Search the Community

Showing results for tags 'malware'.

  1. Microsoft said Windows automatically blocked dangerous drivers. It didn't.

     For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.

     Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.

     It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.

     As attacks surge, Microsoft countermeasures languish

     Drivers typically allow computers to work with printers, cameras, or other peripheral devices—or to do other things such as provide analytics about the functioning of computer hardware. For many drivers to work, they need a direct pipeline into the kernel, the core of an operating system where the most sensitive code resides. For this reason, Microsoft heavily fortifies the kernel and requires all drivers to be digitally signed with a certificate that verifies they have been inspected and come from a trusted source.

     Even then, however, legitimate drivers sometimes contain memory corruption vulnerabilities or other serious flaws that, when exploited, allow hackers to funnel their malicious code directly into the kernel. Even after a developer patches the vulnerability, the old, buggy drivers remain excellent candidates for BYOVD attacks because they're already signed. By adding this kind of driver to the execution flow of a malware attack, hackers can save weeks of development and testing time.

     BYOVD has been a fact of life for at least a decade. Malware dubbed "Slingshot" employed BYOVD since at least 2012, and other early entrants to the BYOVD scene included LoJax, InvisiMole, and RobbinHood. Over the past couple of years, we have seen a rash of new BYOVD attacks. One such attack late last year was carried out by the North Korean government-backed Lazarus group. It used a decommissioned Dell driver with a high-severity vulnerability to target an employee of an aerospace company in the Netherlands and a political journalist in Belgium.

     In a separate BYOVD attack a few months ago, cybercriminals installed the BlackByte ransomware by installing and then exploiting a buggy driver for Micro-Star's MSI AfterBurner, a widely used graphics card overclocking utility. In July, a ransomware threat group installed the driver mhyprot2.sys—a deprecated anti-cheat driver used by the wildly popular game Genshin Impact—during targeted attacks that went on to exploit a code execution vulnerability in the driver to burrow further into Windows. A month earlier, criminals spreading the AvosLocker ransomware likewise abused the vulnerable Avast anti-rootkit driver aswarpot.sys to bypass virus scanning. Entire blog posts have been devoted to enumerating the growing instances of BYOVD attacks, with this post from security firm Eclypsium and this one from ESET among the most notable.

     Microsoft is acutely aware of the BYOVD threat and has been working on defenses to stop these attacks, mainly by creating mechanisms to stop Windows from loading signed-but-vulnerable drivers. The most common mechanism for driver blocking uses a combination of what's called memory integrity and HVCI, short for Hypervisor-Protected Code Integrity. A separate mechanism for preventing bad drivers from being written to disk is known as ASR, or Attack Surface Reduction. Unfortunately, neither approach seems to have worked as well as intended.

     Another approach

     The Microsoft instructions linked above work, but they're written for admins who may need to test the blocklist before actually enforcing it. This flexibility is great for people responsible for ensuring they don't cripple big fleets of devices; for average users, it creates unnecessary complexity that may cause them to give up. To address this, Dormann has created and published a script that normal (i.e., non-enterprise) users will likely find easier to use than Microsoft's convoluted method.

     Dormann's script runs in PowerShell, the command-line shell that's built into Windows. As with any PowerShell script you find on the Internet, be mindful of running this on any computer you care about. It worked for us, but we can't vouch for its effectiveness on every system. After opening PowerShell with administrator rights, copy the entire contents of Dormann's script, paste it into the PowerShell window using the ctrl-V keys on your keyboard, and hit enter. Next, type ApplyWDACPolicy -auto -enforce and hit enter.

     When I did that, my ThinkPad was no longer able to load a long list of known buggy drivers, including many that have been used for years in recent BYOVD attacks. Or at least, that was my hope. Given Microsoft's recent inattention to detail and lack of transparency, I wanted to make sure.

     To confirm that driver blocking was working as expected, I checked to see if my machine would load mhyprot3.sys, a successor to the Genshin Impact anti-cheat driver. This driver, as mentioned earlier, was recently used by a ransomware threat group during targeted attacks that went on to exploit a code-execution vulnerability in the driver to disable antivirus scanning. Prior to running Dormann's PowerShell script, my ThinkPad installed mhyprot3.sys just fine. After I ran the script, the driver was blocked. This can be confirmed by responses in both the Windows command window and the Windows event viewer.

     These images are a striking illustration of the difference between the way that Microsoft claimed Windows driver blocking worked and the way it has actually worked for the past two years. It seems clear that at least some recent malware campaigns using BYOVD would have been less successful had driver blocklist updating lived up to Microsoft's promises. Indeed, research from ESET's Kálnai found that in the last year, drivers that have been added to Microsoft's driver blocklist were actually used in in-the-wild BYOVD attacks. These include:

     • DBUtil_2_3.sys by Dell
     • ene.sys by ENE Technology
     • HW.sys by Marvin Test Solutions, Inc.
     • physmem.sys by Hilscher Gesellschaft für Systemautomation mbH
     • rtcore64.sys by Micro-Star
     • mhyprot2.sys by miHoYo Co
     • asWarPot.sys by Avast
     • nvflash.sys by NVIDIA

     Stay safe

     For now, people should make sure they have driver blocking turned on with the latest blocklist installed, using either Microsoft's instructions or Dormann's PowerShell script. People should also await further updates from Microsoft about if and when driver blocklists will automatically be updated through the Windows Update mechanism.

     In the longer term, Microsoft's leadership will hopefully recognize the ways that its company culture is becoming increasingly insular and defensive. Had it not been for Dormann and other researchers, like Kevin Beaumont and Brian in Pittsburgh, reporting the problems they were having with driver blocklist updates, Microsoft still might not understand what had gone wrong. In many cases, these critics know Microsoft products better than executives like Weston. Instead of portraying the critics as uninformed complainers, Microsoft should publicly embrace them—and provide more actionable guidance they and others can use to make the Internet safer.

     How a Microsoft blunder opened millions of PCs to potent malware attacks
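     As an added, read-only check that is not part of the article or of Dormann's script, the following PowerShell (run from an elevated session) reports whether memory integrity and an enforced code-integrity policy are active on the machine and counts recent Code Integrity block events, which is the same signal the author read from Event Viewer after installing mhyprot3.sys. The function and parameter names are this example's own; the Win32_DeviceGuard class, the log name and event IDs 3076/3077 are standard Windows ones.

```powershell
# Added example, not the article's or Dormann's code. Run as Administrator.
# Reports HVCI / code-integrity policy state and recent driver block events.

function Get-DriverBlockingStatus {
    [CmdletBinding()]
    param(
        # Driver file name to look for in block events (the article's test driver).
        [string]$DriverName = 'mhyprot3.sys',
        # How far back to search the Code Integrity operational log.
        [int]$Days = 7
    )

    # Win32_DeviceGuard exposes virtualization-based security and WDAC state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $policyState = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
        0       { 'Off' }
        1       { 'Audit' }
        2       { 'Enforced' }
        default { 'Unknown' }
    }

    # Event 3077 = load blocked by policy (enforce mode);
    # event 3076 = load that would have been blocked (audit mode).
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as zero.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # The event message carries the file path, so match on the driver name.
    $driverEvents = @($events | Where-Object {
        $_.Message -match [regex]::Escape($DriverName)
    })

    [pscustomobject]@{
        MemoryIntegrityRunning = $hvciRunning
        KernelPolicyState      = $policyState
        BlockEventsInWindow    = $events.Count
        DriverBlockEvents      = $driverEvents.Count
        BlocklistEnforced      = ($policyState -eq 'Enforced')
    }
}

$status = Get-DriverBlockingStatus
$status | Format-List

if (-not $status.BlocklistEnforced) {
    Write-Warning 'No enforced code-integrity policy: a signed-but-vulnerable driver would still load.'
}
```

     A policy state of Audit means the blocklist is only logging (event 3076), not blocking; only Enforced with matching 3077 events corresponds to the behaviour the author observed after running the script.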
  2. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the topmost detected malware strains last year in a joint advisory with the Australian Cyber Security Centre (ACSC).

     "Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations," the cybersecurity agencies said. "The most prolific malware users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information."

     The top malware strains observed in 2021 include Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader. Out of these, Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot have been used in attacks for at least the last five years, while Qakbot and Ursnif have been used for over a decade.

     These malware families' longevity is due to their developers' ongoing efforts to upgrade them by adding new capabilities and ways to evade detection. "Developers of these top 2021 malware strains continue to support, improve, and distribute their malware over several years. Malware developers benefit from lucrative cyber operations with low risk of negative consequences," the agencies added. "Many malware developers often operate from locations with few legal prohibitions against malware development and deployment."

     Malware defense tips

     The joint advisory includes Snort signatures for every malware strain in the top list, to detect payloads by monitoring network traffic, and a list of mitigation measures. CISA and ACSC encourage admins and security teams to apply the following mitigations to defend against malware attacks:

     • Update software, including operating systems, applications, and firmware, on I.T. network assets
     • Enforce MFA to the greatest extent possible
     • If you use RDP and/or other potentially risky services, secure and monitor them closely
     • Maintain offline (i.e., physically disconnected) backups of data
     • Provide end-user awareness and training to help block social engineering and spearphishing attacks
     • Implement network segmentation to separate network segments based on role and functionality

     In April, cybersecurity authorities worldwide, in partnership with the NSA and the FBI, also released a list of the top 15 vulnerabilities routinely exploited in attacks during 2021. CISA and the FBI have also published a list of the top 10 most exploited security bugs between 2016 and 2019 and a list of the most routinely abused bugs in 2020, in collaboration with the ACSC and the U.K.'s National Cyber Security Centre (NCSC). In June, MITRE also shared this year's list of the top 25 most dangerous software bugs, after revealing the topmost dangerous programming, design, and architecture security flaws plaguing hardware in November 2021.

     Cybersecurity agencies reveal last year's top malware strains
  3. One of the primary methods used by malware distributors to infect devices is deceiving people into downloading and running malicious files, and to achieve this deception, malware authors use a variety of tricks. Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

     According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought. The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

     Abusing legitimate domains

     Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and gain a greater level of trust. VirusTotal detected 2.5 million suspicious files downloaded from 101 domains belonging to Alexa's top 1,000 websites. The most notable abuse case is Discord, which has become a hotbed of malware distribution, with hosting service and cloud service providers Squarespace and Amazon also logging large numbers.

     Most abused domains for malware distribution (VirusTotal)

     Using stolen code-signing certificates

     Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate. The most common certification authorities used to sign the malicious samples submitted to VirusTotal include Sectigo, DigiCert, USERTrust, and Sage South Africa.

     Signing authorities used by malware authors (VirusTotal)

     Disguised as popular software

     Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022.

     Trend of disguising malware as real apps (VirusTotal)

     Victims download these files thinking they're getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications (by icon) are Skype, Adobe Acrobat, VLC, and 7zip.

     App icons used as lures for malware (VirusTotal)

     The popular Windows optimization program CCleaner, which we saw in a recent SEO poisoning campaign, is among the hackers' prominent choices and features an exceptionally high infection ratio for its distribution volume.

     Infection ratio of malware by mimicked app (VirusTotal)

     Lacing legitimate installers

     Finally, there's the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. This process helps in tricking the victims and also evades some antivirus engines that don't scrutinize the PE resource structure and content in executables.

     Legitimate installers laced with malware (VirusTotal)

     Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

     How to stay safe

     When looking to download software, either use your OS's built-in app store or visit the application's official download page. Also, beware of promoted ads on search results that may rank higher, as they can easily be spoofed to look like legitimate sites. After downloading an installer, always perform an AV scan on the file before executing it, to ensure it is not malware in disguise. Finally, avoid using torrent sites for cracks or keygens for copyrighted software, as they commonly lead to a malware infection.

     Wolf in sheep's clothing: how malware tricks users and antivirus
  4. Several adware apps promoted aggressively on Facebook as system cleaners and optimizers for Android devices are counting millions of installations on the Google Play store. The apps lack all of the promised functionality and push advertisements while trying to last as long as possible on the device. To evade deletion, the apps hide on the victim's device by constantly changing icons and names, masquerading as Settings or the Play Store itself.

     Installed app changing icon and name (McAfee)

     The adware apps abuse the Contact Provider Android component, which enables them to transfer data between the device and online services. The subsystem is called every time a new app is installed, so the adware might be using it to initiate the ad-serving process. To the user it may look like the ads are pushed by the legitimate app they installed.

     Researchers at McAfee discovered the adware apps. They note that users don't have to launch them after installation to see the ads, because the adware initiates itself automatically without any interaction. The first action from these annoying apps is to create a permanent service for displaying the advertisements. If the process is "killed" (terminated), it re-launches immediately.

     Malicious service re-launched almost immediately (McAfee)

     The following video shows how the name and icon of the adware changes automatically and how the ad-serving occurs without any interaction from the user.

     Millions of downloads on Google Play

     As McAfee comments in the report, users are convinced to trust the adware apps because they see a Play Store link on Facebook, leaving little margin for doubt.

     Facebook promotion for a cleaner app (McAfee)

     This has resulted in unusually high download numbers for this particular type of application, as shown in the list below:

     • Junk Cleaner, cn.junk.clean.plp, 1M+ downloads
     • EasyCleaner, com.easy.clean.ipz, 100K+ downloads
     • Power Doctor, com.power.doctor.mnb, 500K+ downloads
     • Super Clean, com.super.clean.zaz, 500K+ downloads
     • Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
     • Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
     • Quick Cleaner, org.qck.cle.oyo, 1M+ downloads
     • Keep Clean, org.clean.sys.lunch, 1M+ downloads
     • Windy Clean, in.phone.clean.www, 500K+ downloads
     • Carpet Clean, og.crp.cln.zda, 100K+ downloads
     • Cool Clean, syn.clean.cool.zbc, 500K+ downloads
     • Strong Clean, in.memory.sys.clean, 500K+ downloads
     • Meteor Clean, org.ssl.wind.clean, 100K+ downloads

     Most affected users are based in South Korea, Japan, and Brazil, but the adware has unfortunately reached users worldwide.

     Heatmap of infected Android users (McAfee)

     The adware apps are no longer available on the Play Store. However, users who installed them have to remove them manually from the device. System cleaners and optimizers are popular software categories despite the low benefits they provide. Cybercriminals know that a large number of users would try such solutions to prolong the life of their devices and often disguise malicious apps as such.

     Facebook ads push Android adware with 7 million installs on Google Play
  5. Chinese-speaking hackers have, since at least 2016, been using malware that lies virtually undetected in the firmware images of some motherboards, one of the most persistent kinds of threat, commonly known as a UEFI rootkit. Researchers at cybersecurity company Kaspersky called it CosmicStrand, but an earlier variant of the threat was discovered by malware analysts at Qihoo360, who named it Spy Shadow Trojan. It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target machines, but researchers found the malware on machines with ASUS and Gigabyte motherboards.

     Mystery UEFI rootkit

     The Unified Extensible Firmware Interface (UEFI) software is what connects a computer's operating system with the firmware of the underlying hardware. UEFI code is the first to run during a computer's booting sequence, ahead of the operating system and the security solutions available. Malware planted in the UEFI firmware image is not only difficult to identify but is also extremely persistent, as it cannot be removed by reinstalling the operating system or by replacing the storage drive.

     A report from Kaspersky today provides technical details about CosmicStrand, from the infected UEFI component to deploying a kernel-level implant into a Windows system at every boot. The entire process consists of setting up hooks to modify the operating system loader and take control of the entire execution flow to launch the shellcode that fetches the payload from the command and control server.

     Overview of CosmicStrand UEFI malware execution (source: Kaspersky)

     Mark Lechtik, a former Kaspersky reverse engineer, now at Mandiant, who was involved in the research, explains that the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process. "This driver was modified so as to intercept the boot sequence and introduce malicious logic to it," Lechtik notes in a tweet on Monday.

     While the CosmicStrand variant Kaspersky discovered is more recent, researchers at Qihoo360 disclosed in 2017 the first details about an early version of the malware. The Chinese researchers began analyzing the implant after a victim reported that their computer had created a new account out of the blue and the antivirus software kept alerting of a malware infection. According to their report, the compromised system ran on a second-hand ASUS motherboard that the owner had purchased from an online store.

     Kaspersky was able to determine that the CosmicStrand UEFI rootkit was lodged in firmware images of Gigabyte or ASUS motherboards that have in common designs using the H81 chipset. This refers to old hardware from 2013 to 2015 that is mostly discontinued today. It is unclear how the implant was placed on the infected computers, since the process would involve either physical access to the device or a precursor malware capable of automatically patching the firmware image.

     Victims identified by Kaspersky also provide few clues about the threat actor and their objective, since the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry.

     CosmicStrand's victims across the globe (source: Kaspersky)

     However, the researchers connected CosmicStrand to a Chinese-speaking actor based on code patterns that were also seen in the MyKings cryptomining botnet, where malware analysts at Sophos found Chinese-language artifacts. Kaspersky says that the CosmicStrand UEFI firmware rootkit can persist on the system for the entire life of the computer and has been used in operations for years, since the end of 2016.

     UEFI malware becoming more common

     The first widespread report about a UEFI rootkit found in the wild, LoJax, came in 2018 from ESET, and it was used in attacks by Russian hackers in the APT28 group (a.k.a. Sednit, Fancy Bear, Sofacy). Almost four years later, accounts of UEFI malware attacks in the wild have grown more frequent, and it wasn't just advanced hackers exploring this option: We learned about MosaicRegressor from Kaspersky in 2020, although it was used in attacks in 2019 against non-governmental organizations. At the end of 2020 came the news that TrickBot developers had created TrickBoot, a new module that checked compromised machines for UEFI vulnerabilities. Another UEFI rootkit was revealed in late 2021 to be developed by the Gamma Group as part of their FinFisher surveillance solution. The same year, details emerged from ESET about yet another bootkit called ESPecter, believed to be used mainly for espionage and with origins as far back as 2012. MoonBounce, considered to be one of the most sophisticated UEFI firmware implants, was disclosed this year in January as being used by Winnti, a Chinese-speaking hacker group (also known as APT41).

     CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards
  6. A newly discovered multistage remote access trojan (RAT) dubbed ZuoRAT has been used to target remote workers via small office/home office (SOHO) routers across North America and Europe, undetected since 2020. In a report today, security researchers at Lumen's Black Lotus Labs who spotted the malware said that this highly targeted campaign's complexity and the attackers' tactics, techniques, and procedures (TTPs) are the hallmarks of a state-backed threat actor.

     The start of this campaign roughly lines up with the quick shift to remote work after the start of the COVID-19 pandemic, which drastically increased the number of SOHO routers (including ASUS, Cisco, DrayTek, and NETGEAR) used by employees to access corporate assets from home. "This gave threat actors a fresh opportunity to leverage at-home devices such as SOHO routers – which are widely used but rarely monitored or patched – to collect data in transit, hijack connections, and compromise devices in adjacent networks," Lumen says. "The sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense-in-depth posture of many well-established organizations."

     Once deployed on a router (unpatched against known security flaws) with the help of an authentication bypass exploit script, the multi-stage ZuoRAT malware provided the attackers with in-depth network reconnaissance capabilities and traffic collection via passive network sniffing. ZuoRAT also allows moving laterally to compromise other devices on the network and to deploy additional malicious payloads (such as Cobalt Strike beacons) using DNS and HTTP hijacking. Two more custom trojans were delivered onto hacked devices during these attacks: a C++-based one named CBeacon targeting Windows workstations and a Go-based one dubbed GoBeacon that could likely infect Linux and Mac systems besides Windows devices.

     ZuoRAT campaign (Lumen Black Lotus Labs)

     "The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multi-stage siloed router to router communications – points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years," the researchers added.

     The additional malware deployed onto systems within victims' networks (i.e., CBeacon, GoBeacon, and Cobalt Strike) provided the threat actors with the ability to download and upload files, run arbitrary commands, hijack network traffic, inject new processes, and gain persistence on compromised devices. Some compromised routers were also added to a botnet and used to proxy command and control (C2) traffic to hinder defenders' detection efforts. Based on the age of VirusTotal-submitted samples and nine months' worth of Black Lotus Labs telemetry, the researchers estimate that the campaign has so far impacted at least 80 targets.

     "Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research," said Mark Dehus, Black Lotus Labs' director of threat intelligence. "This level of sophistication leads us to believe this campaign might not be limited to the small number of victims observed. To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available."

     New ZuoRAT malware targets SOHO routers in North America, Europe
  7. Hi, sometimes in Win11 22H2 build ...105 I receive these kinds of errors. Are these kinds of errors due to a virus or wrong settings? https://drive.google.com/file/d/1zm1V6t1MQV9vkzpv2WLa46Jof2rmRORQ/view?usp=sharing How do I fix it? Thanks.
  8. Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report detecting an average of 10,000 infection attempts every day from its customer telemetry data. Most of these victims are based in France, Brazil, Indonesia, and India. The malware distributed in this campaign is a powerful information stealer that can harvest personal data and cryptocurrency assets and route internet traffic through data-snatching proxies.
A Black Hat SEO campaign
The threat actors follow Black Hat SEO techniques to rank their malware-distribution websites high in Google Search results so that more people will be tricked into downloading laced executables. The lure seen by Avast is a cracked version of CCleaner Professional, a popular Windows system cleaner and performance optimizer that is still considered a “must-have” utility by many users.
Google Search results pointing to malicious sites (Avast)
The poisoned search results take the victim through several websites that ultimately display a landing page offering a ZIP file download. This landing page is commonly hosted on a legitimate file hosting platform like filesend.jp or mediafire.com.
Malware-distribution portal (Avast)
The ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection. The file inside the archive is usually named “setup.exe” or “cracksetup.exe,” but Avast has seen eight different executables used in this campaign.
A dangerous info-stealing malware
The malware that victims are tricked into installing attempts to steal information stored in web browsers, like account passwords, saved credit cards, and cryptocurrency wallet credentials.
Additionally, it monitors the clipboard for copied wallet addresses and replaces them with those under the malware operators’ control to divert payments. This clipboard hijacking feature works with various cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash.
Script monitoring the clipboard (Avast)
The malware also uses proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that’s very hard for the victim to detect or realize. “Attackers were able to set up an IP address to download a malicious Proxy Auto-Configuration script (PAC),” explains Avast in the report. “By setting this IP address in the system, every time the victim accesses any of the listed domains, the traffic is redirected to a proxy server under the attacker’s control.” This proxying mechanism is added via a new registry key in “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings”. Victims can disable it by navigating to Network & internet in Windows Settings and switching the “Use a proxy server” option to Off. The campaign is already widespread, and the infection rates are high, so avoid downloading cracked software from anywhere, even if the download sites rank high on Google Search.
Poisoned CCleaner search results spread information-stealing malware
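A defender-side check for the proxy persistence described in the post above, added here as an example and not code from Avast's report: it parses the output of `reg query` for the per-user Internet Settings key and flags a configured PAC script (the AutoConfigURL value) or an enabled static proxy. The sample output and the 203.0.113.10 address are constructed placeholders, not indicators from the campaign.

```python
"""Spot FakeCrack-style proxy persistence in the per-user Internet Settings key."""
import re
import subprocess
import sys
from urllib.parse import urlparse

# Key named in Avast's write-up; WinINET reads AutoConfigURL / ProxyEnable / ProxyServer from it.
INTERNET_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample of `reg query` output (documentation address 203.0.113.10,
# invented PAC path); not an indicator from the report.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    203.0.113.10:8080
    AutoConfigURL    REG_SZ    http://203.0.113.10/proxy.pac
    MigrateProxy    REG_DWORD    0x1
    EnableNegotiate    REG_DWORD    0x1
"""

# One registry value per line: "<indent><name>    <REG_TYPE>    <data>"
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_reg_query(text):
    """Map value names to their data strings from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m["name"]] = m["data"]
    return values


def assess_proxy_settings(values):
    """Return (severity, message) findings for proxy-related values.

    A PAC script pointing at a bare IP address matches the behaviour Avast
    describes, so it is rated higher than a PAC served from a hostname.
    """
    findings = []
    pac = values.get("AutoConfigURL")
    if pac:
        host = urlparse(pac).hostname or ""
        severity = "high" if IPV4_RE.match(host) else "medium"
        findings.append((severity, f"PAC script configured: {pac}"))
    proxy_enabled = int(values.get("ProxyEnable", "0x0"), 16) == 1
    if proxy_enabled and values.get("ProxyServer"):
        findings.append(("medium", f"Static proxy enabled: {values['ProxyServer']}"))
    return findings


def query_live_settings():
    """On a Windows host, read the real key (read-only) and assess it."""
    out = subprocess.run(
        ["reg", "query", INTERNET_SETTINGS], capture_output=True, text=True, check=True
    ).stdout
    return assess_proxy_settings(parse_reg_query(out))


if __name__ == "__main__":
    if sys.platform == "win32":
        results = query_live_settings()
    else:
        results = assess_proxy_settings(parse_reg_query(SAMPLE_REG_OUTPUT))
    for severity, message in results:
        print(f"[{severity}] {message}")
```

The script only reads the key; clearing a hijacked setting is still done through the Settings path the post describes (or by removing the value), after confirming the PAC host is not one your organisation actually uses.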
  9. A stealthy and modular malware used to hack into Linux devices and build a DDoS botnet has seen a massive 254% increase in activity during the last six months, as Microsoft revealed today. This malware (active since at least 2014) is known as XorDDoS (or XOR DDoS) due to its use of XOR-based encryption when communicating with command-and-control (C2) servers and being employed to launch distributed denial-of-service (DDoS) attacks. As the company revealed, the botnet's success is likely due to its extensive use of various evasion and persistence tactics which allow it to remain stealthy and hard to remove. "Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis," Microsoft 365 Defender Research Team said. "We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte." XorDDoS is known for targeting a multitude of Linux system architectures, from ARM (IoT) to x64 (servers), and compromising vulnerable ones in SSH brute-force attacks. To propagate to more devices, it uses a shell script that will attempt to log in as root using various passwords against thousands of Internet-exposed systems until it finally finds a match.
XorDDoS attack flow (Microsoft)
Besides launching DDoS attacks, the malware's operators use the XorDDoS botnet to install rootkits, maintain access to hacked devices, and, likely, drop additional malicious payloads. "We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft added. "While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities."
The huge boost in XorDDoS activity Microsoft detected since December lines up with a report by cybersecurity firm CrowdStrike which said that Linux malware had seen a 35% growth during 2021 compared to the previous year. XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all malware attacks targeting Linux devices observed in 2021. Of the three, CrowdStrike said that XorDDoS saw a notable year-over-year increase of 123%, while Mozi had an explosive activity growth, with ten times more samples detected in the wild throughout last year. A February 2021 report from Intezer also revealed that Linux malware families increased by roughly 40% in 2020 compared to 2019. Microsoft detects massive surge in Linux XorDDoS malware activity
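An added detection example for the SSH root brute-force propagation described in the post above (not code from Microsoft's report): it parses constructed auth.log lines, flags source addresses that fail root password logins in a burst, and records whether a root password login from that address then succeeded. The log lines and RFC 5737 addresses are constructed for the example.

```python
"""Flag SSH root password brute-force bursts (XorDDoS-style propagation) in auth.log."""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed/Accepted password" lines in a syslog-style auth.log.
SSH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log: one address hammers root and then gets in, a second
# makes two stray attempts, a third is a normal user login.
SAMPLE_AUTH_LOG = """\
May 19 10:00:01 host1 sshd[2101]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 19 10:00:04 host1 sshd[2103]: Failed password for root from 198.51.100.7 port 40002 ssh2
May 19 10:00:07 host1 sshd[2105]: Failed password for root from 198.51.100.7 port 40003 ssh2
May 19 10:00:10 host1 sshd[2107]: Failed password for root from 198.51.100.7 port 40004 ssh2
May 19 10:00:13 host1 sshd[2109]: Failed password for root from 198.51.100.7 port 40005 ssh2
May 19 10:00:16 host1 sshd[2111]: Accepted password for root from 198.51.100.7 port 40006 ssh2
May 19 10:02:30 host1 sshd[2120]: Failed password for root from 203.0.113.5 port 50010 ssh2
May 19 10:02:45 host1 sshd[2122]: Failed password for invalid user admin from 203.0.113.5 port 50011 ssh2
May 19 10:05:00 host1 sshd[2130]: Accepted password for alice from 192.0.2.9 port 60000 ssh2
"""


def parse_auth_log(text):
    """Yield (timestamp, result, user, ip) for each SSH password-auth line."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults it to 1900, which is
        # fine for measuring gaps within one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_root_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "burst", "root_login"}} for addresses that made
    at least `threshold` failed root logins within `window_seconds`.

    root_login is True when a root password login from that address later
    succeeded, i.e. the password guessing likely worked."""
    failures = defaultdict(list)
    successes = set()
    for ts, result, user, ip in events:
        if user != "root":
            continue
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes.add(ip)

    findings = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window over sorted failure times: any `threshold` consecutive
        # failures that fit inside the window count as a burst.
        burst = any(
            (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
            for i in range(len(times) - threshold + 1)
        )
        if burst:
            findings[ip] = {
                "failures": len(times),
                "burst": True,
                "root_login": ip in successes,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_root_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        status = "ROOT LOGIN SUCCEEDED" if info["root_login"] else "no success seen"
        print(f"{ip}: {info['failures']} root failures in a burst; {status}")
```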
  10. Privacy and security are becoming higher priorities for Google when it comes to the Play Store. It recently announced that it is effectively killing third-party call recording apps and is also introducing a "data safety" section on its storefront, requiring developers to provide more information on any user data they are collecting and the purpose behind it. Now, it has offered some statistics about Play Store safety in 2021. Google has highlighted that it banned 190,000 malicious and spammy developer accounts in 2021 alone. For context, this number was at 119,000 in 2020. In the same vein, 1.2 million apps which violated Google Play policies were removed, and the company says that this means that it prevented billions of potential harmful installs. Over 500,000 inactive and abandoned developer accounts were closed as well. Google also gave a recap of its recent efforts in making Play Store a safer space for consumers. It referenced the launch of the data safety section, a central app policy management interface for developers, and efforts to make SDKs safer for the billions of consumers who use apps built using these SDKs. The firm noted that 98% of apps which migrated to Android 11 reduced their access to sensitive APIs. This includes the Accessibility API, which is now only allowed for its intended use-cases rather than call recording. Google also mentioned that: We also continued in our commitment to make Android a great place for families. Last year we disallowed the collection of Advertising ID (AAID) and other device identifiers from all users in apps solely targeting children, and gave all users the ability to delete their Advertising ID entirely, regardless of the app. Finally, on the Pixel front, there is a Security hub that gives you a holistic view and recommendations about your device's security status. Google's smartphone hardware also utilizes newer machine learning models that leverage federated analytics to detect malicious apps. 
Google banned 190,000 malicious developers from the Play Store last year
  11. Ever since Windows 11 was first announced back in June of 2021, there have been many campaigns aimed at duping people into downloading fake malicious Windows 11 installers. While that activity seemed to die down for a while, it looks like it is back again and this time, the situation is probably much deadlier. That's because Windows 11 back then was not available to the public but only to Insiders, who are presumably more tech-savvy and informed. However, Windows 11 has since been generally available, making it a dangerous scenario nowadays. A new malware campaign of similar nature was discovered by CloudSEK cybersecurity firm as it noticed a new impostor website that looks like Microsoft's, but in reality, distributes files containing what the researchers are calling "Inno Stealer" malware due to the use of Inno Setup Windows installer. This is a novel stealer malware as no similar sample was found on Virus Total. The malicious website's URL is "windows11-upgrade11[.]com" and it appears that the threat actors of the Inno Stealer campaign took a page from another similar malware campaign a couple of months ago which was using the same trick to fool potential victims. The last one was already taken down at the time of reporting but the new one is still up, so readers are advised to tread carefully. CloudSEK says that upon downloading the infected ISO, multiple processes are run in the background to neutralize an infected user's system. It creates Windows Command Scripts to disable Registry security, adds Defender exceptions, uninstalls security products, and deletes shadow volumes. Finally, an .SCR file is created which is the one which actually delivers the malicious payload, in this case, the novel Inno Stealer malware in the following directory of a compromised system: C:\Users\\AppData\Roaming\Windows11InstallationAssistant The name of the malware payload file is "Windows11InstallationAssistant.scr".
Here is the entire process explained in a diagram: CloudSEK has identified the following targets, including browsers and crypto wallets, that the Inno info stealer malware is after. These are shown in the image below. First up we have the browsers followed by the crypto wallets: Here is the official link to download Windows from the real Microsoft website. You can also follow reputed news websites like Neowin, among others, as we often link to official Microsoft ISO download pages when they are released by the Redmond firm. Source and images: CloudSEK via BleepingComputer Beware: Microsoft lookalike fake Windows 11 download website unsurprisingly downloads virus
  12. Today, one of the top priority dimensions of raising capabilities of cyberoperations is the creation of special hardware and software appliances and information technologies to carry out intelligence-gathering and offensive operations. It involves active development of so-called information weapons, a category that encompasses the whole range of means of attacking the adversary’s information resources. This type of attack mainly affects computer and telecommunications systems, including software, databases, computing and data processing, and also communications networks. Of particular importance is the establishment of dedicated offensive technologies that can be applied covertly against command and control infrastructure in order to disrupt the orderly functioning of their key components, and to seize control over them. Intelligence-gathering cyber tools are intended to collect information about the adversary, including structure, functioning, and vulnerabilities of its command systems. To achieve that, automated workstations will have malware inserted in order to establish a distributed, remotely controlled, intelligence gathering network. It may include thousands of computers in government and military facilities in various countries.
The definition of malware includes external or internal programming code possessing various destructive functions, such as: destroying or changing software, destroying or corrupting data after a certain condition is met (“logic bombs”); exceeding the user’s authority in order to copy confidential information or to make such copying possible (“trojan horses”); corrupting protection systems or making it possible to bypass them; intercepting user login credentials through phishing or keystroke logging; intercepting data flowing within distributed systems (monitors, sniffers); concealing one’s presence; self-replication, associating with other software and/or embedding its own fragments into other operating or external memory not originally targeted by the malware; destroying or corrupting software code in operating memory; corruption, blocking, or supplanting data created by applications and entered into data links or external memory. Overall, there are three main types of destructive functions that may be performed by malware: Preserving or collecting fragments of data created by the user or applications, uploading and downloading data, in external memory (local or remote) in the net or a stand-alone computer, including passwords, keys, and other access credentials, confidential documents in electronic form, or simply general corruption of fragments of sensitive data; Changing application algorithms (deliberate action against external or operating memory), in order to change the basic logic of their functioning; imposing a specific work regime or changing data being recorded by data produced by malware. Overall, the use of malware assumes the existence of an internal distribution mechanism to spread it to global or local networks, including the internet, to carry out specific tasks.
These may include: penetrating remote computers to completely or partially seize control; launching its own copies of malware on the infected computer; possible further penetration of all available networks. Such malware is mainly distributed as files attached to emails and electronic messages, and also through specially placed hyperlinks. This type of attack is distinguished by its scale and high speed of infection. Internet sites engaged in spreading malware increase by a factor of two every year. These sites attract the attention of internet users by posting current informational content: news, analysis, overview of information technologies, and also commercial and entertainment articles. More than 20% of sites are specifically intended for malware distribution. Other means of using malware include: distributed denial of service (DDOS) attacks by generating intense traffic from false requests, which makes it impossible for actual users to gain access to the network or servers; dissemination of malware through USB memory devices, the most efficient means of doing so; embedding and activating code inserts. At the same time, many NATO countries have established military units for cyber-operations, and also pursue the development of scientific and technical infrastructure to develop special information technologies for offensive use, including self-multiplying and self-distributing malware, and developing doctrines for their use. Moreover, there is the so-called file-less (packet) malware distributed as net packets and penetrating computers through OS vulnerabilities or security holes in applications. In order to embed malware remotely, one can use social engineering or weaknesses in organizational network administration, such as unprotected local disks. The most widespread means of embedding malware is the Internet. Offensive malware targets both individual computers and networks.
It accomplishes penetration using known and newly discovered weaknesses of both software and hardware developed by the potential adversary, but also in devices and programs developed by the world’s leading IT firms, most of which are based in the US. Other means of embedding malware are: agents, remote technical means including peripheral appliances of the system being attacked, combined attacks, etc. Malware developers focus on the ability to maintain stealthy presence amidst the target’s software and remain there even after an upgrade or software renewal. Main means of covert embedding of malware include: Pretending to be ordinary software. This approach assumes embedding malware using the process of installing a new application. It may be embedded in graphic or text editors, system utilities, screensaver, etc. Its existence is not concealed after installation; Pretending to be a module for expanding the computing environment. It’s a frequent variation on the previous one, and uses access to the ability to expand environments. For example, for Microsoft Windows OS such modules may include DLL modules and drivers, potentially containing malware; Malware replacing one of several application modules of the attacked environment. This method consists of choosing one or several modules for replacement with malware-infected modules in order to carry out the intended tasks. Such malware should externally be able to carry out the normal functions of the software thus targeted; Direct association. This method consists of associating malware with executable files of one or several legal programs in the system. This is the simplest method for single-task, single-user systems; Indirect association. It consists of associating malware with the code of a software module loaded into operating memory. In this instance the executable file remains unchanged, which makes malware detection harder. 
It’s also necessary to ensure the installable part of the virus is already present in the system. The most potentially useful means of embedding malware, not including through global networks, in order to gain covert access to enemy networks are: IRATEMONK allows embedding of malware in order to conduct surveillance on desktop and portable computers through recording onto the hard-drive BIOS, giving it the ability to implement its code by replacing the MBR. It works on various types of hard drives, including Western Digital, Seagate, Maxtor, and Samsung. It supports FAT, NTFS, EXT3, and UFS file systems, but systems with RAID are not supported. After embedding, IRATEMONK launches its payload every time the target computer is turned on. SWAP allows embedding malware for espionage by using motherboard BIOS and HPA domain of the hard drive by running the OS launch code. This program allows remote access to various operating systems (Windows, FreeBSD, Linux, Solaris) with various file systems (FAT32, NTFS, EXT2, EXT3, UFS 1.0). Two utilities are used for installation: ARKSTREAM (it spoofs the BIOS) and TWISTEDKILT (it writes SWAP protocol and the malware payload to the HPA area of hard drive, and is used mainly against cell phones). COTTONMOUTH is a USB device insert providing a wireless bridge to the target network and also for loading exploits to the target system. It may open a covert channel to send commands and data. Its built-in radio transmitter allows it to collaborate with other COTTONMOUTH inserts. It’s based on the TRINITY component base, with HOWLERMONKEY used as the transmitter. There’s also a version called MOCCASIN, which is inserted into a USB keyboard’s commutation matrix. FIREWALK is an insert used to passively collect Gigabit Ethernet traffic, and to embed malware into Ethernet packets. It can create a VPN tunnel between the targeted network and the center. It’s possible to establish wireless communications with other HOWLERMONKEY-compatible devices.
This insert is similar in execution to COTTONMOUTH. It uses the TRINITY component base, and HOWLERMONKEY as transmitter. NIGHTSTAND is a mobile system for active attacks on Wi-Fi nets, with the target being Windows machines when direct access is not possible. The system is based on a notebook-type portable computer running Linux and equipped with radio communications. External amplifiers and antennas give it a range of up to 13 km. DEITYBOUNCE delivers programming access to Dell PowerEdge servers with the help of motherboard BIOS and the use of the SMM regime to obtain the ability to launch itself before the system is launched. After set-up, it will run every time the system is switched on. FEEDTROUGH is equipment for installing two types of malware, BANANAGLEE and ZESTYLEAK, used to overcome network firewalls. This method is used when the firewall is launched. The malware’s installation is performed if the operating system is present in the database, otherwise it is installed normally. FEEDTROUGH remains in place when the firewall operating system is updated. CTX4000 is a portable continuous emitter. It is used to obtain data from inserts installed on targeted systems. NIGHTWATCH is a PC-based system, used to process signals from the targeted monitor. Signals may be obtained using data collection systems (inserts in fiberoptic cables) or from a general purpose receiver. HOWLERMONKEY is a short- and medium-range radio transmitter. It is a special radio module for other inserts. It is used to collect data from inserts and to enable remote access to it. Moreover, there are other methods of embedding malware, through transceivers installed in USB cables or devices, through Wi-Fi, Bluetooth, GSM devices and cables attached to the targeted computer. One of the promising methods of remote malware placement is the unmanned aerial vehicle (UAV). USAF specialists have developed the WASP (Wireless Aerial Surveillance Platform) UAV on the basis of the FMQ-117B aerial target.
Its main mission is reconnaissance cyberoperations. Thanks to its onboard equipment, it may break into detected Wi-Fi networks and intercept cell phone conversations. WASP equipment includes an HD-resolution camera, 11 antennas for various radio communications, a GPS receiver, and an onboard computer running Linux. Its memory contains a malware arsenal to break into wireless networks and a dictionary with 340 thousand words for “brute force” attacks. Obtained data and intercepted conversations are recorded in the onboard computer memory (solid-state hard drive with 500 GB memory) and may also be sent using internet channels to a special server using 3G and 4G networks, or the compromised Wi-Fi hot-spots. The UAV’s GPS allows it to operate autonomously along an assigned route, but it needs an operator’s involvement for take-off and landing. Each system costs about $6 thousand, not including the cost of the UAV. Similar efforts are underway by US Army Cyber Command in order to interfere with automated command points at tactical and operational levels. The Sun Eagle tactical reconnaissance UAV is being used to test equipment for remote malware insertion into Wi-Fi and LTE wireless networks. Overall, the United States and NATO are developing various methods and means for remote malware insertion. They include various physical data processing and transmission, and also different environments for proliferation. Countering such types of cyber weapons is a difficult and complex task, demanding considerable research efforts and financial expenditures.
  13. Live Coronavirus Map Used to Spread Malware
Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.
A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.
In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware. Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate. “It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!” The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.
“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.” It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware. As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know. A tip of the hat to @holdsecurity for a heads up about this malware offering. Source: Live Coronavirus Map Used to Spread Malware (KrebsOnSecurity - Brian Krebs)
  14. Gmail Is Catching More Malicious Attachments With Deep Learning
Users of Gmail get 300 billion attachments each week. To separate legitimate documents from harmful ones, Google turned to AI—and it’s working.
Photograph: Getty Images
Distributing malware by attaching tainted documents to emails is one of the oldest tricks in the book. It's not just a theoretical risk—real attackers use malicious documents to infect targets all the time. So on top of its anti-spam and anti-phishing efforts, Gmail expanded its malware detection capabilities at the end of last year to include more tailored document monitoring. Good news, it's working. At the RSA security conference in San Francisco on Tuesday, Google's security and anti-abuse research lead Elie Bursztein will present findings on how the new deep-learning scanner for documents is faring against the 300 billion attachments it has to process each week. It's challenging to tell the difference between legitimate documents in all their infinite variations and those that have specifically been manipulated to conceal something dangerous. Google says that 63 percent of the malicious documents it blocks each day are different than the ones its systems flagged the day before. But this is exactly the type of pattern-recognition problem where deep learning can be helpful. Currently 56 percent of malware threats against Gmail users come from Microsoft Office documents, and 2 percent come from PDFs. In the months that it's been active, the new scanner has increased its daily malicious Office document detection by 10 percent. "Ten percent matters," Bursztein told WIRED. "We're trying to close the gap as much as possible. We want to keep adding machine learning everywhere we can, where it makes sense. Machine learning does amazing things sometimes, but sometimes it’s overhyped. We try to use it as an extra layer rather than the only layer. We think that works way better."
The document analyzer looks for common red flags, probes files if they have components that may have been purposefully obfuscated, and does other checks like examining macros—the tool in Microsoft Word documents that chains commands together in a series and is often used in attacks. The volume of malicious documents that attackers send out varies widely day to day. Bursztein says that since its deployment, the document scanner has been particularly good at flagging suspicious documents sent in bursts by malicious botnets or through other mass distribution methods. He was also surprised to discover how effective the scanner is at analyzing Microsoft Excel documents, a complicated file format that can be difficult to assess. Though a 10 percent detection increase may not sound like a lot, it's a massive improvement at the scale Google is working on, and any gains are productive given that the threat of malicious documents is a real concern around the world. Bursztein says that companies and nonprofits are three times more likely to be targeted by malicious documents than other organizations, and that government entities are five times more likely. Some industries are more likely than others to be targeted, as well. Transportation and critical infrastructure utilities, for example, have a much higher risk than the education sector. The prevalence of malicious document attacks varies around the world, but for attackers the approach is always an option. Bursztein points out that kits for crafting malicious documents and tailoring them to evade antivirus scanners are readily available in online criminal forums, ranging in price from about $400 to $5,000. While the scanner is catching more malicious documents than ever, Bursztein and his colleagues will continue to refine it in the hopes of blocking an even bigger chunk of the malware sent to Gmail accounts worldwide. "Malware is something we did after spam and phishing, because malware is a bit harder," he says. 
"We don't have the malware itself in an email; the documents are all we have at that point. But we always want to improve our detection capabilities and with malicious documents we chose the one where we could make the most impact for our users." When a full-blown hack is just a rogue Word document download away, users will take whatever extra protections they can get. Source: Gmail Is Catching More Malicious Attachments With Deep Learning (Wired)
  15. Major vulnerabilities found in top free VPN apps on Google Play store
SuperVPN Free VPN Client is one of the most popular free VPN apps you can find on the Google Play store, having gained more than 100 million installs already. But besides being a very popular app, there’s something else you need to know about this free VPN: SuperVPN Free VPN Client is also very dangerous. You see, our analysis shows that this app has critical vulnerabilities that open it up to dangerous attacks known as man-in-the-middle (MITM) hacks. These vulnerabilities will allow hackers to easily intercept all the communications between the user and the VPN provider, letting the hackers see everything the user is doing. This is actually quite the opposite of what a VPN is supposed to do. A VPN is supposed to keep your online activities private and secure from all snooping eyes. In fact, a VPN is supposed to be so safe that, even if a hacker could intercept these communications, it would take them longer than the age of the universe to even begin to decrypt the data. But that’s not what SuperVPN has done here. The implications here are pretty dire. Based on our research, more than 105 million people could right now be having their credit card details stolen, their private photos and videos leaked or sold online, every single minute of their private conversations recorded and sent to a server in a secret location. They could be browsing a fake, malicious website set up by the hacker and aided by these dangerous VPN apps. But what’s even worse is that this app isn’t alone: of the top VPN apps we analyzed, 10 free VPN apps have similar critical vulnerabilities. If you’ve installed any of these dangerous VPN apps, you should delete them immediately:
Vulnerable VPN apps on Google Play Store
About this research
In order to undertake our analysis, we first developed a proof of concept for creating a man-in-the-middle (MITM) attack.
We then looked at the top apps in Google Play that were returned when searching for the keyword “vpn” in January 2019. We first attempted our MITM attack on two top-10 VPNs – SuperVPN and Best Ultimate VPN – and then filtered and tested the remaining apps.

We disclosed these vulnerabilities to all 10 affected VPN apps in October 2019 and provided them with enough time to fix these issues. Unfortunately, only one of them, Best Ultimate VPN, answered and ultimately patched their app based on the information we provided within this 90-day period. The others did not respond to our queries. We’ve also reported these vulnerabilities to Google, but so far haven’t heard anything back from them yet.

Key takeaways

- 10 of the top free VPN apps in the Google Play store have significant vulnerabilities, affecting nearly 120 million users
- These vulnerabilities allow hackers to easily intercept user communications, including seeing the visited websites and stealing usernames and passwords, photos, videos, and messages
- 2 apps use hard-coded cryptographic keys, and 10 apps are missing encryption of sensitive data. 2 of these apps suffer from both vulnerabilities.
- One app was already identified as malware, but never removed from the Play store, gaining 100 million installs in the meantime. In earlier research, we identified this app for potentially manipulating Google Play in order to rank highly and get more installs
- 4 of the affected apps are located in Hong Kong, Taiwan or mainland China
- Some apps have their encryption keys hard-coded within the app. This means that, even if the data is encrypted, hackers can easily decrypt this data with the included keys
- Because of the vulnerabilities, hackers can easily force users to connect to their own malicious VPN servers

Let’s take an in-depth look at one app to show what kind of vulnerabilities we found.
SuperVPN putting 100 million users at risk

SuperVPN is a highly popular Android VPN that was in position 5 for the “vpn” keyword at the time of our analysis. According to Google Play, the app has been downloaded more than 100 million times (in January 2019 it only had 50 million installs):

SuperVPN app installs

Just to show you how big of a number that is for any VPN, this is the same number of installs for much more popular apps like Tinder and AliExpress:

Tinder app installs

AliExpress app installs

What we did

In our tests, we noticed that SuperVPN connects with multiple hosts, with some communications being sent via unsecured HTTP. This communication contained encrypted data. But after more digging, we found that this communication actually contained the key needed to decrypt the information.

What we found

After decrypting the data, we found sensitive information about SuperVPN’s server, its certificates, and the credentials that the VPN server needs for authentication. Once we had this information, we replaced the real SuperVPN server data with our own fake server data.

Who is behind SuperVPN?

SuperVPN and its developer SuperSoftTech have been in our sights before. Our previous research analyzed the few companies secretly behind many VPN products. From that, we know that SuperSoftTech claims to be based in Singapore, but it actually belongs to the independent app publisher Jinrong Zheng, a Chinese national likely based in Beijing. We also discovered that SuperVPN had been called out before in a 2016 Australian research article as being the third-most malware-rigged VPN app.

This is only one example of vulnerabilities we found in all 10 apps listed in this article.

A reputation for manipulation

SuperVPN was discussed before in our earlier research on the potential manipulation tactics the top VPNs were using to seemingly rank higher in Google Play results.
In that research, we discovered that the top 10 results for the “vpn” keyword in Google Play were all free VPNs. They were ranking more highly than market leader VPNs, such as NordVPN and ExpressVPN. Our research discovered that these better-ranked apps seemed to be using three easy manipulation techniques to get such high rankings.

That means that SuperVPN by SuperSoftTech seems to not only be using manipulation techniques to rank highly in Google Play, but is also dangerously vulnerable. We attempted to contact Mr. Zheng on multiple occasions, but we have not heard back from him.

How MITM hackers penetrate VPN apps

In order to really understand how critical and dangerous these vulnerabilities are, you have to understand a little of how users normally connect to VPNs. The exact process for VPNs can seem a bit complicated, but the connection is pretty simple.

Now, with a hacked VPN connection, there’s a MITM hacker who positioned himself right in the middle of your app and the VPN’s backend server:

And this is the dangerous part: by changing the details, he can now force you to connect to his malicious server instead of the real VPN server. While everything will appear to work normally, and you think that you’re being extra safe and secure, you’re actually being seriously exposed. In total, your personal life is exposed, and it’s only limited by the hacker’s imagination what he can do with all that data.

What this means for your safety

This is a disastrous finding on two levels. In the broader sense, it’s disastrous that any app that participates in user data would have these wide-open vulnerabilities that make it particularly easy for hackers and government agencies to monitor user communications. In a more specific, and more dangerous, sense, it’s disastrous that a VPN would have these vulnerabilities. After all, users are connecting to VPNs in order to increase their privacy and security.
For that reason, they’re more willing to transmit sensitive information on VPN apps than on other apps. For a VPN app to then be so vulnerable is a betrayal of users’ trust and puts them in a worse position than if they hadn’t used any VPN at all.

However, there could be something larger at play here. When looking at these apps together, there seem to be two essential possibilities:

- These core vulnerabilities are intentional for these free VPN apps. After all, since a successful MITM attack would allow someone the ability to monitor sensitive user data (or reroute users to fake VPN servers) without the user’s knowledge, that’s a useful tool for any surveillance-hungry organization or nation.
- On the other hand, we should probably not attribute to malice what can be explained by stupidity – or here, laziness. In simple terms, the app developers here are so focused on getting high amounts of users and stuffing their app with ads, that they placed lower priority on the core security features of their apps.

While one possibility may seem worse than another, at some point only the result matters: people using these vulnerable apps are putting their data – and possibly their lives – in danger. Based on that essential fact alone, we highly recommend users avoid these vulnerable VPN apps at all costs.

When looking for an effective VPN, we recommend users do their due diligence. Ask yourself the following questions:

- Do I know this VPN developer or brand? Do they seem trustworthy?
- Where is the VPN located? Is it in a privacy-friendly country?
- For mobile apps, what permissions are they requiring? Do they actually need those permissions to function (such as the camera, GPS, microphone)?
- Free is great – but can you trust this VPN? There are a few commendable free VPNs or VPNs with free options from reputable brands.

Taking an active role in filtering out the good VPNs from the bad ones will save users a lot of trouble later on.

Source
16. US government goes all in to expose new malware used by North Korean hackers

The US Pentagon, the FBI, and the Department of Homeland Security on Friday exposed a North Korean hacking operation and provided technical details for seven pieces of malware used in the campaign.

The US Cyber National Mission Force, an arm of the Pentagon’s US Cyber Command, said on Twitter that the malware is “currently used for phishing & remote access by [North Korean government] cyber actors to conduct illegal activity, steal funds & evade sanctions.” The tweet linked to a post on VirusTotal, the Alphabet-owned malware repository, that provided cryptographic hashes, file names, and other technical details that can help defenders identify compromises inside the networks they protect.

An accompanying advisory from the DHS’s Cybersecurity and Infrastructure Security Agency said the campaign was the work of Hidden Cobra, the government’s name for a hacking group sponsored by the North Korean Government. Many security researchers in the private sector use other names for the group, including Lazarus and Zinc.

Six of the seven malware families were uploaded to VirusTotal on Friday.
They included:

- Bistromath, a full-featured remote access trojan and implant that performs system surveys, file uploads and downloads, process and command executions, and monitoring of microphones, clipboards, and screens
- Slickshoes, a “dropper” that loads, but doesn’t actually execute, a “beaconing implant” that can do many of the same things Bistromath does
- Hotcroissant, a full-featured beaconing implant that also does many of the same things listed above
- Artfulpie, an “implant that performs downloading and in-memory loading and execution of DLL files from a hardcoded url”
- Buttetline, another full-featured implant, but this one uses a fake HTTPS scheme with a modified RC4 encryption cipher to remain stealthy
- Crowdedflounder, a Windows executable that’s designed to unpack and execute a Remote Access Trojan into computer memory

But wait... there’s more

Friday’s advisory from the Cybersecurity and Infrastructure Security Agency also provided additional details for the previously disclosed Hoplight, a family of 20 files that act as a proxy-based backdoor.

None of the malware contained forged digital signatures, a technique that’s standard among more advanced hacking operations that makes it easier to bypass endpoint security protections. Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, posted an image on Twitter that showed the relationship between the malware detailed on Friday with malicious samples the Moscow-based security firm has identified in other campaigns attributed to Lazarus.

Friday’s joint advisory is part of a relatively new approach by the federal government to publicly identify foreign-based hackers and the campaigns they carry out. Previously, government officials mostly steered clear of attributing specific hacking activities to specific governments.
In 2014, that approach began to change when the FBI publicly concluded that the North Korean government was behind the highly destructive hack of Sony Pictures a year earlier. In 2018, the Department of Justice indicted a North Korean agent for allegedly carrying out the Sony hack and unleashing the WannaCry ransomware worm that shut down computers worldwide in 2017. Last year, the US Treasury sanctioned three North Korean hacking groups widely accused of attacks that targeted critical infrastructure and stole millions of dollars from banks in cryptocurrency exchanges.

As Cyberscoop pointed out, Friday marked the first time that the US Cyber Command identified a North Korean hacking operation. One reason for the change: although the North Korean government hackers often use less advanced malware and techniques than counterparts from other countries, the attacks are growing increasingly sophisticated. News agencies including Reuters have cited a United Nations report from last August that estimated North Korean hacking of banks and cryptocurrency exchanges has generated $2 billion for the country’s weapons of mass destruction programs.

Source
17. French Firms Rocked by Kasbah Hacker?

A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products.

In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of the remote access trojan (RAT) known as njRAT, which has been used against millions of targets globally with a focus on victims in the Middle East.

Further investigation revealed the electricity provider was just one of many French critical infrastructure firms that had systems beaconing home to the malware network’s control center. Other victims included one of France’s largest hospital systems; a French automobile manufacturer; a major French bank; companies that work with or manage networks for French postal and transportation systems; a domestic firm that operates a number of airports in France; a state-owned railway company; and multiple nuclear research facilities.

HYAS said it quickly notified the French national computer emergency team and the FBI about its findings, which pointed to a dynamic domain name system (DNS) provider on which the purveyors of this attack campaign relied for their various malware servers.

When it didn’t hear from French authorities after almost a week, HYAS asked the dynamic DNS provider to “sinkhole” the malware network’s control servers. Sinkholing is a practice by which researchers assume control over a malware network’s domains, redirecting any traffic flowing to those systems to a server the researchers control.
While sinkholing doesn’t clean up infected systems, it can prevent the attackers from continuing to harvest data from infected PCs or sending them new commands and malware updates.

HYAS found that despite its notifications to the French authorities, some of the apparently infected systems were still attempting to contact the sinkholed control networks up until late 2019.

“Due to our remote visibility it is impossible for us to determine if the malware infections have been contained within the [affected] organizations,” HYAS wrote in a report summarizing their findings. “It is possible that an infected computer is beaconing, but is unable to egress to the command and control due to outbound firewall restrictions.”

About the only French critical infrastructure vertical not touched by the Kasbah hackers was the water management sector. HYAS said given the entities compromised — and that only a handful of known compromises occurred outside of France — there’s a strong possibility this was the result of an orchestrated phishing campaign targeting French infrastructure firms. It also concluded the domains associated with this campaign were very likely controlled by a group of adversaries based in Morocco.

“What caught our attention was the nature of the victims and the fact that there were no other observed compromises outside of France,” said Sasha Angus, vice president of intelligence for HYAS. “With the exception of water management, when looking at the organizations involved, each fell within one of the verticals in France’s critical infrastructure strategic plan. While we couldn’t rule out financial crime as the actor’s potential motive, it didn’t appear that the actor leveraged any normal financial crime tools.”

‘FATAL’ ERROR

HYAS said the dynamic DNS provider shared information showing that one of the email addresses used to register a key DNS server for the malware network was tied to a domain for a legitimate business based in Morocco.
According to historic records maintained by Domaintools.com [an advertiser on this site], that email address — [email protected] — was used in 2016 to register the Web site talainine.com, a now-defunct business that offered recreational vehicle-based camping excursions just outside of a city in southern Morocco called Guelmim.

Archived copies of talainine.com indicate the business was managed by two individuals, including someone named Yassine Algangaf. A Google search for that name reveals a similarly named individual has been credited by a number of major software companies — including Apple, Dell and Microsoft — with reporting security vulnerabilities in their products.

A search on this name at Facebook turned up a page for another now-defunct business called Yamosoft.com that lists Algangaf as an owner. A cached copy of Yamosoft.com at archive.org says it was a Moroccan computer security service that specialized in security audits, computer hacking investigations, penetration testing and source code review.

A search on the [email protected] address at 4iq.com — a service that indexes account details like usernames and passwords exposed in Web site data breaches — shows this email address was used to register an account at the computer hacking forum cracked[.]to for a user named “fatal.001.”

A LinkedIn profile for a Yassine Algangaf says he’s a penetration tester from the Guelmim province of Morocco. Yet another LinkedIn profile under the same name and location says he is a freelance programmer and penetration tester. Both profiles include the phrase “attack prevention mechanisms researcher security tools proof of concepts developer” in the description of the user’s job experience.
Searching for this phrase in Google turns up another Facebook page, this time for a “Yassine Majidi,” under the profile name “FatalW01.” A review of Majidi’s Facebook profile shows that phrase as his tag line, and that he has signed several of his posts over the years as “Fatal.001.”

There are also two different Skype accounts registered to the ing.equipepro.com email address, one for Yassine Majidi and another for Yassine Algangaf. There is a third Skype account nicknamed “Fatal.001” that is tied to the same phone number included on talainine.com as a contact number for Yassine Algangaf (+212611604438). A video on Majidi’s Facebook page shows him logged in to the “Fatal.001” Skype account.

On his Facebook profile, Majidi includes screen shots of several emails from software companies thanking him for reporting vulnerabilities in their products.

Fatal.001 was an active member on dev-point[.]com, an Arabic-language computer hacking forum. Throughout multiple posts, Fatal.001 discusses his work in developing spam tools and RAT malware. In this two-hour Arabic language YouTube tutorial from 2014, Fatal.001 explains how to use a RAT he developed called “Little Boy” to steal credit card numbers and passwords from victims. The main control screen for the Little Boy botnet interface includes a map of Morocco.

Reached via LinkedIn, Algangaf confirmed he used the pseudonyms Majidi and Fatal.001 for his security research and bug hunting. But he denied ever participating in illegal hacking activities. He acknowledged that [email protected] is his email address, but claims the email account was hacked at some point in 2017.

“It has already been hacked and recovered after a certain period,” Algangaf said. “Since I am a security researcher, I publish from time to time a set of blogs aimed at raising awareness of potential security risks.”

As for the notion that he has somehow been developing hacking programs for years, Algangaf says this, also, is untrue.
He said he never sold any copies of the Little Boy botnet, and that this was one of several tools he created for raising awareness. “In 2013, I developed a platform for security research through which penetration test can be done for phones and computers,” Algangaf said. “It contained concepts that could benefit from a controlled domain. As for the fact that unlawful attacks were carried out on others, it is impossible because I simply have no interest in blackhat [activities].” Source: French Firms Rocked by Kasbah Hacker? (KrebsOnSecurity - Brian Krebs)
18. Nasty Android malware reinfects its targets, and no one knows how

Users report that xHelper is so resilient it survives factory resets.

A widely circulating piece of Android malware primarily targeting US-based phones used a clever trick to reinfect one of its targets in a feat that stumped researchers as to precisely how it was pulled off.

xHelper came to light last May when a researcher from security firm Malwarebytes published this brief profile. Three months later, Malwarebytes provided a deeper analysis after the company’s Android antivirus app detected xHelper on 33,000 devices mostly located in the US, making the malware one of the top Android threats. The encryption and heavy obfuscation made analysis hard, but Malwarebytes researchers ultimately concluded that the main purpose of the malware was to act as a backdoor that could remotely receive commands and install other apps.

On Wednesday, Malwarebytes published a new post that recounted the lengths one Android user took to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware would reappear on her device within the hour. She reported that even performing a factory reset wasn't enough to make the malware go away.

Blind alleys

Company researchers initially suspected that pre-installed malware was the culprit. They eventually dropped that theory after the user performed a technique that prevented system apps from running. Malwarebytes analysts later saw the malware indicating that Google Play was the source of the reinfections, but they ruled out this possibility after further investigation.

Eventually (and with the help of the Android user), company researchers finally identified the source of the reinfections: several folders on the phone that contained files that, when executed, installed xHelper. All of the folders began with the string com.mufc.
To the researchers’ surprise, these folders weren’t removed even though the user performed a factory reset on the device.

“This is by far the nastiest infection I have encountered as a mobile malware researcher,” Malwarebytes’ Nathan Collier wrote in Wednesday’s post. “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.”

Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds. And with that, xHelper once again menaced the user’s device.

The user finally rid her device of the malware after using an Android file manager to delete the mufc folders and all their contents. Because the malware was somehow identifying Google Play as the source of the reinfection, Collier recommends people in a similar position disable the Google Play Store app before removing the folders.

Collier still isn’t sure how the mufc folders came to reside on the phone in the first place or why they weren’t deleted during factory reset. In October, security firm Symantec also reported that users were complaining that factory resets didn’t kill xHelper, but company researchers were also unable to explain why.

One theory, Collier said, is that an xHelper variant installed the folders and made them appear as an SD card that wasn’t affected by the factory reset (the user reported that her device didn’t have an SD card).

“I was under the assumption that files/directories were removed after a factory reset, but this proves that some things can be left over,” Collier wrote in an email. “There are still a lot of unknowns with this one.
We’re just glad to have a resolution for our customers who may be struggling with this infection.” Source: Nasty Android malware reinfects its targets, and no one knows how (Ars Technica)
19. Industrial giant Honeywell says it has ‘returned to service’ after cyber intrusion

A worker at a Honeywell International Inc. factory (Photo by BRENDAN SMIALOWSKI/AFP via Getty Images)

Honeywell, a Fortune 100 firm that makes aerospace and energy equipment, said Tuesday that malware had disrupted “a limited number” of its computer systems.

Honeywell said it had “returned to service” following the incident, but the Charlotte, North Carolina-based firm’s statement did not elaborate on how service was disrupted. A Honeywell spokesperson did not immediately respond to questions on the incident, including whether ransomware was involved and who was responsible.

Honeywell, which reported some $33 billion in sales last year, said it did not expect the malware disruption to have a “material impact” on the firm.

Honeywell called in Microsoft to help remediate the intrusion, and the computer systems have “since been secured,” the statement said. “Our investigation is ongoing, but at this point, we have not yet identified any evidence that the attacker exfiltrated data from our primary systems that store customer information,” Honeywell added. “If we discover that any customer information was exfiltrated, we will contact those customers directly.”

Ransomware attacks have been reported with increasing frequency in the manufacturing sector in the last year. Reported ransomware incidents struck carmaker Honda last June and steel manufacturer Evraz a year ago.

In the U.S., the Department of Homeland Security has undertaken a new initiative, backed by $25 million in additional funding, to combat a steady stream of ransomware attacks.

The Honeywell intrusion comes as a Washington, D.C.-area event-management firm and a Canadian wireless technology provider grapple with ransomware incidents this week.

Source: Industrial giant Honeywell says it has ‘returned to service’ after cyber intrusion
20. Researchers Uncover Widely Used Malware Crypter

Avast Says OnionCrypter Has Been in Use Since 2016

Security researchers at Avast have discovered that more than 30 hacker groups have been using a malware crypter dubbed OnionCrypter. A crypter is used for encrypting, obfuscating and manipulating malware to make detection more difficult.

Hacker groups - including Lokibot, Zeus, AgentTesla and Smokeloader - have been using the recently discovered multilayer OnionCrypter since 2016, Avast says.

"Its widespread use and length of time in use make it a key malware infrastructure component," says Avast threat researcher Jakub Kaloč. "We believe that likely the authors of OnionCrypter offer it as an encrypting service. Based on the uniqueness of the first layer, it is also safe to assume that authors of OnionCrypter offer the option of a unique stub file to ensure that encrypted malware will be undetectable."

Crypter Infrastructure

Avast says OnionCrypter, 32-bit software written in C++, has three layers:

- Layer 1: This outer layer has one main function, which varies based on the encrypted malware. For example, it can allocate and load data to memory, decrypt the loaded data and pass execution of the decrypted data to the second layer.
- Layer 2: This is a shell code that decrypts another layer. It uses a complex process, decrypting chunks of data according to size and then putting them together. When all the pieces have been decrypted and joined, execution is passed to the place where the decrypted data is stored and the crypter starts execution of the third layer.
- Layer 3: This layer uses the same decryption processes as the second layer to load important API functions to change permissions of memory. It then copies decrypted data and overwrites itself, after which the payload is injected into the crypter.

"OnionCrypter is a malware family which has been around for some time," Kaloč notes.
"Combined with the prevalence of this crypter and the fact that samples have such a unique first layer, it’s logical to assume that crypter wasn’t developed as a one-time thing. On the contrary, according to analysis of multiple samples and their capture date, it was possible to see multiple versions of some parts of OnionCrypter.” Encryption as a Service Some security experts say the demand for crypters and for encryption as a service is growing, with some facilitators offering free samples to entice customers. Some hackers have also been partnering with malware crypter services as part of their campaigns. For instance, in 2018, the operators of the GandCrab ransomware-as-a-service affiliate operation announced their partnership with NTCrypt, a malware crypter service (see: GandCrab Ransomware Partners With Crypter Service). Last year, Europol arrested the operators of the CyberSeal and Dataprotector encrypting services that enabled hackers to test their malware against antivirus tools (see: 2 Arrested for Operating Malware Encryption Service). Source: Researchers Uncover Widely Used Malware Crypter
21. ESET Exposes Malware Disguised as Clubhouse App

ESET has uncovered malware designed to leverage the growing popularity of invite-only social media app Clubhouse.

Revealing its findings in a blog post, the cybersecurity firm said the Trojan malware aims to steal users’ login information for a variety of online services. Disguised as an Android version of the audio chat app (which does not currently exist), it is capable of taking credentials for over 450 apps and is also able to bypass SMS-based two factor authentication (2FA).

In the scheme, users are tricked into downloading the fake app from a website that has the look and feel of the genuine Clubhouse website. Once the malware, nicknamed “BlackRock,” is downloaded onto a device, it can set about stealing login details for 458 online services. The online services targeted include Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA and Lloyds Bank.

BlackRock uses an overlay attack to try and steal the victim’s credentials whenever one of the targeted applications is launched. Following the overlay, the user is requested to log in, unwittingly handing over their credentials to the attackers. Worryingly, the malware can also intercept text messages, meaning SMS-based 2FA will not necessarily help. Additionally, the malicious app asks the victim to enable accessibility services, which would allow the cyber-criminals to effectively take control of the device.

ESET malware researcher Lukas Stefanko said: “The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device.
By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”

Commenting on the research, Tom Lysemose Hansen, CTO at app security company Promon outlined: “It was only a matter of time before malicious actors capitalized on the growing demand for Clubhouse to release an Android app. This is a classic case of malware, once downloaded onto the device, using a system of overlays to steal login credentials from a list of targeted applications. The convincing nature of the website and the fact that the malware is able to steal login credentials from more than 450 apps and bypass SMS-based two-factor authentication, makes this extremely concerning.”

He added: “Smartphone users (and Android users in particular) should be on the lookout for common tell-tale signs that indicate a website is not legitimate. These can include not being secure (if the webpage starts with HTTP instead of HTTPS) or if the domain looks strange (in this case it was .mobi instead of .com used by the legitimate website).”

Source: ESET Exposes Malware Disguised as Clubhouse App
22. New CopperStealer Malware Hijacks Social Media Accounts

Proofpoint researchers say it steals logins and spreads more malware.

Researchers with Proofpoint released details today on new undocumented malware called CopperStealer. CopperStealer has many of the same targeting and delivery methods as SilentFade, a Chinese-sourced malware family first reported by Facebook in 2019. Proofpoint believes CopperStealer is a previously undocumented family within the same class of malware as SilentFade.

The CopperStealer malware attempts to steal the account passwords to Facebook, Instagram, Google, and other major service providers, according to Proofpoint. The stolen passwords are used to run malicious ads for profit and spread more malware.

"CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks," says Sherrod DeGrippo, senior director of threat research at Proofpoint. "These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers."

Researchers were first alerted to the malware sample in late January. The earliest discovered samples date back to July 2019.

"While we analyzed a sample that targets Facebook and Instagram business and advertiser accounts, we also identified additional versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter," Proofpoint said in a blog post. The full post can be found here.

Source: New CopperStealer malware steals Google, Apple, Facebook accounts
23. Phishing campaign uses US tax season to lure victims

Researchers at Cybereason have detected a new campaign targeting US taxpayers with documents that purport to contain tax-related content. These deliver NetWire and Remcos, two powerful and popular RATs which can allow attackers to take control of the victims' machines and steal sensitive information.

The malicious documents used are roughly 7MB in size, which allows them to evade traditional AV mechanisms and heuristic detection.

"Social engineering via phishing emails continues to be the preferred infection method among both cybercriminals and nation-state threat actors. The potential for damage is serious and the malware allows threat actors to gain full control over a victim's machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will," says Assaf Dahan, senior director and head of threat research at Cybereason.

The malicious payloads are concealed and downloaded within image files using steganography techniques. This, combined with the fact they are hosted on public cloud services such as 'imgur', makes them even harder to detect. As a part of the infection process, a legitimate OpenVPN client is downloaded and executed, which then sideloads a malicious DLL that drops the NetWire/Remcos malware.

"The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against legitimate software makes these campaigns very difficult to detect," Dahan adds. "The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud."

The campaign has similarities with another campaign seen in April of 2020 which also delivered the NetWire RAT.
Both NetWire and Remcos are commercial RATs that are available for purchase online for as little as $10 per month. Both offer various licensing plans and follow the Malware-as-a-Service (MaaS) model, selling subscriptions that include services such as 24/7 support and software updates.

You can read more, including tips on staying safe, on the Cybereason blog.

Source: Phishing campaign uses US tax season to lure victims
24. New XcodeSpy malware targets iOS devs in supply-chain attack

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.

Xcode is a free application development environment created by Apple that allows developers to create applications that run on macOS, iOS, tvOS, and watchOS. Like other development environments, it is common for developers to create projects that perform specific functions and share them online so that other developers can add them to their own applications.

Threat actors are increasingly creating malicious versions of popular projects hoping that they are included in other developers' applications. When those applications are compiled, the malicious component will infect the developer's computer in a supply-chain attack.

Xcode project used in a supply-chain attack

Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. As part of the attack, threat actors have cloned the legitimate TabBarInteraction project and added an obfuscated malicious 'Run Script' script to the project, as shown below. This malicious version of the project has been named 'XcodeSpy' by SentinelOne.

Image: Malicious TabBarInteraction with obfuscated Run Script

When the project is built, Xcode will automatically execute the Run Script to open a remote shell back to the threat actor's server, cralev.me.

"The script creates a hidden file called .tag in the /tmp directory, which contains a single command: mdbcmd. This in turn is piped via a reverse shell to the attackers' C2," SentinelOne researcher Phil Stokes explains in a new report.

Image: Deobfuscated Run Script command

By the time SentinelOne learned of this malicious project, the command and control server was no longer available, so it is unclear what actions were performed through the reverse shell.
However, SentinelOne discovered two malware samples uploaded to VirusTotal that contain the same "/private/tmp/.tag" string, indicating that they were part of this attack.

"By the time we discovered the malicious Xcode project, the C2 at cralev[.]me was already offline, so it was not possible to ascertain directly the result of the mdbcmd command. Fortunately, however, there are two samples of the EggShell backdoor on VirusTotal that contain the telltale XcodeSpy string /private/tmp/.tag," says the report.

The EggShell backdoor allows threat actors to upload files, download files, execute commands, and snoop on a victim's microphone, camera, and keyboard activity.

At this time, SentinelOne is only aware of one in-the-wild victim of this attack, and it is not clear how the malicious Xcode project was being distributed.

"We don’t have any data on distribution and that’s something we’d very much like to hear more about from the wider community. Part of our motivation for publishing this now is to raise awareness and see if more of the missing details come to light from the exposure," Stokes told BleepingComputer.

Dev projects have also targeted Windows

Malicious development projects have also been used recently to target Windows developers.

In January, Google disclosed that the North Korean Lazarus hacking group was conducting social engineering attacks against security researchers. To perform their attacks, the threat actors created online 'security researcher' personas used to contact security researchers for collaboration on vulnerability and exploit development. As part of this collaboration, the attackers sent malicious Visual Studio projects that would install custom backdoors on the researchers' computers when built.

To prevent these types of attacks, when developers utilize third-party packages in their own projects, they should always analyze them for build scripts that are executed when the project is compiled.
If anything at all looks suspicious, developers should not use the package.

Source: New XcodeSpy malware targets iOS devs in supply-chain attack
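The advice above, to inspect a third-party Xcode project for build scripts before building it, can be automated. This is an added example, not code from the article or from SentinelOne: it pulls every shell-script build phase out of a project.pbxproj, lists each one for review, and marks phases that contain the XcodeSpy strings quoted in the report (/tmp/.tag, mdbcmd) or that match generic obfuscation heuristics of my own choosing. The pbxproj fixture is constructed, not the real XcodeSpy project.

```python
import re

# Strings SentinelOne tied to XcodeSpy, quoted in the article above.
XCODESPY_STRINGS = ("/tmp/.tag", "mdbcmd")
# Generic obfuscation / remote-execution heuristics: my own assumptions about
# what a reviewer wants flagged, not indicators taken from the report.
HEURISTICS = {
    "base64_to_shell": re.compile(r"base64\s+(?:-d|--decode)[^|\n]*\|\s*(?:ba)?sh\b"),
    "eval_of_subshell": re.compile(r"\beval\s+[\"']?\$\("),
    "download_to_shell": re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b"),
    "long_opaque_token": re.compile(r"[A-Za-z0-9+/=]{80,}"),
}
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
_NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]+?)"?\s*;')

def _unescape(s: str) -> str:
    """Undo the backslash escaping pbxproj applies inside quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), s)

def scan_pbxproj(text: str) -> list:
    """Return one dict per shell-script build phase. Every phase is reported so
    the reviewer reads it; 'indicators' lists what matched for suspicious ones."""
    findings = []
    for m in _SCRIPT_RE.finditer(text):
        script = _unescape(m.group(1))
        # inside a PBXShellScriptBuildPhase block "name = ...;" precedes shellScript
        names = _NAME_RE.findall(text, 0, m.start())
        hits = [f"xcodespy:{s}" for s in XCODESPY_STRINGS if s in script]
        hits += [k for k, rx in HEURISTICS.items() if rx.search(script)]
        findings.append({"name": names[-1] if names else "(unnamed)",
                         "script": script, "indicators": hits})
    return findings

# Constructed fixture (not the real XcodeSpy project): a benign lint phase and
# a phase modelled on the behaviour the article describes.
SAMPLE_PBXPROJ = r'''
		0A01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Lint";
			shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\"\n";
		};
		0A02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellScript = "echo mdbcmd > /tmp/.tag\neval \"$(echo \"$P\" | base64 -d)\"\n";
		};
'''

if __name__ == "__main__":
    for f in scan_pbxproj(SAMPLE_PBXPROJ):
        print(f["name"], "SUSPICIOUS" if f["indicators"] else "review", f["indicators"])
```

Run it against `MyProject.xcodeproj/project.pbxproj` before the first build; a phase with no indicators still appears so that it is read rather than trusted.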
25. A newly-wormable Windows botnet is ballooning in size

Researchers say a botnet targeting Windows devices is rapidly growing in size, thanks to a new infection technique that allows the malware to spread from computer to computer.

The Purple Fox malware was first spotted in 2018 spreading through phishing emails and exploit kits, a way for threat groups to infect machines using existing security flaws. But researchers Amit Serper and Ophir Harpaz at security firm Guardicore, which discovered and revealed the new infection effort in a new blog post, say the malware now targets internet-facing Windows computers with weak passwords, giving the malware a foothold to spread more rapidly.

The malware does this by trying to guess weak Windows user account passwords by targeting the server message block, or SMB — a component that lets Windows talk with other devices, like printers and file servers.

Once the malware gains access to a vulnerable computer, it pulls a malicious payload from a network of close to 2,000 older and compromised Windows web servers and quietly installs a rootkit, keeping the malware persistently anchored to the computer while also making it much harder to be detected or removed.

Once infected, the malware then closes the ports in the firewall it used to infect the computer to begin with, likely to prevent reinfection or other threat groups hijacking the already-hacked computer, the researchers said.

The malware then generates a list of internet addresses and scans the internet for vulnerable devices with weak passwords to infect further, creating a growing network of ensnared devices.

Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which are often then used to launch denial-of-service attacks to pummel organizations with junk traffic with the aim of knocking them offline.
But with control of these devices, criminal operators can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers. But this kind of wormable botnet presents a greater risk as it spreads largely on its own.

Serper, Guardicore’s vice president of security research for North America, said the wormable infection technique is “cheaper” to run than its earlier phishing and exploit kit effort.

“The fact that it’s an opportunistic attack that constantly scans the internet and looks for more vulnerable machines means that the attackers can sort of ‘set it and forget it’,” he said.

It appears to be working. Purple Fox infections have rocketed by 600% since May 2020, according to data from Guardicore’s own network of internet sensors. The actual number of infections is likely to be far higher, amounting to more than 90,000 infections in the past year. Guardicore published indicators of compromise to help networks identify if they have been infected.

The researchers do not know what the botnet will be used for but warned that its growing size presents a risk to organizations. “We assume that this is laying the groundwork for something in the future,” said Serper.

Source: A newly-wormable Windows botnet is ballooning in size
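The spreading technique described above, guessing weak account passwords over SMB, shows up in the Windows Security log as a burst of failed network logons (event 4625, logon type 3) from one source against one or more accounts. This added example, not code from the article or from Guardicore, runs a sliding-window count over a constructed set of such records and raises an alert per source once the threshold is reached; the event tuples stand in for the EventID, LogonType, IpAddress and TargetUserName fields of real 4625 records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): (timestamp, EventID, LogonType, source IP, account).
# 4625 = failed logon; LogonType 3 = network logon, which is what SMB authentication produces.
SAMPLE_EVENTS = [
    ("2021-03-24T10:00:01", 4625, 3, "198.51.100.7", "Administrator"),
    ("2021-03-24T10:00:03", 4625, 3, "198.51.100.7", "admin"),
    ("2021-03-24T10:00:04", 4625, 3, "198.51.100.7", "Administrator"),
    ("2021-03-24T10:00:06", 4625, 3, "198.51.100.7", "guest"),
    ("2021-03-24T10:00:07", 4625, 3, "198.51.100.7", "backup"),
    ("2021-03-24T10:00:09", 4625, 3, "198.51.100.7", "Administrator"),
    ("2021-03-24T10:00:30", 4625, 2, "192.0.2.5", "jsmith"),   # interactive typo, not SMB
    ("2021-03-24T10:00:45", 4625, 3, "192.0.2.5", "jsmith"),
    ("2021-03-24T10:02:00", 4625, 3, "192.0.2.5", "jsmith"),   # outside the 1-minute window
    ("2021-03-24T10:02:10", 4624, 3, "192.0.2.5", "jsmith"),   # eventual success, ignored
]

def detect_smb_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on any source with >= threshold failed network logons inside a
    sliding window. Returns {source_ip: {first_alert, failures, accounts}}."""
    recent = defaultdict(deque)   # source -> timestamps of failures still in the window
    accounts = defaultdict(set)   # source -> every account name it has tried so far
    alerts = {}
    for ts, event_id, logon_type, src, user in sorted(events):
        if event_id != 4625 or logon_type != 3:
            continue              # only failed *network* logons matter for SMB guessing
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        accounts[src].add(user.lower())
        while q and t - q[0] > window:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts, "failures": len(q),
                           "accounts": sorted(accounts[src])}
    return alerts

if __name__ == "__main__":
    for src, info in detect_smb_guessing(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed SMB logons by {info['first_alert']}, "
              f"accounts tried: {', '.join(info['accounts'])}")
```

The same sweep, with the threshold tuned to the host's normal failure rate, is also a quick way to confirm that the firewall ports the article says the malware closes after infection were being probed beforehand.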