Search This Blog

Showing posts with label RAT. Show all posts

Attention! Malvertising Campaigns Using Exploit Kits On The Rise


Of all the things that online advertising could be used for, spreading malware is the one that throws you off the list by surpassing them all.

Not of late, researchers found out a recent ‘Malvertising’ campaign and sources say that it was done by way of the “Domen Social Engineering Toolkit”.
‘Malvertising’ (malicious advertising) could be defined as using online advertising means for spreading malware. Most typically it is done by inserting malware or malicious advertisements into legitimate advertising web pages or networks.

Per informed sources, this campaign was uncovered while trying to influence a VPN service as bait. It displayed a group of domains that gave Domen’s attack mechanism a fresh bend.

The construction of the campaign, as mentioned in reports, was such that ‘search-one[.]info’ was comprised in it as the ‘fake’ page, ‘mix-world[.]best’ as the download site and ‘panel-admin[.]best as the backend panel.

As revealed in reports, the campaign managed to redirect the users and bare them to ‘Smoke Loader’. This is conceivably a downloader that installs secondary payloads. And that’s what it did. They consisted of a ‘Vidar stealer’, ‘Buran ransomware’ and ‘IntelRapid cryptominer’.

Need not to mention, this campaign isn’t the first one to surface which was focused on payloads. Women's malvertising per source had commenced in September last year. The social engineering toolkit was employed to exploit the website and fool users into clicking on a fake ‘Adobe Flash Player’ update. The clicking would start a download of “download.hta”. Afterward, by way of employing PowerShell to connect to “xyxyxyxyxy[.]xyz”, only to download the 'NetSupport Remote Access Trojan' (RAT), later.

With amplification in the usage of the internet and online means, it becomes a top priority to build up a structured and strong defense mechanism to fight and prevent Malvertising.

Hiring security professionals is a safe pre-requisite and a building block towards creating the defense structure. Keeping abreast of the latest updates and patches must be a primary priority.

Word has it that in most cases the ‘exploit kits’ are employed to disseminate the malware payloads. Hence the organizations should have a clear account of all its obstruction points so that Malvertising campaign’s attack payloads could be detected and dealt with in time.

Company Behind Orcus Malware Fined by Canadian Broadcasting Agency


Orcus Technologies, an organization that sold a remote access trojan (RAT) Orcus has been fined with 115,000 Canadian dollars (Approximately 87,000 US dollars). The fine was imposed by one of Canada's broadcasting agency, Canadian Radio-Television and Telecommunications Commission (CRTC).

Orcus Technologies was established in March 2016 by founders John Paul Revesz (also known by the names, Ciriis McGraw, Armada Angelis, among other aliases) and a Germany-based man, Vincent Leo Griebel (also known as Sorzus). Griebel was responsible for developing the malware while Revesz looked after the marketing, sales and support section for the software. The idea behind the operations was to deliver a remote management tool just like widely used TeamViewer and various other remote management applications, as per the investigation carried out by the CRTC in association with the cybercrime division of the Royal Canadian Mounted Police (RCMP).

"Proof got for the duration of the investigation allowed the Leader Compliance and Enforcement Officer (CEO) to conclude that the Orcus RAT was once now not the everyday management instrument Griebel and Revesz claimed, however, was once, if truth be told, a Far-flung Get right of entry to Trojan (RAT), an identified form of malware," as per the CRTC's findings.

The findings further claimed that the duo not only sold and promoted the malware but also assisted malicious actors in getting Orcus RAT installed on users' computers without their consent or knowledge.

In a similar context, last month, Revesz faced criminal charges against him, filed by the RCMP. Earlier in March, this year, the RCMP came up with an arrest warrant at Revesz apartment, meanwhile, there were separate arrest warrants aimed at Orcus RAT customers by Australian Police.

It was around 2016's summer, Orcus RAT starting making headlines in the cybersecurity ecosystem, the RCMP revealed that it started investigating the company behind the malware since July 2016 and have kept a continuous track of the activities revolving around Orcus Technologies since then. Before finally distributing the malware via malspam campaigns, the team behind Orcus announced the malware in a piracy forum in 2016 itself. Then same year also witnessed the publication of an article on the subject reporting the malicious intent of the authors in the month of July. In the wake of the publication which presented enough evidence against the malware, Revesz took to Twitter to defend the Orcus RAT, wherein he claimed that his tool amounts to nothing more than a remote administration application.

As an aftermath of Revenz's weak arguments and the disputes that followed on Twitter, various cybersecurity professionals and organizations filed complaints against the authors of Orcus RAT with corresponding Canadian authorities.

Although the duo is responsible for the creation of the malware and initiating its distribution, the buyers who extended the malicious operations by infecting the victims are equally responsible as the two.

OceanLotus’ Ratsnif (A Remote Access Trojan)- Thinngs You Need To Know




OceanLoutus’ Ratsnif, an especially undetected remote access Trojan which mainly is used for cyber-espionage purposes has become better and is now capable of SSL hijacking and modifying web pages.

The very prominent malicious actor OceanLotus is quite fairly known for its espionage campaigns in the Vietnam. APT32, CobaltKitty, SeaLotus and APT-C-oo are few of its aliases in the infosec community.

The hackers behind this malicious threat actor usually combine “commercially available tools” such as Cobalt Strike with unique malware.

Four separate variants of the Ratsnif RAT family were analysed by prominent researchers only to find out that it evolved from a debug build to a release version.

It now comes filled with fresh features like DNS and MAC spoofing, SSL Hijacking, packet sniffing, HTTP redirection and injection, setting up remote shell access and ARP poisoning.

Per sources, the three early versions were found out to have a compilation date from 2016 whereas the most recent one was from August 2018.

The oldest variant of the Ratsnif, per the researchers, apparently was a debug build compiled in August 2016. The domain for its command and control (C2) server was activated the very day.

A newer version with no so gigantic changes was compiled the very next day. Both the samples were tested for detection against the anti-virus engines present on VirusTotal service at the same time.

A third version with September 2016 as its compilation date appeared with almost similar functioning and is believed by the researchers to be one of the earlier builds.

It wasn’t loaded with all the features but surely was capable of setting up a remote shell and serve for ARP poisoning, DNS spoofing and HTTP redirection.

In its early stages it collects information such as usernames, computer names, Windows system directory, and network adapter info and workstation configuration and sends it to C2.



The fourth Ratsnif sample was no longer accompanied by a list of C2 servers and delegated communication to a different malware used on the host victim.

It also, originally happened to introduce a configuration file and to extend the set of features to make it more effectual.

If one wishes to decrypt the traffic it could be done by using version 3.11 of the wolfSSL library which was earlier known as CyaSSL.

The configuration file happens to be unsecured and is simply a “text file encoded in Base64 with a parameter on its own line”.

Ratsnif could also cause a memory red violation owing it to a bug, when parsing a specific parameter (“dwn_ip’). Due to this the value’s passed as a string when it should be a pointer to a string.

According to the analyzers, the 2016 versions of Ratsnif contained all packets to a PCAP file but the 2018 version employs multiple sniffer classes for wresting sensitive information from packets.

This lowers the amount of data the attacker requires to collect, exfiltrate and process and also shows what information the attacker is after.

Ratsnif has done an essentially tremendous job at staying out of the limelight. Nonetheless it is not up to the standards of OceanLotus’ other malware endeavors.

DarkCoderSc has pulled the DarkComet RAT and ended development

A popular Remote Administrator tool (RAT) that was used by many to controller there computers as well as malicious purposes. DarkCoderSc the coder of this tool, has been developing it for around 4 years now. Originally it was released on a popular programming forum Hackhound which has since been shutdown.

"I have devoted years with a nonprofit philosophy for you to enjoy without asking anything in return other than respect of the rules, unfortunately some of you couldn’t respect the terms so because of you (generally speaking) made the DarkComet RAT geo cruiser end."In DarkCoderSC’s message to the community which he announces this news.

The quote says that people where not respecting the rules, which leads many to believe he was forced to shutdown due to law enforcement. It seems as malware coders are now being targeted more then ever, last week the the Blackshades owner (Just realized the site is down now) was arrested for credit card fraud, the malware he was coding and distributing.

"source codes will remain private and not for sale. This was a very hard decision to take, probably the hardest i ever had because after so many years its more than just a project, its a piece of you."

Indian Primie Ministers office computers Hacked and RAT Installed

One of the Indian Hacker named "nomcat" claim to hack into the Indian Prime Ministers Office Computers and install R.A.T (remote administration tool ) in them. He also Expose the Vulnerability in Income Tax website and Database Information.


Press Release By Hacker :
Our team wanted to release this information with interests of the people and to expose out to the world how corrupt the Indian Government and this is one of the best examples ... The IT department of India is vulnerable to SQL injection it allows the "attacker" to view and edit all the databases ,tables ,columns and data stored within them since there a LOT of tables we are not yet done fully exploring them and we are letting out only the data we think is the least affecting to our country's security , But what we should learn is that this is one of the simplest hacking methods and most of the work can be done by point and click applications that need no knowledge of coding .Let this be a warning , we give the concerned officials until 17/09/11 to FIX all vulnerabilities in the major government systems else we will make all data public link to .hvj file that contains database structure (can be opened by this software) our humble request is that you only use and this is not the only website that we have control over , we would also like to mention that we have a R.A.T (remote administration tool ) installed in the PM's office computers

Few months Before, The hacker group Anonymous, which was famous for their alleged hacking on Sony PlayStation Network, announced war against corruption in India by hacking one of the government websites of an IT organisation. Not long ago, the website of India's top investigation agency CBI was too hacked by Pakistan hackers and had caused embarrassment to the government. It took several weeks to the authorities to get the CBI website back on track. The repeated incidents of hacking of the government websites, perhaps most secure ones, have certainly exposed the vulnerability of websites. The Indian government then announced several measures to prevent such cyber attacks.

source

Shady RAT attack hits 72 organizations-Cyber Attack Over 5 years

McAfee on Tuesday issued a warning that an attack, which it's dubbed "Shady RAT" for remote access tool, successfully compromised at least 72 organizations, across 14 countries, beginning in 2006.

Victims included government agencies in the United States, Canada and South Korea, defense contractors, and International Olympic Committees in three countries. All told, 49 of the exploited organizations were located in the United States.

McAfee released a related report on Tuesday, saying it first discovered signs of the Shady RAT attack in 2009, after a forensics investigation at a defense contractor found an infection that originated from a spear-phishing attack, which contained attached malware that uses "encrypted HTML comments in Web pages that serve as a command channel to the infected machine." While McAfee didn't name the malware in question, security experts said it sounds like malware that'


s been traced to a group known as the "Comment Crew."

Download the report from McAfee