Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software

A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” happens to be the name of the infamous ransomware which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of –the-art attacks that are lucrative to the highest extent.

And by way of the recent stunt they’ve pulled they stand a handsome chance of extorting ransom payments in exchange for decrypting files and locked networks on the Windows system.

Actually, the ransomware poses to be an anti-virus software and hence the users are tricked into downloading and installing it.

The attacks like many others begin with “phishing emails” that claim to be from Microsoft and stating that the victim’s PC is under some risk, threat or is corrupted.

Luring the user into downloading the anti-virus by assessing a download link, if the user goes through with it, two downloads are retrieved.

According to sources, they are Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface gets displayed on their desktop but still requires user interaction during the installation process all the while distracting the user from the actual con.

The victim would immediately be confronted with a ransom note, once the installation gets done with, demanding crypto-currency in exchange for unlocking the file.

Malware have usually been hidden under skins of actually legitimate applications and software, in the above scenario an official unmodified ESET AV Remover was made use of.

Any other potential application could be exploited and used in this way to fool the not so well cyber-educated and even tech savvy users.

The file-locking malware is relatively new in the market but powerful nonetheless and with the enhanced tendencies of tactic and work being done on it.

Various cyber-cons still try to upgrade old threats and make use of latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one ways.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.

A Defensive Malware On The Cyber To-Do List of Japanese Government

Japanese government likes to stay ahead of disasters, be it natural or for that matter, cyber-crime related.

In the same spirit Japan’s Defense Ministry has decided to create and maintain cyber-weapons in the form of “Malware”.

The malware is all set to contain viruses and backdoors and would be the first ever cyber-weapon of Japan’s.

According to sources, it will be fabricated not by government employees but professional contractors tentatively by the end of this fiscal year.

The capabilities and the purpose or the way of usage hasn’t been out in the open yet.

Reports have it that the malware is just a precautionary measure against the attacker if in case the Japanese institutions are ever under attack.

As it turns out the malware is one of the endeavors of the Japanese government towards modernizing and countering China’s growing military threat.

The country also plans on widely expanding its reach into cyber battlefield (which is now an actual battle field) tactics.

Many major countries ambiguously have been using cyber weapons and now Japan’s next on the list.

The country’s government believes, being cyber ready and holding a major cyber-weapon in hand would keep countries that wish to attack at bay.

But as it turns out, this tactic hasn’t fared well with other countries as much as they’d like to believe.

This happens to be the second attempt at creating a cyber-weapon stash after 2012 which didn’t bear results like it should’ve.

Earlier this year the Japanese government passed a legislation allowing the National Institute of Information Communications Technology to hack into the citizens’ IoT devices using default or weak credentials during a survey of insecure Iot devices.

All this was planned to secure the Iot devices before the Tokyo 2020 Olympics to avoid Olympic Destroyer and attacks like VPNFilter.

So it turns out, that these efforts at strengthening the cyber game of Japan’s originate from the chief of Japan’s Cyber-security department who happens to not even OWN or USE a computer.

There are tens of thousands of cyber criminals in the world, says kaspersky

Russian experts from Kaspersky Lab, the company, specializing in the development of protection systems against computer viruses, spam, hacker attacks and other cyber threats, revealed the details of hackers. According to them, there are currently tens of thousands of cybercriminals on the Internet, of which at least 14 hacker groups specializing in certain groups of users and organizations are Russians.

According to experts, financial cybercriminals are the largest group. They attack banking infrastructure, business and individuals. There are several schemes giving the opportunity to withdraw funds from corporate accounts and go unpunished.

There are also a number of hacker groups developing phishing and spyware programs. They are the most technically equipped.

The drops, which are responsible for contacts with the physical world, risk more than others. Next in the list are botters, or operators, who remotely control malicious computer software.

"In total, there are several tens of thousands of hackers in the world who must be constantly trained. Inexperienced hackers can simply lose their jobs without new knowledge due to the active development of technology ", — said the experts of Kaspersky Lab.

Hackers mainly communicate among themselves in half-closed or closed forums. They have the opportunity to discuss, group and involve third-party experts to cooperate. Every day several dozens of new topics appear on such forums. An entry ticket to closed forums can be an entrance fee or recommendation from a hacker with a reputation. Top spyware developers usually ignore the forums. According to experts, only several hundred people in the world are in the highest category of hackers.

Hackers reportedly helped the daughter of a celebrity to win the show "The Voice Kids Russia"

A loud scandal occurred on the weekend at the Russian television program "Voice of Children". The reason is the final vote, as a result of which Mikella Abramova, the daughter of the famous Russian singer Alsu, won the final of the show with a huge difference of votes. The management of the First Channel Russia demanded a thorough investigation of the incident. Some stars of show business expressed that there was a falsification.

The experts believe that there are several possibilities why the daughter Alsu unexpectedly won with a huge margin, without being the favorite in the final. Experts do not exclude that there was a hacker attack.

Alsu's family decided not to comment on the incident until the results of the vote verification in the final of the show, which the First channel instructed to make an international company Group-IB, are announced. It is noteworthy that this company is an official partner of Interpol. It is known that the counting of votes took place automatically, so now there is a manual verification of each vote, which can take a long time.

A specialist in independent cybercrime investigations said that high-level hackers could substitute the final results of the vote or install an algorithm in the automatic vote counting system, according to which one vote was taken as several.

"It is quite easy to check, there will be a significant difference between the recorded votes and the controversial result. Also, insiders, who in their own interests influence the process, can conduct an attack,” the expert explained.

The expert noted that his colleagues will first analyze the electronic journals of the site to identify deviations. Moreover, manual cheating was used when interested people buy several SIM cards and send SMS in favor of the desired people. The specialist stressed that they need more time and court permission to check this method of fraud.

According to the expert, the second possibility why the daughter Alsu unexpectedly won the show, is the mistakes of the voting system. The expert does not completely exclude the second possibility because from time to time there are news that bugs were discovered on the websites of law enforcement agencies. And not so long ago, students found a vulnerability in the ambulance substation program.

Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data

In order to install a new variant of a malware known as "Sodinokibi", con men are taking advantage of the remote code execution vulnerability in Oracle Weblogic Server.

The vulnerability which has been recently discovered on versions
10.3.6.0, 12.1.3.0 of Oracle WebLogic Server, allows people with HTTP access to execute the attack without any verification.
Reportedly, a patch has been issued by the computer sofyware company on April 26.

The foundation of the attacks was laid around April 25 and it was on the next day, i.e., April 26, the hackers secured connections with multiple HTTP servers which were vulnerable, as per the findings of Talos Investigation.

The vulnerability has been exploited by the hackers to download the malware copies from servers administered by con men and to corrupt various legitimate sources and make alterations to repurpose it.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infects?

It begins with the HTTP POST request which carries certutil command to execute the infectious files upon downloading.

As soon the malicious process starts, it triggers the vssadmin.exe utility, which on being executed assists Windows in generating some sort of backup, either automatic or manual.

After this, the ransomware attempts to hinder the recovery process by terminating backup mechanism.

Users can reach the security alert posted by Oracle and are advised to fix the forementioned (CVE-2019-2725) vulnerability.

Justdial Smacked By a Subsequent Security Breach in Two Weeks; Poor OpSec To Blame!

Justdial is a renowned Indian hyper-local search engine which recently became prone to two security breaches in the span of two weeks.

Only a few weeks ago, the database of all the customers of Justdial was laid bare on the dark web and now the reviewers’ data got on the line.

The company that has beyond 134 million QUA can’t afford to make such reckless mistakes.

April 18^th saw the private data including names, addresses, email IDs etc. of over 100 million users which was stored in the search engine’s database to be laid out in the open.

The organization owed the breach to an expired API which allowed anyone to access the data of users. Major percentage of the affected included the hotline number users.

Security researchers were the first to discover the breaches that so thrashed Justdial. They also cited that no specific actions against them were taken.

These claims were denied by Justdial mentioning that the data was stored in a double-encrypted format.

The same group of researchers again found out a lacuna in the API of Justdial on April 29^th.

Herein the people who post reviews were harmed in the form of their data being exposed.

Reportedly, the API connected to Justdial’s reviewers’ database had been unprotected since the company’s foundation.

Hence, the reviewers’ names, mobile numbers, locations and all became easily accessible thanks to the loophole.

But this issue was immediately fixed, according to the reporters.

No matter what happened, the unprotected database and the loophole contributed largely to the data breaches.

Justdial employs a humongous database and hence has large number of data stored within it.

Weak API and poor “Operation Security” is majorly to blame for all the breaches Justdial saw in these couple of weeks.

According to security researchers, API handlers and managers should be employed. Also easily implemented software switch could help in protecting the access points.

Also the first breach should have been taken seriously and used as a means of learning to help secure the system from future attacks.

It is evident that the company needs to strengthen their operational security and up their game in terms of securing the present loopholes and possible lacunae.

UK : Social Media Executives To Be Held Accountable For Destructive Content!

Reports have it, that according to a recent proposal of the UK authorities, social media executives shall be personally blamable for the harmful content on their platforms.

The freshly published paper in which the details were mentioned is just a tactic to restrict the spread of violent and detrimental content related to suicides and cyber bullying.

Disinformation, is another theme eluded upon along with the rising need for companies to hold their ground against terroristic, child abusive, and sexually abusive content.

The regulations and guidelines in the aforementioned paper also mention the requirement for every individual regulator to impose the rules.

Its’s high time, the online companies took responsibility for what content their platforms displayed, in an attempt to reinstate trust in technology within the society.

Files hosting sites, chat forums, messaging services, search engines and social media platforms alike will come under the belt of the aforementioned measures.

If not adhered to, the policies also mention within them strong punishments for companies including substantial fines and blocking access.

This is a great action which has potential to bring change. The implementation although could not be as simple as it all sounds.

The above-mentioned set of guidelines would provide for a stable code of conduct for everyone on the social media which if complied to, will lead to safer platforms.

But, the implementation, is still in question along with other questions like, Will the regulatory approach be different for smaller companies?

Social media regulation and the improvements it requires is on everyone’s mind, of late because of the mosque shooting in New Zealand.

The shooting was live streamed on Facebook and other social media sites like Instagram, YouTube and etc. were rushed to block and delete the copies of the video which has instantly gone viral.

A legislation not very different from the one in UK that was discussed above was passed in Australia meaning to hold the executives responsible for whatever is posted on their platforms.

“BasBanke”: Android Malware That Hacks Financial/ Personal Data!

Introducing “BasBanke”, another malware in the already long list of Android malware, with Brazilians’ financial and personal details on the target.

Credit/debit card numbers, other financial data, and personal data of Brazilians is what the cyber-cons are hunting for, via the malware.

This malware has been effective through malicious applications since 2018 Brazilian elections. Downloads of over 10,000 from the Google store were made.

By way of social media platforms like Facebook and WhatsApp the user were tricked into downloading the malware.

Later on attacks like ‘keystroke logging’, ‘SMS interception’ and ‘screen recording’ were also observed.

The advertising campaign’s URL hinted to the legitimate Google Play Store.

A malicious app which goes by the name of “CleanDroid” is another of the malicious apps which was advertised about on Facebook along with a download link.

The aforementioned application pretends to help in protecting the victim’s device from viruses and optimizing memory space.

Google play store hosts a lot of such illegitimate android apps who pretend to be QR readers or travel guides all the way tricking the victim.

A similar malicious campaign was discovered by a leading anti-virus organization but with relatively less distribution rates.

On the distributor front, social media played a vital role in it too.

Hunting and hacking down the metadata such as IMEI, telephone numbers, device names along with other personal stuff is the main agenda.

This data after getting collected is sent to the HQ of the cyber-hackers via C2 server.

Platforms like Netflix, YouTube and Spotify immediately turned up their security measures after perceiving that the banking details were being hunted.

US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites

Microsoft has been legally given the control of 99 websites which were being operated in association with an Iranian hacking group, Phosphorus.

In order to prevent the sites from being employed for the execution of cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to be in charge of these websites related to the aforementioned hacking group which is also known as Charming Kitten, Ajax Security Team and APT 35.

The malicious group, Phosphorus is configured to employ spear-phishing to sneak into private accounts of individuals. Cybercriminals at Phosphorus resort to social engineering in order to lure individuals to click on the links, at times sent via fake accounts that appear to be of familiar contacts. The link carries infectious software which allows Phosphorus to sneak into the computer systems.

Basically, it performs malicious activity to acquire access to sensitive data stored onto the computer systems of government agencies and businesses.

Putting the same into context in a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, said, "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East,"

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt told in his blog post.

Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."

Ukrainian cyber police again caught Russian hackers

It is not the first time when the Ukrainian cyber police declared about declassifying a group of Russian hackers.

According to police officers, hackers created a mailbox, using the Anonymizer and worked from the territory of Russia.

It turned out that they sent fake emails on behalf of Interior Minister Arsen Avakov. Emails contained rules of conduct for police officers during the elections. In addition, the police were required to take certain actions in favor of one of the candidates.

On the Internet, there is an opinion that the news is fake. Many people know that real hackers do not even need to create a mail to send messages. They can go to the server of the police and send emails directly. And can do it from any other host on which the port number 25 is open, intended for the SMTP protocol.

Perhaps citizens of Ukraine decided to joke this way. They just installed a browser with VPN and created mail. That's enough to hide location. Moreover, this incident was another reason to accuse Russia of intervening in the Ukrainian presidential election.

Zero-day Stored XSS Vulnerability Allowed Attackers to Compromise 70,000 Websites

Researchers found out that "Social Warfare", a social sharing plug-in powered by Warfare Plugins is infected with a critical Stored XSS Zero-day flaw which allows cybercriminals to place malicious scripts and conquer the assailable WordPress websites.

'Social Warfare' is a social sharing plugin which is essentially used to accumulate more website traffic by receiving more social shares for website developers.

Amidst some of the plugins debugging features, the plug-in carries an exploitable code which assists the payload in being stored in the website's database and reclaimed with every page request.

Referencing from Sucuri research, “These features aren’t directly used anywhere and rely on various $_GET parameters to be executed, which makes it easy to see if your site was attacked using this vulnerability."

The exploit which was rampantly distributed across the globe is a critical flaw that has allowed hackers to entirely gain control of the ill-protected websites in the sphere.

As the abuse of the exploit continued, multiple ongoing attempts from over a hundred distinct IPs were noticed by the analysts.

Reportedly, around 70,000 websites have the plugin installed and the attacks are likely to multiply if the flaw is left unpatched. Meanwhile, users are advised by the experts to get an update to version 3.5.3.

Hacker who was offering Cybercrime-as-a-service detained in Novokuznetsk

Employees of the Ministry of Internal Affairs of Russia with the assistance of experts of Group-IB, an international company specializing in the prevention of cyber attacks, detained a hacker in Russian city Novokuznetsk who hacked computers around the world.

The detainee offered Cybercrime-as-a-service services to cyber criminals. He created and maintained admin panels for managing malware and botnets.

According to the local report, he infected more than 50 thousands computers across the world. He managed to steal usernames and passwords from browsers, mail clients of the infected computers. He also reportedly stole financial information such as bank card details.

The investigation began in the spring of 2018, when the hacker infected around 1000 of computers with malicious software Formgrabber.

"He administered the botnet, which counted several thousand infected computers of Russian and foreign users,” the press service of the Ministry of Internal Affairs reported.

It turned out that the hacker is only 26 years old, since 15 he has earned money by creating websites for computer games, but then he decided to learn the profession of a hacker. More recently, he was testing malware targeting Android platform.

He has already been charged under the article "Creation and distribution of malicious computer programs". He completely admitted his guilt.

Citrix Discloses Data Breach By International Cyber Criminals

An enormous data breach by "international cyber criminals" of the famous enterprise software company Citrix was unveiled a weekend ago, reporting the breach of its internal network.

The software company which is known to provide its services, especially to the U.S. military, the FBI, numerous U.S. organizations, and different U.S. government offices was cautioned by the FBI of foreign hackers compromising its IT systems and sneak "business documents," likewise including that the company did not know exactly which records and documents the hackers acquired nor how they even got in, in the first place.

In a blog post Citrix says that, “While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security...”

"Password spraying” is an attack where the attackers surmise weak passwords to pick up an early toehold in the company's system in order to launch more extensive attacks.

The enormous data breach at Citrix has been distinguished as a part of "a sophisticated cyber espionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of the economy," said Rescurity, an infosec firm in a blog post.

The researchers at Resecurity shed all the more light on the episode when Citrix refused to disclose the numerous insights regarding the breach, guaranteeing that it had prior cautioned the Feds and Citrix about the "targeted attack and data breach."

In spite of the fact that Resecurity says that the Iranian-backed IRIDIUM hacker group hit Citrix in December a year ago and yet again on Monday i.e. the 4th of March and purportedly stole approximately 6 terabytes of sensitive internal files including messages, emails, blueprints and various other documents as well.

While this Florida-based company focused on the fact that there was no sign that the hackers bargained any Citrix product or service, and that it propelled a "forensic investigation," procured the best cyber security company, and took "actions" to skilfully secure its internal network.

Since the consequences of the Citrix 'security incident' are grave and they could influence a more extensive scope of targets, as the company holds sensitive data on other companies as well, including critical infrastructure, government and enterprises, therefore, strict measures will be thusly taken to secure it inside-out.

Enterprise VPN Provider Citrix, Hacked; 6TB of Sensitive Data Stolen

Enterprise VPN provider, Citrix, was subjected to a hack which is doubted to have stolen private data pertaining to the company’s technology.

On Friday, Citrix told that FBI informed them about "international cyber criminals" working their way into the organization’s networks.

They were further told that most probably the criminals resorted to the technique of “password spraying” to break into the company’s networks. They did do by appropriately guessing the password to an account which belongs to the company.

The hackers involved are reported to be a part of an Iranian Hacking group which has attacked over 200 companies, along with multiple government agencies, technology firms and gas, and oil companies.

Referenced from a blog post by Resecurity, the cybersecurity firm contacted Citrix in an attempt to warn them about the hack which was on the way.

And, while refraining from telling the origins of the source from where the firm learned of the hack, it said that it "has shared the acquired intelligence with law enforcement and partners for mitigation."

While FBI denied commenting on the matter, Resecurity drew a connection between the hackers and a nation state, "due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy."

Citrix expressed a probability of business documents being acquired and downloaded by the attackers and told in a notice, "The specific documents that may have been accessed, however, are currently unknown."

"Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI," the company further included in the notice.

Anonymous Threat Group Compromised 1 Million Web Pages of Popular Brands like Coca-Cola and McDonalds’s

Around 1 million Israeli based webpages owned by renowned brands like McDonalds’s and Coca-Cola have been compromised by an anonymous group of hackers who notably breached the websites of leading brands which were introduced for Israel natives with address ‘co.il’ – Cocacola.co.il and McDonalds.co.il and etcetera.

The hacker group employed third-party accessibility plug-in known as ‘nagich.co.il’ which loaded infected JavaScript code that compromised the website and assisted the threat actors in exploiting and corrupting a million of web pages.

There’s a critical vulnerability which existed in the disabled page accessibility plug-in, Nagich, it permitted access to more than 1 million Israel based webpages and primarily assisted the attackers in corrupting the webpages.

Besides websites of renowned brands – Coca-Cola, McDonald’s and Toys"R"Us, other popular websites namely Ynet and Calcalist also fall prey to this breach. Reportedly, the attackers corrupted these websites and displayed political messages.

The Nagich website is not a usual site, it’s a website which contains an accessibility plugin - a Javascript which runs on a website which opts for this service and provides it a multitude of options.

On giving necessary permissions, the severe vulnerability can run code on the website which means it can make any changes in our site and do whatever it wants. Hackers exploited it to replace the malicious code with an embedded link with the motives of corrupting webpages.

Due to the delay in taking remedial measures to patch the vulnerability, Nagich officials, in a way led hackers to compromise hundreds of webpages.

Attackers Launched a Rapidly Changing Malware which uses .DOC Extension

A new malware has been discovered by security experts, they observed that it is constantly altering its behavioral patterns in an attempt to bypass the email security protection.

As dissemination of malware through email campaigns is becoming common day by day, email security providers are devising new ways to battle and terminate such malicious activities.

However, cybercriminals are employing subtle and sophisticated methods to bypass all the layers of security, which has led to a massive upsurge in successful malware campaigns.

In the aforementioned case, the infected emails are sent to the potential victims, which on being accessed leads to the downloading of a word template with a .doc extension.

Notably, the attack is configured quite differently than most of the attacks which make use of a single pattern with little customizations. In this attack, a number of different email addresses, subject headings, display name spoofs, body content, and URLs are used.

The attackers send the malspam email which entails an infected link which takes the user to a corrupted website that has the malware all set to sneak into the system and infect it.

Referencing from the findings of researchers at the only cloud-native security platform, Greathorn, “Initially, this attack pattern identified at 12:24pm on Wednesday, February 20^th, the attack has (so far) consisted of three distinct waves, each wave corresponding with a different destination URL, one at 12:24pm ET, one 2:05pm ET, and a third at 2:55pm ET, suggesting an attack pattern that anticipated and planned for relatively quick shutdowns of the destination URLs. “

File-less Malware Is Wreaking Havoc Via PowerShell.

File-less Malware Is Wreaking Havoc Via PowerShell

Advanced Volatile Threats (AVTs) also known as the File-less Malware, is another threat which works directly from the memory. PowerShell is a major course adapted by the cyber-cons to achieve the attack.

The malware first suspends a malicious code into the target’s system. Whenever the system is working the code begins to collect the credentials on the system.

In case of a victimized company, the malicious code had started gathering the credentials of its employees, along with the administrator permissions.

The next step it took was to hunt for the most valuable assets of the organization and beeline them.

The code was too cleverly designed to be spotted by the company’s security system and the organization was never alerted.

After doing so much damage to the company and its credibility, the code disappeared without a trace.

These AVTs had surfaced around a year ago, and it works especially on working on the memory rather than on the hard drive.

The traditional and old-fashioned threat detection systems would never in a million chances sense that something’s fishy.

PowerShell is the very basic medium they use to employ the file-less malware attack.

PowerShell lets systems administrators completely automate the tasks on the servers and computers.

Meaning, if the cyber-cons happen to take control of the server and computer they could easily get hold of as many permissions as they’d wish for.

Windows is not a platform PowerShell is limited to. Microsoft Exchange, IIS and SQL servers also fall into line.

What file-less malware does is that it forces PowerShell to institute its malicious code into the console and the RAM.

It becomes a “lateral” attack once the code gets executed, meaning the attack propagates from the central server.

As after the dirty work’s done the malware leaves no traces behind, traditional security solutions are never able to place what was behind the attack.

Only heuristic monitoring systems, if run constantly could help in tracing the attack’s culprit.

Precautionary Measures Against Fileless Malware

Disable PowerShell (If it’s not required to administer systems)
If it can’t be disabled, ensure that you’re using the latest version of it. (PowerShell 5 has better security measures in Windows)
Only enable specific features of PowerShell via “Constrained Language” mode.
Enable automatic transcription of commands which will help in making the system suspicious about file-less attacks.
Employ advanced cyber-security methods such as permanent anti-malware services.
Do constant research on unknown processes occurring within the system which could generate file-less malware.

Hackers Targeting Retail Websites and Online Shoppers via Formjacking

With the advent of online shopping, the e-commerce market has skyrocketed and by 2022, the figures are expected to touch a whopping $150 billion. The ever-expanding arena of e-shopping has given cybercriminals even more reasons to exploit user data employing all new ways. The most recent hacking method which affects online shoppers is known as ‘Formjacking’.

What is Formjacking?

It is a virtual ATM skimming method which is employed by cybercriminals to insert malicious codes into retail websites. These codes are programmed to leak payment details of the shoppers along with their card details.

A report from Symantec suggests that every month, over 4,800 different websites fall prey to Formjacking. It has also been observed that the number of Formjacking attacks has been increased over the past year and the data is also being sold on the dark web.

Referencing from the report, “By conservative estimates, cybercriminals may have collected tens of millions of dollars last year, stealing consumers’ financial and personal information through credit card fraud and sales on the dark web, with a single credit card fetching up to $45 in the underground selling forums,”

Expressing concern on the matter, Greg Clark, CEO, Symantec, said “Formjacking represents a serious threat for both businesses and consumers,”

“Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft. For enterprises, the skyrocketing increase in Formjacking reflects the growing risk of supply chain attacks, not to mention the reputational and liability risks businesses face when compromised,”

Attacks on the US Companies by Chinese and Iranian Hackers Renewed

As a result of Trump pulling the U.S out of the Iran nuclear deal last year and the trade disputes between the U.S and China, Iranian and Chinese hackers heavily attacked corporations and government agencies in the United States. Security experts are of the opinion that these hackers have been fuelled by the conflicts of the past.

Referencing from the briefing of seven people who gave a glimpse of the incidents, the recent attacks which targeted multiple US corporations, government agencies, American banks, and various businesses were more brutal than those which were carried out in past. These people were not permitted to publicly discuss the details.

Analysts and security researchers at National Security Agency sourced the attacks to Iran. Meanwhile, FireEye, which is a privately owned security firm, instigated an emergency order when the government shutdown took place last month. They did so by the Department of Homeland Security.

Reportedly, these Iranian attacks occurred simultaneously with a renewed Chinese offensive configured to steal sensitive data related to military and trade from U.S tech companies and military contractors.

Commenting on the matter, Joel Brenner, a former leader of United States counterintelligence under the director of national intelligence said, “Cyber is one of the ways adversaries can attack us and retaliate in effective and nasty ways that are well below the threshold of an armed attack or laws of war,”

Astaroth- The Tojan That Abuses Anti-Virus Software To Steal Data

A new Trojan has surfaced which disguises itself as GIF and image files and tries to exploit the anti-virus software to harvest the data on the user’s PC.

A security research team brought the situation to everyone’s notice that this variant supposedly makes use of the modules in the cyber-security software.

The exploitation of the modules leads to the cyber-con getting hold of the victim’s data including online credentials

The Trojan in the guise of an extension-less files tries to move around the victim’s PC undetected.

By the use of spam emails and phishing messages, the victim’s lured into downloading the malicious file and then the actual Microsoft Windows BITSAdmin tool is used to download the full payload from a command-and-control (C2) server.

The malware then launches an XSL script and finalizes a channel with the C2 server. The script is obfuscated and contains functions to shroud itself from the anti-virus software.

The same script is responsible for the process which influences BITSAdmin to download payloads which include Astaroth from a different C2 server.

The old version of this Trojan used to launch a scan to look for the anti-virus programs, and in case of the presence of “Avast”, the malware used to quit.

But as it turns out with Astaroth, the antivirus software would now be abused and a malicious module would be injected into one of its processes.

The exploitation of these systems is called LOL bins, Living Off the Land binaries. GAS, an anti-fraud security program could be abused in the same way.

This Trojan first surfaced in the year 2017 in South America. It targets machines, passwords and other data. Astaroth is also capable of Keylog and could intercept calls and terminate processes.

The malware employs a “ fromCharCode() deobfuscation ” method to conceal code execution, which is an upgrade on older versions of Astaroth.

LOLbins seem to have a lot of malicious potential including stealing credentials and personal data. This method is highly attractive to cyber-cons and hence needs to be prepared against.