Search This Blog

Showing posts with label Malicious Campaign. Show all posts

BazarLoader Malware: Abuses Slack and BaseCamp Clouds

 

The primary feature of the BazarLoader downloader, which is written in C++, is to download and execute additional modules. BazarLoader was first discovered in the wild last April, and researchers have discovered at least six variants since then “signaling active and ongoing development”.

According to researchers, the BazarLoader malware is leveraging worker trust in collaboration tools like Slack and BaseCamp, in email messages with links to malware payloads. The attackers have also added a voice-call feature to the attack chain in a secondary campaign targeted at consumers. 

“With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,” states Sophos advisory released on Thursday. Adversaries are targeting employees of large companies with emails that purport to provide valuable details related to contracts, customer care, invoices, or payroll, they added. 

Since the links in the emails are hosted on Slack or BaseCamp cloud storage, they can appear genuine if the target works for a company that uses one of those platforms. When a victim clicks on the link, BazarLoader downloads and executes on their device. 

Usually, the links point to a digitally signed executable with an Adobe PDF graphic as its symbol and the files have names like presentation-document.exe, preview-document-[number].exe, or annualreport.exe, according to the researchers. These executable files, when run, inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe. 

“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem.” Sophos discovered that the spam messages in the second campaign are devoid of anything suspicious: there are no personal details of any sort in the email body, no connection, and no file attachment.

“All the message claims is that a free trial for an online service the recipient claims to be using is about to expire in the next day or two, and it includes a phone number the recipient must call to opt-out of a costly, paid renewal,” researchers explained. 

If a potential victim picks up the call, a friendly person on the other end of the line sends them a website address where they can unsubscribe from the service. These websites bury an unsubscribe button in a page of frequently asked questions and clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware. 

The messages claimed to come from a company named Medical Reminder Service and included a phone number as well as a street address for a real office building in Los Angeles. However, starting in mid-April, the messages began to use a ruse involving a fraudulent paying online lending library named BookPoint. 

Researchers have been suspecting that BazarLoader could be related or authored by the TrickBot operators. TrickBot is another first-stage loader malware often used in ransomware campaigns. 

BazarLoader seems to be in its initial developmental stage and isn't as advanced as more mature families like TrickBot, researchers added. “While early versions of the malware were not obfuscated,” they explained, “more recent samples appear to encrypt strings that could expose the malware's intended use.”

Spear-Phishing Campaigns Targeting Tibet and Taiwan

 

Tibetan community is being targeted by a Spear-phishing campaign; it is suspected that malicious actors behind these operations are the ones formerly involved in campaigns attacking Taiwanese legislators as discovered in May 2020 during an investigation. Reportedly, the group is employing a novel malware variant called MESSAGEMANIFOLD, similar to the one employed in the abovementioned campaigns, further solidifying the links discovered between both the campaigns. 

Several other overlaps have also been noted between both the activities, including the application of the same email themes and identical hosting provider. Furthermore,  both the campaigns made use of Google Drive links for downloading the malware. 

The campaigners are attacking strategic targets that somehow align with the Chinese Government’s affairs. The threat actors used spear-phishing emails with the theme ‘conference invitations’, which included a direct download Google Drive link. According to the researchers two Google Drive links were there, with the name “dalailama-Invitations [.]exe” file. 

About the Attacks

The dropped files (HTTP POST) were being used for the requests to communicate with the control and command server which uses a fixed URL pattern, and for the next stage, malware needs a specific response. Those domains were being used in both campaigns were organized on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost). 

Recent cyberattacks on Taiwanese and Tibetan entities don't come as a surprise, it has been observed that Beijing-based malicious actors actively attack these states in accordance with their state interests. A recent study at IBM disclosed that an email phishing scheme attacking Germany and Italy based COVID-19 vaccine supply chains. Other targets included the Czech Republic and South Korea amid a few more. 

Given the highly customized nature of the attacks against particular targets chosen strategically, the activity could possibly be aligned with Chinese nation-backed attackers; however, as of now, the campaigns could not be affiliated to a recognized cyber threat group. Therefore, experts have recommended employing a trustworthy anti-malware solution. Users are also advised to avoid opening attachments from anonymous sources. 

Criminals sending malicious emails claiming to be from the rector of Moscow State University

A malicious program that steals passwords was sent out in mid-September by scammers in letters claiming to be from the rector of Moscow State University. The recipients were financial, industrial, and government organizations in Russia.

The mailing, as noted in the company Group-IB, was held in the period from 9 to 16 September.

"In the letter, the attackers, on behalf of rector Viktor Sadovnichy, ask recipients to read the attached document “ A description of the budget for 2020” and promptly send their commercial offer,” reported the company's press service.

The texts of the letters are illiterate and contain stylistic errors. In addition, the order of words and sentences indicates that fraudsters use an automatic translation program. The authors of the letter were too lazy to change or check all the links in the template before sending them out. Probably, similar attacks have already been carried out on behalf of other universities, most likely foreign ones.

The addresses of Moscow State University were indicated as the sender in the letters. In fact, the correspondence was sent from the hacked mail server of the Hotel Alfonso V in the Portuguese city of Aveiro. The hotel has already been notified of the break-in.

All the scammers’ emails contained an archive called "Request for a commercial offer" with an executable .exe file inside. After it was launched, a malicious program was installed on the user's device that could steal usernames and passwords.

"In the future, hackers can use them to gain access to email accounts or crypto wallets, for financial fraud, espionage, or sell stolen data on hacker forums,” said Group — IB.

According to Vasily Kuzmin, Deputy head of the information technology department of Moscow State University, neither the rector nor the University administration ever send letters with such content.

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location


A messaging platform for Android, Welcome Chat spies upon its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it to be available on the Google Play store, meanwhile, marketing it to be a secure platform for exchanging messages which however is not true by any means.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure communication Android solution, however, security researchers from ESET discovered the app being associated to a malicious operation having links to a Windows Trojan called 'BadPatch' which was employed by Gaza Hackers in a malicious campaign – a long-running cyber espionage campaign in the Middle-East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly as a chatting platform as well.

After downloading the app, users need to give permission for allowing installation from unknown sources as the app was not installed via the official app store. Once the Welcome Chat is activated, it asks permission to access the user's contacts, files, SMS, location details, and record audio. Although the list of permissions gets pretty exhaustive for a user to not doubt it, then again they are used to it, especially in case of a messaging platform.

As soon as the app receives all the permissions, it starts mining the victim's data which includes phone recordings, location details, SMS messages and sends it to the cybercriminals behind the malicious operation.

While giving insights about the app, Lukáš Štefanko, researcher at ESET, told, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

Cisco “critical security advisory” part of a phishing campaign ?


Amidst the coronavirus pandemic, there is an influx of telecommuters who, have come to heavily depend on online conferencing tools like Webex, Zoom and a few others.

With this rise in online meetings and ongoing phishing campaign is affecting more and more users with a recycled Cisco security advisory that cautions of a critical vulnerability and further urges the victims to "update," with the sole aim to steal their credentials for Cisco's Webex web conferencing platform.

Ashley Tran in a recent analysis said with Cofense's phishing defense center stated, “Targeting users of teleconferencing brands is nothing new, but with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”

Researchers are of the view that phishing emails are being sent with various 'attention-grabbing subject lines', for example, "Critical Update" or "Alert!" and originate from the spoofed email address, "meetings@webex[.]Com".

They said to Threatpost, this was a mass "spray and pray" phishing campaign with "numerous end-users" accepting and reporting the email from a few several industries, including the healthcare and financial ones. The body of the email installs content from a real Cisco Security Advisory from December 2016, alongside Cisco Webex branding.

The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco's management tool for applications in numerous data-center, private-cloud and open cloud environments.

This critical flaw permitted unauthenticated, remote attackers to install Docker containers with high benefits on the influenced system; at the hour of disclosure in 2016, it was being exploited extensively. Notwithstanding, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch discharge (likewise in 2016).
 


The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and directs them to a "Join" button to become familiar with the "update."

The attackers behind this campaign focus explicitly on the details, right down to the URL linked to the "Join" button. On the off chance that cautious email beneficiaries hover over the button to check the URL, they'll discover the URL [hxxps://globalpagee-goad webex[.]com/signin] to be strikingly like the authentic Cisco WebEx URL [hxxps://globalpage-prod[.]webex[.]com/signin].

Victims who click on the "Join" button are then diverted onto the phishing landing page, which is identical to the real Cisco WebEx login page.

Researchers said that there is one tiny difference is that when email addresses are typed into the authentic Webex page, entries are checked to confirm if there are associated accounts. On the phishing page, in the meantime, any email format entry takes the beneficiary straightforwardly to the following page to request a password.

Researchers, therefore, caution users to remain on the watch for bad actors 'spoofing' web conferencing and virtual collaboration applications on the grounds that in general.

The attackers are exploiting the frenzy around the coronavirus with phishing messages and emails around financial relied, guarantees of a cure and symptom data subtleties thus the users are advised to be on the lookout.

New Malicious Campaign Discovered Attacking Public and Private Entities via DNS Hijacking




A new malicious campaign called "Sea Turtle," as of late discovered by researchers allegedly, is said to have been attacking public and private elements in different nations utilizing DNS hijacking as a mechanism.

Moreover the campaign is known to have compromised no less than 40 different organizations across over 13 different nations amid this vindictive campaign in the first quarter of 2019.

Since DNS hijacking is a sort of malevolent attack that redirects the users to the noxious site by altering the DNS name records when they visit the site by means of compromised routers or attackers affecting a server's settings.

The attackers helped out their work through very industrious strategies and propelled apparatuses in order to gain access to the sensitive systems and frameworks as smoothly as possible.

By focusing on two distinct groups of victims they are focusing on a third party that is known to provide services to the primary targets to effectively play out the DNS seizing. The main aim of the attackers behind "Sea Turtle" is to ultimately aim to steal the credentials so as to access the systems and frameworks in the following manner:
  1.        Via establishing a means to control the DNS records of the target.
  2.        To modifying DNS records in order to point legitimate users of the target to actor-controlled servers.
  3.        To capturing legitimate user credentials when users interacted with these actor-controlled servers.
Researchers said that they "assess” with probably high certainty that these hijacking attacks are being propelled by an advanced, state-sponsored actor hoping to get to the sensitive systems and frameworks.

To ensure against these DNS hijacking attacks, the organizations are currently attempting to execute a registry lock service, multifaceted verification (to access the DNS records), and obviously keeping up to date on the patches, particularly on the internet facing machines.