Showing results for tags 'malware'.

  1. Fake Windows 11 installer only installs ads and trojans Windows 11 leaked unofficially before Microsoft actually released it to Insiders 3 weeks ago, and unfortunately, this created a ready market for downloading Windows 11 ISOs from unofficial sources, which Kaspersky reports often contain malware. Kaspersky reports on one example, the 1.75 GB 86307_windows 11 build 21996.1 x64 + activator.exe. With a file size as large as 1.75 GB, it certainly looks plausible, but in fact, the bulk of that space consists of one DLL file that contains a lot of useless information. Opening the executable starts the installer, which looks like an ordinary Windows installation wizard. However, its main purpose is to download and run another, more interesting executable. The second executable is an installer as well, and it even comes with a license agreement (which few people read) calling it a “download manager for 86307_windows 11 build 21996.1 x64 + activator” and noting that it would also install some sponsored software. If you accept the agreement, a variety of malicious programs will be installed on your machine. Kaspersky says they have detected several hundred infection attempts that used similar Windows 11–related schemes. A large portion of that malware consists of downloaders, whose task is to download and run other programs. Those other programs can be very wide-ranging — from relatively harmless adware, which our solutions classify as not-a-virus, to full-fledged Trojans, password stealers, exploits, and other nasty stuff. Given that Microsoft is making Windows 11 freely available, the best way to acquire the software is to join the Windows 11 Insider program, which can be done by simply visiting the Update and Security tab in the Windows 10 Settings app and scrolling down to Windows Insider Program.
  2. XLoader malware steals logins from macOS and Windows systems A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems. XLoader is currently being offered on an underground forum as a botnet loader service that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail). Derived from the Formbook info-stealer for Windows, XLoader emerged last February and has grown in popularity, advertised as a cross-platform (Windows and macOS) botnet with no dependencies. The connection between the two malware pieces was confirmed after a member of the community reverse-engineered XLoader and found that it had the same executable as Formbook. The advertiser explained that Formbook’s developer contributed a lot to creating XLoader, and the two malware had similar functionality (steal login credentials, capture screenshots, log keystrokes, and execute malicious files). Customers can rent the macOS malware version for $49 (one month) and get access to a server that the seller provides. By keeping a centralized command and control infrastructure, the authors can control how clients use the malware. The Windows version is more expensive as the seller asks $59 for a one-month license and $129 for three months. As mentioned in the advertisement, the makers of XLoader also provide a Java binder for free, which allows customers to create a standalone JAR file with the Mach-O and EXE binaries used by macOS and Windows. Tracking XLoader 6-month activity up to June 1st, malware researchers at Check Point saw requests from 69 countries, indicating a significant spread across the globe, with more than half of the victims being in the United States. Although Formbook is no longer advertised on underground forums, it continues to be a prevalent threat. 
It was part of at least 1,000 malware campaigns over the past three years and according to AnyRun’s malware trends, the info-stealer takes fourth place over the past 12 months, after Emotet. If Formbook’s popularity is any indication, XLoader is likely to be more prevalent given that it targets the two most popular operating systems used by consumers. Check Point researchers say that XLoader is stealthy enough to make it difficult for a regular, non-technical user to spot it. They recommend using macOS’ Autorun to check the username in the OS and to look into the LaunchAgents folder [/Users/[username]/Library/LaunchAgents] and delete entries with suspicious filenames (random-looking name). Yaniv Balmas, Head of Cyber Research at Check Point Software, says that XLoader “is far more mature and sophisticated than its predecessors [i.e. Formbook].” macOS’s growing popularity exposed it to unwanted attention from cybercriminals, who are now seeing the OS as an attractive target. “While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous” - Yaniv Balmas The researcher believes that more malware families will adapt and add macOS to the list of supported operating systems.
  3. Microsoft admits to signing rootkit malware in supply-chain fiasco Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs. G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft. It turns out, the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense. This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process. "Netfilter" driver is rootkit signed by Microsoft Last week, G Data's cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft signed driver called "Netfilter." The driver in question was seen communicating with China-based C&C IPs providing no legitimate functionality and as such raised suspicions. This is when G Data's malware analyst Karsten Hahn shared this publicly and simultaneously contacted Microsoft: The malicious binary has been signed by Microsoft (VirusTotal) "Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system." "Drivers without a Microsoft certificate cannot be installed by default," states Hahn. At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement. 
The first C2 URL returns a set of more routes (URLs) separated by the pipe ("|") symbol: Navigating to the C2 URL presents more routes for different purposes Source: BleepingComputer Each of these serves a purpose, according to Hahn: The URL ending in "/p" is associated with proxy settings, "/s" provides encoded redirection IPs, "/h?" is for receiving CPU-ID, "/c" provided a root certificate, and "/v?" is related to the malware's self-update functionality. As seen by BleepingComputer, for example, the "/v?" path provided URL to the malicious Netfilter driver in question itself (living at "/d3"): Path to malicious Netfilter driver Source: BleepingComputer The G Data researcher spent some time sufficiently analyzing the driver and concluded it to be malware. The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed blog post. "The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?v=6&m=," says Hahn. An example request would look like this: hxxp://110.42.4.180:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab "The server then responds with the URL for the latest sample, e.g. hxxp://110.42.4.180:2081/d6 or with 'OK' if the sample is up-to-date. The malware replaces its own file accordingly," further explained the researcher. Malware's self-update functionality analyzed by G Data During the course of his analysis, Hahn was joined by other malware researchers including Johann Aydinbas, Takahiro Haruyama, and Florian Roth. Roth was able to gather the list of samples in a spreadsheet and has provided YARA rules for detecting these in your network environments. Notably, the C2 IP 110.42.4.180 that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records. The U.S. 
Department of Defense (DoD) has previously marked this organization as a "Communist Chinese military company," another researcher @cowonaut observed. Microsoft admits to signing the malicious driver Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used. The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner: "Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments." "The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party." "We have suspended the account and reviewed their submissions for additional signs of malware," said Microsoft yesterday. According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far. Microsoft has refrained from attributing this incident to nation-state actors just yet. Falsely signed binaries can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks. The multifaceted Stuxnet attack that targeted Iran's nuclear program marks a well-known incident in which code-signing certificates were stolen from Realtek and JMicron to facilitate the attack. This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates. Source
  4. Vigilante malware blocks victims from downloading pirated software A vigilante developer turns the tables on software pirates by distributing malware that prevents them from accessing pirated software sites in the future. Threat actors commonly use pirated software and fake crack sites to distribute malware to unsuspecting users who think they are downloading the latest game or movie. Malware distributed via these methods is typically information-stealing trojans, ransomware, or cryptominers that can be used to generate value for the threat actor. Malware blocks access to The Pirate Bay In a new report, SophosLabs shares how a vigilante malware is being distributed that prevents pirates from accessing the most popular copyrighted content torrent site, The Pirate Bay. "In one of the strangest cases I’ve seen in a while, one of my Labs colleagues recently told me about a malware campaign whose primary purpose appears to stray from the more common malware motives." explains SophosLabs Principal Researcher Andrew Brandt in the new report. "Instead of seeking to steal passwords or to extort a computer’s owner for ransom, this malware blocks infected users’ computers from being able to visit a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system." According to Brandt, the new malware is being distributed through Discord or pirated software torrent sites. On Discord, the malware is distributed as standalone executables pretending to be pirated software, as shown below. Malware hosted on Discord On sites like The Pirate Bay, the malware is being distributed in a similar way to other torrent files in the sense that they contain readme files, NFO files, and shortcut files back to thepiratebay.org. A fake Readme file in a malicious torrent However, many of the files contained in these torrent archives serve no purpose and are only added as filler to impersonate your typical pirated software/movie torrent. 
"Looking more closely at these files bundled with the installer, it’s clear that they have no practical benefit other than to give the archive the appearance of files typically shared over Bittorrent, and to modify hash values with the addition of random data," says Brandt in his report. Once a user runs the malware executable, it will modify the Windows HOSTS file to add numerous entries that point to 127.0.0.1 for sites associated with The Pirate Bay. HOSTS file modified by the malware After adding these HOSTS entries, when a user attempts to access one of the listed sites, they will instead be redirected to their localhost and be unable to connect to the site's actual IP address. This effectively blocks access to the listed sites that are distributing torrents for copyrighted content. To make matters worse, when the vigilante malware is executed, it will connect to a remote host under the attacker's control and send the name of the fake pirated software that has infected the user. As web servers usually log a visitor's IP address, the attacker now has both the pirate's IP address and the name of the software or movie that they attempted to use. While it is unknown what this information is used for, the threat actors could share it with ISPs, copyright agencies, or even law enforcement. The attackers could also use this information in further attacks, such as email extortion campaigns where the attacker threatens to reveal the user's illegal activity if they don't pay a small extortion demand. Brandt told BleepingComputer that this malware campaign was live between October 2020 and January 2021, when the attacker's site went offline. According to Brandt, the malicious torrents have also stopped being distributed, likely after users stopped seeding them after learning that the files were malicious or fake. 
While rare, vigilantes have taken justice in their own hands in the past by hacking into Netgear to remove malware, distributing malware to secure IoT devices, releasing weaponized version.
  5. Mystery malware steals 26M passwords from 3M PCs. Are you affected? Massive trove can be used for ransomware, espionage, and more. Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified. In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application. The stash also included over 1 million images and more than 650,000 Word and .pdf files. Additionally, the malware made a screenshot after it infected the computer and took a picture using the device’s webcam. Stolen data also came from apps for messaging, email, gaming, and file-sharing. The data was extracted between 2018 and 2020 from more than 3 million PCs. A booming market The discovery comes amid an epidemic of security breaches involving ransomware and other types of malware hitting large companies. In some cases, including the May ransomware attack on Colonial Pipeline, hackers first gained access using compromised accounts. Many such credentials are available for sale online. Alon Gal, co-founder and CTO of security firm Hudson Rock, said that such data is often first collected by stealer malware installed by an attacker attempting to steal cryptocurrency or commit a similar type of crime. The attacker “will likely then try to steal cryptocurrencies, and once he is done with the information, he will sell to groups whose expertise is ransomware, data breaches, and corporate espionage,” Gal told me. 
“These stealers are capturing browser passwords, cookies, files, and much more and sending it to the [command and control server] of the attacker.” NordLocker researchers said there’s no shortage of sources for attackers to secure such information. “The truth is, anyone can get their hands on custom malware,” the researchers wrote. “It’s cheap, customizable, and can be found all over the web. Dark web ads for these viruses uncover even more truth about this market. For instance, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom does mean custom—advertisers promise that they can build a virus to attack virtually any app the buyer needs.” NordLocker hasn’t been able to identify the malware used in this case. Gal said that from 2018 to 2019, widely used malware included Azorult and, more recently, an info stealer known as Raccoon. Once infected, a PC will regularly send pilfered data to a command and control server operated by the attacker. In all, the malware collected account credentials for almost 1 million sites, including Facebook, Twitter, Amazon, and Gmail. Of the 2 billion cookies extracted, 22 percent remained valid at the time of the discovery. The files can be useful in piecing together the habits and interests of the victims, and if the cookies are used for authentication, they give access to the person’s online accounts. NordLocker provides other figures here. People who want to determine if their data was swept up by the malware can check the Have I Been Pwned breach notification service, which has just uploaded a list of compromised accounts.
  6. FreakOut malware worms its way into vulnerable VMware servers A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability. The malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems. FreakOut spreads itself by exploiting a wide range of OS and apps vulnerabilities and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet controlled by its masters. The malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine for Monero cryptocurrency. Malware upgraded with new exploits As Cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the malware's spreading capabilities since early May, when the botnet's activity suddenly increased. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said. FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server. For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials. 
While early FreakOut versions were able to exploit only vulnerable versions of Liferay, Laravel, WebLogic, TerraMaster, and Zend Framework (Laminas Project) web apps, the latest ones have more than double the number of built-in exploits. Newly added exploits to malware variants observed by Cisco Talos in May include:
     • VestaCP — VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
     • ZeroShell 3.9.0 — 'cgi-bin/kerbynet' Remote Root Command Injection
     • SCO Openserver 5.0.7 — 'outputform' Command Injection
     • Genexis PLATINUM 4410 2.1 P4410-V2-1.28 — Remote Command Execution vulnerability
     • OTRS 6.0.1 — Remote Command Execution vulnerability
     • VMWare vCenter — Remote Command Execution vulnerability
     • An Nrdh.php remote code execution exploit for an unknown app
     • Python versions of EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147) exploits
Thousands of VMware servers exposed to attacks The VMware vCenter vulnerability (CVE-2021-21972) is present in the vCenter plugin for vRealize Operations (vROps) and is particularly interesting because it impacts all default vCenter Server installations. Thousands of unpatched vCenter servers are currently reachable over the Internet, as shown by Shodan and BinaryEdge. Attackers have previously mass scanned for vulnerable Internet-exposed vCenter servers after security researchers published a proof-of-concept (PoC) exploit code. Russian Foreign Intelligence Service (SVR) state hackers have also added CVE-2021-21972 exploits to their arsenal in February, actively exploiting them in ongoing campaigns. VMware vulnerabilities have also been exploited in the past in ransomware attacks targeting enterprise networks. As Cisco Talos revealed, FreakOut operators have also been seen deploying a custom ransomware strain showing that they are actively experimenting with new malicious payloads. 
Multiple ransomware gangs, including RansomExx, Babuk Locker, and Darkside, previously used VMWare ESXi pre-auth RCE exploits to encrypt virtual hard disks used as centralized enterprise storage space. "Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems," Svajcer added. "Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems."
  7. New SkinnyBoy malware used by Russian hackers to breach sensitive orgs Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28. The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks targeting military and government institutions earlier this year. Classic tactics, new tool SkinnyBoy is intended for an intermediary stage of the attack, to collect information about the victim and to retrieve the next payload from the command and control (C2) server. According to Cluster25 threat research company, APT28 likely started this campaign at the beginning of March, focusing on ministries of foreign affairs, embassies, defense industry, and the military sector. Multiple victims are in the European Union but the researchers told BleepingComputer that the activity may have impacted organizations in the United States, too. SkinnyBoy is delivered through a Microsoft Word document laced with a macro that extracts a DLL file acting as a malware downloader. The lure is a message with a spoofed invitation to an international scientific event held in Spain at the end of July. Opening the invitation triggers the infection chain, which starts with extracting a DLL that retrieves the SkinnyBoy dropper (tpd1.exe), a malicious file that downloads the main payload. Once on the system, the dropper establishes persistence and moves to extract the next payload, which is encoded in Base64 format and appended as an overlay of the executable file. 
This payload deletes itself after extracting two files on the compromised system:
     • C:\Users\%username%\AppData\Local\devtmrn.exe (2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce)
     • C:\Users\%username%\AppData\Local\Microsoft\TerminalServerClient\TermSrvClt.dll (ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698)
To keep a low profile, the malware executes these files at a later stage, after creating a persistence mechanism via a LNK file under Windows Startup folder, Cluster25 says in a report shared with BleepingComputer. The LNK file is triggered at the next reboot of the infected machine and looks for the main payload, SkinnyBoy (TermSrvClt.dll), by checking the SHA256 hashes of all the files under C:\Users\%username%\AppData\Local. SkinnyBoy’s purpose is to exfiltrate information about the infected system, download, and launch the final payload of the attack, which remains unknown at the moment. Collecting the data is done by using the systeminfo.exe and tasklist.exe tools already present in Windows, which allow it to extract file names in specific locations:
     • C:\Users\%username%\Desktop
     • C:\Program Files
     • C:\Program Files (x86)
     • C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
     • C:\Users\%username%\AppData\Roaming
     • C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Templates
     • C:\Windows
     • C:\Users\user\AppData\Local\Temp
All the information extracted this way is delivered to the C2 server in an organized fashion and encoded in base64 format. Cluster25 says that the attacker used commercial VPN services to purchase elements for their infrastructure, a tactic that adversaries typically use to better cover their tracks. After observing the tactics, techniques, and procedures, Cluster25 believes that the SkinnyBoy implant is a new tool from the Russian threat group known as APT28. The company has mid-to-high confidence in its attribution. 
In the report today, Cluster25 provides YARA rules for all the tools examined by its researchers (SkinnyBoy dropper, launcher, and the payload itself) as well as a list of observed indicators of compromise that can help organizations detect the presence of the new malware.
  8. Malvertising Campaign On Google Distributed Trojanized AnyDesk Installer Cybersecurity researchers on Wednesday publicized the disruption of a "clever" malvertising network targeting AnyDesk that delivered a weaponized installer of the remote desktop software via rogue Google ads that appeared in the search engine results pages. The campaign, which is believed to have begun as early as April 21, 2021, involves a malicious file that masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant to amass and exfiltrate system information. "The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to 'POST' reconnaissance information such as user name, hostname, operating system, IP address and the current process name," researchers from Crowdstrike said in an analysis. AnyDesk's remote desktop access solution has been downloaded by more than 300 million users worldwide, according to the company's website. Although the cybersecurity firm did not attribute the cyber activity to a specific threat actor or nexus, it suspected it to be a "widespread campaign affecting a wide range of customers" given the large user base. The PowerShell script may have all the hallmarks of a typical backdoor, but it's the intrusion route where the attack throws a curve, signaling that it's beyond a garden-variety data gathering operation — the AnyDesk installer is distributed through malicious Google ads placed by the threat actor, which are then served to unsuspecting people who are using Google to search for 'AnyDesk.' The fraudulent ad result, when clicked, redirects users to a social engineering page that's a clone of the legitimate AnyDesk website, in addition to providing the individual with a link to the trojanized installer. 
CrowdStrike estimates that 40% of clicks on the malicious ad turned into installations of the AnyDesk binary, and 20% of those installations included follow-on hands-on-keyboard activity. "While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets," the researchers said. The company also said it notified Google of its findings, which is said to have taken immediate action to pull the ad in question. "This malicious use of Google Ads is an effective and clever way to get mass deployment of shells, as it provides the threat actor with the ability to freely pick and choose their target(s) of interest," the researchers concluded. "Because of the nature of the Google advertising platform, it can provide a really good estimate of how many people will click on the ad. From that, the threat actor can adequately plan and budget based on this information. In addition to targeting tools like AnyDesk or other administrative tools, the threat actor can target privileged/administrative users in a unique way." Source
  9. Malware caught using a macOS zero-day to secretly take screenshots Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability. Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam or recording the screen — without ever getting consent. XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants also targeting Macs running the newer M1 chip. Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website. But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen. macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by sneaking in under the radar by injecting malicious code into legitimate apps. 
Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions, like Zoom, WhatsApp and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ built-in security defenses. The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam or capture their keystrokes, such as passwords or credit card numbers. It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today. Source: Malware caught using a macOS zero-day to secretly take screenshots
  10. ‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose

‘TeamTNT’ is using a new harvester that targets a wide spectrum of cloud services and software apps. The actors are still targeting Monero wallets and configuration files and are still DDoSing some victims. The hacking group that started as an opportunistic actor is now evolving into a serious threat.

‘TeamTNT,’ the hacking group that was mostly occupied with disseminating XMR cryptominers on exposed Dockers last year, is now targeting cloud service credentials. This change in activity was first noticed and reported by researchers at TrendMicro at the beginning of March, and now, the same team has sampled and analyzed a new credential harvester used by the threat actors.

The intruders deploy a rich repertoire to access the network, including the exploitation of vulnerabilities, using stolen passwords or taking advantage of the existence of misconfigurations. From there, they focus on a range of system types depending on what they can find, then perform network reconnaissance, and finally deploy their new credential harvester.

This malware helps TeamTNT steal user IDs and passwords from the following software and services:

  • Google Cloud
  • Cloudflare
  • Amazon Web Services
  • Shodan
  • Docker
  • SSH
  • Git
  • FileZilla
  • Jupyter
  • Monero wallet
  • SMB clients
  • WebDAV
  • Ngrok2
  • HexChat
  • Pidgin
  • PostgreSQL

So, why is TeamTNT interested in stealing cloud service and software app credentials? One very probable reason would be to engage in planting XMR cryptominers in places where they are unlikely to be found and uprooted before making significant amounts of money for the actors. Another would be to resell these credentials to ransomware groups on the dark web. And a third would be to exfiltrate data from cloud-hosted databases and then sell them to phishing actors and scammers.
TrendMicro points out that the malware actively looks for Monero configuration files and any accessible wallets, so the anonymous crypto remains a key motivation for the actors, or at least that’s what it looks like.

When the malware reaches the end of its routine, it attempts to delete itself from the infected system. Still, according to the analysts, this function isn’t implemented properly yet, so it fails.

One more thing to note is that TeamTNT also engages in DDoS attacks once inside a network, as long as they have some form of an RCE to execute it. This is happening through a special IRC bot called ‘TNTbotinger.’ DDoS attacks can help the actors draw the attention of response teams elsewhere, slow down malware detection and clean-up efforts, or even aid extortion efforts.

In general, TeamTNT has evolved into a significant and wide-scope threat now. Their new harvester is an indication that the particular malware authors are serious about their operation and care to take things to the next level.

Source: ‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose
  11. Hackers Using Microsoft Build Engine to Deliver Malware Filelessly Threat actors are abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems. The actively ongoing campaign is said to have emerged last month, researchers from cybersecurity firm Anomali said on Thursday, adding the malicious build files came embedded with encoded executables and shellcode that deploy backdoors, allowing the adversaries to take control of the victims' machines and steal sensitive information. MSBuild is an open-source build tool for .NET and Visual Studio developed by Microsoft that allows for compiling source code, packaging, testing, deploying applications. In using MSBuild to filelessly compromise a machine, the idea is to stay under the radar and thwart detection, as such malware makes use of a legitimate application to load the attack code into memory, thereby leaving no traces of infection on the system and giving attackers a high level of stealth. As of writing, only two security vendors flag one of the MSBuild .proj files ("vwnfmo.lnk") as malicious, while a second sample ("72214c84e2.proj") uploaded to VirusTotal on April 18 remains undetected by every anti-malware engine. The majority of the samples analyzed by Anomali were found to deliver the Remcos RAT, with a few others also delivering the Quasar RAT and RedLine Stealer. Remcos (aka Remote Control and Surveillance software), once installed, grants full access to the remote adversary, its features ranging from capturing keystrokes to executing arbitrary commands and recording microphones and webcams, while Quasar is an open-source .NET-based RAT capable of keylogging, password stealing, among others. Redline Stealer, as the name indicates, is a commodity malware that harvests credentials from browsers, VPNs, and messaging clients, in addition to stealing passwords and wallets associated with cryptocurrency apps. 
"The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations," Anomali researchers Tara Gould and Gage Mele said. "This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially." Source: Hackers Using Microsoft Build Engine to Deliver Malware Filelessly
  12. A fake MSI Afterburner download page is spreading malware PC and component manufacturer MSI is warning users that malicious actors are leveraging its name to distribute malware. The attackers have created a fake download page for MSI's Afterburner software, and they're using an URL that's made to look official to an unsuspecting user. Afterburner is a graphics card tuning tool that allows users to set clock speeds for the GPU and memory, adjust the voltage, and monitor the temperature of the card. Typically, the software is available for anyone to download from MSI's website, but the official webpage - which you can access here - is currently undergoing maintenance. While the page can be accessed, download links don't work. The attackers seem to be leveraging that, and the website looks nearly identical to the official one, however, the MSI website header is missing, and the official website also features a small icon in the bottom left corner to customize the website cookie settings. This is also missing in the fake website. For reference, the URL being used to impersonate MSI is as follows: https://afterburner-msi.space/. Obviously, we strongly advise against opening the URL or downloading anything from it. If you don't happen to have MSI Afterburner currently installed, you may want to wait a little longer for the official page to be functional again. If you can't wait, at the very least make sure the website you're downloading from is one you can trust and isn't trying to pass itself off as an official MSI page. Source: A fake MSI Afterburner download page is spreading malware
  13. Microsoft: Threat actors target aviation orgs with new malware Microsoft warns of an ongoing spear-phishing campaign targeting aerospace and travel organizations with multiple remote access trojans (RATs) deployed using a new and stealthy malware loader. "In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT," Microsoft said. Attackers' phishing emails spoof legitimate organizations and use image lures posing as PDF documents containing info relevant to several industry sectors, including aviation, travel, and cargo. As Microsoft observed while tracking this campaign, the threat actors' end goal is to harvest and exfiltrate data from infected devices using the RATs' remote control, keylogging, and password-stealing capabilities. Once deployed, the malware allows them to "steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrates data often via SMTP Port 587." Aviation-themed spear-phishing email (Microsoft) RAT loader designed to bypass detection The newly discovered loader monetized under a Crypter-as-a-Service model, named Snip3 by Morphisec malware analysts, is used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads on compromised systems. Links abusing legitimate web services and embedded within the phishing messages download the first-stage VBScript VBS files that execute a second-stage PowerShell script which in turn executes the final RAT payload using Process Hollowing. VBS files used as initial infection vector (Hossein Jazi) Snip3 also comes with the ability to identify sandboxing and virtual environments according to Morphisec, which makes it particularly capable of circumventing detection-centric anti-malware solutions. 
To evade detection, the malware loader uses additional techniques including:

  • the execution of PowerShell code with the 'remotesigned' parameter
  • use of Pastebin and top4top for staging
  • compilation of RunPE loaders on the endpoint in runtime

[Image: Snip3 attack flow]

Organizations can use sample queries shared by Microsoft for advanced hunting using Microsoft 365 Defender to help them locate and investigate similar suspicious behavior related to this ongoing phishing campaign. Among the potentially malicious activity advanced hunting queries can unearth, they can help detect:

  • Snip3 communication protocols (with recent campaigns targeting the aviation industry)
  • malicious use of RegAsm, RegSvcs, and InstallUtil by Snip3 (potentially hollowed processes used for command-and-control or exfiltration)
  • Snip3 loader-encoded PowerShell command (obfuscated using UTF8 encoding)
  • Snip3 loader call to DetectSandboxie function (used in RevengeRAT and AsyncRAT instance)
  • keywords associated with Snip3 campaign emails from April and May 2021

Indicators of compromise associated with this spear-phishing campaign including malware sample hashes and RAT command and control domains can be found at the end of Morphisec's Snip3 report.

Source: Microsoft: Threat actors target aviation orgs with new malware
  14. Bulletproof hosting admins plead guilty to running cybercrime safe haven Four individuals from Eastern Europe face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to running a bulletproof hosting service as a safe haven for cybercrime operations targeting US entities. The bulletproof hosting service was founded by Russian citizens Aleksandr Grichishkin and Andrei Skvortsov, who hired Lithuanian Aleksandr Skorodumov and Estonian Pavel Stassi as the organization's system admin and administrator, respectively. Grichishkin and Skvortsov were the ones overseeing marketing, personnel management, and client support, while Skorodumov and Stassi were responsible for keeping all systems running and helping clients behind malware and botnet operations to optimize their "services." A safe haven for malware operations According to a DOJ press release published today, their service provided multiple cybercrime-affiliated clients with the infrastructure needed in malicious campaigns running between 2008 and 2015. "The group rented Internet Protocol (IP) addresses, servers, and domains to cybercriminal clients, who used this technical infrastructure to disseminate malware used to gain access to victims’ computers, form botnets, and steal banking credentials for use in frauds," the DOJ said. "Malware hosted by the organization included Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, which rampantly attacked U.S. companies and financial institutions between 2009 and 2015 and caused or attempted to cause millions of dollars in losses to U.S. victims." Other services provided by their bulletproof hosting service included registering new infrastructure using false or stolen identities to help clients circumvent law enforcement efforts to block their attacks. 
A key service provided by the defendants was helping their clients to evade detection by law enforcement and continue their crimes uninterrupted; the defendants did so by monitoring sites used to blocklist technical infrastructure used for crime, moving “flagged” content to new infrastructure, and registering all such infrastructure under false or stolen identities. — DOJ Responsible for millions of dollars in losses "Over the course of many years, the defendants facilitated the transnational criminal activity of a vast network of cybercriminals throughout the world by providing them a safe-haven to anonymize their criminal activity," said FBI Special Agent in Charge Timothy Waters. "This resulted in millions of dollars of losses to U.S. victims. Today’s guilty plea sends a message to cybercriminals across the globe that they are not beyond the reach of the FBI and its international partners, and that anyone who facilitates or profits from criminal cyber activity will be brought to justice." All four defendants pleaded guilty to one count of RICO conspiracy in February, March, and May 2021. Stassi, Skorodumov, Grichishkin, and Skvortsov will receive their sentence on June 3, June 29, July 8, and Sept. 16. Each of the four defendants faces a maximum penalty of 20 years in prison that a federal district court judge will set after considering Sentencing Guidelines and other statutory factors. The FBI investigated the case with assistance from law enforcement partners from the United Kingdom, Germany, and Estonia. Source: Bulletproof hosting admins plead guilty to running cybercrime safe haven
  15. New Windows 'Pingback' malware uses ICMP for covert communication Today, researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities. Dubbed "Pingback," this malware targets Microsoft Windows 64-bit systems, and uses DLL Hijacking to gain persistence. Abuses real Windows service to load malicious DLL Today, Trustwave senior architect Lloyd Macrohon and principal security researcher Rodel Mendrez, have released their findings on a novel Windows malware that exists as a 64-bit DLL. Of note is the malware sample's choice of the communication protocol being ICMP, which is also used by the popular ping command and the Windows traceroute utility. The malicious file in question is a mere 66-KB DLL called oci.dll, and is typically dropped within Windows "System" folder by another malicious process or attack vector. The researchers soon realized that this DLL was not being loaded by the familiar Windows application rundll32.exe, but instead relied on DLL Hijacking. Process tree of the malicious DLL being loaded by legitimate Windows processes Source: Trustwave "We knew that the file was suspicious during our initial triaging, but we could not figure how it was loaded into the system because the DLL was not loaded through traditional rundll32.exe," state Macrohon and Mendrez. DLL Hijacking is a technique used by attackers on Windows systems that involves placing a malicious DLL file in one of the folders trusted by the Windows operating system, such that a legitimate system application picks up and runs the malicious DLL file. In this manner, attackers can exploit a real, trusted Windows process to execute their arbitrary malicious code. Last year, BleepingComputer had reported, about 300 Windows executables could be abused for DLL Hijacking. 
In this case, Trustwave's researchers identified it was the Microsoft Distributed Transaction Control (msdtc) service being abused to load the malicious oci.dll. In fact, msdtc.exe is present on the list of over 300 Windows executables that make the perfect candidates for DLL Hijacking, as compiled by PwC researcher Wietze Beukema.

On launch, the Windows msdtc service searches for 3 DLLs to load: oci.dll, SqlLib80.dll, and xa80.dll. The real oci.dll represents an Oracle library (Oracle Call Interface) that exists for supporting and interacting with Oracle databases. But, here's the catch: "By default, the three Oracle DLLs do not exist in the Windows system directory."

"So, in theory, an attacker with system privileges can drop a malicious DLL and save it using one of the DLL filenames that MTxOCI loads," explain the researchers.

Although the researchers experimented with dropping all 3 DLL filenames on Windows, they found that only oci.dll could be seamlessly loaded by the msdtc service.

But, where does the malicious oci.dll come from? While the initial entry vector is still being investigated, the researchers suspect that another malware sample, updata.exe, is behind both dropping the malicious oci.dll in the Windows "System" folder and configuring msdtc to run on every startup.

As analyzed by BleepingComputer, updata.exe indeed executes a sequence of commands to configure msdtc to run persistently and further drops oci.dll:

    sc stop msdtc
    sc config msdtc obj= Localsystem start= auto
    sc start msdtc

[Image: updata.exe configures msdtc to run persistently. Source: BleepingComputer (analyzed on ANY.RUN)]

Uses ICMP tunneling for covert communication

The oci.dll malware, once launched by msdtc, uses ICMP for stealthily receiving commands from its C2 server. Trustwave researchers who named this malware "Pingback," state that the advantage of using ICMP for communications is that Pingback remains effectively hidden from a user.
That's because ICMP has no concept of "ports" and uses neither TCP nor UDP. As such, oci.dll may not be picked up by diagnostic tools like netstat. Every ICMP packet, however, does contain a "data" field with enough space to sneak in custom data within the field and to transmit it back and forth between two systems: ICMP packet with "data" field being used by malware to receive bot commands Source: Trustwave "The ICMP data section is where an attacker can piggyback an arbitrary data to be sent to a remote host. The remote host replies in the same manner, by [piggybacking] an answer into another ICMP packet and sending it back," explain Macrohon and Mendrez. Pingback malware (oci.dll) simply listens for any and all inbound ICMP packets on an infected system and selectively parses packets with sequence numbers: 1234, 1235, or 1236. An incoming ICMP packet with sequence number 1234 indicates to the malicious process that this request contains payload or commands, whereas 1235 and 1236 are Pingback's way of keeping track of and acknowledging if a request has been received on either end. The data received can contain C2 commands like shell, download, upload, exec, etc. In essence, these commands are used to transmit data back and forth between the attacker-controlled server and the infected system and enable a remote attacker to execute other arbitrary commands on the infected system. BleepingComputer also noticed, oci.dll referenced a fictitious file path named after Visual Studio 2008 that may appear to contain legitimate project data to a casual observer, but is likely used by the Pingback malware for its nefarious activities, such as data storage: c:\Users\XL\Documents\Visual Studio 2008\Projects\PingBackService0509\x64\Release\PingBackService0509.pdb "ICMP tunneling is not new, but this particular sample piqued our interest as a real-world example of malware using this technique to evade detection," state the researchers. 
But, since ICMP also has legitimate use-cases as a diagnostic tool, the researchers' advice is not to disable it, but rather to put monitoring mechanisms in place to detect any suspicious ICMP traffic.

Trustwave's detailed technical findings are provided in a blog post. The researchers have also created a proof-of-concept C2 bot to demonstrate some of Pingback's commands.

The Indicators of Compromise (IOCs) associated with the Pingback malware are provided below:

File: oci.dll
  • SHA256: E50943D9F361830502DCFDB00971CBEE76877AA73665245427D817047523667F
  • SHA1: 0190495D0C3BE6C0EDBAB0D4DBD5A7E122EFBB3F
  • MD5: 264C2EDE235DC7232D673D4748437969

Network:
  • ICMP Type=8
  • Sequence Number: 1234|1235|1236
  • Data size: 788 bytes

Source: New Windows 'Pingback' malware uses ICMP for covert communication
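The network indicators listed in the Pingback article above (ICMP type 8, sequence numbers 1234 to 1236, 788-byte data field) can be turned into a monitoring check along the following lines. This is an added example, not code from the article or from Trustwave; the function names, verdict labels and sample packets are constructed for illustration.

```python
import struct

# Indicators as published in the article above.
PINGBACK_SEQS = {1234, 1235, 1236}
PINGBACK_DATA_LEN = 788
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_icmp(packet: bytes):
    """Parse a raw IPv4 packet; return ICMP fields, or None if it is not
    a well-formed, unfragmented ICMP message."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or packet[9] != 1 or frag & 0x1FFF:
        return None  # bad header, not ICMP, or a non-first fragment
    if total_len < ihl + 8 or total_len > len(packet):
        return None  # truncated capture or bogus length field
    icmp = packet[ihl:total_len]
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": dotted(packet[12:16]),
        "dst": dotted(packet[16:20]),
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "data_len": len(icmp) - 8,
        # A valid message sums to zero when its checksum field is included.
        "checksum_ok": inet_checksum(icmp) == 0,
    }


def classify(packet: bytes) -> str:
    """'match'  = echo request with a listed sequence number AND 788-byte data
    'review' = only one of the two indicators (a long-running ping can reach
               sequence 1234 by coincidence, so this alone is weak evidence)
    'clean'  = anything else."""
    f = parse_icmp(packet)
    if f is None or f["type"] != ICMP_ECHO_REQUEST:
        return "clean"
    seq_hit = f["seq"] in PINGBACK_SEQS
    size_hit = f["data_len"] == PINGBACK_DATA_LEN
    if seq_hit and size_hit:
        return "match"
    return "review" if (seq_hit or size_hit) else "clean"


def scan(packets):
    """Return parsed fields plus verdict for every packet that is not clean."""
    hits = []
    for p in packets:
        verdict = classify(p)
        if verdict != "clean":
            hits.append({**parse_icmp(p), "verdict": verdict})
    return hits


def build_echo(src, dst, ident, seq, data, icmp_type=ICMP_ECHO_REQUEST):
    """Build a constructed IPv4+ICMP packet for the samples below."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


# Constructed sample traffic (documentation address ranges, dummy payloads).
SAMPLES = [
    build_echo("192.0.2.10", "198.51.100.5", 1, 7, b"a" * 32),       # ordinary ping
    build_echo("203.0.113.9", "192.0.2.10", 1, 1234, b"\x00" * 788),  # both indicators
    build_echo("203.0.113.9", "192.0.2.10", 1, 1235, b"\x00" * 788),  # both indicators
    build_echo("192.0.2.10", "198.51.100.5", 1, 1234, b"a" * 32),     # sequence only
    build_echo("192.0.2.10", "203.0.113.9", 1, 1234, b"\x00" * 788,
               icmp_type=0),                                          # echo reply, not type 8
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit["verdict"], hit["src"], "->", hit["dst"],
              "seq", hit["seq"], "data", hit["data_len"])
```

The same three-field test translates directly into a packet-filter or IDS rule; the parser here only makes explicit which header bytes each indicator refers to.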
  16. New Buer Malware Downloader Rewritten in E-Z Rust Language It’s coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground. A variant of the Buer malware, which is being distributed in emails disguised as DHL support shipping notices, comes with a fresh code rewrite in the popular Rust language and looks like it may be in the process of prepping for rental to other cybercrooks. Using the increasingly popular, efficient and easy-to-use Rust programming language will help the malware to slip past detection, Proofpoint researchers said in a post on Monday morning. The rigged emails are coming in two flavors. One is written in the more typical C programming language. The other’s written in Rust: a tactical shift that will help it tiptoe past detection in order to get more clicks. Buer is what’s known as a first-stage downloader: a chunk of malware sold on the underground that threat actors use to get a foothold into compromised networks. These attack tools install other types of malware during and after phishing campaigns. Proofpoint research shows that these downloaders have become increasingly beefy over the past two years, boasting ever-more advanced profiling and targeting capabilities. Proofpoint first came across Buer in 2019, and its researchers spotted the new variant in early April. This is what the DHL-themed, boobytrapped email looks like: Any unfortunates who click on the malicious Microsoft Word or Excel attachment will trigger a drop of the new, Rust-written Buer variant, which researchers are calling RustyBuer. It’s cutting a wide path across the internet: More than 200 organizations across more than 50 verticals have been hit by the campaign, Proofpoint says. The first-stage downloader has a nasty second-stage delivery: In some instances, Proofpoint has seen the phishing campaigns drop a commodity Cobalt Strike beacon. 
Cobalt Strike is a legitimate penetration-testing tool that’s become a favorite among threat actors. But not all the time. In some campaigns, the attackers left out any second-stage payload. From what researchers can determine, that could be because the malware’s authors are setting up the new variant to lease out to other threat actors in the access-as-a-service model in underground marketplaces: a distribution service that’s already been used to profit off of Buer. Multilingual Malware: Not-So-Good News Researchers say that the new, completely rewritten Rust variant is an unusual departure from malware developers’ far more common preference of the C programming language. It’s not clear why the threat actors took the time and effort to translate the code, but there are a few likely possibilities: First, Rust is more efficient, has more features, and is increasingly popular. Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Threatpost in an email on Monday that malware code tweaking is common, while a total rewrite is less so. “Malware authors, like software programmers, will choose a programming language that supports their requirements,” she said. “A complete change in language is rare but not unheard of. We typically see version increments adding features and evasion techniques, not a total switch to a new language. It’s a significant move on the part of the threat actor that is worth noting.” Besides detection evasion, the rewrite offers another benefit: it potentially defeats reverse engineering, which can make detecting it tough for engineers that don’t have prior experience with Rust and defeating anti-detection measures. DeGrippo said that Threatpoint researchers anticipate seeing yet more versions of both Rust and C versions of Buer. As always, the threat actors will use whatever’s at hand to evolve the malware, she said. 
For protection, implementation of a secure email gateway and network detections are a good place to start, DeGrippo said. After that, training comes in handy. “Blocking malicious email before it reaches a target and training users to identify and report suspicious emails is the first step in preventing exploitation of this threat,” DeGrippo said. Who Else Is Getting Rusty? Fellow Rust fans include Microsoft, which joined the Rust Foundation in February and is increasingly using the language in products. That’s notable, given that the company’s products are stuffed with C/C++. All that vitamin C isn’t good for us, apparently: In 2019, Alex Gaynor, a software resilience engineer and former director of the Python Software Foundation and the Django Software Foundation, argued that these “memory-unsafe” languages – i.e., C and C++ – introduce an unacceptable number of security vulnerabilities and that the industry as a whole needs to migrate to memory-safe languages like Rust and Swift by default. Are the Buer downloader developers looking to memory-bug-proof their code? Proofpoint researchers theorize that it’s likely got more to do with slipping past detection. “The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” Proofpoint said in its advisory. “Rewriting the malware in Rust can enable the threat actor to evade existing Buer detections that are based on features of the malware written in C.” Unfortunately, the rewritten variant should maintain compatibility with existing Buer backend command-and-control (C2) servers and panels, researchers say. Don’t Click on the ‘Microsoft’-Labelled Pandora’s Box To beef up the legitimacy of the phishing emails, the malware authors have sprinkled them with logos. 
Here’s an example, sporting Microsoft branding and logos from a handful of security companies. Recipients need to click on the document’s macro in order to initiate an infection. After that the macro will run an application bypass (Windows Shell DLL via LOLBAS) to evade detection from endpoint security. Wondering where the name came from? According to a Wikipedia entry (albeit, one that needs additional citations), it’s a spirit that popped up in the 16th-century grimoire Pseudomonarchia Daemonum. It’s described as a Great President of Hell, is depicted as a lion’s head surrounded by a circle of five legs so it can walk in any direction, and is supposed to command 50 legions of demons: a decent metaphor for malware that gets leased out to cybercriminals and has a penchant for picking up a new tongue. Source: New Buer Malware Downloader Rewritten in E-Z Rust Language
  17. PortDoor Espionage Malware Takes Aim at Russian Defense Sector The stealthy backdoor is likely being used by Chinese APTs, researchers said. A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers. The Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email. The attack began with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder – a tool that Cybereason said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428. RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802). The use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack. “The accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,” according to a Cybereason analysis, published Friday. A Quiet Espionage Malware The RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more. 
Once executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. This includes the command-and-control (C2) server address, a victim identifier and some other minor information.

The malware then creates an additional file in %temp% with the hardcoded name “58097616.tmp” and writes the GetTickCount value multiplied by a random number to it: “This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,” researchers explained.

After that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS – with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.

Then, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which it awaits further instructions. The C2 commands are myriad:

  • List running processes
  • Open process
  • Get free space in logical drives
  • Files enumeration
  • Delete file
  • Move file
  • Create process with a hidden window
  • Open file for simultaneous operations
  • Write to file
  • Close handle
  • Open file and write directly to disk
  • Look for the “Kr*^j4” string
  • Create pipe, copy data from it and AES encrypt
  • Write data to file, append with “\n”
  • Write data to file, append with “exit\n”

PortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis. “The backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,” researchers explained.

Chinese APTs in the Cyberattack Mix – Probably

Cybereason’s analysis did not yield up a specific Chinese APT actor who would likely be responsible for the attack. However, the researchers said they could make some educated guesses.
“There are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,” according to the report. For instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs. “Both the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,” according to the analysis. “When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.” That said, the PortDoor malware doesn’t share significant code similarities with previously known malware used by those groups – leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts. “Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.” Source: PortDoor Espionage Malware Takes Aim at Russian Defense Sector
  18. Stealthy RotaJakiro Backdoor Targeting Linux Systems Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor. Four samples have now been discovered, all using the same C2s. The earliest was discovered in 2018. None of the samples were labeled malware by VirusTotal. The discovery was made by researchers at Chinese security firm Qihoo 360 NETLAB after their BotMon system flagged a suspicious ELF file. Investigation revealed the backdoor malware they named RotaJakiro, because, say the researchers, “the family uses rotate encryption and behaves differently for root/non-root accounts when executing.” The malware supports 12 functions, three of which involve specific plug-ins that are downloaded from the C2s. The researchers have not managed to access any of the plug-ins, so cannot comment on their purpose. However, the functions built into the malware can be categorized as collecting device information, stealing sensitive information, and managing the plug-ins. The researchers do not yet know how the malware spreads or is delivered. Each of the four samples found has the same four C2s embedded. These are news(.)thaprior(.)net, blog(.)eduelects(.)com, cdn(.)mirror-codes(.)net, and status(.)sublineover(.)net. All of them were registered in December 2015, suggesting the malware is possibly older than the confirmed three years. The stealthy nature of the malware is partly down to its rotation through various encryption algorithms while communicating with its C2 servers. “At the coding level,” say the researchers, “RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis.” There are two stages to its C2 communication. 
The initial phase decrypts the C2 list, establishes a connection with the C2, encrypts and sends the online information, and receives and decrypts the information returned by the C2. The second stage is to verify the information received from the C2, and then ‒ if verified ‒ to execute any commands received. Persistence and process guarding are handled differently for infected root and non-root accounts. For process guarding on root accounts, a new process is automatically created when the service process is terminated. On non-root accounts, the malware generates two processes that monitor each other. If one is terminated, the other restores it. It isn’t yet clear whether the malware is designed for a specific category of target, nor what the long-term intention might be. However, the ability to download multiple plug-ins means that its potential for malicious activity should not be underestimated. The researchers note that there are internal similarities between RotaJakiro and the Torii IoT botnet discovered by Avast in 2018. Torii is a full-fledged bot. The second stage can execute commands from the C2 server, while the malware also includes simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, and other capabilities. “Even though our investigation is continuing,” said Avast at the time, “Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the C&C, but by communicating with the C&C, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use,” Avast concludes. Source: Stealthy RotaJakiro Backdoor Targeting Linux Systems
  19. Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research. The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious. "The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules," researchers from ReversingLabs said in a report published today. Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), are a legacy feature incorporated in Microsoft Excel for backward compatibility reasons. Microsoft warns in its support document that enabling all macros can cause "potentially dangerous code" to run. The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines. In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL. 
"Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time," the researchers noted. "Cost of maintaining 30 year old macros should be weighed against the security risks using such outdated technology brings." Source: Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware
  20. Phishing impersonates global recruitment firm to push malware An ongoing phishing campaign is impersonating Michael Page consultants to push Ursnif data-stealing malware capable of harvesting credentials and sensitive data from infected computers. Michael Page is a world-leading employment agency focused on recruiting at the qualified professional and management level for permanent, temporary, contract, or interim positions. The agency is part of the British-based PageGroup recruitment business with operations in the Americas, UK, Continental Europe, Asia-Pacific, and Africa. Attackers spoofing Michael Page UK "We are continuing to experience a global phishing campaign where our employees are being impersonated," Michael Page UK said. "We are confident that no PageGroup system has been compromised," the parent company added, confirming that the attackers haven't breached the recruitment consultancy's servers and are only spoofing employees in the phishing emails sent to random targets. "These phishing emails are being generated from publicly available information not linked to our business and are being then sent on to random email recipients," PageGroup revealed. PageGroup urges those who have received one of these phishing emails or any email coming from Michael Page that looks suspicious "not to reply or click" on any of the embedded links. Never rely on an email signature or name to check the validity of an email, and please never click on a link until you are satisfied that it is from a sender you know. (3/3) — Michael Page UK (@MichaelPageUK) April 22, 2021 Victims baited with executive positions In phishing emails sent as part of this campaign seen by BleepingComputer, attackers posing as Michael Page UK headhunters are luring targets with executive positions. These emails use embedded links to redirect potential victims to phishing landing pages featuring GeoIP and antibot checks, according to a security researcher known as TheAnalyst. 
The victims are then asked to download archives containing malicious macro-enabled Microsoft Excel spreadsheets (XLSM) featuring DocuSign branding, which ask the targets to enable editing to decrypt and open the document. Once the victims enable macros, they are shown a decoy document with information on a fake management position, while the Ursnif malware payload is downloaded and installed on their computer in the background. Malicious phishing document (InQuest) The Ursnif data-stealing malware Ursnif (also known as Gozi v2.0, Gozi ISFB, ISFB, and Pandemyia) is an information-stealing trojan and an offspring of the original Gozi banking trojan (Gozi CRM) whose source code accidentally leaked online in 2010. Since then, malware developers have used the code to build other banking trojan strains, such as GozNym. Once it infects a computer, Ursnif starts recording the victims' keystrokes and the sites they visit, harvests clipboard content, and collects all this info into log files that are sent back to its operators' servers. Using this stolen info, the attackers can steal their victims' login credentials and other sensitive data to further compromise their accounts or networks. Source: Phishing impersonates global recruitment firm to push malware
  21. Cybercriminals Using Telegram Messenger to Control ToxicEye Malware Adversaries are increasingly abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems. "Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app," said researchers from cybersecurity firm Check Point, who have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called "ToxicEye." The use of Telegram for facilitating malicious activities is not new. In September 2019, an information stealer dubbed Masad Stealer was found to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel. Then last year, Magecart groups embraced the same tactic to send stolen payment details from compromised websites back to the attackers. The strategy also pays off in a number of ways. For a start, Telegram is not only not blocked by enterprise antivirus engines, the messaging app also allows attackers to remain anonymous, given the registration process requires only a mobile number, thereby giving them access to infected devices from virtually any location across the world. The latest campaign spotted by Check Point is no different. Spread via phishing emails embedded with a malicious Windows executable file, ToxicEye uses Telegram to communicate with the command-and-control (C2) server and upload data to it. The malware also sports a range of exploits that allows it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for a ransom. 
Specifically, the attack chain commences with the creation of a Telegram bot by the attacker, which is then embedded into the RAT's configuration file, before compiling it into an executable (e.g. "paypal checker by saint.exe"). This .EXE file is then injected into a decoy Word document ("solution.doc") that, when opened, downloads and runs the Telegram RAT ("C:\Users\ToxicEye\rat.exe"). "We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations," Check Point R&D Group Manager Idan Sharabi said. "We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions." Source: Cybercriminals Using Telegram Messenger to Control ToxicEye Malware
  22. WhatsApp Pink is malware spreading through group chats If installed, the fake and malicious WhatsApp Pink app takes full control of a targeted device. An unusual baiting technique has appeared, with WhatsApp users receiving links that claim to turn the application’s theme from its trademark green to pink. It also promises “new features” that have not been specified. Cyber experts have warned users of the messaging application to refrain from opening any such link. The concerning part is that the link has been masked as an official update from WhatsApp, which leaves people oblivious to the malicious intent behind the circulation of the link. If a user ends up clicking on the link, their phone might get hacked and they may even lose access to their WhatsApp account. As is the norm with WhatsApp users, many of them have been sharing this link unknowingly, Hackread.com has discovered. The cybersecurity expert Rajshekhar Rajaharia, who initially discovered the link, warned users through his Twitter account. “Beware of WhatsApp Pink!! A Virus is being spread in Whatsapp groups with an APK download link. Don’t click any link with the name of #WhatsappPink. Complete access to your phone will be lost.” Additionally, users are strictly advised never to install any APK or mobile app other than those available on the official App store of Google or Apple. “Such malicious apps can be used to compromise your phone and steal personal data like photos, SMS, contacts, etc.” When contacted, WhatsApp said, “Anyone can get an unusual, uncharacteristic or suspicious message on any service, including email, and anytime that happens we strongly encourage everyone to use caution before responding or engaging. On WhatsApp in particular, we also recommend that people use the tools that we provide within the app to send us a report, report a contact, or block contact.” Source: WhatsApp Pink is malware spreading through group chats
  23. HackBoss malware poses as hacker tools on Telegram to steal digital coins The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications. Researchers have named the malware HackBoss and say that its operators likely stole more than $500,000 from wannabe hackers that fell for the trick. Fake user interface Although there is nothing sophisticated about HackBoss, the scheme proves to be effective as it tempts victims with the prospect of getting hacking tools, mostly for brute-forcing passwords for banking, dating, and social media accounts. Researchers at Avast analyzing HackBoss note that the malware is packed in a .ZIP file with an executable that launches a simple user interface. Regardless of the options available, the UI’s single purpose is to decrypt and execute the cryptocurrency-stealing malware on the victim’s system. This occurs when clicking any button in the fake interface. The action can also give HackBoss persistence on the system by setting up a registry key to run it at startup or by adding a scheduled task that runs the payload every minute. “The malicious payload keeps running on the victim’s computer even after the application’s UI is closed. If the malicious process is terminated — for example via the Task manager — it can then get triggered again on startup or by the scheduled task in the next minute” - Avast As for the functionality, there’s no complexity to it. The malware is designed to simply check the clipboard for a cryptocurrency wallet and replace it with one belonging to the attacker. When the victim initiates a cryptocurrency payment and copies the recipient’s wallet, HackBoss quickly replaces it, taking advantage of the fact that few users check the string before hitting the pay button. 
Easy money Despite the simple functions, maintaining the cover of a hacking tool distributor requires some effort as each post comes with a bogus description to make it a believable offer. But the endeavor appears to be profitable. Avast researchers say in a blog post today that they found over 100 cryptocurrency wallet addresses associated with the HackBoss operation that received more than $560,000 since November 2018. Not all the funds came from the cryptocurrency-stealing malware though, as some of the addresses have been reported in scams that tricked victims into buying fake software. Data from the Telemetrio service for Telegram and chat statistics shows that the Hack Boss channel has about nine posts per month, each with more than 1,300 views and that it grew to more than 2,800 subscribers. Avast researchers say that HackBoss authors also promote their fake hacking tools outside the Telegram channel, although this remains the main distribution path. One avenue is a blog (cranhan.blogspot[.]com) that advertises fake tools, provides promo videos, and also posts ads on public forums and discussions. Avast provides a lengthy list of indicators of compromise on its GitHub page with hashes and names of the fake applications disguising HackBoss malware and the cryptocurrency wallet addresses (Bitcoin, Ethereum, Litecoin, Monero, Dogecoin) associated with the actor. Source: HackBoss malware poses as hacker tools on Telegram to steal digital coins
  24. Malware Variants: More Sophisticated, Prevalent and Evolving in 2021 A malicious program intended to cause havoc with IT systems—malware—is becoming more and more sophisticated every year. The year 2021 is no exception, as recent trends indicate that several new variants of malware are making their way into the world of cybersecurity. While smarter security solutions are popping up, modern malware still eludes and challenges cybersecurity experts. The evolution of malware has infected everything from personal computers to industrial units since the 70s. Cybersecurity firm FireEye's network was attacked in 2020 by hackers with the most sophisticated form of hacking i.e., supply chain. This hacking team demonstrated world-class capabilities to disregard security tools and forensic examination, proving that anybody can be hacked. Also, the year 2021 is already witnessing a bump in COVID-19 vaccine-related phishing attacks. Let's take a look at the trends that forecast an increase in malware attacks: COVID-19 and Work-from-Home (WFH) In the wake of the COVID-19 pandemic last year, many companies offered remote access to their workforce. Poor remote infrastructure made their networks considerably less open and exposed. Recent research by Deloitte indicates that cybercriminals are exploiting the COVID-19 environment to attack companies, as approximately 24% of employees reported an increase in spam, fraudulent e-mails, and phishing attacks. As many as 26% of employees keep copies of their company's important data in case of technical difficulty when working remotely. This also poses serious data theft security concerns. This puts remote-working organizations at risk to hackers who use modern malware to target them. Evolution of Malware Variants in Q1 2021 This year has already seen several new malware variants appear. 
As of February 2021, some of the most dangerous malware reported is as follows:
     • Fake updates through e-mail — This method involves hackers sending a phony e-mail to users telling them that there is an important update to install. The update is ransomware that encrypts users' documents. The attacker then blackmails the user with severe consequences, including data theft, and asks for a ransom.
     • News updates — Cybercriminals send electronic news updates to users in this kind of attack. If the users unknowingly click one of these links, they provide the hackers with free access to their devices.
     • AI and IoT attacks — The new trend in cybercrime is that criminals create some of the most deadly viruses using Artificial Intelligence to get inside any network. Moreover, they can penetrate IoT devices to gain access to confidential information like passwords.
     • Cryptojacking — A hacker installs cryptojacking malware on mobile phones or computers and mines cryptocurrencies.
     • Clop — Clop ransomware runs on Windows, blocking its different processes and encrypting user files undetected.
     • RaaS — Also known as Ransomware as a Service, it has been hailed as one of the most widespread malware distribution methods this year. The term refers to cybercrime as a service provided by a network of hackers for someone else.
Route to Adequate Malware Protection In today's environment of increasing complexity and advances in malware threats, it is imperative to safeguard against malware. Learning and Adapting Cybercriminals now use a variety of malicious software to compromise a computer system at every stage. For example, hackers can use phishing techniques to gain access to a network then use Emotet to spread across the system by exploiting network loopholes. After that, the attackers use malware such as Trickbot to collect valuable information such as financial details, customer details, credit card details, etc. In the final stage, malware like Conti would encrypt the files and ask for ransom. 
Security teams can stay updated with the best information on the latest variants, capabilities, and potential impact if they know how the malware operates at various stages in a system. Knowing this information will allow them to devise protective measures against the network's resources. Reducing remote work-related security vulnerabilities With the outbreak of the Coronavirus in early 2020, the work environment changed dramatically. It has been almost a year since the virus made employees stay indoors. With the proliferation and thinning of network perimeters, WFH has exposed its infrastructure to malware threats. Because of this, organizations must take into consideration the WFH's cybersecurity arrangements. Furthermore, they must use robust security software on employee systems and use VPN for all work-related activities on the internet. Employee awareness Employees play a vital role in ensuring their company's cybersecurity bubble remains intact. Many malware campaigns begin by sending an e-mail communication to employees. To learn basic cybersecurity hygiene, employees must become familiar with password management, identify and report security threats, and recognize suspicious behavior. Regular content and training will assist employees in countering any malware threats they encounter. Adopt a Culture of Comprehensive Security Given the ongoing evolution of malware attacks and their capability to surpass what they were capable of, organizations should prioritize a strong malware protection strategy. Consultation with experienced cybersecurity experts like Indusface can help them create a solution that meets their needs. Source: Malware Variants: More Sophisticated, Prevalent and Evolving in 2021
  25. Crooks abuse website contact forms to deliver IcedID malware Microsoft researchers spotted a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware. Security experts from Microsoft have uncovered a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware. Threat actors behind the operation are using contact forms published on websites to deliver malicious links to enterprises using emails with fake legal threats. The emails attempt to trick recipients into clicking a link to review supposed evidence behind their allegations, but instead, they start the IcedID malware infection. The IcedID banking trojan first appeared in the threat landscape in 2017; it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force who first analyzed it noticed that the threat does not borrow code from other banking malware, but it implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims. “Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.” reads the analysis published by Microsoft. “The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.” The malicious emails tracked by the experts arrive in the recipient’s inbox as contact form queries and appear trustworthy because they are sent from trusted email marketing systems. The messages originate from the recipient’s own contact form on their website, which means they appear to come from an actual customer interaction or inquiry. 
“As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.” continues Microsoft. The messages composed by attackers include a link to a sites.google.com page where the recipient can view the alleged stolen photos. Upon clicking the link, the recipient is redirected to a Google page that requires them to authenticate using their Google credentials; this trick helps the campaign avoid detection. Once the recipient signs in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file that is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file). The payload is decrypted by using a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, allowing threat actors to remotely control the infected device. Attackers also implemented a secondary attack chain: if the sites.google.com page is not available, users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file. “This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.” concludes the report. Source: Crooks abuse website contact forms to deliver IcedID malware