Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Spear Phishing attacks. Show all posts

Ducktail Spear-Phishing Campaign Targets Facebook Business Accounts Via LinkedIn

 

An ongoing spear-phishing campaign dubbed “Ducktail” is targeting admin profiles of enterprise networks via LinkedIn, with the motive of taking over Facebook Business accounts and exploiting the Ads function to run malvertising campaigns. 

According to researchers at WithSecure, a popular global IT-security firm, the hackers are of Vietnamese origin and have been active since 2018. 

Modus operandi 

The Ducktail operators have a limited targeting scope and carefully choose their victims, seeking those with administrative access to their employer's social media accounts. The hacker contacts employees on LinkedIn who may have access to Facebook business accounts, such as those described as working in "digital media" and "digital marketing." 

Subsequently, the hacker lures the potential victim to download a file hosted on legitimate cloud hosting services like Dropbox or iCloud. The downloaded file contains JPEG image files and a PDF document relevant to the topic discussed between the hacker and the potential victim during the convincing stage.

Security researchers reported that the entire file is a .NET Core malware that can infect any operating system by running on computers without having to install the .NET runtime. Once it has compromised the system the malware collects browser cookies from Chrome, Edge, Firefox, and additional sensitive information to steal Facebook credentials. 

“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” researchers explained. 

The malware is then deployed to other Facebook pages owned by the victim and collects multiple tokens, IP addresses, account information, geolocation data, and other valuables to disguise itself as a legitimate admin. 

After getting access to the victim’s business profile the malware steals advertising limits, credit card details, client lists, currency, payment cycle, and more sensitive details, and finally, the stolen data is exfiltrated through Telegram bots when the malware exits or crashes. 

The phishing campaign operates on an infinite loop in the background which allows continuous exfiltration of new cookies and any update to the victim’s Facebook account. The motive is to interact with the victim’s account, and ultimately create an email account managed by the hacker with the highest privilege role; that is, admin access and finance editor roles.

Hackers in Dprk use Trojanized DeFi Wallet App to Steal Bitcoin

 

North Korean government-linked hackers have now been circulating a trojanized version of a DeFi Wallet for holding bitcoin assets to obtain access to cryptocurrency users' and investors' systems.

Securing economic benefits is one of the primary motives for the Lazarus threat actor, with a focus on the cryptocurrency industry. The Lazarus group's targeting of the financial industry is increasing as the price of cryptocurrencies rises and the appeal of the non-fungible asset (NFT) and decentralized finance (DeFi) enterprises grows.

In this attack, the threat actor used web servers in South Korea to distribute malware and communicate with the implants that had been placed. Kaspersky Lab researchers recently identified a malicious version of the DeFi Wallet software that installed both the legal app and a backdoor disguised as a Google Chrome web browser executable. When the trojanized DeFi application was launched on the machine, it introduced a full-featured backdoor with a compilation date of November 2021. It's unknown how the hackers spread the word, but phishing emails or contacting victims through social media are both possibilities. 

Although it's not clear how the threat actor persuaded the victim to run the Trojanized program (0b9f4612cdfe763b3d8c8a956157474a), it is believed they used a spear-phishing email or social media to contact the victim. The Trojanized application initiates the previously unknown infection technique. This installation package masquerades as DeFi Wallet software, but it actually contains a legal binary that has been packed with the installer. 

The virus installed in this manner, as per the researchers, has "sufficient capabilities to manage" the target host by issuing Windows commands, uninstalling, starting or killing processes, enumerating files and related information, or connecting the computer to a particular IP address. 

The malware operator can also collect relevant data (IP, name, OS, CPU architecture) and the discs (kind, free space available), files from the command and control server (C2), and retrieve a list of files stored in a specified area using additional functionalities. According to Japan CERT, the CookieTime malware group known as LCPDot has been linked to the DPRK operation Dream Job, which enticed victims with phony job offers from well-known firms. 

Google's Threat Analysis Group (TAG) revealed recent activity related to Dream Job earlier this month, finding North Korean threat actors used a loophole for a zero-day, remote code execution bug in Chrome to aim at people working for media, IT companies, cryptocurrency, and fintech companies. "The CookieTime cluster has linkages with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the Lazarus organization," Kaspersky adds. 

The links between the current trojanized DeFiWallet software and other malware attributed to North Korean hackers go beyond the virus code to the C2 scripts, which overlap many functions and variable names. It's worth mentioning that Lazarus is the umbrella name for all state-sponsored North Korean threat operations. Within the DPRK, however, several threat groups are operating under different institutions/departments of the country's intelligence establishment. 

Mandiant analysts prepared an evaluation of the DPRK's cyber program structure using data collected over 16 months from its digital activity tracking for the entire country, OSINT monitoring, defector reporting, and imaging analysis. Targeting bitcoin heists is certainly within the scope of financially motivated units inside the country's Reconnaissance General Bureau's 3rd Bureau (Foreign Intelligence), according to their map (RGB).   

DDoS Attacks Hit Ukrainian Government Websites

 

DDoS attacks are causing havoc for the Ministry of Defense and the Armed Forces of Ukraine, as well as two of the country's state-owned banks, Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank). 

Bank customers got text messages saying that bank ATMs were down today, according to Ukraine's Cyberpolice, who added that the messages were "part of an information attack and do not correspond to reality." 

The Ukrainian Ministry of Defense, whose website was taken down as a result of the attacks, stated their website was most likely assaulted by DDoS: an excessive number of requests per second was observed. 

"Starting from the afternoon of February 15, 2022, there is a powerful DDOS attack on a number of information resources of Ukraine," Ukraine's State Service for Special Communication and Information Protection added. 

"In particular, this caused interruptions in the work of web services of Privatbank and Oschadbank. The websites of the Ministry of Defense and the Armed Forces of Ukraine were also attacked."

While the Ukrainian defence ministry's website is down, Oschadbank and Privatbank's websites are still up and running, albeit users are unable to access their online banking. Privatbank users have been experiencing problems with payments and the bank's mobile app, according to the Ukrainian Center for Strategic Communications and Information Security. Some stated that they couldn't get into their Privat24 internet banking accounts, while others said they observed inaccurate balances and recent transactions. 

A traffic geofencing rule was added to Privatbank's web application firewall (WAF), which automatically removed the website's contents for IP addresses outside of Ukraine and displayed a "BUSTED! PRIVATBANK WAF is watching you)" message. 

The Security Service of Ukraine (SSU) stated on Monday that the country is being targeted in a "massive wave of hybrid warfare" aimed at instilling fear in Ukrainians and undermining their faith in the state's ability to safeguard them. The SSU further stated that it has already blocked many such attempts related to hostile intelligence agencies, as well as dismantled bot farms aimed at spreading fear in Ukrainian residents through bomb threats and fake news.  

Attacks on Ukrainian authorities are being coordinated by the Gamaredon hacking organisation (connected to Russia's Federal Security Service (FSB) by Ukrainian security and secret agencies), according to the country's Computer Emergency Response Team. 

A day later, the SSU announced that it has prevented more than 120 cyberattacks aimed at Ukrainian governmental institutions in January 2022. 

Gamaredon has been directing a wave of spear-phishing emails targeting Ukrainian businesses and organisations relevant to Ukrainian issues since October 2021, according to Microsoft.

The Hacking Group 'ModifiedElephant' Remained Undetected

 

SentinelLabs' IT security researchers have discovered information of growing cyber-attacks (APT) wherein the threat actors have been targeting human rights activists, free speech advocates, professors, and lawyers in India using readily available trojans via spear-phishing since 2012. The group known as ModifiedElephant has been found to be planting 'incriminating evidence' on the devices of its targets. 

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of emailing victims that appear to come from a trustworthy source in order to either divulge sensitive information or install malware on their computers. ModifiedElephant usually uses infected Files to spread malware to its victims. The particular mechanism and content included in malicious files have varied over time, according to SentinelOne, the timeline has been given below: 
  • 2013 – An adversary sends malware via email attachments with phony double extensions (file.pdf.exe). 
  • 2015 – The group switches to encryption key RAR attachments including legitimate luring documents that hide malware execution signals. 
  • 2019 – Updated Elephant begins hosting malware-distribution sites and takes advantage of cloud hosting capabilities, transitioning from phony papers to malicious URLs.
  • 2020 – attackers circumvent identification by skipping scans by using big RAR files (300 MB).

The CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits, according to SentinelOne, were frequently utilized in luring documents, which attacked Microsoft Office Suite programs. 

Modified Elephant is not seen using any customized backdoors in its operational history, indicating the group isn't particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans extensively utilized by lower-tier hackers, were the principal malware used in the campaigns. 

ModifiedElephant's Visual Basic keylogger hasn't changed since 2012, and it's been open-source on hacking forums all that time. SentinelLabs remarks on the tool's history, pointing out that it no longer works on recent OS versions. The Android virus is likewise a commodity trojan that is distributed to users in order of an APK, luring them in by appearing like a news app or a secure messaging tool.

Spoofed Zix Encrypted Email is Used in Credential Spear-Phishing

 

Hackers have used a credential phishing attack to steal data from Office 365, Google Workspace, and Microsoft Exchange by spoofing an encrypted mail notification from Zix. According to Armorblox security researchers, the assault impacted around 75,000 users, with small groups of cross-departmental staff being targeted in each customer environment. 

Social engineering, brand impersonation, replicating existing workflows, drive-by downloads, and accessing valid domains were among the methods employed by the hackers to obtain data. “Secure Zix message” emails were sent to victims. In the body of the email, there was a header that repeated the email subject and claimed the victim had received a secure communication from Zix, a security technology company that provides email encryption and data loss prevention services.

The victim is invited to view the secure message by clicking on the "Message" button in the email. While the phoney email is not a facsimile, it is similar enough on the surface to fool the unwary victims. According to researchers, clicking the “Message” link in the email causes an HTML file entitled “securemessage” to be installed on the victim's PC. The file could not be opened in a virtual machine (VM) because the download redirect did not show within the VM.

Using valid (albeit unrelated) domains to send emails, according to Armorblox researcher Abhishek Iyer, is “more about tricking security measures (i.e. evading authentication checks) than it is about tricking recipients, especially if the domains are not forged to appear like the real thing.”

A Verizon credential phishing campaign located on the website of a Wiccan coven, for example, was discovered by Armorblox last year. Another example is an Amazon credential phishing email sent from the domain of Blomma Flicka Flowers, a tiny floral design firm situated in Vermont. Under the pretext of Amazon item delivery notices, the campaign intended to steal passwords and other personal information. 

“Whether these domains are used to send the email or host the phishing page, the attackers’ intent is to evade security controls based on URL/link protection and get past filters that block known bad domains,” Iyer said via email.

"To host phishing pages on legitimate domains, attackers usually exploit vulnerabilities in the web server or the Content Management Systems (CMS) to host the pages without the website admins knowing about it," he continued.

Threat Group Aggah Targets Industries Via Spear-Phishing Campaigns

 

A spear-phishing attack that seems to have commenced in early July 2021, targeting various manufacturing industries in Asia has been identified and reported by Anomali Threat Research. 

During this campaign, the strategies, methods, and procedures detailed in the report correspond to the threat group Aggah. The investigation further unveiled several PowerPoint files with harmful macros that employed MSHTA to launch a PowerShell script to charge hex-encoded payloads. Through the findings as well as the analysis based on the campaign's TTP, researchers evaluated that the threat group behind the security incident probably is Aggah. 

Cybercriminals employed numerous vulnerable WordPress websites to target Asian producers with a new operation for phishing attacks that deliver, the Warzone RAT, a freight for sale on crime forums, researchers stated. 

Warzone is a malware commodity having hacked versions available on GitHub. The RAT utilizes the Ave Maria stealer's code repeatedly. Warzone RAT's features include scale privilege, keylogging; remote shelling, file download and execution of files, file managers, and network endurance, as per the researchers.

Based on the recent research by Anomali threat detection and security agency, the threat organization Aggah, which is believed to be associated with Pakistan and was identified for the first time in March 2019, has delivered the RAT to manufacturing enterprises in Taiwan and South Korea. 

Aggah is an information-based threat group discovered by researchers from Palo Alto Network’s Unit 42, for the very first time. The researchers believed the activity to be a campaign against organizations in the UAE. In-depth research by the very same team revealed that it was a global Revenge Rat Phishing Campaign.

“Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah,” Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday 12th of August 2021. 

Aggah, which normally seeks to steal information from targets, was also previously considered to be affiliated with the Gorgon Group: a Pakistani organization recognized for targeting the Western governments. This relationship has still not been confirmed yet, however, the Anomali researchers believe that the Urdu-speaking group came from Pakistan. The most recent campaign of Aggah included the Taiwan-based manufacturing company, Fon-star International Technology; Fomo Tech, a Taiwanese engineering company, and the Korean power plant, the Hyundai Electric. 

Researchers have indicated that the latest campaign of Aggah for spear phishing began with a bespoke e-mail pretending to be from "FoodHub.co.uk," a UK-based food delivery service. “The email body includes order and shipping information as well as an attached PowerPoint file named 'Purchase order 4500061977, pdf.ppam' that contains obfuscated macros that use mshta.exe to execute JavaScript from a known compromised website, mail.hoteloscar.in/images/5[.]html,” researchers stated. 

“Hoteloscar.in is the legitimate website for a hotel in India that has been compromised to host malicious scripts,” they said. “Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.”

Cyber Criminals Sending Phishing Mails Pretending to be from Russian Government Domain

The administration of RSNet (Russian State Network) recommended not to open letters from unknown senders, not to click on links from emails of legitimate users of the RSNet, including from the administration of the RSNet, and also not to open attachment files contained in such emails.

According to Andrey Kovtun, the head of the mail threat protection group at Kaspersky Lab, scammers set up phishing mailings allegedly from a domain gov.ru. He explained that the attackers use a fake sender's address webmaster@gov.ru.

"Such attacks are usually more complicated than mass attacks, even the real names and phone numbers of employees of the organization can be used," added the expert.

In turn, Alexey Drozd, the head of the information security department of SearchInform, warned against using links from emails even from legitimate users because of the possibility of hacking their accounts.

The expert also noted that recently, scammers sent phishing emails allegedly from the tax authorities.

"People trust domains that look like government domains. In addition, if any letter comes from a government agency, we consider it important," he added.

Earlier, the Ministry of Internal Affairs of Russia reported on the arrest of a group that published ads for the sale of real estate and premium cars and stole money from the accounts of Russians. The attackers asked potential buyers to confirm their solvency by transferring a certain amount to friends or relatives through certain payment systems, and then to provide the potential seller with a receipt for a financial transaction.

Thus, the attackers found out the personal data of the recipients of the transfers and made fake passports in their names, with which they visited credit and financial organizations and withdrew money from the accounts of citizens.

Hacking Group Earth Wendigo Exploits Emails via Spear-phishing Attacks


As per the cybersecurity experts, the cyberattacks are related to Earth Wendigo, a cyber criminal currently not linked to any of the hacking groups. At the start of May 2019, Trend Micro reported that multiple organizations were attacked by Earth Wendigo. The targets include research institutions, government organizations and universities. The cyberattack used spear-phishing mails to exploit its victims, which include activists and politicians based in Hong Kong, Tibet and Uyghur region. 

Trend Micro reports, "we discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.” 

Earth Wendigo deployed spear-phishing emails that contained obfuscate Java script code, using initial attack vectors, Java script loaded corrupted scripts from remote servers controlled by attackers. The scripts were built for stealing Webmail session keys and browser cookies, spread the malicious scripts through appending code with the target's email signature, and exploiting an XSS (cross-site scripting) vulnerability in the Javascript injection Webmail server. "The Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a JavaScript backdoor. The WebSocket server instructs the backdoor on the victim’s browser to read emails from the webmail server and then send the content and attachments of the emails back to the WebSocket servers," says Trend Micro. 

The XSS vulnerability exploit exists in system shortcut feature of webmail, which allows the threat actor to put craft payload shortcut that replaces webmail system page's parts by corrupted JavaScript codes. "Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers," reports Trend Micro.

Banking Malware Being Distributed By Hackers Via Password Protected Zip Files!





Cyber-cons have a new way of wreaking havoc. Hackers have found another unique way to bypass security. Reportedly the infamous BOM technique’s to blame.

The “Byte Order Mark” technique goes about altering the host’s files on the windows system.

The major superpower of the BOM is helping the threat actor group to be under the line of display or detection.

The researchers from a very widely known anti-virus firm noticed a new campaign that majorly worked on spear phishing.

The spear phishing process would help to deliver the infected files to the victim’s system.

The moment the user attempts to open the ZIP file using their default browser, it all crashes and an error sign pops up, saying.

According to the researchers, the legit ZIP files start with “PK” and are of (0x 504B). The BOM have extra three bytes (0x EFBBBF) found within UTF-8 text files.

In some systems the ZIP archive format goes undetected but in some systems it’s recognized as a UTF-8 text file and the malicious payload isn’t extracted.

The same files on the other hand could be opened via third-party functions to name a few 7-Zip & WinRAR.

Once the extraction of the file is done, the malware is executed thence beginning the infection process.

Systems using third party utilities are more susceptible to such malware attacks than the rest.

The malicious executable is just a tool to help load the main payload inserted within the main source section.

The malware originates from a DDL along with a BICDAT function encrypted with the XOR based algorithm.
The library then downloads a second stage of payload, the password protected ZIP file.
The dcyber crownloaded payload material is encrypted using similar functions as the inserted payload.
After having extracted the necessary files the last and final payload is launched, which goes by the name of “Banking RAT malware.”
This RAT scours information like access card codes, dates of birth, account passwords, electronic signature, e-banking passwords and etc from the system.

Android Spyware "Triout" Back With Spying Abilities And New Malicious Schemes






An android malware in the guise of an online privacy app, is all set to cause a lot of harm as it’s resurfaced as a more malicious version of itself and has acquired spy abilities.

The application tries to trick the users into downloading and then starts working its method.

Triout, the application is created to help users dodge censorship on the internet.

The campaign had been active since May last year, under the guise of an adult 
application.

August, 2018 is when the spyware was discovered, because of the massive amounts of information it was harvesting, including photos, text conversations, and phone conversations.

Collecting GPS information about the victims and making the user’s location vulnerable are two of the other mal effects.


With changed tactics and better malicious effects to it, the malware is being distributed under the cloaks of a stolen but legit privacy tool from Google play store.

Psiphon is the privacy tool behind whose face version Triout is hiding. This application is widely used and has been downloaded like a million times.

Third party sites also provide this app on their platforms, in case hackers don’t seem to have access to play store of Google.

The fake version of Psiphon works in exactly the same way as the real version of it. The looks and the interface have all been cleverly matched.



A particular type of set of victims is being targeted via Triout so that it doesn’t raise much suspicion.

When the malware was discovered it was found to be targeting users from Germany and South Korea.

Spear-phishing is another concept that is reportedly being employed by the cyber-cons to ensure that the users download their malicious app.

The way to lure in the victims and the commands and controls of Triout have been cunningly altered to extract a hike in the success rate.


Reportedly, the updated versions of Triout are being uploaded from various distinct locations of the world, a few being Russia, France and US.

The origin of the campaign and the cyber-cons behind it are still behind the curtain and this is what makes Triout more malicious.

According to the leading security researchers, this application possesses super spying powers and is deliberately fabricated to perform activities like espionage.

The researchers implore the users to download applications only from official sites and try to steer clear off any suspicious looking applications and refrain from downloading it.

Infamous North Korean Hacking Group Steals $571 Million in Cryptocurrency


The North Korean Hacking Group, Lazarus has managed once more to embezzle more than a billion dollars in cryptocurrency. The group has purportedly done such sorts of thefts since January 2017, amassing an enormous $571 million from the attacks. This was in accordance with an article published on Friday by The Next Web as well as the coming yearly report from the cybersecurity vendor Group-IB.

The claims made by some South Korean officials in February express that the North Korean hackers likely stole millions of dollars' worth in cryptocurrency in the year 2017.

Since the beginning of last year, the greatest contribution that could be made in hacking outfits has been done by Lazarus, which stole $571 million in cryptocurrency. Their greatest plunder - $534 million originated from a solitary attack led earlier in January 2018.

As indicated by the eminent cybersecurity unit Group IB the hacking outfits are more acclimated with utilizing techniques extending from spear phishing to social engineering and malware introduction to compromising cryptocurrency exchange networks.

"After the local network is successfully compromised, the hackers browse the local network to find work stations and servers used working with private cryptocurrency wallets," says the summary of an annual report prepared by the unit detailing the situation of hi-tech cybercrime trends across the globe. It also indicates that $882 million in cryptocurrency was stolen from exchanges in total from 2017 to 2018.

Massive phishing groups, as the report stated, are exploiting the users' fear of missing out a major opportunity, baiting them to invest their resources into unauthentic projects on knockoff websites.
Group IB additionally states that the quantity of attacks focusing on crypto trades is probably going to rise further, with hackers of more conventional financial institutions, like the banks are being attracted to the space looking for enormous increases.

All the more worryingly, these thefts are prognosticated to increment similarly as with time, more and more aggressive hacking groups are likely to move towards cryptocurrency.

Lebanon Spyware Uncovered, Steals Data through Fake Messaging Apps

Researchers from non-profit campaign group Electronic Frontier Foundation (EFF) and mobile security group Lookout have together uncovered malware that targets individuals such as military personnel, journalists, lawyers, and activists, using fake apps that look like popular messaging apps like WhatsApp and Signal.

The malware, dubbed “Dark Caracal” by the researchers, targets known Android weaknesses and iOS has not been affected by it.

According to their report on Dark Caracal, the malware was traced back to a server in a Lebanese government building — a building belonging to the Lebanese General Security Directorate in Beirut, Lebanon — and seems like the threat could be coming from a nation-state.

“We have identified hundreds of gigabytes of data exfiltrated from thousands of victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia,” the report read.

“This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying because phones are full of so much data about a person’s day-to-day life,” said EFF Director of Cybersecurity Eva Galperin.

Data stolen through the spyware includes documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

According to EFF, WhatsApp or Signal have not been compromised, and Google has confirmed that the infected apps were not downloaded from its Play Store. Instead, the attackers use “spearphishing” to get these fake apps on targets’ phones, which is a phishing attack that specifically targets an individual using information the attacker has on the victim.

“All Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin.

Dark Caracal has reportedly been operating since 2012 but has been unable to track down because of the number of similar attacks happening all over the world that have repeatedly been misattributed to other cybercrime groups.

This research has shed light on how governments and people are able to spy on individuals all over the world.


The Dyre Wolf of cyber street is after your money


The Dyre malware affecting the corporate banking sector has successfully stolen upwards of million dollars from unsuspecting companies since its inception in mid-2014, according to IBM's Security Intelligence report.

In a span of seven months the global infection rate has shot up from 500 to more than 4000 with North America being the most affected region.

While such a threat is not new to the banking sector what sets Dyre apart is its wealth of features that combines Spear phishing, malware (initial infection via Upatre), social engineering, complex process injections, the Deep Web and even Distributed Denial of Service (DDoS) alongside the constant updates that makes its detection tough.

The malware works in multiple steps.

Spear phishing: An organization  is as strong as its weakest link. Dyre uses this adage to the full as it targets employees of an organization with mails that contains the malware delivered in a zip file. Unsuspecting employees might download the zip file having a scr or an exe file which is actually the  malware known as Upatre (pronounced like “up a tree”), which begins the initial infection of the target machine.

First Stage Malware: Upatre then establishes contact with the Control and Command servers and downloads and installs Dyre to the system and deletes itself.

Second Stage Malware: Dyre establishes persistence in the system and connects to nodes at Invisible Internet Project that would enable it to communicate information without revealing destination or content.It also sends emails to victim's contact list aiming to increase its list of potential victims.It then hooks to the victim's browsers to intercept log in credentials by routing them to fake pages when the victim tries to visit web sites of the targeted bank.

Advanced Social Engineering: Social engineering is the alarming aspect of Dyre Wolf campaign. In addition to providing fake pages to extract log in data from individuals, it can at times display a message to the consumer asking them to call the bank at a specified number. Dyre wolf operators at the other end of the line act professionally and extract information under the guise of verification. This is done to circumvent bank's two stage authentication processes.

Wire Transfer and DDoS: After obtaining credentials, they log into the accounts and request for wire transfer of large sums. The money is moved from account to account quickly to make tracing and reversal impossible. Following this the affected consumer faces DDoS from the bank pages which hinders detection and investigation.

Dyre is operated by a highly organized and well funded group of cyber criminals in Eastern Europe.

The only way to prevent this seems to be to avoid the first infection of the system arising from a vulnerable employee. Employees need to be trained well on regarding such malwares, spear-phishing campaigns. Other preventive measures include stripping executables from email attachments, preventing installation from temp folders, using updated anti-virus, two factor authentications etc.

Target data breach started with a Spear phishing attack targeting HVAC firm

A latest information on Target data breach published by security blogger Brian Krebs shows the power of Social Engineering attacks. 

It appears everything began from a spear phishing attack in which employees of HVAC company Fazio Mechanical Services targeted with an email containing a piece of malware.

Sources have told Krebs that the malware used in the attack is Citadel- a notorious banking trojan capable of stealing login credentials and other information.  However, Krebs isn't able to confirm the information.

The reason why the company didn't get chance to identify the malware is because it is using a free version of Malwarebytes Anti-malware to protect is internal systems.

Malwarebytes is one of good tool capable of scanning and removing threats from infected machines.  However, unlike the Pro version(just $25), it doesn't offer any real-time protection.

Furthermore, the free version is meant for individuals not for companies, also the license for free version prohibits corporate use. 

Java based Remote Access Tool used in Spear Phishing attacks targeting Government


A Spear Phishing attack targeting Government Agencies has been uncovered by Symantec Security Researchers.  The emails with the subject related to recent hot media topic "NSA surveillance program PRISM" have three attachments.

What's interesting about the attachment is one of the attachment is a JAR file which is nothing but a Java based Remote Administration Tool(RAT).  The other attachments are two non-malicious PDF files.

Once victim opened the JAR file, the java applet will run in the victim's system which is capable of giving full control of the compromised system to the Cybercriminals.

Java RAT builder control panel- Image Credits: Symantec

As we all know, the Java is platform independent language, the applet can run not only windows but also but also Linux, Mac OSX, FreeBSD, Solaris and Any operating system that supports java.

According to Symantec report, most of the target of this malware are located in United States.  Symantec now detects this threat as Backdoor.Jeetrat.