
New PindOS JavaScript Dropper Deploys Bumblebee, IcedID Malware

Security researchers have uncovered a newly identified malicious tool dubbed PindOS. It functions as a JavaScript-based malware dropper, designed to retrieve the next-stage payloads that in turn deliver the attackers' final payload.

The delivered payloads are associated with notorious malware strains such as Bumblebee and IcedID, commonly employed in ransomware attacks. In the past, Bumblebee and IcedID have been observed as effective means of deploying various types of malware, including ransomware, on compromised computer systems. 

These two malware strains are notorious for facilitating cyberattacks and enabling unauthorized access to targeted machines, and PindOS now serves as a delivery mechanism for both. Its purpose is to fetch the next-stage payloads that ultimately deliver the attackers' final payload, which often has devastating consequences for the targeted systems and their owners. According to a recent report by cybersecurity firm DeepInstinct, the PindOS dropper demonstrates a straightforward yet effective design.

It consists of a single function with four parameters, which together control the download of the desired payload. That payload is either the Bumblebee malware or the IcedID banking trojan, which has been repurposed as a malware loader. The JavaScript dropper is initially obfuscated, but once decoded it turns out to be surprisingly simple.

Its configuration specifies a user agent for downloading a DLL payload, two URLs ("URL1" and "URL2") where the payload is hosted, and a RunDLL parameter that names the exported function within the payload DLL to be executed.

As the researchers highlight, an interesting feature of PindOS is its redundant second URL parameter, which serves as a fallback when the attempt to retrieve the payload from the first URL fails. In such cases, PindOS uses a combination of PowerShell commands and Microsoft's rundll.exe. Adversaries commonly abuse rundll.exe to launch malicious code, and PindOS relies on this well-worn technique to execute its payload.

Upon successful retrieval, PindOS writes the payload to a specific location, "%appdata%/Microsoft/Templates/", as a DAT file with a randomized six-digit name. Notably, the malware samples are generated "on demand", so each sample downloaded has a distinct hash. This defeats the signature-based detection mechanisms that security products commonly use to identify known threats.
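Because every PindOS payload arrives with a fresh hash, a hash blocklist has nothing to match on; what does stay constant is the behaviour described above (a script host spawning PowerShell, and a six-digit .dat file dropped under Microsoft\Templates and then passed to rundll32). The following detection sketch is an added example written for this post, not code from DeepInstinct or from the malware; the event shape, the sample telemetry and the placeholder command strings are constructed for illustration, and it assumes rundll32.exe as the binary name on modern Windows.

```python
import re

# Constructed telemetry, loosely shaped like Sysmon process-creation (ID 1)
# and file-creation (ID 11) events. These are not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c PLACEHOLDER_DOWNLOAD_COMMAND"},
    {"id": 2, "type": "file",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\482913.dat"},
    {"id": 3, "type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe %appdata%\Microsoft\Templates\482913.dat,PLACEHOLDER_EXPORT"},
    # Benign: Word saving its real template into the same directory.
    {"id": 4, "type": "file",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    # Benign: rundll32 launching a Control Panel applet.
    {"id": 5, "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# A six-digit .dat file under Microsoft\Templates, accepting either slash style
# and either the %appdata% form or the fully expanded profile path.
TEMPLATES_DAT = re.compile(r"(?i)microsoft[\\/]templates[\\/]\d{6}\.dat(?![\w.])")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that run a .js dropper
RUNDLL_IMAGES = {"rundll32.exe", "rundll.exe"}  # post says rundll.exe; rundll32.exe is the modern binary


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the PindOS-style behavioural indicators that one event matches."""
    reasons = []
    if event["type"] == "process":
        image = basename(event["image"])
        parent = basename(event.get("parent", ""))
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            reasons.append("script host spawned PowerShell")
        if image in RUNDLL_IMAGES and TEMPLATES_DAT.search(event["cmdline"]):
            reasons.append("rundll32 loading six-digit .dat from Microsoft\\Templates")
    elif event["type"] == "file":
        if TEMPLATES_DAT.search(event["target"]):
            reasons.append("six-digit .dat written to Microsoft\\Templates")
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> indicators, for every event that matched at least one."""
    hits = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(reasons)}")
```

Run stand-alone, the script flags events 1 to 3 and leaves the two benign events alone. The individual signals are weak on their own (Word legitimately writes into the Templates folder, and rundll32 is used constantly), so in a real pipeline they are worth correlating by process tree or time window rather than alerting on each one in isolation.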

Black Shadow Leaked Data of Hundreds of Thousands, Says Israel Internet Association


A group of Iranian hackers called Black Shadow has leaked the personal data of hundreds of thousands of Israelis, including medical patients' appointment details and the members of an LGBTQ site, in a ransomware attack on Tuesday night. 

According to local reports, the information released publicly includes the names, addresses, personal information, appointments and medical test results of more than 290,000 patients of a specific medical center, as well as vaccine status and information on blood tests, treatments, CT scans, colonoscopies and ultrasounds. The group also released the full database of the LGBTQ dating service Atraf, including users' names, locations and, in some cases, their HIV status. 

Reports also indicate that Black Shadow stole the data after targeting the Israeli hosting company CyberServe, which has denied paying a $1m ransom. 

Describing this as one of the most serious attacks on privacy that Israel has ever seen, the Head of the Israel Internet Association, Yoram Hacohen, told the Times of Israel that "Israeli citizens are experiencing cyber terrorism. This is terrorism in every sense and the focus now must be on minimizing the damage and suppressing the distribution of the information as much as possible." 

The Times of Israel reported that several other CyberServe customers were victimized in the same way, including transportation companies, museums and tourism organizations. The information was reportedly uploaded to a Telegram channel. 

Hacohen has blamed Telegram for the surge in cybercrime activity in the country, saying that "Telegram has failed to establish boundaries and is partially responsible for this as the social media platform does not limit the spread of private information". 

The patients' data was released a few hours after the same cybercriminal group leaked the entire user database of an LGBTQ dating website in the country. According to the reports, the data was leaked as a threat to the dating site after its owners refused to pay a ransom.