Search This Blog

Showing posts with label Phishing email. Show all posts

ToxicEye: Trojan Abuses Telegram to Steal Data

 

The Telegram service is being exploited by operators of a new Remote Access Trojan (RAT) to keep control of their malware. ToxicEye is a ransomware that uses Telegram as part of its command-and-control (C2) infrastructure to steal data. 

In a blog post published on Thursday, Check Point Research's Omer Hofman stated that the latest remote malware has been seen in the wild, with over 130 attacks reported in the last three months.

Telegram is a communication platform and instant messaging service that has recently seen a boost in popularity as a result of the recent controversy surrounding WhatsApp's data-sharing policies with Facebook. The platform, which has over 500 million monthly active users, has also proven popular among cybercriminals who use it to distribute and execute malicious software. 

ToxicEye operators start the attack chain by creating a Telegram account and a bot. Bots are used for several tasks, such as reminders, searches, issuing orders, and launching surveys. In this case, however, the malware's configuration includes a bot for malicious purposes. 

According to researchers, "Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user's device back to the attacker's C2 via Telegram." 

Phishing emails with malicious document attachments are sent to intended victims. ToxicEye is launched if a victim allows the resulting malicious.exe file to be downloaded. The ToxicEye RAT has a variety of features, which include the ability to search for and steal credentials, computer OS data, browser history, clipboard content, and cookies, as well as pass and deletes files, disable PC processes, and hijack task management. 

Furthermore, the malware can install keyloggers and gain access to microphones and camera peripherals to capture audio and video. The researchers discovered ransomware characteristics such as the ability to encrypt and decrypt victim data. 

The user should check for "C:UsersToxicEyerat.exe" if suspects an infection. This applies to both personal and business use, and if a file is discovered, it should be deleted immediately. 

Researchers stated, "Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”

Hackers use BazarCall Malware to Infect Victims

 

The most current strategy for tainting your PC is astoundingly antiquated: It utilizes a telephone call. Online researchers are documenting a new malware campaign that they've named "BazarCall." One of its primary malware "payloads" is the BazarLoader remote-access Trojan, which can give a hacker full authority over your PC and be utilized to install more malware. 

In the same way as other malware campaigns, BazarCall begins with a phishing email but from that point goes amiss to a novel distribution method - utilizing phone call centers to circulate pernicious Excel documents that install malware. Rather than bundling attachments with the email, BazarCall emails brief clients to call a telephone number to cancel a subscription before they are naturally charged. These call centres would then direct clients to a specially crafted website to download a "cancellation form" that installs the BazarCall malware. 

All BazarCall assaults begin with a phishing email targeting corporate clients that express the recipient's free trial is about to run out. Be that as it may, these emails don't give any insights about the supposed subscription. The emails at that point brief the client to contact a listed telephone number to cancel the subscription before they are charged $69.99 to $89.99 for a renewal. While the greater part of the emails seen by BleepingComputer has been from a fictitious company named "Medical reminder service, Inc.", the emails have additionally utilized other phony organization names, for example, 'iMed Service, Inc.', 'Blue Cart Service, Inc.', and 'iMers, Inc.' 

All these emails use similar subjects, for example, "Thank you for using your free trial" or "Your free trial period is almost over!" Security researcher ExecuteMalware has put together a more broad list of email subjects utilized by this assault. At the point when a recipient calls the listed telephone number, they will be set on a short hold and afterward be welcomed by a live individual. When asked for more data or how to cancel the subscription, the call center agent asks the victim for a unique customer ID enclosed in the email.

Randy Pargman, Vice President of Threat Hunting and Counterintelligence at Binary Defense, disclosed to BleepingComputer that this unique customer ID is a core component of the assault and is utilized by the call center to decide whether the caller is a targeted victim.

Google reCAPTCHA used by Phishing Attackers

 


Thousands of phishing emails threaten Microsoft users to obtain their Office 365 credentials during an active attack. The attackers add to the campaign an air of authenticity by the use of a bogus Google reCAPTCHA scheme and top domain landing pages which include symbols of victims' organizations. Though more than 2,500 phishing emails connected with the campaign have been blocked by the organization. Security company Zscaler's Threat Analysis Unit, ThreatLabZ, has noticed that since December 2020 phishing is increasing, with mostly senior staff working in the banking industry being targeted. 

Google reCAPTCHA is a service that effectively prevents spam and misuse on websites by using a Turing test to separate human beings and bots (by asking the user to click on a fire hydrant out of a series of images, for instance). The campaign starts with an attacker sending phishing emails to targets, which tend to come from some kind of single contact system to simplify corporate communication. There is a malicious email attachment in the email. The victims are diverted to a .xyz phishing website, which is masked by the official Google reCAPTCHA page, to trick visitors when they open the embedded HTML file. This shows that an attacker has done his research which allows him to configure his landing pages to fit his victim's profile, also making the attack more credible. Phishing emails claim to be programmed emails from the unified communication resources of victimizations which say they have a voice message link. 

Following, checking the reCAPTCHA, the victims will be sent to a false Microsoft login page. When victims submit their username and password, they are encouraged to add credibility to the campaign by falsifying a message " validation successful." The researchers added that “Users are then shown a recording of a voicemail message that they can play, allowing threat actors to avoid suspicion.” 

"These attacks can be categorized as BEC [business email compromise] although the sender, in this case, involves the use of popular unified communication systems used by the organizations," Gayathri Anbalagan, the lead researcher on the Zscaler study points out. "We are not able to attribute this campaign to a specific threat actor but looking at the operational theme and the target profiles, it is likely to be a single coordinated campaign." 

“Similar phishing campaigns utilizing fake Google reCAPTCHA have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020,” noted researchers. Phishing attackers have also acquired multiple approaches to make the scams look more credible, such as Google Translate or customized font.