Search This Blog

Showing posts with label malware. Show all posts

Rogue: An Android Malware That Gives Hackers Full Control Over a Phone

 

Another sort of Android malware that provides hackers with nearly-full access to a client's Android cell phone is doing rounds on underground forums. Colloquially known as 'Rogue' Remote Administration Tool (RAT), the malware infects victims with a keylogger – permitting attackers to effectively monitor the utilization of sites and applications to take usernames and passwords, just as more delicate data like a client's financial data. The malware, as per reports, is accessible on underground forums for as low as $29.99 (generally Rs 2,200).

This low-cost malware undermines a full-scale takeover of a victim's cell phone, observing the GPS area on the target, taking screenshots, utilizing the camera to take pictures, secretly recording sound from calls, and more. The virus does this while being hidden from the owner of the cell phone. All an attacker requires is their own cell phone to give commands on an infected device. This malware has been detailed by cybersecurity researchers at Checkpoint Research as a mix of two past groups of Android RATs - Cosmos and Hawkshaw - and exhibits the advancement of malware improvement on the dark web. 

Rogue is crafted by Triangulum and HeXaGoN Dev, known Android malware creators that have been selling their vindictive products on underground markets for quite a long while. For the development of Rogue, the malware creator evidently joined forces with HexaGoN Dev, which specializes in the building of Android RATs. Beforehand, Triangulum bought projects from NexaGoN Dev. "The mix of HeXaGon Dev's programming skills and Triangulum's social marketing abilities clearly posed a legitimate threat," Check Point's security researchers note.

While there is no single manner by which hackers introduce Rogue, it is normally pushed on a victim's cell phone either by phishing, malevolent applications, or other such techniques. In the wake of being downloaded on a cell phone, Rogue asks for permissions that it needs for the hacker to remotely get to a cell phone. When the permissions are in all actuality, Rogue registers itself as the device administrator and conceals its icon from the home screen. 

The best way to try not to succumb to this is to not click on suspicious links or download applications from outside sources other than Google Play and Apple App Store. Further, it is additionally imperative to ensure all security updates are installed on the device.

JetBrains – A possible Doorway to Massive Hacking Plot?

 

JetBrains a software company based in the Czech Republic could possibly be used as a doorway by Russian hackers to secure access to United States private sector systems and federal government systems. American intelligence agencies and private Cybersecurity researchers are investigating the position of a software company that could possibly be used as a pathway by Russian hackers to inject malware that would glide to several technology firms.

JetBrains a software company established in Prague, Czech Republic has more than 1,200 employees and the company’s products are widely used across the globe by more than 300,000 companies and 9,000,000 developers which include 79 Fortune Global 100 companies and 95 Fortune 100 companiesJetBrains is widely recognized as a leading instrument for developing software.

Numerous leading companies like Citibank, Google, Netflix, HP, Twitter, Volkswagen, Expedia, NASA, Valve, Ubisoft, VMware, The New York Times, and Hewlett-Packard are among its consumers and it also has a major say in developing the software for Siemens – a leading supplier of technology in a sensitive framework such as nuclear and power plants.

Maxim Shafirov, the company’s chief executive officer stated in a post that “we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation, if such an investigation is undertaken, the authorities can count on our full cooperation”.

SolarWinds, the company stationed in Austin, Texas is one of the primary consumers of JetBrains. TeamCity software is a product of JetBrains, it is a continuous integration and deployment system used for unit testing and code quality analysis. The software was utilized as a weapon by the threat actors to gain access to the SolarWinds TeamCity server by manipulating high severity vulnerabilities. However, JetBrains’ CEO denied all the allegations regarding the involvement of the company in the SolarWinds hack.

Meet Oski Stealer: In-depth Analysis Of the Popular Credential Stealer


In the current scenario credential theft malware is one of the most frequently employed malware in cyber hacking. Many government and non-government organizations are becoming victims of such attacks as employees are being attacked for their credentials. 

The main objective of this malware is to actively acquire confidential and sensitive data, consisting of users' official names, passwords of their systems, and financial information. 

Credential theft Malware is something that can cause destruction to a computer system and its network. The threat actors just don’t use this malware to steal passwords, but also to delete files and render computers inoperable. Potentially, malware can lead to infections which in turn can cause many problems that affect daily operations and the long-term security of affected organizations. 

‘The Oski stealer’, is a credentials stealer, first, it was reported in November 2019. As the name suggests, ‘the Oski stealer’ works as a big information stealer consisting of personal and sensitive information from its victims. 'Oski', the name has been derived from an old Nordic word, meaning ‘Viking warrior’, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its targets.  

As per the sources, “the ‘Oski’ stealer’ is a classic information stealer platform that is being sold on Russian underground hacking forums at a low price of $70-$100. The stealer is written in C++ and it has all the typical features of credential theft malware”. 

According to the research, ‘Oski’ targets sensitive information including: 

• Login credentials from different applications 
• System information 
• Browser information (cookies, autofill data, and credit cards) 
• Screenshots 
• Crypto wallets 
• Different user files 

Besides, the stealer can also work as a Downloader to download a second-stage malware with modification of tools. 

Every infection involving three parties: 
1. Malware authors 
2. Malware customers 
3. Malware victims 

The customers contact ‘Oski actors’ on underground forums to buy the malware and, once purchased, they customize it and disperse it to their targets. Oski has become popular and has built a strong reputation within the underground community, with many of its buyers on regular basis providing positive feedback and reviews about the functions of the malware. 

While giving further insights, sources from Intelligence said, “Even we have to admit that Oski’s functionality works pretty well. From setting up and checking the environment to stealing information by application type, Oski’s code is written with purpose and care. The code is neat and clean, without any presence of useless code lines, however, it does lack sophisticated anti-analysis tricks like anti-debugging and dynamic anti-analysis tricks”.

December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat

 

The threat Intelligence arm of Check Point Software Technologies Ltd., a world-leading cybersecurity solutions provider has recently published its Global Threat Index for December 2020. 

Global Threat Index for December 2020 has disclosed that the Emotet trojan, once again ranked at the top of the malware list. According to the sources, currently, the malware is affecting 7% of organizations worldwide following a spam campaign that has targeted over 100,000 people per day in December 2020. 

“In September and October 2020, Emotet was consistently at the top of the Global Threat Index and was linked to a wave of ransomware attacks. But in November it was much less prevalent, dropping to 5th place in the Index. It has now been updated with new malicious payloads and improved detection evasion capabilities: the latest version creates a dialogue box, which helps it evade detection from users. The new malicious spam campaign uses different delivery techniques to spread Emotet, including embedded links, document attachments, or password-protected Zip files,” the report reads. 

This malware was first identified in 2014, according to the data present, ‘Emotet developers’ have updated their tools to organize and maintain its continued effectiveness while executing their malicious motives. The Department of Homeland Security while making an estimation, stated, “each incident involving Emotet costs organizations upwards of 1 million dollars to rectify..” 

Additionally, the research team is also warning organizations against ‘MVPower DVR Remote Code Execution’ “which is the most commonly exploited vulnerability, impacting 42% of organizations globally, followed by ‘HTTP Headers Remote Code Execution (CVE-2020-13756)’ which is affecting 42% of organizations worldwide,” Researchers added. 

At present, ‘Emotet’ will remain on the top of the list as the most dangerous malware with a global impact of 7% on organizations, followed by Trickbot, Formbook, Dridex, XMRig, Qbot, Hiddad, RigEK, Ramnit, Glupteba malware. 

What is Emotet and what it does to your system? 


‘Emotet’ is a dangerously advanced malware, it's a self-propagating and modular Trojan. Originally Emotet had been discovered as a banking Trojan, but it has been modified to function as a distributor for other malware or cyber campaigns, through multiple methods. Operators constantly evaluate the malware for its maintenance, persistence, and evasion techniques to avoid any form of detection with ease. It is also noteworthy that this sophisticated malware can be distributed through phishing spam emails containing malicious attachments or links.

Ryuk Ransomware: What Can We Learn From DCH Cyberattack?

Hackers have profited a lot from the Covid-19 pandemic by targeting health institutions, let us look back and learn from these attacks. For a very long time, cybercriminals have been attacking healthcare institutions, one fine example is the "DCH ransomware" attack. E Hacking News in this article analysis the events of the DCH ransomware incident, and how Alabama healthcare dealt with the attack.  

About the attack
Alabama's DCH health system was hit by a ransomware attack in October 2019. The attack forced DHS to shut down its 3 state units named- Fayette Medical Center, Northport Medical Center, and Tuscaloosa’s DCH Regional Medical Center. Because of the attack, the computer systems in the 3 hospitals stopped working and the hospital staff couldn't access important files and patient records. DCH took applied emergency measures to deal with the crisis, the hospitals took in critical patients, whereas non-critical cases were transferred off to other health institutions, and only admitted after 10 days.  

About DCH Ransomware 
Hackers attacked DCH systems using a strain of Ryuk ransomware, the malware used by Wizard Spider, a Russian hacking group. Ryuk uses malicious social engineering techniques and uses phishing attacks to trick users into opening false links. Once opened, the malware deploys itself with the target device. When Ryuk is successfully deployed, it gets into the system codes and stops the device from functioning. It is followed by encryption and the last step is demanding ransom.  

Aftermaths of the Ransomware Attack 
DCH couldn't continue it's healthcare services for 10 days due to the partial disruption caused by the ransomware. Four patients filed a lawsuit against DCH for violating "information privacy law" and affecting their medical treatment during the ransomware attack. The lawsuit stated, "because of the ransomware attack, plaintiffs and class members had their medical care and treatment, as well as their daily lives, disrupted." "As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment."

Ezuri Crypter Being Used to Evade Antivirus Detection

 

As per a report delivered by AT&T Alien Labs, various cyber criminals are utilizing Ezuri crypter to pack their malware and dodge antivirus detection. Although Windows malware has been known to deploy similar tactics, cybercriminals are currently utilizing Ezuri for penetrating Linux systems too. Written in Golang, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Utilizing AES, it encrypts the malware code and, on decoding, executes the noxious payload directly inside memory without producing any records on the disk. 

Systems engineer and Ezuri's maker, Guilherme Thomazi Bonicontro ('guitmz'), had open-sourced the ELF loader on GitHub in 2019 and debuted the tool in his blog entry. In an email interview with, Bonicontro otherwise known as TMZ shared that he is a malware researcher and makes research apparatuses for spreading awareness and aiding defenders. 

“I'm an independent malware researcher, I do this as one of my leisure activities. The objective of my work is just to learn and bring awareness on assorted PoC assault and defense techniques, yet never bring on any harm. As a general guideline, I generally share samples of my ventures with antivirus organizations and I never discharge code with ruinous payload or anything with refined replication capabilities. I believe knowledge ought to be available to everybody and every individual ought to be answerable for their own activities to rest soundly at night,” said Bonicontro. 

Researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs noted in the wake of decrypting the AES-encrypted payload, Ezuri quickly passes the subsequent code to the runFromMemory work as a contention without dropping malware files anyplace on the tainted system. During the last few months, Caspi and Martinez distinguished a few malware creators that pack their samples with Ezuri. These incorporate the cybercrime group, TeamTnT, active since at least April 2020. 

TeamTnT is known to assault misconfigured Docker instances and exposed APIs to transform weak systems into DDoS bots and crypto miners. Later variations of TeamTnT's malware, for example, "Black-T" that install network scanners on tainted systems and extract AWS credentials from memory were likewise discovered to be bound with Ezuri. As indicated by the AT&T researchers, "the last Black-T sample distinguished by Palo Alto Networks Unit42 is really an Ezuri loader." The researchers additionally saw the presence of the 'ezuri' string in numerous Ezuri-packed binaries. 

Malware samples which were commonly distinguished by about 50% of antivirus engines on VirusTotal, yielded 0 detections when encoded with Ezuri, at the time of AT&T's research. Even today, the Ezuri-stuffed sample has less than a 5% detection rate on VirusTotal.

Cisco Talos Researchers Discovered Multiple Susceptibilities in SoftMaker Office TextMaker

 

Cisco Talos researchers exposed multiple vulnerabilities in SoftMaker Office TextMaker that can be exploited by cyber attackers. These vulnerabilities in SoftMaker office can be exploited for arbitrary code execution by generating malicious documents and deceiving victims into opening them. 

SoftMaker Office TextMaker is a German-based software developer; it has various suites like a spreadsheet, word processing, presentation, and database software components, and all these well-liked software suites are presented to individuals and enterprises. The common and internal document file formats also acquire the support of the SoftMaker office suite. 

The foremost issue is a sign extension bug, CVE-2020-13544 which influences the document-analyzing functionality of SoftMaker Office TextMaker 2021 and the subsequent vulnerability has been traced as CVE-2020-13545 which is a sign altering flaw in the same document-analyzing of the application. 

Cisco Talos researchers illustrated that “a specially crafted document can cause the document parser to sign-extend a length used to terminate a loop, which can later result in the loop’s index being used to write outside the bounds of a heap buffer during the reading of file data”. A heap-based memory can be corrupted by an attacker who can adeptly design a document which can lead to the document analyzer. 

The document analyzer can misjudge the length while assigning a buffer which will lead the application to be written outside the bounds of the buffer. Traced as CVE-2020-13546, the flaw is detected to affect the SoftMaker Office 2021 by integer overflow susceptibility. 

SoftMaker office 2021 was evaluated with a Common Vulnerability Scoring System (CVSS) of 8.8 and now all three vulnerabilities are secured. The most threatening issue was that the attacker can exploit the loophole in the SoftMaker office in 2021 from any remote location.

City of Cornelia Witnessed Fourth Ransomware Attack

                   

It seems like now the city of Cornelia has gotten quite used to the horrors of ransomware attacks as on Saturday, they witnessed their 4th ransomware attack within the last 2 years, the City Manager Donald Anderson on Tuesday. A day after Christmas eve, on the pleasant morning of the 26th of December 2020 the city of Cornelia got their Christmas gift as a malware attack. Experts say that this may not be the last incident but it is a part of the aggravated trend that the city may witness in the near future. 

Though the city has spent almost $ 30,000 for the upgradation of the firewall after the last attack that happened in September 2019 for better shielding of the system, still the hackers were able to take over the state’s administration and the data system offline.  

In a statement, the city’s manager said that they have “anticipated such situations in and out with abundance of caution”, moreover they have also “taken down our network while we investigate the situation and restore our data.” The aforementioned situation, owing to its gravity, is not only being monitored by officials from the state, but experts from outside have also stepped in to investigate the matter. 

According to Anderson the local services of the city like the emergency phone lines, garbage pickups and the utility work, etc, are not disturbed at all and are functioning properly. The email services and the city hall phones are also operating under normal conditions. However, since the city’s software data system is down, the employees and the natives are in a stalemate condition as they can neither lookup for the bill balances nor can accept any sort of credit card payments for the city services.  

Though the majority of the city functionalities are unaffected by this attack, still the operators behind the ransomware attack were able to incapacitate the newly installed water treatment plant of the city of Cornelia.  

“According to them the business model of those behind the ransomware is typically NOT to profit off of selling the personal information of the city employees or our citizens on the internet – it is to extract a payment from the city .” Anderson further added. Meanwhile, the city officials denied disclosing any further information and asked for cooperation and support from the city natives, telling them to stay patient and keep their calm until things are being resolved. 

New Self-Spreading Golang Worm Dropping XMRig Miner on Servers

 

Security researchers at Intezer have found a new self-spreading worm written in GoLang. The malware variant has been actively targeting both Windows and Linux servers, predominantly since December 2020. Researchers noted that the worm developed by China-based hackers attempts to mine Monero, an open-source cryptocurrency launched in 2014 which gained immense popularity and wide acceptance for its privacy-oriented features.
 
GoLang's rich library ecosystem makes it a top preference for malware developers, who can infiltrate the systems without being detected while working with GoLang's smooth malware creation process. The language makes it easier for hackers to bypass security as the malware written in GoLang is large-sized and scanning large files is beyond the capabilities of most of the antivirus software.

The 'GoLang' malware that has been dropping XMRig cryptocurrency miners on Windows and Linux servers, has worm-like capabilities that let it propagate itself to other systems through brute-forcing. 

The worm attacks application servers, non-HTTP services, and web application frameworks; it has targeted public-facing services rather than "the end-users". MySQL, Tomcat admin panel, and Jenkins are some of its latest victims. Besides, these public-facing services with weak passwords, the malware operators have also tried to compromise Oracle WebLogic Server by exploiting its remote code execution vulnerability – CVE-2020-14882, in an older variant.

Attack Execution 

The worm on the Command and Control (C&C) server was periodically updated by the operators, signifying the current "active" status of the malware. Once the target is being successfully compromised, the attack proceeds with deploying the loader script, a Golang binary worm, and an XMRig Miner – three files hosted on the aforesaid C&C server.

While giving insights into the matter, Chad Anderson, Senior Security Researcher at DomainTools said, “While it’s certainly alarming that there were no detections for this worm’s initial sample, that’s not surprising as Golang malware analysis tooling has still been playing a bit of catch up in the automation space,” 
 
“We would expect that with the rise in cryptocurrency prices over the last few weeks that actors looking to cash in for a few extra dollars would cause a surge in mining malware,” he further added. 
 
“The fact that the worm’s code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms,” the report by Intezer read.

Kaspersky Lab and Yandex have detected malicious browser extensions

 Kaspersky Lab and Yandex have identified malicious code in browser extensions. Through them, attackers could gain access to the account in social networks and increase views of videos on various sites

Kaspersky Lab and Yandex experts have identified potentially malicious code that pulls more than twenty browser extensions, including Frigate Light, Frigate CDN and SaveFrom.

Through extensions, cybercriminals could, unnoticed by the user, gain access to his VKontakte account, and increase video views on various sites. Extensions received tasks from their own server, generated fraud traffic by playing videos in hidden tabs, and intercepted a token for access to the social network. The code was run only when the browser was actively used, activating the built-in detection protection.

The investigation began after users of Yandex.Browser began to complain about the sounds of advertising, although the video on the screen was not played. Yandex disabled extensions in Yandex. Browser after detecting a hidden traffic flow. Kaspersky lab blocks such activity on devices where the company's products are installed. The results of the investigation were sent to the developers of the social network and the most popular browsers.

According to Anton Mityagin, head of Yandex's Internet Security and Anti-Fraud Department, the traffic generated by extensions is very difficult to detect, as it is mixed with real user actions. He recalled that browser extensions are very popular and the total number of their installations has long been estimated in the tens or even hundreds of millions.

The leading expert of Kaspersky Lab Sergey Golovanov noted that more than 1 million users could become potential victims of the scheme. "The code from the browser extensions not only increased video views but also gained access to social network accounts, which could later be used, for example, to increase likes," added he.

New marketing campaign against UK subway by using TrickBot malware

 

UK subway market has disclosed that its marketing system has been hacked. The malicious actor was sending TrickBot malware-laden phishing emails to the customers by using its marketing system. 

Threat actor successfully accessed subway UK customers' confidential information such as names and email addresses by hacking a subcard server. This campaign has come to light when BleepingComputer observed a massive phishing campaign targeting U.K. citizens, pretending to be order confirmation from subway UK. 

According to the researchers, threat actor was distributing malicious Excel documents to the users that would install the updated version of the TrickBot malware into the system. As per the analysis, the downloaded TrickBot malware is a DLL that will be inserted into legitimate Windows Problem Reporting executable directly (wermgr.exe) from memory to avoid being caught by security software and would appear like an authentic task running in the task manager. 

What is TrickBot? 

Trickbot is a computer malware-trojan, which targets Microsoft Windows or other operating systems to get sensitive information and acts as a dropper for other malware. Mainly, the malware is configured to send direct links to users by emails to download malware from malicious websites and trick the users into opening malware through an attachment. 

It is about yesterday when Subway UK customers were receiving bogus emails from 'Subcard' of Subway about customers placed orders. The emails that were sent to the users comprised of certain links of documents that appeared to be a confirmation of the order. 

In a recent development, it has been observed that TrickBot malware expanded its arsenal by adding TrickBoot. 

In November, operators of TrickBot had added a new tool to its array with the name ‘LightBot’ to inspect the victim’s network for high-value targets. 

Subway said in a statement to BleepingComputer, "Having investigated the matter, we have no evidence that guest accounts have been hacked. However, the system which manages our email campaigns has been compromised, leading to a phishing campaign that involved first name and email. The system does not hold any bank or credit card details."

"Crisis protocol was initiated and compromised systems locked down. The safety of our guests and their personal data is our overriding priority and we apologies for any inconvenience this may have caused."

iPhones of Al Jazeera Journalists Being Snooped On Via Israeli Firm's Spyware

 

iPhones of around 36 Journalists at Al Jazeera news organisation have been hacked by nation-sponsored hackers who sent malware laden iMessages. The attackers who are suspected to be backed by the governments of the United Arab Emirates and Saudi Arabia, exploited a zero-day vulnerability in iMessage which was later fixed by Apple. 

In a technical report, experts have stated that the Journalists' iPhones were snooped on by attackers who employed NSO's Pegasus software to deploy spyware onto the iPhones of 36 journalists, executives and producers at the news agency, Al Jazeera. 

Pegasus is a modular malware developed by the Israeli firm NSO which is used for surveillance purposes and has also been linked to surveillance abuse at multiple occasions. The spyware allows hosts to remotely monitor and exploit devices. Reportedly, the attack took place invisibly and it didn't require the attackers to trick the victims into clicking on a malicious link – as opposed to conventional ways of deploying malware. 

While examining one of the victim's device, researchers discovered that spyware was deployed secretly through iMessage and was able to take images using iPhone's camera, access passwords, and victim's location. Besides, it's likely that the spyware was also recording phone calls and microphone.  

As per the researchers at Citizen Lab, a total of four operators belonging to Pegasus were observed to have assisted the hack. Two of the operators namely SNEAKY KESTREL and MONARCHY are suspected to be having links with the governments of Middle Eastern countries; to the UAE and Saudi Arabia, respectively.  

According to the reports by Citizen Lab, "In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked." 

"The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11." 

"We do not believe that KISMET works against iOS 14 and above, which includes new security protections. All iOS device owners should immediately update to the latest version of the operating system," the report further read.

Hackers Dropping Malware via Free WinZip Trial Popup Vulnerability

 

Researchers have discovered a critical security flaw in WinZip 24 that targets users with malware. WinZip trial popup vulnerability allows hackers to perform arbitrary code execution and DNS poisoning.
 
When WinZip displays prompt informing about the expiry of the free trial and sends requests for checking updates, it communicates in plaintext over HTTP instead of HTTPS; the vulnerability has been reported to exist in the way WinZip communicated with its servers, making it susceptible to exploits by malicious actors who delivered malware through the same. 

WinZip is free to download ZIP tool program that is used to compress and decompress files easily. It enables users to zip and unzip almost all file formats including zip, tar, rar, and etc. However, the tool is available online free for a trial period, and to continue availing its services fully, users need to purchase a license for which the tool checks software status for users over a period of time, repeatedly. Once it detects the trial period being expired, the software displays a prompt using the abovementioned way of communication: That is where the bug was found.
 
It was in between that attackers could intercept the traffic and intervene in the communicated text and added an infected WinZip version. Furthermore, the users' concerns are aggravated by the fact that the update request also contains personal data of the user such as 'registered username', 'registration code', and other required information for the processing of the request. This information could also be accessed by the attacker meddling with the trial popup.
 
"WinZip 24 opens pop-up windows time to time when running in Trial mode. Since the content of these popups is HTML with JavaScript that is also retrieved via HTTP, it makes manipulation of that content easy for a network adjacent attacker," as told by Researchers from Trustwave.
 
"The application sends out potentially sensitive information like the registered username, registration code and some other information in query string as a part of the update request. Since this is over an unencrypted channel this information is fully visible to the attacker."
 
"This means anyone on the same network as user running a vulnerable version of WinZip can use techniques like DNS poisoning to trick the application to fetch “update” files from malicious web server instead of legitimate WinZip update host. As a result, unsuspecting user can launch arbitrary code as if it is a valid update," the researchers further added.

Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”


A quick look into malwares that installs ransomware : Remove them form your system immediately

 

We recently looked into ways phishing mails are evolving, attackers getting creative by the day. But a new trend has taken up the dark web, and soon phishing campaigns for ransomware and malware will be a thing of the past. With the sources equable of a small government, malware gangs have started collaborating within themselves and have come up with "initial access brokers," what these groups do is provide ransomware and other groups with already infected systems.
Compromised systems through RDP endpoints, backdoored networking devices, and malware-infected computers install ransomware into the network, this makes the ransomware attacker work as swiftly as cutting into the cake. 

 There are currently three types of bookers that serve ransomware : 

Selling compromised RDP endpoints: These bookers carry a brute remote desktop protocol (RDP) into corporate systems, sold as "RDP Shops". Ransom groups often choose systems that are integrated well within the network.

Selling hacked networking devices: Hackers sell pre hacked devices exploiting publically known vulnerabilities or weak spots like firewalls, VPN servers or others. Access to these devices is auctioned off on dark web forums.

Selling computers pre-infected with malware: This is the most popular way ransomware is spread. Hacking gangs spread their malware bots into well-established systems and sell them to the highest bidder who further injects ransomware into the system. 

The best protection against these attacks is to prevent them from happening. The first two infiltrations can be fended off using strong passwords, security measures, and regular updates. The third means (malware) is a bit complicated as it uses human blunder and tricks to invade the device.

Following is a list of malware that if you find in your system, drop everything and fix them out for they are sure to inject ransomware in your network:

  •  Emotet (Emotet-Trickbot-Ryuk) 
  •  Trickbot (Ryuk - Conti)
  •  BazarLoader (Ryuk) 
  • QakBot (MegaCortex-ProLock-Egregor) 
  •  SDBBot (Clop)
  •  Dridex (BitPaymer-DoppelPaymer) 
  • Zloader (Egregor-Ryuk)
  •  Buer Loader (Ryuk)

Factories have become a major target for malware attacks

In the third quarter, the industry was attacked by various hacker groups - including RTM and TinyScouts, as well as ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware program conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a Bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt”. 

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that one of the weakest links in the information security chain is still a person. "There are examples when an operator of a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system.. And how many "trusted laptops” were there that employees brought from a business trip", concluded Tikhonova.

The expert believes that the danger of using Internet of things devices (IoT) is that it is problematic for advanced engineers to determine the fact of compromise. Target systems are assembled from a fairly large number of devices, and it is almost impossible to monitor and respond to possible security events and threats without additional solutions and human resources.

ESET has revealed a new series of Lazarus attacks

Experts of the antivirus company ESET have discovered a series of attacks, behind which is one of the most famous North Korean groups, Lazarus. The hackers targeted users of government and banking websites in South Korea. The cybercriminals used an unusual mechanism to deliver the malware, disguising themselves as stolen security software and digital certificates.

The spread of the Lazarus virus was facilitated by the fact that South Korean Internet users are often asked to install additional security programs when visiting government websites or Internet banking websites, explained the head of the investigation, Anton Cherepanov.

"The WIZVERA VeraPort integration installation program is widespread in South Korea. After installation, users can download the necessary software for a specific website. This scheme is usually used by the South Korean government and banking websites. For some of these sites, the presence of WIZVERA VeraPort is mandatory,” said Mr. Cherepanov.

Attackers used illegally obtained code signing certificates to inject malware samples. And one of these certificates was issued to a firm specializing in security - the American branch of a South Korean security company.

"Hackers disguised Lazarus malware samples as legitimate programs. These samples have the same file names, icons and resources as legitimate South Korean software," said Peter Kalnai, who was involved in the investigation of the attack.

ESET's analysis once again demonstrated the non-standard nature of the methods of intrusion, encryption and configuration of the network infrastructure, which has become the business card of Lazarus hackers.

It is worth noting that on November 13, Microsoft representatives reported that, according to their data, in recent months, three APT groups attacked at least seven companies engaged in COVID-19 research and vaccine development. The Russian-speaking group Strontium (Fancy Bear, APT28, and so on), as well as North Korean Zinc (Lazarus) and Cerium, are blamed for these attacks.

Hacker group Zinc (aka Lazarus) mainly relied on targeted phishing campaigns, sending potential victims emails with fictitious job descriptions and posing as recruiters.

Jupyter Trojan Steals Chrome Firefox Data and Opens Backdoor

Researchers at Morphisec has recently discovered a trojan malware campaign targeted at stealing information from businesses and higher education. Reportedly, the malware named Jupyter has been used by Russian speaking hackers to gather data from various software. 

Primarily targeting Google Chrome, Mozilla Firefox, and Chromium code in itself, Jupyter's attack chain, delivery, and loader demonstrate additional capabilities such as a C2 client, execution of PowerShell scripts and commands, hollowing shellcode into legitimate windows configuration applications, for full backdoor functionality. 

The infostealer's attack begins with a zip file containing an installer which typically impersonates legitimate software like Docx2Rtf. When the installer is executed, a .NET C2 client is inserted into memory. Jupyter loader has a well-defined protocol, persistence modules, and versioning matrix, it furthers with downloading the next stage, a PowerShell command to execute the Jupyter injected in memory earlier. Now using the commonalities between both the .Net components an end-to-end framework is developed for the implementation of the Jupyter infostealer as both have similar code, obfuscation, and unique UID implementation. 
 
As per the analysis published by Morphisec, "Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” 
 
"Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them," read the report. 

Over the last 6 months, these installers have given exceptional results at bypassing security scanning controls, some among these installers even maintained 0 detections in VirusTotal.

Multiple versions of Jupyter were traced back to Russia and the planet name was noticeably misspelled from Russian to English, as per the Morphisec researchers who also found out the same image on Russian-language forums upon running a reverse Google Image search of the C2 admin panel image, concluding that the attack has Russian origins. 
 
"This is the first version seen in the wild of the infostealer stealing information (autocomplete, cookies, and passwords) only from Chrome browsers," said researchers. 

"This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection." The researchers further added.

Cyber Attacks in India At A Steady Rise as Per India's Cybersecurity Chief

 

National Cyber Security Coordinator Lt Gen (retd) Rajesh Pant recently discussed cyberattacks in India 'having gone up a multifold' in the current environment and alluded to 'China' as a "major challenge" from a cybersecurity perspective for India.

"In such unprecedented times, you mentioned two Cs the challenge of corona and the challenge of cyber. Actually, at the perch which I sit, there are 3 Cs. The third 'C' of course is on our northern border, which is another challenge that we are facing”, Pant said at an event coordinated by the largest private sector lender HDFC Bank. 

He had assumed control over the role of India's cybersecurity chief, later added that almost consistently, 4 lakh malwares are found and 375 cyber-attacks are witnessed. 

Apart from falling prey to voice call-based frauds, individuals ought to likewise be cautious about the click-baits, which are conveyed to extract data from an internet user. 

"This disease of just clicking on the link, this is another reason where the malware drops,” he stated, requesting everyone to contemplate the ongoing cases of frauds at City Union Bank where an individual entered the core banking system through a simple click, and furthermore the ones at Bangladesh Bank and Cosmos Bank. 

"The issue is some of us get unaware and that's how problems start occurring. It's a question of being conscious all the time, not a question of not knowing," said chief risk officer of HDFC Bank Jimmy Tata, as HDFC Bank launched the 'Mooh Bandh Rakho' campaign with the Bank authorities stating that the objective is to zero in on the youth, to spread awareness through different mediums, including more than 1,000 secure banking workshops and furthermore even a rap-song.

Pant had likewise before called for setting up a dedicated industry forum for cybersecurity to develop trusted indigenous solutions for check cyber-attacks. 

“Last year, our official figures were Rs 1.25 lakh crore lost due to cybercrimes in India. Ransomware attacks are increasing every day and these criminals have been working from home. They have no qualms. They are heartless people. They are attacking hospitals because they know in an emergency hospital will pay,” Pant had said at an event organized by industry body Ficci.

Government in Australia issues Clop Ransomware warning to Healthcare Organizations

 

The Australian Cyber Security Center has issued a security alert for the health sector to check their barriers and defenses against potential ransomware attacks especially the Clop Ransomware that uses SDBBot Remote Access Tool (RAT).
The ACSC (Australian Cyber Security Center) wrote that they, "observed increased targeting activity against the Australian Health sector by actors using the SDBBot Remote Access Tool (RAT)." 

 The SDBBot RAT is almost exclusively used by the TA505 group, their attack technique follows phishing and spam email campaigns to infect malware but from 2019, they started using SDBBot payload as a remote way to access systems. 

 ACSC further mentioned, "SDBBot is comprised of 3 components. An installer that establishes persistence, a loader that downloads additional components, and the RAT itself. "Once installed, malicious actors will use SDBBot to move laterally within a network and exfiltrate data. SDBBot is [also] a known precursor of the Clop ransomware"

 As the Australian Government says, SDBBot is also known as a precursor of the Clop Ransomware, which in recent months have become one of the most lethal ransomware, researchers also call it "big-game hunting ransomware" or "human-operated ransomware." 

 The Clop ransomware group keep their eye on the big picture, they first choose to widen their access to a maximum number of systems, till then they hold back their playload, and only when they have reached the maximum or the whole network will they manually deploy the ransomware. This way, the organization has no way to stop the infection midway and the payout is huge in a hundred thousand dollars and if the victim fails to pay the ransom, all their data is leaked on the malware's "leak website". 

Other countries like the UK and the US also predict a potential attack by Ryuke or Trickbot and issues a similar warning some weeks back. Australian Cyber Security Centre (ACSC) also warned Australian companies in October about Emotet malware, which is used contemporaneity with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote. With the new alert, companies need to be very diligent in their protection and testing mechanism in order to prevent themselves from an attack.