our total detections are down this year, we must remain vigilant. The threats we are seeing are more refined and damaging than ever before”, he further added.

Last year, Malwarebytes observed an overall drop of 24 percent of Windows detections across businesses and an 11 percent drop for clients. In total, there was a 12 percent drop in Windows detections across the board. However, Mac detections for businesses surged to 31 percent, 2020 also witnessed the growth of Android malware called FakeAdsBlock, which produced an alarming number of non-stop ads, accounting for 80,654 detections.

HiddenAds was discovered to be the most common mobile adware application, this trojan attacks users with ads, and nearly 704,418 malicious activities were reported with an increase of nearly 150 percent year-over-year.

Malwarebytes offers pirates a free one year license

Software companies have been serving the general public for years. But in this process, starts the raging war between the companies and the so-called "crackers" who try to counterfeit genuine products in order to promote piracy.

This creates a loophole in the distribution part of the products. This battle has seen some technical advancement in preventing counterfeiting of the services.

While Microsoft has implemented a product activation procedure for the Windows Operating system and its Office suite, some of the premiere gaming company have a registration process into their servers in order to activate the game, declining which the game becomes unavailable for playing. Yet, there is a continuous struggle amongst the "cracking " society to crack the softwares for free access and piracy.

While this struggle has accelerated with time, a company has finally decided to allow the vicious pirates to gain legit access to their product. Malwarebytes, a premium security firm has initiated Amnesty, a program to enable the users who have procured the serial key from piracy dealers or have downloaded it from the internet, to reissue their security key for free. This reissued key will provide the user with premium access to Malwarebytes Anti-Malware for a period of 12-months.

The company states that the internet has good pioneers as well as bad pirates. While the pioneers work hard day and night in order to provide users with state of the art services, pirates try to dupe people into buying pirated versions of Malwarebytes Anti-Malware.

"Amnesty program has initiated providing free replacement keys to the premium customers who have been facing inconvenience because of pirated keys or software abuse for Malwarebytes Anti-Malware".

To ease it up, you can start by downloading the latest version of Anti-Malware Premium(direct link to download). Once you are done with the installation, the activation setup is initiated, where you have to enter your illegal activation key and proceed. This redirects you to the dialog box which gives you the option to select "I’m not sure where I got my key, or I downloaded it from the Internet". The company then issues you with a new key along with a 12-months free premium membership.

This has been started by Malwarebytes, who are providing one of the best security suites and anti virus tools in the market.