Jump to content

Search the Community

Showing results for tags 'trojanized'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 2 results

  1. Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users A trojanized version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and tracks the websites they visit. More than 860 transactions are registered to three of the attackers' wallets, which received about $40,000 in Bitcoin cryptocurrency. Careful impersonation The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that are have been optimized to rank high in queries for drugs, cryptocurrency, censorship bypass, and Russian politicians. Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software. Cybercriminals were careful with selecting the two domain names (created in 2014) since to a Russian user they appear to be the real deal: tor-browser[.]org torproect[.]org - for Russian-speaking visitors, the missing "j" may be seen as a transliteration from Cyrillic Furthermore, the design of the pages mimic, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is updated, regardless of the version they run. Translated into English, the message reads: "Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button “Update" In Pastebin messages, the cybercriminals advertise that users would benefit from anti-captcha feature allowing them to get faster to the destination. This is not true, though. Underneath this Tor Browser impersonator is version 7.5 of the official project, released in January 2018. Getting the cryptocurrency The downloaded script can modify the page by stealing content in forms, hiding original content, showing fake messages, or add its own content. These capabilities allow the script to replace in real-time the destination wallet for cryptocurrency transactions. The JavaScript observed by ESET does exactly this. The targets are users of the three largest Russian-speaking darknet markets, the researchers say. For the payload they observed (image above), the script also alters the details for the Qiwi payment service provider. When victims add Bitcoin funds to their account, the script jumps in and changes the wallet address with one belonging to the attackers. Since cryptocurrency wallets are a large string of random characters, users are likely to miss the swap. Darknet profile with altered Bitcoin address At the moment of publishing, the three cryptocurency wallets controlled by the attackers recorded 863 transactions. These are small transfers, supporting the theory that the funds came via the trojanized Tor Browser. One of them received more than $20,000 from over 370 transactions. The largest balance, though, is currently around $50 in one wallet and less than $2 in the other two. The three wallets have been used for this purpose since 2017, the researchers found. Although the amount of Bitcoins that passed through these wallets is 4.8, the total proceedings for the attackers is likely higher because Qiwi payment details are also altered. Source: Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users
  2. An active APT campaign aimed at tech companies is underway, which also uses a legitimate NVIDIA graphics function. A suspected Chinese advanced persistent threat (APT) group has been spotted attacking tech companies using a trojanized screen-reader application, replacing the built-in Narrator “Ease of Access” feature in Windows. The attackers also deploy a version of the open-source malware known as the PcShare backdoor to gain an initial foothold into victims’ systems. Using the two tools, the adversaries are able to surreptitiously control Windows machines via remote desktop logon screens, without the need for credentials. PcShare Backdoor The attacks begin by delivering the PcShare backdoor to victims via spearphishing campaigns. It has been modified and designed to operate when side-loaded by a legitimate NVIDIA application. It is “specifically tailored to the needs of the campaign, with additional command-and-control (C2) encryption and proxy bypass functionality, and any unused functionality removed from the code,” explained researchers with BlackBerry Cylance, in an analysis posted on Wednesday. The unused functionality includes audio/video streaming and keyboard monitoring, suggesting that it’s strictly being used to install other malware. Interestingly, it arrives with a bespoke loader that uses the aforementioned DLL sideloading technique. “The DLL is side-loaded by the legitimate NVIDIA Smart Maximise Helper Host application (part of NVIDIA GPU graphics driver), instead of the original NvSmartMax.dll that the program normally uses,” said the firm. “Its main responsibility is to decrypt and load the encoded payload stored either in its .data section, or in a separate DAT file.” The PcShare’s use of the legitimate application allows the attack takes on additional levels of stealthiness, said researchers. “The use of DLL side-loading technique together with a bespoke loader utilizing memory injection ensures that the main backdoor binary is never dropped to the disk,” the researchers explained. “A simple but effective anti-sandboxing technique of payload-encoding based on execution path is also implemented to avoid detection.” Further, the C2 infrastructure is also obfuscated; while the URL that the malware beacons to is delivered in plain text, the address actually points to a remote file containing the actual details of how to communicate with the C2. “This allows the attackers to easily change the preferred C2 address, decide the timing of the communication, and – by applying server-side filtering – restrict revealing the real address to requests coming from specific regions or at specific times,” said researchers. After gaining access to the victim’s machine, the attackers then deploy a range of post-exploitation tools, many of them based on publicly available code often found on Chinese programming portals, according to researchers. One of these is a bespoke trojan, Fake Narrator, that abuses Microsoft Accessibility Features to gain SYSTEM-level access on the compromised machine. Abusing Narrator Once the attackers have obtained administrative privileges in the victim’s system, the next order of business is to replace Narrator.exe with a trojanized version, which will give the attacker the ability to run any program with system privileges. The Narrator executable is a Windows utility that reads the text on the screen aloud for the visually impaired. It can be invoked on the login screen with a keyboard shortcut, which provides permanent system-level access. “Once the Fake Narrator is enabled at the logon screen via ‘Ease of Access’, the malware will be executed by winlogon.exe with SYSTEM privileges,” explained researchers. Upon execution, the trojanized fake Narrator will first run the original legitimate Narrator, then register a window class (“NARRATOR”) and create a window (“Narrator”). “The window procedure creates a dialog with an edit control and a button called ‘r,’ while a separate thread constantly monitors keyboard strokes,” researchers explained. “If the malware detects that a specific password has been typed (hardcoded in the binary as ‘showmememe’ string), it will display the previously created dialog. This will allow the attacker to specify the command, or the path to a file to execute via an edit control.” Typing the attacker’s defined password will allow the attacker to spawn any executable, also running under the SYSTEM account, at the logon screen. Researchers explained that this technique ultimately allows a malicious actor to maintain a persistent shell on a system without requiring valid credentials. “This binary is quite novel …[in that] it spawns a copy of the original Narrator.exe and draws a hidden overlapped window, where it waits to capture specific key combinations known only to the attacker,” researchers explained. “When the correct passphrase has been typed, the malware will display a dialog that allows the attacker to specify the path to a file to execute.” In the Wild So far, the attacks have hit tech companies in the Southeast Asia area, according to Cylance telemetry. As for who’s behind them, precise attribution of these attacks has proven elusive. “The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines,” the researchers said. Source
  • Create New...