Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label skype. Show all posts

Word Document Scam Alert: Windows Users Vulnerable to Cyber Exploits

 


As a result of a recently discovered bug, hackers are able to execute remote code in all versions of Microsoft's proprietary MSHTML browser engine without having to install the application. There is a zero-day vulnerability in Microsoft Word that attackers are taking advantage of by crafting specially crafted documents. 

Microsoft's products such as Skype, Visual Studio, and Microsoft Outlook, as well as several others, also use MSHTML, so the problem really is widespread, since MSHTML is also used by several Microsoft products. A zero-day vulnerability in a Windows tool has been exploited by hackers via malicious Word documents to be able to compromise networks that have been protected by Microsoft's workaround for administrators. 

The Google-owned antivirus service VirusTotal detected a malicious Word document uploaded on 25 May from a Belarusian IP address on its website that was uploaded on the weekend.  As a result of Kevin Beaumont's analysis, he discovered that despite macros being disabled, the malicious document - or "malloc" - was able to generate code through the legitimate Microsoft Support Diagnostic Tool (msdt.exe) despite the fact that macros were enabled. 

MSDT is accessed through the ms-msdt URL protocol in Windows from the malicious Word document in order to execute the malware. There is now a "troubleshooter pack" available for download from the MSDT website.  Using malicious Microsoft Word documents, North Koreans are attempting to steal sensitive information from Russian targets by exploiting the weaknesses in the security software. 

A Fortinet researcher named Cara Lin made the following observation about how a group called Konni (although there are so many similarities between it and Kimsuky aka APT43 that it is also possible that it could be this group) attempted to deliver a malicious Russian-language Microsoft document in the form of an attachment. This malware has the appearance of a macro, which is typical of malware that is downloaded as a file. 

According to the document that is being distributed, there is an article in the Russian language, which apparently describes Western assessments on the progress of the Special Military Operation. It is noted in the piece that The Hacker News commented that Konni is a "notable" application for its anti-Russian values.  

A majority of the time, the group would engage in spear-phishing emails and malicious documents in an attempt to gain access to targets' endpoints, which was done by spear-phishing. It has been reported that earlier attacks taken advantage of a vulnerability in WinRAR (CVE-2023-38831) were spotted by cybersecurity researchers Knowsec and ThreatMon, it has been reported. 

A major objective of Konni is to smuggle data and conduct espionage activities around the world, as reported by ThreatMon. During this process, the group uses a wide array of malware and tools in order to accomplish its objectives, frequently adapting its tactics in order to avoid detection by the authorities. The sabotage of Russian firms by North Korean hackers is not the first instance on which we have seen similar attacks.

XCSSET, a MacOS malware, Targets Google Chrome and Telegram Software

 

As part of further "refinements in its tactics," a malware notorious for targeting the macOS operating system has been updated to add more elements to its toolset that allow it to accumulate and exfiltrate sensitive data saved in a range of programmes, including apps like Google Chrome and Telegram. This macOS malware can collect login credentials from a variety of apps, allowing its operators to steal accounts. 

XCSSET was discovered in August 2020, when it was found to be targeting Mac developers using an unusual method of propagation that entailed injecting a malicious payload into Xcode IDE projects, which is executed when the project files are built in Xcode. XCSSET collects files containing sensitive information from infected computers and delivers them to the command and control (C2) server. 

Telegram, an instant messaging service, is one of the apps that has been attacked. The virus produces the “telegram.applescript” archive in the Group Containers directory for the “keepcoder.Telegram” folder. By obtaining the Telegram folder, the hackers are able to log into the messaging app as the account's legal owner. The attackers gain access to the victim's account by moving the stolen folder to another machine with Telegram installed, according to Trend Micro researchers. Normal users have read and write permissions to the Application sandbox directory, XCSSET can steal sensitive data this way. 

The malware can read and dump Safari cookies, inject malicious JavaScript code into multiple websites, steal information from programmes like Notes, WeChat, Skype, and Telegram, and encrypt user files, among other things. Earlier this month, XCSSET received an update that allowed malware developers to target macOS 11 Big Sur as well as Macs with the M1 chipset by getting beyond Apple's new security standards in the current operating system. 

"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," Trend Micro researchers previously noted. 

According to a new report released by the cybersecurity firm on Thursday, XCSSET uses a malicious AppleScript file to compress the Telegram data folder ("/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram") into a ZIP archive file before uploading it to a remote server under their control, allowing the threat actor to log in using the victim's account. 

"The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems," the researchers said.

Skygofree Malware: One of Most Advanced Spyware Ever Seen

Russian cybersecurity lab, Kaspersky, has found out a new advanced Android spyware having “never before seen” features that lets hackers carry out advanced surveillance on Android phones, such as location-based audio recording, WhatsApp message theft, and connecting an infected device to Wi-Fi networks controlled by cybercriminals.

The malware, dubbed as “Skygofree,” was reportedly found on malicious websites in Italy. According to Kaspersky, the malware is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares.

More information including, Skygofree's commands, indicators of compromise, domain addresses, and device models targeted, can be found in their blog post on Securelist.

The spyware functions by tricking the “Accessibility” feature present in Android to help users with disabilities access their apps. Using this, the spyware can read the messages displayed on the screen, even those sent by the user.

Skygofree is also capable of taking pictures and video, recording audio and noise according to the location specified by the hacker, record Skype conversations, seizing call records, geolocation data, and other sensitive data.

Kaspersky believes that, just like an earlier hack in 2015 by Hacking Team, an Italy-based spyware developer, Skygofree was also developed by Italians.

Skygofree has allegedly been active since 2014 and has been targeting select individuals, who are all from Italy. The spyware has been undergoing regular development since then and as many as 48 commands were found in the latest version.