Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Trojan. Show all posts
Trojan
Cyber Security Google AMP Phishing Attacks RATs Russia TikTok Trojan

Hackers Use Russian Domains for Phishing Attacks

Hackers Use Russian Domains for Phishing Attacks

The latest research has found a sharp rise in suspicious email activities and a change in attack tactics. If you are someone who communicates via email regularly, keep a lookout for malicious or unusual activities, it might be a scam. The blog covers the latest attack tactics threat actors are using.

Malicious email escapes SEGs

Daily, at least one suspicious email escapes Secure Email Getaways (SEGs), like Powerpoint and Microsoft, every 45 seconds, showing a significant rise from last year’s attack rate of one of every 57 seconds, according to the insights from Cofense Intelligence’s third-quarter report.

A sudden increase in the use of remote access Trojans (RATs) allows hackers to gain illegal access to the target’s system, which leads to further abuse, theft, and data exploitation.

Increase in Remote Access Trojan (RAT) use

Remcos RAT, a frequently used tool among hackers, is a key factor contributing to the surge in RAT attacks. It allows the attacker to remotely manipulate infected systems, exfiltrate data, deploy other malware, and obtain persistent access to vulnerable networks.

According to the data, the use of open redirects in phishing attempts has increased by 627%. These attacks use legitimate website functionality to redirect users to malicious URLs, frequently disguised as well-known and reputable domains.

Using TikTok and Google AMP

TikTok and Google AMP are frequently used to carry out these attacks, leveraging their worldwide reach and widespread use by unknowing users.

The use of malicious Office documents, particularly those in.docx format, increased by roughly 600%. These documents frequently include phishing links or QR codes that lead people to malicious websites.

Microsoft Office documents are an important attack vector due to their extensive use in commercial contexts, making them perfect for targeting enterprises via spear-phishing operations.

Furthermore, there has been a substantial shift in data exfiltration strategies, with a rise in the use of.ru and.su top-level domains (TLDs). Domains with the.ru (Russia) and.su (Soviet Union) extensions saw usage spikes of more than fourfold and twelvefold, respectively, indicating cybercriminals are turning to less common and geographically associated domains to evade detection and make it more difficult for victims and security teams to track data theft activities.

Read more »
Trojan
Backoor Malvertising malware Smokedham Trojan

Smokedham: Malicious Backdoor for Surveillance and Ransomware Campaigns

Smokedham: Malicious Backdoor for Surveillance and Ransomware Campaigns

A study by TRAC Labs reveals details about a backdoor called “SMOKEDHAM”, a malicious tool used by hacker UNC2465. The financially motivated attacker has been in action since 2019, the SMOKEDHAM tool plays a main role in sophisticated extortion and launching ransomware attacks, making UNC2465 the most adaptive and persistent threat group in the cybersecurity environment.

About Smokedham malware

SMOKEDHAM is a highly adaptable backdoor planted through trojanized software installers and strives via malvertising campaigns. “UNC2465 has leveraged trojanized installers disguised as legitimate tools, such as KeyStore Explorer and Angry IP Scanner, to deliver SMOKEDHAM payloads,” says TRAC Labs.

Once deployed, SMOKEDHAM allows hackers initial entry to a victim’s device, making way for network surveillance, later movements, and deploying ransomware. If we look back, SMOKEDHAM has links with DARKSIDE ransomware, and UNC2465 has now shifted focus to Lockbit ransomware.

When infecting the target system, SMOKEDHAM uses stealthy techniques, this includes DLL side-loading and PowerShell obfuscation. 

Important steps in the infection process include: 

Manipulating Service: The backdoor changes configurations of Windows services like MSDTC to maintain presence and exploit privileges. “The purpose of running these commands is to later DLL side-load the binary named oci.dll retrieved from the C2 server.”

Trojanized Installers: Distributed through famous platforms like Google Ads, these trojan installers may look legit but contain a malicious SMOKEDHAM payload.

Registry and Batch Script Modifications: Infected scripts run payloads, and configure registry keys for maintaining presence, and also make PowerShell commands for obfuscation. 

For post-campaign activities, the attacker uses:

1. Using tools such as Advanced IP Scanner and Bloodhound to track valuable targets in a compromised network. 

2. Credential Harvesting: Extracting login credentials for future exploitation. 

3. Escaping Firewall: Using NGROK to leak internal services like RDP to the web, evading network defenses. 

“Approximately 6 hours after the execution of the malicious binary on the beachhead host, the threat actors moved laterally to the Domain Controller using WMI,” says TRAC labs.

The SMOKEDHAM backdoor is a living example of sophisticated cyber threats corrupting the cybersecurity industry, with its advanced tools for surveillance, network infiltration, and persistence.

Read more »
Trojan
CVE-2024-38213 Cyber Security CyberCrime DarkGate operators Microsoft security patch Ransomware SmartScreen vulnerability Spyware Trojan

Microsoft Patches Critical SmartScreen Vulnerability Exploited by Attackers

 


Microsoft's SmartScreen feature, a cornerstone of Windows security, faced a significant setback when a critical vulnerability, CVE-2024-38213, was exploited by cybercriminals. This vulnerability allowed attackers to circumvent SmartScreen's protective mechanisms and deliver malicious code to unsuspecting users.

The vulnerability exploited a weakness in SmartScreen's ability to identify and block potentially harmful files. By exploiting this flaw, attackers were able to disguise malware as legitimate software, tricking users into downloading and executing harmful files. This deceptive tactic, known as social engineering, is a common strategy employed by cybercriminals.

The consequences of this breach were severe. Cybercriminals were able to deploy various types of malware, including ransomware, spyware, and trojans. These malicious payloads could steal sensitive data, encrypt files for ransom, or even take control of infected systems. The potential impact on individuals and organizations was significant, ranging from financial loss to data breaches and disruption of critical operations.

Several threat groups were implicated in the exploitation of CVE-2024-38213. Notable among them were the DarkGate operators, who used the vulnerability to distribute malware through copy-and-paste operations. These attackers often targeted popular software, such as Apple iTunes, Notion, and NVIDIA, to lure victims into downloading malicious files.

Upon discovering the vulnerability, Microsoft's security teams worked diligently to develop a patch to address the issue. The patch was included in the June 2024 Patch Tuesday update. However, the company initially failed to provide a public advisory, leaving users unaware of the potential threat. This oversight highlighted the importance of timely communication and proactive security measures.

The exploitation of CVE-2024-38213 serves as a stark reminder of the constant threat posed by cybercriminals. It underscores the need for robust security measures, both at the individual and organizational level. Users must remain vigilant, exercise caution when downloading files, and keep their systems up-to-date with the latest security patches.

For organizations, the incident emphasizes the importance of a comprehensive security strategy that includes vulnerability management, incident response planning, and employee training. By investing in these areas, businesses can better protect themselves against cyber threats and minimize the potential damage from successful attacks.

As the cyber threat landscape continues to evolve, it is essential for both individuals and organizations to stay informed about emerging threats and best practices for cybersecurity. By working together, we can help create a safer digital environment for everyone.

Read more »
Trojan
cryptocurrency Cryptojacking Cyberattacks Cyberbreach Cyberhakcers Cybersecurity Cyberthreats IoT Malicious program Technology Trojan

Cryptojacking Attacks Soar 409% in India Amid a Global Shift in Cybersecurity Tactics

 


A rise in technology has also led to an increase in cybersecurity concerns as a result of the rise of technology. It is becoming more and more common for users across the world to fall victim to online scams day after day, and this is even getting the authorities in action, as they're now attempting to combat this trend by taking steps to introduce safeguards for users. 

According to the first half of 2024 global statistics, malware volume increased by a whopping 30 per cent on a global scale. As a result of this increase alone, the number of reports increased by 92 per cent in May. Throughout 2024, the number of malware attacks in the country increased by 11 per cent and ransomware attacks rose by 22 per cent, indicating that businesses are facing more cyber threats than ever before, according to a report by SonicWall. 

A SonicWall report published in February 2024 revealed that malware attacks increased by eleven per cent in volume from 12,13,528 in 2023 to 13,44,566 in 2024 as compared to the previous year. IoT (Internet of Things) attacks have increased by 59 per cent in the last year, with 16,80,787 attacks occurring annually in 2024 as opposed to 10,57,320 in 2023, the study found. 

There is no doubt that India is making substantial efforts to become one of the leading countries in the field of technology. While the use of technology has increased over the years, a recent trend has also been accompanied by significant cybersecurity risks. Attacks on Internet of Things (IoT) devices have increased by 59 per cent in 2024 as compared to 1,057,320 in 2023, which marks an increase of 11 per cent in malware attacks, a 22 per cent increase in ransomware attacks, and an 11 per cent increase in Internet of Things (IoT) attacks. 

According to the report, there was a marked increase in both ransomware attacks and crypto attacks; the latter grew by an astonishing 409 per cent. The SonicWall Vice President for APJ Sales, Debasish Mukherjee, noted that organizations are facing an increasingly hostile threat environment because attackers are continuing to innovate beyond traditional defences to become more successful. According to the "Mid-Year Cyber Threat Report" published by SonicWall, the rise of new cyber threats is becoming increasingly prevalent among businesses due to these new developments in cybersecurity. 

Cryptojacking attacks are increasing, and India has reported the highest number of attacks with a 409 per cent increase compared to a global decline of 60 per cent — a startling statistic. In a recent report published by SonicWall Capture Labs, SonicWall released the 2024 SonicWall Mid-Year Cyber Threat Report today. This report reveals that cyber threats are once again on the rise after an 11% increase in 2023, confirming the 11% rise in high-quality attacks since 2023.

A report published by the company details the changing threat landscape over the first five months of this year, showing the persistence, relentlessness, and ever-growing nature of cyber threats across the globe. A report that has been designed with SonicWall's partners in mind, has undergone several changes over the past few years, much like SonicWall itself has undergone several changes. As part of its evolution, the report has recently changed the way it measures vital cyber threat data to include time as a component. 

A key part of the report outlines the latest threats which are affecting our partners and the customers they serve, and for the first time, it highlights how attacks can have a direct impact on our partners, including threats to revenue. According to SonicWall intelligence, on average, companies are likely to be under critical attack - that is, attacks which are most likely to deplete business resources - for 1,104 of the 880 working hours they have in a given month. 

In the first five months of 2024, businesses were shielded from potential downtime of up to 46 days, a critical safeguard that protected 12.6% of total revenues from potentially devastating cyber intrusions. This significant finding was among the key insights from a recent report, underscoring the escalating threats faced by modern enterprises. 

Douglas McKee, Executive Director of Threat Research at SonicWall, emphasized the importance of robust cybersecurity measures, stating, "The data and examples found in the report provide real-life scenarios of how crafty and swift malicious actors operate, underscoring that traditional cybersecurity defences often prove to be the most reliable." One of the most pressing concerns highlighted in the report is the increasing sophistication of supply chain attacks. 

These attacks exploit the interconnectedness of modern enterprises, targeting vulnerabilities in third-party software and services to compromise broader networks. The first half of 2024 saw several sophisticated attacks, including a high-profile breach involving the JetBrains TeamCity authentication bypass. By the end of 2023, three out of the top five companies globally had already suffered supply chain breaches, affecting more than 50% of their customers. 

These breaches were primarily due to vulnerabilities such as Log4j Log4Shell and Heartbleed. The report also revealed that organizations, on average, took 55 days to patch even 50% of their critical vulnerabilities, further exposing them to risk. In response to these growing threats, Microsoft has made significant strides in addressing vulnerabilities. 

In 2023, the company patched more than 900 vulnerabilities, with Remote Code Execution (RCE) vulnerabilities accounting for 36% of them. Despite the high number of RCE vulnerabilities, they were exploited only 5% of the time. In contrast, Elevation of Privilege vulnerabilities, which were leveraged 52% of the time, posed a greater risk. By mid-2024, Microsoft had already patched 434 vulnerabilities, matching the record set in 2023. 

Notably, 40% of these vulnerabilities were classified as RCE, yet 86% of the exploited vulnerabilities were related to Security Feature Bypass or Elevation of Privilege issues. The report also sheds light on the growing threat posed by Remote Access Trojans (RATs). These malicious programs disguise themselves as legitimate applications to obtain necessary permissions and connect to command-and-control servers, enabling them to steal sensitive information and bypass multi-factor authentication (MFA). Industries will experience several sophisticated RAT attacks in 2024, with malware such as Anubis, AhMyth, and Cerberus evolving to bypass MFA, making them a significant cybersecurity threat. PowerShell, a versatile scripting language and command-line shell, has also become a favoured tool among malicious actors due to its user-friendly features. 

The report revealed that 90% of prevalent malware families, including AgentTesla, AsyncRAT, GuLoader, DBatLoader, and LokiBot, utilize PowerShell for malicious activities. Of these, 73% use PowerShell to download additional malware, evade detection, and carry out other harmful actions. This report serves as a stark reminder of the increasing sophistication and prevalence of cyber threats in 2024, underscoring the need for continued vigilance and robust cybersecurity measures to protect businesses and their customers.
Read more »
Trojan
Cyber Attacks IT Sector Malware Attack Ransomware attack Ransomware Threat Remote Access Trojan Trojan

New Ransomware Threat: Hunters International Deploys SharpRhino RAT

 

In a troubling development for cybersecurity professionals, the Hunters International ransomware group has introduced a sophisticated new remote access trojan (RAT) called SharpRhino. This C#-based malware is specifically designed to target IT workers and breach corporate networks through a multi-stage attack process. The malware’s primary functions include achieving initial infection, elevating privileges on compromised systems, executing PowerShell commands, and ultimately deploying a ransomware payload. 

Recent findings from Quorum Cyber researchers reveal that SharpRhino is distributed via a malicious site masquerading as Angry IP Scanner, a legitimate networking tool widely used by IT professionals. The deceptive website uses typosquatting techniques to lure unsuspecting users into downloading the malware. This approach highlights a new tactic by Hunters International, aiming to exploit the trust IT workers place in well-known tools. The SharpRhino RAT operates through a digitally signed 32-bit installer named ‘ipscan-3.9.1-setup.exe.’ 

This installer contains a self-extracting, password-protected 7z archive filled with additional files necessary for the malware’s execution. Upon installation, SharpRhino modifies the Windows registry to ensure persistence on the compromised system and creates a shortcut to Microsoft.AnyKey.exe, which is normally a Microsoft Visual Studio binary but is abused here for malicious purposes. Additionally, the installer drops a file named ‘LogUpdate.bat,’ which executes PowerShell scripts to run the malware stealthily. To facilitate command and control (C2) operations, SharpRhino creates two directories: ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows.’ 

These directories are used to manage communication between the malware and its operators. SharpRhino also includes hardcoded commands such as ‘delay’ to set the timer for the next POST request and ‘exit’ to terminate communication. This enables the malware to execute various dangerous actions, including launching PowerShell commands. For instance, Quorum Cyber researchers demonstrated the malware’s capability by launching the Windows calculator. Hunters International, which began operations in late 2023, has been associated with several high-profile ransomware attacks. Notable victims include U.S. Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center. 

In 2024 alone, the group has claimed responsibility for 134 ransomware attacks, ranking it among the top ten most active ransomware operators globally. The deployment of SharpRhino through a fake website underscores Hunters International’s strategic focus on IT professionals, leveraging their reliance on familiar software to infiltrate corporate networks. To protect against such threats, users should exercise caution with search results and sponsored links, use ad blockers, and verify the authenticity of download sources. Implementing robust backup plans, network segmentation, and keeping software up-to-date are essential measures to mitigate the risk of ransomware attacks.
Read more »
Trojan
Clone Cyber Security Malicious Payload Minesweeper Trojan

Unmasking the Trojan: How Hackers Exploit Innocent Games for Malicious Intent


Hackers continue to find ingenious ways to infiltrate organizations and compromise sensitive data. Recently, a peculiar attack vector emerged—one that leverages an unsuspecting source: a Python clone of the classic Minesweeper game. 

In this blog post, we delve into the details of this novel attack and explore the implications for cybersecurity professionals.

The Trojanized Minesweeper Clone

The Setup

The attack begins innocuously enough—an email arrives in an employee’s inbox, seemingly from a legitimate medical center. 

The subject line reads, “Personal Web Archive of Medical Documents.” Curiosity piqued, the recipient opens the email and finds a Dropbox link to download a 33MB SCR file. The file claims to contain a web archive of medical documents, but hidden within its code lies a sinister secret.

The Malicious Payload

The SCR file contains two distinct components:

Legitimate Minesweeper Code

  • The attackers cleverly embed code from a Python clone of the classic Minesweeper game. This seemingly harmless code serves as camouflage, distracting security scanners and human reviewers.
  • The Minesweeper game runs as expected, creating a façade of normalcy.

Malicious Python Script

  • Concealed within the Minesweeper code, a malicious Python script lies dormant.
  • When executed, this script connects to a remote server (“anotepad.com”) and downloads additional payloads.
  • The ultimate goal? To install the SuperOps RMM (Remote Monitoring and Management) software—a legitimate tool that provides remote access to compromised systems.

The Threat Actor: UAC-0188

The attack is attributed to a threat actor known as “UAC-0188.” This actor demonstrates a keen understanding of social engineering and exploits users’ trust in seemingly benign applications. By piggybacking on the Minesweeper clone, UAC-0188 bypasses initial scrutiny and gains a foothold within the organization.

Implications and Countermeasures

Organizations must remain vigilant and adopt proactive measures to counter such attacks:

User Awareness

  • Educate employees about phishing tactics and the importance of scrutinizing unexpected attachments.
  • Encourage skepticism—even when the sender appears legitimate.

Behavioral Analysis

  • Implement behavioral analysis tools that detect anomalies in file behavior.
  • Scrutinize code for hidden payloads, especially within seemingly harmless files.

Network Segmentation

  • Isolate critical systems from less secure areas of the network.
  • Limit lateral movement for attackers.

Regular Security Audits

  • Conduct regular audits to identify vulnerabilities.
  • Update security policies and procedures accordingly. 

Read more »
User Security
Bing Ad Cyber Fraud Fake Website Malicious Sites Trojan User Security

Bing Ad Posing as NordVPN Aims to Propagate SecTopRAT Malware

 

A Bing advertisement that appeared to be a link to install NordVPN instead led to an installer for the remote access malware SecTopRAT. 

Malwarebytes Labs identified the malvertising campaign on Thursday, with the domain name for the malicious ad having been registered only a day earlier. The URL (nordivpn[.]xyz) was intended to resemble an authentic NordVPN domain. The ad link linked to a website with another typosquatted URL (besthord-vpn[.]com) and a duplicate of the actual NordVPN website.

The download button on the fake website directed to a Dropbox folder containing the installer NordVPNSetup.exe. This executable comprised both an authentic NordVPN installation and a malware payload that was injected into MSBuild.exe and connected to the attacker's command-and-control (C2) server.

The threat actor attempted to digitally sign the malicious programme, however the signature proved to be invalid. However, Jérôme Segura, Principal Threat Researcher at Malwarebytes ThreatDown Labs, told SC Media on Friday that he discovered the software had a valid code signing certificate. 

Segura said some security products may block the executable due to its invalid signature, but, “Perhaps the better evasion technique is the dynamic process injection where the malicious code is injected into a legitimate Windows application.” 

“Finally, we should note that the file contains an installer for NordVPN which could very well thwart detection of the whole executable,” Segura added. 

The malicious payload, SecTopRAT, also known as ArechClient, is a remote access trojan (RAT) identified by MalwareHunterTeam in November 2019 and then analysed by GDATA experts. The researchers discovered that the RAT produces an "invisible" second desktop, allowing the attacker to manage browser sessions on the victim's PC. 

SecTopRAT can also provide system information, such as the system name, username, and hardware, to the attacker's C2 server. 

Malwarebytes reported the malware campaign to both Microsoft, which controls Bing, and Dropbox. Dropbox has since deactivated the account that contained the malware, and Segura said his team had yet to hear anything from Microsoft as of Friday. 

“We did notice that the threat actors updated their infrastructure last night, perhaps in reaction to our report. They are now redirecting victims to a new domain thenordvpn[.]info which may indicate that the malvertising campaign is still active, perhaps under another advertiser identity,” Segura concluded. 

Other malvertising efforts promoting SecTopRAT have been discovered in the past. In 2021, Ars Technica reported on a campaign that used Google advertisements to promote the Brave browser.

Last October, threat actors employed malvertising, search engine optimisation (SEO) poisoning, and website breaches to deceive consumers into installing a fake MSIX Windows programme package containing the GHOSTPULSE malware loader. Once deployed, GHOSTPULSE employs a process doppelganging to enable the execution of several malware strains, including SecTopRAT.
Read more »
Trojan
Cybersecurity Precautions data security iPhone Malware Mobile Security Trojan

Securing Your iPhone from GoldPickaxe Trojan

 

In recent times, the digital realm has become a battleground where cybercriminals constantly devise new tactics to breach security measures and exploit unsuspecting users. The emergence of the GoldPickaxe Trojan serves as a stark reminder of the ever-present threat to our personal data and privacy. As reported by 9to5Mac, this insidious malware has targeted iPhone users, raising concerns about the safety and security of our devices. 

The GoldPickaxe Trojan is a sophisticated form of malware designed to infiltrate iPhones, compromising sensitive information and potentially causing significant harm to users. This malicious software operates covertly, often masquerading as legitimate applications or using social engineering tactics to trick users into installing it. Once installed on a device, the GoldPickaxe Trojan can execute a range of malicious activities, including stealing personal data such as login credentials, financial information, and sensitive communications. 

Moreover, it may grant unauthorized access to the device, allowing cybercriminals to control its functionalities remotely. Given the severity of the threat posed by the GoldPickaxe Trojan, it is imperative for iPhone users to take proactive measures to safeguard their devices and personal data. Here are some essential steps to enhance your device's security and protect against this insidious malware. 

Ensure that your iPhone's operating system, as well as all installed applications, is up to date. Manufacturers regularly release security patches and updates to address vulnerabilities and strengthen defences against emerging threats like the GoldPickaxe Trojan. Exercise caution when downloading and installing applications from the App Store or third-party sources. Verify the authenticity of the developer and scrutinize app permissions before granting access to your device's resources. Avoid installing apps from unknown or untrusted sources, as they may contain malicious payloads. 
 
Activate two-factor authentication (2FA) wherever possible to add an extra layer of security to your accounts. By requiring a secondary verification method, such as a one-time code sent to your phone, 2FA can thwart unauthorized access attempts even if your login credentials are compromised by the GoldPickaxe Trojan. Use strong, unique passwords for all your online accounts, including your iPhone's lock screen and iCloud account. Avoid using easily guessable passwords or reusing the same password across multiple platforms, as this can significantly increase the risk of unauthorized access and data breaches. 

Consider installing reputable antivirus and security software on your iPhone to detect and remove malicious threats like the GoldPickaxe Trojan. These applications can provide real-time protection against malware, phishing attacks, and other cyber threats, helping to safeguard your device and personal information. Remain vigilant against suspicious activities and phishing attempts, such as unsolicited emails or messages requesting sensitive information. Stay informed about the latest cybersecurity threats and trends, and educate yourself on best practices for online safety and privacy. 

The GoldPickaxe Trojan represents a significant threat to iPhone users, highlighting the importance of robust security measures and proactive defence strategies. By following the guidelines above and adopting a security-conscious mindset, you can mitigate the risk of falling victim to this malicious malware and protect your device, data, and privacy from harm. Remember, safeguarding your iPhone is not just a matter of convenience; it's a crucial step in safeguarding your digital identity and maintaining control over your online presence in an increasingly interconnected world.
Read more »
Subscribe to: Posts (Atom)