
Entropy Ransomware Connected to Dridex Malware, as per Sophos

 

The recently found Entropy ransomware has coding similarities to the Dridex malware, which started out as a banking trojan. After two Entropy attacks on different firms, researchers were able to establish a link between the two pieces of malware.

In a new study, Sophos principal researcher Andrew Brandt said that a detection signature designed to detect Dridex prompted a closer look into the Entropy malware; both of the target businesses had devices that were unprotected. Because the signature recognized the Dridex packer code, endpoint protection measures blocked the attack by identifying the Entropy packer code.

In both incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite some similarities, the two attacks differed greatly in terms of the initial access point used to gain a foothold within the networks, the time spent in each environment, and the malware used to initiate the final stage of the intrusion.

The attack on the media company employed the ProxyShell vulnerability to infect a vulnerable Exchange Server with a web shell, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is alleged to have spent four months doing espionage and data theft before launching the cyberattack in December 2021. The second attack on the provincial government agency was made possible via a malicious email attachment carrying the Dridex virus.

Notably, prior to encryption of the files on the hacked machines, redundant exfiltration of confidential documents to more than one cloud storage service, in the form of packed RAR archives, occurred within 75 hours of the initial discovery of a suspect login session on a single machine. Apart from the use of legitimate tools like AdFind, PsExec, and PsKill, the resemblance between the Dridex and Entropy samples and past DoppelPaymer extortion infections has raised the likelihood of a "similar origin."

The network of links between the various types of malware is worth mentioning; the Dridex malware, an information-stealing botnet, is thought to be the product of Indrik Spider, the well-known Russian cybercrime outfit also known as Evil Corp.

The Evil Corp cluster continues to improve its tradecraft, continually altering payload signatures, exploitation tools, and initial access methods to hinder attribution. SentinelOne researchers identified the "evolutionary" ties in a standalone analysis, noting nearly identical design, implementation, and functionality among various iterations of the malware, with the file-encrypting malware concealed using a packer named CryptOne.

"The attackers took advantage of a lack of attention in both situations - both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, chief researcher at Sophos. Attackers would have had to work harder to gain first access into the Exchange Server if it had been patched properly.

New Mac Malware Samples Highlight The Growing Risk

 


Despite Apple's best attempts, Mac malware exists, though it is worth keeping in mind that Mac malware and viruses are quite rare in the wild. Apple has a number of safeguards in place to protect against such attacks. For example, under System Preferences > Security & Privacy > General, macOS by default only allows the installation of third-party applications from the App Store or identified developers. If you were to install something from an unknown developer, Apple would prompt you to verify its legitimacy.

Apple also has its own built-in anti-malware program and keeps all of its malware definitions in the XProtect file on your Mac; whenever you download a new app, it checks the app against those definitions. This is a feature of Apple's Gatekeeper software, which is meant to keep malware developers' apps from running and verifies that apps haven't been altered.

For the sixth year in a row, security researcher Patrick Wardle has compiled a list of all new Mac malware threats discovered during the previous year:
  1. ElectroRAT, a cross-platform remote access trojan that first appeared in January.
  2. Silver Sparrow, a malware tool designed specifically for Apple's M1 chip that was released last year.
  3. XLoader, a cross-platform password stealer. It was identified as a rebuilt version of a well-known information stealer named Formbook.
  4. MacMa (OSX.CDDS), discovered while analyzing sophisticated watering hole attacks targeting visitors to the Hong Kong websites of a media outlet and a pro-democracy organization. To install the MacMa backdoor, the attackers used a zero-day privilege escalation vulnerability (CVE-2021-30869) in macOS Catalina.
  5. XcodeSpy, a data-stealing malware tool that spread via sponsored search results on Baidu and installed the Cobalt Strike agent on compromised systems.
  6. ElectrumStealer, a cryptocurrency mining tool that Apple inadvertently signed digitally.
  7. WildPressure, a cross-platform Python backdoor that Kaspersky discovered targeting industrial companies in the Middle East.
  8. ZuRu, a data-stealing malware tool that spread via sponsored search results on Baidu and installed the Cobalt Strike agent.
Cryptominers like ElectroRAT and OSAMiner, adware loaders like Silver Sparrow, information stealers like Xloader and Macma, and cross-platform Trojans like WildPressure were among the most dangerous Mac malware threats last year, according to Willy Leichter, CMO of LogicHub.

Ursnif Trojan Steals Personal User Data, Proofpoint Report Says

 

Researchers at Proofpoint have found a new Ursnif banking malware campaign run by a hacking group called TA544, which is attacking companies in Italy. Cybersecurity experts found 20 major campaigns delivering malicious messages directed at Italian organizations.

TA544 is a financially motivated threat actor that has been active since 2017. The group targets banking users, deploying banking trojans and other payloads to compromise companies across the world, primarily in Italy and Japan. Experts observed that between January and August 2021, the total number of identified Ursnif campaigns affecting Italian companies was almost equal to the number of Ursnif campaigns in Italy in 2020.

"Today's threats – like TA544's campaigns targeting Italian organizations – target people, not infrastructure. That's why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege and tailored controls that account for individual user risk," Proofpoint concludes.

The TA544 threat actor uses social engineering and phishing to lure victims into enabling the macro present in weaponized documents. Once the macro is enabled, the malware process starts. In the recent attacks against Italian companies, the threat actor impersonated an energy company or an Italian courier, using payment-themed lures against victims.

These spam messages use weaponized Office documents to deploy the Ursnif banking malware in the final stage. While investigating these campaigns, experts found that TA544 used geofencing to check whether targets were in the intended geographic areas before delivering the malware. If the user wasn't in the target area, the malware C2 would redirect them to an adult site. So far in 2021, experts have found around five lakh (500,000) messages related to these malware campaigns. The threat actor used file injectors to deploy malicious code used to steal personal user data such as login credentials and banking details.

Research into the web injections used by the hacking group reveals that the attackers were also trying to steal website credentials related to major sellers.

Proofpoint reports "recent TA544 Ursnif campaigns included activity that targeted multiple sites with web injects and redirections once the Ursnif payload was installed on the target machine. Web injects refer to malicious code injected to a user’s web browser that attempts to steal data from certain targeted websites. The list included dozens of targeted sites."

Fake Windows 11 Installers are Being Used to Spread Malware

 

Although Windows 11 isn't expected to be released until later this year, hackers have already begun attempting to use it to infect victims with malware. On Friday, security firm Kaspersky warned that crooks were using bogus installers to take advantage of consumers eager to get their hands on the Microsoft operating system update, which is set to be released in the fall. 

“Although Microsoft has made the process of downloading and installing Windows 11 from its official website fairly straightforward, many still visit other sources to download the software, which often contains unadvertised goodies from cybercriminals (and isn’t necessarily Windows 11 at all),” Kaspersky wrote. The sarcastic "goodies" include anything from harmless adware to password stealers and trojans. 

An executable file called 86307 windows 11 build 21996.1 x64 + activator.exe is one example. It certainly appears credible, with a file size of 1.75GB. However, the majority of that space is taken up by a single DLL file that contains a lot of irrelevant data. 

When you run the application, the installer seems to be a standard Windows installation wizard. Its primary function is to download and execute a more intriguing executable. The second executable is likewise an installer, with a license agreement that describes it as a “download manager for 86307 windows 11 build 21996.1 x64 + activator” and notes that it will also install some sponsored applications. If you accept the agreement, your computer will be infected with a number of malicious programmes. 
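A defender's heuristic for the inflated-installer trick described above (a large file whose bulk is a DLL full of irrelevant data), added here as an example and not code from Kaspersky or the post. It assumes such filler is low-entropy (repeated or near-constant bytes) and measures what fraction of a file consists of low-entropy chunks; the size and ratio thresholds are assumed tuning values, not figures from the report.

```python
import math
from collections import Counter


def chunk_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def filler_fraction(data: bytes, chunk_size: int = 65536,
                    max_entropy: float = 1.0) -> float:
    """Fraction of bytes that sit in chunks with entropy <= max_entropy.

    Real code and compressed resources score far above 1 bit/byte; zero
    or repeated-byte padding scores near 0, so low-entropy chunks are
    treated as filler (assumption, see lead-in).
    """
    if not data:
        return 0.0
    filler = 0
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        if chunk_entropy(chunk) <= max_entropy:
            filler += len(chunk)
    return filler / len(data)


def looks_inflated(data: bytes, min_size: int = 100 * 1024 * 1024,
                   threshold: float = 0.5) -> bool:
    """Flag files that are large mainly because of filler (assumed thresholds)."""
    return len(data) >= min_size and filler_fraction(data) >= threshold


# Constructed sample, not a real installer: 64 KiB of varied bytes standing in
# for genuine code, followed by 256 KiB of zero padding (filler fraction 0.8).
SAMPLE = bytes(range(256)) * 256 + b"\x00" * (256 * 1024)
SAMPLE_FRACTION = filler_fraction(SAMPLE)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print(f"{sys.argv[1]}: filler fraction {filler_fraction(blob):.2f}, "
              f"inflated={looks_inflated(blob)}")
    else:
        print(f"constructed sample: filler fraction {SAMPLE_FRACTION:.2f}")
```

Run it with a file path to score a downloaded installer; the whole file is read into memory, so very large samples should be streamed chunk by chunk instead.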

It's not uncommon for hackers to take advantage of victims' demand for a product or service, whether it's coronavirus contact tracing apps or the Telegram encrypted messaging app. In late June, Microsoft announced Windows 11 and made an initial “insider preview” accessible. Security has been highlighted as a key driving factor in the development of the operating system upgrade. 

The bogus installers are proliferating as Microsoft battles a number of security threats directed at the firm. Last week, Microsoft revealed instructions on how to protect against the "PetitPotam" attack, which might allow attackers to take control of Windows domains, as well as a solution for the "SeriousSAM" vulnerability, which could let attackers get administrative access. Last week, the corporation also issued a warning about LemonDuck, a cryptocurrency mining malware that has been targeting Microsoft devices. 

CISA Released A New Advisory on LokiBot Trojan


LokiBot, a trojan-type malware first identified in 2015, is popular among cybercriminals as a means of creating a backdoor into compromised Windows systems that allows the attacker to install additional payloads.

It is an information stealer that uses a stealthy trick to evade detection by security software and steal victims' personal data, including their usernames, passwords, bank details, and the contents of cryptocurrency wallets, using a keylogger that monitors browser and desktop activities.

Recently, the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) observed a significant increase in malicious infections via LokiBot malware starting from July 2020. During this period, CISA's EINSTEIN Detection System, responsible for protecting federal civilian executive branch networks, noticed continuous malicious activity by LokiBot. Credited for being simple yet effective, the malware is often sent out as an infected attachment via email, malicious websites, texts, or personal messages to target Windows and Android operating systems.

Although LokiBot has been in cyberspace for a while now, attackers still often use it to illicitly access sensitive information. In a recent attack carried out in July, 14 different campaigns distributing LokiBot payloads were launched by a group of threat actors popularly known as 'RATicate'. In another malspam campaign, attackers were found to be distributing the LokiBot payload in a spear-phishing attack on a U.S.-based manufacturing organization.

“LokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients,” as per the alert issued on Tuesday.

Giving insights on the matter, Saryu Nayyar, CEO at Gurucul, said via email, "The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space."

Trojan attempts to trick victims into transferring funds

A new banking trojan attempts to lure the victim into transferring funds to the cyber-criminals' accounts. Once the malware infects a system, it waits until the victim logs into his bank account.

Then it shows a fake message stating that a credit has been made to his account by mistake and gives a warning that the account will be frozen until the errant payment is transferred back.

To make the ploy more plausible, the malware modifies the amount displayed in his browser when he tries to view his account balance, so unwitting users believe the message is true.

"The malware presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls," security blogger Brian Krebs said.

The German Federal Crime Police warned consumers about the scam. It is unclear how many have fallen victim to it.