Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label RedLine. Show all posts

YouTube Emerging as a Hotspot for Cyber Threats: Avast Report

 

YouTube has become a new battleground for cybercriminals to launch phishing attacks, spread malware, and promote fraudulent investment schemes, according to a recent report by Avast, a leading security vendor.

Avast's researchers highlighted the use of tools like Lumma and RedLine in executing phishing attacks, creating scam landing pages, and distributing malicious software. YouTube functions as a traffic distribution network, guiding unsuspecting users to these harmful sites, thus facilitating various levels of scams.

The platform is also experiencing a surge in deepfake videos, which are used to mislead viewers with hyper-realistic but fake content, thereby spreading disinformation. Avast discovered multiple high-subscriber accounts, each with over 50 million followers, that were compromised and repurposed to disseminate cryptocurrency scams utilizing deepfake technology. These fraudulent videos often feature fake comments to deceive viewers further and include links to malicious sites.

Researchers identified five primary methods through which YouTube is exploited by cybercriminals. These include sending personalized phishing emails to YouTube creators, proposing fake collaboration opportunities to gain trust and eventually send malicious links. Additionally, attackers embed malicious links in video descriptions to trick users into downloading malware. They also hijack YouTube channels to spread other threats, such as cryptocurrency scams.

Moreover, cybercriminals exploit reputable software brands and legitimate-looking domains by creating fraudulent websites filled with malware. They produce videos that use social engineering tactics, guiding users to supposedly helpful tools that are actually malicious software in disguise.

Avast attributes its advanced scanning technology to protecting over 4 million YouTube users in 2023 and around 500,000 users in the first quarter of this year alone.

Trevor Collins, a network security engineer at WatchGuard, stresses the importance of educating employees and security teams about these threats. 

"Regular education is essential. Make people aware that there are scammers out there doing this," Collins says. "In addition, train and reassure them that it's OK to notify either their security team or other people within the company if they've gotten an unusual request — for instance, to provide login credentials, move money, or go buy a bunch of gift cards — before acting on it."

This Chinese PC Manufacturer Tailored its Own Devices to be Susceptible to Malware

 

Acemagic, a Chinese manufacturer of personal computers, has acknowledged that certain products were shipped with pre-installed malware.

The discovery was made by a YouTuber known as The Net Guy, who encountered malware on Acemagic mini PCs during testing in early February. The malware, identified as Bladabindi, was detected by Windows Defender shortly after booting the machine. Bladabindi is a well-known backdoor that can steal user information and facilitate the installation of other malicious software.

Recently, Acemagic confirmed that some of its PCs were indeed infected with Bladabindi and also raised concerns about the potential presence of another malware called Redline. Redline is capable of stealing information from web browsers, conducting system inventories, and even pilfering cryptocurrency.

Acemagic's explanation for the malware's presence was somewhat perplexing and inconsistent. Initially, the company attributed the issue to adjustments made by software developers to enhance user experience by reducing boot time, which inadvertently affected network settings and omitted digital signatures. However, in a subsequent statement to The Register, the company mentioned that the incident stemmed from similar software adjustments made by developers.

The company has pledged to bolster its use of digital certificates to prevent unauthorized modifications, hinting that external parties might have accessed its machines or its master copy of Windows to deliver the malware.

It remains uncertain whether the infections occurred at the factory or after the PCs were in the possession of their new owners. Acemagic has announced plans to refund the cost of machines manufactured between September and November 2023 and has advised owners to check the stickers affixed to their models for the date of manufacture.

Interestingly, just before The Register received Acemagic's acknowledgment of the malware issue, they received a review unit of one of its PCs. However, the labels on that unit did not contain information about the date of manufacture, nor did the QR codes provide such details.

Acemagic has provided clean system images for owners to disinfect their machines and is offering a 25 percent purchase price rebate for those who do so. Additionally, owners of infected machines can apply for a voucher providing a ten percent discount on any future Acemagic purchase, though it remains to be seen if customers will trust the brand after this incident.

Pay to Play PrivateLoader Disseminates Smokeloader, Redline &Vidar malware

 

An investigation at a pay-per-install loader has revealed its role in the distribution of famous malware variants including Smokeloader and Vidar. 

Intel 471 issued a report on PrivateLoader on Tuesday, analyzing cyberattacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for a time, but it's unclear who is responsible for its creation. Additional payloads are deployed on a target machine using loaders. 

PrivateLoader is a variation that is supplied to criminal customers on an installation basis, with payment based on the number of victims captured. PrivateLoader is managed by a collection of command-and-control (C2) servers and an AdminLTE 3-based administrator panel. 

Adding new users, configuring the loader to install a payload, picking target regions and nations, setting up payload download links, encryption, and selecting browser extensions for infecting target devices are all available through the front-end panel. 

The loader is mainly distributed through websites that sell pirated software. Cracked copies of popular software, which are occasionally included with key generators, are illegal versions of software that have been modified to avoid licencing or payment. On websites, download buttons for cracked software are included with JavaScript, which releases the payload in a.ZIP archive. 

The package contained a malicious executable, according to the cybersecurity firm's findings. A false GCleaner load reseller, PrivateLoader, and Redline are among the malware that is triggered by .exe file. 

Since at least May 2021, the PrivateLoader module has been used to run Smokeloader, Redline, and Vidar. Smokeloader is the most well-known of these malware families. Smokeloader is a distinct loader that can also be utilized for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware that can steal data from a variety of data types, including passwords, documents, and digital wallet details. 

A distribution link for Smokeloader also signals a possible connection to the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots. 

Although PrivateLoader isn't particularly linked to the distribution of ransomware, a loader associated with it, known as Discoloader, has been used in assaults aimed at spreading the malware. 

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."

441K accounts Were Taken by RedLine Virus, according to Have I Been Pwned.

 

Have I Been Pwned may now search the RedLine data for 441,657 unique email addresses taken by RedLine. RedLine is viewed as right now the most generally utilized data-taking malware. It is conveyed through phishing efforts with pernicious connections, YouTube tricks, and warez/break locales. The RedLine malware, once introduced, will endeavor to take qualifications, treats, Visas, and auto-complete data put away in programs. 

The Have I Been Pwned information on data breach notice currently allows you to browse in the event that your email and secret phrase are one of 441,000 records taken in a data-taking effort utilizing RedLine malware. 

The illegally taken information is gathered into a file, called "logs," and transferred to a distant server from where the aggressor can later gather them. Aggressors utilize these logs to think twice about records or sell them on dull web criminal commercial centers for just $5 per log. 

RedLine is a trojan that may be purchased individually or as part of a membership-based on underground forums. This spyware collects information from applications such as saved accreditations, autocomplete data, and Mastercard information. When executing on an objective system, a framework inventory is taken to include details such as the username, location information, equipment setup, and information about installed security programming. Later versions of RedLine included the ability to accept digital currency. This malware can transfer and download records, execute orders, and occasionally send back data about the infected PC. FTP and IM customers are also clearly identified by this family, and this malware can transfer and download records, execute orders, and occasionally send back data about the infected PC. 

Bob Diachenko, a security researcher, discovered a site with over 6 million RedLine logs from August and September 2021 last weekend. This server was most likely utilized by the threat actor to store stolen data, although it was not effectively secured. The server is still accessible, according to Diachenko, but it does not appear to be used by threat actors because the amount of logs has not increased. 

Diachenko shared the data with Troy Hunt, who added it to his Have I Been Pwned service to make it simpler for others to check if a hacker got their data in the exposed RedLine malware operation. 

Have I Been Pwned assuming an organization you have a record with, has experienced an information break it's conceivable your email might have been pwned; presented to cybercriminals haveibeenpwned.com(link is outside) is a site that checks assuming a record has been compromised 

RedLine is attempting to steal cryptocurrency wallets, you should transfer any tokens you hold to another wallet and reset the passwords for all accounts used on the machine, including work VPN and email accounts, as well as other personal accounts.

Ultimately, if your email address appears in the RedLine data, you should run an antivirus scan on your computer to detect and remove any malware.

Redline Malware Stealing Web Browser Stored Credentials

 

The RedLine malware steals information from popular internet browsers such as Chrome, Edge, and Opera, highlighting why saving passwords in browsers is a terrible idea. 

This malware is a commodity information-stealer that can be obtained on cyber-crime websites for around $200 and deployed with very little understanding or effort. 

A new analysis by AhnLab ASEC, on the other hand, cautions that the ease of using the auto-login function on web browsers has become a significant security problem, impacting both enterprises and individuals. 

In one case given by the analysts, a distant employee handed over VPN account credentials to RedLine Stealer actors, who utilized the information three months later to attack the company's network. 

Whilst an anti-malware program was installed on the affected computer, it was unable to identify and eradicate RedLine Stealer. The malware attacks the 'Login Data' file, which is found on all Chromium-based web browsers and contains an SQLite database containing usernames and passwords. 

While browser password stores, that are also used by Chromium-based browsers, are secured, information-stealing malware can programmatically decode the store as long as they are logged in as the same user. Because RedLine operates as an infected user, it can collect passwords from their browser profile. 

"Google Chrome encrypts the password with the help of CryptProtectData function, built into Windows. Now while this can be a very secure function using a triple-DES algorithm and creating user-specific keys to encrypt the data, it can still be decrypted as long as you are logged into the same account as the user who encrypted it," explains the author of the 'chrome_password_grabber' project. 

"The CryptProtectData function has a twin, who does the opposite to it; CryptUnprotectData, which... well you guessed it, decrypts the data. And obviously, this is going to be very useful in trying to decrypt the stored passwords." 

Even if users decline to save their credentials in the browser, the password management system will nonetheless add an entry indicating that the specific site is "blacklisted." 

While the malicious actors may not have had the credentials for this "blacklisted" account, it does inform them of its existence, allowing them to undertake credential stuffing or social engineering/phishing attacks. 

Threat actors either utilize the obtained credentials in subsequent assaults or attempt to monetize them by selling them on darknet marketplaces. 

The emergence of the '2easy' dark web marketplace, where 50% of all traded data was taken via this software, is an illustration of how popular RedLine has become among hackers.