
Pisces Introduces Innovative Tools KLogEXE and FPSpy

In a recent study, Unit 42 researchers found the Sparkling Pisces (aka Kimsuky) threat group using two previously undocumented malware samples: a keylogger its authors named KLogEXE, and a variant of a backdoor known as FPSpy that is potentially harmful.

This is a significant addition to Sparkling Pisces' already extensive arsenal and shows that the group continues to advance and develop its capabilities. The two tools, KLogEXE and FPSpy, had never been documented before; the North Korean APT group is using them in cyber espionage campaigns and spear phishing attacks.

Moreover, customers can be better protected by using Cloud-Delivered Security Services as part of their Next-Generation Firewall, including Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, and Advanced Threat Prevention, and can also improve their connectivity. KLogEXE is a C++-based keylogger that records keyboard input and mouse clicks and encrypts the recorded data into a log file.

The log file has the extension .ini. Once the file reaches the size limit set by KLogEXE, it is renamed with the current date, an auto-generated boundary is produced, and the data is sent over HTTP to a command and control server using a unique Uniform Resource Identifier (URI) and a unique executable file name. FPSpy is an early version of the group's KGHSpy backdoor and closely resembles its earlier variants.

Unit 42 found that it has a unique export function called MazeFunc and that its compilation timestamp appears to have been tampered with (timestomped) to obscure when it was actually created. FPSpy's custom loader drops and runs sys.dll, which can execute arbitrary commands, collect system data, and download additional encrypted modules.

One thread downloads modules while another handles data exfiltration, which includes running PowerShell tree commands to enumerate the drives and folders present. The two tools are strongly connected, with similarities in code structure and in how HTTP packets are constructed. Of the many cyberespionage groups active today, Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) is largely known for its spear-phishing attacks and sophisticated cyberespionage operations.

One of the group's most prominent attacks was against Korea Hydro and Nuclear Power (KHNP) in 2014. Its initial targets were government agencies, research institutes, think tanks, and research institutions. As its network developed, the group expanded to Western countries, including the United States, establishing itself as a global threat as it continued to grow.

It has been nicknamed "the king of spear phishing": through hundreds of attacks it has lured victims into downloading and executing malicious payloads in order to steal their identities. In a recent attack, the group masqueraded as a legitimate Korean company and spread malware using a valid certificate allegedly issued by that company, targeting South Koreans.

Many malware strains and campaigns are associated with Sparkling Pisces, and its infrastructure is complicated and constantly evolving. Tracking that infrastructure revealed connections between different operations and tools that allow the group to operate effectively, and also revealed that it is using newly discovered, undocumented malware in its attacks.

KLogEXE was found by tracking the infrastructure this group used as command and control (C2) for the PowerShell keylogger documented by JPCERT. ASEC also published a report earlier this year about a spear phishing campaign by the same threat actor that infected South Korean users with PowerShell keyloggers.

Decrypting the PowerShell keylogger from the aforementioned JPCERT report showed that it communicated with www.vic.apollo-star7[.]kro[.]kr, which resolves to 152.32.138[.]167. Examining files associated with that IP address showed the PowerShell keylogger communicating with a different domain from the one found in the file. Moreover, Sparkling Pisces uses a Uniform Resource Identifier (URI) pattern that had not been observed in any other malware associated with the group.

Analysis of a recent malware campaign reveals overlaps between PowerShell-based malware and two newly identified PE malware variants, named KLogEXE and FPSpy. These overlaps include the registration of domains under similar registrant emails, suggesting a potential link between the malicious software samples. One of the discovered PE malware samples, FPSpy, has operated in relative obscurity since at least 2022. 

Upon further investigation, it appears to be a variant of malware previously documented by the AhnLab Security Emergency Response Center (ASEC) in 2022. FPSpy shares numerous characteristics with KGHSpy, a backdoor identified in 2020 and attributed to Sparkling Pisces. These similarities extend to the naming conventions of downloaded modules and logs, as well as their operational capabilities.

One notable tactic employed by FPSpy is timestamp tampering, where the malware authors alter the file's compilation time to obscure the true creation date. This tactic is commonly used to avoid detection and forensic analysis. Although FPSpy was first uploaded to VirusTotal on June 26, 2024, its altered compilation timestamp falsely indicates that it was created in 2018. Further examination revealed that the hard-coded subdomain for the malware’s command-and-control (C2) server, bitjoker2024.000webhostapp[.]com, was first observed in 2024, providing additional evidence of recent activity. 

FPSpy distinguishes itself from KLogEXE by its structure as a dynamic-link library (DLL), named sys.dll, with a unique export function called MazeFunc. This DLL is embedded in a resource labelled "DB" within its custom loader. The loader extracts sys.dll into the directory C:\Users\user\AppData\Local\Microsoft\WPSOffice\ and then loads it, initiating its malicious operations. A detailed examination of the loader's code can be found in Figure 4. Security measures, including Advanced URL Filtering and Advanced DNS Security, have classified domains related to the group responsible for FPSpy as malicious.
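The timestamp-tampering reasoning above (a 2018 compile stamp contradicted by a C2 subdomain first seen in 2024 and a first VirusTotal upload on June 26, 2024) can be turned into an automated triage check. The following is an added example, not Unit 42's code: it reads the COFF TimeDateStamp from a PE header and compares it with other dated evidence. The 365-day tolerance, the 2024-01-01 placeholder for the C2 first-seen date, and the minimal test image are all assumptions constructed here.

```python
import struct
from datetime import datetime, timedelta, timezone


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image and return it as UTC."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_inconsistent(compile_time, c2_first_seen, first_submitted,
                           slack=timedelta(days=365)):
    """Flag a compile time that contradicts other dated evidence.

    A binary cannot be compiled after it was first submitted to a sandbox, and a
    binary that hard-codes a C2 host is unlikely to predate that host's first
    observation by more than `slack` (an assumed tolerance for passive-DNS lag).
    """
    if compile_time > first_submitted:
        return True
    return compile_time < c2_first_seen - slack


def minimal_pe(stamp: int) -> bytes:
    """Constructed test image, not a real sample: just enough header for the check."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> PE signature
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x2102)
    return bytes(hdr) + b"PE\x00\x00" + coff


def assess(data: bytes, c2_first_seen, first_submitted) -> dict:
    ct = pe_compile_time(data)
    return {"compile_time": ct,
            "tampered": timestamp_inconsistent(ct, c2_first_seen, first_submitted)}


# Dates from the write-up: first VirusTotal upload 2024-06-26; the C2 subdomain was
# first observed in 2024 (exact day not given, so 2024-01-01 is a placeholder).
FPSPY_FIRST_SUBMITTED = utc(2024, 6, 26)
FPSPY_C2_FIRST_SEEN = utc(2024, 1, 1)


def fpspy_like_case() -> dict:
    claimed = int(utc(2018, 1, 15).timestamp())       # constructed 2018 stamp
    return assess(minimal_pe(claimed), FPSPY_C2_FIRST_SEEN, FPSPY_FIRST_SUBMITTED)


def consistent_case() -> dict:
    honest = int(utc(2024, 5, 20).timestamp())        # constructed plausible stamp
    return assess(minimal_pe(honest), FPSPY_C2_FIRST_SEEN, FPSPY_FIRST_SUBMITTED)


if __name__ == "__main__":
    print("FPSpy-like sample:", fpspy_like_case())
    print("consistent sample:", consistent_case())
```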

Additionally, advanced detection platforms such as Cortex XDR and XSIAM have played a key role in identifying user and credential-based threats. These platforms use data from multiple sources to identify potential threats, including:

  • Endpoints
  • Network firewalls
  • Active Directory
  • Identity and access management (IAM) systems
  • Cloud workloads

By employing machine learning, Cortex XDR and XSIAM create behavioural profiles of user activity over time.

The platforms compare recent activity to historical user behaviour, peer activity, and expected norms to detect anomalies. These anomalies can serve as indicators of credential-based attacks, enabling rapid detection and response to potential security breaches. This advanced approach helps mitigate threats before they can inflict significant damage, making it an essential tool in cybersecurity defence.

Forget ChatGPT, Google Bard may Possess Some Serious Security Flaws


Recent research claims that Google's AI chatbot, Google Bard, may let users create phishing emails and other malicious content, unlike ChatGPT.

In one such instance, cybersecurity researchers at Check Point were able to produce phishing emails, keyloggers, and some basic ransomware code using the Redmond giant's AI tool.


The researchers' report describes how they set out to compare Bard's security to that of ChatGPT, attempting to obtain three things from each: phishing emails, malicious keyloggers, and some simple ransomware code.

The researchers note that simply asking the AI bots to create phishing emails yielded nothing, but asking Bard for 'examples' of phishing emails produced plenty of them. ChatGPT, on the other hand, refused to comply, claiming that doing so would amount to engaging in fraudulent activity, which is illegal.

The researchers then tried to create malware such as keyloggers, where the bots performed somewhat better. Here too, a direct request produced nothing, and a more roundabout question also yielded nothing since both bots declined. The refusals differed, though: Bard simply said, "I'm not able to help with that, I'm only a language model," while ChatGPT gave a much more detailed explanation.

Later, when asked to provide a keylogger to log their own keys, both ChatGPT and Bard ended up generating malicious code, though ChatGPT added a disclaimer before doing so.

Finally, the researchers asked Bard for a basic ransomware script. Although this was much trickier than getting the bot to generate phishing emails or a keylogger, they eventually managed it.

“Bard’s anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT[…]Consequently, it is much easier to generate malicious content using Bard’s capabilities,” they concluded.

Why Does it Matter? 

The reason, in simple terms, is that malicious use of any new technology is inevitable.

One can conclude that such issues with emerging generative AI technologies are to be expected. AI, as a highly developed tool, has the potential to rewrite the entire cybersecurity script.

Cybersecurity experts and law enforcement have already raised this concern, warning that AI technology can accelerate the ongoing innovation in cybercrime tactics such as convincing phishing emails, malware, and more. Advances in the technology have made it so accessible that a cybercriminal can now deploy a sophisticated cyberattack with only minimal coding skill.

While regulators and law enforcement are doing their best to impose limits on the technology and ensure it is used ethically, developers are doing their part by training their platforms to refuse use for criminal activity.

While the generative AI market is decentralized, big companies will always be under the watch of regulatory bodies and law enforcement. Smaller companies, however, will remain on the radar for potential cyberattacks, especially those unable to fight against or prevent abuse.

Researchers and security experts suggest that the only way to improve cybersecurity posture is to fight back with full strength. Even though AI is already being used to identify suspicious network activity and other criminal conduct, it cannot raise the barriers to entry back to where they once were. There is no closing the door again.

Korea University Disclosed a Potential Covert Channel Attack

The School of Cyber Security at Korea University in Seoul has developed a novel covert channel attack called CASPER that can leak data from air-gapped computers to a nearby smartphone at a rate of 20 bits per second.

What is CASPER?

Casper is a 'recognition tool' built to characterize its targets and decide whether or not to keep tracking them. The Casper surveillance virus was employed as a starting point before more advanced persistent malware was introduced into the targeted systems for espionage.

Data leak

As with nearly all covert channel attacks that target network-isolated systems, the target first needs to be infected with malware by a rogue employee or an attacker with physical access.

Researchers have created attacks using external speakers in the past, but external speakers are unlikely to be found in air-gapped, network-isolated systems used in sensitive settings such as government networks, energy infrastructure, and weapon control systems.

The malicious software can search the target's filesystem on its own, find files or data formats that match a hardcoded list, and attempt exfiltration.

Keylogging is a more realistic option and is better suited to such a slow data rate. The malware encodes the information to be stolen in binary or Morse code and transmits it through the internal speaker using frequency modulation to produce inaudible ultrasound between 17 kHz and 20 kHz.

The researchers tested the proposed model using a Samsung Galaxy Z Flip 3 as the receiver and an Ubuntu 20.04-based Linux computer as the target. Both were running a simple recorder application with a sampling frequency of up to 20 kHz.

In the Morse code study, the researchers employed 18 kHz for dots and 19 kHz for dashes, with a length per bit of 100 ms. The smartphone, 50 cm away, was able to interpret the word 'covert' that was sent. In the binary data study, each bit had a length of 50 ms and was transferred at 18 kHz for zeros and 19 kHz for ones. Overall, the experiment findings show that the length per bit affects the bit error rate, and that a maximum reliable bit rate of 20 bits/s is possible when the length per bit is 50 ms.

At this data rate, the malware could transmit a standard 8-character password in around 3 seconds and a 2048-bit RSA key in roughly 100 seconds. Anything larger, such as a small 10 KB file, would take longer than an hour to leave the air-gapped system, even under ideal conditions with no interruptions.

"Because sound can only transmit data at a certain speed, our technology cannot transmit data as quickly as other covert channel technologies using optical or electromagnetic methods." – Korea University.

The attack is limited because internal speakers can only emit sound in a single frequency band; splitting the band across several simultaneous transmissions would be one way to address the slow data rate. The simplest defense against CASPER, the researchers disclosed, is to turn off the internal speakers in mission-critical computers. Defenders could also use a high-pass filter to keep all generated frequencies within the audible range, preventing ultrasonic transmissions.
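Beyond disabling speakers or filtering, a host-side monitor can watch a microphone or loopback capture for energy concentrating in the 17 to 20 kHz band the paper reports. The code below is an added example, not the Korea University researchers' code: a pure-Python Goertzel-based survey of each 100 ms frame that flags frames whose ultrasonic share exceeds a threshold. The 44.1 kHz capture rate, the 10% threshold, and the two constructed test recordings (a 1 kHz tone, and the same tone plus a plain 18 kHz carrier carrying no data) are assumptions made here.

```python
import math

SAMPLE_RATE = 44100            # assumed capture rate; the 17-20 kHz band needs fs > 40 kHz
FRAME = 4410                   # 100 ms frames -> 10 Hz bin spacing, so grid tones sit on bins
BAND = (17000, 20000)          # carrier range reported for CASPER
GRID_HZ = 250                  # coarse survey of the spectrum in 250 Hz steps
THRESHOLD = 0.1                # assumed: flag frames where >10% of surveyed energy is ultrasonic


def goertzel_power(frame, target_hz, fs=SAMPLE_RATE):
    """Power at one frequency via the Goertzel recurrence (no numpy required)."""
    n = len(frame)
    k = round(n * target_hz / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def ultrasonic_ratio(frame, fs=SAMPLE_RATE):
    """Share of surveyed spectral energy that falls inside BAND."""
    total = band = 0.0
    for hz in range(GRID_HZ, fs // 2, GRID_HZ):
        p = goertzel_power(frame, hz, fs)
        total += p
        if BAND[0] <= hz <= BAND[1]:
            band += p
    return band / total if total > 0 else 0.0


def flag_frames(samples, fs=SAMPLE_RATE, threshold=THRESHOLD):
    """Return indices of frames whose ultrasonic share exceeds the threshold."""
    flagged = []
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        if ultrasonic_ratio(samples[i:i + FRAME], fs) > threshold:
            flagged.append(i // FRAME)
    return flagged


def tone(freq_hz, seconds, amp, fs=SAMPLE_RATE):
    """Constructed test signal: a plain sinusoid, not a data-bearing transmission."""
    return [amp * math.sin(2 * math.pi * freq_hz * t / fs) for t in range(int(seconds * fs))]


def mix(*signals):
    return [sum(v) for v in zip(*signals)]


# Constructed recordings: ordinary audible content vs the same content plus an 18 kHz carrier.
CLEAN = tone(1000, 0.2, 0.5)
TAINTED = mix(tone(1000, 0.2, 0.5), tone(18000, 0.2, 0.3))

if __name__ == "__main__":
    print("clean  :", flag_frames(CLEAN))      # expect no frames flagged
    print("tainted:", flag_frames(TAINTED))    # expect both frames flagged
```

Real captures contain broadband noise and harmonics, so the threshold should be tuned against a baseline recording of the same room and hardware before alerting on it.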

Here's all you Need to Know About Snake Keylogger


In this age of ever-evolving technology, crime built on that same technology is also rising. One of the most talked about and damaging cybercrimes is the data breach.

Today a cybercriminal can steal data and money with the help of many kinds of malware, including keyloggers.

Snake Keylogger is a well-known example of this kind of malware. But where did Snake Keylogger come from, how does it operate, and how can you get rid of it? Here is all you need to know about Snake Keylogger.

What Is Snake Keylogger? 

In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general. 

A keylogger is a kind of malicious program that logs keystrokes. If your device is infected, the keylogger records anything you type, including passwords, text messages, payment information, and just about anything else. Snake Keylogger itself is a modular malware program built on the .NET developer platform.

With this logging, the malicious operator gains control over the program, can see what a user is typing on their device, and can even take screenshots, giving them an opportunity to steal a large amount of data.

Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other types of information. Snake Keylogger is sold on malicious markets such as hacking forums and poses a threat to both individuals and companies.

How Does Snake Keylogger Operate? 

Snake Keylogger usually spreads through phishing campaigns that target victims with malicious mail, but it can also be delivered via spear phishing, where specific victims are targeted for specific goals. When Snake Keylogger is sent to a potential victim, it comes enclosed in an attachment.

Once received, the user is asked to open a DOCX file, which may contain a malicious macro that launches Snake Keylogger. If the recipient has a version of Microsoft Office with security vulnerabilities, the malware tends to exploit them to infect the device. The same can apply to PDF readers.

The malware can access the recorded data and transfer it to the attacker, who can exploit it further, either directly (for example, by accessing bank accounts with stolen credentials) or by selling the information to other threat actors in illicit marketplaces on the dark web.

Another reason Snake Keylogger poses a threat is its ability to evade antivirus protection, which is usually the first line of defense for most devices. In many cases a device's only protection is antivirus, so if Snake Keylogger evades that software and nothing else is in place, the device can quickly be infected and exploited.

How to Protect Yourself from Snake Keylogger? 

To avoid Snake Keylogger, one can opt for a number of measures: 

  • The first is installing antivirus software. While Snake Keylogger can sometimes avoid antivirus detection, it is still crucial to have a reliable and efficient antivirus product installed to identify keyloggers and other types of malware.
  • Additionally, always exercise caution when opening email attachments, particularly those from unknown or dubious senders. Distributing malware via attachments is common, and Snake Keylogger is only one of many examples. If you receive an attachment from a sender you do not fully trust, consider running it through an attachment scanner to identify potential risks.
  • To avoid fraudulent emails, enable your email provider's spam filter so that suspicious emails are routed to a separate folder rather than the main inbox.
  • Moreover, keep operating systems and installed apps up to date. Since Snake Keylogger infects devices by exploiting software flaws, frequent updates remove those flaws so that cybercriminals can no longer abuse the software.
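The "attachment scanner" step can be made concrete for the DOCX-with-macro delivery described above. The following is an added example, not part of the original post or any vendor's product: it opens an Office Open XML package, checks for an embedded VBA project (either a vbaProject.bin part or its content type in [Content_Types].xml), and treats a macro hiding behind a macro-free extension such as .docx, which Word itself will not save macros into, as a stronger signal. The sample documents are constructed in memory for the test and are not real files.

```python
import io
import zipfile

MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = ("docm", "dotm", "xlsm", "xltm", "pptm")


def classify_office_attachment(filename: str, data: bytes) -> str:
    """Return 'not-ooxml', 'clean', 'macro', or 'macro-mismatch'.

    'macro-mismatch' means a VBA project sits behind a macro-free extension
    such as .docx; Word will not produce that, so it is a strong red flag.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not-ooxml"          # legacy OLE2 .doc/.xls need a separate check
    with zipfile.ZipFile(buf) as zf:
        names = [n.lower() for n in zf.namelist()]
        has_vba = any(n.endswith("vbaproject.bin") for n in names)
        try:
            has_vba = has_vba or MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
        except KeyError:
            pass                    # malformed package without a content-types part
    if not has_vba:
        return "clean"
    ext = filename.lower().rsplit(".", 1)[-1]
    return "macro" if ext in MACRO_EXTENSIONS else "macro-mismatch"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                  '<Override PartName="/word/document.xml" ContentType="application/'
                  'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            ctypes += ('<Override PartName="/word/vbaProject.bin" '
                       'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
        zf.writestr("[Content_Types].xml", ctypes + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def scan_attachments(attachments):
    """attachments: iterable of (filename, bytes); returns the ones to hold for review."""
    held = []
    for name, blob in attachments:
        verdict = classify_office_attachment(name, blob)
        if verdict.startswith("macro"):
            held.append((name, verdict))
    return held


# Constructed mailbox sample: one benign DOCX, one DOCX smuggling a macro, one honest DOCM.
SAMPLE = [
    ("invoice.docx", build_docx(with_macro=False)),
    ("invoice_final.docx", build_docx(with_macro=True)),
    ("quarterly.docm", build_docx(with_macro=True)),
    ("notes.txt", b"plain text, not an Office file"),
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE):
        print(f"hold for review: {name} ({verdict})")
```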

Hackers Deploy Agent Tesla Malware via Quantum Builder

A campaign spreading the long-standing .NET keylogger and remote access trojan (RAT) known as Agent Tesla uses a program sold on the dark web that lets attackers create malicious shortcut files for distributing malware.

In the campaign the experts observed, malicious hackers used the builder to generate malicious LNK, HTA, and PowerShell payloads that deliver Agent Tesla to the targeted servers. Quantum Builder also enables the creation of malicious HTA, ISO, and PowerShell payloads used to drop next-stage malware.

Compared to previous attacks, experts found that this campaign has improved and shifted toward LNK (Windows shortcut) files.

In a second variant of the infection sequence, the spear-phishing email's GZIP archive is swapped for a ZIP file, and additional obfuscation techniques mask the harmful behavior.

The multi-stage attack chain begins with the shortcut running PowerShell code that launches a remote HTML application (HTA) via MSHTA. The HTA file in turn decrypts and runs a different PowerShell loader script, which downloads the Agent Tesla malware and runs it with administrative rights.

Quantum Builder, which can be bought on the dark web for €189 a month, has recently witnessed an increase in its use, with threat actors utilizing it to disseminate various malware, including RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT. 

Malicious hackers often change tactics and use malware builders bought and sold on the black market. This Agent Tesla campaign is the most recent in a series of attacks in which harmful payloads created with Quantum Builder were used against numerous companies.

It features advanced evasion strategies that the developers frequently upgrade. The Zscaler ThreatLabz team said it would continue to track these attacks to keep its clients safe.

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the .NET platform that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been public since 2014 and is promoted for sale on dark web forums.

In a recent attack, OriginLogger, a malware that was hailed as the replacement for the well-known data theft and remote access trojan (RAT) noted as Agent Tesla, had its functioning dissected by Palo Alto Networks Unit 42.



Analysis on Agent Tesla's Successor

OriginLogger, a malware that has been hailed as the replacement for the well-known data theft and remote access trojan (RAT) known as Agent Tesla, has had its functioning dissected by Palo Alto Networks Unit 42.

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the .NET platform that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been public since 2014 and is promoted for sale on dark web forums. Typically, attackers send it as an attachment in harmful spam emails.

Since Agent Tesla and OriginLogger are both commercialized keyloggers, it should not be assumed that one has a distinct advantage over the other in terms of initial droppers. 

Security company Sophos revealed two new versions of the common virus in February 2021, with the ability to steal login information from online browsers, email clients, and VPN clients as well as use the Telegram API for command and control.

According to Unit 42 researcher Jeff White, what has been labeled as Agent Tesla version 3 is OriginLogger, which is alleged to have emerged to fill the gap left by the former after its operators shut down the business.

A YouTube video explaining its features served as the foundation for the cybersecurity company's study, which resulted in the detection of a malware sample "OriginLogger.exe" that was added to the VirusTotal malware archive on May 17, 2022.

The binary is a builder that enables a purchasing client to specify the kind of data to be acquired, including screenshots, the clipboard, and the list of services and programs from which keys are to be retrieved.

Unlike the IP addresses linked to originpro[.]me, 74.118.138[.]76 resolves to 0xfd3[.]com rather than to any OriginLogger domain directly. That domain has MX and TXT records for mail.originlogger[.]com in DNS.

Around March 7, 2022, the disputed domain started to resolve to IP 23.106.223[.]47, one octet higher than the IP used for originpro[.]me, which used 46. 

OriginLogger targets both Google Chrome and Microsoft Outlook; Unit 42 used these to locate a GitHub profile with the username 0xfd3 that hosted two source code repositories for obtaining credentials from those two applications.

Like Agent Tesla, OriginLogger is distributed via a fake Word file that, when opened, displays an image of a German passport, a credit card, and several embedded Excel worksheets.

The files essentially include a VBA macro that uses MSHTA to call a remote server's HTML page, which contains obfuscated JavaScript code that allows it to access two encoded binaries stored on Bitbucket.

Advertisements from threat actors claim that the malware employs time-tested techniques and can keylog, steal credentials and screenshots, download additional payloads, post your data in a variety of ways, and try to evade detection.

A corpus analysis of over 1,900 samples, using 181 different bots, reveals that SMTP, FTP, web uploads to the OriginLogger panel, and Telegram are the most popular exfiltration methods for returning data to the attacker. The goal of the investigation was to automate the retrieval of keylogger configuration-related information.

'DarkTortilla' Crypter Produces Targeted Malware 

Researchers from Secureworks examined "DarkTortilla," a .NET-based crypter used to distribute both well-known malware and custom payloads.

Agent Tesla, AsyncRat, NanoCore, and RedLine were among the information stealers and remote access trojans (RATs) delivered by DarkTortilla, which has probably been active since 2015. It was also detected distributing specific payloads like Cobalt Strike and Metasploit.

Software tools known as crypters enable malware to evade detection by security programs by combining encryption, obfuscation, and code manipulation.

Averaging 93 samples each week between January 2021 and May 2022, the highly adjustable and complicated crypter can also be used to send add-ons, such as additional payloads, decoy documents, and executables. It also looks to be particularly popular among hackers.

SecureWorks analysts have discovered code resemblances with a crypter employed by the RATs Crew threat organization between 2008 and 2011 as well as with malware discovered in 2021, Gameloader.

The malicious spam emails that deliver DarkTortilla include archives containing an executable for an initial loader, which decodes and runs a core processor module that is either hidden within the email itself or downloaded from text-storage websites like Pastebin.

The researchers have found spam email samples in English, German, Italian, Bulgarian, Romanian, and Spanish languages. These emails are adapted to the target's language.

A complex configuration file that enables the core processor to drop add-on packages like keyloggers, clipboard stealers, and cryptocurrency miners is then used to establish persistence and inject the main RAT payload into memory without leaving a trace on the file system.

The anti-tamper safeguards used by DarkTortilla are also significant, since they ensure that both processes used to run the components in memory are restarted immediately after termination.

Persistence of the initial loader is specifically enabled by a second executable called a WatchDog, which monitors the targeted process and reruns it if it is killed.

DarkTortilla's core processor can be configured to perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the 'tmp' folder, process add-on packages, and migrate execution to its install directory.

To prevent interference with the execution of DarkTortilla or the payload, it then injects its payload within the context of the configured subprocess and, if configured, can also provide anti-tamper protections.

This method is similar to the one used by the threat actor Moses Staff, which was discovered earlier this year using a watchdog-based strategy to prevent any interruption of its payloads. Two additional controls are also used to ensure the persistence of the initial loader as well as the continued execution of the dropped WatchDog software itself.

Over 17 months from 2021 to May 2022, Secureworks claimed to have found an average of 93 different DarkTortilla samples being posted to the VirusTotal malware database per week. Only roughly nine of the 10,000 samples monitored during that period were used to propagate ransomware, with seven distributing Babuk and two more distributing MedusaLocker.

Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid


Officials have warned of a possible cyber-attack on Bangladesh's financial and other key institutions' computer systems during the Eid vacations. According to a statement issued by the Digital Security Agency, the affected authorities must install or update anti-DDOS hardware and software. 

Officials believe the warning was issued by the government's specialized cyber-threat agency as a global cyberwar erupts amid the Russia-Ukraine conflict, with NATO supporting the latter with arms.

The Bangladesh Computer Council's e-Government Computer Incident Response Team (BGD e-GOV CIRT) also recommends all key information facilities' internal systems be checked and monitored.

Following the current conflict between Ukraine and Russia, Tarique M Barkatullah, director (operations) of the Digital Security Agency and project director of the BGD e-GOV CIRT, stated “hackers from both sides are using important information infrastructures of different countries to spread botnets and malware and attack each other.” 

Botnets are computer networks infected with malware (such as computer viruses, key loggers, and other malicious code or malware) and remotely controlled by criminals, either for monetary gain or to launch assaults on websites or networks. 

BGD e-Gov CIRT discovered over 1400 IP addresses used in Russia after analyzing the warning message issued by the Russian Computer Security Incident Response Team. According to the CIA, hackers are using these IPs to spread propaganda and launch distributed denial of service (DDoS) operations.

Tarique M Barkatullah, project director of BGD e-Gov CIRT, remarked in this regard: "The country's afflicted financial institutions and public service suppliers are being hampered in providing its usual services due to the exploitation of these IP-enabled Bangladeshi servers."

According to the Financial Express, Prof Dr. Md Salim Uddin, chairman of the executive committee of Islami Bank Bangladesh Limited (IBBL), said several financial institutions have been targeted by cyber-attacks as a result of the current crisis between Ukraine and Russia.

He said IBBL is well-prepared to thwart any cyber-attack because it is always adopting new technological solutions, and emphasized strengthening internal cyber-security with new tech solutions and monitoring systems. To prevent all types of cyber threats, financial institutions should join an organization or platform to improve cooperation and integration, and he urged the government to expand collaboration and support in this area to combat rising cyber-threats in the future.

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

Hackers are deploying the Gh0stCringe remote access trojan on vulnerable machines by targeting inadequately secured Microsoft SQL and MySQL database servers.

Gh0stCringe, also known as CirenegRAT, is a variant of the Gh0st RAT malware that was most recently used in Chinese cyber-espionage operations in 2020, although it has been around since 2018. The malware has several commands and functions that can be activated after it connects to its command and control (C2) server, or through settings stored in its configuration.

Attackers can use Gh0stCringe to download payloads such as crypto miners from the C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the Master Boot Record (MBR) of the start-up disk. The malware includes a keylogger which, if activated, records input data in the Default.key file in the Windows System directory.

Threat actors are infiltrating database servers and writing the malicious 'mcsql.exe' executable to disk using the mysqld.exe, mysqld-nt.exe and sqlserver.exe processes. These attacks resemble earlier Microsoft SQL server attacks that used the xp_cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's analysis notes numerous other malware samples on the investigated servers, implying that competing threat actors are infiltrating the same servers to drop payloads for their own operations.

Gh0stCringe RAT is a capable piece of malware that connects to a C2 server to receive custom commands or exfiltrate stolen data to the attackers. Its keylogging component runs an endless loop that polls the state of each key with the Windows GetAsyncKeyState API. This otherwise dependable recording mechanism carries the cost of very high CPU utilization, but that is unlikely to cause issues for threat actors on poorly maintained servers. The malware also records keystrokes for the previous three minutes and sends them to the C2 servers along with basic system and network information.

With these logged keystrokes, threat actors can steal login passwords and other sensitive information that logged-in users entered on the device. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode, which the threat actor chooses during deployment.
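The infection chain above leaves a distinctive trace in process telemetry: a database engine spawning a shell (what xp_cmdshell looks like on the endpoint) or writing and launching a fresh binary, followed by the keylog file appearing on disk. The script below is an added example of that detection logic, not AhnLab's code. The events are constructed Sysmon-style records, not real telemetry; the sqlservr.exe image name (alongside the sqlserver.exe spelling used in the text), the System32 location assumed for Default.key, and the mcsql.exe indicator are taken from the text as assumptions.

```python
"""Process-creation triage for the database-server intrusion chain described above.
Added example, not AhnLab's code. Records are constructed Sysmon-style events; the
image names, the System32 location of Default.key and the mcsql.exe indicator are
assumptions drawn from the text."""
import re

# Database engines that should not normally spawn shells or fresh binaries.
DB_PARENTS = {"mysqld.exe", "mysqld-nt.exe", "sqlserver.exe", "sqlservr.exe"}
# A shell under the engine is what xp_cmdshell looks like in process telemetry.
SHELLS = {"cmd.exe", "powershell.exe"}
DROPPER_NAME = "mcsql.exe"                      # executable the attackers write to disk
KEYLOG_RE = re.compile(r"\\Windows\\System32\\Default\.key$", re.IGNORECASE)  # assumed path

def basename(path):
    """Lower-cased file name from a Windows (or mixed-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return the list of reasons an event is suspicious (empty if it looks clean)."""
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    if parent in DB_PARENTS and image in SHELLS:
        reasons.append("db_engine_spawned_shell")
    elif parent in DB_PARENTS and image != parent:
        reasons.append("db_engine_spawned_binary")
    if image == DROPPER_NAME or DROPPER_NAME in ev.get("CommandLine", "").lower():
        reasons.append("mcsql_dropper")
    if KEYLOG_RE.search(ev.get("TargetFilename", "")):
        reasons.append("gh0stcringe_keylog_file")
    return reasons

def triage(events):
    """Map event index -> reasons for every event that raised at least one reason."""
    result = {}
    for i, ev in enumerate(events):
        reasons = triage_event(ev)
        if reasons:
            result[i] = reasons
    return result

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files\MySQL\bin\mysqld.exe",
     "Image": r"C:\Windows\Temp\mcsql.exe", "CommandLine": "mcsql.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\Temp\mcsql.exe",           # file-create event from the RAT
     "TargetFilename": r"C:\Windows\System32\Default.key"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("Image"), why)
```

The parent/child rule is the one worth keeping even after the file names change: a database engine has no business spawning cmd.exe or a binary out of a temp directory. The GetAsyncKeyState polling loop described above is a second, softer signal, since it shows up as a process pegging a core on a server that is otherwise idle.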

Keep your server software updated with the latest security patches, which helps avoid a variety of attacks that exploit known flaws. It is also critical to use a strong admin password that cannot be brute-forced. The most important step is to put the database server behind a firewall that only allows authorized devices to connect to it. On Microsoft SQL Server, leave xp_cmdshell disabled unless it is genuinely required, since it is the command abused in the attacks above to drop payloads.

Malware Seller Faces Charges for Peddling WhatsApp Espionage Tools

The US Justice Department (DoJ) reported that a Mexican businessman, Carlos Guerrero, pleaded guilty in federal court to selling spyware and hacking tools to clients in the United States and Mexico.

Authorities accused Guerrero of facilitating the sale of monitoring and surveillance technology to both Mexican government users and private customers for commercial and personal purposes. According to investigators, Guerrero "knowingly arranged" for a Mexican mayor to obtain access to a political rival's email and social media accounts. Guerrero also used the technology to listen in on the phone calls of a US-based rival who was in Southern California and Mexico at the time.

According to the Department of Justice's press release, Guerrero is also suspected of assisting a Mexican mayor in gaining unlawful access to his rival's iCloud, Hotmail and Twitter accounts. In another case, a sales representative's phone and email data were hacked, and he had to pay $25,000 to regain the information. The accused also used the equipment to intercept a rival's phone calls in Mexico and Southern California. Guerrero's company, Elite by Carga, imported surveillance technology and espionage tools from unnamed Israeli, Italian and other companies.

Guerrero acted as a broker for an undisclosed Italian business, referred to only as Company A in the charging documents, which offered bugging devices and tracking tools between 2014 and 2015. The company is believed to be Hacking Team, the bankrupt Milan-based maker of offensive intrusion tools that was itself breached in 2015 and had its emails leaked online, including a cache of messages relating to Guerrero.

Pegasus, powerful mobile spyware created by the Israeli company NSO Group that can obtain near-complete access to a target's smartphone, is among the most prominent and widely reported surveillance tools used in Mexico. Over the last two decades, Mexico has spent $61 million on such contracts, primarily targeting journalists, activists and human rights defenders. According to a leaked list of phone numbers believed to be NSO surveillance targets, Mexico had the most targets of any country on the list, around 700 phones, which NSO has consistently denied.

Guerrero's information director, Daniel Moreno, who is mentioned often in the Hacking Team emails, is expected to enter a similar plea in the coming weeks.

The Hacking Group 'ModifiedElephant' Remained Undetected

SentinelLabs' security researchers have uncovered a long-running campaign of targeted attacks (APT) in which the threat actors have been targeting human rights activists, free speech advocates, academics and lawyers in India since 2012, using readily available trojans delivered via spear-phishing. The group, known as ModifiedElephant, has been found planting 'incriminating evidence' on the devices of its targets.

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spear-phishing is the technique of sending victims emails that appear to come from a trusted source in order to get them to divulge sensitive information or install malware on their computers. ModifiedElephant usually uses malicious documents to deliver malware to its victims. According to SentinelOne, the particular mechanism and content of the malicious files have varied over time, along the following timeline:
  • 2013 – The adversary sends malware as email attachments with phony double extensions (file.pdf.exe).
  • 2015 – The group switches to password-protected RAR attachments containing legitimate-looking lure documents that hide the signs of malware execution.
  • 2019 – ModifiedElephant begins hosting malware-distribution sites and takes advantage of cloud hosting, moving from phony documents to malicious URLs.
  • 2020 – The attackers evade detection by using very large RAR files (300 MB) that scanners skip.
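Each step of that timeline is a lure property a mail gateway can check before the attachment reaches a target: a document-looking extension hiding an executable one, content whose magic bytes contradict the claimed extension, and archives sized to exceed what a scanner is willing to open. The function below is an added example of that triage, not SentinelOne's code. The 300 MB threshold comes from the text; the magic-byte table, extension lists and sample attachments are my own constructions, not real lures.

```python
"""Attachment triage for the lure evolution described above: double extensions,
content that contradicts the claimed extension, and oversized archives that
scanners skip. Added example, not SentinelOne's code. The 300 MB threshold comes
from the text; magic bytes and extension lists are standard but chosen here."""

BENIGN_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
OOXML = {"docx", "xlsx"}                      # legitimately zip containers
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
MAGIC = {                                     # leading bytes -> detected type
    b"MZ": "pe",
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"{\\rtf": "rtf",
}
LARGE_ARCHIVE = 300 * 1024 * 1024             # bytes; the text cites ~300 MB RARs

def sniff(head):
    """Identify the file type from its first bytes, or None if unknown."""
    for prefix, kind in MAGIC.items():
        if head.startswith(prefix):
            return kind
    return None

def triage_attachment(filename, head, size):
    """head: first bytes of the file; size: full size in bytes. Returns reasons."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    # file.pdf.exe: a document-looking extension in front of an executable one
    if len(exts) >= 2 and exts[-2] in BENIGN_EXTS and last in EXEC_EXTS:
        reasons.append("double_extension")
    kind = sniff(head)
    # claims to be a document or image but is actually a PE or an archive
    if last in BENIGN_EXTS and kind == "pe":
        reasons.append("content_mismatch:pe")
    elif last in BENIGN_EXTS and kind in {"rar", "zip"} and last not in OOXML:
        reasons.append("content_mismatch:%s" % kind)
    if last in EXEC_EXTS or kind == "pe":
        reasons.append("executable_attachment")
    # archives padded to a size most scanners refuse to open
    if (last in ARCHIVE_EXTS or kind in {"rar", "zip"}) and size >= LARGE_ARCHIVE:
        reasons.append("oversized_archive")
    return reasons

if __name__ == "__main__":
    # Constructed samples, not real attachments.
    for name, head, size in [
        ("invoice.pdf.exe", b"MZ\x90\x00\x03", 120_000),
        ("dossier.rar", b"Rar!\x1a\x07\x01\x00", 310 * 1024 * 1024),
        ("report.pdf", b"%PDF-1.7", 80_000),
    ]:
        print(name, triage_attachment(name, head, size))
```

The size check is the one worth noting: a scanner that silently skips large files turns "too big to scan" into a reason to quarantine rather than a reason to deliver.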

According to SentinelOne, exploits for CVE-2012-0158, CVE-2014-1761, CVE-2013-3906 and CVE-2015-1641, all affecting Microsoft Office, were frequently used in the lure documents.

ModifiedElephant has not been seen using any custom backdoors in its operational history, which suggests the group is not particularly sophisticated. The principal malware in the campaigns was NetWire and DarkComet, two publicly available remote access trojans widely used by lower-tier attackers.

ModifiedElephant's Visual Basic keylogger has not changed since 2012 and has been openly available on hacking forums the whole time. SentinelLabs notes on the tool's history that it no longer works on recent OS versions. The Android malware is likewise a commodity trojan, distributed to users as an APK and luring them by posing as a news app or a secure messaging tool.

Threat Advert is a New Service Strategy Invented by AsyncRAT

AsyncRAT is a Remote Access Tool (RAT) that uses a secure, encrypted connection to monitor and control other machines remotely. It is an open-source tool, but it can be used maliciously because it includes features such as keylogging, remote desktop control and other functionality that can compromise the victim's PC. AsyncRAT can be distributed in a variety of ways, including spear-phishing, malvertising, exploit kits and other means.

Morphisec has detected a new, advanced distribution campaign that has been successfully evading several security vendors; Morphisec says it was caught by its breach prevention based on Moving Target Defense technology.

The attackers are delivering AsyncRAT to targeted machines with a simple phishing email carrying an HTML attachment. The campaign ran for four to five months with some of the lowest detection rates on VirusTotal.

Victims received an email with an HTML attachment styled as a receipt, in many cases named Receipt-<digits>.html. When the victim opens the receipt, they are taken to a web page where they are prompted to save a downloaded ISO file. The user believes it is a routine file download that has passed through all port and network security scanning. That is not the case.

The ISO is in fact generated inside the user's browser by JavaScript hidden in the HTML receipt file, rather than being downloaded from a remote server, so a network-level scanner never sees an ISO cross the wire.
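Because the file is assembled client-side, the place to catch this lure is the HTML attachment itself: the script that decodes an embedded base64 body, wraps it in a Blob, attaches a filename to a generated link and clicks it. The script below is an added example of a static check for those indicators, not Morphisec's code. The indicator names are my own, and SAMPLE_LURE and BENIGN_HTML are constructed stand-ins in the style of the campaign, not the real attachment.

```python
"""Static indicators of HTML smuggling in an e-mail attachment, modelled on the
receipt-themed lure described above. Added example, not Morphisec's code. The
indicator names are my own; SAMPLE_LURE / BENIGN_HTML are constructed stand-ins."""
import re

INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),          # payload assembled in memory
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),     # blob turned into a download link
    "base64_decode": re.compile(r"\batob\s*\(", re.I),                # embedded payload decoded client-side
    "forced_download": re.compile(r"\.download\s*=", re.I),           # filename set on a generated anchor
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)", re.I),         # download triggered without user action
    "iso_filename": re.compile(r"['\"][^'\"]*\.iso['\"]", re.I),       # disk image, as in this campaign
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob", re.I),             # legacy IE/Edge equivalent
}
# A long base64 literal inside the HTML is the smuggled file itself.
BASE64_LITERAL = re.compile(r"['\"][A-Za-z0-9+/]{400,}={0,2}['\"]")

def smuggling_indicators(html):
    """Return the set of indicator names that fire on this HTML."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    if BASE64_LITERAL.search(html):
        hits.add("large_base64_literal")
    return hits

def is_html_smuggling(html, threshold=3):
    """Three or more co-occurring indicators is treated as a smuggling attachment."""
    return len(smuggling_indicators(html)) >= threshold

# Constructed lure in the style of the campaign (the base64 body is filler, not a real ISO).
SAMPLE_LURE = """<html><body><p>Your receipt is being prepared, please wait...</p>
<script>
var b64 = "%s";
var bin = atob(b64);
var buf = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
var blob = new Blob([buf], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Receipt-30421.iso";
document.body.appendChild(a);
a.click();
</script></body></html>""" % ("QUJD" * 200)

# Constructed benign receipt that merely links to a hosted PDF.
BENIGN_HTML = ("<html><body><p>Thanks for your order.</p>"
               "<a href='https://example.com/receipt.pdf'>Receipt</a></body></html>")

if __name__ == "__main__":
    print(sorted(smuggling_indicators(SAMPLE_LURE)), is_html_smuggling(SAMPLE_LURE))
    print(sorted(smuggling_indicators(BENIGN_HTML)), is_html_smuggling(BENIGN_HTML))
```

No single indicator is conclusive, since legitimate pages create Blobs and object URLs too; the combination of an embedded base64 body, a forced filename and a synthetic click with no user gesture is what distinguishes a smuggled payload from ordinary client-side code.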

To reduce the risk of an AsyncRAT infection, users should take the following steps:
  • Keep antivirus signatures and engines up to date.
  • Enable automatic updates so the operating system always has the most recent security fixes.
  • Do not make email addresses public on the Internet.
  • Do not open email attachments with strange-looking extensions, and treat every attachment, especially from unknown senders, with caution.
  • Be wary of emails with generic subject lines.
HTML attachments deserve particular scrutiny in this campaign, because the payload is assembled inside the browser where network scanners never see it.

Expert Malnev gave tips on detecting Keylogger

Alexey Malnev, head of Jet CSIRT, the information security monitoring and incident response center of Jet Infosystems, explained how to detect a keylogger.

According to the expert, this can be done by scanning the computer with antivirus software, and with an EDR (Endpoint Detection and Response) system that analyzes processes and their memory activity within the operating system.

On corporate devices, a traffic inspection system also helps, since it can detect a connection over a suspicious protocol or to a suspicious server on the Internet. An incident monitoring center in the organization can help detect an entire cyber operation by attackers against its infrastructure, or a targeted attack.

According to the expert, the presence of a keylogger should be treated as a symptom of a complete compromise of the user's computer, which is very bad news for the user, because modern malware most often uses a keylogger as just one of many modules.

"There is a high probability that there is already a whole set of other potential problems: theft of confidential files from the hard disk, interception of account data, hidden audio and video recording (if there are a microphone and video camera), the potential destruction of data (if there is a malicious ransomware encryption module), full remote access,” said he.

In such cases, users should immediately disconnect the computer from the local network and the Internet and then, without restarting it, hand it over to digital forensics specialists. According to Malnev, the more important task is to determine how the computer was attacked.

Delving into PoSeidon malware

News of data breaches occurring through card use at infected point of sale (PoS) systems at retailers has become common nowadays. With a huge market for stolen credit card information, companies are being targeted with newer and more sophisticated malware.

How exactly does this malware work? While investigating breaches, Cisco's security researchers discovered the working mechanism of a new malware family, nicknamed PoSeidon.

The infection of the PoS system possibly begins with a keylogger which, once installed, deletes the saved profile login information, i.e. the passwords stored on the system. This forces the user to type the credentials in, which the keylogger records and sends back to the attackers' server; with those credentials the attackers can access the system remotely and infect it with the Loader malware to steal card information.

The Loader tries to install itself on the PoS system as a service running as WinHost so that it survives reboots; this step, called persistence, is how it maintains its hold on the system. It then connects to hardcoded command and control servers, which send the second executable component of the malware, called FindStr.

It also installs another keylogger at the same time. FindStr scans data on the infected system for digit sequences that start with 6, 5 or 4 and are 16 digits long (Discover, Mastercard, Visa) or start with 3 and are 15 digits long (Amex).

It then runs the Luhn algorithm to verify whether each sequence is really a card number, and sends the hits along with the keylogger data to the exfiltration servers, from where they can be harvested for further use.
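The FindStr scan described in the last two paragraphs is exactly the logic a blue team reuses when triaging a memory dump from a suspect PoS terminal: isolate digit runs with the right prefix and length, then keep only the Luhn-valid ones. The script below is an added re-implementation of that scan, not PoSeidon's code. SAMPLE_MEMORY is a constructed buffer seeded with publicly documented test card numbers, not real cardholder data.

```python
"""Re-implementation of the FindStr scan described above: 16-digit runs starting
with 4/5/6 or 15-digit runs starting with 3, kept only if Luhn-valid. Added example
for memory-dump triage, not the malware's code. SAMPLE_MEMORY is constructed and
uses public test card numbers, not real cardholder data."""
import re

# Exactly the prefixes and lengths the text describes; the lookarounds stop a longer
# digit run (a serial number, a timestamp) from yielding a 16-digit "card" inside it.
PAN_RE = re.compile(rb"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")
BRANDS = {"3": "AMEX", "4": "Visa", "5": "Mastercard", "6": "Discover"}

def luhn_valid(number):
    """Luhn check: double every second digit from the right, subtract 9 if > 9, sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cards(buf):
    """Return (pan, brand) for every Luhn-valid candidate, in order of appearance."""
    found = []
    for m in PAN_RE.finditer(buf):
        pan = m.group().decode("ascii")
        if luhn_valid(pan):
            found.append((pan, BRANDS[pan[0]]))
    return found

def mask(pan):
    """Keep BIN and last four, as an analyst's report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed memory buffer: track-2 style data, loose PANs, a Luhn-invalid near miss
# and a 20-digit serial that must not match. All card numbers are public test values.
SAMPLE_MEMORY = (
    b"POS_SESSION\x00 track2=4111111111111111=25121010000000000000?\x00"
    b"tender 378282246310005 ok\x00 junk 4111111111111112 \x00"
    b"serial 12345678901234567890 \x00 5555555555554444 \x00 6011111111111117"
)

if __name__ == "__main__":
    for pan, brand in find_cards(SAMPLE_MEMORY):
        print(brand, mask(pan))
```

Luhn validity is a weak filter on its own: plenty of non-card identifiers pass it, so a real triage pass should also weight hits by context (a trailing "=" and expiry date as in track-2 data, or proximity to the PoS process's own buffers) before reporting them.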

The malware can also update itself based on communication from the external server. Further investigation shows that the developers are working to reuse these components in newer projects. Faced with such persistent threats, organizations need to be vigilant and adopt a threat-centric approach that provides security across the full attack continuum: before, during and after an attack.