Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Trojan Attacks. Show all posts
Trojan Attacks
Android 10 Banking Data Kaspersky malware Sensitive data Supply Chain Attack Trojan Attacks

Preinstalled ‘Guerrilla’ Malware Infects Millions of Smartphones Worldwide

 

Security experts have made the alarming discovery that preloaded 'Guerrilla' malware has been disseminated on millions of smartphones globally. Once embedded in the device, this sneaky type of malware grants attackers unrestricted access to private user data, potentially resulting in privacy violations and financial loss.

The Guerrilla malware, also known as the Triada trojan, is one of the most advanced and persistent mobile threats to date. It was first identified by Kaspersky researchers, who found it embedded in the firmware of various Android devices. This preinfection tactic makes it extremely difficult for users to detect and remove the malware, as it resides deep within the device's system files.

The Lemon Group, a notorious cybercriminal organization, is believed to be behind the distribution of these infected smartphones. They capitalize on unsuspecting users who unknowingly purchase devices already compromised with the Guerrilla malware. Once activated, the malware acts as a backdoor, allowing the cybercriminals to remotely control the device, intercept communications, and steal sensitive information such as login credentials, banking details, and personal data.

The implications of this preinfection tactic are profound. Users are left vulnerable, unaware that their devices have been compromised from the moment they start using them. Even performing a factory reset or flashing the firmware does not guarantee the complete removal of the malware, as it can persist in the device's system files.

To make matters worse, many of these infected devices are sold in regions with limited cybersecurity awareness and infrastructure, making it even more challenging to address the issue effectively. The impact extends beyond individual users to businesses and organizations that may unwittingly integrate these compromised devices into their networks, potentially exposing sensitive corporate data to cybercriminals.

The discovery of millions of smartphones distributed with preinstalled Guerrilla malware underscores the urgent need for stronger security measures throughout the supply chain. Smartphone manufacturers must implement rigorous security checks to ensure that their devices are free from malware before they reach the market. Additionally, users should exercise caution when purchasing devices, opting for reputable sellers and performing regular security scans on their devices.

The battle against preinstalled malware requires collaboration between smartphone manufacturers, cybersecurity researchers, and law enforcement agencies. By sharing intelligence and implementing proactive measures, it is possible to mitigate the impact of this growing threat and protect users from the dangers of preinstalled malware.

Guerrilla spyware that comes preinstalled on millions of cellphones poses a serious threat to consumer security and privacy. Users, manufacturers, and the cybersecurity community must all exercise vigilance and be proactive in addressing this sneaky danger due to the clandestine nature of this malware. We can only protect our digital life and maintain the integrity of our cellphones by working together.
Read more »
User Privacy
Malicious actor malware Open Source Tor Browser Trojan Attacks Trojanized Apps User Privacy

Trojanized Tor Browser Bundle Drops Malware

 

Cybersecurity experts are warning about a new threat in the form of trojanized Tor browser installers. The Tor browser is a popular tool used by individuals to browse the internet anonymously. However, cybercriminals have been able to create fake versions of the Tor browser that are infected with malware.

Recent reports suggest that cybercriminals have been distributing a trojanized version of the Tor browser, which installs cryptocurrency-stealing malware onto the victim's device. The malware is designed to steal the victim's crypto wallet keys and passwords, allowing the attacker to transfer funds out of the victim's account. This malware has been specifically targeting Russian-speaking users, distributed through a Russian-speaking forum.

As cybersecurity expert Kevin O'Brien stated in an interview with SC Magazine, "the security industry has been playing whack-a-mole with Tor-based attacks for years." He recommends that individuals only download the Tor browser from the official website and avoid downloading it from third-party sources.

The trojanized Tor browser installers are just one example of how cybercriminals constantly evolve their tactics to stay ahead of cybersecurity measures. Individuals and organizations need to remain vigilant, stay informed about the latest threats, and take the necessary precautions to protect themselves from these attacks. Regularly assessing the security posture, running security awareness campaigns, and ensuring that the right security technologies are in place to detect, prevent, and respond to attacks are important measures to take.

Organizations should educate their employees on how to spot fake versions of the Tor browser and other similar tools. They should encourage the use of official versions from trusted sources. In the words of the team at DarkReading, "It's always better to be proactive than reactive." Taking proactive measures can help individuals and organizations stay protected from cyber attacks.

The installers for the Tor browser that have been tampered with by cybercriminals are just one of the many methods they use to prey on unwary people and businesses. Individuals and organizations can better defend themselves against these attacks by remaining informed about the most recent risks and implementing preventative actions.

Read more »
Trojan Attacks
Antivirus APT Backdoor Botnets Cyber Crime Endpoint ESET Symantec Trojan Attacks

Hacker Group Cranefly Develops ISS Method

The novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs has been used to install backdoors and other tools by a recently leaked dropper. Cybersecurity experts at Symantec claimed an attacker is utilizing the malware known as Cranefly also known as UNC3524 to install Trojan. Danfuan, another undocumented malware, as well as other tools.

Mandiant reported that Cranefly mainly targeted the emails of individuals who specialized in corporate development, merger and acquisitions, and significant corporate transactions when it was originally founded in May. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment without support for security measures.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory now claims that UNC3524 used Hacktool-based backdoors in some instances. Multiple advanced persistent threat (APT) clusters use the open-source technology Regeorg.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group as evidenced by the adoption of a new method in conjunction with the bespoke tools and the measures made to conceal their activity.

On its alert and Protection Bulletins website, Symantec lists the indicators of compromise (IoC) for this attack. Polonium is another threat actor that usually focuses on gathering intelligence, and ESET recently saw Polonium utilizing seven different backdoor variants to snoop on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.



Read more »
User Privacy
Chaos Malware Data Breach Gaming Community Kaspersky Payloads Trojan Attacks User Privacy

Analysis of Cyberthreats Linked to Gaming Industry in 2022

 

In 2022, the global gaming industry will surpass $200 billion, with 3 billion players worldwide, predicts the analytical firm Newzoo. Such committed, solvent and eager-to-win viewers have become a bit of trivia for botnets, that always look for ways to deceive their victims. 

According to data gathered by Kaspersky between July 2021 and July 2022, dangerous files that propagated through the misuse of gaming brands were mostly related to Minecraft (25%), FIFA (11%), Roblox (9.5%), Far Cry (9.4%), and Call of Duty (9%).

In specific, the report reviewed the most widespread PC game–related threats and statics on miner breaches, attacks disguised as game frauds, and thefts. Also, it examined several most energetic malware groups, offering them detailed, in-depth features.

In aspects of annual dynamics, Kaspersky reveals seeing a decline in both the quantities of distribution (-30%) and the number of users (-36%) compared to 2020.

Further, in the first half of 2022, Kaspersky said those who witnessed a notable increase in the number of consumers threatened by schemes that can deceive secret info, with a 13% increase over the first half of 2021.

In the same period, hackers also amplified their attempts to expand Trojan–PSW: 77% of secret-stealing spyware infection cases have been linked to Trojan–PSW.

A few recent cases of concealing malware in software encouraged as game frauds, installers, keygens, and the games themself are the following:
  • Minecraft alt lists on videogames forums dropping Chaos ransomware
  • NPM packages masquerading as Roblox libraries conveying malware and password stealers
  • Microsoft Store copies of games with malware loaders
  • Valorant cheats elevated via YouTube falling info-stealing malware
The cause why hackers exploit game titles to entice people is mainly the massive targeted pool, as the exploited game titles capture the interest of tens of millions of players.

A few instances of fake in-game item stores that copied the originals are highlighted by Kaspersky. These stores conned gamers into paying for stuff they would never receive while also phishing their login information.

Some users find the cost of games itself to be prohibitive and turn to pirated versions instead. Other games are being developed in closed beta, which excludes many potential players and forces users to look for alternate access points. Hackers take advantage of these circumstances by selling fraudulent, pirated beta testing launchers.

In terms of threat variants, Kaspersky reported that little had changed since last year in the environment that impacts gamers, with downloaders (88.56%) topping the list of harmful and unwanted software that is disseminated using the names of well-known games. Trojans (2.9%), DangerousObject (0.86%), and Adware (4.19%) are the next three most prevalent threats.

Finally, many developers advise users to disable antivirus software before installing game-related mods, cheats, and tools because many of them are created by unofficial one-person projects and may trigger false positive security detections.

As a result, players may disregard AV alerts and run malicious programs that have been found on their systems. Downloaders dominate because they can pass internet security checks without incident while still retrieving riskier payloads later on when the user runs the program.

Kaspersky claims that information thieves, cryptocurrency miners, or both are frequently dumped onto the victim's PC. As always, only download free software from reputable websites and exercise caution when doing so.

Read more »
WordPress
Bug CVE vulnerability IP addresses malware phishing PHP Plugins Trojan Attacks WordPress

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites was made to take advantage of an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability that affects Kaswara Modern WPBakery Page Builder Addons, when exploited, gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or instead gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider claims to have halted 443,868 attacks on client websites per day and strives to do the same till date. Daily, on average, 443,868 tries are made.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax/php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate Javascript files to reroute users to dangerous websites including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==" or if these files themselves contain the "; if(ndsw==" string.

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, a bulk of them wasn't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.
Read more »
User Privacy
APT attacks Chinese Hackers Cyber Attacks Palo Alto Networks' Unit 42 telecommunications Trojan Attacks Unauthorized Websites User Privacy

 GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 connections. Experts also discovered PingPull variations that communicate with each other using HTTPS and TCP rather than ICMP.

Gallium, a Chinese advanced Trojan horse (APT), has an ancient legacy of cyberespionage on telecommunications companies, dating back to 2012. In 2017, the state-sponsored entity, also called Soft Cell by Cybereason, has been linked to a broader range of attacks aimed at five major Southeast Asian telecom businesses. However, during the last year, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 

A threat actor can use PingPull, a Visual C++-based virus, to gain access to a reverse shell and run unauthorized commands on a compromised computer. File operations, detailing storage volumes, and timestamping files are all part of it now. 

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 

PingPull variants that use HTTPS and TCP rather than ICMP to interact with its C2 server have been discovered, along with over 170 IP addresses associated with the company since late 2020. Although the threat actor is recognized to exploit internet-exposed programs to acquire an initial foothold and deploy a customized form of the China Chopper web shell to create persistence, it's not obvious how the targeted networks are hacked. 

Throughout Southeast Asia, Europe, and Africa, the GALLIUM trojan continues to pose a serious danger to telecommunications, finance, and government organizations. It is recommended all businesses use the results of researchers to inform the implementation of protective measures to guard against this threat group, which has deployed a new capability called PingPull in favor of its espionage efforts.
Read more »
WinRAR
Bitcoin C&C Crypto-Mining DLL malware P2P Botnets Symantec Trojan Attacks WinRAR

Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale operation of Clipminer, a new cryptocurrency mining virus that netted its users at least $1.7 million in transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and harvest cryptocurrency on affected computers. Researchers were taken aback by the new malware because it had fast grown in size by the time it was discovered. According to the Symantec team, these operations involved 4375 bitcoin wallet addresses that received stolen monies from victims.

Downloads or pirated software, are used to spread malware; malicious clipminer botnet files are distributed over torrent sites and other pirating methods. This bitcoin miner can be installed on the machine as a WinRAR archive, which will immediately start the extraction process and launch the control panel file, leading to the download of the dynamic link library. 

The infected DLL creates registry values and installs malware in several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner's payload can be downloaded and installed afterward. The system receives identification, which is sent on to the C&C server, which then sends out a request for the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has been successfully executed, scheduled actions are set up to ensure the malware's persistence. To avoid re-infecting the same host, registry modification is also performed.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Ever since the malware has spread over P2P networks, torrent indexers, YouTube videos, and through game and pirated software cracks. To avoid becoming infected with Clipminer or other malware, avoid downloading software from unknown sources. Verify the entered cryptocurrency wallet address before initiating the transaction to protect yourself from a clipboard hijacker.
Read more »
User Privacy
Android Banking Malware Cerberus Crypto Wallets Cyble Google malware Trojan Attacks User Privacy

Over 467 Apps Hit by the ERMAC 2.0 Android Banking Trojan

 

The ERMAC Android banking virus has been updated to version 2.0, increasing the number of apps targeted from 378 to 467, allowing attackers to steal account passwords and crypto wallets from a much greater number of apps.

Threatfabric researchers found ERMAC in July 2021, notably it is based on the well-known banking trojan Cerberus. Cerberus' source code was released in September 2020 on underground hacking forums after its operators failed an auction. The trojan's goal is to send stolen login credentials to threat actors, who then use them to gain access to other people's banking and cryptocurrency accounts and commit financial or other crimes.

ERMAC is currently available for subscription to members of darknet sites for $5,000 a month, that is a $2k increase over the first release's price, indicating the boost in features and popularity. A bogus Bolt Food application targeting the Polish market is the first malware campaign to use the new ERMAC 2.0 virus. According to ESET researchers, the threat actors disseminated the Android software by impersonating a reputable European food delivery business on the "bolt-food[.]site" website. This phony website is still active. 

Phishing emails, fraudulent social media posts, smishing, malvertising, and other methods are likely to lead users to the false site. If users download the program, they will be confronted with a request for complete ownership of private data.

Following ESET's early discovery, Cyble researchers examined the malware. ERMAC determines whether programs are installed on the host device before sending the data to the C2 server. The answer contains encrypted HTML injection modules which match the application list, which the virus decrypts and saves as "setting.xml" in the Shared Preference file. When the victim tries to run the real program, the injection operation takes place, and a phishing page is displayed on top of the original one. The credentials are forwarded to the same C2 that is responsible for the injections.

The following commands are supported by ERMAC 2.0:

  • downloadingInjections — sends the application list for injections to be downloaded.
  • logs — this command sends the injection logs to the server.
  • checkAP — check the status of the application and transmit it to the server. 
  • registration – sends information about the device.
  • updateBotParams — sends the bot parameters that have been updated.
  • downloadInjection — this function is used to download the phishing HTML page. 

EMAC 2.0 targets financial apps from all over the world, making it appropriate for use in a wide range of nations. A large number of apps supported makes this a dangerous piece of malware, but it's worth mentioning that it would have issues in Android versions 11 and 12, thanks to extra limits implemented by Google to prevent misuse of the Accessibility Service.
Read more »
Subscribe to: Posts (Atom)