Confluence servers hacked to install malware

Cybercriminals are now exploiting a vulnerability in Confluence servers to install cryptojacking malware. According to a report by Trend Micro, the vulnerability has been well documented in the past. However, at the time, it was being used to target victims with DDoS attacks.

Confluence is a widely popular planning and collaboration software developed by the Australian software giant, Atlassian. Trend Micro reported that it had noticed one of the vulnerabilities, CVE-2019-3396, in April, a month after Atlassian published an advisory covering the same. CVE-2019-3396 is a template injection in the Widget Connector that allows cybercriminals to execute code remotely on their victims’ machines.

The vulnerability was first used for a DDoS attack in Romania. However, the cybersecurity and analytics company revealed that hackers are now using it to install a Monero crypto miner that comes with a rootkit. The rootkit serves to hide the malware’s network activity. It also shows false CPU usage on the affected machine, misleading the user and further concealing the mining process. The report further revealed that the rootkit re-installs the malware should the victim manage to remove it.

The attack begins by sending a command to download a shell script hosted on Pastebin, an online content hosting service where users store plain text for a set period of time. The malware then kills off some of the processes running on the host machine before downloading other resources, also from Pastebin.

The vulnerability mainly targets older versions of Confluence, with Atlassian urging its users to download patched versions of Confluence Server and Data Center to protect themselves.

In recent times, cryptojacking has become increasingly popular with cybercriminals. The tactics are also advancing, with the criminals seeking to stay ahead of the security experts. As we reported recently, a new malware that targets Linux servers has been modified to shut down other crypto miners in the host’s system. Known as Shellbot, the malware uses the SSH brute force technique to infect servers that are connected to the internet and that have a weak password.

US issues warning against malware 'Electricfish' linked with North Korea








The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint security warning about a new malware called "Electricfish,’’ which is allegedly linked to a state-sponsored North Korean cyberattack group.

The investigators uncovered the malware while they were tracking the activities of Hidden Cobra, it is believed that the group is sponsored by the North Korean government. 

The warning released by the US Computer Emergency Readiness Team on Thursday says that the malware is a 32-bit Windows executable program. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses.

‘’The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) addressaa. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.’’

‘’The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network,’’ read warning. 


The whole list of Indicators of Compromise (IOC) for Electricfish can be downloaded here


A Defensive Malware On The Cyber To-Do List of Japanese Government




Japanese government likes to stay ahead of disasters, be it natural or for that matter, cyber-crime related.

In the same spirit Japan’s Defense Ministry has decided to create and maintain cyber-weapons in the form of “Malware”.

The malware is all set to contain viruses and backdoors and would be the first ever cyber-weapon of Japan’s.

According to sources, it will be fabricated not by government employees but professional contractors tentatively by the end of this fiscal year.

The capabilities and the purpose or the way of usage hasn’t been out in the open yet.



Reports have it that the malware is just a precautionary measure against the attacker if in case the Japanese institutions are ever under attack.

As it turns out the malware is one of the endeavors of the Japanese government towards modernizing and countering China’s growing military threat.

The country also plans on widely expanding its reach into cyber battlefield (which is now an actual battle field) tactics.

Many major countries ambiguously have been using cyber weapons and now Japan’s next on the list.

The country’s government believes, being cyber ready and holding a major cyber-weapon in hand would keep countries that wish to attack at bay.

But as it turns out, this tactic hasn’t fared well with other countries as much as they’d like to believe.

This happens to be the second attempt at creating a cyber-weapon stash after 2012 which didn’t bear results like it should’ve.

Earlier this year the Japanese government passed a legislation allowing the National Institute of Information Communications Technology to hack into the citizens’ IoT devices using default or weak credentials during a survey of insecure Iot devices.

All this was planned to secure the Iot devices before the Tokyo 2020 Olympics to avoid Olympic Destroyer and attacks like VPNFilter.

So it turns out, that these efforts at strengthening the cyber game of Japan’s originate from the chief of Japan’s Cyber-security department who happens to not even OWN or USE a computer.

A2 Hosting finds 'restore' the hardest word as Windows outage slips into May

The great A2 Hosting Windows TITSUP has entered its second week as the company continues to struggle to recover from a security breach that forced its System Operations team to shut down all its Windows services.

To recap, things went south on 23 April as malware spread over the company's Windows operation, causing a problem so severe that the A2 Hosting team decided the only way to recover was to restore data from backups. The company told furious customers last week that "Restores continue to progress at a steady pace".

Except, alas, things have not gone smoothly.

As some services gradually tottered into life, users made the horrifying discovery that the backups being restored from were less than minty fresh.

A "day or two" is bad enough for an ecommerce site, but the loss of several months' worth of data is an altogether angrier bag of monkeys. To make matters worse, the company has left it to users to work out just how whiffy those backups are.

Register reader David Sapery, who was lucky enough to see his services stagger back to life after a five-day liedown, was then somewhat embarrassed when his customers, finally able to access his sites, told him things looked a tad outdated.

Sapery told us: "Anything on any of my websites that was updated over the past 2+ months is gone."

Still, Sapery was at least able to recover. Another reader was not so lucky, describing his experience as "an unmitigated disaster."

Having spent eight months and "thousands of dollars", the unfortunate A2 Hosting customer told us that "my business and all my hard work has been gutted within seven days by a hosting company that clearly did not have robust security in place."

A2 Hosting will, of course, point to its Terms of Service where it makes it quite clear that it is not responsible for any data loss and that users are responsible for their own backups.

WannaCry hero pleads guilty to malware charges

Marcus Hutchins who authors the popular blog MalwareTech, the famous British cybersecurity expert credited with stopping the WannaCry attack in 2017, now faces up to 10 years in prison after pleading guilty on Monday to writing malware to steal banking information in the years prior to his prodigious career as a malware researcher.

Hutchins stated on his website that he has "pleaded guilty to two charges related to writing malware" and added that he now regrets those actions.

Marcus posted a statement on his website and on his Twitter feed too, “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins is a rare talent who has since fallen from the heights of his reputation, after having been associated with multiple malware developments and ransomware cases, as well as lying to the FBI.

Federal prosecutors in Wisconsin and Marcus Hutchins’ attorneys said in a joint court filing Friday that the 24-year-old agreed to plead guilty to developing malware called Kronos and conspiring to distribute it from 2012 to 2015. In exchange for his plea to those charges, prosecutors dismissed eight more.

Marcus was virtually unknown to most in the security community until May 2017 when the UK media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before. Hutchins’ arrest in Las Vegas in August 2017, as he was about to board a flight to England, came as a shock. At the time, he told The Associated Press in an interview that he didn’t consider himself a hero but that he was combating malware because “it’s the right thing to do.”

According to security experts, the malware could have infected many more systems worldwide had Hutchins not stemmed the spread of the infection after a spotting a weakness in WannaCry's code. 

Hutchins could receive a more lenient sentence for accepting responsibility, the court filing said. Attorneys said Hutchins understands he could be deported. The sentencing has not been scheduled.

Emotet trojan one of the biggest malware

Emotet is a banking Trojan that started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

Emotet poses a grave risk for individuals and businesses of all sizes. Here's a look at what you can do to safeguard your business against this pernicious Trojan malware.

Emotet infections typically start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network.

The addition of new capabilities into Emotet, inspired by other successful malware such as WannaCry, has made it a much more potent threat capable of moving laterally and infecting entire networks alarmingly quickly. It’s a modular Trojan that’s often employed as the vanguard of a bigger attack, piercing the outer defenses and then downloading other banking Trojans and spreading them around.

As persistent and pernicious as Emotet is, you can take effective action to guard against it.

First, ensure that you don’t have unsecured devices on your network. Take steps to identify and secure unmanaged devices. Eradicate potential blind spots like internet of things devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized because it’s polymorphic, constantly updating itself and working towards spreading further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.

Malware Campaigns Attacking Asian Targets Using EternalBlue and Mimikatz



Asian targets are falling prey to a cryptojacking campaign which takes advantage of 'Living off the Land' (LotL) obfuscated PowerShell-based scripts and uses EternalBlue exploit to land Monero coinminer and Trojans onto targeted machines.
At the beginning of this year, a similar malware campaign was identified by the research team of Qihoo 360; reportedly, the campaign was targeted at China at the time. Open source tools such as PowerDump and Invoke-SMBClient were employed to carry out password hashing and execute hash attacks.
The campaign resorts to an exploit which uses SMBv1 protocol which was brought into the public domain by the Shadow Brokers a couple of years ago. It has now become one of the standard tools used by the majority of malware developers.
Referenced from Trend Micro’s initial findings, the aforementioned cryptojacking campaign was only targeting Japanese computer devices but eventually the targets multiplied and now they encompassed Taiwan, India, Hong-Kong, and Australia.
Trend Micro’s research also stated that the EternalBlue exploit, developed by NSA is a new addition into the malware; alongside, they drew a co-relation between the exploit and the 2017 ransomware attacks.  
How does the malware compromise computers?
With the aid of "pass the hash" attacks, it inserts various infectious components into the targeted computer by trying multiple weak credentials in an attempt to log in to other devices which are connected to that particular network.
Upon a successful login, it makes changes in the settings concerning firewall and port forwarding of the compromised machine; meanwhile, it configures a task which is scheduled to update the malware on its own.
Once the malware has successfully compromised the targeted computer, it goes on to download a PowerShell dropper script from C&C server and then it gets to the MAC address of the device and terminates the functioning of all the antimalware software present on the system. Immediately after that, it furthers to place a Trojan strain which is configured to gather the information of the machine such as name, OS version, graphics detail, GUID and MAC address.
“We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases targets legacy software that companies may still be using,” said Trend Micro.
Trend Micro advises users and enterprises to, “use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable multi-layered protection the system that can actively block these threats and malicious URLs from the gateway to the endpoint.”




Emotet trojan is back with a bang

Emotet gang takes their operation to a whole new level, showing why they're today's most dangerous malware. It would seem it now has taken on new tactics in the form of hijacking users old email chains and then responding from a spoofed address to portray legitimacy, this additional tactic can heighten a hackers chances when stealing financial information once a victim has been lured into clicking on said malicious content. Targeted emails appears to affect both private and public sectors, including government, particularly those that provide financial and banking services.

Emotet is a known banking Trojan, discovered five years ago, first in Europe and the USA. It started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

It injects itself into a user’s device via malspam links or attachments, with the intent to steal financial data. It targets banking emails and can sometimes deploy further attacks once inside a device.

The Emotet malware gang is now using a tactic that has been previously seen used by nation-state hackers.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

This campaign targeted mainly Chile and used living off the land techniques (LotL) to bypass Virus Total detections. This up and coming tactic uses already installed tools on a users’ device to remain undetected for as long as possible.

Hackers Utilize Hosting Infrastructure in the United States and Host 10 Malware Families



Hackers host10 malware families and distribute them through mass phishing campaigns via utilizing the hosting infrastructure method in the US.

The cybercriminals have been said to reuse similar servers so as to easily host diverse malware that demonstrate the coordination of a common entity between the malware operators.

The said hosted malware families incorporate five banking Trojans, two ransomware and three information stealer malware families. The malware incorporates the easily recognizable ones, like the Dridex, GandCrab, Neutrino, IcedID, and others.

Bromium, a venture capital–backed startup working with virtualization technology subsequent to tracking the operations for just about a year says that, “Multiple malware families were staged on the same web servers and subsequently distributed through mass phishing campaigns.”

The malware families hosted in the server have separation with the C2 servers, which shows that one threat actor is in charge of email and 'hosting' and another for the malware tasks.

The malware facilitated servers run the default establishments of CentOS and Apache HTTP, and the payloads are ordered and hosted in less than 24 hours. All the malware are disseminated with phishing messages that convey macro implanted pernicious word documents that consist of links indicating the malware hosted servers.



Bromium said, “63% of the campaigns delivered a weaponized Word document that was password protected, with a simple password in the message body of the email, such as ‘1234’ or ‘321’.”

Albeit strict measures are being taken to predict any further troubles similar to this one however an ongoing report from IBM, states that the major cybercrime groups associated together in 'explicit collaboration' and keeps on exchanging their contents, strategies, and systems to sidestep the security and to dodge from the law  enforcement agencies with ease.


Canadian Internet Registration Authority’s Car Parking System Struck By Ransomware!








Reportedly, CIRA’s car parking system was infected via a ransomware and was hacked into to let people park for free.


Canadian Internet Registration Authority is a gigantic internet domain which has 2.8 million, under its wings with a .ca domain.

The yet anonymous cyber-cons compromised CIRA’s car parking system, aiding people to park without getting their parking passes scanned.

Allegedly, some other company manages the car parking under CIRA.

Initially the cause which was thought to be a power failure or mechanical system crash, turned out to be a ransomware attack.



The database which was used by the car parking system for management was specifically compromised.

That very database also holds tens and tens of employee credit cards which if in wrong hands could wreak serious havoc.

After further analysis it was discovered that the ransomware in question could possibly be “Darma”.

This ransomware goes about infecting computers by way of RDP connections restricting to system that run on RDP (Remote Desktop Protocol) online.

These cyber-cons target the RDP protocol which runs on 3389. After performing a brute force attack they tried to harvest administrative credentials.


Later on an attempt at performing malicious activities on the system as made.

The silver lining happens to be that the stored card details would reclaim all the damage done by the free parking.

According to CIRA’s security survey, 37% of businesses don’t employ anti-malware protections.

CIRA also cited that they have no way whatsoever of knowing what sort of security measures are employed by the car parking in question.


Attackers Launched a Rapidly Changing Malware which uses .DOC Extension




A new malware has been discovered by security experts, they observed that it is constantly altering its behavioral patterns in an attempt to bypass the email security protection.

As dissemination of malware through email campaigns is becoming common day by day, email security providers are devising new ways to battle and terminate such malicious activities.

However, cybercriminals are employing subtle and sophisticated methods to bypass all the layers of security, which has led to a massive upsurge in successful malware campaigns.

In the aforementioned case, the infected emails are sent to the potential victims, which on being accessed leads to the downloading of a word template with a .doc extension.

Notably, the attack is configured quite differently than most of the attacks which make use of a single pattern with little customizations. In this attack, a number of different email addresses, subject headings, display name spoofs, body content, and URLs are used.

The attackers send the malspam email which entails an infected link which takes the user to a corrupted website that has the malware all set to sneak into the system and infect it.

Referencing from the findings of researchers at the only cloud-native security platform, Greathorn, “Initially, this attack pattern identified  at 12:24pm on Wednesday, February 20th, the attack has (so far) consisted of three distinct waves, each wave corresponding with a different destination URL, one at 12:24pm ET, one 2:05pm ET, and a third at 2:55pm ET, suggesting an attack pattern that anticipated and planned for relatively quick shutdowns of the destination URLs. “



Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign



With malicious intentions of targeting the users across the globe, attackers are reported to be disseminating new dubbed Muncy malware in the form of EXE file through DHL phishing campaigns.

Resorting to malspam emails, DHL phishing is amongst the most far-reaching campaigns which distributed several sophisticated malware. They made it appear legitimate by exploiting the deplorable configuration of SMTP servers and by employing email spoofing techniques.

DHL is a company of global repute which specializes in providing express mail services, international couriers and parcels. The reputation of the well-established company took some hits by the cybercriminals as they abused it to distribute malware. 

They did so by configuring the malicious emails to appear to be coming from DHL express. The email comprised of an infected attachment in PDF format.

How the malware is executed?

As soon as the targeted user accesses the PDF attachment, Muncy Trojan file sneaks into the system. Then the packed malware is unpacked and once unpacked it scans the whole C:\ drive for the files containing sensitive data. 

Expert takes

Commenting on the matter, Pedro Tavares, Founder, and Pentester at CSIRT.UBI told the GBHackers, “The phishing campaign is trying to impersonate DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting user’s in-the-wild while stealing sensitive information from their devices.”





CookieMiner: Steals Passwords From Cookies, Chrome And iPhone Texts!



There’s a new malware CookieMiner, prevalent in the market which binges on saved passwords on Chrome, iPhone text messages and Mac-tethered iTunes backups.

A world-wide cyber-security organization not of very late uncovered a malicious malware which gorges on saved user credentials like passwords and usernames.

This activity has been majorly victimizing passwords saved onto Google Chrome, credit card credentials saved onto Chrome and iPhone text messages backed up to Mac.

Reportedly, what the malware does is that it gets hold of the browser cookies in relation with mainstream crypto-currency exchanges which also include wallet providing websites the user has gone through.

The surmised motive behind the past acts of the miner seems to be the excruciating need to bypass the multi-factor authentication for the sites in question.

Having dodged the main security procedure, the cyber-con behind the attack would be absolutely free to access the victim’s exchange account or the wallet so being used and to exploit the funds in them.

Web cookies are those pieces of information which get automatically stored onto the web server, the moment a user signs in.

Hence, exploitation of those cookies directly means exploiting the very user indirectly.

Cookie theft is the easiest way to dodge login anomaly detection, as if the username and passwords are used by an amateur, the alarms might set off and another authentication request may get sent.

Whereas if the username passwords are used along with the cookie the entire session would absolutely be considered legit and no alert would be issued after all.

Most of the fancy wallet and crypto-currency exchange websites have multi-factor authentication.

All that the CookieMiner does is that it tries to create combinations and try them in order to slide past the authentication process.

A cyber-con could treat such a vulnerable opportunity like a gold mine and could win a lot out of it.

In addition to Google’s Chrome, Apple’s Safari is also a web browser being openly targeted. As it turns out, the choice for the web browser target depends upon its recognition.

The malware seems to have additional malignancy to it as it also finds a way to download a “CoinMiner” onto the affected system/ device.

Malware Alert: Mirai Alias Miori Is Being Dispensed Via RCE Exploits




To add on to the latest list of raging malware, the cyber-cons decided on changing names of some older ones.

Malware Mirai, is now being dispensed by the name of Miori, by way of malicious remote code execution exploits.


The Mirai Malware has a really solid history of wreaking havoc by executing DDOS (Distributed Denial of Service) attacks on various platforms among IoT devices.


The botnet in question has previously executed some truly jeopardizing DDOS attacks and has been the culprit for computer fraud and abuse.


The malware would need to function equally well on different architectures in order to run on cross-platforms.


Now, Miori can easily exploit internet connected devices by abusing their vulnerabilities. The smart devices are always on the radar for this malware.


The above-mentioned malware is being dispensed through Remote Code Execution vulnerability in the PHP structure of the name ThinkPHP. The exploit especially has targeted, versions previous to 5.0.23 and 5.1.31.


 The security researchers who are on to the malware, have alluded that the rate of infection is increasing in the case of ThinkPHP RCE in smart devices.


Numerous other Mirai malware which exploit the ThinkPHP RCE vulnerability are also being dispensed.


Researchers also confirmed that a Linux device was made to perform the DDOS attack because of the infection dispensed via other connected devices as the default credentials got reset through a telnet.


Reportedly, Miori is merely a subdivision which the cyber-cons use to fabricate vulnerable devices via Thinkpad RCE.


The malware variant could be downloaded from the following command and control server. Hxxp://144[.]202[.]49[.]126/php


Once the malware is executed a console gets generated which switches the Telnet on, to brute force other IP addresses.


On the port 42352 (TCP/UDP) the C&C server keeps a check to receive further commands.


The configuration table, of the Miori malware was de-crypted by researchers, which was instated in its binary strings.


The username passwords and other credentials which were used by the malware were also found out by the researchers as they were fairly easy to speculate.


A scrutinized look resulted in the discovery of two URLs that were employed by the two variants of Mirai, namely APEP and IZIH9. Both were employing the same string  anti-obfuscation procedure as Miarai and Miori.


APEP also spreads by exploiting CVE-2017-17215 which encompasses of one other RCE vulnerability which can seriously affect router devices.


Sextortion Scams At a Rise Yet Again; Now Leading To Ransomware



In the recent times the sextortion email scams have been at a high rise as they have proved time and time again to being quite a significant and effective method for producing easy money for the hoodlums. A sextortion scam is basically when an individual receives an email stating that they have been spied upon while they were browsing adult websites.

The sextortion campaign which traps recipients into installing the Azorult data stealing Trojan, then further downloading and installing the GandCrab ransomware is in the highlight now.

The first infection, Azorult, will be utilized to steal data from the user's PC, for example, account logins, cookies, documents, chat history, and that's just the beginning. At that point it installs the GandCrab Ransomware, which will encrypt the computer's information.

There have been numerous cases of such scams being accounted for generally where the emails may likewise contain passwords of the users that were leaked amid information breaches so as to make the scams look progressively genuine.

Experts at ProofPoint detected another campaign that as opposed to containing a bitcoin addresses to send a blackmail payment to prompts the user to download a video they made of them indulging in certain "exercises". The downloaded compress document, however, contains an executable that will further install the malware onto the computer.

"However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware," stated ProofPoint's research.

The downloaded documents will be named like Foto_Client89661_01.zip and the full text of the sextortion trick email is below:




This new strategy is turned out to be significantly hazardous, as when the recipients are already terrified with the need to affirm if a video exists. They download the document, endeavor to open the compressed file, and thusly find themselves infected with two distinct sorts of malware.

Consequently, it is recommended for the user's to not believe anything they receive via email from a strange address and rather do a few inquiries on the Web to check whether others have experienced emails this way or not.


New Ransomware Strain Hits the Chinese Web; Infects 100K PCs




More than 100,000 Chinese users have had their Windows PCs infected with yet another strain of ransomware that encodes their records and files all the while requesting a 110 yuan (~$16) ransom. The inadequately composed ransomware is known to have been scrambling local documents and taking credentials for various Chinese online services.

As of now there has been no threat made to international users as the ransomware is only determined to focusing on the Chinese web only.

The individual or the group behind the activity are only utilizing Chinese-themed applications to appropriate the ransomware by means of local sites and discussions at the same time asking for ransom payments through the WeChat payment service, just accessible in China and the contiguous areas.


A report from Chinese security firm Huorong, the malware, named 'WeChat Ransom' in a few reports, came into existence on December 1 and the quantity of infected systems has developed to more than 100,000 as of December 4.

Security specialists who analysed the attack said that other than encoding records, the ransomware additionally incorporated an information-stealing component that collected login credentials for a few Chinese online services, like Alipay, Baidu Cloud, NetEase 163, Tencent QQ, and Taobao, Tmall, and Jingdong.

Chinese security organizations examining the malware concur that it is a long way from a complex risk that can be effortlessly defeated. Although it professes to delete the decryption key if the victim neglects to pay the ransom by a specific date, document recuperation is as yet conceivable in light of the fact that the key is hardcoded in the malware.

Specialists from Huorong examining this ransomware string have found a name, a cell phone number, a QQ account, and an email address that could enable police to identify and catch the thief.

This most recent ransomware campaign anyway is additionally not the first occasion when those Chinese-based ransomware creators have utilized WeChat as a ransom payment dealing strategy. The ones who committed this deadly error in the past have been captured by the officials within months.

The Chinese police, in general, have a decent reputation of capturing the hackers within weeks or months after a specific malware crusade stands out as truly newsworthy.


Most Common Types of Cyberattacks as Seen Today





As cyber-attacks are on a continuous rise they have resulted in being one of the major threats to the world. Since 2008 there has never been much concern given about the imminent threat of cyber-attacks but the steady and rapid evolution of time and technology has changed it. It is a major wake up call to the various existing companies and organisation to secure themselves as well as their customers to not fall victim to such attacks.

Therefore in order to comprehend different ways through which an attacker might resort to for hacking into an organisation, here’s an overview of some of the most common types of attacks seen today:
  • MALWARE

Alluding to the different types of harmful software, for example, viruses and ransomware. Once the malware enters the computer system it is more than capable of causing quite havoc. From taking control of the PC to observing your activities, to quietly sending a wide range of classified information from your PC or system to the attacker's home base.

Attackers will utilize a miscellany of techniques to get the malware into your PC; however at some stage it regularly requires the user to make a move to install the malware. This can incorporate clicking a link to download a document, or opening an attachment that may look safe but in reality it has a malware installer hidden inside.
  •   PHISHING

At the point when an attacker needs the user to install the malware or unveil any sensitive data, they frequently resort to phishing attacks, an attacker may send you an email that will appear to be rather legitimate, it will contain an attachment to open or a link to click. When you do so it'll thereby install malware in your computer. There is likewise a probability that the link will connect you to a website that appears quite legitimate and requests you to sign in, in order to access a critical document—with the exception of the website actually being a trap used to capture your credentials when you attempt to sign in.
  •  CROSS-SITE SCRIPTING

When the attacker specifically focuses on a specific site's users it settles on Cross-Site Scripting attack. The attack includes infusing malignant code into a site; however for this situation the site itself isn't being attacked. Rather, the pernicious code the assailant has infused just keeps running in the user's program when they visit the infected site, and it pursues the user directly and not the site.

Cross-webpage scripting attacks can altogether harm a website's notoriety by setting the users' data in danger without any sign that anything pernicious even happened. Any sensitive data a user sends to the website, for example, their qualifications, credit card information, or other private information—can be captured by means of cross-site scripting without the site owners acknowledging there was even an issue in the first place.

  • CREDENTIAL REUSE

When it comes to credentials, variety is always essential. Users today however have so many logins and passwords to remember from that it's very tempting to reuse some of them to make life somewhat less demanding. Now despite the fact that it is suggested that you have interesting passwords for every one of your applications and sites, numerous individuals still reuse their passwords which unfortunately is a fact that attackers heavily rely upon. Once these attackers have a compilation of these usernames and passwords from an already breached site, they then utilize these same credentials on different sites where there's a shot they'll have the chance to sign in.

This nonetheless, is only a small selection of some very common attack types and methods as likewise with the advancement in time and innovation, new techniques will be developed by attackers. The users however are advised to be aware of such attacks and fundamentally try at enhancing their available security.


Malware Stealing Credentials via Office Documents



Recently the threat actors in charge of the AZORult malware released a refreshed variant with upgrades on both the stealer and the downloader functionalities. This was altogether done within a day after the new version had released a dark web user AZORult in a large Email campaign to circulate the Hermes ransomware.

The new campaign with the updated adaptation of AZORult is in charge of conveying thousands of messages focusing on North America with subjects, such as, "About a role" or "Job Application" and even contains the weaponized office document "firstname.surname_resume.doc” attached to it.




Researchers said, “The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes.”

Attackers have made use of the password-protected documents keeping in mind the end goal to avoid the antivirus detections. Once the client enters the password for documents, it requests to enable macros which thusly download the AZORult, and at that point it connects with the C&C server from the already infected machine and the C&C server responds with the XOR-encoded 3-byte key. 

Finally after exfiltrating stolen credentials from the infected machine, it additionally downloads the Hermes 2.1 ransomware.

Security analysts from Proofpoint even recognized the new version (3.2) of AZORult malware publicized in the underground forum with full changelog.

UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]Com/soft.exe. Also, there is a rule “If there is data from cryptocurrency wallets” or “for all”
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase

As indicated by the scientists, the malware campaign contains both the password stealer as well as the ransomware, which is astounding on the grounds that it is not so common to see both. Therefore, before causing a ransomware attack, the stealer would check for cryptocurrency wallets and steal the accreditations before the files are encrypted.


Mylobot Turns your PC into a Zombie system



Tom Nipravsky, a security researcher at Deep Instinct, discovered another 'never seen before' malware that could transform a Windows PC into a botnet. Named as 'Mylobot', this malware has developed from the 'Dark Web'. It was finished up in the wake of following its server that was additionally utilized by other malware from the dark web.

The powerful botnet is said to consolidate various noxious systems, generally including:

·       Anti-VM techniques
·       Anti-sandbox techniques
·       Anti-debugging techniques
·       Wrapping internal parts with an encrypted resource file
·       Code injection
·       Process hollowing (a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden)
·       Reflective EXE (executing EXE files directly from memory, without having them on disk)
·       A 14-day delay before accessing its C&C servers.

"On a daily basis we come across dozens of highly sophisticated samples, but this one is a unique collection of highly advanced techniques," says Arik Solomon, vice president of R&D at Deep Instinct. "Each of the techniques is known and used by a few malicious samples, but the combination is unique."

As indicated by the researcher, Mylobot likewise bears contrary to the botnet property. The reason, as indicated by the researcher, for this conduct being is, possibly to prevail upon the "opposition" on the dark web.

 “Part of this malware process is terminating and deleting instances of other malware. It checks for known folders that malware “lives” in (“Application Data” folder), and if a certain file is running – it immediately terminates it and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”

The researchers say it's vital to take note that Mylobot was found in the wild, at a Level 1 communication and telecommunication equipment manufacturer and not in a proof-of-idea show.

Also, in conclusion the one thing they are extremely sure about is the modernity of the malware's creators as, according to ZDNet, the real author(s) of this malware are yet obscure, be that as it may, the malware utilizes a similar server which is connected to the scandalous Locky ransomware, Ramdo, and DorkBot.


Zacinlo Malware; Yet another Threat for All Windows 10 Users


Researchers at Bitdefender have recently discovered a powerful malware that takes control over the PC and spams with advertisements. They have named it 'Zacinlo' after the last and final payload, looking at this as a transitory name for an intricate code. In any case, the Zacinlo malware has been around for almost six years extremely contaminating various Windows users.

The researchers at the Cyber Threat Intelligence Lab, following a year of research have published a rather detailed paper about this malware. Despite the fact that the malware has been around since 2012, it became the most active in late the 2017, state the researchers while clarifying about their work.

Zacinlo is said to be so powerful to the point that it has the capability of deactivating the most anti- malware directly accessible. Well known targets of Zacinlo incorporate Bitdefender, Kingsoft, Symantec, Microsoft, Avast, and various different programs.

Once installed, it altogether takes control over the user's framework for noxious exercises. These incorporate controlling the OS, forestalling against malware activities, at last accomplishing its fundamental objective – to display ads and generate income. This is accomplished by infusing contents in webpages.

 “The infection chain starts with a downloader that installs an alleged VPN application. Once executed, it downloads several other components, as well as a dropper or a downloader that will install the adware and rootkit components.”

Zacinlo effectively keeps running on most commonly utilized programs, including Chrome, Firefox, Internet Explorer, Edge, Safari, and Opera. As this adware starts working, it wipes out some other adware exhibit in the victim's PC to accomplish its main objectives. It at that point shows advertisements in order to produce income by getting the snaps.

The advancement of this malware makes its detection extremely hard. However, there is one route through which you can detect the presence of Zacinlo in the victim's PC. As stated by Bogdan Botezatu, the senior e-Threat Analyst at Bitdefender.

“Since the rootkit driver can tamper with both the operating system and the anti-malware solution, it is better to run a scan in this rescue mode rather than running it normally.”

Regardless of this all the windows users are thus instructed to stay wary while downloading any outsider applications or applications from untrusted sources to shield themselves from any malware attacks.