Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
Ukraine
Fake Apps malware RSA Ukraine

Malware Targets Ukrainian Military via Fake App

 



Cybersecurity experts said that a malware campaign targeting Ukraine's military personnel has been released. The malware is spread with the help of a fake installer for an app called "Army+." That installer looks perfectly legitimate but embeds malicious code. It will install the Tor browser and use the hidden PowerShell script to carry on malicious activities; this means that there is misuse of the Tor browser for secretive purposes rather than any other purpose that it was used for.


How the Malware Works

The installation process starts with the fake app ArmyPlusInstaller. It launches a decoy application, ArmyPlus.exe, to avoid suspicion. In the background, a hidden script, init.ps1, works to bypass security restrictions on the system.

It would normally block such unauthorized scripts to keep a computer safe. But the malware will play with security settings by means of specific PowerShell commands to have the liberty of working freely. It even reduces the size of the console window to conceal all its actions and create further illusion. It plants files in strategic locations

The malware spreads its files throughout the folders of the system to remain hidden. For instance, the Tor browser files are stored in a directory called OneDriveData, while OpenSSH files, which give the attackers remote access, are kept in a folder called ssh.

This init.ps1 script plays a crucial role as it can pull down and install the Tor browser for use in secret operations. The init.ps1 script establishes communication between the compromised computer and the attacker, giving them an avenue through which to command the system from a stealth position.


Backdoor That Survives Reboot

After installation, it establishes a backdoor through which attackers secretly command the system remotely. The system information is then transmitted along with a public RSA key through Tor to a remote server. The latter facilitates communication from the attackers side encrypted through that public RSA key. In that manner, an attacker is in a position to issue commands, and if they have their ways, may end up commanding at a very high level within the system.


Exploiting User Trust

A devious malware installer masquerading as a program installation. Requesting administrative credentials, which may be granted unwarily by innocent users. Once the visible, front-end app fails, all the malicious instructions are executed on the backhand in silence silently, including accessing and transmitting some sensitive information it has gathered.


Why Is This Important

This incident highlights how cybercriminals exploit everyday tools, like PowerShell and Tor, to hide their attacks. In this way, they mimic legitimate software, making it harder for standard defenses to detect them.

It is a reminder for all of us to download software only from trusted sources and for organizations to regularly update their security measures. Being alert will help prevent such stealthy cyberattacks from succeeding.

This development underlines the increasing nuances in cyber threats in conflict zones as attackers continue to evolve their techniques to evade detection.


Read more »
Online attacks
cyberattack news malware Mobile Malware News Online attacks

FBI Warns Against Public USB Charging Stations Due to “Juice Jacking” Threat

The FBI has issued a cautionary alert for travelers, urging them to avoid using public USB charging stations found in airports, hotels, and other public spaces. A rising cyber threat, known as “juice jacking,” enables cybercriminals to steal sensitive data and install malware through these ports. While convenient for charging devices on the go, these stations are increasingly being exploited to compromise personal and financial security.

The Mechanics Behind Juice Jacking

Juice jacking takes advantage of a fundamental vulnerability in USB technology, which supports both power delivery and data transfer. When an unsuspecting user plugs their device into a compromised USB port, malware can be silently installed, or data can be extracted without their knowledge. The malicious software may remain dormant, activating later to steal passwords, lock files for ransom, or even mine cryptocurrency, which can drain the device’s battery and degrade its performance.

Adding to the complexity of this threat, even charging cables can be tampered with to include hidden components that extract data as soon as they are connected. This makes it possible for travelers to fall victim to juice jacking even if they avoid public charging stations but use unfamiliar or unverified cables.

The threat of juice jacking extends far beyond U.S. borders. Airports, hotels, and shopping malls worldwide have reported similar incidents, as the universal nature of USB charging technology makes it a convenient vector for cyberattacks. The rise in reported cases has prompted security experts to raise awareness about this subtle yet significant risk, urging travelers to rethink how and where they charge their devices.

How to Protect Yourself

To stay safe, the FBI and cybersecurity professionals recommend adopting these precautions:

  • Carry Personal Chargers: Use your own charging devices and power banks to avoid reliance on public USB ports.
  • Use a USB Data Blocker: This small device allows charging while preventing data transfer, effectively neutralizing the threat of juice jacking.
  • Opt for Wall Outlets: Whenever possible, plug devices directly into a wall outlet for charging, as this eliminates the risk of data theft.

Some airports and transportation hubs are beginning to address the issue by installing “charge-only” stations that disable data transfer capabilities. However, such solutions are not yet widespread, making it essential for individuals to remain vigilant and proactive in protecting their devices.

Corporate and Financial Sector Responses

Businesses are taking the juice jacking threat seriously, with many companies updating travel policies to discourage employees from using public USB ports. Instead, employees are being provided with approved chargers and power banks to ensure the safety of corporate devices and sensitive data.

The financial sector is also raising alarms, advising customers to avoid conducting banking transactions or accessing sensitive accounts while connected to public USB ports. Even a brief connection to a compromised charging station could lead to unauthorized access to financial apps and accounts, potentially resulting in significant losses.

While steps are being taken to make public charging safer, the onus remains on travelers to prioritize device security. By carrying personal charging equipment, avoiding unverified cables, and utilizing tools like USB data blockers, individuals can mitigate the risks of juice jacking and safeguard their personal and financial information against this evolving cyber threat.

Read more »
online games
Cookies Cyber Fraud Discord Email malware online games

Watch Out: Fake Game Invites on Discord Are Stealing Your Personal Data

 



There is a new online scam, where cyber criminals trick people into downloading harmful software under the pretext of beta testing a game. This campaign targets people on platforms such as Discord, email, and even text messages, aiming at stealing personal information and compromising accounts online. 


How does this work?

The scam starts by sending a harmless message. In this case, a user on Discord or elsewhere receives a direct message from a purported game developer claiming to have sent them a new game to play. The user is asked whether they would want to try the supposed game. In most cases, these messages come from compromised accounts, so the request seems all the more real.

If the victim consents, the attacker shares a download link and password to the target so that they can actually access and start downloading the game file. These links are usually Dropbox or even Discord's network because most malware authors upload their creations to an existing, popular platform. But what users download aren't games-these are referred to as information stealers.


What Do These Malware Applications Do?

Once installed, these programs, such as Nova Stealer, Ageo Stealer, or Hexon Stealer, begin extracting sensitive data. This may include: 

1. Saved browser passwords

2. Session cookies for services like Discord or Steam

3. Wallet information for cryptocurrencies

4. Credit card information

6. Two-factor authentication (2FA) backup codes

The Nova Stealer and Ageo Stealer are the new wave called Malware-as-a-Service (MaaS). This enables cybercriminals to rent these tools to conduct attacks. Nova Stealer even leverages a feature called a Discord webhook, allowing it to send information directly to hackers so they could know right away how much data had been stolen and not have to manually check.

Another tool that is used in these scams is the Hexon Stealer. It is a highly dangerous tool since it can gather a wide variety of personal information. Using such information, it hacks into Discord accounts and enables the attackers to send similar fake messages to the contacts of the victim, thereby further spreading the malware. 


Why Do Hackers Target Discord?

The main focus of these attacks is the Discord credentials. When hackers get access to a person's account, they can pretend to be that person, deceive their friends, and expand their network of victims. This cycle of exploitation of trust makes the scam so effective. 


How to Identify Fake Game Websites

Fake download pages are usually built using common web templates. Such sites appear legitimate but host malware. Among them are the following:  

  • dualcorps[.]fr
  • leyamor[.]com 
  • crystalsiege[.]com 
  • mazenugame[.]blogspot.com

These sites are hosted on platforms that are resistant to takedown requests, making it difficult for researchers to shut them down. If one site is removed, attackers can quickly set up a new one. 


How Can You Protect Yourself? 

To keep yourself safe, follow these simple guidelines:

1. Be cautious with unsolicited messages: If someone you don’t know—or even a known contact—sends a download link, verify its authenticity through another platform.  

2. Avoid downloading unknown files: Don’t download or install anything unless you’re certain it’s legitimate.  

3. Use updated security software: An active anti-malware program can block known threats.

4. Be watchful of phony websites: Be on the lookout for amateurism or copy-and-paste designs when viewing suspicious sites.


In the end, this scamming attack is meant to reap a financial reward; it may come in the form of stolen cryptocurrency, credit card information, or other sensitive details. Knowing how this attack works can help you safeguard your data from cybercrime attacks.

Stay informed and be careful—your online safety depends on it.

Read more »
Space Bear
Atos malware News Ransomware attack Space Bear

Atos Denies Ransomware Breach Allegations by Space Bears

French technology giant Atos has refuted claims by the ransomware group Space Bears that its systems were compromised, asserting that no evidence of a breach or ransom demand has been found. In a statement released on December 28, Atos clarified the results of its investigation, addressing concerns raised by the allegations.

“At this stage, the initial analysis shows no evidence of any compromise or ransomware affecting any Atos/Eviden systems in any country, and no ransom demand has been received to date,” the company stated.

Investigation and Clarifications

Although no compromise has been confirmed, Atos has deployed a dedicated cybersecurity team to thoroughly investigate the matter. The claims originated from Space Bears, a ransomware group with ties to Phobos Ransomware as a Service (RaaS). The group alleged that it had breached Atos' internal database and accessed sensitive data.

Atos clarified that the breach targeted “external third-party infrastructure, unconnected to Atos,” which “contained data mentioning the Atos company name but is not managed nor secured by Atos.”

The company emphasized its robust security operations, highlighting its global network of over 6,500 specialized cybersecurity experts and 17 next-generation security operations centers (SOCs) that operate around the clock to protect Atos and its customers.

“Atos has a global network of more than 6,500 specialized experts and 17 new-generation security operations centers (SOCs) operating 24/7 to ensure the security of the Group and its customers,” the statement emphasized.

Space Bears: A Rising Ransomware Threat

Space Bears, which emerged in April 2024, has gained notoriety for its sophisticated and aggressive extortion tactics. The group employs double extortion methods, encrypting victims’ data while threatening to release it publicly unless demands are met. Space Bears operates data leak sites on both the dark web and clearnet, leveraging tactics such as corporate imagery and “walls of shame” to maximize reputational damage.

The ransomware group has previously targeted organizations like Canadian software firm Haylem, orthophonics clinic Un Museau Vaut Mille Mots, and Lexibar, a language disorder provider. More recently, Space Bears claimed responsibility for attacks on Canada’s JRT Automatisation and India’s Aptus in December 2024.

While Atos maintains that no proprietary data, source code, or intellectual property was accessed, the company acknowledged the gravity of the situation. “We take such threats very seriously,” Atos affirmed.

This incident underscores the ever-evolving cyber threat landscape faced by multinational corporations and the growing sophistication of ransomware groups like Space Bears, highlighting the need for constant vigilance and robust cybersecurity measures.

Read more »
trending cybersecurity news
Data threats malware News Palo Alto Networks' Unit 42 research Phising Attacks Social Media threats trending cybersecurity news

Cybercriminals Leverage LLMs to Generate 10,000 Malicious Code Variants

Cybersecurity researchers are raising alarms over the misuse of large language models (LLMs) by cybercriminals to create new variants of malicious JavaScript at scale. A report from Palo Alto Networks Unit 42 highlights how LLMs, while not adept at generating malware from scratch, can effectively rewrite or obfuscate existing malicious code.

This capability has enabled the creation of up to 10,000 novel JavaScript variants, significantly complicating detection efforts.

Malware Detection Challenges

The natural-looking transformations produced by LLMs allow malicious scripts to evade detection by traditional analyzers. Researchers found that these restructured scripts often change classification results from malicious to benign.

In one case, 88% of the modified scripts successfully bypassed malware classifiers.

Despite increased efforts by LLM providers to impose stricter guardrails, underground tools like WormGPT continue to facilitate malicious activities, such as phishing email creation and malware scripting.

OpenAI reported in October 2024 that it had blocked over 20 attempts to misuse its platform for reconnaissance, scripting, and debugging purposes.

Unit 42 emphasized that while LLMs pose significant risks, they also present opportunities to strengthen defenses. Techniques used to generate malicious JavaScript variants could be repurposed to create robust datasets for improving malware detection systems.

AI Hardware and Framework Vulnerabilities

In a separate discovery, researchers from North Carolina State University revealed a side-channel attack known as TPUXtract, which can steal AI model hyperparameters from Google Edge Tensor Processing Units (TPUs) with 99.91% accuracy.

The attack exploits electromagnetic signals emitted during neural network inferences to extract critical model details. Although it requires physical access and specialized equipment, TPUXtract highlights vulnerabilities in AI hardware that determined adversaries could exploit.

Study author Aydin Aysu explained that by extracting architecture and layer configurations, the researchers were able to recreate a close surrogate of the target AI model, potentially enabling intellectual property theft or further cyberattacks.

Exploiting AI Frameworks

Morphisec researchers disclosed another AI-targeted threat involving the Exploit Prediction Scoring System (EPSS), a framework used to evaluate the likelihood of software vulnerabilities being exploited.

By artificially boosting social media mentions and creating GitHub repositories with placeholder exploits, attackers manipulated EPSS outputs.

This resulted in the exploitation likelihood for certain vulnerabilities increasing from 0.1 to 0.14 and shifting their percentile ranking from the 41st to the 51st percentile.

Ido Ikar from Morphisec warned that such manipulation misguides organizations relying on EPSS for vulnerability management, enabling adversaries to distort vulnerability assessments and mislead defenders.

The Double-Edged Sword of Generative AI

While generative AI offers significant potential for bolstering cybersecurity defenses, its misuse by cybercriminals presents a formidable threat.

Organizations must:

  • Invest in advanced AI-driven detection systems capable of identifying obfuscated threats;
  • Implement robust physical security measures to protect AI hardware from side-channel attacks;
  • Continuously monitor and validate AI framework outputs to mitigate manipulation risks.

As adversaries innovate, businesses and researchers must push their operations to stay ahead, leveraging the same AI advancements to fortify their defenses.

Read more »
OtterCookie
Infostealer Malicious Campaign malware North Korean Hackers OtterCookie

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

 

The North Korean hackers behind the ongoing Contagious Interview campaign have been observed launching a new JavaScript malware named OtterCookie. 

The campaign includes social engineering techniques, with the hacker team frequently posing as recruiters to trick job seekers into downloading malware during an interview process. This entails sharing malware-laced files via GitHub or the official package registry, paving the way for the propagation of malware like BeaverTail and InvisibleFerret. 

Palo Alto Networks Unit 42, which first detected the activity in November 2023, is tracking the cluster as CL-STA-0240. In September 2024, Singaporean cybersecurity company Group-IB disclosed the deployment of an upgraded version of BeaverTail that employs a modular approach, delegating its information-stealing capability to a collection of Python scripts known as CivetQ. 

According to the latest findings from Japanese cybersecurity company NTT Security Holdings, the JavaScript malware that launches BeaverTail is also designed to fetch and execute OtterCookie. 

The new malware is said to have been launched in September 2024, with a new variant identified in the wild last month. OtterCookie, upon running, establishes connections with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It is intended to execute shell commands that facilitate data theft, including files, clipboard items, and cryptocurrency wallet keys. 

The older OtterCookie variant discovered in September is functionally identical, but with a slight implementation difference: the cryptocurrency wallet key theft capability is directly incorporated into the malware, rather than a remote shell command. The discovery indicates that attackers are actively updating their tools while leaving the infection chain mostly intact, highlighting the campaign's efficacy. 

This comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organisation in connection with a fraudulent IT worker program engineered by North Korea to establish a regular source of funds. These funds are funnelled to North Korea, often through data theft and other illegal means. 

Kim Ryu Song, one of the 15 sanctioned individuals, was also charged by the U.S. Department of Justice (DoJ) earlier this month for allegedly participating in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organisations.
Read more »
Online Store Security
Cyberattacks CyberCrime Cyberfrauds Cyberhackers Cybersecurity CyberThreat JavaScript malware Online Store Security

Cyberattack Compromises European Space Agency Online Store Security

 


A malware attack on the European Space Agency's official web shop revealed that the application was hacked by loading a JavaScript script that generated a fake Stripe payment page at checkout. With an annual budget of more than 10 billion euros, the European Space Agency (ESA) is dedicated to extending the boundaries of space activity through the training of astronauts and the development of rockets and satellites for exploring our universe's mysteries. 

Thousands of people were put at risk of wire fraud after the European Space Agency (ESA) website was compromised due to the recent exploitation of a credit card skimmer, which was found to be malicious on ESA's webshop. According to researchers from Sansec, the script creates a fake Stripe payment page when the customer is at checkout, which collects information from the customer. 

As a result of the fake payment page being served directly from ESA's web shop, which mimicked an authentic Stripe interface, it appeared authentic to unsuspecting users, who were unaware of the fraudulent payment process. According to Source Defense Research, screenshots of the malicious payment page were provided alongside the real one in the post, but this attack took advantage of domain spoofing with a different top-level domain to exploit domain spoofing, using a nearly identical domain name for the attack. 

The official shop of the European Space Agency is located under the domain "esaspaceshop.com," but the attackers used the domain "esaspaceshop.pics" to deceive visitors. Sansec, who flagged the incident, emphasized that the integration of the webshop with ESA's internal systems could significantly increase the risks for both employees and customers of the agency. 

An examination of the malicious script revealed that its HTML code was obscured, which facilitated detection as well as the theft of sensitive payment information, as it contained obfuscated HTML code derived from the legitimate Stripe SDK. The malicious code was created to create a convincing fake Stripe payment interface that looked legitimate because it was hosted by the official ESA web store domain. 

Although the fake payment page was removed, researchers discovered that the malicious script remained in the source code of the site. As of today, the ESA website has been taken offline, displaying a message indicating it has been taken out of orbit for an extended period. The agency clarified that this store is not hosted by its infrastructure, and they do not manage its associated data. 

As confirmed by whois lookup records indicating different ownership between the main domain of ESA (esa.int) and the compromised web store, it is not known exactly how many customers were affected by the breach, nor what financial impact it had. According to ESA's website, the company is well known for its role in astronaut training and satellite launches. However, it has not yet provided details as to how it intends to strengthen its online security measures after the incident occurred. 

A recent cyberattack on well-respected institutions shows just how vulnerable they can be to cyber attacks, especially when their e-commerce systems are integrated into a broader organization's network. According to cybersecurity experts, e-commerce platforms are urged to prioritize robust security protocols to prevent similar incidents from occurring in the future. This can erode customer trust and result in significant financial consequences. 

The past few months have seen an increase in cyberattacks targeting e-commerce platforms, with criminals using digital skimming methods to steal payment information. Earlier in August 2024, Malwarebytes reported that it had infiltrated Magento-based e-commerce platforms with skimmer code, exposing sensitive customer information, such as credit card numbers, by November 2024, as described by Malwarebytes. 

Sucuri discovered several PHP-based skimmers, such as Smilodon, harvesting payment data covertly. Although these skimmers were highly obfuscated, their detection was significantly hindered. Finland's Cybersecurity Centre reported in December 2024 that skimming attacks were on the rise, where malicious code embedded on payment pages was used to steal credit card information. Those developments highlight the crucial need for e-commerce platforms to implement robust security measures to ensure their customers' data is protected from unauthorized access. 

It is still unclear who was responsible for these attacks, but Magecart, one of the most infamous threat groups around, has been previously linked to similar activities, including installing credit card skimmers on prominent websites, which are typical of such attacks. During March 2023, Malwarebytes speculated that this group was involved in an extensive series of attacks targeting multiple online retailers, but this was not the first mention of the group. 

The majority of victims of credit card fraud that results from such breaches can receive refunds from their banks. Cybercriminals, however, use the stolen funds to finance malicious campaigns, including malware distribution. Likely, significant damage has already been done by the time the affected cards are locked and the funds are returned, even though the stolen funds can be used to finance fraudulent campaigns.
Read more »
User Security
Data Theft Infostealer malware Python Package User Security

Fortinet Researchers Discover Two Malicious Python Packages

 

A new research published earlier this week by Fortinet Inc.'s FortiGuard Labs warns of two newly found malicious Python packages that indicate a major threat of credential theft, data exfiltration, and unauthorised system access.

The first flaw, Zebo-0.1.0, was discovered to exhibit sophisticated malware behaviour, including obfuscation tactics to hide its functionality and make it difficult for security tools to detect as malicious. The malware supports keylogging, screen capture, and the exfiltration of critical data to remote servers, posing a serious threat to user privacy and system integrity.

Zebo-0.1.0 makes use of libraries like pynput for keylogging and ImageGrab to take screenshots. This enables the malware to record every keystroke and regularly capture screenshots of the user's desktop, possibly exposing passwords, bank information, and other sensitive data. The malware stores the data locally before sending it to a Firebase database via obfuscated HTTP calls, allowing attackers to retrieve the stolen information undetected.

The malware also has a persistence technique to ensure that it is re-executed each time the infected system boots up. It accomplishes this by creating scripts and batch files in the Windows starting directory. They allow it to remain on the system without the user's knowledge, making it difficult to delete and enabling long-term data theft.

The second flaw, Cometlogger-0.1, includes a variety of malicious functionalities that target system credentials and user data. The virus dynamically injects webhooks into code during execution, allowing it to relay sensitive data, such as passwords and tokens, to remote attacker-controlled servers. 

Cometlogger-0.1 was also discovered to have features meant to evade discovery and disrupt analysis. One function, anti-virtual machine detection, looks for traces of sandbox environments, which are frequently employed by security researchers, and if it finds VM indicators, the malware stops running, allowing it to evade analysis and go unnoticed in live environments.

Though both types of malware have been flagged as dangerous, FortiGuard Lab experts state Cometlogger-0.1 takes things a step further by stealing a wide range of user data, including session cookies, saved passwords, and browsing history. It can also target data from services like Discord, X, and Steam, potentially leading to account hijacking and impersonation.

“The script (Cometlogger-0.1) exhibits several hallmarks of malicious intent, including dynamic file manipulation, webhook injection, steal information, ANTI-VM,” the researchers explained. “While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute.” 

The researchers believe that the most effective strategy to avoid infection is to always examine third-party scripts and executables before launching them. Organisations should also set up firewalls and intrusion detection systems to detect strange network activity, and personnel should be trained to recognise phishing attempts and avoid running unverified scripts.
Read more »
Spyware
Amazon App Store Android BMI Calculator malware Spyware

Hackers are Employing Amazon Appstore to Propagate Malware

 

'BMI CalculationVsn' is a malicious Android spyware app that was identified on the Amazon Appstore. It poses as a simple health tool while covertly harvesting data from compromised devices. 

Cybersecurity researchers from McAfee Labs discovered the app and notified Amazon, which resulted in the app being taken down from the app store. To get rid of any remaining traces, those who installed the app must manually uninstall it and run an extensive scan.

Amazon Appstore is a third-party Android software store that is pre-installed on Amazon Fire tablets and Fire TV devices. It also serves as a substitute to Google Play for Android device owners who can't or don't want to use Google's platform, and it even includes exclusive Amazon Prime games and entertainment. The BMI CalculationVsn spyware program, released by 'PT Visionet Data Internasional,' is marketed as a simple body mass index (BMI) calculator. 

Modus operandi

The user is greeted by an easy-to-use interface when they launch the compromised app, which offers the advertised features, such as calculating their BMI. However, there are other malicious activities going on in the background.

When the user taps the 'Calculate' button, the app first starts a screen recording service that asks for the required approval. This can be misleading and mislead users into giving their permission without thinking. 

McAfee claims that although the footage is locally stored in an MP4 file, it was not uploaded to the command and control (C2) server. This is probably because the app is still in the early stages of testing. 

The researchers' further investigation into the app's release history revealed that it was originally made available in the wild on October 8. By the end of the month, it changed the certificate information, added new malicious functions, and modified its icon. 

In order to help the attackers plan their next move, the app's second malicious operation is to scan the device and retrieve all installed applications. Finally, the spyware intercepts and gathers SMS messages, including verification codes and one-time passwords (OTPs), that are received and stored on the device.

Given that malicious apps can still escape through code review cracks in respectable and generally trustworthy stores like the Amazon Appstore, Android users should only install apps from reputable publishers. 

It is also advisable to review requested permissions and revoke problematic ones after installation. Google Play Protect can detect and block known malware detected by App Security Alliance partners such as McAfee, thus having it enabled on Android devices is critical.
Read more »
malware
Backdoor Badbox BSI Germany malware

Germany Warns of Pre-Installed Malware on 30,000 Devices

 

Earlier this week, Germany's cybersecurity office issued a warning about at least 30,000 internet-connected devices across the nation being compromised by pre-installed malware known as BadBox.

The Federal Office for Information Security (BSI) announced that it had successfully halted communication between the infected devices and the hackers' control servers, preventing further damage. However, devices with outdated software remain at significant risk.

BadBox: A Threat to Low-Cost Devices

The hacker group behind BadBox primarily targets Android devices by embedding malicious code into their firmware. Affected devices include:

  • Smartphones
  • Tablets
  • Connected TV streaming boxes

BadBox’s operators focus on low-cost devices distributed through online merchants or resale platforms. These devices come pre-installed with Triada malware, which opens a backdoor, enabling attackers to:

  • Remotely control the device
  • Inject new software
  • Perform illegal actions

Capabilities of the BadBox Malware

BSI discovered that the malware on compromised devices, such as digital photo frames and streaming gadgets, can discreetly:

  • Generate email and messenger accounts
  • Propagate fake news
  • Commit advertising fraud
  • Act as a proxy for cyberattacks or illegal content distribution

BSI’s Countermeasures

German cyber officials employed a technique known as sinkholing to redirect traffic from infected devices to secure servers, effectively limiting hackers' access. Additionally, the BSI mandated that all German internet service providers (ISPs) with over 100,000 subscribers reroute BadBox traffic to its sinkhole.

The BSI refrained from naming the manufacturers of the compromised devices but advised consumers who received warnings from authorities to disconnect or cease usage of the affected products immediately.

BSI President Claudia Plattner reassured consumers, stating: "There is no immediate danger for these devices as long as the BSI maintains the sinkholing measure. Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions, in particular, pose a huge risk."

Plattner also stressed the need for collective action: "We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market."

Takeaways for Consumers

To protect against threats like BadBox, consumers should:

  • Ensure devices are updated with the latest firmware
  • Purchase devices only from reputable manufacturers
  • Stay vigilant about warnings from cybersecurity authorities

As malware threats continue to evolve, proactive measures and industry accountability remain essential in safeguarding digital ecosystems.

Read more »
preinstalled malware
Android Malware BadBox threat digital frame vulnerabilities infected Android devices malware media player malware preinstalled malware

Malware Found Preinstalled on 30,000 Android Devices in Germany

 

A concerning cybersecurity issue has surfaced in Germany, where investigators uncovered that nearly 30,000 Android devices were sold with preinstalled malware.

The malware, dubbed “BadBox,” resides in the device firmware and affects various internet-enabled devices, including digital picture frames and media players operating on outdated Android versions, according to the Federal Office for Information Security (BSI).

“In all cases known to the BSI, the BadBox malware was already installed on the respective devices when they were purchased,” the agency confirmed in its report.

Once active, the malware can repurpose infected devices into tools for cybercriminals, enabling them to exploit home internet networks to launch attacks. It can also download additional malware and conduct fraudulent activities by accessing websites and ads in the background.

To mitigate the threat, the BSI has employed a method called “sinkholing,” which redirects internet traffic from compromised devices to servers controlled by the government. This measure prevents the malware from connecting to the hackers’ command systems.

“There is no acute danger for these devices as long as the BSI maintains the sinkholing measure,” the agency reassured. Nonetheless, users are strongly urged to disconnect any infected devices from the internet. Telecommunications companies in Germany are assisting by notifying affected users through IP address tracking.

The exact products impacted by this issue remain unidentified, leaving questions about how the malware was preinstalled. The BSI also warned that similar malware risks could affect tablets and smartphones.

This isn’t the first instance of preloaded malware on consumer electronics. Last year, a security researcher discovered an Android TV box sold on Amazon with hidden malware. The BSI advises consumers to prioritize security when purchasing electronics, emphasizing the importance of safety features, official manufacturer support, and updated operating systems.

Google also addressed the issue, clarifying:
“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.”

The company added, “Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

This incident underscores the need for heightened awareness when purchasing electronics, particularly from lesser-known brands, to ensure devices meet security and quality standards.
Read more »
Pumakit Rootkit
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Linux LKM malware PT Pumakit Rootkit

Pumakit Rootkit Challenges Linux Security Systems

 


According to the researchers from the Elastic Security Lab, a new rootkit called PUMAKIT can perform various advanced evasion mechanisms. When Elastic Security researchers discovered PUMAKIT while routinely hunting for threats on VirusTotal, they described it as PUMAKIT. Many stages are involved in deploying this multi-stage malware, including a dropper, two memory-resident executables, an LKM rootkit module, and a shared object rootkit, all of which are used in the userland. 

To manipulate core system behaviours, the rootkit component can hook into 18 different syscalls and several kernel functions using an internal Linux function tracer (ftrace), which enables it to control the behaviour of core system components. The rootkit is an advanced persistent threat (APT) that tends to target critical organizations with specific programs designed to establish persistence within compromised systems.

The rootkit is often used by APT groups in their attempts to target critical organizations with specific programs. As a result of the discovery of this Linux rootkit malware called Pumakit, it can evade detection and compromise systems through advanced stealth and privilege escalation techniques. Several components make up this sophisticated malware, including a dropper, a memory-resident executable, kernel module rootkits, and userland rootkits. 

The Pumakit malware family was discovered by Elastic Security in a suspicious binary 'cron' uploaded to VirusTotal on September 4, 2024. The details surrounding its identity and target remain vague. There are a variety of rootkits like this that are commonly used by advanced threat actors to undermine critical infrastructure, steal money, disrupt operations, and infiltrate enterprise systems to conduct espionage. As a sophisticated piece of malware, PUMAKIT was discovered via routine threat detection on VirusTotal as part of routine threat hunting. 

Its binary contains strings embedded by the developer that can be easily identified and accessed by developers. There is an internal structure to the malware that is based on a multi-stage architecture, which comprises a dropper component named "cron", two memory-resident executables called TGT and WPN, an LKM rootkit called Pumba and a shared object rootkit called Kitsune that is bundled in with the malware. This payload allows for loading the LKM rootkit ('puma.ko') into the kernel as well as the userland rootkit ('Kitsune SO') to intercept system calls via the userland.  

A kernel function, such as "prepare_creds" and "commit_creds," can also be used to alter core system behaviour and achieve its objectives. It includes the use of the internal Linux function tracer (trace) to hook into as many as 18 different system calls and various kernel functions, such as "prepare_creds." and "commit_creds." In addition, Elastic noted that every step of the infection chain is designed to conceal the malware's presence, leveraging memory-resident files, and doing specific checks before unleashing the rootkit, which will make it difficult for the user to detect it before it is launched. 

As of right now, the company has not linked PUMAKIT to any known threat actor or group and believes that the software most likely originated from unknown sources. As you may know, PUMAKIT is a sophisticated and stealthy threat, which utilizes advanced techniques like syscall hooks, memory-resident execution, and unique methods for escalating privileges. According to the researchers, it is a multi-architectural malware that demonstrates the increasing sophistication of malware aimed at Linux. For IForthe LKM rootkit to be able to manipulate the behaviour of a system, it must use the syscall table, as well as kallsyms_lookup_name() to find symbol names. 

Rootkits targeting kernel versions 5.7 and above tend to use probes, which means they are designed for older kernels which makes them more difficult to detect than modern rootkits. There has been a debate within the kernel development team about the unsporting of the kallsyms_lookup_name() code to prevent unauthorized or malicious modules from misusing it. As part of this tactic, modules are often added with fake MODULE_LICENSE("GPL") declarations that circumvent license checks, thereby allowing them to access non-exported kernel functions, which is not permitted under the GPL.

A Linux rootkit known as PUMAKIT, or Pumakkit for short, has been discovered that underscores the sophistication with which Linux systems are being targeted by targeted threats. This malware is one of the most dangerous adversaries because it can evade detection and execute advanced attacks. In any case, proactive measures can reduce the harm caused by these threats by recommending regular updates and by increasing monitoring capabilities, among other measures. 

To defend against attacks like PUMAKIT being carried out by hackers like Kumak, it is crucial to remain informed and vigilant in the face of evolving cybersecurity threats. Users must take every precaution to ensure that their Linux systems are protected from this and other advanced malware threats.
Read more »
Operational Technology
IoT Iran malware Operational Technology

IOCONTROL Malware: A Threat to Critical Infrastructure in Israel and the United States

 

A newly identified malware, IOCONTROL, is causing widespread alarm as it targets critical infrastructure in Israel and the United States. Developed by Iranian hackers, IOCONTROL is specifically designed to attack Internet of Things (IoT) devices and operational technology (OT) systems, posing a severe risk to essential services.

This highly sophisticated and adaptive malware can infect a wide range of industrial devices, including routers, programmable logic controllers, human-machine interfaces, IP cameras, firewalls, and systems for managing fuel operations. These devices often serve as the backbone of critical infrastructure, such as fuel supply chains and water treatment facilities.

The malware’s modular design allows it to adapt its behavior based on the targeted manufacturer. Security researchers from Claroty’s Team82 uncovered IOCONTROL and classified it as a nation-state cyberweapon capable of causing large-scale disruptions. Among the manufacturers affected are D-Link, Hikvision, Unitronics, and Phoenix Contact.

How Does IOCONTROL Work?

IOCONTROL boasts several advanced features that make it exceptionally dangerous:

  • Persistence: Once installed, the malware ensures it remains active even after device reboots by utilizing a script that reactivates it during boot-up.
  • Communication: It uses the MQTT protocol over port 8883 to connect with its command-and-control (C2) server, a common protocol for IoT devices that helps evade detection.
  • Stealth: The malware leverages DNS over HTTPS (DoH) for domain resolution, making its network communications encrypted and harder to monitor.
  • Encryption: Configuration files are encrypted using AES-256-CBC, preventing security analysts from easily accessing or interpreting them.

Functions of the Malware

IOCONTROL is designed to perform a variety of malicious tasks, making it one of the most dangerous malware targeting critical infrastructure. Its key functions include:

  1. Collecting and Sending System Information: The malware gathers device details, such as name, user credentials, and model, and transmits this data to its C2 server for attackers to control the device.
  2. Installation Verification: It ensures the malware is correctly installed and functioning as intended.
  3. Command Execution: Attackers can run operating system commands on infected devices, with results sent back to the C2 server.
  4. Self-Removal: To avoid detection, the malware can erase all traces, including files, scripts, and logs.
  5. Network Scanning: It scans networks for specific IP addresses and open ports, identifying new devices to infect.

These capabilities allow IOCONTROL to destroy systems, steal sensitive information, and propagate to other devices within a network.

Impact on Infrastructure

Claroty’s analysis reveals that IOCONTROL has been used to breach 200 fuel stations in the United States and Israel. In one attack, hackers infiltrated Gasboy fuel systems and point-of-sale terminals, potentially giving them control over fuel pumps and connected devices.

The hacking group CyberAv3ngers, linked to these attacks, has previously claimed responsibility for targeting water treatment facilities. These incidents underscore the malware’s ability to disrupt vital services, such as fuel and water supply, which are critical to daily life and economic stability.

Why Is This Alarming?

The IOCONTROL malware appears to be part of a larger effort by Iranian hackers to exploit vulnerabilities in industrial systems, particularly in nations perceived as adversaries. These attacks align with escalating geopolitical tensions and the growing prevalence of cyber conflicts between nations.

The malware’s modular structure makes it especially threatening, as it can be customized to target devices from multiple manufacturers. Its combination of stealth, persistence, and adaptability poses a significant challenge to global cybersecurity efforts.

Steps to Protect Systems

To mitigate the risks posed by IOCONTROL, Claroty’s report recommends the following measures for organizations managing critical infrastructure:

  • Regularly upgrade and patch device firmware.
  • Monitor network traffic for unusual activity or behavior.
  • Implement best practices in access control to minimize exposure to threats.
  • Review Claroty’s indicators of compromise (IoCs) to detect potential infections.

Conclusion

The rising number of attacks on critical infrastructure highlights the urgent need for vigilance and proactive defense measures. Organizations must take immediate steps to secure their systems against the evolving threat posed by IOCONTROL, which has already demonstrated its potential for widespread disruption.

Read more »
zero-day exploit
CVE-2024-11972 Flaws Hunk Companion plugin malware plugin security WordPress RCE flaws Wordpress Vulnerability zero-day exploit

Critical Security Flaw in "Hunk Companion" Plugin Exploited by Hackers

 


Hackers are actively exploiting a serious security vulnerability in the "Hunk Companion" plugin to install and activate other plugins that contain known vulnerabilities from the WordPress.org repository. This targeted attack allows the installation of plugins with a variety of vulnerabilities, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS), and even enables the creation of unauthorized admin backdoors.

Exploitation of Outdated Plugins

By focusing on outdated plugins with existing exploits, attackers can execute malicious actions, compromising WordPress sites. WPScan discovered the malicious activity and reported the issue to the developers of Hunk Companion. In response, a security update addressing the zero-day vulnerability was released yesterday.

Hunk Companion is an add-on plugin designed to enhance WordPress themes developed by ThemeHunk. Although it is installed on over 10,000 WordPress sites, it remains a relatively niche tool within the WordPress ecosystem, according to WordPress.org statistics.

Details of the Vulnerability

The critical vulnerability, identified by WPScan researcher Daniel Rodriguez, is tracked as CVE-2024-11972. This flaw allows attackers to install plugins via POST requests without authentication, creating a serious security risk for affected WordPress sites.

All versions of Hunk Companion prior to version 1.9.0, released yesterday, are affected. During an investigation of an infected site, WPScan found evidence of active exploitation of CVE-2024-11972. This exploit enabled the installation of a compromised version of the WP Query Console plugin, which has not been updated in over seven years. The hackers used this plugin to execute malicious PHP code by exploiting the RCE flaw CVE-2024-50498.

According to WPScan, “In the infections we've analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory. This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.”

Previous Attempts to Fix the Vulnerability

A similar flaw was addressed in version 1.8.5 of Hunk Companion, tracked as CVE-2024-9707. However, this fix was found to be insufficient, and attackers managed to bypass it.

Due to the severity of this vulnerability and the ongoing exploitation, users of Hunk Companion are strongly advised to update to version 1.9.0 immediately. At the time of reporting, version 1.9.0 had been downloaded around 1,800 times, leaving approximately 8,000 sites still vulnerable to attacks.

Read more »
Windows
Amaday Bot Lumma Stealer malware Malware Campaign Manufacturing Windows

New Malware Campaign Attacks Manufacturing Industry


Lumma Stealer and Amaday Bot Resurface

In a recent multi-stage cyberattack, Cyble Research and Intelligence (CRIL) found an attack campaign hitting the manufacturing industry. The campaign depends upon process injection techniques aimed at delivering malicious payloads like Amaday Bot and Lumma Stealer.

Using a chain of evasive actions, the threat actor (TA) exploits diverse Windows tools and processes to escape standard security checks, which leads to persistent system control and potential data theft. 

About the campaign

CRIL found an advanced multi-level attack campaign that starts with a spear-phishing mail. The email has a link that directs to an LNK file, hidden as a PDF file. When the fake PDF is clicked, it launches a series of commands. The LNK file is hosted on a WebDAV server, making it challenging for security software to trace.

“For instance, one of the malicious links observed in the campaign was hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop. The attack’s effectiveness stems from its ability to exploit the name of a legitimate cloud-based document management system (LogicalDOC), commonly used in manufacturing and engineering industries, to convince targets into opening the file,” reports the Cyber Express.

How the campaign works

After executing the LNK file, it opens ssh.exe, a genuine system utility that can escape security software checks. Via ssh.exe, a PowerShell command is activated to retrieve an extra payload via a remote server from mshta.exe. 

Threat actors use this process to avoid detection via Google’s Accelerated Mobile Pages (AMP) framework merged with a compressed URL. The retrieved payload is a malicious script containing extra hacked commands that gradually deliver the last malicious payload to the target system.

Once the LNK file is executed, it launches ssh.exe, a legitimate system utility that can bypass security software’s detection. Through ssh.exe, a PowerShell command is triggered, which fetches an additional payload from a remote server using mshta.exe. This process is designed to evade detection by using Google’s Accelerated Mobile Pages (AMP) framework combined with a shortened URL. 

The payload fetched is a script that contains additional obfuscated commands that eventually deliver the final malicious payload to the victim’s system. 

CYBLE blog says, “The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems. Yara and Sigma rules to detect this campaign, are available for download from the linked GitHub repository.”    

Read more »
malware
Akira Ransomware Black Basta Ransomware Credential Theft malware

Black Basta Ransomware: New Tactics and Growing Threats

 


The Black Basta ransomware group, an offshoot of the now-defunct Conti group, has adapted its attack strategies by integrating sophisticated social engineering techniques. Recent trends include email bombing, malicious QR codes, and credential theft, showcasing the group’s commitment to exploiting vulnerabilities in organizational defenses. 
 
The group begins its operations with email bombing—flooding a target's inbox with subscription-based messages from various mailing lists. This overload often leads victims to seek assistance, creating an opportunity for attackers to impersonate IT staff or support teams. Since August 2024, impersonation tactics have extended to platforms like Microsoft Teams, where attackers persuade victims to install legitimate remote access tools such as AnyDesk, TeamViewer, or Microsoft’s Quick Assist. Microsoft has identified the misuse of Quick Assist by threat actors labeled "Storm-1811." 
 
Malicious QR codes are another tool in the group’s arsenal. Victims are sent codes via chats, claiming to link trusted mobile devices. These QR codes redirect users to malicious websites, enabling attackers to harvest credentials. Cybersecurity experts have noted that attackers sometimes use OpenSSH clients to open reverse shells, providing deeper system access. 
  
Malware Delivery and Payload Objectives 
 
After gaining initial access, Black Basta deploys malicious payloads designed to escalate the attack. Key malware tools include:
  • Zbot (ZLoader): Credential-harvesting malware.
  • DarkGate: Multi-purpose malware for executing subsequent attacks.
These tools allow attackers to steal sensitive information, such as user credentials and VPN configurations, which they use to bypass multi-factor authentication (MFA) and infiltrate organizational systems. Black Basta’s proprietary tools further enhance its effectiveness:
  • KNOTWRAP: Executes payloads directly in memory, bypassing traditional detection methods.
  • KNOTROCK: Specialized utility for deploying ransomware.
  • PORTYARD: Facilitates secure connections with command-and-control servers.
Emerging Ransomware Trends 
 
Black Basta’s innovations align with broader trends in ransomware development. New groups, like Akira and Rhysida, are also leveraging advanced techniques. Akira, developed in Rust, uses pre-built libraries to enhance efficiency, while Rhysida employs tactics like fake software websites and SEO poisoning to spread malware. These trends highlight the growing sophistication of ransomware operations. 
 
 
Defensive Measures for Organizations 
 

The Black Basta group exemplifies the evolution of cybercrime, combining email bombing, impersonation, and advanced malware tools in hybrid attack models. To counter these threats, organizations must:
  • Regularly update security systems to address vulnerabilities.
  • Implement robust training programs to help employees identify social engineering tactics.
  • Strengthen multi-factor authentication and endpoint protection measures.
As cybercriminals continue to adapt, proactive defense and vigilance remain essential to safeguarding organizational systems from these evolving threats.
Read more »
Visual Basic Script
Cloudflare Tunnels Cyber Attacks Gamaredon GammaDrop malware Recorded Future spear-phishing Visual Basic Script

Hackers Exploit Cloudflare Tunnels and DNS Fast-Flux to Conceal GammaDrop Malware

 A notorious threat actor known as Gamaredon has been observed employing Cloudflare Tunnels to hide its malware staging infrastructure, facilitating the deployment of GammaDrop malware. This technique is part of a spear-phishing campaign actively targeting Ukrainian organizations since early 2024. 

Campaign Details and Tactics 

According to Recorded Future's Insikt Group, the primary goal of this campaign is to deliver Visual Basic Script malware. The group, monitored under the alias BlueAlpha, has also been identified by several other names, including:

  • Aqua Blizzard
  • Armageddon
  • Hive0051
  • Iron Tilden
  • Primitive Bear
  • Shuckworm
  • Trident Ursa
  • UAC-0010
  • UNC530
  • Winterflounder
Active since 2014, BlueAlpha is linked to Russia's Federal Security Service (FSB). "BlueAlpha has recently started using Cloudflare Tunnels to obscure staging infrastructure for GammaDrop, a tactic gaining traction among cybercriminal groups," noted Insikt Group. Additionally, the group continues to use DNS fast-fluxing to complicate the tracking and disruption of command-and-control (C2) communications. 
 
Recent Observations 

The use of Cloudflare Tunnels by Gamaredon was first reported in September 2024 by ESET, a Slovak cybersecurity firm, during attacks targeting Ukraine and NATO countries, including Bulgaria, Latvia, Lithuania, and Poland. ESET described BlueAlpha's methods as "reckless and not particularly stealth-focused," although the group employs measures to evade detection and maintain access to compromised systems. These include deploying multiple simple downloaders or backdoors and frequently updating their malware tools with regularly changing obfuscation techniques. 
 
Malware Deployment Process 

The phishing campaign uses HTML attachments to initiate infections via HTML smuggling. This technique embeds JavaScript code to deliver malicious payloads. Key steps include:
  • Phishing emails with HTML attachments drop a 7-Zip archive ("56-27-11875.rar") containing a malicious LNK file.
  • The LNK file exploits mshta.exe to deliver GammaDrop malware.
  • GammaDrop deploys a custom loader, GammaLoad, which connects to a C2 server to retrieve additional malware.
The GammaDrop malware is staged on a server behind a Cloudflare Tunnel, with the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com serving as a staging point. GammaLoad uses DNS-over-HTTPS (DoH) services like Google and Cloudflare to resolve C2 infrastructure, employing fast-flux DNS methods as a fallback. 
 
Implications and Future Threats 

Recorded Future warns that BlueAlpha is likely to continue refining its evasion techniques by exploiting legitimate services like Cloudflare. This approach complicates detection for traditional security systems. The group's enhancements to HTML smuggling and DNS-based persistence highlight evolving challenges for organizations with limited threat detection capabilities. "Organizations must strengthen their defenses against phishing campaigns and adopt advanced threat detection strategies to mitigate risks posed by actors like BlueAlpha," the report concluded.
Read more »
News
Andromeda APAC cyberattacks trending news malware News

Andromeda Malware Resurfaces: Targeting APAC Manufacturing and Logistics Industries

In a fresh revelation by the Cybereason Security Services Team, a new wave of attacks linked to the notorious Andromeda malware has been uncovered, focusing on manufacturing and logistics sectors in the Asia-Pacific (APAC) region. This decades-old malware, first detected in 2011, continues to evolve, proving itself as a relentless tool in the cybercriminal arsenal. 

Known for its modular nature, Andromeda has long been a favorite for hackers due to its versatility. Historically spread through malicious email attachments, infected USB drives, and secondary payloads, the malware is now leveraging more sophisticated techniques to wreak havoc. Once installed, Andromeda’s capabilities include stealing sensitive data, such as passwords, creating backdoor access, and downloading additional malware, making it a multipurpose threat for industrial espionage. 

One of its standout features is its use of “USB drop attacks.” Compromised USB drives can execute malicious files automatically, infecting systems upon connection. The malware’s disguise game is strong—DLLs with inconspicuous names like “~$W*.USBDrv” and “~$W*.FAT32” are loaded using rundll32.exe to fly under the radar. 

Additionally, “desktop.ini” files, typically seen as harmless system files, are being weaponized to trigger the malware’s activities. A critical part of Andromeda’s resurgence lies in its advanced command-and-control (C2) infrastructure. During Cybereason’s investigation, one such C2 domain, suckmycocklameavindustry[.]in, demonstrated agility by resolving to multiple IP addresses, ensuring constant communication between infected systems and the threat operators. 

The attackers also use WebDAV exploitation to download these malicious payloads. Their tactics highlight the ongoing evolution of Andromeda, as it adapts to modern cybersecurity challenges. Cybereason’s investigation suggests that this campaign may be tied to the infamous Turla group, also known as UNC4210. It also indicates that an older Andromeda sample may have been hijacked and repurposed by the group, further complicating attribution. 

The ultimate target of these attacks appears to be industrial espionage. Manufacturing and logistics companies in the APAC region are being infiltrated to steal valuable data, disrupt operations, and potentially execute further malicious actions. The campaign underscores the ongoing risks faced by industries heavily reliant on supply chains and operational technology.
Read more »
ransomware prevention
Black Basta Ransomware cybercrime group attack file-encrypting malware malware Microsoft Teams malware phishing campaigns 2024 ransomware prevention

Black Basta Targets Microsoft Teams with New Ransomware Tactics

 

The Black Basta ransomware group has resurfaced with a concerning method of spreading file-encrypting malware, now targeting Microsoft Teams. The group, notorious for cyberattacks on technology, finance, and public sector industries, exploits the popular collaboration platform to infiltrate networks.

First observed in October 2024, this new tactic shows a shift from previous approaches. Active since April 2022, Black Basta initially used spam and social engineering to distribute malware. Now, they impersonate IT support staff or colleagues, tricking users into providing credentials for fake network logins, enabling the deployment of malware. This deceptive method replaces older techniques like phone-based social engineering.

Microsoft Teams is a strategic target due to its global use in corporate communication. Many employees trust messages within the platform, often overlooking verification steps. This makes them more vulnerable to attackers who exploit this trust to gain unauthorized access.

In 2023, Black Basta was connected to email phishing campaigns involving links to malicious websites. While those campaigns focused on harvesting credentials and delivering malware, the group's shift to real-time platforms like Teams indicates a significant evolution in their strategy.

Microsoft urges users to exercise caution with suspicious messages, especially those requesting sensitive information or financial transactions. "If a message in Teams appears to ask for credentials or money transfers, users are advised to verify the sender’s identity through other channels," the company recommended. Avoiding unknown links and confirming requests through phone or email are key practices to prevent such attacks.
Read more »
UEFI Bootkit
Bookitty Data theft extortion Linux Systems malware Malware Attack News trending news UEFI Bootkit

Bootkitty: The Game-Changing Malware Targeting Linux Systems

 

This malware, named Bootkitty, introduces a new method of attacking Linux, which has traditionally been considered safer from such stealthy threats compared to Windows. Bootkits are highly dangerous because they infect a computer’s boot process, loading before the operating system starts. 

This allows them to take deep control of a system while avoiding detection by traditional security tools.   

Bootkitty specifically targets certain versions of Ubuntu Linux by bypassing critical security checks during system boot.   

How Bootkitty Works  


ESET discovered Bootkitty in November 2024 when a suspicious file, bootkit.efi, was uploaded to VirusTotal. The malware uses advanced techniques to bypass kernel signature verification and inject malicious components during the system boot process.   

It relies on a self-signed certificate, meaning it won’t function on systems with Secure Boot enabled.   The malware hooks into UEFI security protocols and GRUB bootloader functions, disabling key security checks and loading malicious modules into the Linux kernel.  Bootkitty also forces a malicious library to load into system processes upon startup.   

However, the malware is not without flaws.  It only works on specific GRUB and kernel versions, which limits its effectiveness.  It can cause system crashes due to compatibility issues.   

During their investigation, researchers also found another suspicious file, BCDropper, likely associated with Bootkitty. BCDropper installs a rootkit named BCObserver, which provides stealthy control by hiding files, processes, and open ports on the infected system.   

Growing Threat to Linux   


Although Bootkitty is not yet fully developed or actively deployed in real-world attacks, its discovery is concerning. It signals that cybercriminals are increasingly targeting Linux as more businesses rely on it for critical operations.  

To help organizations defend against Bootkitty, ESET has published indicators of compromise (IoCs) on GitHub.   

Recommendations for Protection   


  • Enable Secure Boot: Since Bootkitty cannot operate with Secure Boot enabled, this is a crucial defense. 
  • Update Security Tools: Keeping antivirus and other security software up to date can help detect and block new threats.  

This discovery underscores the growing sophistication of Linux-targeted malware and the need for robust security practices to safeguard critical systems.
Read more »
Subscribe to: Posts (Atom)