Search This Blog

Showing posts with label Cisco Talos. Show all posts

Slack and Discord are Being Hijacked by Hackers to Distribute Malware

 

A few famous online collaboration tools, including the likes of Slack and Discord, are being hijacked by hackers to disperse malware, experts have cautioned.

Cisco's security division, Talos, published new research on Wednesday featuring how, throughout the span of the Covid-19 pandemic, collaboration tools like Slack and, considerably more generally, Discord have become convenient mechanisms for cybercriminals. With developing frequency, they're being utilized to serve up malware to victims in the form of a link that looks reliable. In different cases, hackers have integrated Discord into their malware to remotely control their code running on tainted machines, and even to steal information from victims. 

Cisco's researchers caution that none of the methods they found really exploits a clear hackable vulnerability in Slack or Discord, or even requires Slack or Discord to be installed on the victims' machine. All things considered, they essentially exploit some little-analyzed features of those collaboration platforms, alongside their ubiquity and the trust that both clients and systems administrators have come to place in them. 

"People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link," says Cisco Talos security researcher Nick Biasini. "Everybody’s using collaboration apps, everybody has some familiarity with them, and bad guys have noticed that they can abuse them." 

With regards to information exfiltration, the Discord API, for instance, has demonstrated to be quite an effective tool. As the webhook functionality (originally intended to send automated alerts) was intended to have the option to convey any kind of information, and malware oftentimes uses it to ensure stolen information arrives at its intended destination. 

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers say. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”

As texting applications grow in popularity, the threats will develop with them. Organizations should know about the dangers, and cautiously pick which platform to utilize, the researchers concluded.

Masslogger Campaigns Exfiltrates Clients Credentials

 

Assailants are continually reinventing approaches to monetize their tools. Cisco Talos as of late found an intriguing campaign affecting Windows systems and focusing on clients in Turkey, Latvia, and Italy, albeit similar campaigns by the same actor have likewise been focusing on clients in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October and November 2020. The threat actor utilizes a multi-modular approach that begins with the underlying phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. However, it can likewise be a shortcoming, as there are a lot of chances for defenders to break the kill chain. 

Conveyed through phishing emails, the Masslogger trojan's most recent variation is contained inside a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla's security research arm. Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.” 

CHM is an arranged HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Each phase of the infection is obfuscated to avoid detection using simple signatures. The subsequent stage is a PowerShell script that eventually deobfuscates into a downloader and downloads and loads the main PowerShell loader. The Masslogger loaders appear to be facilitated on undermined authentic hosts with a filename containing one letter and one number linked with the filename extension .jpg. For instance, "D9.jpg". 

Masslogger is not an entirely new creation of the malware industry: Talos highlighted research by infosec chap Fred HK. He ascribed it to a malware underground persona who goes by the handle of NYANxCAT. Costs for Masslogger were apparently $30 for three months or $50 for a lifetime license. Cisco's analysis showed that Masslogger “is almost entirely executed and present only in memory” with just the email attachment and the HTML help file.

Cisco Talos Researchers Discovered Multiple Susceptibilities in SoftMaker Office TextMaker

 

Cisco Talos researchers exposed multiple vulnerabilities in SoftMaker Office TextMaker that can be exploited by cyber attackers. These vulnerabilities in SoftMaker office can be exploited for arbitrary code execution by generating malicious documents and deceiving victims into opening them. 

SoftMaker Office TextMaker is a German-based software developer; it has various suites like a spreadsheet, word processing, presentation, and database software components, and all these well-liked software suites are presented to individuals and enterprises. The common and internal document file formats also acquire the support of the SoftMaker office suite. 

The foremost issue is a sign extension bug, CVE-2020-13544 which influences the document-analyzing functionality of SoftMaker Office TextMaker 2021 and the subsequent vulnerability has been traced as CVE-2020-13545 which is a sign altering flaw in the same document-analyzing of the application. 

Cisco Talos researchers illustrated that “a specially crafted document can cause the document parser to sign-extend a length used to terminate a loop, which can later result in the loop’s index being used to write outside the bounds of a heap buffer during the reading of file data”. A heap-based memory can be corrupted by an attacker who can adeptly design a document which can lead to the document analyzer. 

The document analyzer can misjudge the length while assigning a buffer which will lead the application to be written outside the bounds of the buffer. Traced as CVE-2020-13546, the flaw is detected to affect the SoftMaker Office 2021 by integer overflow susceptibility. 

SoftMaker office 2021 was evaluated with a Common Vulnerability Scoring System (CVSS) of 8.8 and now all three vulnerabilities are secured. The most threatening issue was that the attacker can exploit the loophole in the SoftMaker office in 2021 from any remote location.