Showing results for tags 'malware'.

  1. On October 12, after interviewing US Secretary of Homeland Security Alejandro Mayorkas, USA TODAY’s editorial board warned its readers about a dangerous new form of cyberattack under this eye-catching headline: “The next big cyberthreat isn’t ransomware. It’s killware. And it’s just as bad as it sounds.”

     But while “killware” sounds scary, the term itself is unhelpful when describing the many types of cyberattacks that, as USA TODAY wrote, “can literally end lives,” and that’s because nearly any type of hack, no matter the intention, can result in death. Complicating this is the fact that the known cyberattacks that have allegedly led to deaths already have a category: ransomware.

     Further, the term “killware” can confuse antivirus customers seeking reassurance that their own vendor is protecting them from this threat, but antivirus vendors do not stop attacks based on intent; they stop attacks based on method. As an example, Malwarebytes Director of Threat Intelligence Jerome Segura said that Malwarebytes does not have any specific Indicators of Compromise (IOCs) for “killware” and that, instead, “we continue to protect our customers with our different layers of protection.”

     “Killware” is too loose a term to be useful

     In February, an employee for a water treatment facility in Oldsmar, Florida, saw the mouse on his computer screen moving around without his involvement. The employee, according to Wired, thought this was somewhat normal, as his workplace used a tool that allowed remote employees and supervisors to take control of computers at the plant itself. But when the employee saw the cursor move around a second time in the same day, he reportedly saw an attempt by an intruder to maliciously increase the chemical levels at the water treatment facility, upping the amount of sodium hydroxide—which can be corrosive in high quantities—to dangerous levels.

     Source: https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad-as-it-sounds/
  2. Relying on a simple recipe that has proved successful time and time again, threat actors have recently deployed a malware campaign that used a Windows 11 theme to lure recipients into activating malicious code placed inside Microsoft Word documents. Security researchers believe that the adversary behind the campaign may be the FIN7 cybercrime group, also known as Carbanak and Navigator, that specializes in stealing payment card data.

     Tried and tested method

     The adversary took advantage of the buzz created around the details of Microsoft’s development of its next operating system release, which started in early June. Cybercriminals laced Microsoft Word documents with macro code that ultimately downloads a JavaScript backdoor that lets the attacker deliver any payload they want. Researchers at cybersecurity company Anomali analyzed six such documents and say that the delivered backdoor appears to be a variation of a payload commonly used by the FIN7 group since at least 2018.

     The names used in the campaign seem to indicate that the activity may have occurred between late June and late July, a period immediately following when news about Windows 11 started to emerge on a more regular basis. It is unclear how the malicious files were delivered, but phishing email is typically how it happens. Opening the document shows Windows 11 imagery with text designed to trick the recipient into enabling macro content. The claim that the document was generated with a newer operating system may make some users believe that there is a compatibility issue that prevents accessing the content and that following the instructions eliminates the problem.

     If the user acts on the indication, they activate and execute the malicious VBA macro that the threat actor planted inside the document. The code is obfuscated to hinder analysis, but there are ways to clean it of the surplus and leave only the relevant strings.

     Unobfuscated macro

     Anomali researchers found that the included VBScript relies on some values encoded inside a hidden table in the document to perform language checks on the infected computer. Detecting a specific language (Russian, Ukrainian, Moldovan, Sorbian, Slovak, Slovenian, Estonian, Serbian) puts a stop to the malicious activity and deletes the table with encoded values. The code also looks for the domain CLEARMIND, which Anomali researchers say appears to refer to a point-of-sale (PoS) provider.

     Other checks that the code makes include:

       • Reg Key language preference for Russian
       • Virtual machine - VMWare, VirtualBox, innotek, QEMU, Oracle, Hyper and Parallels (if a VM is detected the script is killed)
       • Available memory (stops if there is less than 4GB)
       • Check for RootDSE via LDAP

     “If the checks are satisfactory, the script proceeds to the function where a JavaScript file called word_data.js is dropped to the TEMP folder” - Anomali

     FIN7 indications

     The JavaScript is heavily obfuscated, and cleaning it up reveals a backdoor that resembles other backdoors connected to the FIN7 cybercrime group, Anomali researchers say. There is moderate confidence for the attribution, which is based on the following factors:

       • Targeting of a POS provider aligns with previous FIN7 activity
       • The use of decoy doc files with VBA macros also aligns with previous FIN7 activity
       • FIN7 have used Javascript backdoors historically
       • Infection stops after detecting Russian, Ukrainian, or several other Eastern European languages
       • Password protected document
       • Tool mark from Javascript file "group=doc700&rt=0&secret=7Gjuyf39Tut383w&time=120000&uid=" follows similar pattern to previous FIN7 campaigns

     FIN7 has been around since at least 2013 but became known on a larger scale since 2015. Some of its members got arrested and sentenced, but attacks and malware continued to be attributed to the group even beyond 2018, when several of its members got arrested [1, 2].

     The attackers focused on stealing payment card data belonging to customers of various businesses. Their activity in the U.S. caused more than $1 billion in losses from stealing over 20 million card records processed by more than 6,500 point-of-sale terminals at around 3,600 separate business locations. Among the companies that FIN7 hit are Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

     Watch out for new malware campaign’s 'Windows 11 Alpha' attachment
  3. A new AdLoad malware variant is slipping through Apple's YARA signature-based XProtect built-in antivirus tech to infect Macs as part of multiple campaigns tracked by American cybersecurity firm SentinelOne. AdLoad is a widespread trojan targeting the macOS platform since at least late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs). This malware can also harvest system information that later gets sent to remote servers controlled by its operators.

     Increasingly active since July

     These massive-scale and ongoing attacks have started as early as November 2020, according to SentinelOne threat researcher Phil Stokes, with an increase in activity beginning in July and the beginning of August. Once it infects a Mac, AdLoad will install a Man-in-The-Middle (MiTM) web proxy to hijack search engine results and inject advertisements into web pages for monetary gain. It will also gain persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, user cronjobs that run every two and a half hours.

     While monitoring this campaign, the researcher observed more than 220 samples, 150 of them unique and undetected by Apple's built-in antivirus even though XProtect now comes with roughly a dozen AdLoad signatures. Many of the samples detected by SentinelOne are also signed with valid Apple-issued Developer ID certificates, while others are also notarized to run under default Gatekeeper settings.

     XProtect AdLoad signatures (SentinelOne)

     "At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules," Stokes concluded.

     "The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices."

     Hard to ignore threat

     To put things into perspective, Shlayer, another common macOS malware strain that has also been able to bypass XProtect before and infect Macs with other malicious payloads, has hit over 10% of all Apple computers monitored by Kaspersky. Its creators also got their malware through Apple's automated notarizing process and included the ability to disable the Gatekeeper protection mechanism to run unsigned second-stage payloads. Shlayer also recently exploited a macOS zero-day to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads on compromised Macs.

     While both AdLoad and Shlayer now only deploy adware and bundleware as secondary payloads, their creators can quickly switch to more dangerous malware, including ransomware or wipers, at any time.

     "Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS," said Craig Federighi, Apple’s head of software, under oath while testifying in the Epic Games vs. Apple trial in May.

     New AdLoad malware variant slips through Apple's XProtect defenses
  4. A new Android threat that researchers call FlyTrap has been hijacking Facebook accounts of users in more than 140 countries by stealing session cookies. FlyTrap campaigns rely on simple social engineering tactics to trick victims into using their Facebook credentials to log into malicious apps that collected data associated with the social media session. Researchers at mobile security company Zimperium detected the new piece of malware and found that the stolen information was accessible to anyone who discovered FlyTrap’s command and control (C2) server.

     Luring with high-quality apps

     FlyTrap campaigns have been running since at least March. The threat actor used malicious applications with high-quality design, distributed through Google Play and third-party Android stores. The lure consisted of offers for free coupon codes (for Netflix, Google AdWords) and voting for the favorite soccer team or player, in tune with the delayed UEFA Euro 2020 competition. Getting the promised reward required logging into the app using Facebook credentials, with authentication occurring on the legitimate social media domain.

     Since the malicious apps use the real Facebook single sign-on (SSO) service, they can’t collect users’ credentials. Instead, FlyTrap relies on JavaScript injection to harvest other sensitive data.

     “Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code”

     All the information collected this way goes to FlyTrap’s C2 server. More than 10,000 Android users in 144 countries fell victim to this social engineering. The numbers come straight from the command and control server, which the researchers were able to access because the database with the stolen Facebook session cookies was exposed to anyone on the internet.

     Zimperium’s Aazim Yaswant says in a blog post today that FlyTrap’s C2 server had multiple security vulnerabilities that facilitated access to the stored information. The researcher notes that accounts on social media platforms are a common target for threat actors, who can use them for fraudulent purposes like artificially boosting the popularity of pages, sites, products, misinformation, or a political message. He highlights the fact that phishing pages that steal credentials are not the only way to log into the account of an online service. Logging onto the legitimate domain can also come with risks.

     “Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent” - Aazim Yaswant, Android malware researcher, Zimperium

     Despite not using a new technique, FlyTrap managed to hijack a significant number of Facebook accounts. With a few modifications, it could turn into a more dangerous threat for mobile devices, the researcher says.

     FlyTrap malware hijacks thousands of Facebook accounts
  5. With help from Google, impersonated Brave.com website pushes malware

     With a valid TLS certificate, faux Bravė.com could fool even security-savvy people.

     Scammers have been caught using a clever sleight of hand to impersonate the website for the Brave browser and using it in Google ads to push malware that takes control of browsers and steals sensitive data. The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses what’s known as punycode to represent bravė[.]com, a name that when displayed in browser address bars is confusingly similar to brave.com, where people download the Brave browser. Bravė[.]com (note the accent over the letter E) was almost a perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known both as ArechClient and SectopRat.

     From Google to malware in 10 seconds flat

     To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things involving browsers. The ads looked benign enough. As the images below show, the domain shown for one ad was mckelveytees.com, a site that sells apparel for professionals. But when people clicked on one of the ads, it directed them through several intermediary domains until they finally landed on bravė[.]com.

     Jonathan Sampson, a web developer who works on Brave, said that the file available for download there was an ISO image that was 303MB in size. Inside was a single executable. VirusTotal immediately showed a handful of antimalware engines detecting the ISO and EXE. At the time this post went live, the ISO image had eight detections and the EXE had 16. The malware detected goes under several names, including ArechClient and SectopRat. A 2019 analysis from security firm G Data found that it was a remote access trojan that was capable of streaming a user’s current desktop or creating a second invisible desktop that attackers could use to browse the Internet.

     In a follow-on analysis published in February, G Data said the malware had been updated to add new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A separate analysis found it had “capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox.”

     As shown in this passive DNS search from DNSDB Scout, the IP address that hosted the fake Brave site has been hosting other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com, and xn--brav-8va.com. Those translate into lędgėr.com, sīgnal.com, teleģram.com, and bravę.com, respectively. All of the domains were registered through NameCheap.

     An old attack that’s still in its prime

     Martijn Grooten, head of threat intel research at security firm Silent Push, got to wondering if the attacker behind this scam had been hosting other lookalike sites on other IPs. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He hit on seven additional sites that were also suspicious. The results, including the punycode and translated domain, are:

       • xn--screncast-ehb.com—screēncast.com
       • xn--flghtsimulator-mdc.com—flīghtsimulator.com
       • xn--brav-eva.com—bravē.com
       • xn--xodus-hza.com—ēxodus.com
       • xn--tradingvew-8sb.com—tradingvīew.com
       • xn--torbrwser-zxb.com—torbrōwser.com
       • xn--tlegram-w7a.com—tēlegram.com

     Google removed the malicious ads once Brave brought them to the company’s attention. NameCheap took down the malicious domains after receiving a notification.

     One of the things that’s so fiendish about these attacks is just how hard they are to detect. Because the attacker has complete control over the punycode domain, the impostor site will have a valid TLS certificate. When that domain hosts an exact replica of the spoofed website, even security-aware people can be fooled. Sadly, there are no clear ways to avoid these threats other than by taking a few extra seconds to inspect the URL as it appears in the address bar. Attacks using punycode-based domains are nothing new. This week’s impersonation of Brave.com suggests they aren’t going out of vogue anytime soon.
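The post above lists punycode (xn--) domains and the Unicode names they render as. The following added example, which is not code from the Ars Technica article or from Brave, decodes such domains and flags the ones whose accent-stripped skeleton matches a watchlist of brands; the watchlist, the candidate list and the small confusables table are constructed for this demonstration.

```python
"""Decode punycode (xn--) domains and flag lookalikes of watchlisted brands."""
import unicodedata

# Brands the post says were impersonated (constructed watchlist).
WATCHLIST = {"brave.com", "ledger.com", "signal.com", "telegram.com",
             "screencast.com", "flightsimulator.com", "exodus.com",
             "tradingview.com", "torbrowser.com"}

# Domains quoted in the post plus one benign ASCII control (constructed list).
CANDIDATES = [
    "xn--brav-yva.com",        # renders as bravė.com, the fake Brave site
    "xn--ldgr-xvaj.com",       # lędgėr.com
    "xn--sgnal-m3a.com",       # sīgnal.com
    "xn--teleram-ncb.com",     # teleģram.com
    "xn--tlegram-w7a.com",     # tēlegram.com
    "xn--torbrwser-zxb.com",   # torbrōwser.com
    "example.com",             # plain ASCII control, must not be flagged
]

# Letters that look like ASCII but do not decompose to it under NFKD
# (constructed subset of Cyrillic; a real deployment would load the full
# Unicode confusables table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0458": "j"}


def decode_domain(domain: str) -> str:
    """Return the Unicode form of a domain, decoding every xn-- label."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            # The punycode codec takes the part after the "xn--" ACE prefix.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Collapse a name to the ASCII letters it visually resembles."""
    decomposed = unicodedata.normalize("NFKD", text)
    out = []
    for ch in decomposed:
        if unicodedata.combining(ch):
            continue                      # drop accents such as U+0307
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def find_lookalikes(candidates, watchlist=WATCHLIST):
    """Return (ascii_domain, unicode_domain, brand) for each lookalike.

    A domain is flagged only when it is not itself on the watchlist but
    its visual skeleton equals a watchlisted name.
    """
    hits = []
    for domain in candidates:
        unicode_form = decode_domain(domain)
        if unicode_form in watchlist:
            continue
        skel = skeleton(unicode_form)
        if skel in watchlist:
            hits.append((domain, unicode_form, skel))
    return hits


if __name__ == "__main__":
    for ascii_name, shown, brand in find_lookalikes(CANDIDATES):
        print(f"{ascii_name} renders as {shown} and imitates {brand}")
```

The same skeleton comparison can be run over a passive-DNS or certificate-transparency feed to catch new registrations before ads drive traffic to them.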
  6. Fake Windows 11 installer only installs ads and trojans

     Windows 11 leaked unofficially before Microsoft actually released it to Insiders 3 weeks ago, and unfortunately, this created a ready market for downloading Windows 11 ISOs from unofficial sources, which Kaspersky reports often contain malware.

     Kaspersky reports on one example, the 1.75 GB 86307_windows 11 build 21996.1 x64 + activator.exe. With a file size as large as 1.75GB, it certainly looks plausible, but in fact, the bulk of that space consists of one DLL file that contains a lot of useless information. Opening the executable starts the installer, which looks like an ordinary Windows installation wizard. However, its main purpose is to download and run another, more interesting executable. The second executable is an installer as well, and it even comes with a license agreement (which few people read) calling it a “download manager for 86307_windows 11 build 21996.1 x64 + activator” and noting that it would also install some sponsored software. If you accept the agreement, a variety of malicious programs will be installed on your machine.

     Kaspersky says they have detected several hundred infection attempts that used similar Windows 11–related schemes. A large portion of that malware consists of downloaders, whose task is to download and run other programs. Those other programs can be very wide-ranging — from relatively harmless adware, which our solutions classify as not-a-virus, to full-fledged Trojans, password stealers, exploits, and other nasty stuff.

     Given that Microsoft is making Windows 11 freely available, the best way to acquire the software is to join the Windows 11 Insider program, which can be done by simply visiting the Update and Security tab in the Windows 10 Settings app and scrolling down to Windows Insider Program.
  7. XLoader malware steals logins from macOS and Windows systems

     A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems. XLoader is currently being offered on an underground forum as a botnet loader service that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail).

     Derived from the Formbook info-stealer for Windows, XLoader emerged last February and has grown in popularity, advertised as a cross-platform (Windows and macOS) botnet with no dependencies. The connection between the two malware pieces was confirmed after a member of the community reverse-engineered XLoader and found that it had the same executable as Formbook. The advertiser explained that Formbook’s developer contributed a lot to creating XLoader, and the two malware had similar functionality (steal login credentials, capture screenshots, log keystrokes, and execute malicious files).

     Customers can rent the macOS malware version for $49 (one month) and get access to a server that the seller provides. By keeping a centralized command and control infrastructure, the authors can control how clients use the malware. The Windows version is more expensive, as the seller asks $59 for a one-month license and $129 for three months. As mentioned in the advertisement, the makers of XLoader also provide a Java binder for free, which allows customers to create a standalone JAR file with the Mach-O and EXE binaries used by macOS and Windows.

     Tracking XLoader 6-month activity up to June 1st, malware researchers at Check Point saw requests from 69 countries, indicating a significant spread across the globe, with more than half of the victims being in the United States. Although Formbook is no longer advertised on underground forums, it continues to be a prevalent threat. It was part of at least 1,000 malware campaigns over the past three years and, according to AnyRun’s malware trends, the info-stealer takes fourth place over the past 12 months, after Emotet.

     If Formbook’s popularity is any indication, XLoader is likely to be more prevalent given that it targets the two most popular operating systems used by consumers. Check Point researchers say that XLoader is stealthy enough to make it difficult for a regular, non-technical user to spot it. They recommend using macOS’ Autorun to check the username in the OS and to look into the LaunchAgents folder [/Users/[username]/Library/LaunchAgents] and delete entries with suspicious filenames (random-looking name).

     Yaniv Balmas, Head of Cyber Research at Check Point Software, says that XLoader is “far more mature and sophisticated than its predecessors [i.e. Formbook].” macOS’s growing popularity exposed it to unwanted attention from cybercriminals, who are now seeing the OS as an attractive target.

     “While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous” - Yaniv Balmas

     The researcher believes that more malware families will adapt and add macOS to the list of supported operating systems.
  8. Microsoft admits to signing rootkit malware in supply-chain fiasco

     Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs. G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft. It turns out the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense. This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.

     "Netfilter" driver is rootkit signed by Microsoft

     Last week, G Data's cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft-signed driver called "Netfilter." The driver in question was seen communicating with China-based C&C IPs, providing no legitimate functionality, and as such raised suspicions. This is when G Data's malware analyst Karsten Hahn shared this publicly and simultaneously contacted Microsoft:

     The malicious binary has been signed by Microsoft (VirusTotal)

     "Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system." "Drivers without a Microsoft certificate cannot be installed by default," states Hahn.

     At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement. The first C2 URL returns a set of more routes (URLs) separated by the pipe ("|") symbol:

     Navigating to the C2 URL presents more routes for different purposes
     Source: BleepingComputer

     Each of these serves a purpose, according to Hahn: The URL ending in "/p" is associated with proxy settings, "/s" provides encoded redirection IPs, "/h?" is for receiving CPU-ID, "/c" provided a root certificate, and "/v?" is related to the malware's self-update functionality. As seen by BleepingComputer, for example, the "/v?" path provided the URL to the malicious Netfilter driver in question itself (living at "/d3"):

     Path to malicious Netfilter driver
     Source: BleepingComputer

     The G Data researcher spent some time sufficiently analyzing the driver and concluded it to be malware. The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed blog post.

     "The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://," says Hahn. An example request would look like this: hxxp://

     "The server then responds with the URL for the latest sample, e.g. hxxp:// or with 'OK' if the sample is up-to-date. The malware replaces its own file accordingly," further explained the researcher.

     Malware's self-update functionality analyzed by G Data

     During the course of his analysis, Hahn was joined by other malware researchers including Johann Aydinbas, Takahiro Haruyama, and Florian Roth. Roth was able to gather the list of samples in a spreadsheet and has provided YARA rules for detecting these in your network environments. Notably, the C2 IP that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records. The U.S. Department of Defense (DoD) has previously marked this organization as a "Communist Chinese military company," another researcher, @cowonaut, observed.

     Microsoft admits to signing the malicious driver

     Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used. The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:

     "Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments." "The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party." "We have suspended the account and reviewed their submissions for additional signs of malware," said Microsoft yesterday.

     According to Microsoft, the threat actor has mainly targeted the gaming sector, specifically in China, with these malicious drivers, and there is no indication of enterprise environments having been affected so far. Microsoft has refrained from attributing this incident to nation-state actors just yet.

     Falsely signed binaries can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks. The multifaceted Stuxnet attack that targeted Iran's nuclear program marks a well-known incident in which code-signing certificates were stolen from Realtek and JMicron to facilitate the attack. This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.

     Source
  9. Vigilante malware blocks victims from downloading pirated software

A vigilante developer turns the tables on software pirates by distributing malware that prevents them from accessing pirated software sites in the future.

Threat actors commonly use pirated software and fake crack sites to distribute malware to unsuspecting users who think they are downloading the latest game or movie. Malware distributed via these methods is typically information-stealing trojans, ransomware, or cryptominers that can be used to generate value for the threat actor.

Malware blocks access to The Pirate Bay

In a new report, SophosLabs shares how a vigilante malware is being distributed that prevents pirates from accessing the most popular copyrighted content torrent site, The Pirate Bay.

"In one of the strangest cases I’ve seen in a while, one of my Labs colleagues recently told me about a malware campaign whose primary purpose appears to stray from the more common malware motives," explains SophosLabs Principal Researcher Andrew Brandt in the new report.

"Instead of seeking to steal passwords or to extort a computer’s owner for ransom, this malware blocks infected users’ computers from being able to visit a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system."

According to Brandt, the new malware is being distributed through Discord or pirated software torrent sites. On Discord, the malware is distributed as standalone executables pretending to be pirated software, as shown below.

Image: Malware hosted on Discord

On sites like The Pirate Bay, the malware is being distributed in a similar way to other torrent files in the sense that they contain readme files, NFO files, and shortcut files back to thepiratebay.org.

Image: A fake Readme file in a malicious torrent

However, many of the files contained in these torrent archives serve no purpose and are only added as filler to impersonate your typical pirated software/movie torrent.

"Looking more closely at these files bundled with the installer, it’s clear that they have no practical benefit other than to give the archive the appearance of files typically shared over Bittorrent, and to modify hash values with the addition of random data," says Brandt in his report.

Once a user runs the malware executable, it will modify the Windows HOSTS file to add numerous entries for sites associated with The Pirate Bay.

Image: HOSTS file modified by the malware

After adding these HOSTS entries, when a user attempts to access one of the listed sites, they will instead be redirected to their localhost and be unable to connect to the site's actual IP address. This effectively blocks access to the listed sites that are distributing torrents for copyrighted content.

To make matters worse, when the vigilante malware is executed, it will connect to a remote host under the attacker's control and send the name of the fake pirated software that has infected the user. As web servers usually log a visitor's IP address, the attacker now has both the pirate's IP address and the name of the software or movie that they attempted to use.

While it is unknown what this information is used for, the threat actors could share it with ISPs, copyright agencies, or even law enforcement. The attackers could also use this information in further attacks, such as email extortion campaigns where the attacker threatens to reveal the user's illegal activity if they don't pay a small extortion demand.

Brandt told BleepingComputer that this malware campaign was live between October 2020 and January 2021, when the attacker's site went offline. According to Brandt, the malicious torrents have also stopped being distributed, likely after users stopped seeding them after learning that the files were malicious or fake.

While rare, vigilantes have taken justice into their own hands in the past by hacking into Netgear to remove malware, distributing malware to secure IoT devices, releasing weaponized version.

Vigilante malware blocks victims from downloading pirated software
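A defender-side check for the HOSTS-file sinkholing described in this post, added here as an example (it is not code from SophosLabs' report or from the original post): it parses a HOSTS file and reports hostnames mapped to a loopback or discard address that are not the usual local names, which is exactly the footprint the malware leaves. The sample HOSTS content is constructed; thepiratebay.org is the one domain the post names, the other hostnames are made up.

```python
import os
import ipaddress
import re
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# Addresses a sinkholing HOSTS entry points at: loopback or the discard address.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately map to loopback on an unmodified system.
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                      "ip6-localhost", "ip6-loopback"}

# Constructed sample HOSTS content (not a real infected file). thepiratebay.org
# is the one domain the post names; the other hostnames are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- entries below mimic the sinkholing behaviour described in the report ---
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org piratebay-mirror.example   # two names, one line
0.0.0.0   example-tracker.test
10.0.0.5  intranet.example   # a normal, non-loopback mapping: not reported
"""


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for each active mapping.

    Comments (# ...) and blank lines are skipped. A line whose first field
    is not an IP address is ignored rather than raising.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = [n.lower() for n in fields[1:]]
        if names:
            yield line_no, str(addr), names


def find_sinkholed(text: str, name_pattern: Optional[str] = None) -> List[Dict[str, object]]:
    """Report hostnames mapped to a loopback/discard address that are not
    ordinary local names. name_pattern (a regex) narrows the report to names
    of interest, e.g. r"piratebay|torrent"; None reports everything.
    """
    pat = re.compile(name_pattern, re.IGNORECASE) if name_pattern else None
    findings: List[Dict[str, object]] = []
    for line_no, addr, names in parse_hosts(text):
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            if name in BENIGN_LOCAL_NAMES:
                continue
            if pat is not None and not pat.search(name):
                continue
            findings.append({"line": line_no, "address": addr, "host": name})
    return findings


def default_hosts_path() -> Path:
    """Location of the live HOSTS file on Windows (falls back to /etc/hosts)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    # Audit the constructed sample first, then the live file if it is readable.
    for f in find_sinkholed(SAMPLE_HOSTS):
        print(f"sample line {f['line']}: {f['host']} -> {f['address']}")
    live = default_hosts_path()
    if live.is_file():
        hits = find_sinkholed(live.read_text(errors="replace"))
        print(f"{live}: {len(hits)} sinkholed non-local name(s)")
```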
  10. Mystery malware steals 26M passwords from 3M PCs. Are you affected?

Massive trove can be used for ransomware, espionage, and more.

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The stash also included over 1 million images and more than 650,000 Word and .pdf files. Additionally, the malware made a screenshot after it infected the computer and took a picture using the device’s webcam. Stolen data also came from apps for messaging, email, gaming, and file-sharing. The data was extracted between 2018 and 2020 from more than 3 million PCs.

A booming market

The discovery comes amid an epidemic of security breaches involving ransomware and other types of malware hitting large companies. In some cases, including the May ransomware attack on Colonial Pipeline, hackers first gained access using compromised accounts. Many such credentials are available for sale online.

Alon Gal, co-founder and CTO of security firm Hudson Rock, said that such data is often first collected by stealer malware installed by an attacker attempting to steal cryptocurrency or commit a similar type of crime. The attacker “will likely then try to steal cryptocurrencies, and once he is done with the information, he will sell to groups whose expertise is ransomware, data breaches, and corporate espionage,” Gal told me. “These stealers are capturing browser passwords, cookies, files, and much more and sending it to the [command and control server] of the attacker.”

NordLocker researchers said there’s no shortage of sources for attackers to secure such information. “The truth is, anyone can get their hands on custom malware,” the researchers wrote. “It’s cheap, customizable, and can be found all over the web. Dark web ads for these viruses uncover even more truth about this market. For instance, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom does mean custom—advertisers promise that they can build a virus to attack virtually any app the buyer needs.”

NordLocker hasn’t been able to identify the malware used in this case. Gal said that from 2018 to 2019, widely used malware included Azorult and, more recently, an info stealer known as Raccoon. Once infected, a PC will regularly send pilfered data to a command and control server operated by the attacker.

In all, the malware collected account credentials for almost 1 million sites, including Facebook, Twitter, Amazon, and Gmail. Of the 2 billion cookies extracted, 22 percent remained valid at the time of the discovery. The files can be useful in piecing together the habits and interests of the victims, and if the cookies are used for authentication, they give access to the person’s online accounts. NordLocker provides other figures here.

People who want to determine if their data was swept up by the malware can check the Have I Been Pwned breach notification service, which has just uploaded a list of compromised accounts.

Mystery malware steals 26M passwords from 3M PCs. Are you affected?
  11. FreakOut malware worms its way into vulnerable VMware servers

A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability.

The malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems.

FreakOut spreads itself by exploiting a wide range of OS and app vulnerabilities and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet controlled by its masters. The malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine for Monero cryptocurrency.

Malware upgraded with new exploits

As Cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the malware's spreading capabilities since early May, when the botnet's activity suddenly increased.

"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said.

FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server. For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials.

Image: Cisco Talos

While early FreakOut versions were able to exploit only vulnerable versions of Liferay, Laravel, WebLogic, TerraMaster, and Zend Framework (Laminas Project) web apps, the latest ones have more than double the number of built-in exploits.

Newly added exploits to malware variants observed by Cisco Talos in May include:

- VestaCP — VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
- ZeroShell 3.9.0 — 'cgi-bin/kerbynet' Remote Root Command Injection
- SCO Openserver 5.0.7 — 'outputform' Command Injection
- Genexis PLATINUM 4410 2.1 P4410-V2-1.28 — Remote Command Execution vulnerability
- OTRS 6.0.1 — Remote Command Execution vulnerability
- VMWare vCenter — Remote Command Execution vulnerability
- An Nrdh.php remote code execution exploit for an unknown app
- Python versions of EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147) exploits

Thousands of VMware servers exposed to attacks

The VMware vCenter vulnerability (CVE-2021-21972) is present in the vCenter plugin for vRealize Operations (vROps) and is particularly interesting because it impacts all default vCenter Server installations.

Thousands of unpatched vCenter servers are currently reachable over the Internet, as shown by Shodan and BinaryEdge. Attackers have previously mass scanned for vulnerable Internet-exposed vCenter servers after security researchers published a proof-of-concept (PoC) exploit code.

Russian Foreign Intelligence Service (SVR) state hackers have also added CVE-2021-21972 exploits to their arsenal in February, actively exploiting them in ongoing campaigns.

VMware vulnerabilities have also been exploited in the past in ransomware attacks targeting enterprise networks. As Cisco Talos revealed, FreakOut operators have also been seen deploying a custom ransomware strain showing that they are actively experimenting with new malicious payloads.

Multiple ransomware gangs, including RansomExx, Babuk Locker, and Darkside, previously used VMWare ESXi pre-auth RCE exploits to encrypt virtual hard disks used as centralized enterprise storage space.

"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems," Svajcer added. "Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems."

FreakOut malware worms its way into vulnerable VMware servers
  12. New SkinnyBoy malware used by Russian hackers to breach sensitive orgs

Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28. The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or Pawn Storm, used SkinnyBoy in attacks targeting military and government institutions earlier this year.

Classic tactics, new tool

SkinnyBoy is intended for an intermediary stage of the attack, to collect information about the victim and to retrieve the next payload from the command and control (C2) server.

According to Cluster25 threat research company, APT28 likely started this campaign at the beginning of March, focusing on ministries of foreign affairs, embassies, defense industry, and the military sector. Multiple victims are in the European Union but the researchers told BleepingComputer that the activity may have impacted organizations in the United States, too.

SkinnyBoy is delivered through a Microsoft Word document laced with a macro that extracts a DLL file acting as a malware downloader. The lure is a message with a spoofed invitation to an international scientific event held in Spain at the end of July.

Opening the invitation triggers the infection chain, which starts with extracting a DLL that retrieves the SkinnyBoy dropper (tpd1.exe), a malicious file that downloads the main payload. Once on the system, the dropper establishes persistence and moves to extract the next payload, which is encoded in Base64 format and appended as an overlay of the executable file.

This payload deletes itself after extracting two files on the compromised system:

- C:\Users\%username%\AppData\Local\devtmrn.exe (2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce)
- C:\Users\%username%\AppData\Local\Microsoft\TerminalServerClient\TermSrvClt.dll (ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698)

To keep a low profile, the malware executes these files at a later stage, after creating a persistence mechanism via a LNK file under the Windows Startup folder, Cluster25 says in a report shared with BleepingComputer.

The LNK file is triggered at the next reboot of the infected machine and looks for the main payload, SkinnyBoy (TermSrvClt.dll), by checking the SHA256 hashes of all the files under C:\Users\%username%\AppData\Local.

SkinnyBoy’s purpose is to exfiltrate information about the infected system, download, and launch the final payload of the attack, which remains unknown at the moment.

Collecting the data is done by using the systeminfo.exe and tasklist.exe tools already present in Windows, which allow it to extract file names in specific locations:

- C:\Users\%username%\Desktop
- C:\Program Files
- C:\Program Files (x86)
- C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
- C:\Users\%username%\AppData\Roaming
- C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Templates
- C:\Windows
- C:\Users\user\AppData\Local\Temp

All the information extracted this way is delivered to the C2 server in an organized fashion and encoded in base64 format.

Cluster25 says that the attacker used commercial VPN services to purchase elements for their infrastructure, a tactic that adversaries typically use to better cover their tracks.

After observing the tactics, techniques, and procedures, Cluster25 believes that the SkinnyBoy implant is a new tool from the Russian threat group known as APT28. The company has mid-to-high confidence in its attribution.

In the report today, Cluster25 provides YARA rules for all the tools examined by its researchers (SkinnyBoy dropper, launcher, and the payload itself) as well as a list of observed indicators of compromise that can help organizations detect the presence of the new malware.

New SkinnyBoy malware used by Russian hackers to breach sensitive orgs
  13. Malvertising Campaign On Google Distributed Trojanized AnyDesk Installer

Cybersecurity researchers on Wednesday publicized the disruption of a "clever" malvertising network targeting AnyDesk that delivered a weaponized installer of the remote desktop software via rogue Google ads that appeared in the search engine results pages.

The campaign, which is believed to have begun as early as April 21, 2021, involves a malicious file that masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant to amass and exfiltrate system information.

"The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to 'POST' reconnaissance information such as user name, hostname, operating system, IP address and the current process name," researchers from CrowdStrike said in an analysis.

AnyDesk's remote desktop access solution has been downloaded by more than 300 million users worldwide, according to the company's website. Although the cybersecurity firm did not attribute the cyber activity to a specific threat actor or nexus, it suspected it to be a "widespread campaign affecting a wide range of customers" given the large user base.

The PowerShell script may have all the hallmarks of a typical backdoor, but it's the intrusion route where the attack throws a curve, signaling that it's beyond a garden-variety data gathering operation — the AnyDesk installer is distributed through malicious Google ads placed by the threat actor, which are then served to unsuspecting people who are using Google to search for 'AnyDesk.'

The fraudulent ad result, when clicked, redirects users to a social engineering page that's a clone of the legitimate AnyDesk website, in addition to providing the individual with a link to the trojanized installer.

CrowdStrike estimates that 40% of clicks on the malicious ad turned into installations of the AnyDesk binary, and 20% of those installations included follow-on hands-on-keyboard activity.

"While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets," the researchers said.

The company also said it notified Google of its findings, which is said to have taken immediate action to pull the ad in question.

"This malicious use of Google Ads is an effective and clever way to get mass deployment of shells, as it provides the threat actor with the ability to freely pick and choose their target(s) of interest," the researchers concluded. "Because of the nature of the Google advertising platform, it can provide a really good estimate of how many people will click on the ad. From that, the threat actor can adequately plan and budget based on this information. In addition to targeting tools like AnyDesk or other administrative tools, the threat actor can target privileged/administrative users in a unique way."

Source
  14. Malware caught using a macOS zero-day to secretly take screenshots

Image Credits: Made Kusuma Jaya / EyeEm / Getty Images

Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.

Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam or recording the screen — without ever getting consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants also targeting Macs running the newer M1 chip.

Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.

macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by sneaking in under the radar by injecting malicious code into legitimate apps.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions, like Zoom, WhatsApp and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ built-in security defenses.

The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam or capture their keystrokes, such as passwords or credit card numbers.

It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.

Source: Malware caught using a macOS zero-day to secretly take screenshots
  15. ‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose

- ‘TeamTNT’ is using a new harvester that targets a wide spectrum of cloud services and software apps.
- The actors are still targeting Monero wallets and configuration files and are still DDoSing some victims.
- The hacking group that started as an opportunistic actor is now evolving into a serious threat.

‘TeamTNT,’ the hacking group that was mostly occupied with disseminating XMR cryptominers on exposed Dockers last year, is now targeting cloud service credentials. This change in activity was first noticed and reported by researchers at TrendMicro at the beginning of March, and now, the same team has sampled and analyzed a new credential harvester used by the threat actors.

The intruders deploy a rich repertoire to access the network, including the exploitation of vulnerabilities, using stolen passwords or taking advantage of the existence of misconfigurations. From there, they focus on a range of system types depending on what they can find, then perform network reconnaissance, and finally deploy their new credential harvester. This malware helps TeamTNT steal user IDs and passwords from the following software and services:

- Google Cloud
- Cloudflare
- Amazon Web Services
- Shodan
- Docker
- SSH
- Git
- FileZilla
- Jupyter
- Monero wallet
- SMB clients
- WebDAV
- Ngrok2
- HexChat
- Pidgin
- PostgreSQL

Source: TrendMicro

So, why is TeamTNT interested in stealing cloud service and software app credentials? One very probable reason would be to engage in planting XMR cryptominers in places where they are unlikely to be found and uprooted before making significant amounts of money for the actors. Another would be to resell these credentials to ransomware groups on the dark web. And a third would be to exfiltrate data from cloud-hosted databases and then sell them to phishing actors and scammers.

Source: TrendMicro

TrendMicro points out that the malware actively looks for Monero configuration files and any accessible wallets, so the anonymous crypto remains a key motivation for the actors, or at least that’s what it looks like. When the malware reaches the end of its routine, it attempts to delete itself from the infected system. Still, according to the analysts, this function isn’t implemented properly yet, so it fails.

One more thing to note is that TeamTNT also engages in DDoS attacks once inside a network, as long as they have some form of an RCE to execute it. This is happening through a special IRC bot called ‘TNTbotinger.’ DDoS attacks can help the actors draw the attention of response teams elsewhere, slow down malware detection and clean-up efforts, or even aid extortion efforts.

In general, TeamTNT has evolved into a significant and wide-scope threat now. Their new harvester is an indication that the particular malware authors are serious about their operation and care to take things to the next level.

Source: ‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose
  16. Hackers Using Microsoft Build Engine to Deliver Malware Filelessly

Threat actors are abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems.

The actively ongoing campaign is said to have emerged last month, researchers from cybersecurity firm Anomali said on Thursday, adding the malicious build files came embedded with encoded executables and shellcode that deploy backdoors, allowing the adversaries to take control of the victims' machines and steal sensitive information.

MSBuild is an open-source build tool for .NET and Visual Studio developed by Microsoft that allows for compiling source code, packaging, testing, and deploying applications.

In using MSBuild to filelessly compromise a machine, the idea is to stay under the radar and thwart detection, as such malware makes use of a legitimate application to load the attack code into memory, thereby leaving no traces of infection on the system and giving attackers a high level of stealth.

As of writing, only two security vendors flag one of the MSBuild .proj files ("vwnfmo.lnk") as malicious, while a second sample ("72214c84e2.proj") uploaded to VirusTotal on April 18 remains undetected by every anti-malware engine. The majority of the samples analyzed by Anomali were found to deliver the Remcos RAT, with a few others also delivering the Quasar RAT and RedLine Stealer.

Remcos (aka Remote Control and Surveillance software), once installed, grants full access to the remote adversary, its features ranging from capturing keystrokes to executing arbitrary commands and recording microphones and webcams, while Quasar is an open-source .NET-based RAT capable of keylogging, password stealing, among others. Redline Stealer, as the name indicates, is a commodity malware that harvests credentials from browsers, VPNs, and messaging clients, in addition to stealing passwords and wallets associated with cryptocurrency apps.

"The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations," Anomali researchers Tara Gould and Gage Mele said. "This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially."

Source: Hackers Using Microsoft Build Engine to Deliver Malware Filelessly
  17. A fake MSI Afterburner download page is spreading malware

PC and component manufacturer MSI is warning users that malicious actors are leveraging its name to distribute malware. The attackers have created a fake download page for MSI's Afterburner software, and they're using a URL that's made to look official to an unsuspecting user.

Afterburner is a graphics card tuning tool that allows users to set clock speeds for the GPU and memory, adjust the voltage, and monitor the temperature of the card. Typically, the software is available for anyone to download from MSI's website, but the official webpage - which you can access here - is currently undergoing maintenance. While the page can be accessed, download links don't work.

The attackers seem to be leveraging that, and the website looks nearly identical to the official one, however, the MSI website header is missing, and the official website also features a small icon in the bottom left corner to customize the website cookie settings. This is also missing in the fake website.

For reference, the URL being used to impersonate MSI is as follows: https://afterburner-msi.space/. Obviously, we strongly advise against opening the URL or downloading anything from it.

If you don't happen to have MSI Afterburner currently installed, you may want to wait a little longer for the official page to be functional again. If you can't wait, at the very least make sure the website you're downloading from is one you can trust and isn't trying to pass itself off as an official MSI page.

Source: A fake MSI Afterburner download page is spreading malware
  18. Microsoft: Threat actors target aviation orgs with new malware

Microsoft warns of an ongoing spear-phishing campaign targeting aerospace and travel organizations with multiple remote access trojans (RATs) deployed using a new and stealthy malware loader.

"In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT," Microsoft said.

Attackers' phishing emails spoof legitimate organizations and use image lures posing as PDF documents containing info relevant to several industry sectors, including aviation, travel, and cargo.

As Microsoft observed while tracking this campaign, the threat actors' end goal is to harvest and exfiltrate data from infected devices using the RATs' remote control, keylogging, and password-stealing capabilities.

Once deployed, the malware allows them to "steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrates data often via SMTP Port 587."

Image: Aviation-themed spear-phishing email (Microsoft)

RAT loader designed to bypass detection

The newly discovered loader monetized under a Crypter-as-a-Service model, named Snip3 by Morphisec malware analysts, is used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads on compromised systems.

Links abusing legitimate web services and embedded within the phishing messages download the first-stage VBScript VBS files that execute a second-stage PowerShell script which in turn executes the final RAT payload using Process Hollowing.

Image: VBS files used as initial infection vector (Hossein Jazi)

Snip3 also comes with the ability to identify sandboxing and virtual environments according to Morphisec, which makes it particularly capable of circumventing detection-centric anti-malware solutions.

To evade detection, the malware loader uses additional techniques including:

- the execution of PowerShell code with the 'remotesigned' parameter
- use of Pastebin and top4top for staging
- compilation of RunPE loaders on the endpoint in runtime

Image: Snip3 attack flow

Organizations can use sample queries shared by Microsoft for advanced hunting using Microsoft 365 Defender to help them locate and investigate similar suspicious behavior related to this ongoing phishing campaign.

Among the potentially malicious activity advanced hunting queries can unearth, they can help detect:

- Snip3 communication protocols (with recent campaigns targeting the aviation industry)
- malicious use of RegAsm, RegSvcs, and InstallUtil by Snip3 (potentially hollowed processes used for command-and-control or exfiltration)
- Snip3 loader-encoded PowerShell command (obfuscated using UTF8 encoding)
- Snip3 loader call to DetectSandboxie function (used in RevengeRAT and AsyncRAT instance)
- keywords associated with Snip3 campaign emails from April and May 2021

Indicators of compromise associated with this spear-phishing campaign including malware sample hashes and RAT command and control domains can be found at the end of Morphisec's Snip3 report.

Source: Microsoft: Threat actors target aviation orgs with new malware
  19. Bulletproof hosting admins plead guilty to running cybercrime safe haven

Four individuals from Eastern Europe face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to running a bulletproof hosting service as a safe haven for cybercrime operations targeting US entities.

The bulletproof hosting service was founded by Russian citizens Aleksandr Grichishkin and Andrei Skvortsov, who hired Lithuanian Aleksandr Skorodumov and Estonian Pavel Stassi as the organization's system admin and administrator, respectively.

Grichishkin and Skvortsov were the ones overseeing marketing, personnel management, and client support, while Skorodumov and Stassi were responsible for keeping all systems running and helping clients behind malware and botnet operations to optimize their "services."

A safe haven for malware operations

According to a DOJ press release published today, their service provided multiple cybercrime-affiliated clients with the infrastructure needed in malicious campaigns running between 2008 and 2015.

"The group rented Internet Protocol (IP) addresses, servers, and domains to cybercriminal clients, who used this technical infrastructure to disseminate malware used to gain access to victims’ computers, form botnets, and steal banking credentials for use in frauds," the DOJ said.

"Malware hosted by the organization included Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, which rampantly attacked U.S. companies and financial institutions between 2009 and 2015 and caused or attempted to cause millions of dollars in losses to U.S. victims."

Other services provided by their bulletproof hosting service included registering new infrastructure using false or stolen identities to help clients circumvent law enforcement efforts to block their attacks.

"A key service provided by the defendants was helping their clients to evade detection by law enforcement and continue their crimes uninterrupted; the defendants did so by monitoring sites used to blocklist technical infrastructure used for crime, moving “flagged” content to new infrastructure, and registering all such infrastructure under false or stolen identities." — DOJ

Responsible for millions of dollars in losses

"Over the course of many years, the defendants facilitated the transnational criminal activity of a vast network of cybercriminals throughout the world by providing them a safe-haven to anonymize their criminal activity," said FBI Special Agent in Charge Timothy Waters.

"This resulted in millions of dollars of losses to U.S. victims. Today’s guilty plea sends a message to cybercriminals across the globe that they are not beyond the reach of the FBI and its international partners, and that anyone who facilitates or profits from criminal cyber activity will be brought to justice."

All four defendants pleaded guilty to one count of RICO conspiracy in February, March, and May 2021. Stassi, Skorodumov, Grichishkin, and Skvortsov will receive their sentence on June 3, June 29, July 8, and Sept. 16.

Each of the four defendants faces a maximum penalty of 20 years in prison that a federal district court judge will set after considering Sentencing Guidelines and other statutory factors.

The FBI investigated the case with assistance from law enforcement partners from the United Kingdom, Germany, and Estonia.

Source: Bulletproof hosting admins plead guilty to running cybercrime safe haven
20. New Windows 'Pingback' malware uses ICMP for covert communication

Today, researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities.

Dubbed "Pingback," this malware targets Microsoft Windows 64-bit systems, and uses DLL Hijacking to gain persistence.

Abuses real Windows service to load malicious DLL

Today, Trustwave senior architect Lloyd Macrohon and principal security researcher Rodel Mendrez have released their findings on a novel Windows malware that exists as a 64-bit DLL.

Of note is the malware sample's choice of the communication protocol being ICMP, which is also used by the popular ping command and the Windows traceroute utility.

The malicious file in question is a mere 66-KB DLL called oci.dll, and is typically dropped within the Windows "System" folder by another malicious process or attack vector.

The researchers soon realized that this DLL was not being loaded by the familiar Windows application rundll32.exe, but instead relied on DLL Hijacking.

Process tree of the malicious DLL being loaded by legitimate Windows processes. Source: Trustwave

"We knew that the file was suspicious during our initial triaging, but we could not figure how it was loaded into the system because the DLL was not loaded through traditional rundll32.exe," state Macrohon and Mendrez.

DLL Hijacking is a technique used by attackers on Windows systems that involves placing a malicious DLL file in one of the folders trusted by the Windows operating system, such that a legitimate system application picks up and runs the malicious DLL file. In this manner, attackers can exploit a real, trusted Windows process to execute their arbitrary malicious code.

Last year, BleepingComputer had reported that about 300 Windows executables could be abused for DLL Hijacking.
In this case, Trustwave's researchers identified it was the Microsoft Distributed Transaction Control (msdtc) service being abused to load the malicious oci.dll.

In fact, msdtc.exe is present on the list of over 300 Windows executables that make the perfect candidates for DLL Hijacking, as compiled by PwC researcher Wietze Beukema.

On launch, the Windows msdtc service searches for 3 DLLs to load: oci.dll, SqlLib80.dll, and xa80.dll.

The real oci.dll represents an Oracle library (Oracle Call Interface) that exists for supporting and interacting with Oracle databases.

But, here's the catch: "By default, the three Oracle DLLs do not exist in the Windows system directory."

"So, in theory, an attacker with system privileges can drop a malicious DLL and save it using one of the DLL filenames that MTxOCI loads," explain the researchers.

Although the researchers experimented with dropping all 3 DLL filenames on Windows, they found that only oci.dll could be seamlessly loaded by the msdtc service.

But, where does the malicious oci.dll come from?

While the initial entry vector is still being investigated, the researchers suspect that another malware sample, updata.exe, is behind both dropping the malicious oci.dll in the Windows "System" folder and configuring msdtc to run on every startup.

As analyzed by BleepingComputer, updata.exe indeed executes a sequence of commands to configure msdtc to run persistently and further drops oci.dll:

    sc stop msdtc
    sc config msdtc obj= Localsystem start= auto
    sc start msdtc

updata.exe configures msdtc to run persistently. Source: BleepingComputer (analyzed on ANY.RUN)

Uses ICMP tunneling for covert communication

The oci.dll malware, once launched by msdtc, uses ICMP for stealthily receiving commands from its C2 server.

Trustwave researchers, who named this malware "Pingback," state that the advantage of using ICMP for communications is that Pingback remains effectively hidden from a user.
That's because ICMP has no concept of "ports" and uses neither TCP nor UDP. As such, oci.dll may not be picked up by diagnostic tools like netstat.

Every ICMP packet, however, does contain a "data" field with enough space to sneak in custom data within the field and to transmit it back and forth between two systems:

ICMP packet with "data" field being used by malware to receive bot commands. Source: Trustwave

"The ICMP data section is where an attacker can piggyback an arbitrary data to be sent to a remote host. The remote host replies in the same manner, by [piggybacking] an answer into another ICMP packet and sending it back," explain Macrohon and Mendrez.

Pingback malware (oci.dll) simply listens for any and all inbound ICMP packets on an infected system and selectively parses packets with sequence numbers: 1234, 1235, or 1236.

An incoming ICMP packet with sequence number 1234 indicates to the malicious process that this request contains payload or commands, whereas 1235 and 1236 are Pingback's way of keeping track of and acknowledging if a request has been received on either end.

The data received can contain C2 commands like shell, download, upload, exec, etc. In essence, these commands are used to transmit data back and forth between the attacker-controlled server and the infected system and enable a remote attacker to execute other arbitrary commands on the infected system.

BleepingComputer also noticed that oci.dll referenced a fictitious file path named after Visual Studio 2008 that may appear to contain legitimate project data to a casual observer, but is likely used by the Pingback malware for its nefarious activities, such as data storage:

    c:\Users\XL\Documents\Visual Studio 2008\Projects\PingBackService0509\x64\Release\PingBackService0509.pdb

"ICMP tunneling is not new, but this particular sample piqued our interest as a real-world example of malware using this technique to evade detection," state the researchers.
But, since ICMP also has legitimate use-cases as a diagnostic tool, the researchers' advice is not to disable it, but rather to put monitoring mechanisms in place to detect any suspicious ICMP traffic.

Trustwave's detailed technical findings are provided in a blog post. The researchers have also created a proof-of-concept C2 bot to demonstrate some of Pingback's commands.

The Indicators of Compromise (IOCs) associated with the Pingback malware are provided below:

File: oci.dll
SHA256: E50943D9F361830502DCFDB00971CBEE76877AA73665245427D817047523667F
SHA1: 0190495D0C3BE6C0EDBAB0D4DBD5A7E122EFBB3F
MD5: 264C2EDE235DC7232D673D4748437969

Network:
ICMP Type=8
Sequence Number: 1234|1235|1236
Data size: 788 bytes

Source: New Windows 'Pingback' malware uses ICMP for covert communication
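An added detection example for the monitoring advice above (this is not code from Trustwave or BleepingComputer): a small Python parser for raw IPv4/ICMP packets that recomputes the ICMP checksum and flags Echo Requests carrying the published Pingback network indicators (sequence number 1234, 1235 or 1236, or a 788-byte data section). The addresses, the sample packets and the build_echo_request helper are constructed for the example only.

```python
"""Flag ICMP Echo Requests that match the published Pingback network IOCs.

Added example, not the researchers' code. Packets are parsed from raw bytes
(IPv4 header + ICMP), so the same functions work on a pcap payload or on a
raw socket read; the traffic below is constructed inline for the demo.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8            # IOC: ICMP Type=8
PINGBACK_SEQS = {1234, 1235, 1236}   # IOC: Sequence Number 1234|1235|1236
PINGBACK_DATA_LEN = 788          # IOC: Data size 788 bytes


@dataclass
class IcmpMessage:
    src: str
    dst: str
    icmp_type: int
    code: int
    ident: int
    seq: int
    data: bytes
    checksum_ok: bool


def icmp_checksum(payload: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + data."""
    if len(payload) % 2:
        payload += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(payload) // 2), payload))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt: bytes) -> Optional[IcmpMessage]:
    """Return the ICMP message carried by an IPv4 packet, or None if not ICMP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 1:     # not IPv4 / not ICMP
        return None
    icmp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    if len(icmp) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # Verify the checksum with the checksum field zeroed; a bad checksum
    # means the bytes are corrupt and the seq/data fields are not trustworthy.
    ok = icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == csum
    return IcmpMessage(".".join(map(str, src)), ".".join(map(str, dst)),
                       icmp_type, code, ident, seq, icmp[8:], ok)


def pingback_indicators(msg: IcmpMessage) -> List[str]:
    """List the Pingback IOCs that one ICMP Echo Request matches (empty if none)."""
    hits: List[str] = []
    if msg.icmp_type != ICMP_ECHO_REQUEST:
        return hits
    if msg.seq in PINGBACK_SEQS:
        hits.append("sequence %d" % msg.seq)
    if len(msg.data) == PINGBACK_DATA_LEN:
        hits.append("data size %d" % len(msg.data))
    return hits


def scan(packets: List[bytes]) -> List[Tuple[str, str, List[str]]]:
    """Return (src, dst, matched indicators) for every packet that matched."""
    alerts = []
    for pkt in packets:
        msg = parse_ipv4_icmp(pkt)
        if msg is None or not msg.checksum_ok:
            continue
        hits = pingback_indicators(msg)
        if hits:
            alerts.append((msg.src, msg.dst, hits))
    return alerts


def build_echo_request(src: str, dst: str, seq: int, data: bytes, ident: int = 1) -> bytes:
    """Construct a test IPv4 Echo Request (demo input only, never sent on a network)."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + data)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + icmp


# Constructed sample traffic: an ordinary ping, a command-style packet with a
# Pingback sequence number and a 788-byte data section, and an ack-style packet.
SAMPLE_PACKETS = [
    build_echo_request("10.0.0.5", "10.0.0.9", seq=1, data=b"abcdefghijklmnop"),
    build_echo_request("10.0.0.5", "10.0.0.9", seq=1234, data=b"\x00" * PINGBACK_DATA_LEN),
    build_echo_request("10.0.0.9", "10.0.0.5", seq=1235, data=b"ok"),
]

if __name__ == "__main__":
    for src, dst, hits in scan(SAMPLE_PACKETS):
        print("%s -> %s: %s" % (src, dst, ", ".join(hits)))
```

Because the sequence numbers are fixed in the sample, the same check ports directly to an IDS rule on ICMP type 8 with icmp_seq 1234-1236 or dsize 788.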
21. New Buer Malware Downloader Rewritten in E-Z Rust Language

It’s coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground.

A variant of the Buer malware, which is being distributed in emails disguised as DHL support shipping notices, comes with a fresh code rewrite in the popular Rust language and looks like it may be in the process of prepping for rental to other cybercrooks.

Using the increasingly popular, efficient and easy-to-use Rust programming language will help the malware to slip past detection, Proofpoint researchers said in a post on Monday morning.

The rigged emails are coming in two flavors. One is written in the more typical C programming language. The other’s written in Rust: a tactical shift that will help it tiptoe past detection in order to get more clicks.

Buer is what’s known as a first-stage downloader: a chunk of malware sold on the underground that threat actors use to get a foothold into compromised networks. These attack tools install other types of malware during and after phishing campaigns.

Proofpoint research shows that these downloaders have become increasingly beefy over the past two years, boasting ever-more advanced profiling and targeting capabilities.

Proofpoint first came across Buer in 2019, and its researchers spotted the new variant in early April. This is what the DHL-themed, boobytrapped email looks like:

Any unfortunates who click on the malicious Microsoft Word or Excel attachment will trigger a drop of the new, Rust-written Buer variant, which researchers are calling RustyBuer.

It’s cutting a wide path across the internet: More than 200 organizations across more than 50 verticals have been hit by the campaign, Proofpoint says.

The first-stage downloader has a nasty second-stage delivery: In some instances, Proofpoint has seen the phishing campaigns drop a commodity Cobalt Strike beacon.
Cobalt Strike is a legitimate penetration-testing tool that’s become a favorite among threat actors.

But not all the time. In some campaigns, the attackers left out any second-stage payload. From what researchers can determine, that could be because the malware’s authors are setting up the new variant to lease out to other threat actors in the access-as-a-service model in underground marketplaces: a distribution service that’s already been used to profit off of Buer.

Multilingual Malware: Not-So-Good News

Researchers say that the new, completely rewritten Rust variant is an unusual departure from malware developers’ far more common preference of the C programming language.

It’s not clear why the threat actors took the time and effort to translate the code, but there are a few likely possibilities: First, Rust is more efficient, has more features, and is increasingly popular.

Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Threatpost in an email on Monday that malware code tweaking is common, while a total rewrite is less so.

“Malware authors, like software programmers, will choose a programming language that supports their requirements,” she said. “A complete change in language is rare but not unheard of. We typically see version increments adding features and evasion techniques, not a total switch to a new language. It’s a significant move on the part of the threat actor that is worth noting.”

Besides detection evasion, the rewrite offers another benefit: it potentially defeats reverse engineering, which can make detecting it tough for engineers that don’t have prior experience with Rust and defeating anti-detection measures.

DeGrippo said that Proofpoint researchers anticipate seeing yet more versions of both Rust and C versions of Buer. As always, the threat actors will use whatever’s at hand to evolve the malware, she said.
For protection, implementation of a secure email gateway and network detections are a good place to start, DeGrippo said. After that, training comes in handy.

“Blocking malicious email before it reaches a target and training users to identify and report suspicious emails is the first step in preventing exploitation of this threat,” DeGrippo said.

Who Else Is Getting Rusty?

Fellow Rust fans include Microsoft, which joined the Rust Foundation in February and is increasingly using the language in products. That’s notable, given that the company’s products are stuffed with C/C++.

All that vitamin C isn’t good for us, apparently: In 2019, Alex Gaynor, a software resilience engineer and former director of the Python Software Foundation and the Django Software Foundation, argued that these “memory-unsafe” languages – i.e., C and C++ – introduce an unacceptable number of security vulnerabilities and that the industry as a whole needs to migrate to memory-safe languages like Rust and Swift by default.

Are the Buer downloader developers looking to memory-bug-proof their code? Proofpoint researchers theorize that it’s likely got more to do with slipping past detection.

“The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” Proofpoint said in its advisory. “Rewriting the malware in Rust can enable the threat actor to evade existing Buer detections that are based on features of the malware written in C.”

Unfortunately, the rewritten variant should maintain compatibility with existing Buer backend command-and-control (C2) servers and panels, researchers say.

Don’t Click on the ‘Microsoft’-Labelled Pandora’s Box

To beef up the legitimacy of the phishing emails, the malware authors have sprinkled them with logos.
Here’s an example, sporting Microsoft branding and logos from a handful of security companies.

Recipients need to click on the document’s macro in order to initiate an infection. After that the macro will run an application bypass (Windows Shell DLL via LOLBAS) to evade detection from endpoint security.

Wondering where the name came from? According to a Wikipedia entry (albeit, one that needs additional citations), it’s a spirit that popped up in the 16th-century grimoire Pseudomonarchia Daemonum. It’s described as a Great President of Hell, is depicted as a lion’s head surrounded by a circle of five legs so it can walk in any direction, and is supposed to command 50 legions of demons: a decent metaphor for malware that gets leased out to cybercriminals and has a penchant for picking up a new tongue.

Source: New Buer Malware Downloader Rewritten in E-Z Rust Language
22. PortDoor Espionage Malware Takes Aim at Russian Defense Sector

The stealthy backdoor is likely being used by Chinese APTs, researchers said.

A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.

The Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.

The attack began with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder – a tool that Cybereason said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428. RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).

The use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.

“The accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,” according to a Cybereason analysis, published Friday.

A Quiet Espionage Malware

The RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind.

It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.
Once executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. This includes the command-and-control (C2) server address, a victim identifier and some other minor information.

The malware then creates an additional file in %temp% with the hardcoded name “58097616.tmp” and writes the GetTickCount value multiplied by a random number to it: “This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,” researchers explained.

After that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS – with proxy support.

At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.

Then, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which it awaits further instructions. The C2 commands are myriad:

- List running processes
- Open process
- Get free space in logical drives
- Files enumeration
- Delete file
- Move file
- Create process with a hidden window
- Open file for simultaneous operations
- Write to file
- Close handle
- Open file and write directly to disk
- Look for the “Kr*^j4” string
- Create pipe, copy data from it and AES encrypt
- Write data to file, append with “\n”
- Write data to file, append with “exit\n”

PortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis. “The backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,” researchers explained.

Chinese APTs in the Cyberattack Mix – Probably

Cybereason’s analysis did not yield up a specific Chinese APT actor who would likely be responsible for the attack. However, the researchers said they could make some educated guesses.
“There are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,” according to the report.

For instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.

“Both the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,” according to the analysis. “When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.”

That said, the PortDoor malware doesn’t share significant code similarities with previously known malware used by those groups – leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts.

“Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.”

Source: PortDoor Espionage Malware Takes Aim at Russian Defense Sector
23. Stealthy RotaJakiro Backdoor Targeting Linux Systems

Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor. Four samples have now been discovered, all using the same C2s. The earliest was discovered in 2018. None of the samples were labeled malware by VirusTotal.

The discovery was made by researchers at Chinese security firm Qihoo 360 NETLAB after their BotMon system flagged a suspicious ELF file. Investigation revealed the backdoor malware they named RotaJakiro, because, say the researchers, “the family uses rotate encryption and behaves differently for root/non-root accounts when executing.”

The malware supports 12 functions, three of which involve specific plug-ins that are downloaded from the C2s. The researchers have not managed to access any of the plug-ins, so cannot comment on their purpose. However, the functions built into the malware can be categorized as collecting device information, stealing sensitive information, and managing the plug-ins.

The researchers do not yet know how the malware spreads or is delivered. Each of the four samples found has the same four C2s embedded. These are news(.)thaprior(.)net, blog(.)eduelects.com, cdn(.)mirror-codes(.)net, and status.sublineover.net. All of them were registered in December 2015, suggesting the malware is possibly older than the confirmed three years.

The stealthy nature of the malware is partly down to its rotation through various encryption algorithms while communicating with its C2 servers. “At the coding level,” say the researchers, “RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis.”

There are two stages to its C2 communication.
The initial phase decrypts the C2 list, establishes a connection with the C2, encrypts and sends the online information, and receives and decrypts the information returned by the C2. The second stage is to verify the information received from the C2, and then ‒ if verified ‒ to execute any commands received.

Persistence and process guarding are handled differently for infected root and non-root accounts. For process guarding on root accounts, a new process is automatically created when the service process is terminated. On non-root accounts, the malware generates two processes that monitor each other. If one is terminated, the other restores it.

It isn’t yet clear whether the malware is designed for a specific category of target, nor what the long-term intention might be. However, the ability to download multiple plug-ins means that its potential for malicious activity should not be underestimated.

The researchers note that there are internal similarities between RotaJakiro and the Torii IoT botnet discovered by Avast in 2018. Torii is a full-fledged bot. The second stage can execute commands from the C2 server, while the malware also includes simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, and other capabilities.

“Even though our investigation is continuing,” said Avast at the time, “Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the C&C, but by communicating with the C&C, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use,” Avast concludes.

Source: Stealthy RotaJakiro Backdoor Targeting Linux Systems
24. Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.

"The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules," researchers from ReversingLabs said in a report published today.

Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), is a legacy feature incorporated in Microsoft Excel for backward compatibility reasons. Microsoft warns in its support document that enabling all macros can cause "potentially dangerous code" to run.

The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features.

Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines.

In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.
"Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time," the researchers noted. "Cost of maintaining 30 year old macros should be weighed against the security risks using such outdated technology brings."

Source: Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware
25. Phishing impersonates global recruitment firm to push malware

An ongoing phishing campaign is impersonating Michael Page consultants to push Ursnif data-stealing malware capable of harvesting credentials and sensitive data from infected computers.

Michael Page is a world-leading employment agency focused on recruiting at the qualified professional and management level for permanent, temporary, contract, or interim positions. The agency is part of the British-based PageGroup recruitment business with operations in the Americas, UK, Continental Europe, Asia-Pacific, and Africa.

Attackers spoofing Michael Page UK

"We are continuing to experience a global phishing campaign where our employees are being impersonated," Michael Page UK said.

"We are confident that no PageGroup system has been compromised," the parent company added, confirming that the attackers haven't breached the recruitment consultancy's servers and are only spoofing employees in the phishing emails sent to random targets.

"These phishing emails are being generated from publicly available information not linked to our business and are being then sent on to random email recipients," PageGroup revealed.

PageGroup urges those who have received one of these phishing emails or any email coming from Michael Page that looks suspicious "not to reply or click" on any of the embedded links.

Never rely on an email signature or name to check the validity of an email, and please never click on a link until you are satisfied that it is from a sender you know. (3/3)
— Michael Page UK (@MichaelPageUK) April 22, 2021

Victims baited with executive positions

In phishing emails sent as part of this campaign seen by BleepingComputer, attackers posing as Michael Page UK headhunters are luring targets with executive positions.

These emails use embedded links to redirect potential victims to phishing landing pages featuring GeoIP and antibot checks, according to a security researcher known as TheAnalyst.
The victims are then asked to download archives containing malicious macro-enabled Microsoft Excel spreadsheets (XLSM) and featuring DocuSign branding, asking the targets to enable editing to decrypt and open the document.

Once the victims enable macros, they are shown a decoy document with information on a fake management position, while the Ursnif malware payload is downloaded and installed on their computer in the background.

Malicious phishing document (InQuest)

The Ursnif data-stealing malware

Ursnif (also known as Gozi v2.0, Gozi ISFB, ISFB, and Pandemyia) is an information-stealing trojan and an offspring of the original Gozi banking trojan (Gozi CRM) whose source code accidentally leaked online in 2010. Since then, malware developers have used the code to build other banking trojan strains, such as GozNym.

Once it infects a computer, Ursnif starts recording the victims' keystrokes and the sites they visit, harvests clipboard content, and collects all this info into log files that are sent back to its operators' servers.

Using this stolen info, the attackers can steal their victims' login credentials and other sensitive data to further compromise their accounts or networks.

Source: Phishing impersonates global recruitment firm to push malware