Upgraded Python NodeStealer Now Targets Facebook Ads Manager and Steals More Sensitive Data


Python NodeStealer, a notorious infostealer previously known for targeting Facebook Business accounts, has now been enhanced with new, dangerous capabilities that allow it to infiltrate Facebook Ads Manager accounts. This upgrade not only boosts its ability to steal more data but also paves the way for even more malicious campaigns.

In an extensive analysis by cybersecurity experts at Netskope Threat Labs, it was revealed that the infostealer is now capable of stealing credit card information in addition to previously targeted browser credentials. 

The new attack vector involves copying the browser's “Web Data” file, a SQLite database that holds sensitive data such as autofill details and saved payment methods.

“With these, the infostealer can now collect the victim’s credit card information which includes the cardholder’s name, card expiration date, and card number,” the researchers pointed out. To access this information, NodeStealer uses Python’s SQLite3 library to run specific queries on the stolen database, looking for credit card-related data.

The new version of Python NodeStealer also abuses Windows Restart Manager, a component normally used to manage reboots after software updates. Here, however, it is leveraged to get at database files that are locked while the browser is running and that contain valuable data. By copying the browser database files into a temporary folder, NodeStealer circumvents the file locks and then exfiltrates the data via a Telegram bot.

Most likely developed by a Vietnamese cybercriminal group, Python NodeStealer’s primary targets are Facebook Business and Ads Manager accounts, which are then exploited in malvertising campaigns. Since Facebook’s stringent vetting process for ad purchases typically prevents unauthorized ads, cybercriminals now resort to stealing verified accounts to run their malicious ads instead.

Malware Campaign Expands Its Use of Fraudulent CAPTCHAs


Attackers are increasingly spreading malware using a unique method: a fake CAPTCHA as the initial infection vector. Researchers from multiple companies reported on this campaign in August and September. The attackers, who mainly targeted gamers, first transmitted the Lumma stealer to victims via websites hosting cracked games.

Recent research into the adware shows that this malicious CAPTCHA is spreading through a wide range of online resources unrelated to gaming, including adult sites, file-sharing services, betting platforms, anime resources, and web apps that monetise traffic. This shows that the distribution network is being expanded to reach a larger pool of victims. Furthermore, we discovered that the CAPTCHA distributes both Lumma and the Amadey Trojan.

Malicious CAPTCHA

It's critical to comprehend how the attackers and their distribution network function in order to prevent falling for their tricks. Legitimate, non-malicious offers are also included in the ad network that pushes pages with the malicious CAPTCHA. 

It works as follows: the user is redirected to additional resources when they click anywhere on a page that uses the ad module. As is common with adware, the majority of redirects take users to websites that advertise security software, ad blockers, and similar products. Sometimes, though, the victim is directed to a page that contains the malicious CAPTCHA. 

Unlike genuine CAPTCHAs, which are intended to safeguard websites from bots, this copycat promotes illicit resources. As with the previous stage, the victim does not always come across malware. For example, the CAPTCHA on one of the sites invites the visitor to scan a QR code, which leads to a betting site. 

The Trojans are distributed using CAPTCHAs that provide instructions. Clicking the "I'm not a robot" button copies the line powershell.exe -eC bQBzAGgAdABhA <...>MAIgA= to the clipboard and displays the following "verification steps":

  • To open the Run dialogue box, use Win + R. 
  • Subsequently, paste the clipboard line into the text field using CTRL + V. 
  • Finally, press Enter to execute the code. 

Payload: Amadey trojan

Researchers have discovered that the same campaign is also propagating the Amadey Trojan. Since 2018, Amadey has been the subject of multiple security reports. In short, the Trojan downloads multiple modules that steal credentials from major browsers and Virtual Network Computing (VNC) systems.

It also detects cryptocurrency wallet addresses in the clipboard and replaces them with those owned by the attackers. One of the modules can also capture screenshots. In some cases, Amadey downloads the Remcos remote access tool to the victim's device, allowing the attackers complete control over it. 

From September 22 to October 14, 2024, over 140,000 users encountered ad scripts. According to Kaspersky's telemetry data, more than 20,000 of these 140,000 users were routed to infected sites, where some encountered a phoney update notification or a fake CAPTCHA. Users from Brazil, Spain, Italy, and Russia were the most commonly affected.

Guess Who's Back? LodaRAT, A Global Cybersecurity Threat



LodaRAT, a remote access tool active since 2016, has resurfaced in a new campaign that’s taking the cybersecurity world by storm. Originally designed for basic information theft, this tool has transformed into a sophisticated malware capable of carrying out global cyber-espionage operations. What’s alarming is that while LodaRAT hasn’t been updated since 2021, its reach and effectiveness have grown, making it a pressing concern for individuals and organisations worldwide.  

A Global Campaign with Far-Reaching Impact  

What sets this latest campaign apart is its global nature. Unlike previous efforts that targeted specific regions, LodaRAT is now aiming at victims across the world. Around 30% of related malware samples uploaded to VirusTotal came from the United States, suggesting widespread infection. This shift indicates that LodaRAT is no longer confined to limited geographic boundaries, and its operators are adapting to target more diverse networks and systems.  


How LodaRAT Works  

LodaRAT’s tactics have become more complex, allowing it to infiltrate systems and operate undetected. Its distribution relies on a mix of phishing emails, system vulnerabilities, and other malware like DonutLoader and Cobalt Strike. It also disguises itself as trusted software such as Skype, Discord, or Windows Update to trick users into installing it.  

Once installed, the malware carries out a variety of harmful activities, including:  

  • Spying on users by recording audio and video through webcams and microphones.  
  • Stealing credentials and cookies from popular browsers like Microsoft Edge and Brave.  
  • Disabling security measures such as the Windows Firewall to create backdoors.  
  • Spreading through networks, using SMB protocol exploits to infect other devices.  
  • Hiding its tracks by storing stolen data in concealed locations on the victim's system.  


Increased Risks for Organizations  

This new campaign has heightened risks for businesses and organisations. LodaRAT is capable of spreading within internal networks by exploiting specific vulnerabilities, particularly via port 445. This allows attackers to move laterally, targeting multiple devices in the same network. Such breaches can lead to stolen data, operational disruptions, and significant financial losses.  


Protecting Against LodaRAT 

To defend against LodaRAT, organisations and individuals need to take proactive measures:  

1. Strengthen security systems by using advanced endpoint protection tools.  

2. Monitor network activity to detect unusual behaviours that could indicate malware presence.  

3. Educate users on phishing tactics to prevent accidental downloads.  

4. Adopt strong authentication practices to make credential theft harder.  

5. Use tools like Rapid7’s Insight Agent to identify potential threats and weak points.  


The return of LodaRAT shows how minor tweaks to existing malware can make it highly effective. This campaign is a reminder that even older threats can evolve and remain dangerous. Staying vigilant and updating cybersecurity measures regularly are key to staying ahead of such attacks.  

By understanding how LodaRAT operates and taking the necessary precautions, organisations and individuals can better protect themselves in an increasingly complex digital ecosystem.  

Fake Antivirus App Hides SpyNote Malware on Android


SpyNote, a dangerous malware targeting Android users, has been discovered posing as a legitimate antivirus app. Disguised as "Avast Mobile Security," it deceives users into downloading it under the guise of device protection, according to a report by cybersecurity firm Cyfirma.  


Once installed, SpyNote requests permissions typical for antivirus applications, such as Accessibility Services. With these permissions, it secretly grants itself further access without notifying the user. Additionally, it excludes itself from battery optimization, allowing it to run uninterrupted in the background.  


How SpyNote Tricks Users  


SpyNote employs deceptive tactics to maintain its presence on infected devices. It mimics user gestures to stay active and displays fake system update notifications. When users interact with these alerts, they are redirected back to the malicious app, effectively trapping them in a loop. This method ensures the malware remains undetected and difficult to uninstall.  


Focus on Cryptocurrency Theft  


SpyNote is specifically designed to steal sensitive information, with a strong focus on cryptocurrency accounts. It extracts private keys and balance details for digital currencies such as Bitcoin, Ethereum, and Tether. The malware also monitors network activity to maintain a constant connection with its command-and-control servers, ensuring seamless data transmission.  


Stolen credentials are stored on the device’s SD card. Once sufficient data is collected, SpyNote erases the evidence by overwriting the card, leaving no trace of its malicious activities.  


Advanced Evasion Tactics  


SpyNote is highly skilled at avoiding detection. It uses techniques like code obfuscation and custom packaging to hide its true nature, making it difficult for security experts to analyze. The malware also identifies virtual environments, such as emulators, to evade research and detection.  


If users attempt to uninstall it, SpyNote blocks their efforts by simulating actions that prevent deactivation. For instance, it forces the device to return to the home screen whenever users try to access the app’s settings.  


Distributed Through Fake Antivirus Sites  


SpyNote spreads through phishing websites designed to look like Avast’s official download page. The malicious file, named "Avastavv.apk," is specifically targeted at Android devices. However, the phishing sites also redirect iOS users to the legitimate App Store download page for AnyDesk. Similarly, they offer AnyDesk downloads for Windows and Mac users, broadening their attack range.  


How to Stay Safe  


To avoid falling victim to SpyNote, only download apps from trusted sources like the Google Play Store. Be cautious of apps asking for unnecessary permissions, and verify download links before proceeding. Regularly updating your antivirus software and monitoring your device for unusual activity can also help protect against threats.  


SpyNote highlights the increasing complexity of malware targeting mobile users, emphasizing the importance of vigilance and proactive cybersecurity measures.

Volt Typhoon rebuilds malware botnet following FBI disruption

Botnet activity attributed to the Chinese threat group Volt Typhoon has recently risen again, using techniques and infrastructure similar to those the group built previously. SecurityScorecard reports that the botnet has made a comeback and is active again. It was only in May 2023 that Microsoft discovered Volt Typhoon stealing data from critical infrastructure organizations in Guam, activity it linked to the Chinese government. That finding came from observing the threat actor stealing data from critical infrastructure organizations on US territory.

Since September, the Chinese state-backed cyber espionage operation Volt Typhoon has compromised several Cisco and Netgear routers to rebuild its KV-Botnet malware, which had previously been disrupted by the FBI and was unsuccessfully revived in January, reports said. A report by Lumen Technologies' Black Lotus Labs released in December 2023 revealed that Volt Typhoon's botnet was mostly powered by outdated devices from Cisco, Netgear, and Fortinet.

The botnet was used to transfer data covertly and communicate over unsecured networks. The US government recently announced that the Volt Typhoon botnet had been neutralized and would cease to operate. Leveraging the botnet's C&C mechanisms, the FBI remotely removed the malware from the routers and changed the routers' IP address to a port that is not accessible to the botnet.

Earlier this month, Volt Typhoon, which is widely believed to be sponsored by the Chinese state, began rebuilding its KV-Botnet malware botnet after law enforcement officials disrupted it in January. Volt Typhoon is considered one of the most important cyberespionage threat groups and is believed to have infiltrated critical U.S. infrastructure, among other networks around the world, for at least the past five years.

To accomplish their objectives, they hack into SOHO routers and networking devices, such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, and install proprietary malware that establishes covert communication channels and proxies and maintains persistent access to targeted networks.

The Volt Typhoon botnet was built from a large collection of Cisco and Netgear routers more than five years old that had reached end-of-life (EOL) status and were therefore no longer receiving security updates. The attack began by infecting these devices with the KV Botnet malware and using them to hide the origin of follow-up attacks targeting critical national infrastructure (CNI) operations located in the US and abroad.

There has been no significant change in Volt Typhoon's activity in the nine months since SecurityScorecard says it observed signs of the group returning, which suggests that it is not only present again but also "more sophisticated and determined". SecurityScorecard's Strike Team has been poring over millions of data points collected from the organization's wider risk management infrastructure as part of its investigation, and has concluded that the group, after licking its wounds following the takedown, is now adapting and digging in in new ways.

In their findings, the Strike Team highlighted the growing danger that Volt Typhoon poses. To combat the spread of the botnet and its deepening tactics, governments and corporations urgently need to address weaknesses in legacy systems, public cloud infrastructures, and third-party networks, says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. "Volt Typhoon is not only a botnet that has resilience, but it also serves as a warning computer virus.

In the absence of decisive action, this silent threat could trigger a critical infrastructure crisis driven by unresolved vulnerabilities, leading to a critical infrastructure disaster." Volt Typhoon has recently been observed setting up new command servers on hosting services such as Digital Ocean, Quadranet, and Vultr to evade the authorities. Fresh SSL certificates have also been registered for the same purpose.

The group has escalated its attacks by exploiting vulnerabilities in legacy Cisco RV320/325 and Netgear ProSafe routers. According to Sherstobitoff, even in the short time the operation took, 30 per cent of the visible Cisco RV320/325 network equipment around the world was compromised. SecurityScorecard, which has been monitoring this matter for BleepingComputer, believes the threat actors' choice of targets is likely based on geographical factors.

It seems that the Volt Typhoon botnet will return to global operations soon; although the botnet is nowhere near its previous size, it is unlikely that China's hackers will give up on their mission. As a preventative measure, older routers should be replaced with more current models and placed behind firewalls. Remote access to admin panels should not be exposed to the internet, and passwords for admin accounts should be changed so that this threat cannot take hold.

To prevent exploitation of known vulnerabilities, it is highly recommended that you use SOHO routers that are still supported by their vendor and install the latest firmware when it becomes available. The security firm found that the new version of the botnet shares its fundamental infrastructure and techniques with the previous Volt Typhoon campaigns. SecurityScorecard's analysis also found a vulnerable VPN on a remote access point located on the small Pacific island of New Caledonia: although that system had previously been taken down, researchers observed it being used once again to route traffic between the Asia-Pacific region and the Americas.

Global Companies Targeted by "CopyR(ight)hadamantys" Phishing Scam Using Advanced Infostealer Malware


Hundreds of organizations worldwide have recently fallen victim to a sophisticated spear-phishing campaign, where emails falsely claiming copyright infringement are used to deliver an advanced infostealer malware.

Since July, Check Point Research has tracked the distribution of these emails across regions like the Americas, Europe, and Southeast Asia. Each email originates from a unique domain, and hundreds of Check Point’s clients have been targeted, suggesting the campaign's scope may be even broader.

The emails are designed to provoke recipients into downloading Rhadamanthys, a powerful infostealer capable of extracting sensitive data, such as cryptocurrency wallet information. Check Point researchers refer to the campaign as "CopyR(ight)hadamantys" and note the use of automated tools to send emails from different addresses. This automation can lead to awkward results, such as emails written in incorrect languages, limiting the emails’ ability to impersonate recognizable brands effectively. Roughly 70% of impersonated companies belong to the tech or media and entertainment sectors, including Check Point itself.

The phishing emails claim that the recipient has violated copyright laws by posting unauthorized content online. According to Sergey Shykevich, threat intelligence manager at Check Point, these accusations often cause recipients to question if they mistakenly used copyrighted material, increasing the chance they'll download the malware.

Recipients are directed to download a password-protected file, which contains a link leading to Dropbox or Discord. This file holds a decoy document, a legitimate program, and a malicious DLL (dynamic link library) that installs Rhadamanthys. Rhadamanthys stands out as one of the most sophisticated information-stealing tools sold on the dark web, priced around $1,000—significantly higher than other infostealers, which typically range from $100 to $200. Rhadamanthys is known for its modularity, obfuscation, and stealth, making detection much more challenging.

One notable feature of Rhadamanthys is its machine-learning-based OCR (optical character recognition) component. While limited in capability—it struggles with complex fonts and handwriting—this feature allows it to extract information from images and PDF files. The OCR module in the current campaign contains a dictionary of words tied to Bitcoin wallet security, suggesting a focus on cryptocurrency theft.

The CopyR(ight)hadamantys campaign aligns with financially motivated tactics, but Rhadamanthys has also been linked to state-sponsored actors, including Iran’s Void Manticore and the pro-Palestinian Handala group. Organizations are advised to enhance phishing defenses, though this campaign has an additional, unusual feature.

Once deployed, the malicious DLL creates a much larger file in the user’s Documents folder, disguised as a Firefox component. This larger version, though identical in function, uses an "overlay" of excess data, which serves two purposes: altering the file’s hash value, and potentially avoiding antivirus detection by exploiting a tendency of some programs to skip scanning large files.

According to Shykevich, organizations should monitor unusually large files downloaded via email, though legitimate files may also be large. He believes implementing effective download rules could help combat this tactic.
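The padded DLL differs from the small one only by bytes appended past the last PE section (the "overlay"), which is what changes the file hash. The following Python script is an added example, not code from Check Point's analysis: it reads the section table to find where the image ends, reports the overlay size and ratio, and hashes only the image part so the padded and unpadded variants match. The PE buffers it tests are constructed, and the triage thresholds are assumptions.

```python
"""Measure the overlay a PE file carries past its last section.

Added example (not code from Check Point's analysis): the oversized file
described above differs from the small DLL only by data appended after the
PE image, which changes the full-file hash. This script locates the end of
the last section from the section table, reports the overlay size and
ratio, and hashes only the image part so padded and unpadded variants hash
alike. The sample PE buffers are constructed.
"""
import hashlib
import struct


def pe_overlay_info(data: bytes) -> dict:
    """Return image_end, overlay_size and overlay_ratio for a PE buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt_hdr
    image_end = sect_table + 40 * num_sections  # headers alone, if no sections
    for i in range(num_sections):
        # Section header: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ... (40 bytes in total)
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        image_end = max(image_end, ptr_raw + size_raw)
    image_end = min(image_end, len(data))  # a truncated file has no overlay
    overlay = len(data) - image_end
    return {"image_end": image_end, "overlay_size": overlay,
            "overlay_ratio": overlay / len(data)}


def image_hash(data: bytes) -> str:
    """SHA-256 of the PE image without its overlay (stable across padding)."""
    return hashlib.sha256(data[:pe_overlay_info(data)["image_end"]]).hexdigest()


def file_hash(data: bytes) -> str:
    """SHA-256 of the whole file, which the overlay trick changes at will."""
    return hashlib.sha256(data).hexdigest()


def is_suspiciously_padded(data: bytes, min_overlay=5 * 1024 * 1024, min_ratio=0.9) -> bool:
    """Triage heuristic: a large overlay that dominates the file.

    Installers and some signed binaries legitimately carry overlays, so this
    is a signal for review rather than a verdict (thresholds are assumptions).
    """
    info = pe_overlay_info(data)
    return info["overlay_size"] >= min_overlay and info["overlay_ratio"] >= min_ratio


def build_sample_pe(section_payload: bytes, overlay: bytes) -> bytes:
    """Construct a minimal, non-executable PE-shaped buffer with one section."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt_hdr = 0  # never read here, so an empty optional header suffices
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt_hdr, 0x102)
    ptr_raw = e_lfanew + 4 + 20 + size_opt_hdr + 40  # right after the section header
    section_header = (b".text".ljust(8, b"\0")
                      + struct.pack("<IIII", len(section_payload), 0x1000,
                                    len(section_payload), ptr_raw)
                      + b"\0" * 16)
    return dos_header + b"PE\0\0" + coff_header + section_header + section_payload + overlay


if __name__ == "__main__":
    small = build_sample_pe(b"\x90" * 512, b"")
    padded = build_sample_pe(b"\x90" * 512, b"\0" * (6 * 1024 * 1024))
    for name, buf in (("small", small), ("padded", padded)):
        print(name, pe_overlay_info(buf), is_suspiciously_padded(buf),
              file_hash(buf)[:16], image_hash(buf)[:16])
```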

North Korean Hackers Employ macOS Malware to Target Crypto Firms


BlueNoroff, a North Korean threat actor, has been attacking crypto firms with a new multistage malware for macOS systems. 

According to the researchers, the campaign is known as Hidden Risk, and it lures victims with emails that include fake data on the current activities in the cryptocurrency market.

The malware employed in these attacks depends on a novel persistence method on macOS that does not generate any alerts on the most recent versions of the operating system, allowing it to bypass detection. 

BlueNoroff is known for cryptocurrency theft and has previously targeted macOS with a payload malware called 'ObjCShellz' that opens remote shells on affected Macs. 

Infection chain 

The attacks begin with a phishing email containing crypto-related news and subjects, disguised as if forwarded by a bitcoin influencer to boost credibility. The mail includes a link to a PDF containing the information, but it actually points to the attackers' "delphidigital[.]org" domain. 

According to SentinelLabs experts, the "URL currently serves a benign form of the Bitcoin ETF document with titles that change over time," but it also serves the first step of a malicious application bundle known as 'Hidden Risk Behind New Surge of Bitcoin Price.app'. 

The researchers state that for the Hidden Risk campaign, the threat actor employed an original academic paper from the University of Texas. The first stage is a dropper software signed and notarised with a valid Apple Developer ID, "Avantis Regtech Private Limited (2S8XHJ7948)," which Apple has since revoked. 

When launched, the dropper fetches a decoy PDF from a Google Drive link and opens it in the default PDF viewer to distract the victim. In the background, however, the next-stage payload is downloaded from "matuaner[.]com".

Interestingly, the hackers circumvented Apple's App Transport Security policy by altering the app's 'Info.plist' file to permit insecure HTTP connections to the attacker-controlled site.

The "Hidden Risk" campaign, according to SentinelLabs, has been in operation for the past 12 months or more. It employs a more straightforward phishing strategy that excludes the customary "grooming" on social media that other DPRK hackers partake in. 

The researchers also point out that, to get past macOS Gatekeeper, BlueNoroff has consistently been able to obtain new Apple developer accounts and have its payloads notarised.

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads


Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.

Growing Use of Winos4.0 Toolkit Poses New Threat to Windows Users

Security experts warn that the advanced hacking toolkit Winos4.0 is spreading across the globe. Originally reported by Trend Micro, this new toolkit, like the known kits Cobalt Strike and Sliver, was connected to a string of recent cyber attacks in China, having initially spread through fake software downloads. This year, Fortinet reported that the toolkit is also disseminated through game-themed files, a distribution channel that is now expanding and might put a larger user base at risk.


Attack Framework

Winos4.0 is a post-exploitation toolkit: after gaining initial access to a system, the attackers use it for further intrusion and control. It was first discovered inside applications that users had downloaded believing them to be software they wanted, including VPNs and Google Chrome downloads for the Chinese market. Under the aliases Void Arachne or Silver Fox, the attackers entice users with these very popular applications, laced with malicious components designed to compromise their systems.

More recently, attackers have distributed Winos4.0 through game applications, again mainly targeting Chinese users. In this way, hackers adapt and use attractive downloads to penetrate devices.


Infection Stages

When a victim downloads one of these benign-looking files, the Winos4.0 toolkit initiates a four-stage infection:

1. Stage 1: After installation, a DLL file, you.dll, is retrieved from a remote domain. This file establishes persistence on the device by setting values in the Windows Registry so that the malware survives a system restart.

2. Stage 2: At this step, the injected shellcode is loaded to resolve the necessary APIs and communicate with a C2 server, which enables the hackers to send commands and retrieve files from the infected device.

3. Stage 3: It fetches more encoded data from the C2 server in a second DLL file named 上线模块.dll, which it saves to the Windows Registry for later use, and also updates the server addresses to maintain an active link between the malware and its operators.

4. Final Stage: The last stage (login module.dll) activates all the main functions of the toolkit, including detailed system data gathering (such as IP address and OS type), detection of security tools, searching for crypto-wallets, and keeping a hidden backdoor. Through this backdoor connection, hackers can exfiltrate data, execute commands, and sustain their monitoring activity.


Evasion Techniques

Winos4.0 has an inbuilt scanner that detects security products, including commercial products by Kaspersky, Avast, Bitdefender, and Malwarebytes. It then changes its behaviour to avoid detection, or even quits if it finds itself running in a monitored environment. This versatility makes the tool very dangerous in cybercriminals' hands.


Emerging Menace

The fact that the toolkit Winos4.0 is still being used and fine-tuned points towards the growing importance of this toolkit in cyberattack strategies. As explained by Fortinet, it is a versatile and powerful framework "designed for remote control of compromised systems." Ongoing activity like this indicates that Winos4.0 is becoming a tool hackers like to use to gain control over Windows machines.


Preventive Actions

Security experts constantly warn users to be careful about what they download, especially free software or games that seem popular.

Avoid downloading applications and other files from unknown sources. Verifying that software or a file comes from a legitimate source can also prevent infection. Moreover, security software must be updated frequently.

Awareness of the threat posed by Winos4.0 can help many users avoid this sophisticated malware.


Windows PCs at Risk as SteelFox Malware Targets Driver Vulnerabilities

Several experts have warned that hackers are using malware to attack Windows systems with the intention of mining cryptocurrency and stealing sensitive information from their devices. The latest Kaspersky security report says it has spotted tens of thousands of infected endpoints. Cybercriminals have obtained fake cracks and activators for several commercial software products, such as Foxit PDF Editor, JetBrains, or AutoCAD, which they are selling to users.

A vulnerable driver, WinRing0.sys, is bundled with some of these fake cracks. By adding this driver, the victim reintroduces two three-year-old vulnerabilities, CVE-2020-14979 and CVE-2021-41285, onto the system, which extend the attacker's privileges to the maximum possible.

SteelFox is a malware package designed to mine cryptocurrency and steal credit card details with SYSTEM privileges, obtained through the "bring your own vulnerable driver" attack method. On forums and torrent trackers, the malware bundle's droppers appear as crack tools that activate legitimate versions of various software, such as Foxit PDF Editor, JetBrains, and AutoCAD.

State-sponsored threat actors and ransomware groups are known to exploit vulnerable drivers to escalate privileges and evade detection. Lately, however, this method appears to have been extended to information-stealing malware as well. According to Kaspersky researchers, the SteelFox campaign was discovered in August of this year, but the malware has been active since February 2023 and has been distributed through various channels (such as torrents, blogs and forum posts) in the past few weeks.

The Rhadamanthys stealer has been available for some time, but since July 2024 an updated version has been delivered in an ongoing phishing campaign built around copyright-infringement themes. Check Point is tracking the large-scale cybercrime campaign under the name CopyRightAdamantys. It targets the U.S., Europe, East Asia and South America, among other regions. 

According to Check Point's technical analysis, the campaign impersonates dozens of companies, with each email sent from a different Gmail account and tailored to the targeted entity in both the company it impersonates and the language it uses. Almost 70% of the impersonated companies are from the entertainment, media, technology and software sectors. 

One element stands out: the deployment of Rhadamanthys stealer version 0.7, which, as Recorded Future's Insikt Group described early last month, performs optical character recognition on images. Separately, Cisco Talos disclosed last week that users of Facebook business and advertising accounts in Taiwan were being targeted with the Lumma and Rhadamanthys information stealers.

The RAR archive has three components: a legitimate executable vulnerable to DLL side-loading, a malicious DLL containing the stealer payload, and a decoy document. When the executable runs, it side-loads the DLL, which sets up the environment in which Rhadamanthys is deployed. Given the scale of the campaign and the variety of lures and sender accounts, Check Point believes the threat actors, a possible cybercrime group, were likely using artificial intelligence tools to spread the malware. 

"It seems likely that this campaign was orchestrated by a financially motivated cybercrime group and not a nation-state actor, particularly given the large number of organizations across multiple regions targeted in this campaign," the analysis continues. "In addition to its global reach, the use of automated phishing tactics, and the use of a variety of lures, this campaign demonstrates how attackers continue to enhance their success rates." 

Kaspersky also revealed a full-featured crimeware bundle dubbed SteelFox, which has been spreading via forum posts, torrent trackers and blogs, passing itself off as legitimate utilities such as Foxit PDF Editor, JetBrains and AutoCAD in order to steal personal information. Over the last two years the campaign has claimed victims in nearly 50 countries, most of them in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India and Sri Lanka. 

No known threat actor or group has been linked to the attacks. Security researcher Kirill Korchemny said: "Delivered via sophisticated execution chains, notably shellcode, this type of malware abuses both Windows services and drivers in an attempt to accomplish its objectives." He added that it uses stealer malware to obtain details about the victim's device as well as their credit card information. 

The chain starts with a dropper that mimics a cracked version of popular software. When run, it requests administrator permissions and drops a next-stage loader, which in turn establishes persistence and launches the SteelFox module. Kaspersky notes that although SteelFox's C2 domain is hardcoded, the operators conceal the infrastructure by rotating through multiple IP addresses and resolving them with DNS over HTTPS. SteelFox attacks have no specific targets, but by the nature of the lures they mostly reach users of AutoCAD, JetBrains products and Foxit PDF Editor. 

Based on Kaspersky's telemetry, the malware is compromising systems in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India and Sri Lanka, among others. Although SteelFox is still relatively new, it demonstrates advanced functionality and appears to be the work of a skilled C++ developer who has integrated multiple external libraries to extend its capabilities. 

In a related development, analysts from FortiGuard Labs have reported another malicious framework, named Winos4.0. Embedded in game-related applications and aimed at Windows users, it is an evolved version of the Gh0st RAT (Gh0strat) malware and lets attackers remotely execute a range of actions, giving them substantial control over compromised systems. The infection process is particularly deceptive. 

It spreads through game-related applications, such as installation utilities and performance enhancement tools, designed to appeal to gamers and other Windows users. Once an individual downloads and installs one of these compromised applications, a seemingly harmless BMP file is retrieved from a remote server. This file subsequently extracts and activates the Winos4.0 DLL file, initiating the malware’s operations. 

In its initial phase, Winos4.0 sets up an environment for deploying further modules and establishes persistence on the infected machine by modifying system registry keys or creating scheduled tasks. Through this multi-stage infection process, Winos4.0 builds a durable foothold on affected devices, opening avenues for continuous exploitation and control.

New Phishing Attacks Use Backdoored Linux VMs to Infect Windows Systems

 

A recent phishing campaign, named 'CRON#TRAP,' is targeting Windows systems by deploying a Linux virtual machine with an embedded backdoor, allowing covert access to corporate networks.

While attackers have previously used virtual machines in malicious activities like ransomware and cryptomining, these installations were often done manually after gaining initial access. However, Securonix researchers identified that this new campaign automates the installation of a Linux VM through phishing emails, giving attackers a persistent foothold in corporate environments.

The phishing emails mimic a "OneAmerica survey," including a 285MB ZIP file that sets up a Linux virtual machine with a backdoor once opened. The ZIP archive contains a Windows shortcut labeled "OneAmerica Survey.lnk" and a folder named "data," which houses the QEMU application disguised as "fontdiag.exe."

When executed, the shortcut triggers a PowerShell command, extracting files to the "%UserProfile%\datax" directory and launching "start.bat" to set up a QEMU Linux VM. During installation, a fake server error message in a PNG format is displayed as a decoy, suggesting a broken survey link. This custom VM, called 'PivotBox,' includes a preconfigured backdoor for continuous command-and-control (C2) communication, enabling covert background operations.

The use of QEMU—a legitimate, digitally signed virtualization tool—means Windows security systems often fail to detect these malicious processes within the virtual environment.

The campaign’s backdoor mechanism uses a tool called Chisel for secure tunneling over HTTP and SSH, allowing attackers to maintain contact with the compromised system, even if firewalls are in place. To ensure persistence, the QEMU VM is set to restart on reboot, while SSH keys are uploaded to eliminate re-authentication requirements.

Securonix researchers noted two critical commands: 'get-host-shell,' which opens an interactive shell on the host for command execution, and 'get-host-user,' which checks user privileges. These commands facilitate activities like surveillance, network management, payload deployment, file control, and data exfiltration, enabling attackers to adapt and maximize their impact on target systems.

The CRON#TRAP campaign is not the first instance of QEMU misuse in stealthy attacks. In March 2024, Kaspersky observed a similar tactic, where a lightweight backdoor within a 1MB Kali Linux VM used QEMU to create hidden network interfaces and connect to a remote server.

To mitigate these attacks, the researchers recommend monitoring for processes such as 'qemu.exe' in user-accessible folders, blocking QEMU and similar virtualization tools where they are not needed, and disabling virtualization in the BIOS of critical systems. Two caveats apply: the campaign renamed the QEMU binary to 'fontdiag.exe', so a name-based rule must also consider the process's version information, hash or command line; and QEMU can run a guest with its software emulator (TCG) without hardware virtualization, so the BIOS setting slows the attack down rather than stopping it.

Meta Infostealer Malware Network Taken Down by Authorities

 


In the course of Operation Magnus, the FBI partnered with international law enforcement agencies to seize the servers, software and source code of the RedLine and Meta infostealers as part of an investigation into the two cybercrime operations. RedLine's developer has been charged by US authorities with a series of crimes, including money laundering. 

Evidence suggests that the stealers took millions of unique credentials from victims across the globe in the past year alone. Several agencies took part in the October operation, including the US Department of Justice (DoJ) and the Intelligence Bureau, as well as the Dutch National Police, the Belgian Federal Police, the Belgian Federal Prosecutor's Office, the UK National Crime Agency, the Australian Federal Police, the Portuguese Federal Police and Eurojust. 

According to the authorities, whose takedown website describes the two stealers as "pretty much the same" malware, the operation has disrupted the cybercriminal group behind them. RedLine and Meta harvest personal information from infected devices, including saved usernames and passwords, automatically saved form data such as addresses, email addresses and phone numbers, cryptocurrency wallets and cookies. 

Once harvested, the personal information was sold to other criminals through criminal marketplaces. Buyers used it to steal money and cryptocurrency and to carry out follow-on intrusions. The Dutch National Police said that targeting RedLine and Meta under Operation Magnus also serves as a warning to cybercriminals that their data is now in the hands of law enforcement. A dedicated website announced the disruption of both operations and reported that legal action is being taken against the groups on the basis of the seized data. 

According to a brief announcement posted on the Operation Magnus site, on October 28th, 2024, the Dutch National Police, in coordination with the FBI and other members of the international law enforcement task force, disrupted the operations of the RedLine and Meta infostealers. Information stealers are a very common form of malware used to steal sensitive data from victims' computers, such as usernames and passwords, financial information, system information, cookies and cryptocurrency accounts. 

The stolen information, known as "logs" in cybercrime circles, is sold on cybercrime forums and used for further fraud and follow-on attacks. A number of major corporations have been breached using RedLine as the initial means of intrusion. Because the logs include authentication cookies, criminals have also found that RedLine and META let them bypass multi-factor authentication (MFA) by replaying an existing session rather than logging in. Both stealers are sold under a decentralized malware-as-a-service (MaaS) model, in which affiliates purchase licences and then run their own campaigns to spread the malware to their chosen targets. 

The malware is distributed through malvertising, email phishing, fraudulent software downloads and malicious software sideloading. Law enforcement agencies have now dismantled operations associated with RedLine and META, two widespread malware variants involved in stealing sensitive information on a global scale. Deceptive lures such as fake COVID-19 updates and fraudulent Windows updates were used to trick victims into downloading the malicious programs. Both RedLine and META were advertised across cybercrime forums and Telegram channels, with sellers offering ongoing customer support and software updates. 

The malware has infected millions of computers worldwide, and RedLine is considered one of the most prevalent malware types in circulation. Through a detailed investigation, authorities have gathered extensive logs containing data stolen from infected devices, identifying millions of unique credentials, including usernames, passwords, email addresses, bank accounts, cryptocurrency addresses, and credit card numbers. However, investigators believe there may be additional stolen data yet to be uncovered. 

A warrant issued in the Western District of Texas has authorized law enforcement to seize two domains used by RedLine and META for command and control purposes. The U.S. Department of Justice unsealed this warrant, marking a significant step in disrupting the malware’s infrastructure. According to Recorded Future’s Identity Intelligence metrics, RedLine has enabled the theft of nearly a billion credentials since its inception. A joint report from Specops and KrakenLabs further estimates that RedLine facilitated the theft of over 170 million passwords in just six months. 

These stolen credentials are frequently sold to other cybercriminals, who exploit them to infiltrate corporate networks as part of larger cyberattack operations. The misuse of compromised credentials has contributed to several high-profile breaches, including the Snowflake data theft attacks and the Change Healthcare ransomware attack, which severely impacted the U.S. healthcare system. The investigation is ongoing as authorities work to recover stolen data and prevent further damage caused by this malware.

NEW Qilin Ransomware Variant Emerges with Improved Evasion Techniques

 



Cybersecurity researchers have identified a much more potent version of the Qilin ransomware: a revamped variant, aimed at core systems, that combines stronger encryption with improved stealth techniques.


A Rebranding with a Twist: Qilin's Evolution

The Qilin ransomware operation, which first appeared in July 2022, has now morphed into a more formidable opponent with a new version dubbed "Qilin.B." Known previously as "Agenda," the malware was rebranded and rewritten in Rust, a language whose compiled binaries are harder to analyse with existing tooling and that is increasingly used for high-performance, cross-platform code. The Qilin group is notorious for demanding multi-million dollar ransoms, focusing on high-stakes sectors such as healthcare, where operational disruptions can be particularly severe.

The Qilin operation has been behind some highly disruptive attacks. In June 2024 it hit Synnovis, a pathology firm providing services to the United Kingdom's NHS, which resulted in the cancellation of thousands of hospital and family doctor appointments. In return for collaborating on campaigns, Qilin affiliates are promised a large share of ransom payments, up to 85%, an arrangement structured to encourage attacks with the highest payoffs.


Improved Encryption and Obfuscation

Qilin.B uses several methods that make detection by standard security systems a hard nut to crack. According to Halcyon, a research firm specialising in cybersecurity, the variant encrypts files with AES-256 in CTR mode, using AES-NI hardware acceleration where the CPU supports it, and wraps the file keys with RSA-4096 using OAEP padding. With that construction, files cannot be decrypted without the operator's private key, which leaves prevention and off-line backups as the only recovery path.
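The reason the private key is the only way back is easier to see in code. The Go program below is an added example written for this page, not Qilin's code or anything published by Halcyon; the EncryptedFile layout and the function names are assumptions made for illustration. It implements the construction the paragraph describes, AES-256-CTR with a fresh key per file and that key wrapped under RSA-OAEP, then shows that the operator's private key recovers the file while any other key pair fails at the unwrapping step.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what a Qilin.B-style locker would leave on disk for one
// file: the per-file AES key wrapped with the operator's RSA public key, the
// CTR initial counter block, and the ciphertext. The layout is an assumption
// made for this example, not Qilin's actual on-disk format.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP (SHA-256) encryption of the 32-byte AES key
	IV         []byte // 16-byte CTR initial counter block
	Ciphertext []byte
}

// encryptFile applies the construction Halcyon reports for Qilin.B:
// AES-256-CTR with a random key per file, the key then wrapped with
// RSA-OAEP so that only the holder of the private key can recover it.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)

	// The file key is stored only under the attacker's public key; the
	// plaintext key is dropped as soon as this function returns.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// decryptFile is the step a victim cannot perform: unwrapping the file key
// requires the RSA private key, which never leaves the operator.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err // OAEP fails closed: a wrong key gives an error, not garbage
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ef.Ciphertext))
	cipher.NewCTR(block, ef.IV).XORKeyStream(pt, ef.Ciphertext) // CTR is its own inverse
	return pt, nil
}

func main() {
	operator, err := rsa.GenerateKey(rand.Reader, 4096) // stays with the attacker
	if err != nil {
		panic(err)
	}
	sample := []byte("constructed sample: lab result 0001, not real data")
	ef, err := encryptFile(&operator.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext differs from plaintext: %v\n", !bytes.Equal(ef.Ciphertext, sample))

	pt, err := decryptFile(operator, ef)
	fmt.Printf("operator key recovers file: %v (err=%v)\n", bytes.Equal(pt, sample), err)

	// A defender who generates their own key pair gets nothing: the wrapped
	// key is bound to the operator's modulus, so OAEP unwrapping fails.
	defender, _ := rsa.GenerateKey(rand.Reader, 4096)
	_, err = decryptFile(defender, ef)
	fmt.Printf("other key fails: %v\n", err)
}
```

The defensive takeaway is in the last three lines of main: there is no key material on the victim's disk that a decryptor could work from, so unless the implementation has a flaw (which the report does not claim), restoring from backups that the ransomware could not reach is the only recovery path.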

Qilin.B also obfuscates its code so that signature-based detection systems cannot recognise it, which makes detection and rapid response harder for security teams once an infection is under way. The Halcyon researchers who studied the upgrades see it as part of the growing sophistication of ransomware tactics: Qilin.B was built specifically to resist reverse engineering and to delay incident response.


New Tactics to Dodge System Defences

Qilin.B stops important system services, including those tied to backups, and deletes volume shadow copies so that infected systems cannot be rolled back. It also blocks system restarts and, after a successful attack, deletes its own binary to leave as few forensic artefacts as possible. Features like these are why defenders must keep pace with ransomware groups that keep changing their approach to stay a step ahead of patches and detections.


Growing Need for Cross-Platform Security

As Qilin becomes more agile, security experts say organisations' cybersecurity posture must become more proactive. Rebuilt in Rust, Qilin.B runs across different environments, from Linux to VMware's ESXi hypervisor. Security monitoring needs to recognise the stealthy methods seen in Qilin.B, including Rust-compiled payloads that signature-based tools built around older toolchains tend to miss.


Advanced Configurations and Control

Qilin.B also adds configuration options that let an affiliate tailor each attack. This version renames functions, encrypts strings and otherwise complicates its code in order to lengthen both defensive work and forensic analysis of an incident. Halcyon's researchers recommend behaviour-based detection, which identifies what the malware does rather than relying on the outdated search for signatures that, in this case, the malware has already dodged.

Given Qilin.B's advances in encryption and evasion, Halcyon recommends that organisations supplement their security infrastructure with cross-platform monitoring and with backup solutions designed to withstand the newest ransomware variants. A more complete capability for detecting and responding to threats remains an asset as ransomware spreads through even well-protected networks.

Continuous improvement in ransomware-as-a-service (RaaS) points to the intensifying threat that organisations have to grapple with as they secure sensitive data from increasingly sophisticated adversaries. The Qilin operation exemplifies how ransomware groups continue to adapt themselves to avoid defences, so proactive and adaptive security measures are justified in industries.


Bumblebee Malware Resurfaces in New Attacks Following Europol Crackdown

 

The Bumblebee malware loader, inactive since Europol's 'Operation Endgame' in May, has recently resurfaced in new cyberattacks. This malware, believed to have been developed by the TrickBot creators, first appeared in 2022 as a successor to the BazarLoader backdoor, giving ransomware groups access to victim networks.

Bumblebee spreads through phishing campaigns, malvertising, and SEO poisoning, often disguised as legitimate software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Among the dangerous payloads it delivers are Cobalt Strike beacons, data-stealing malware, and ransomware.

Operation Endgame was a large-scale law enforcement effort that targeted and dismantled over a hundred servers supporting various malware loaders, including IcedID, Pikabot, TrickBot, Bumblebee, and more. Following this, Bumblebee activity appeared to cease. However, cybersecurity experts at Netskope have recently detected new instances of the malware, hinting at a possible resurgence.

The latest Bumblebee attack involves a phishing email that tricks recipients into downloading a malicious ZIP file. Inside is a .LNK shortcut that activates PowerShell to download a harmful MSI file disguised as an NVIDIA driver update or Midjourney installer.

This MSI file is executed silently, and Bumblebee uses it to deploy itself in the system's memory. The malware uses a DLL unpacking process to establish itself, showing configuration extraction methods similar to previous versions. The encryption key "NEW_BLACK" was identified in recent attacks, along with two campaign IDs: "msi" and "lnk001."

Although Netskope hasn't shared details about the payloads Bumblebee is currently deploying, the new activity signals the malware’s possible return. A full list of indicators of compromise can be found on a related GitHub repository.
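Three of the chains described on this page, the CRON#TRAP launch of QEMU from a user folder, Qilin.B's shadow-copy deletion and Bumblebee's silent MSI install spawned from PowerShell, share one detection surface: process-creation telemetry. The Go program below is an added example written for this page, not code from Securonix, Halcyon, Netskope or any of the malware authors. It runs three rules over a handful of constructed events (the paths, file names and the ProcEvent field layout are invented for the example) and prints what fires.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record, the kind Sysmon Event ID 1
// or an EDR sensor emits. The field set is an assumption for this example.
type ProcEvent struct {
	Image       string // full path of the new process
	CommandLine string
	ParentImage string
}

// Finding pairs a rule name with the image that triggered it.
type Finding struct {
	Rule  string
	Image string
}

var (
	// QEMU needs its own switches to boot a guest, so a renamed binary such
	// as CRON#TRAP's fontdiag.exe is still recognisable by its arguments.
	qemuArgs = regexp.MustCompile(`(?i)(^|\s)-(hda|drive|netdev|cdrom|m)\s`)
	diskImg  = regexp.MustCompile(`(?i)\.(qcow2|img|iso|vmdk)\b`)
	// Backup and recovery tampering commonly run before ransomware encrypts.
	shadowKill = regexp.MustCompile(`(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s.*recoveryenabled\s+no)`)
	// msiexec /i <package> with a quiet flag: a silent install like Bumblebee's.
	silentMSI = regexp.MustCompile(`(?i)msiexec(\.exe)?\s.*[/-]i\s.*[/-]q`)
)

// baseName returns the lower-cased file name from a Windows or POSIX path;
// filepath.Base would not split on '\' when this runs on Linux.
func baseName(p string) string {
	i := strings.LastIndexAny(p, `\/`)
	return strings.ToLower(p[i+1:])
}

// userWritable reports whether a path or command line refers to a location a
// phished user can write to, as opposed to Program Files or System32.
func userWritable(s string) bool {
	l := strings.ToLower(s)
	return strings.Contains(l, `\users\`) || strings.Contains(l, `\appdata\`) || strings.Contains(l, `\temp\`)
}

// detect applies the three rules to each event and returns what fired.
func detect(events []ProcEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		img, parent, cl := baseName(ev.Image), baseName(ev.ParentImage), ev.CommandLine
		scripted := parent == "powershell.exe" || parent == "cmd.exe" || parent == "wscript.exe"
		switch {
		case qemuArgs.MatchString(cl) && diskImg.MatchString(cl) && userWritable(ev.Image):
			out = append(out, Finding{"qemu-guest-from-user-path", ev.Image})
		case shadowKill.MatchString(cl):
			out = append(out, Finding{"backup-recovery-tampering", ev.Image})
		case img == "msiexec.exe" && scripted && silentMSI.MatchString(cl) && userWritable(cl):
			out = append(out, Finding{"silent-msi-from-script", ev.Image})
		}
	}
	return out
}

// sampleEvents is constructed telemetry modelled on the three campaigns; the
// paths and file names are invented for the example.
func sampleEvents() []ProcEvent {
	return []ProcEvent{
		{`C:\Users\alice\datax\fontdiag.exe`, `fontdiag.exe -m 512 -netdev user,id=n0 -device e1000,netdev=n0 -hda pivotbox.qcow2 -nographic`, `C:\Windows\System32\cmd.exe`},
		{`C:\Program Files\qemu\qemu-system-x86_64.exe`, `qemu-system-x86_64.exe -m 2048 -hda C:\vm\lab.qcow2`, `C:\Windows\explorer.exe`},
		{`C:\Windows\System32\vssadmin.exe`, `vssadmin.exe delete shadows /all /quiet`, `C:\Users\bob\Downloads\invoice.exe`},
		{`C:\Windows\System32\msiexec.exe`, `msiexec.exe /i C:\Users\bob\AppData\Local\Temp\nvidia_update.msi /qn`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`},
		{`C:\Windows\System32\notepad.exe`, `notepad.exe notes.txt`, `C:\Windows\explorer.exe`},
	}
}

func main() {
	for _, f := range detect(sampleEvents()) {
		fmt.Printf("%-28s %s\n", f.Rule, f.Image)
	}
}
```

The QEMU rule deliberately ignores the file name, since the campaign shipped QEMU as fontdiag.exe, and keys instead on the switches QEMU needs to boot a guest plus a disk-image extension. A QEMU installed under Program Files does not fire, but one a user dropped into AppData would, which is the intended bias. The vssadmin and msiexec rules also fire on legitimate administration, so treat them as triage signals to correlate with parent process and path rather than as block-on-sight rules.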

Addressing Human Error in Cybersecurity: The Unseen Weak Link

 

Despite significant progress in cybersecurity, human error remains the most significant vulnerability in the system. Research consistently shows that the vast majority of successful cyberattacks stem from human mistakes, with recent data suggesting it accounts for 68% of breaches.

No matter how advanced cybersecurity technology becomes, the human factor continues to be the weakest link. This issue affects all digital device users, yet current cyber education initiatives and emerging regulations fail to effectively target this problem.

In cybersecurity, human errors fall into two categories. The first is skills-based errors, which happen during routine tasks, often when someone's attention is divided. For instance, you might forget to back up your data because of distractions, leaving you vulnerable in the event of an attack.

The second type involves knowledge-based errors, where less experienced users make mistakes due to a lack of knowledge or not following specific security protocols. A common example is clicking on a suspicious link, leading to malware infection and data loss.

Despite heavy investment in cybersecurity training, results have been mixed. These initiatives often adopt a one-size-fits-all, technology-driven approach, focusing on technical skills like password management or multi-factor authentication. However, they fail to address the psychological and behavioral factors behind human actions.

Changing behavior is far more complex than simply providing information. Public health campaigns, like Australia’s successful “Slip, Slop, Slap” sun safety campaign, demonstrate that sustained efforts can lead to behavioral change. The same principle should apply to cybersecurity education, as simply knowing best practices doesn’t always lead to their consistent application.

Australia’s proposed cybersecurity legislation includes measures to combat ransomware, enhance data protection, and set minimum standards for smart devices. While these are important, they mainly focus on technical and procedural solutions. Meanwhile, the U.S. is taking a more human-centric approach, with its Federal Cybersecurity Research Plan placing human factors at the forefront of system design and security.

Three Key Strategies for Human-Centric Cybersecurity

  • Simplify Practices: Cybersecurity processes should be intuitive and easily integrated into daily workflows to reduce cognitive load.
  • Promote Positive Behavior: Education should highlight the benefits of good cybersecurity practices rather than relying on fear tactics.
  • Adopt a Long-term Approach: Changing behavior is an ongoing effort. Cybersecurity training must be continually updated to address new threats.
A truly secure digital environment demands a blend of strong technology, effective policies, and a well-educated, security-conscious public. By better understanding human error, we can design more effective cybersecurity strategies that align with human behavior.

Vietnamese Hackers Target Digital Marketers in Malware Attack

 



Cyble Research and Intelligence Labs recently unearthed an elaborate, multi-stage malware attack targeting not only job seekers but also digital marketing professionals. The attackers, a Vietnamese threat actor, used a chain of sophisticated techniques to deliver Quasar RAT, a remote access tool that gives the operator complete control of an infected computer. 


Phishing emails and LNK files as entry points

The attack begins with phishing emails carrying an archive file. Inside the archive is a malicious LNK disguised as a PDF. Once the LNK is launched, it executes PowerShell commands that download additional malicious scripts from a third-party host, avoiding most detection solutions. The chain is most effective on ordinary, non-virtualized machines, where the malware can run unnoticed rather than being caught in an analysis sandbox.


Quasar RAT Deployment

The scripts then decrypt the malware payload with hardcoded keys and start Quasar RAT, a remote access trojan that gives the attackers total control of the compromised system. Data can be stolen, further malware can be planted, and the infected device can be operated remotely.

The campaign primarily targets digital marketers in the United States who run advertising on Meta platforms (Facebook, Instagram). The malicious files were crafted for exactly this kind of user, which increases the odds that the lures are opened.


Spread using Ducktail Malware

In July 2022, the same Vietnamese threat actors expanded their activities through the launch of Ducktail malware that specifically targeted digital marketing professionals. The group included information stealers and other RATs in its attacks. The group has used MaaS platforms to scale up and make their campaign versatile over time.


Evasion of Detection in Virtual Environments

What makes this attack more sophisticated is how well it evades analysis in virtual environments. The "output.bat" stage checks whether it is running in a virtual machine by looking for hard drive manufacturer strings and virtual machine signatures such as "QEMU" and "VirtualBox." If it detects that it is running inside a virtual machine, it stops execution immediately to frustrate analysis.

It proceeds with the attack if no virtual environment is detected. Here, it decodes more scripts, to which include a fake PDF and a batch file. These are stored in the victim's Downloads folder using seemingly innocent names such as "PositionApplied_VoyMedia.pdf."


Decryption and Execution Methods

Once the PowerShell script runs, it decrypts strings from the "output.bat" file using hardcoded keys and decompresses them through GZip streams. The result is a .NET executable that is loaded and run entirely in memory, which further shields the malware from detection by antivirus software.

The malware itself also performs a full cycle of checks to determine whether it is running in a sandbox or emulated environment. It looks for known file names and DLL modules common to virtualized settings and measures timing discrepancies to detect emulation. If these checks suggest a virtual environment, the malware throws an exception and halts all further activity.

Once the malware has managed to infect a system, it immediately looks for administrative privileges. If they are not found, then it uses PowerShell commands for privilege escalation. Once it gains administrative control, it ensures persistence in the sense that it copies itself to a hidden folder inside the Windows directory. It also modifies the Windows registry so that it can execute automatically at startup.


Defence Evasion and Further Damage 

For the same purpose, the malware employs supplementary defence evasion techniques to go unnoticed. It disables Windows event tracing functions which makes it more difficult to track its activities by security software. In addition to this, it encrypts and compresses key components in a way that their actions are even more unidentifiable.

This last stage of the attack uses Quasar RAT. Both data stealing and long-term access to the infected system are done through the use of a remote access tool. This adapted version of Quasar RAT is less detectable, so the attackers will not easily have it identified or removed by security software.

This is a multi-stage malware attack against digital marketing professionals, especially those working with Meta advertising. It is a sophisticated and dangerous operation that combines phishing emails, PowerShell commands and advanced evasion techniques to make it harder to detect and stop. Security experts advise extreme caution when handling email attachments, noting that this malware deliberately runs only on real, non-virtualized machines, and stress that all software and systems must be kept up to date to prevent this kind of threat.