Acronis reports India to be third highest in terms of Malware attacks, after US and Japan

Acronis, a Switzerland-based IT and cybersecurity company, surveyed 3,400 IT managers from both the private and public sectors in 17 countries across four continents (Australia, Bulgaria, Canada, France, Germany, India, Italy, Japan, Netherlands, Singapore, South Africa, Spain, Sweden, Switzerland, UAE, UK, and the US). Their report investigates the increase or decrease in cyber attacks and the cyber readiness of companies during COVID-19 because, in their own words, "the COVID-19 pandemic has crippled businesses worldwide".

According to the report, India had the third-highest number of malware attacks between March and November, after the U.S. and Japan. Of 1,000 clients, 1,168 attacks were detected in India in a month.

 Acronis found that during the switch from office to remote work, weak points in cybersecurity were revealed, mainly 1) exposed servers (RDP, VPN, Citrix, DNS, etc.), 2) weak authentication techniques, and 3) insufficient monitoring.

 The companies increased their expenditure on IT (72% of organizations reported increases in their IT expenditure) but still faced difficulties with adjustments from office to remote work. 

On the security side, major weaknesses were noted in monitoring for phishing, in expertise with cloud solutions, and in dealing with video conferencing attacks, as the cybersecurity protocols in place are just up to par but not really updated for the latest threats and needs.

 “The cyber threat landscape has changed dramatically during the past few years, and in the last six months in particular. Traditional stand-alone antivirus and backup solutions are unable to protect against modern cyberthreats,” said Serguei “SB” Beloussov, founder and CEO of Acronis. 

Most of the attacks faced by organizations were phishing (53.4%), DDoS (44.9%), video conferencing (39.5%), and malware (22.2%). The report attributes the rate of phishing attacks to the lack of active measures taken against them, as only 2% of organizations use URL filtering protocols. India, Switzerland, Canada, and the UK were among the countries most affected by video conferencing attacks.

Fake Among Us apps floating over the internet can deploy malware and adware in your device

There is an imposter among us, quite literally: the popular game has attracted many fakes and malware-carrying apps made to look like the legitimate game or a mod for it. These malicious apps range from harmlessly annoying to quite dangerous.

Players looking for Among Us should be careful to install the app only from trustworthy sources and to check mods and their legitimacy before using them.

These "fake" apps range from mock Among Us apps that try to cash in on the game's success to mods that lure young players with the promise of hacks but actually drop malware on the system or steal data from the device.
A report from TechRadar says that there are currently 60 fake imposter apps of Among Us, including apps that i) install adware or bloatware, ii) deploy malware, or iii) steal financial data.

Why Among Us? 

Among Us, a multiplayer PC and mobile game, suddenly became popular in 2020. Though it was released in 2018, it did not gain much attention until gaming streamers started broadcasting the game. Developed by InnerSloth, a small studio in Redmond, Washington, Among Us has stayed in the top five on Apple’s U.S. App Store since Sept. 1, with more than 158 million installs worldwide across the App Store and Google Play.

Word-of-mouth marketing and the pandemic-imposed lockdown made the game quickly catch on with young players, which these miscreants exploited. A young player looking for hacks and mods is easy to dupe into installing a fake app that installs adware or something more damaging.

Precautions to avoid Among Us imposter apps:

It's smart to avoid any website that claims to offer hacks, resources, packs, and mods, as people without much background in gaming and the cyber world won't be able to detect malicious content.

Always install the app from a trusted source, and only after reading the comments, as they will tell you if anything is wrong with the app.

To check the legitimacy of mods, it's best to use the community. Mods in themselves are harmless, but as noted above, some of the fake ones can add code to your device. Use legitimate mod websites, and if you go to a private website, read the comments, as someone will probably have reported any suspicious behavior in the discussion. Also, mods developed by semi-public figures or Among Us content creators will usually be safe.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble discovered a post by the authors of Nefilim ransomware claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. According to the operators' claims in the post, they are in possession of around 11.5 GB of the company’s sensitive data, including corporate operational documents: the company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, concentrating on South Asia, South America, Oceania, North America, and Western Europe. Going by the count of publicly disclosed attacks, manufacturing is the industry most targeted by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, and Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation, with Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. Notably, the ransomware has so far spared the healthcare and education sectors entirely: no organization from either sector has been targeted.

Nefilim uses a number of channels to infiltrate organizations’ IT systems, including P2P file sharing, free software, spam email, torrent websites, and malicious websites. Designed specifically to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector. It employs a combination of two distinct algorithms, AES-128 and RSA-2048, to encrypt the target’s data, which is later leaked on the operators' website, known as Corporate Leaks, when victims fail to pay the ransom.

Users are advised to stay wary of exposed ports, and security departments should ensure that unused ports are closed off. Experts have also recommended using the ‘limit login attempts’ setting for Remote Desktop Protocol network admin access to stay guarded.

Houdini Worm’s WSH Remote Access Tool (RAT) for Phishing Tactic




A fresh, modified version of Houdini Worm is out in the market. It goes by the name of WSH Remote Access Tool (RAT) and has commercial banking customers on its radar.

The authors who created the malware released it earlier this June. HWorm has a great deal in common with njRAT and njWorm (existed in 2013).

WSH RAT uses legitimate applications that execute scripts on Windows, one of which is the legitimate Windows Script Host.

As usual, the malware is being distributed via phishing email campaigns.

The malicious attachment is an MHT file, which the threat operators use in the same way they use HTML files.

The MHT files contain an “href” link that guides the user to download a malicious .zip archive, which releases the original version of WSH RAT.

Researchers report that when WSH RAT is executed on an endpoint, it behaves like HWorm, down to its use of mangled Base64-encoded data.

WSH RAT uses the very same configuration structure for the above process as HWorm.

It also seeds an exact copy of HWorm’s configuration, including the default variables, and the WSH RAT command-and-control server URL structure is similar to that of HWorm.


First, WSH RAT communicates with the C2 server and then calls a new URL that releases three payloads with the .tar.gz extension.
They are actually PE32 executable files, however, and the three payloads are:
· A keylogger
· A mail credential viewer
· A browser credential viewer

These components are extracted from a third party and do not originate from the WSH RAT itself.
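A defender can catch the mismatch described above, payloads named .tar.gz that are really PE32 executables, by comparing a file's header bytes with its extension. The following Python sketch is an added example, not code from the researchers or from the malware; the file names and sample bytes are constructed for illustration.

```python
import gzip
import struct
from typing import Optional

GZIP_MAGIC = b"\x1f\x8b"
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".gz")

def classify(data: bytes) -> str:
    """Identify content from its header bytes, ignoring the file name."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            # The optional-header magic follows the 4-byte signature
            # and the 20-byte COFF header.
            if len(data) >= e_lfanew + 26:
                (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
                return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE")
            return "PE"
    return "unknown"

def check_download(filename: str, data: bytes) -> Optional[str]:
    """Return an alert if an archive-named file is really a PE executable."""
    kind = classify(data)
    if filename.lower().endswith(ARCHIVE_SUFFIXES) and kind.startswith("PE"):
        return f"ALERT {filename}: archive extension, content is {kind} executable"
    return None

def fake_pe32() -> bytes:
    """Constructed, non-functional PE32 header (no code), for testing only."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\x00\x00" + coff + struct.pack("<H", 0x10B)

# Constructed samples: hypothetical file names and contents.
SAMPLES = {
    "payload1.tar.gz": fake_pe32(),               # extension lies
    "backup.tar.gz": gzip.compress(b"real data"),  # genuine gzip stream
    "tool.exe": fake_pe32(),                       # honest extension
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", check_download(name, blob) or "ok")
```

The same comparison can be applied at a web proxy or mail gateway, where the declared name and the first bytes of the transfer are both visible.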

The underground price of the WSH RAT was around $50 USD a month with a plethora of features including many automatic startup tactics and remote access, evasion and stealing capabilities.

It’s becoming more evident by the hour that, with a simple investment in cheap commands, really threatening malware services can be developed that could put any company in jeopardy.



Undetected malware attacks Linux systems

A new, sophisticated and unique Linux malware dubbed HiddenWasp is being used in targeted attacks against victims who are already under attack or have gone through heavy reconnaissance.

The malware is highly sophisticated and went undetected; it is still active and has a zero detection rate. It adopted a large amount of code from publicly available malware such as Mirai and the Azazel rootkit.

Unlike Windows malware authors, Linux malware authors don't concentrate much on evasion techniques, as antivirus solutions are used far less on Linux machines than on other platforms.

However, the Intezer report shows “malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.” In the past, we saw much malware focused on crypto-mining or DDoS activity, but HiddenWasp is purely a targeted remote-control attack.

The malware is composed of a user-mode rootkit, a trojan, and an initial deployment script. Researchers found that the files went undetected on VirusTotal and that the malware was hosted on servers of ThinkDream, a hosting company located in Hong Kong.

While analyzing the scripts, Intezer spotted a user named ‘sftp’ and hardcoded values, which can be used for initial compromise. The scripts also have variables for clearing older versions from the compromised systems.

The scripts also include variables to determine the server architecture of the compromised system and download components from the malicious server based on that architecture. Once the components are installed, the trojan is executed on the system.

“Within this script, we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit, and a deployment script for x86 and x86_64 builds accordingly.”

Author of Three Critical Ransomware Families Arrested in Poland




A well-known cyber-criminal believed to be the author of the Polski, Vortex, and Flotera ransomware strains, Tomasz T., was arrested in Poland on Wednesday, but the announcement was made by Polish law enforcement on Friday.

They had been tracking him for quite some time and were ready this time to go ahead with the arrest.
Tomasz T., a.k.a. Thomas or Armaged0n, a Polish citizen who lives permanently in Belgium, is responsible for cybercrime such as DDoS attacks, sending malicious software to compromise several computers, and using ransomware to encrypt files.

Working through Europol, the Polish police had alerted their Belgian counterparts, who then searched his house and seized computer equipment, a laptop and remote servers, as well as encryption keys.

“Apparently, the suspect has been active since 2013, when he first started targeting users via a banking trojan that would replace bank account numbers in users' clipboards with one of his own, so to receive undeserved bank transfers.”
- according to the prosecutors.

He spread this ransomware by email, impersonating official correspondence from well-known companies such as DHL, Zara, Cinema City, PAY U, WizzAir and many more. Online, Tomasz operated under the name "Armaged0n," which he also used on the infamous Hack Forums cybercrime portal.

The Polish tech news site Zaufana Trzecia Strona (ZTS) was the first to link the three ransomware strains to the Armaged0n persona, and it later tracked down an extensive email spear-phishing operation.

Armaged0n Hack forum profile

The police suspect that Tomasz infected thousands of users with ransomware and made over $145,000 from his criminal undertakings. ZTS, CERT Poland, security analysts, police, and the impersonated companies all worked together to track him down.

The Polish cybercriminal has been charged with accepting and transferring funds from crimes, infecting computer systems with malware such as the Polish Ransomware, Vortex or Flotera, and influencing automatic data processing for financial benefit. The decryption keys for all of these ransomware strains have likewise been collected from his system.

The suspect, questioned by the prosecutor, admitted to the 181 different crimes that he was charged with.

Nonetheless, after performing the procedural steps, the prosecutor filed a motion to place him in temporary detention for a period of three months.

Prevalent Cyber threat group targets UK

A well-known hacking group is still trying to target the UK with an updated version of malware designed to install itself on compromised systems and stealthily conduct surveillance. Over the past year, the group seems to have focused especially on diplomatic targets, including consulates and embassies.

Both the Neuron and Nautilus malware variants have already been attributed to the Turla advanced persistent threat group, which is known to routinely carry out cyber-espionage against a range of targets, including government, military, technology, energy, and other commercial organisations.

It primarily targets Windows mail servers and web servers; the Turla group sends specially crafted phishing emails to compromise targets in attacks that deploy Neuron and Nautilus in conjunction with the Snake rootkit. By using a combination of these tools, Turla can gain persistent access to compromised systems, giving it covert access to sensitive data or the ability to use the system as a gateway for carrying out further attacks.

However, the UK's National Cyber Security Centre (NCSC), the cyber security arm of GCHQ, has issued a notice that Turla is deploying another variant of Neuron that has been altered to evade discovery.

Alterations to the dropper and loading mechanisms of Neuron have been designed to keep the malware from being detected, enabling its malicious activities to proceed uninterrupted.

The creators of Neuron have additionally changed the encryption in the new version, now configuring multiple hardcoded keys as opposed to using just one. Like many of the other changes, this has probably been done to make detection and decryption by network defenders more difficult.

Whatever the case, the National Cyber Security Centre does not attribute Turla's work to a specific threat actor, instead referring to it as:
                                 "A predominant digital danger group focusing on the UK".