Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Trojan. Show all posts
Trojan
CVE-2024-38213 Cyber Security CyberCrime DarkGate operators Microsoft security patch Ransomware SmartScreen vulnerability Spyware Trojan

Microsoft Patches Critical SmartScreen Vulnerability Exploited by Attackers

 


Microsoft's SmartScreen feature, a cornerstone of Windows security, faced a significant setback when a critical vulnerability, CVE-2024-38213, was exploited by cybercriminals. This vulnerability allowed attackers to circumvent SmartScreen's protective mechanisms and deliver malicious code to unsuspecting users.

The vulnerability exploited a weakness in SmartScreen's ability to identify and block potentially harmful files. By exploiting this flaw, attackers were able to disguise malware as legitimate software, tricking users into downloading and executing harmful files. This deceptive tactic, known as social engineering, is a common strategy employed by cybercriminals.

The consequences of this breach were severe. Cybercriminals were able to deploy various types of malware, including ransomware, spyware, and trojans. These malicious payloads could steal sensitive data, encrypt files for ransom, or even take control of infected systems. The potential impact on individuals and organizations was significant, ranging from financial loss to data breaches and disruption of critical operations.

Several threat groups were implicated in the exploitation of CVE-2024-38213. Notable among them were the DarkGate operators, who used the vulnerability to distribute malware through copy-and-paste operations. These attackers often targeted popular software, such as Apple iTunes, Notion, and NVIDIA, to lure victims into downloading malicious files.

Upon discovering the vulnerability, Microsoft's security teams worked diligently to develop a patch to address the issue. The patch was included in the June 2024 Patch Tuesday update. However, the company initially failed to provide a public advisory, leaving users unaware of the potential threat. This oversight highlighted the importance of timely communication and proactive security measures.

The exploitation of CVE-2024-38213 serves as a stark reminder of the constant threat posed by cybercriminals. It underscores the need for robust security measures, both at the individual and organizational level. Users must remain vigilant, exercise caution when downloading files, and keep their systems up-to-date with the latest security patches.

For organizations, the incident emphasizes the importance of a comprehensive security strategy that includes vulnerability management, incident response planning, and employee training. By investing in these areas, businesses can better protect themselves against cyber threats and minimize the potential damage from successful attacks.

As the cyber threat landscape continues to evolve, it is essential for both individuals and organizations to stay informed about emerging threats and best practices for cybersecurity. By working together, we can help create a safer digital environment for everyone.

Read more »
Trojan
cryptocurrency Cryptojacking Cyberattacks Cyberbreach Cyberhakcers Cybersecurity Cyberthreats IoT Malicious program Technology Trojan

Cryptojacking Attacks Soar 409% in India Amid a Global Shift in Cybersecurity Tactics

 


A rise in technology has also led to an increase in cybersecurity concerns as a result of the rise of technology. It is becoming more and more common for users across the world to fall victim to online scams day after day, and this is even getting the authorities in action, as they're now attempting to combat this trend by taking steps to introduce safeguards for users. 

According to the first half of 2024 global statistics, malware volume increased by a whopping 30 per cent on a global scale. As a result of this increase alone, the number of reports increased by 92 per cent in May. Throughout 2024, the number of malware attacks in the country increased by 11 per cent and ransomware attacks rose by 22 per cent, indicating that businesses are facing more cyber threats than ever before, according to a report by SonicWall. 

A SonicWall report published in February 2024 revealed that malware attacks increased by eleven per cent in volume from 12,13,528 in 2023 to 13,44,566 in 2024 as compared to the previous year. IoT (Internet of Things) attacks have increased by 59 per cent in the last year, with 16,80,787 attacks occurring annually in 2024 as opposed to 10,57,320 in 2023, the study found. 

There is no doubt that India is making substantial efforts to become one of the leading countries in the field of technology. While the use of technology has increased over the years, a recent trend has also been accompanied by significant cybersecurity risks. Attacks on Internet of Things (IoT) devices have increased by 59 per cent in 2024 as compared to 1,057,320 in 2023, which marks an increase of 11 per cent in malware attacks, a 22 per cent increase in ransomware attacks, and an 11 per cent increase in Internet of Things (IoT) attacks. 

According to the report, there was a marked increase in both ransomware attacks and crypto attacks; the latter grew by an astonishing 409 per cent. The SonicWall Vice President for APJ Sales, Debasish Mukherjee, noted that organizations are facing an increasingly hostile threat environment because attackers are continuing to innovate beyond traditional defences to become more successful. According to the "Mid-Year Cyber Threat Report" published by SonicWall, the rise of new cyber threats is becoming increasingly prevalent among businesses due to these new developments in cybersecurity. 

Cryptojacking attacks are increasing, and India has reported the highest number of attacks with a 409 per cent increase compared to a global decline of 60 per cent — a startling statistic. In a recent report published by SonicWall Capture Labs, SonicWall released the 2024 SonicWall Mid-Year Cyber Threat Report today. This report reveals that cyber threats are once again on the rise after an 11% increase in 2023, confirming the 11% rise in high-quality attacks since 2023.

A report published by the company details the changing threat landscape over the first five months of this year, showing the persistence, relentlessness, and ever-growing nature of cyber threats across the globe. A report that has been designed with SonicWall's partners in mind, has undergone several changes over the past few years, much like SonicWall itself has undergone several changes. As part of its evolution, the report has recently changed the way it measures vital cyber threat data to include time as a component. 

A key part of the report outlines the latest threats which are affecting our partners and the customers they serve, and for the first time, it highlights how attacks can have a direct impact on our partners, including threats to revenue. According to SonicWall intelligence, on average, companies are likely to be under critical attack - that is, attacks which are most likely to deplete business resources - for 1,104 of the 880 working hours they have in a given month. 

In the first five months of 2024, businesses were shielded from potential downtime of up to 46 days, a critical safeguard that protected 12.6% of total revenues from potentially devastating cyber intrusions. This significant finding was among the key insights from a recent report, underscoring the escalating threats faced by modern enterprises. 

Douglas McKee, Executive Director of Threat Research at SonicWall, emphasized the importance of robust cybersecurity measures, stating, "The data and examples found in the report provide real-life scenarios of how crafty and swift malicious actors operate, underscoring that traditional cybersecurity defences often prove to be the most reliable." One of the most pressing concerns highlighted in the report is the increasing sophistication of supply chain attacks. 

These attacks exploit the interconnectedness of modern enterprises, targeting vulnerabilities in third-party software and services to compromise broader networks. The first half of 2024 saw several sophisticated attacks, including a high-profile breach involving the JetBrains TeamCity authentication bypass. By the end of 2023, three out of the top five companies globally had already suffered supply chain breaches, affecting more than 50% of their customers. 

These breaches were primarily due to vulnerabilities such as Log4j Log4Shell and Heartbleed. The report also revealed that organizations, on average, took 55 days to patch even 50% of their critical vulnerabilities, further exposing them to risk. In response to these growing threats, Microsoft has made significant strides in addressing vulnerabilities. 

In 2023, the company patched more than 900 vulnerabilities, with Remote Code Execution (RCE) vulnerabilities accounting for 36% of them. Despite the high number of RCE vulnerabilities, they were exploited only 5% of the time. In contrast, Elevation of Privilege vulnerabilities, which were leveraged 52% of the time, posed a greater risk. By mid-2024, Microsoft had already patched 434 vulnerabilities, matching the record set in 2023. 

Notably, 40% of these vulnerabilities were classified as RCE, yet 86% of the exploited vulnerabilities were related to Security Feature Bypass or Elevation of Privilege issues. The report also sheds light on the growing threat posed by Remote Access Trojans (RATs). These malicious programs disguise themselves as legitimate applications to obtain necessary permissions and connect to command-and-control servers, enabling them to steal sensitive information and bypass multi-factor authentication (MFA). Industries will experience several sophisticated RAT attacks in 2024, with malware such as Anubis, AhMyth, and Cerberus evolving to bypass MFA, making them a significant cybersecurity threat. PowerShell, a versatile scripting language and command-line shell, has also become a favoured tool among malicious actors due to its user-friendly features. 

The report revealed that 90% of prevalent malware families, including AgentTesla, AsyncRAT, GuLoader, DBatLoader, and LokiBot, utilize PowerShell for malicious activities. Of these, 73% use PowerShell to download additional malware, evade detection, and carry out other harmful actions. This report serves as a stark reminder of the increasing sophistication and prevalence of cyber threats in 2024, underscoring the need for continued vigilance and robust cybersecurity measures to protect businesses and their customers.
Read more »
Trojan
Cyber Attacks IT Sector Malware Attack Ransomware attack Ransomware Threat Remote Access Trojan Trojan

New Ransomware Threat: Hunters International Deploys SharpRhino RAT

 

In a troubling development for cybersecurity professionals, the Hunters International ransomware group has introduced a sophisticated new remote access trojan (RAT) called SharpRhino. This C#-based malware is specifically designed to target IT workers and breach corporate networks through a multi-stage attack process. The malware’s primary functions include achieving initial infection, elevating privileges on compromised systems, executing PowerShell commands, and ultimately deploying a ransomware payload. 

Recent findings from Quorum Cyber researchers reveal that SharpRhino is distributed via a malicious site masquerading as Angry IP Scanner, a legitimate networking tool widely used by IT professionals. The deceptive website uses typosquatting techniques to lure unsuspecting users into downloading the malware. This approach highlights a new tactic by Hunters International, aiming to exploit the trust IT workers place in well-known tools. The SharpRhino RAT operates through a digitally signed 32-bit installer named ‘ipscan-3.9.1-setup.exe.’ 

This installer contains a self-extracting, password-protected 7z archive filled with additional files necessary for the malware’s execution. Upon installation, SharpRhino modifies the Windows registry to ensure persistence on the compromised system and creates a shortcut to Microsoft.AnyKey.exe, which is normally a Microsoft Visual Studio binary but is abused here for malicious purposes. Additionally, the installer drops a file named ‘LogUpdate.bat,’ which executes PowerShell scripts to run the malware stealthily. To facilitate command and control (C2) operations, SharpRhino creates two directories: ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows.’ 

These directories are used to manage communication between the malware and its operators. SharpRhino also includes hardcoded commands such as ‘delay’ to set the timer for the next POST request and ‘exit’ to terminate communication. This enables the malware to execute various dangerous actions, including launching PowerShell commands. For instance, Quorum Cyber researchers demonstrated the malware’s capability by launching the Windows calculator. Hunters International, which began operations in late 2023, has been associated with several high-profile ransomware attacks. Notable victims include U.S. Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center. 

In 2024 alone, the group has claimed responsibility for 134 ransomware attacks, ranking it among the top ten most active ransomware operators globally. The deployment of SharpRhino through a fake website underscores Hunters International’s strategic focus on IT professionals, leveraging their reliance on familiar software to infiltrate corporate networks. To protect against such threats, users should exercise caution with search results and sponsored links, use ad blockers, and verify the authenticity of download sources. Implementing robust backup plans, network segmentation, and keeping software up-to-date are essential measures to mitigate the risk of ransomware attacks.
Read more »
Trojan
Clone Cyber Security Malicious Payload Minesweeper Trojan

Unmasking the Trojan: How Hackers Exploit Innocent Games for Malicious Intent


Hackers continue to find ingenious ways to infiltrate organizations and compromise sensitive data. Recently, a peculiar attack vector emerged—one that leverages an unsuspecting source: a Python clone of the classic Minesweeper game. 

In this blog post, we delve into the details of this novel attack and explore the implications for cybersecurity professionals.

The Trojanized Minesweeper Clone

The Setup

The attack begins innocuously enough—an email arrives in an employee’s inbox, seemingly from a legitimate medical center. 

The subject line reads, “Personal Web Archive of Medical Documents.” Curiosity piqued, the recipient opens the email and finds a Dropbox link to download a 33MB SCR file. The file claims to contain a web archive of medical documents, but hidden within its code lies a sinister secret.

The Malicious Payload

The SCR file contains two distinct components:

Legitimate Minesweeper Code

  • The attackers cleverly embed code from a Python clone of the classic Minesweeper game. This seemingly harmless code serves as camouflage, distracting security scanners and human reviewers.
  • The Minesweeper game runs as expected, creating a façade of normalcy.

Malicious Python Script

  • Concealed within the Minesweeper code, a malicious Python script lies dormant.
  • When executed, this script connects to a remote server (“anotepad.com”) and downloads additional payloads.
  • The ultimate goal? To install the SuperOps RMM (Remote Monitoring and Management) software—a legitimate tool that provides remote access to compromised systems.

The Threat Actor: UAC-0188

The attack is attributed to a threat actor known as “UAC-0188.” This actor demonstrates a keen understanding of social engineering and exploits users’ trust in seemingly benign applications. By piggybacking on the Minesweeper clone, UAC-0188 bypasses initial scrutiny and gains a foothold within the organization.

Implications and Countermeasures

Organizations must remain vigilant and adopt proactive measures to counter such attacks:

User Awareness

  • Educate employees about phishing tactics and the importance of scrutinizing unexpected attachments.
  • Encourage skepticism—even when the sender appears legitimate.

Behavioral Analysis

  • Implement behavioral analysis tools that detect anomalies in file behavior.
  • Scrutinize code for hidden payloads, especially within seemingly harmless files.

Network Segmentation

  • Isolate critical systems from less secure areas of the network.
  • Limit lateral movement for attackers.

Regular Security Audits

  • Conduct regular audits to identify vulnerabilities.
  • Update security policies and procedures accordingly. 

Read more »
User Security
Bing Ad Cyber Fraud Fake Website Malicious Sites Trojan User Security

Bing Ad Posing as NordVPN Aims to Propagate SecTopRAT Malware

 

A Bing advertisement that appeared to be a link to install NordVPN instead led to an installer for the remote access malware SecTopRAT. 

Malwarebytes Labs identified the malvertising campaign on Thursday, with the domain name for the malicious ad having been registered only a day earlier. The URL (nordivpn[.]xyz) was intended to resemble an authentic NordVPN domain. The ad link linked to a website with another typosquatted URL (besthord-vpn[.]com) and a duplicate of the actual NordVPN website.

The download button on the fake website directed to a Dropbox folder containing the installer NordVPNSetup.exe. This executable comprised both an authentic NordVPN installation and a malware payload that was injected into MSBuild.exe and connected to the attacker's command-and-control (C2) server.

The threat actor attempted to digitally sign the malicious programme, however the signature proved to be invalid. However, Jérôme Segura, Principal Threat Researcher at Malwarebytes ThreatDown Labs, told SC Media on Friday that he discovered the software had a valid code signing certificate. 

Segura said some security products may block the executable due to its invalid signature, but, “Perhaps the better evasion technique is the dynamic process injection where the malicious code is injected into a legitimate Windows application.” 

“Finally, we should note that the file contains an installer for NordVPN which could very well thwart detection of the whole executable,” Segura added. 

The malicious payload, SecTopRAT, also known as ArechClient, is a remote access trojan (RAT) identified by MalwareHunterTeam in November 2019 and then analysed by GDATA experts. The researchers discovered that the RAT produces an "invisible" second desktop, allowing the attacker to manage browser sessions on the victim's PC. 

SecTopRAT can also provide system information, such as the system name, username, and hardware, to the attacker's C2 server. 

Malwarebytes reported the malware campaign to both Microsoft, which controls Bing, and Dropbox. Dropbox has since deactivated the account that contained the malware, and Segura said his team had yet to hear anything from Microsoft as of Friday. 

“We did notice that the threat actors updated their infrastructure last night, perhaps in reaction to our report. They are now redirecting victims to a new domain thenordvpn[.]info which may indicate that the malvertising campaign is still active, perhaps under another advertiser identity,” Segura concluded. 

Other malvertising efforts promoting SecTopRAT have been discovered in the past. In 2021, Ars Technica reported on a campaign that used Google advertisements to promote the Brave browser.

Last October, threat actors employed malvertising, search engine optimisation (SEO) poisoning, and website breaches to deceive consumers into installing a fake MSIX Windows programme package containing the GHOSTPULSE malware loader. Once deployed, GHOSTPULSE employs a process doppelganging to enable the execution of several malware strains, including SecTopRAT.
Read more »
Trojan
Cybersecurity Precautions data security iPhone Malware Mobile Security Trojan

Securing Your iPhone from GoldPickaxe Trojan

 

In recent times, the digital realm has become a battleground where cybercriminals constantly devise new tactics to breach security measures and exploit unsuspecting users. The emergence of the GoldPickaxe Trojan serves as a stark reminder of the ever-present threat to our personal data and privacy. As reported by 9to5Mac, this insidious malware has targeted iPhone users, raising concerns about the safety and security of our devices. 

The GoldPickaxe Trojan is a sophisticated form of malware designed to infiltrate iPhones, compromising sensitive information and potentially causing significant harm to users. This malicious software operates covertly, often masquerading as legitimate applications or using social engineering tactics to trick users into installing it. Once installed on a device, the GoldPickaxe Trojan can execute a range of malicious activities, including stealing personal data such as login credentials, financial information, and sensitive communications. 

Moreover, it may grant unauthorized access to the device, allowing cybercriminals to control its functionalities remotely. Given the severity of the threat posed by the GoldPickaxe Trojan, it is imperative for iPhone users to take proactive measures to safeguard their devices and personal data. Here are some essential steps to enhance your device's security and protect against this insidious malware. 

Ensure that your iPhone's operating system, as well as all installed applications, is up to date. Manufacturers regularly release security patches and updates to address vulnerabilities and strengthen defences against emerging threats like the GoldPickaxe Trojan. Exercise caution when downloading and installing applications from the App Store or third-party sources. Verify the authenticity of the developer and scrutinize app permissions before granting access to your device's resources. Avoid installing apps from unknown or untrusted sources, as they may contain malicious payloads. 
 
Activate two-factor authentication (2FA) wherever possible to add an extra layer of security to your accounts. By requiring a secondary verification method, such as a one-time code sent to your phone, 2FA can thwart unauthorized access attempts even if your login credentials are compromised by the GoldPickaxe Trojan. Use strong, unique passwords for all your online accounts, including your iPhone's lock screen and iCloud account. Avoid using easily guessable passwords or reusing the same password across multiple platforms, as this can significantly increase the risk of unauthorized access and data breaches. 

Consider installing reputable antivirus and security software on your iPhone to detect and remove malicious threats like the GoldPickaxe Trojan. These applications can provide real-time protection against malware, phishing attacks, and other cyber threats, helping to safeguard your device and personal information. Remain vigilant against suspicious activities and phishing attempts, such as unsolicited emails or messages requesting sensitive information. Stay informed about the latest cybersecurity threats and trends, and educate yourself on best practices for online safety and privacy. 

The GoldPickaxe Trojan represents a significant threat to iPhone users, highlighting the importance of robust security measures and proactive defence strategies. By following the guidelines above and adopting a security-conscious mindset, you can mitigate the risk of falling victim to this malicious malware and protect your device, data, and privacy from harm. Remember, safeguarding your iPhone is not just a matter of convenience; it's a crucial step in safeguarding your digital identity and maintaining control over your online presence in an increasingly interconnected world.
Read more »
Trojan
Banking Trojan cyber attack Cyber Attacks Malicious Activities Mexico Mispadu Stealer Trojan

New Variant of Banking Trojan Discovered Targeting Mexico

In a recent discovery, cybersecurity researchers from Palo Alto Networks Unit 42 have uncovered a new variant of the stealthy banking Trojan known as Mispadu Stealer. This infostealer is specifically designed to target regions and URLs associated with Mexico, posing a significant threat to users in the region. 

The researchers stumbled upon this new variant while conducting investigations into attacks exploiting the Windows SmartScreen bypass vulnerability CVE-2023-36025. This vulnerability has been a prime target for cybercriminals looking to bypass security measures and infiltrate systems. However, it was addressed by Microsoft in November 2023. 

How You Are Being Attacked?

Essentially, attackers exploit a flaw in Windows SmartScreen, a security feature designed to warn users about potentially harmful downloads. By crafting internet shortcut files (.URL) or hyperlinks that point to malicious content, they can evade SmartScreen's defenses. This evasion tactic hinges on including a parameter that points to a network share rather than a standard URL. Inside the manipulated.URL file is a link leading to a network share controlled by the threat actor, housing a dangerous executable file. 

Since August 2022, Mispadu has been behind numerous spam campaigns, resulting in the theft of over 90,000 bank account credentials. This revelation highlights the significant threat Mispadu poses to the financial security of users across Latin America. However, Mispadu is just one member of a larger family of LATAM banking malware. 

Among its notorious counterparts is Grandoreiro, a formidable threat that has plagued users in the region. Recent efforts by law enforcement authorities in Brazil have resulted in the dismantling of Grandoreiro, offering some relief to users. 

Despite this success, cybersecurity experts warn that the danger from Mispadu and similar malware persists. Users are urged to remain vigilant when dealing with unsolicited emails and to bolster their defenses with robust security measures. By staying informed and implementing proactive strategies, users can better protect themselves against potential attacks.
Read more »
Trojan
Bandook Malware cryptocurrency Cyber Attacks CyberCrime Cybersecurity RAT Trojan

Unveiling 'Bandook': A Threat that Adapts and Persists

 


The Bandook malware family, which was thought to be extinct, is back and may be part of a larger operation intended to sell offensive hacking tools to governments and cybercriminal groups to attack them. Several recent research papers have been released by Check Point Research, which indicate that Bandook is regaining popularity across a wide range of targeted sectors and locations despite being a 13-year-old bank, Trojan. 

It has been observed that dozens of variants of the malware have been used in attacks in the United States, Singapore, Cyprus, Chile, Italy, Turkey, Switzerland, Indonesia and Germany over the past year in attacks against organizations. Government, finance, energy, food, healthcare, education, IT, and legal are some of the sectors targeted by the software. 

In 2007, Bandook malware was discovered as a remote access trojan (RAT) that has been active for several years. It has been reported that Bandook malware has evolved into a new variant that injects its payload into msinfo32.exe to distribute the malware and allow remote attackers to take control of the system if it is infected. As a result, this remote access trojan poses a significant threat to users privacy, as it is capable of performing various tasks allowing cybercriminals to gather various types of personal data. 

Therefore, my recommendation would be to avoid installing it if people are gaming their system and its usage can lead to several problems. Originally developed as a commercial RAT written in both Delphi and C++, Bandook RAT eventually evolved into several variants over the years, and this malware became available for download from the internet. Formerly a commercial RAT, Bandook was originally developed by a Lebanese named Prince Ali as a commercial RAT. 

It is common for remote access trojans to be used to remotely manage infected computers, without the consent of the users. In addition to keylogging, audio capture (microphone) and video capture (webcam), screenshot capture and uploading to a remote server, and running various command shell programs, this malware is capable of performing a variety of malicious activities. 

Cybercriminals could take advantage of this situation to gain access to personal accounts (for example, social networks, emails, banks, etc.). To gain as much revenue as possible, these people will use hijacked accounts for various purposes such as online purchases, money transfers, asking the victim's friends to lend them money, etc. Consequently, they are likely to make misuse of hijacked accounts. 

Moreover, thieves can use hijacked accounts to spread malware, sending malicious files and links to all contacts in the account. They can also utilize Bandook to launch several Windows shell commands, which could result in a significant loss of savings and debt. A Trojan horse is often used to spread infections, such as ransomware and crypto miners since they can modify system settings as well as download (inject) additional malware. 

Trojan horses are also often used to spread viruses and malware. There is a risk that this infection will result in significant financial loss, serious privacy issues (such as identity theft), as well as additional infections of the computer system. The last time Bandook was spotted was in 2015 as part of the "Operation Manul" campaign, while the last time it was spotted was in 2017-2018 as part of the "Dark Caracal" campaign. 

During the last few years, the malware had all but disappeared from the threat landscape, but it appears it has begun to resurface again. An infected computer will receive a malware chain consisting of three stages. The first stage is to download two files into the local user folder using a lure document, which contains malicious VBA macro code encoded with an encryption algorithm. 

First, there is a PowerShell script file that gets dropped into the user's folder, and the second file is a JPG file which contains a base64 encoded PowerShell script that is saved in the JPG file. Its second stage will be the decoding and executing of the base64 encoded PowerShell scripts stored in the JPG file, which will render a zip file containing four files from cloud services, then download the zip file containing the files in the zip file. 

Among the four files, three of them are PNG files with hidden RC4 functions encapsulated in the RGB values of the pixels that belong to the RGB file. As a result of the existence of these files, an executable that acts as a Bandook loader will be constructed. 

After the creation of the Internet Explorer process, the bandook loader will inject the malicious payload into the process and then proceed to the final stage of the process. It is the payload that makes contact with the command and control server, and it waits for the server to give additional commands.
Read more »
Trojan
Data Exfiltration malware MMRat Mobile Network Privacy Protobuf Technology threats Trojan

Rare Technique Deployed by Android Malware to Illicitly Harvest Banking Data

 

Trend Micro, a cybersecurity research firm, has recently unveiled a novel mobile Trojan that employs an innovative communication technique. This method, known as protobuf data serialization, enhances its ability to pilfer sensitive data from compromised devices.

Initially detected by Trend Micro in June 2023, this malware, named MMRat, primarily targets users in Southeast Asia. Surprisingly, when MMRat was first identified, popular antivirus scanning services like VirusTotal failed to flag it as malicious.

MMRat boasts a wide array of malicious functionalities. These include collecting network, screen, and battery data, pilfering contact lists, employing keylogging techniques, capturing real-time screen content, recording and live-streaming camera data, and even dumping screen data in text formats. Notably, MMRat possesses the ability to uninstall itself if required.

The capacity to capture real-time screen content necessitates efficient data transmission, and this is where the protobuf protocol shines. It serves as a customized protocol for data exfiltration, using distinct ports and protocols to exchange data with the Command and Control (C2) server.

Trend Micro's report highlights the uniqueness of the C&C protocol, which is customized based on Netty, a network application framework, and the aforementioned Protobuf. It incorporates well-designed message structures, utilizing an overarching structure to represent all message types and the "oneof" keyword to denote different data types.

Researchers have uncovered instances of this malware concealed within counterfeit mobile app stores, masquerading as government or dating applications. While they commend the overall sophistication of these efforts, it's essential to note that these apps still request permissions for Android's Accessibility Service, a common red flag that clearly signals their malicious nature.
Read more »
zero-day
Anonymous Data Breach ICAN Italy Kali Linux PowerShell servers Software Trojan unauthorised access zero-day

Global Ransomware Attack Targets VMware ESXi Servers



Cybersecurity firms around the world have recently warned of an increase in cyberattacks, particularly those targeting corporate banking clients and computer servers. The Italian National Cybersecurity Agency (ACN) recently reported a global ransomware hacking campaign that targeted VMware ESXi servers, urging organisations to take action to protect their systems.

In addition, Italian cybersecurity firm Cleafy researchers Federico Valentini and Alessandro Strino reported an ongoing financial fraud campaign since at least 2019 that leverages a new web-inject toolkit called drIBAN. The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments, altering legitimate banking transfers performed by the victims and transferring money to an illegitimate bank account.

These accounts are either controlled by the threat actors or their affiliates, who are then tasked with laundering the stolen funds. The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that's capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim's own computer.

The operators behind drIBAN have become more adept at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.

Organisations need to be aware of these threats and take immediate action to protect their systems from cyberattacks. The ACN has reported that dozens of Italian organisations have been likely affected by the global ransomware attack and many more have been warned to take action to avoid being locked out of their systems.


Read more »
virus
communication Cyber Attacks DNS Informationblox malware RAT Trojan virus

DNS Malware Toolkit Discovered by Infoblox and Urged to be Blocked

 


This week, Infoblox Inc. announced the release of its threat report blog on a remote access Trojan (RAT) toolkit with DNS command and control, which is being used for remote access and data theft. Infoblox provides a cloud-enabled networking and security platform capable of improving performance and protection. 

In the U.S., Europe, South America, and Asia, an anomalous DNS signature had been observed in enterprise networks that were created through the use of the toolkit. Across a wide range of sectors such as technology, healthcare, energy, financial services, and others, these trends were seen. The communications with the Russian controller can be traced to some of these communications. 

A malware program is a software application that infiltrates your computer with the intent of committing malicious acts. Viruses, worms, ransomware, spyware, Trojan horses, Trojan horses, spyware, and keylogging programs, all of which can be classified as malware. There are alarming challenges network and security professionals face daily in the face of malware that is becoming more sophisticated and capable of circumventing traditional defenses. 

By leveraging DNS infrastructure and threat intelligence, Infoblox's Malware Containment and Control solution can help organizations reduce malware risk by employing the most effective mitigation methods. Additionally, it enables leading security technologies to use contextual threat data, indicators of compromise, and other context-sensitive information to automate and accelerate the threat response process. 

Informationblox's Threat Intelligence Group discovered a new toolkit known as "Decoy Dog" that was branded as an attack toolkit. To disrupt this activity, the company collaborates with other security vendors, customers, and government agencies to work together. 

Furthermore, it identifies the attack vector and even secures networks across the globe. A crucial insight is that DNS anomalies that are measured over time proved to be important in detecting and analyzing the RAT, but also enabling the C2 communications to be tracked together despite appearing to be independent on the surface. 

Analyzing threats, identifying them, and mitigating them: 

During the first and second quarters of 2023, Infoblox discovered activity in multiple enterprise networks caused by the remote access Trojan (RAT) Puppy being active in multiple enterprise networks. C2 communication has not been found since April 2022, indicating that this was a one-way communication. 

An indicator of the presence of a RAT can be uncovered by investigating its DNS footprint. It does, however, show some strong outlier behavior when analyzed using a global cloud-based DNS protection system such as Infoblox's BloxOne® Threat Defense, when compared to traditional DNS protection systems. The integration of heterogeneous domains within Infoblox was also made possible by this technology. 

Communication between two C2 systems takes place over DNS and is supported by an open-source RAT known as Puppy. The project is an open-source project but it has always been associated with actors that are acting on behalf of nations despite its open nature. 

The risks associated with a vulnerable DNS can be mitigated by organizations with a protective DNS. There is no need to worry about these suspicious domains because BloxOne Threat Defense protects customers against them. 

In the detection of the RAT, anomalous DNS traffic has been detected on limited networks and devices on the network, like firewalls, but not on devices used by users, like laptops and mobile devices. 

Malware uses DNS to connect to its command and control (C&C) servers to communicate with them. As a result of its ability to contain and control malware, DNS is ideally suited for the task. Infoblox, for example, should focus on DNS as the point of attack from where malware can be injected to contain and control malware. 

It is imperative to highlight that malware prevention solutions are becoming more and more adept at sharing threat data with the broader security ecosystem. This is thanks to APIs, Syslog, and SNMP communication protocols.
Read more »
Trojan
Cyber Security Data NetWireRAT Safety Security Trojan

Who Is Responsible for the NetWire Remote Access Trojan?

 

A Croatian national was arrested for reportedly running NetWire, a Remote Access Trojan (RAT) that has been advertised on cybercrime forums since 2012 as a covert way to spy on infected systems and steal passwords. The arrest coincided with the seizure of the NetWire sales website by the Federal Bureau of Investigation in the United States (FBI). While the defendant, in this case, has not yet been publicly identified, the NetWire website has been leaking information about its owner's likely true identity and location for the past 11 years.

NetWire is a multi-platform threat that can infect not only Microsoft Windows machines but also Android, Linux, and Mac systems. It is typically installed via booby-trapped Microsoft Office documents and distributed via email. NetWire's dependability and low cost ($80-$140 depending on features) have made it a popular RAT on cybercrime forums for years, and NetWire infections consistently rank among the top ten most active RATs in use.

Since 2012, NetWire has been sold openly on the same website: worldwiredlabs[.]com. The domain was taken as part of "a coordinated law enforcement action taken against the NetWire Remote Access Trojan," according to a seizure notice from the US Department of Justice (DOJ).

“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website,” reads a statement by the DOJ today. “This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland on Tuesday seized the computer server hosting the NetWire RAT infrastructure.”

The name of the accused was not mentioned in either the DOJ statement or a press release issued by Croatian authorities about the operation. But it's remarkable that authorities in the United States and elsewhere have taken so long to take action against NetWire and its alleged owner, given that the RAT's author apparently did very little to conceal his true identity.

The WorldWiredLabs website was launched in February 2012 on a dedicated host with no other domains. The site's true WHOIS registration records have always been hidden by privacy protection services, but there are plenty of clues in WorldWiredLabs's historical Domain Name System (DNS) records that point in the same direction.

The WorldWiredLabs domain was moved to another dedicated server at the Internet address 198.91.90.7 in October 2012, which was home to only one other domain: printschoolmedia[.]org, which was also registered in 2012.

Printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address zankomario@gmail.com, according to DomainTools.com. According to DomainTools, this email address was also used to register one other domain in 2012: wwlabshosting[.]com, which was also registered to Mario Zanko from Croatia. A look at the DNS records for printschoolmedia[.]org and wwlabshosting[.]com reveals that both domains used the DNS name server ns1.worldwiredlabs[.]com while they were online. There are no other domains that use the same name server.

Worldwiredlabs[.]com DNS records also show that the site forwarded incoming email to tommaloney@ruggedinbox.com. This email address was used to register an account at the clothing retailer romwe.com, using the password "123456xx," according to Constella Intelligence, a service that indexes information exposed by public database leaks.

A reverse search on this password in Constella Intelligence reveals that it has been used by over 450 email addresses, two of which are zankomario@gmail.com and zankomario@yahoo.com. A search in Skype for zankomario@gmail.com yields three results, including the account name "Netwire" and the username "Dugidox," as well as another for a Mario Zanko (username zanko.mario).

Dugidox is the hacker handle that has been most frequently associated with NetWire sales and support discussion threads on various cybercrime forums over the years. Constella associates dugidox@gmail.com with a number of website registrations, including the Dugidox handle on BlackHatWorld and HackForums, as well as Croatian IP addresses for both. According to Constella, the email address zankomario@gmail.com used the password "dugidox2407."

Someone with the email address dugidox@gmail.com registered the domain dugidox[.]com in 2010. The WHOIS records for that domain name list a "Senela Eanko" as the registrant, but the address used was the same street address in Zapresic that appears in the WHOIS records for printschoolmedia[.]org, which is registered in Mr. Zanco's name.

Prior to Google+'s demise, the email address dugidox@gmail.com corresponded to an account with the nickname "Netwire wwl." The dugidox email address was also linked to a Facebook account (mario.zanko3), which included check-ins and photos from various locations throughout Croatia.

That Facebook page is no longer active, but the administrator of WorldWiredLabs stated in January 2017 that he was considering adding certain Android mobile functionality to his service. Three days later, the Mario.Zank3 profile posted a photo saying he was chosen for an Android instruction course — with his dugidox email clearly visible.

According to incorporation records from the United Kingdom's Companies House, Mr. Zanko became an officer in a company called Godbex Solutions LTD in 2017. In a YouTube video, Godbex is described as a "next generation platform" for exchanging gold and cryptocurrencies. As per Companies House records, Godbex was dissolved in 2020. Mr. Zanko was born in July 1983, and his occupation is listed as "electrical engineer."

Multiple requests for comment from Mr. Zanko went unanswered. The Croatian police have issued a statement regarding the NetWire takedown.
Read more »
Trojan
Cyberattack CyberCriminal malware Mobile Banking Mobile Threats SharkBot Telecommunication Trojan

Mobile Banking Trojan Volume Doubles

 


There were nearly 200,000 new telecommunications and banking Trojans developed in 2022, an increase of 100% over the previous year and the biggest spike in mobile malware development seen in the previous six years, confirming the trend of mobile malware development being propelled forward in recent years. 

The information was provided by Kaspersky Lab's report entitled "Mobile Threats in 2022" which can be found here. During the year, the firm also reported that 1.6 million malware installers were detected as part of its telemetry as provided by telemetry. While malware creation surged ahead in 2020, there was a decline in threat activity (down from 3.5 million in 2021 and 5.7 million in 2020), despite the surge in attacks in 2021. 

Based on the report released today, cybercriminals are increasingly targeting mobile users. They are also investing a lot of time in creating updated malware to steal financial information, making these increased activities more likely. Similarly, it stated, over the last few years, cybercriminal activity has leveled off, with attack numbers staying steady after slackening in 2021. 

The truth is that cybercriminals continue to improve the functionality of malware as well as how it spreads. 

The banking Trojan is designed to steal mobile banking credentials and e-payment information, but it can quickly be repurposed to steal other kinds of information, including those related to identity theft and the spread of other malware. In the past few years, many malware strains have emerged that have become synonymous with the term "all-purpose malware strains", including popular strains like Emotet and TrickBot, for instance. 

There is a great risk that you might encounter a banking Trojan if you use a non-official app store, but Google Play has been repeatedly flooded with "downloaders of trojans such as Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph disguised as utilities." 

According to Kaspersky's report, unofficial apps pose the greatest risk. Sharkbot is an example of malware masquerading as a legitimate file manager that is malicious (and can evade Google's vetting process) until it has been installed. 

After that, it will begin to request permission to install other packages which will together perform malicious banking Trojan activities that can be considered malicious. In recent years, mobile banking Trojans have been one of the most prevalent and concerning mobile malware threats, used to implement attacks to steal data related to online banking and e-payment systems as well as bank credentials. This is the highest number of mobile banking Trojan installers detected by Kaspersky in the past six years. The number was double what Kaspersky detected in 2021 and represents a fifty percent increase from that year's figure. 

In light of this, cybercriminals are increasingly interested in stealing financial data from smartphone users, and this information is a target of their attacks. It is also clear that they seem to be investing heavily in updating their malware, which may result in severe losses for their targets in the long run. 

The Trojan banker malware is spread by cyber criminals through both official and unofficial app stores, through which they distribute their malware. Several banking Trojan families are still available on Google Play, including Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph, which are disguised as utilities but are downloaders for banking Trojans.  

In Sharkbot's case, they created a fake file manager in which they would distribute downloaders. A Trojan can request permission to be installed on the device of a user, thus putting the user's security at risk. Furthermore, these downloaders can request permission to be installed on the device so that it can operate on the user's device.
Read more »
Windows
malware python Safety Security Trojan Windows

This New Python RAT Malware Targets Windows in Attacks

 

A new Python-based malware has been discovered in the wild, with remote access trojan (RAT) capabilities that permit its operators to regulate the compromised systems. The new RAT, dubbed PY#RATION by researchers at threat analytics firm Securonix, communicates with the command and control (C2) server and exfiltrates data from the victim host via the WebSocket protocol. 

The company's technical report examines how the malware operates. The researchers note that the RAT is actively being developed, as they have seen multiple versions of it since the PY#RATION campaign began in August. MalwareHunterTeam, who tweeted about a campaign in August 2022, also discovered this malware.
 
The PY#RATION malware is distributed through a phishing campaign that employs password-protected ZIP file attachments with two shortcuts. Front.jpg.lnk and back.jpg.lnk are LNK files disguised as images.

When the shortcuts victim is launched, he or she sees the front and back of a driver's license. However, malicious code is also executed to contact the C2 (in later attacks, Pastebin) and download two.TXT files ('front.txt' and 'back.txt'), which are later renamed to BAT files to accommodate malware execution.

When the malware is launched, it creates the 'Cortana' and 'Cortana/Setup' directories in the user's temporary directory before downloading, unpacking, and running additional executable files from that location.

By placing a batch file ('CortanaAssist.bat') in the user's startup directory, persistence is established. Cortana, Microsoft's personal assistant solution for Windows, is used to disguise malware entries as system files.

The malware supplied to the target is a Python RAT packaged into an executable with the help of automated packers such as 'pyinstaller' and 'py2exe,' which can convert Python code into Windows executables that include all the libraries required for its implementation.

This method results in larger payload sizes, with version 1.0 (the first) being 14MB and version 1.6.0 (the most recent) being 32MB. The latest version is larger because it includes more code (+1000 lines) and a layer of fernet encryption.

As per Securonix's tests, version 1.6.0 of the payload deployed undiscovered by all but one antivirus engine on VirusTotal. While Securonix did not share the malware samples' hashes, BleepingComputer was able to find a file that appears to be from this campaign. To determine the malware's capabilities, Securonix analysts extracted the payload's contents and examined the code functions with the 'pyinstxtractor' tool.

Among the features seen in version 1.6.0 of the PY#RATION RAT are the following:
  • Perform network enumeration
  • Perform file transfers from the breached system to the C2, or vice versa
  • Perform keylogging to record the victim's keystrokes
  • Execute shell commands
  • Perform host enumeration
  • Extract passwords and cookies from web browsers
  • Steal data from the clipboard
  • Detect anti-virus tools running on the host
The malware, according to Securonix researchers, "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." This channel is utilized for communication as well as data exfiltration.

The benefit of WebSockets is that the malware can concurrently receive and send data from and to the C2 over a single TCP connection using network ports such as 80 and 443. The threat actors utilized the same C2 address ("169[.]239.129.108") throughout their campaign, from malware version 1.0 to 1.6.0, per the analysts.

The IP address has not been blocked on the IPVoid checking system, indicating that PY#RATION has gone undetected for several months.. Details about specific campaigns employing this piece of malware, as well as their targets, distribution volume, and operators, are currently unknown.
 
Read more »
Trojan
Android Chat Apps malware Telegram Trojan

StrongPity Hackers Disseminate Trojanized Telegram App to Android Users

 

The StrongPity APT hacking group is disseminating a bogus Shagle chat app that is a trojanized version of the Telegram for Android app with a backdoor added. Shagle is a legitimate random video chat platform that allows strangers to communicate through an encrypted communications channel. 

However, the platform is entirely web-based and does not include a mobile app. Since 2021, StrongPity has been using a phony website that impersonates the official Shagle site to trick victims into downloading a malicious Android. Once installed, this app allows hackers to spy on their targets by monitoring phone calls, collecting SMS texts, and stealing contact lists.

StrongPity, also known as Promethium or APT-C-41, was previously linked to a malware-infecting campaign that distributed trojanized Notepad++ installers and malicious versions of WinRAR and TrueCrypt.

ESET researchers found the latest StrongPity activity and linked it to the espionage APT group based on code similarities with previous payloads. Furthermore, the Android app is signed with the same certificate that the APT used to sign an app in a 2021 campaign that mimicked the Syrian e-gov Android application.

Trojanizing the Telegram app 

StrongPity's malicious Android app is an APK file called "video.apk," which is a modified version of the standard Telegram v7.5.0 (February 2022) app.

ESET was unable to determine how victims arrived at the bogus Shagle website, but it is most likely through spear phishing emails, smishing (SMS phishing), or online instant messages. The malicious APK is downloaded directly from the bogus Shagle website and has never appeared on Google Play.

According to ESET, the cloned site first appeared online in November 2021, so the APK has most likely been actively distributed since then. The first confirmed detection in the wild, however, occurred in July 2022. One disadvantage of using Telegram as the basis for the hacking group's fake app is that the backdoored version will not be installed if the victim already has the real Telegram app installed on their phones.

The API ID used in the captured samples has currently been limited due to overuse, so the trojanized app will no longer approve new user registrations; thus, the backdoor will not function. This, according to ESET, indicates that StrongPity malware was successfully deployed on targeted victims.

Backdoor for spying on victims

When the malware is installed, it requests Accessibility Service access and then retrieves an AES-encrypted file from the attacker's command and control server. The file contains 11 binary modules that were downloaded to the device and used by the backdoor to perform various malicious functions.

Each module serves an espionage purpose and is activated as needed. The following is a complete list of the malicious spyware modules:
  • libarm.jar – records phone calls
  • libmpeg4.jar – collects text of incoming notification messages from 17 apps
  • local.jar – collects file list (file tree) on the device
  • phone.jar – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
  • resources.jar – collects SMS messages stored on the device
  • services.jar – obtains device location
  • systemui.jar – collects device and system information
  • timer.jar – collects a list of installed apps
  • toolkit.jar – collects contact list
  • watchkit.jar – collects a list of device accounts
  • wearkit.jar – collects a list of call logs
The information gathered is saved in the app's directory, encrypted with AES, and then sent back to the attacker's command and control server.

The malware can read notification content from Messenger, Viber, Skype, WeChat, Snapchat, Tinder, Instagram, Twitter, Gmail, and other services by abusing the Accessibility Service. The malware automatically grants itself permission to change security settings, write to the filesystem, reboot, and perform other dangerous functions on rooted devices where the regular user has administrator privileges.

Since 2012, the StrongPity hacking group has been active, frequently hiding backdoors in legitimate software installers. According to ESET's report, the threat actor is still using the same tactic after a decade. Android users should exercise caution when downloading APKs from sources other than Google Play.
Read more »
Trojan
Cyber Criminals Cyber Security Data Theft Safety Security Trojan

The 5 Most Common Types of Trojans You Should Know About

 

Cybercriminals create more complicated and diverse methods of obtaining sensitive data as we become more dependent on technology and entrust it with more of our personal information. There are many different types of harmful malware, including Trojan Horses. But there are various varieties of this malware. Trojan Horses come in a variety of forms and are created for various purposes. 

What are the most typical Trojan types that you should be on the lookout for? Let's quickly review what Trojan Horses are before we look at the various types of them.

The Odyssey, a work of Homer's from classical Greece, is where the phrase "Trojan Horse" first emerged. The city of Troy receives a large wooden horse as a gift, but the recipients have no idea that soldiers are concealed inside the animal. The soldiers can invade when the horse enters the city.

Similar to the original, a Trojan Horse program conceals itself in otherwise defenseless software. For instance, you might believe that an app is safe to download and install, but the developer may have added a Trojan to the program. Once the program has infected your device, it can be used for a variety of illegal activities, including remote control, data theft, and activity monitoring.

Different Trojan Types:

It's crucial to be aware of the various Trojan Horse types so you can better protect yourself.

1. Downloader trojans

The operation of downloader Trojans requires an internet connection. When a device is infected by the Trojan, it does not do anything until an internet connection is made, at which point it can download more malicious software to aid the hacker in their attack. On the infected device, this type of Trojan can also start up malicious software. They serve as a kind of opening salvo in the assault, giving the hacker a firm grip on the target.

2. Rootkit Trojan

Software tools called rootkits are utilized for remote administrative access. Frequently, unauthorized remote access serves as a launchpad for a cyberattack. The attacker can exploit the infected device by performing a variety of different tasks with administrative access provided by a rootkit Trojan. A cybercriminal might, for instance, run another malicious programme, steal confidential login information, or listen in on personal communications.

3. Fake Antivirus Trojans

False antivirus Trojans, as their name implies, pose as antivirus software. In this way, the victim will believe the programme is keeping them safe when the reality is completely the opposite. Even though the programme may try to trick you by imitating antivirus functions, its true objective is exploitation. By intimidating the user into purchasing additional security measures, such software defrauds them of their money.

4. Banking Trojans

Banking data is the main focus of banking Trojans. In the world of cybercrime, bank credentials are a highly sought-after type of data because they can give attackers direct access to a victim's money. This type of information is frequently traded on the dark web, where criminal enterprises will pay hackers to gain access to their stolen information. Banking Trojans frequently target the websites of financial institutions.

5. Game-Thief Trojans

An attacker can obtain the victim's banking credentials when a banking Trojan is downloaded onto the victim's device. Banking Trojans can assist the attacker get past two-factor authentication barriers in addition to login credentials, which is a security measure that many people use to protect their online bank accounts.

Game-thief Trojans, also known as "gaming Trojans," are used to hack into gaming accounts and steal personal data. There are currently millions of online gaming accounts, giving cybercriminals a market for data theft. When the Trojan gains access to important data, it will then send that information to the attacker. For instance, a user's Steam account might be targeted in order to gain access to payment data or steal virtual goods.

Trojan horses are so adaptable that they put internet users at risk in various ways, making it challenging to avoid them. But you can more effectively avoid Trojan Horses and protect yourself and your data by being aware of the risks and using extra caution when using your devices.

Read more »
Windows
Cyber Data Cyber Security Cyberattacks Government Russia Trojan Ukraine Windows

Trojanized Windows 10 Installer Utilized in Cyberattacks Against Ukrainian Government Entities

 

Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities. The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166. 

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Even though the origin of the adversarial collective is unknown, the disruptions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor. According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.

The main objective of the operation appears to have been data gathering, with additional implants deployed to the machines only after an initial reconnaissance of the vulnerable environment to determine if it contained valuable intelligence.

Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor written in C that enables the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the data to a remote server, were among them.

The malicious actor attempted to download the TOR anonymity browser onto the victim's device in some cases. While the precise reason for this action is unknown, it is suspected that it served as an alternative exfiltration route.

SPAREPART, as the name suggests, is considered to be redundant malware that is used to uphold remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.

The findings come as Check Point and Positive Technologies revealed attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by an espionage group known as Cloud Atlas as part of a persistent campaign.

The hacking group, which has been active since 2014, has a history of targeting entities in Eastern Europe and Central Asia. However, the outbreak of the Russo-Ukrainian war earlier this month has shifted its focus to organisations in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

The adversary's attack chains typically utilise phishing emails with bait attachments as the initial intrusion vector, leading to the delivery of a malicious payload via an intricate multi-stage sequence. The malware then contacts an actor-controlled C2 server to obtain additional backdoors capable of stealing files with specific extensions from the compromised endpoints.

Check Point's observations, on the other hand, culminate in a PowerShell-based backdoor known as PowerShower, which was first discovered by Palo Alto Networks Unit 42 in November 2018. Some of these intrusions in June 2022 were also successful, allowing the threat actor to achieve full network access and use tools such as Chocolatey, AnyDesk, and PuTTY.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is still unidentified, joining the ranks of other APTs such as TajMahal, DarkUniverse, and Metador. The group's name derives from its reliance on cloud services such as CloudMe and OpenDrive to host malware.

Read more »
Trojan
cryptomining malware Linux malware RAT Remote Access Trojan Trend Micro Trojan

This Linux-Targeting Malware is Becoming Even More Potent


A trojan software has been added to the capabilities of a cryptomining malware campaign that targets Linux-based devices and cloud computing instances, potentially making attacks more severe. 

This cryptomining campaign, as described by cybersecurity experts at Trend Micro, uses Linux computers' processing power, in order to sneakily compromise Linux servers and mine for Monero. 

Cryptomining attacks are frequently distributed by utilizing common cybersecurity flaws or by being concealed inside cracked software downloads. 

One compromised system is unlikely to generate much profit from cryptomining malware, but attackers infect a vast network of compromised servers and computers to produce as much cryptocurrency as possible, with the related energy bill being unknowingly carried by the victim. 

Because the affected user is unlikely to notice the decrease in system performance unless the machine is pushed to its limit, the attacks usually go unnoticed. Large networks of infected systems can thus generate a consistent income for threat actors, which is why this method has become a prevalent form of malware. 

Remote Access Trojan (RAT) 

Cryptojacking campaign comprises a remote access trojan (RAT) in its attacks – the reason why it stands out from other cyberthreat campaigns. Chaos RAT, a trojan malware is free and open source, and allows threat actors to take charge of any operating system. 

The RAT is downloaded with XMRig miner, which is utilized by threat actors in order to mine cryptocurrency, comprising of a shell script which is used to eliminate competing miners that could have previously been set up on the system. 

Chaos RAT has a variety of potent functions, like the ability to download, upload and delete files, take screenshots, access file explorer, as well as open URLs. 

In a blog post, written by Trend Micro researchers David Fisher and Oliveira, stated, “On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor […] However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.” 

In order to secure networks and cloud services against cryptomining malware and numerous other cyberattacks, organizations are advised to employ generic best cybersecurity measures, such as timely patching and updating of software and applications, in order to mitigate the risks of vulnerability being exploited in the outdated versions.  

Read more »
Trojan
Cyberattacks Facebook Google Play Store malware Social Media Trojan

Trojan Apps Stole Facebook Credentials From Over 300,000 Android Users

 


In the aftermath of the chaos caused by Schoolyard Bully Trojan, a new malware program for Android phones, more than 300,000 people in 71 countries have been affected. 

This malware is mainly intended to steal Facebook credentials from unsuspecting users. It is disguised as legitimate educational applications designed to trick users into downloading the malware without realizing that they are doing so. 

This week, it was announced that the apps had been removed from the official Google Play Store, where they had been available for download. However, it is still possible to download them from third-party app stores. 

According to Zimperium researchers Nipun Gupta and Aazim Bill SE Yashwant, this trojan uses JavaScript injection to steal Facebook credentials. The method by which it achieves this is by launching the Facebook login page within a WebView, which also includes malicious JavaScript code that encrypts and exfiltrates the user's phone number, email address, and password, which are then forwarded to one of the command-and-control (C2) servers in just one click. 

It is important to note that the Schoolyard Bully Trojan also uses native libraries to avoid detection by antivirus software, such as "libabc. so", for example. 

Aside from Vietnamese-language apps, the malware has also been detected in several other apps from over 70 countries, underscoring the global scope and scale of the problem. 

In a campaign codenamed FlyTrap, Zimperium discovered similar activity in the past year. This involved rogue Android apps delivering spam messages that intended to compromise Facebook accounts through Twitter accounts and Instant Messages. 

In a recent report by Zimperium, Richard Melick, director of mobile threat intelligence at Zimperium, stated that hackers have the potential to wreak havoc if they steal Facebook passwords. It becomes effortless for phishers to exploit friends and other contacts if they can impersonate someone from their legitimate Facebook account. Consequently, they can be tricked into sending money or sensitive information to fraudsters. 

The users' tendency to reuse the same passwords makes them more vulnerable to being attacked by an attacker who can more easily acquire their Facebook password. 

This is to access banking or financial apps, corporate accounts, web browsing, etc. If someone steals one's Facebook password, there is a high likelihood that the same password will also work with other apps or services. 

Social media has become popular with each sector and age group. With a rapidly growing number of social media users, caution while using social media should also be increased. There are several cyber-attack cases where malicious actors attacked the victim’s social media to steal sensitive information. Social media is a necessity in current times, so to use it without being a victim, you need to protect your social media from such attacks. There are some points you can follow: 
  • Prefer using stronger passwords.
  • Use different passwords for different platforms.
  • Enable two-step authentication security.

Malware and Trojans on Android: How to Avoid Them

As a first step, you should avoid installing apps from unofficial app stores and unknown sources. This will prevent your Facebook and other credentials from being stolen by hackers. The ability to sideload apps is one of the perks of using an Android device, but if caution is not exercised, it may result in harm. 

It is also wise to ensure that Google Play Protect is enabled on your Android device. This app can scan newly downloaded apps and other installed apps for malware. Aside from this application, you can also consider using one of the most effective Android antivirus applications to provide additional protection. 

Additionally, before updating any apps on your device, you must be mindful. While Google ensures that the apps it uploads to the Play Store are free of malware and viruses, it is still possible for malicious apps to creep their way into the store. To avoid this, it is recommended to read external reviews of an app before you decide to install it. You can also look at the app's developer before downloading it. 

A Trojan horse, Schoolyard Bully, was prominent on the Internet over four years ago. During that time, it was successful in stealing over 300,000 user credentials from users who were infected with it. Therefore, it is probable that cybercriminals will continue to use Trojan computers to steal passwords and account information from unsuspecting users as long as they continue to exist. 

Read more »
Subscribe to: Posts (Atom)