Tag: malware

Antivirus updates hijacked to drop dangerous malware

Post author By lisa nichols
Post date April 24, 2024
No Comments on Antivirus updates hijacked to drop dangerous malware

[ad_1]

Imagine if your antivirus program infected your computer with malware – that’s exactly what happened to some eScan antivirus users recently.

A new report from Avast has explained how a threat actor, possibly of North Korean affiliation, used a vulnerability in the antivirus program to sideload a backdoor called GuptiMiner.

Apparently, after obtaining an adversary-in-the-middle (AitM) position on the target endpoint, hackers were able to hijack the virus definition update, and have it carry malware, as well. The virus definition database would be updated as normal, but the antivirus program would also be abused to execute and run GuptiMiner.

Kimsuki attacks

The backdoor’s name might be somewhat confusing, because this isn’t a miner – a piece of malicious code that secretly mines cryptocurrency for the attackers. GuptiMiner is a backdoor that analyzes the environment to see if it’s running in a sandbox, disables various antivirus and endpoint protection tools, and drops additional payloads.

Among those additional payloads is, ironically enough, XMRig – an actual cryptocurrency miner.

Avast has attributed this attack to Kimsuki since GuptiMiner is quite similar to the Kimsuky keylogger. Furthermore, in both instances the mygamesonline[.]org domain was used.

XMRig is not the only piece of malicious code that Kimsuki dropped on their targets. There was also an improved version of the Putty Link backdoor, as well as an unnamed, “complex modular malware” that steals private keys, crypto wallet information, and more.

The targets seem to be mostly big corporations.

Since the discovery of the campaign, eScan was notified and has subsequently plugged the hole. According to BleepingComputer, the company also said it received a similar report back in 2019. A year later, it implemented a robust checking mechanism, to ensure the rejection of non-signed binaries.

In conclusion, eScan users should update their antivirus programs immediately, as Kimsuki is still going after those who didn’t patch up.

TP-Link routers are still being bombarded with botnet and malware threats

Post author By lisa nichols
Post date April 19, 2024
No Comments on TP-Link routers are still being bombarded with botnet and malware threats

[ad_1]

More than a year after a patch was released, hackers are still competing to compromise vulnerable TP-Link Wi-Fi routers.

A report from Fortinet claims half a dozen botnet operators are scanning for vulnerable TP-Link Archer AX21 (AX1800) routers after cybersecurity researchers discovered a high-severity unauthenticated command injection flaw in the endpoints early last year.

The vulnerability, tracked as CVE-2023-1389, was patched a few months later, in March 2023.

Working in Russia’s interest

However, a year later, in March 2024, Fortinet discovered that attempts at leveraging this flaw rose beyond 40,000 and up to 50,000 a day. Apparently, multiple groups are doing it at the same time:

“Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt Variant”, Fortinet said in its report.

Different Mirai variants, and a botnet named “Condi” have been identified as going after TP-Link routers since the vulnerability was first disclosed.

Mirai is considered one of the largest and most disruptive botnets out there.

Hackers are always on the lookout for vulnerable, internet-connected endpoints, such as smart home devices, smart speakers, routers, computers, and similar. When they find such devices, they infect them with malware that gives them the ability to run certain commands. The most popular use case is Distributed Denial of Service (DDoS) attacks, in which the compromised machines are tasked with sending meaningless traffic towards a single entity.

Due to the sheer number of traffic requests, the entity is unable to process them all – including legitimate traffic – and crashes, hence the name – denial of service.

To make sure your endpoints are not assimilated into a malicious botnet and used in DDoS attacks, apply the latest patches and firmware updates to all internet-connected devices and make sure they’re protected with a strong password.

Via BleepingComputer

Hackers are loading SVG files with multi-stage malware in new phishing attack

Post author By lisa nichols
Post date April 9, 2024
No Comments on Hackers are loading SVG files with multi-stage malware in new phishing attack

[ad_1]

A sophisticated new phishing attack was spotted in the wild, leveraging a wide variety of tools to bypass antivirus protections and ultimately deliver different Remote Access Trojan (RAT) malware.

According to cybersecurity researchers at Fortinet, an unidentified threat actor was seen sending phishing emails, stating a shipment has been delivered, and attaching an invoice. This attachment, however, is a Scalable Vector Graphics (SVG) file which, when run, triggers the infection sequence.

The SVG file drops a ZIP archive created with BatCloak – a tool designed to help malware bypass antivirus protection. This archive unpacks a ScrubCrypt batch file, which is another antivirus-evading tool which, in turn, sets up persistence, and bypasses AMSI and ETW protections to deliver the Venom RAT.

Rat infestation

While ScrubCrypt was first seen last year, and linked to the 8220 Gang threat actor, Fortinet does not mention if the same group was behind this campaign as well.

Venom RAT is described as a fork of Quasar RAT, and a powerful remote access trojan allowing threat actors full system takeover, sensitive data exfiltration, and more.

“While Venom RAT’s primary program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities,” the researchers said in the report. “This includes Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.

“This [Remcos RAT] plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs,’ ScrubCrypt, and Guloader PowerShell,” they added.

Besides Venom RAT, the researchers observed the malware dropping Remcos RAT, XWorm, NanoCore RAT, and a stealer that grabs information from cryptocurrency wallets such as Atomic Wallet, Electrum, Exodus, Jaxx Liberty, and others. Information from Foxmail and Telegram were also being exfiltrated to a remote server, they concluded.

The best way to protect against these attacks is to be extra careful when receiving emails with links, attachments, or similar calls to action.

Via The Hacker News

Visa warns dangerous new malware is attacking financial firms

Post author By lisa nichols
Post date April 5, 2024
No Comments on Visa warns dangerous new malware is attacking financial firms

[ad_1]

Visa is warning its partners, clients, and customers, of an ongoing phishing attack that aims to deliver a banking trojan.

The Visa Payment Fraud Disruption (PDF) unit sent out a security alert to card issuers, processors, and acquirers, noting it had observed a new phishing campaign that started in late March this year.

The campaign targets mostly financial institutions in South and Southeast Asia, the Middle East, and Africa, and aims to drop a new version of the banking trojan called JsOutProx. “While PFD could not confirm the ultimate goal of the recently identified malware campaign, this eCrime group may have previously targeted financial institutions to conduct fraudulent activity.”

Impersonating legitimate institutions

Unfortunately, we don’t know the name of the threat actor behind the campaign, or the number of companies that fell victim. The researchers speculate, based on the sophistication of the attacks, the profile of the victims, and their geographical location, that the attackers are most likely China-based, or at least China-affiliated.

We also know is that JsOutProx is a remote access trojan that was first spotted in late 2019, and is described as a “highly obfuscated” JavaScript backdoor that allows its users to run shell commands, download additional malware, run files, grab screenshots, control various peripherals, and establish persistence on the target endpoint. It’s hosted on a GitLab repository, apparently.

In the phishing emails, the attackers are impersonating legitimate institutions, showing victims fake SWIFT and MoneyGram payment notifications.

Phishing remains one of the most lucrative ways to deploy malware. It’s cheap and easily scalable, and now with the help of generative artificial intelligence, relatively difficult to spot. IT teams are advised to educate their employees to identify a phishing attack, as well as to install email security software, firewalls, and antivirus tools.

Via BleepingComputer

This previously unknown malware has some crafty tricks for avoiding antivirus

Post author By lisa nichols
Post date April 3, 2024
No Comments on This previously unknown malware has some crafty tricks for avoiding antivirus

[ad_1]

Cybersecurity researchers from Trend Micro have uncovered a brand new piece of malware that uses an unusual method of hiding from antivirus programs.

The malware is called UNAPIMON, and is apparently being used by Winnti, an established Chinese state-sponsored threat actor that was behind some of the most devastating attacks against governments, hardware and software vendors, think tanks, and more.

According to Trend Micro, many malware variants are using a method known as API hooking to eavesdrop on calls, grab sensitive data, and tweak different software. Therefore, many security tools also use API hooking to track the malware.

Simplicity and originality

“With UNAPIMON, things are different. It uses Microsoft Detours for hooking the CreateProcessW API function, which allows it to unhook critical API functions in child processes. As a result, it successfully evades antivirus detection.

A unique and notable feature of this malware is its simplicity and originality,” Trend Micro said in its report. “Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer.”

“In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case.”

Using Microsoft Detours in this regard has other benefits, too, the researchers explained. As this is a legitimate debugging tool, it even evades behavioral detection.

In its writeup, BleepingComputer described Winnti hackers as “known for their novel methods of evading detection when conducting attacks.”

Back in 2020, the group was spotted abusing Windows print processors to hide a piece of malware and persist on the target network. Two years later, they broke a Cobalt Strike beacon into more than a hundred pieces, and only reconstructed it when they needed to use it.

Stay alert — this dangerous Android malware is pretending to be a McAfee security tool

Post author By lisa nichols
Post date April 1, 2024
No Comments on Stay alert — this dangerous Android malware is pretending to be a McAfee security tool

[ad_1]

A new version of a known Android banking trojan is making rounds on the internet, stealing sensitive data, and possibly even money, from its victims.

Cybersecurity researchers from NCC Group’s Fox-IT sounded the alarm of a new, upgraded version of the Vultur banking trojan, first spotted in early 2021 but having received a number of important changes and upgrades since then.

While previous versions were being distributed via dropper apps that were smuggled onto the Play Store, this new version uses a combination of smishing and legitimate app abuse. The researchers said that the attackers would first send an SMS message to their victims, warning them of an unauthorized payment transaction and sharing a phone number for the victim to call.

Full takeover

If the victim takes the bait and calls the number, the attacker then persuades them to download a compromised version of the McAfee Security app. While on the surface the app works as intended, in the background it delivers the Brunhilda malware dropper. This dropper drops three payloads, including two APKs and a DEX file which, after obtaining Accessibility Services, establish a connection with the command and control (C2) server, and grant the attackers remote control over the Android device.

For a trojan, Vultur is quite competent. It can record the screen, log keystrokes, and grant the attackers remote access via AlphaVNC and ngrok. Furthermore, it allows the attackers to download and upload files, install apps, delete files, click, scroll, and swipe through the device, and block different apps from running. It can also display custom notifications and disable Keyguard to bypass the lock screen.

Finally, Vultur encrypts its C2 communications to further evade detection.

As usual, the best way to defend against these threats is to use common sense, and only download apps from legitimate, proven repositories.

Via BleepingComputer

Linux servers targeted by dangerous espionage malware as Windows threat makes the jump

Post author By lisa nichols
Post date April 1, 2024
No Comments on Linux servers targeted by dangerous espionage malware as Windows threat makes the jump

[ad_1]

A dangerous espionage malware, previously only used against Windows devices, is increasingly being observed on Linux machines, too, experts have warned.

Following earlier reports by ESET and Trend Micro, Kaspersky is now warning of the Dinodas Remote Access Trojan (RAT), signaling the rising popularity of the malware.

Kaspersky claims the backdoor is “fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage”. DinodasRAT is designed to monitor, control, and steal data from target endpoints. Besides stealing data, it can run processes, create a remote shell for direct command, or file execution, update and upgrade itself, uninstall itself and delete all traces of its existence.

XDealer and DinodasRAT

Older reports indicate that DinodasRAT is a Linux version of a known Windows RAT dubbed XDealer. Earlier in March, Trend Micro observed the Chinese APT group known as “Earth Krahang” using XDealer against both Windows and Linux systems belonging to “governments worldwide”.

The researchers did not detail how the attackers managed to drop the malware onto target endpoints, but did stress that since October 2023, the targets were mostly located in China, Taiwan, Turkey, and Uzbekistan.

Today, many nation-states are engaged in cyber-warfare, disrupting operations and stealing sensitive data from their adversaries. Besides China, there are notable threats coming from North Korea (Lazarus Group, for example), Russia (Fancy Bear), Iran (Scarred Manticore), and others.

With war raging in Ukraine, China eyeing Taiwan, Israel engaged against Hamas, as well as other potential hotpots (the issues of migration in both Europe and the States, U.S. presidential elections), it is no wonder that not a day goes by without news of state-sponsored hacking groups engaging in cyber-espionage.

The rising popularity of DinodasRAT only demonstrates the increasing use of Linux-powered devices in government agencies around the world.

Via BleepingComputer

PyPI stops signing up new users to try and block malware campaign

Post author By lisa nichols
Post date March 29, 2024
No Comments on PyPI stops signing up new users to try and block malware campaign

[ad_1]

Python Package Index (PyPI), the largest repository of Python packages, has once again been forced to suspend new account and new project registrations.

Cybersecurity experts from both Checkmarx and Check Point observed a large-scale cyberattack in which threat actors tried to upload hundreds of malicious packages to the platform, in an attempt to compromise software developers and mount supply chain attacks.

The packages mimic legitimate ones already uploaded to PyPI, an attack usually called “typosquatting”. It relies on developers being reckless and picking up the malicious version of the package, instead of the legitimate one.

While Checkmarx says the attackers tried to upload some 365 packages, Check Point claims at least 500. Regardless of the total number, the attack’s goal is to get the victims to install an infostealer with persistence capabilities. This infostealer grabs, among other things, passwords stored in browsers, cookies, and cryptocurrency wallet-related information.

Registrations reopened

PyPi seems to have addressed the issue in the meantime, as at the time of writing, registrations were reopened.

PyPI is the world’s biggest repository for open-source Python packages, and as such, is facing a constant barrage of cyberattacks.

In late May 2023, the platform was forced to do the same thing, as it faced an “unimaginable flood of malicious code” being uploaded to the platform.

In an announcement posted on the PyPI status page, the organization said: “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.”

It took the company the entire weekend to lift the suspension.

Via BleepingComputer

Python devs are being targeted by this massive infostealing malware campaign

Post author By lisa nichols
Post date March 26, 2024
No Comments on Python devs are being targeted by this massive infostealing malware campaign

[ad_1]

Cybersecurity researchers from Checkmarx have discovered a new infostealing campaign that leveraged typosquatting and stolen GitHub accounts to distribute malicious Python packages to the PyPI repository.

In a blog post, Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornshtain of Checkmarx said they discovered the campaign after a Python developer complained about falling victim to the attack.

Apparently, the company believes more than 170,000 people are at risk.

Infostealers and keyloggers

The attackers first took a popular Python mirror, Pythonhosted, and created a typosquatted website version. They named it PyPIhosted. Then, they grabbed a major package, called Colorama (150+ million monthly downloads), added malicious code to it, and then uploaded it on their typosquatted-domain fake-mirror. “This strategy makes it considerably more challenging to identify the package’s harmful nature with the naked eye, as it initially appears to be a legitimate dependency,” the researchers explained.

Another strategy involved stealing popular GitHub accounts. An account named “editor-syntax” got their account compromised, most likely via session cookie theft. By obtaining session cookies, the attackers managed to bypass any and all authentication methods and logged directly into the person’s account. Editor-syntax is a major contributor, maintaining the Top.gg GitHub organization whose community counts more than 170,000 members. The threat actors used the access to commit malware to the Top.gg Python library.

The goal of the campaign was to steal sensitive data from the victims. Checkmarx’s researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials, from the biggest browsers such as Opera, Chrome, Brave, Vivaldi, Yandex, and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files, and Instagram data.

Further analysis also discovered that the infostealer was able to work as a keylogger, as well.

Another Microsoft vulnerability is being used to spread malware

Post author By lisa nichols
Post date March 19, 2024
No Comments on Another Microsoft vulnerability is being used to spread malware

[ad_1]

Hackers are using a novel phishing technique to deliver remote access trojans (RAT) to unsuspecting victims.

According to the report, published this Monday, threat actors are using a technique called Object Linking and Embedding (OLE).

This is a Windows feature that allows users to embed and link documents within documents, resulting in compound files with elements from different programs.

New phishing methods

This is according to cybersecurity experts Perception Point, who recently detailed a campaign they dubbed Operation PhantomBlu.

The campaign starts with the usual phishing email, seemingly coming from the victim’s company accounting department. The emails are being sent from a legitimate marketing platform called Brevo, suggesting the platform was most likely compromised in some way.

Attached with the email is a Word “monthly salary report” document. The victims that download the file are first asked to enter a password to open it, and then double-click a printer icon embedded in the doc.

By doing that, the victim runs a ZIP archive file holding a Windows shortcut file, which runs a PowerShell dropper which deploys the NetSupport RAT from a remote server.

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” said Ariel Davidpur, the report’s author, adding the updated technique “showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”

NetSupport RAT is a weaponized version of NetSupport Manager, a legitimate remote control software, first released in 1989. For years now, NetSupport RAT was one of the most commonly used remote access trojans, allowing attackers unabated access to compromised devices. They can then use that access to deploy even more dangerous malware, including infostealers and ransomware.

The best way to protect against these attacks is to be vigilant when receiving emails and only downloading attachments from verified sources.