Search This Blog

Showing posts with label malware. Show all posts

Golang: A Cryptomining Malware that Maybe Targetting Your PC


Cybersecurity experts at Barracuda Networks have discovered a unique kind of crypto mining malware called "Golang." The malware can attack Windows as well as Linux systems, according to the experts. This latest malware is targeting Monero cryptocurrency with the help of Xmrig, a popular miner. The number of attacks related to the malware may be relatively low, but the cybersecurity experts have discovered 7 IP addresses associated with this malware, all originating from China.


The experts also observed that the Golang malware's primary targets are non-HTTP features like MSSQL and Redis, app servers, web apps frameworks, whereas easy to attack targets like end-users are safe. If we look back into the issue, we will find that the earlier versions of Golang only affected the Linux systems; however, the present version targets Windows and the former. The attacks are carried out using various exploits such as IoT devices, Hadoop, Drupal, ElasticSearch, and Oracle Weblogic. For instance, in a recent malware attack in China, the malware used exploits that targeted ThinkPHP app frameworks widely used in the country.

According to the experts, the Golang malware is capable of evolving every day and using more exploits as each day passes by. Golang malware works by infiltrating the system, and once it does, it uses required files to complete the task. These may include downloaded update scripts, configuration files, scanner, and a miner. It all depends on the type of platform. Whereas, when attacking Windows, the hackers can use backdoors too. In recent times, more and more hackers have shifted towards using Golang as it can't be identified by anti-virus software.

The malware is infamous for targeting vulnerable servers, making it accessible among cybercriminals looking for vulnerabilities to exploit. The only way to be safe from this malware is to keep track of the CPU usage activity (when it goes unusually high) and observe any suspicious activity at the endpoints. Any threat, similar to the likes of Golang, can be avoided by vigilante inspections and immediate responses. Awareness about crypto mining threats is also a must.

Enel Group attacked by SNAKE ransomware same as Honda


The Enel Group, a power, and sustainability company were hit by EKANS (SNAKE) ransomware on June 7th affecting its internal network.


The company confirmed that their internal network was disrupted consequently had to isolate their corporate network segment but their security system caught the malware before it could infect and encrypt.
The EKANS (SNAKE) group was also responsible for a similar attack on Honda, a few days back.

The company recovered from the attack quite swiftly and all communication and network were restored the next day.

Though Enel didn't disclose which ransomware attacked them, security researchers are placing their bets on SNAKE. David Emm, a principal security researcher at Kaspersky, said: “While the company hasn’t confirmed which ransomware, there have been reports that it is SNAKE, which has been used in the past in targeted ransomware attacks. Nor is it clear how the attackers were able to gain a foothold in the company’s network.

 The spokesperson from Enel said, “The Enel Group informs that on Sunday evening there was a disruption on its internal IT network, following the detection, by the antivirus system, of ransomware."

 "As a precaution, the company temporarily isolated its corporate network in order to carry out all interventions aimed at eliminating any residual risk. The connections were restored safely on Monday early morning."

 “Enel informs that no critical issues have occurred concerning the remote control systems of its distribution assets and power plants, and that customer data have not been exposed to third parties. Temporary disruptions to customer care activities could have occurred for a limited time caused by the temporary blockage of the internal IT network.”

When SNAKE attacks and infects a system, it runs checks on domains and IP addresses to determine if it's working on the correct network, if not then the ransomware withdraws and doesn't perform encryption.

Oleg Kolesnikov, a threat researcher at Securonix Research Lab, Securonix says that SNAKE is different from its family of the virus in the way it uses "relatively high amount of manual effort/targeting typically involved in the operator placement activity, which can sometimes enable them to have a bigger impact on the victims."

Fake applications are replicating "TraceTogether," a Singapore Covid-19 contact tracing application


Recently, these counterfeit apps emerged on the internet, which alarmed the local authorities to warn the general public. A cybersecurity authority named "SingCert," which stands for the Singapore Computer Emergency Response Team, issued an advisory saying that cybercriminals have been copying contact tracing apps to spread malware as Singapore is currently on its way to move out from the lockdown phase. Hackers use these counterfeit apps and embed them with malware. Later, if successful, they can steal personal user data and monitor their device activity log, says the cybersecurity firm SingCert.


These fake apps use the same brand logo of the original contact tracing app TraceTogether, to prevent getting caught from the users or cyber authorities. However, the malware embedded in these apps is capable of stealing banking credentials and user data. As far as hacking incidents go, SingCert hasn't received any official user complaints of downloading any fake application. TraceTogether, a contact tracing app, detects people who may have come across in contact with any Covid-19 infected person. The app uses Bluetooth technology to trace these people and is very efficient in cases where the infected patient forgets the people he might have met, when or before he was diagnosed with the virus.

Anomali, a US-based cybersecurity firm, had recently on its blog post said that they had found at least 12 fake contact tracing applications that were used by hackers to spread malware and steal user information. Few of these apps behaved exactly like TraceTogether. Once the user downloads these apps, the apps self-install and download malware that is aimed to steal banking credentials. According to Anomali, these fake apps are not on official app distribution platforms like Google Playstore or iPhone's App store but rather are downloaded via 3rd party websites.

Meanwhile, SingCert has requested the users to install apps only from verified sources and cross-check their originality. It has also warned users to beware of applications that ask too many user access permissions. The users should read user reviews to make sure they have downloaded the right apps, and if the reviews are too poor, they should reconsider using that application. For users who have downloaded apps from 3rd party sources and websites, they should uninstall and run an anti-virus scan.

Largest ISP in Austria Hit by a Security Breach



The largest internet service provider in Austria was hit by a security breach this week, in the wake of enduring a malware infection in November 2019, following an informant's report.

A1 Telekom said that their security team identified the malware a month later; however, that expelling the infection was trickier than it was initially envisioned.

From December 2019 to May 2020, its security team had stood up to the malware's operators in endeavors to expel the entirety of their hidden backdoor components and kick out the intruders.

The Austrian ISP told a local blogger that the malware just infected computers on its office network, yet not its whole IT framework, which comprised of approximately more than 15,000 workstations, 12,000 servers, and a large number of applications.

In interviews with the Austrian press [1, 2, 3], A1 said that the multifaceted nature of its internal system kept the attacker from advancing toward various frameworks "because the thousands of databases and their relationships are by no means easy to understand for outsiders."

The attackers evidently assumed manual control for the malware and endeavored to extend this initial foothold on a couple of frameworks to the company's whole system.

A1 said the attacker figured out how to compromise a few databases and even ran database inquiries so as to become familiar with the company's interior system.

A1, which hadn't disclosed the nature of the malware, didn't state if the 'intruders' were 'financially-focused' cybercrime gang or a nation-state hacking group.

While A1 declined to remark on the informant's attribution. Christian Haschek, the Austrian blogger and security researcher who originally broke the story, said the informant asserted the hack was carried out by Gallium, a codename utilized by Microsoft to portray a Chinese nation-state hacking group specializing in hacking telecom providers across the world.


Gamaredon grows by targeting Microsoft Outlook and Office


ESET, an antivirus company has discovered that Gameradon has been growing fast by developing new tools that target Microsoft Office and Outlook.

Gameradon is an advanced persistent threat (APT) group, active since 2013 that mostly targets Ukrainian institutions. New tools have been attributed to the API, developing a module for Microsoft Outlook that creates mails and sends it to the victims or sends the mails from the victims' accounts to their contacts.

These emails contain malicious documents with macros and malware links. The hacker group runs macro scripts in Outlook by disabling protections and plants source files for spearfishing and rapidly spreading the malware to other systems.

 Gameradon uses a new method to target Outlook

Gameradon has been using an unusual way of attacking Outlook by a new package that contains Visual Basic for Applications (VBA) project (.OTM file) to target emails with macro scripts.

 “While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it,” says researchers at ESET.

The process of attack starts from disabling the Outlook process with a VBScript. Then this script removes further security that would restrict executing VBA macros in Outlook. The macro script stores the OTM file on the disk that spreads the malicious emails to the contact list.

 "These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents. We have seen this module implemented in two different languages: C# and VBScript" - ESET

Since the Outlook runs one VBA project at a time, the threat actors use the OTM file containing the VBA script in the email attachment. This VBA code can create emails fully efficient with a body, text, and the document containing malware.

Gamaredon's scripts, the researchers found relies and focus more on the speed of infection and development than quality as evident by mistakes found in source code and language.

Ransomwares evolving: Cybercriminals collaborating and auctioning data


Ransomware are soon becoming the most feared disease of cyber-world, started from simple encryption of the victim's computer and files, they have now evolved to stealing and selling data. But it's not limited to just that, now these stolen data will be auctioned off to the highest bidder if the ransom is not paid.


Sodinokibi/REvil group recently launched its auction website from its own blog. Their first debut was an auction of files retrieved (stolen) from a Canadian agriculture company whose ransom was not paid. The starting bid - $50,000 Monero cryptocurrency.

These auction websites are quite beneficial for these hackers, first by creating potential of monetization and second by putting additional pressure on the victims to pay up the ransom. Even governments and cybersecurity vendors spend millions for this kind of data, employing people to lurk the dark web for sensitive data on elite class. Now, they can directly buy this from these auction sites.

The REvil group was also rumored to sell files on pop singer Madonna which they hacked from entertainment law firm Grubman Shire Meiselas & Sacks.

Brett Callow, a threat analyst at Emsisoft says, “The auctions may be less about directly creating revenue than they are about upping the ante for future victims. Having their data published on an obscure site is bad enough, but the prospect of it being auctioned and sold to competitors or other criminal enterprises may chill companies to the bone and provide them with an additional incentive to meet the criminals’ demands.” 

He further thinks that soon other ransomware groups will follow REvil with their own auction schemes.

“REvil’s launch of [an] online auction was, in many ways, a logical and inevitable progression as ransomware groups constantly seek out new ways to monetize attacks and apply additional pressure to companies,” Callow said. “In the same way that other ransomware groups adopted [the Maze ransomware group’s] encrypt-and-exfiltrate strategy, it’s almost inevitable that other groups will also adopt REvil’s encrypt-exfiltrate-and-auction strategy.”

Joining Forces

Another tactic by these groups is joining forces, the idea of helping each other, and increasing their threat value. The infamous Maze ransomware has partnered with LockBit (not many financial details have been shared) and they even published LockBut's stolen data on their own data leak website.

Maze also announced that they are in talks with another ransomware group and may collaborate with a third ransomware operation.

The First Ransomware Attack and the Ripples It Sent Forward In Time


What was once a simple piece of malware discovered just 20 years ago this month exhibited its capacity which transformed the entire universe of cyber-security that we know of today?

Initially expected to just harvest the passwords of a couple of local internet providers, the malware, dubbed as 'LoveBug' spread far and wide, infecting more than 45 million devices to turn into the first piece of malware to truly take businesses offline.

LoveBug was the shift of malware from a constrained exposure to mass demolition. 45 million compromised devices daily could rise to 45 million daily payments.

Be that as it may, eleven years before anybody had known about LoveBug, the IT industry saw the first-ever main case of ransomware, as AIDS Trojan. AIDS Trojan which spread through infected floppy disks sent to HIV specialists as a feature of a knowledge-sharing activity.

The 'lovechild' of LoveBug and AIDS Trojan was the ransomware that followed, with GPCoder and Archievus hitting organizations around the globe through which the hackers additionally bridled ecommerce sites to discover better ways to receive payments.

The protection industry responded by taking necessary steps with 'good actors' cooperating to decipher the encryption code on which Archievus depended, and sharing it broadly to assist victim with abstaining from paying any ransom.

From that point forward the 'cat and mouse' game has proceeded with viruses like CryptoLocker, CryptoDefense, and CryptoLocker2.0 constructing new attack strategies, and the protection industry executing new defenses. Presently ransomware has become increasingly sophisticated and progressively prevalent as targets today are more averse to be individuals since large businesses can pay enormous sums of cash.

And yet, data protection has become progressively sophisticated as well, with certain four areas that should now be a part of each business' ransomware strategy: protect, detect, respond, and recover. Social engineering and phishing are also presently becoming progressively central to the success of a ransomware attack.

The LoveBug was effective in a scattergun fashion, yet at the same time depended on social engineering.

Had individuals been less disposed to open an email with the subject line ‘I love you', the spread of the malware would have been 'far more limited'.

Nevertheless, the users presently ought to be more alert of the increasingly diverse threats in light of the fact that inexorably, hackers are expanding their threats data exfiltration or public exposure on the off chance that they feel that leaking data may be progressively 'persuasive' for their targets.

Thus so as to react to the issue, it's essential to have backup copies of data and to comprehend the nature and estimation of the information that may have been undermined in any way.

Github Escapes from Octopus Malware that Affected its 26 Software Projects


Github, a platform where every malicious software report is equally different in its place, manages to escape from a malware threat.  Github, an organization that united the world's largest community of coders and software developers, revealed that hackers exploited an open-source platform on its website to distribute malware. The hackers used a unique hacking tool that enabled backdoors in each software project, which the hackers used to infiltrate the software systems.


"While we have seen many cases where the software supply chain was compromised by hijacking developer credentials or typosquatting popular package names, a malware that abuses the build process and its resulting artifacts to spread is both interesting and concerning for multiple reasons," said Github on its security blog. Fortunately, the hackers attempt to exploit the open-source platform was unsuccessful. Still, if it were, on the contrary, hackers could've secured a position in the softwares, which were to be used later by corporate applications and other websites.

Since recent times, open-source websites have become a primary target for hackers. It is because once the hackers exploit backdoor vulnerabilities on open-source platforms, thousands of apps are exposed to remote code execution. As for Github, the company's website currently has more than 10 Million users. In the Github incident, 26 software projects were infected through malicious codes, which is a severe warning for the potential threat of the open-source compromises. The experts have identified the malware as "Octopus Scanner," which is capable of stealing data by deploying remote access codes.

The malware spread with the help of projects using software called Apache Beans, tells Github. "On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself," says Github on its blog. These attacks can be highly threatening as the tactics used here gives the hackers access to various systems.

The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations' Networks


Another notorious crypto-currency mining malware has surfaced which allegedly has been infecting the systems of countless organizations. The group with the control of operations goes by the code name of “Blue Mockingbird”.

The researchers who discovered it have reasons to believe that the Blue Mockingbird has been active since 2019’s last month. Per them, it also targets “public-facing servers” that run “ASP.NET” apps that use the “Telerik framework” for their User Interface (UI) aspect.

Reportedly, the vulnerability that the hackers exploit in the process is the “CVE-2019-18395” vulnerability which is then employed to embed a web shell on the target’s server. Per the same report, later on they employ a version of “the Juicy Potato technique” to obtain the admin-access and alter the server settings to get access to the “(re)boot persistence”.

After having obtained complete access to a system, sources mention, the malware group installs a version of XMRRig which is a famous crypto-currency mining application particularly for the “Monero (XMR)” crypto-currency.

As per reports, if the public-facing IIS servers are linked with a company’s internal network, the malware group has a probability of trying to expand internally through an improperly-secured Server Message Block (SMB) connections or Remote Desktop Protocol ((RDP).

The exact number of infections that the botnet has caused isn’t all too clear but if an estimate was to be made the operations include 1,000 infections at the least. There also doesn’t seem to be a way to find the intensity of the threat.

Not many organizations out of the ones that were being observed by the researchers have been hit with this particular threat. And over a really little amount of time that they were tracked the above-mentioned number of infections surfaced.

Nevertheless, all companies alike are susceptible to this attack, even the ones that think they are safe and the number of infections could be more than estimated.

As per sources, the Telerik UI component which is allegedly vulnerable is a part of ASP.NET applications that run on their latest versions, even then the Telerik component may have versions that are out-dated but harmful to organizations, nonetheless. This component could exist in the applications used by a company and they might not even know about it leaving them endangered.

The Telerik UI CVE-2019-18935 vulnerability, per reports, has been widely let known as the one that is employed to embed web shells on servers. Another mentioned that this vulnerability is the most exploited and organizations need to better their firewalls to fight it. If for some reason the organizations don’t happen to have a web firewall they could always look for warning precursors in the server and workstation, reports cite.

ProLock Ransomware Operators Join Hands with QakBot Trojan to Infect Victims' Networks


'Human-operated ransomware' has been on a rise with the emergence of ProLock in the month of March, the new ransomware came as a successor to 'PwndLocker', another variant of malware targeting all the major industries from finance, retail to healthcare and governmental organizations as well. Notably, in late April, the attack targeting the largest ATM provider in the United States, Diebold Nixdorf was the first major attack carried by ProLock where the attackers only compromised the company's corporate network while their ATMs and customer networks were left untouched, according to the media reports.

In order to acquire access to targets' networks, ProLock has joined hands with financial malware primarily targeting businesses, QakBot. Since its initial online fraud attacks, the banking trojan has constantly evolved to specialize in SOCKS proxy, anti-research capabilities and to effectively steal victims' online banking credentials. The malware has been upgraded so much so that one of its present variants can even incapacitate securing software functioning at the endpoints. Interestingly, the assistance of QakBot that distinguishes the malware from other ransomware operators further strengthens the operations of ProLock as it helps the malware with credential dumping and anti-detection techniques.

ProLock makes use of RDP and QakBot to set the attack into motion, it assists the threat actors in evading detection and with persistence. Researchers told QBot specializes in bypassing detection as it is programmed to check out for its latest version and replace its current version with the newest one. Meanwhile, in order to acquire persistence in the network, the attackers use authentic accounts for RDP. RDP allows the malware to move laterally across networks and accumulate data, which later is exfiltrated through a command-line tool. Side by side, the files are being encrypted by ProLock that adds a .proLock, .pr0Lock or .proL0ck extension to all the encrypted files and leaves a ransom note demanding a ransom in turn for their data. However, as of now, ProLock doesn't have a website to publish victims' stolen data in case they are denied ransom.

“ProLock uses many similar techniques as other ransomware operators to achieve their goals,” said Oleg Skulkin, senior digital forensics analyst at Group-IB in a recent analysis. “At the same time, however, the group does have its own unique approach. With more and more cybercrime groups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in deploying different ransomware families, so we’ll likely see more overlaps in tactics, techniques, and procedures.”

Sophos found the group abusing NSIS installers and deploying remote access tools (RATs)


Security Researchers at Sophos have found the hacking group that hacked industrial companies using NSIS installers in order to deploy remote access tools (RATs) and info- stealing malwares.


The hacking group was "RATicate's" which has been targeting companies from Europe, the Middle East, and the Republic of Korea in not one but five campaigns between November 2019 and January 2020. But Sophos researchers suspect that this group was behind other past attacks too.

These targeted companies were from the industrial sector, particularly companies focused on manufacturing to investment firms and internet companies. Namely,

  • "an electrical equipment manufacturer in Romania; 
  •  a Kuwaiti construction services and engineering company;
  •  a Korean internet company; 
  • a Korean investment firm;
  • a British building supply manufacturer; 
  • a Korean medical news publication; 
  • Korean telecommunications and electrical cable manufacturer; 
  • a Swiss publishing equipment manufacturer; 
  • a Japanese courier and transportation company." 
( as reported by bleeping computer in their blog)

 Two Infection Chains 

The hackers used two infection chains to infect the computers by using phishing emails to deploy payloads but with a small difference.

  •  The first chain had ZIP, UDF, and IMG attachments carrying NSIS (Nullsoft Scriptable Install System) installers. 
  •  The second chain had XLS and RTF docs that downloaded the payload from a remote server to the user's machine. 
"We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks," Sophos reports.

NSIS installers hid the dropped malware by spamming and dropping junk files like images, source code files, shell scripts, and Python binaries.

"During the analysis of the samples we collected—conducted both manually and with the aid of sandboxing tools—we found several different families of RATs and info stealers," Sophos explains. "These included Lokibot, Betabot, Formbook, and AgentTesla. But all of them followed the same multi-stage unpacking process when executed."

 One Actor-Multiple Campaign 

Sophos found that this group RATicate was the key player behind five sequential campaigns between November 2019 and January 2020 using similar payloads and commands.

 The security researchers "found that some of the different payloads from each campaign (mostly Betabot, Lokibot, AgentTesla, and Formbook) shared the same C&C," suggesting the same threat group.

"There was also a distinct clustering of the campaign timelines—there was never any overlap between them, suggesting that they were operated serially by the same threat actors."


"Some of the infrastructures were also shared across multiple campaigns, which also suggests the same actor was involved across all of them," states Sophos.

Now, the RATicates have found a new lure and payload - using COVID-19 to trick people into installing malwares in their systems.

Researchers Monitor Rise Of An Infostealer Dubbed As ‘Poulight’ That Most Likely Has A Russian Origin


In times where info-stealer is progressively becoming one of the most common threats, the Infostealer market has thus risen as one of the most lucrative for cyber crooks, for the data gathered from infected frameworks could be 'resold' in the cybercrime underground or utilized for credential stuffing attacks.

This class of malware is said to incorporate many well-known malware like Azorult, Tesla, and Hawkeye.

Recently over the two months, Researchers from Cybaze-Yoroi ZLab observed the evolution and the diffusion of an info stealer dubbed as Poulight that most probably has a Russian origin. First spotted by MalwareBytes specialists in middle March and indicators of compromise have been as of now shared among the security community.

The vindictive code has propelled further stealing capabilities and continues to evolve. 

Hash                                8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95
Threat                              Poulight Stealer
Brief Description             Poulight Stealer
Ssdeep                       1536:GJv5McKmdnrc4TXNGx1vZD8qlCGrUZ5Bx5M9D7wOHUN4ZKNJH:                                               GJeunoMXNQC+E5B/MuO0Ogt

Above is the sample information / Technical Analysis

Like a large portion of the malware of this particular family, it is created from a builder accessible to cyber-criminal groups that offer a 'subscription plan' for its "product". The outcome is a .NET executable:

Static information about the binary file

A quirk of this sample is that it doesn't have a minimal indication of obscurity; the analysis is very simple to depict the malware abilities/capabilities. When the malware is propelled, it plays out a classical evasion technique (as shown in Fig.3):

Figure 3: Evasion Technique

This implemented evasion technique is one of the most exemplary ones, where, through the utilization of Windows Management Instrumentation (WMI) by executing the inquiry "Select * from Win32_ComputerSystem". Specifically, along these lines, a few checks of the most relevant tracks of virtualization are given, as:
• “vmware”
• “VIRTUAL”
 • “VirtualBox”
• “sbiedll.dll” (Sandboxie)
• “snxhk.dll” (Avast sandbox)
• “SxIn.dll” (Avast sandbox)
• “Sf2.dll” (Avast Sandbox”)

These checks are additionally recorded from the Al-Khaser or Pafish tools which are planned to be a test suite to distinguish malware analysis environments and intended to test the strength of the sandboxes. At that point, the malware can continue with the infection beginning giving rise to another threat called "Starter".

Figure 4: Loader module of the malware

The "Starter" class contains the routine to load the segments of the malware. Prior to that, there is the initialization of certain directories and files utilized to store the accumulated data from the victim machine. This activity is performed by the primary instruction "global:: Buffer.Start()", the method is very simple and easy: a series of folders were created within Windows Special folders (AppData, Local AppData, Personal, Desktop) along these lines:

Figure 5: Creation of folders in the Windows Special Folders

From that point forward, the malware extracts the configuration document and its parameters from the asset named "String0", a Base64 encoded string and through the following strategy they are then decoded:

Figure 6: Routine to extract the configuration file

The primary data tag "prog.params" is quickly recovered in the instruction "HandlerParams.Start()" which can be seen in Figure 4. Presently, a check of a previous infection is performed before beginning another one. The instruction "AntiReplaySender.CheckReplayStart()" (in figure 4) is assigned.

Figure 7: Check of a previous infection

The malware attempts to discover the id of the mutex. In the event that the file is available, the malware doesn't execute itself some other time, else it composes this empty document to sign the infection is begun. From that point forward, it transforms into the real vindictive main contained inside the "XS" class, as seen in figure 4. The primary bit of the code is the following:


Figure 8: Initialization of the mail module 
The first instruction is "Information.Start()" where all the data about the hardware and software of the host is collected along these lines:
Figure 9: Routine for retrieving the configuration of the victim machine

It is clearly evident that the malware utilizes both English and Russian dialects to log the data assembled. From that point onward, the stealer turns to count and log all the active processes inside the operative system.

Figure 10: Routine to extract the process list

Now as seen in figure 8, a 'check' on the third parameter is performed. On the off chance that it is equivalent to one; the "clippers" module is executed.

Figure 11: Routine to decode and execute an embedded component

As show in the above figure, this code can decode a component contained inside the "clbase" tag with the AES key stored within the "update" tag. Be that as it may, in the particular configuration there is no "clbase" field, so we don't have any other component to install. The last instruction seen in Figure 8 is "CBoard.Start", which works in the following way:

Figure 12: Routine to steal clipboard data

The subsequent stage is to accumulate all the sensitive data on the victim machine:

Figure 14: Detail of the stealing modules

The malware steals an immense amount of data:
  • Desktop Snapshot 
  • Sensitive Documents 
  • Webcam snapshot 
  • Filezilla credentials 
  • Pidgin credentials 
  • Discord Credentials 
  • Telegram 
  • Skype 
  • Steam 
  • Crypto Currencies 
  • Chrome chronology  
The most fascinating part is that the module "DFiles" instructed to steal sensitive documents. It begins with looking through the records with one of the accompanying extensions:

Figure 15: Routine to search the documents with specific extensions
Within the gathered files, the malware searches for the classic keywords showing that the content of the files conserves some valuable accreditations. The keywords are the accompanying:

Figure 16: List of keywords searched within the documents

Then the malware proceeds to gather all the data inside a unique data structure and sends it to the C2 retrieved in another resource named "connect":

Figure 17: Routine to upload to the C2 the stolen information

At long last, it downloads and executes various components from the Internet. The parameters are recovered similarly observed in the past segment: a tag named "file" contains the component to download.
Figure 18: Routine to download other components from the Internet
Thus there is no doubt in the fact that Poulight stealer has a mind-boggling potential to steal delicate data and it ought not to be disregarded that later on, it may supplant other info stealers like Agent Tesla, remcos, etc.

In any case, the limitation of the embed is the absence of code obfuscation and data protection, however, this could be clarified due to the fact that, possibly, the malware is in its early stages of development.

Since now that the attackers likely will enhance these features, therefore, being aware of them is the best step forward for the users now. RN

Fileless Malware Attacks and How To Fight Them!



It has been crystal clear over these years with the increase in a number of cyber-attacks of an equally unique kind making it almost impossible for the out-dated or conventional security mechanisms to intercept and fight.

As if a single one-of-a-kind cyber-attack tool wasn’t enough, the threat actors now are laden with polymorphic tactics up their sleeves. Per sources, an entirely new version of a threat could be created every time after infection.

After "polymorphism" became apparent, the vendors as per reports engineered “generic signatures” had numerous variants in them. But the cyber-cons always managed to slip in a new kind.

This is when the malware authors came up with a concept of fileless attacking. They fabricated malware that didn’t need files to infect their targets and yet caused equal damage.

Per sources, the most common fileless attacks use applications, software, or authorized protocol that already exists on the target device. The first step is a user-initiated action, followed by getting access to the target’s device memory which has been infected by now. Here the malicious code is injected via the exploitation of Windows tools like Windows Management Instrumentation and PowerShell.

Per reports, the Modus Operandi of a fileless attack is as follows:
It begins with a spam message which doesn’t look suspicious at all and when the unaware user clicks on the link in it they are redirected to a malicious website.
The website kicks-off the Adobe Flash.
That initiates the PowerShell and Flash employs the command line to send it instructions and this takes place inside the target device’s memory.
The instructions are such that one of them launches a connection with a command and control server and helps download the malicious PowerShell script which ferrets down sensitive data and information only to exfiltrate it later.
Researchers note that as these attacks have absolutely nothing to do with stocking malicious files onto the target’s device, it becomes more difficult for security products to anticipate or perceive any such attack because they are evidently left with nothing to compare the attacks with. The fact that files less malware can hide from view in the legitimate tools and applications makes it all the worse.

Recently lots of fileless attacks surfaced and researchers were elbow deep in analyzing them. According to sources, some well-known corporate names that faced the attacks include, Equifax that had a data breach via a command injection vulnerability, the Union Crypto Trader faced a remote code execution in the memory, the version used was a 'trojanized' form a legitimate installer file and the U.S. Democratic National Committee faced two threat actors used a PowerShell backdoor to automatically launch malicious codes.

These attacks are obviously disconcerting and require a different kind of approach for their prediction or prevention. A conventional security system would never be the solution corporates and organizations need to stand against such attacks.

Per sources, the Network Detection and Response (NDR) seem to be a lucrative mechanism for detecting uncommon malicious activities. It doesn’t simply count on signatures but uses a combination of machine learning tactics to fetch out irregular network behaviors. It perceives what is normal in a particular system, then tries to comprehend what isn’t normal and alerts the overseers.

Researchers think an efficient NDR solution takes note of the entire surrounding of a device including what is in the network, cloud deployments, in the IoT sections and not to mention the data storage and email servers.

Per sources, NDR gradually works up to its highest efficiency. Its and its sensors’ deployment takes a considerable amount of time and monitoring. But the final results encompass enhanced productivity, decreased false alerts, and heightened security.

LeeHozer and Moobot Have The Same Attack Maneuvers?


Sharing has become a thing with cyber-criminals and their malware mechanisms. Reportedly, LeetHozer botnet was found to have similar attack tactics as that of the Mootbot malware family. Researchers have reasons to think that the party that created the Moobot also could be the ones who created the LeetHozer.

Per researchers, the LeetHozer botnet has been counting on other kinds of malware for a little bit of sharing here and there. Per sources, it has in the past used the loader and reporter system that the Mirai uses.

Apparently, despite using the same mechanisms as Mirai the LeetHoxer threat was a little different. According to researchers, other Mirai variations too were altered including the encryption procedure, the bot program, and the command and control protocol. The unique "string and downloader" too were revealed to be of the same kind as Mirai.

Per reports, the botnet was noticed when it was found to be manipulating a vulnerability in the “telenet service” of a device. It made use of the default password to get access to the device. Once the device got infected the LeetHozer sent the information of the device to its reporter mechanism which then got to the command and control server and then finally the instructions for the Denial-of-Service attack were received.

The history of various attacks has it that Moobot has been a part of quite a lot of attacks ever since it first surfaced last year. According to researchers, several threat actors have made use of it to exploit zero-day vulnerabilities. It was discovered by the researchers while it was manipulating a zero-day vulnerability in fiber routers, reports mention. It hence is needless to say that one of the major attack tactics of the Moobot is exploiting any zero-day flaw it could get it claws into.

There are numerous ways in which an organization can create a barricade against any such attacks. The cyber and technological security personnel could design a response plan and a contingency plan especially against DDoS attacks, the systems should be backed up at all times, and configuration could be done in a way that as soon as the network is attacked the back-up kicks in. Also, researchers suggest that Artificial Intelligence could prove to be a very lucrative solution for such problems.

Lucy: A File Encryption Android Malware that for Ransomware Operations


A malware that attacks Android smartphones has increased its Maas (malware-as-a-service) operations with file encryption capabilities to carry out ransomware attacks.


The malware, according to cybersecurity experts, is called "Lucy." The Lucy gang is a group of Russian hackers who became famous two years ago by launching the Black Rose Lucy service, a malware that allowed Botnet attacks on android smartphones.

According to Checkpoint Research, "Because the Android accessibility service can mimic a user's on-screen click, this is the crucial element for Black Rose to carry out malicious activities. Once the accessibility service is enabled, Black Rose can quickly shuffle through screens to grant itself device admin privileges." 

The Lucy service allows its users to attach files on vulnerable devices, which ask for $500 as a ransom in the browser window. The message says that it comes from the FBI, and the user must pay the ransom because he is found guilty of storing adult content on his android smartphone.

The FBI note here aims to frighten the victims into paying the ransom to hackers. The hackers demanding payment from their victims based on legal consequences is blackmail, as it is entirely unethical. The victims are blackmailed for storing pornographic content and visiting adult websites.

To make the ransom more serious and believing, the hackers say that they have the victim's photograph and location, which they have posted on the FBI's criminal investigation website. The ransom should be paid within three days of the notification, if not, the penalty triples, says the message warning.


It may sound strange, but the hackers don't demand cryptocurrency payments. Instead, they ask for credit card credentials, which is odd because, in most of the cases, the ransom is asked in terms of cryptocurrency as it is easy to cash in.

According to Check Point Research's 2010 data, "The Black Rose dropper family samples we acquired disguise either as an Android system upgrade or image files. Samples primarily leverage Android's accessibility service to install their payload without any user interaction and forge an interesting self-protection mechanism.

SeaChange, Video Delivery Software Solutions Provider Hit By Sodinokibi Ransomware


SeaChange, a leading supplier of video delivery software solutions has been attacked by the authors of Sodinokibi ransomware. Reportedly, the operators have published images of the data they claim to have obtained after encrypting the systems and are threatening the Waltham, Massachusets based company to leak the stolen data.

SeaChange International has offices in Poland and Brazil, it is a remotely managed video solution provider with around 50 million subscribers across the globe. BBC, DISH, COX, DNA, Quickline, RCN, and Starhub are a few names amongst their 200+ video provider customers.

The cybercriminals behind Sodinokibi ransomware have been actively involved in posting illegally obtained data of victims onto their leak website since 2019 and then demanding a ransom for the release of the same. Lately, attackers have increasingly employed this strategy of building pressure on non-paying victims and converting them into a paying one by releasing the stolen data bit by bit, starting from smaller parts.

In this particular case, the attackers created a webpage by the company's name and published the images of the allegedly stolen data on that page, it contained a screenshot of folders on one of the SeaChange's servers targeted by the attackers, a driver's license, insurance certificates and a cover letter for a proposal sent to Pentagon for video-on-demand service. However, the operators did not specify the ransom amount at that time.

While denying to provide further data, Sodinokibi operators said, "Thank you for your interest and your questions, but I really can't answer. We publish confidential information about companies if they ignore us for a long time or decide not to pay. Otherwise, we are not ready to share any information about them in their own interests, including share which companies we have encrypted, how much data we have stolen, etc."

BazarBackdoor: A Malware similar to Trickbot, targets Corporates


According to cybersecurity experts, a new phishing campaign is allowing malware backdoor entry. The malware which is said to be created by hacking group Trickbot will enable hackers to jeopardize and take control of an organization's network. It is a necessary measure to have a back door for hackers to gain entry access and control the company's network in sophisticated network attacks. It is required in the following cyberattacks- corporate espionage, data extraction attacks, specified ransomware attacks.


According to several reports, the attack was first discovered two weeks ago. The malware is called "BazarBackdoor" or simply "backdoor" by the cybersecurity experts. The malware serves as a tool kit for hackers to gain access to an enterprise's network. Trickbot is said to be the creator of this malware because of BazarBackdoor sharing similar coding, cryptos, and designs.

About BazarBackdoor 

The attacks first start in the form of phishing campaigns that try to lure victims through click baits like 'coronavirus relief funds,' 'customer complaints,' 'COVID reports' or merely a list of downsizing reports that are directly linked to google docs. The hackers, unlike other phishing campaigns, are using creative techniques to lure the users to different landing pages like fake customer complaints page or fake COVID fund relief page. The landing pages either pretend to be a PDF, Word, or Excel document, which can't be viewed appropriately. Hence, a link is provided to the users to view the document appropriately. When the users click the link, the documents get downloaded either in word or PDF format with a 'preview' title. Windows don't have a default file extension; therefore, the user thinks that these files are original. Thus, doing this enables the backdoor entry for the malware.

Attack linked to Trickbot 

According to cybersecurity experts, the malware targets explicitly companies and corporate enterprises. It is likely to be developed by the same hacking group responsible for creating another malware named Trickbot. Trickbot and BazarBackdoor share similar cryptos, and both use the same email patterns to launch their attacks. As a precaution, corporate companies are suggested to stay alert and ask their employees not to open any unknown link sent via email.

Maze Ransomware: What you need to know and How to protect from being hit by Maze!


Cognizant Technology Solutions Corp., an IT giant with 3000 employees was recently hit by a strain of sophisticated Windows Ransomware called Maze, encrypting its systems and threatening to make its data public if they don’t pay the supposed ransom.


This particular malware is proving to be quite lethal and is making headlines every week with their new victim. It has spread quite a disarray and chaos not only in the IT sector but even in other companies and firms which deal with sensitive user data. Maze, also known as “ChaCha Ransomware”, was first discovered in May 2019 and started attacking firms by encrypting files and blackmailing them by exposing their data to the public. It attacked Andrew Agencies in October then the city of Pensacola, US Insurance Company Chubb, the leading cable manufacturer Southwire Company (America), Medical Diagnostic Laboratories (MDLabs), Manitoba Law Firm (Canada) and now Cognizant.

How is it more Different and Lethal than other Ransomware? 

There have been other malware that encrypt files and demand ransom but what makes Maze more dangerous is that it encrypts the system and steal the data and export it to hackers or threaten to release it on their own website (yes, they have a website where they publish their new victim and their data) if the ransom is not paid thus it’s not just a malware attack but a fusion of ransomware attack and data breach.

So, the previous tactics like keeping backups and restoring backups and running again fail for Maze as they have your data and can use it maliciously.

How does it infect? 

This ransomware has been seen to use various ways to infect computers like emails, attachments, links, exploiting passwords, and even exploit kits like Fallout and Spelevo. After infiltrating the system it uses two different ciphers (RSA+ChaCha20) to encrypt files. When the file is successfully encrypted it adds more random extensions with 6-7 charts (For Example-“.rC0syGH”, “.DL1fZE”).

How to protect from Maze Ransomware?

Though Backups don’t do much with Maze, you should still deploy secure offsite backups, running up-to-date security measures and solutions and employee training in installing strong passwords and identifying unsecure and spam email attachments and files.

Most corporate use AppData to run the program and most malware like Maze, MedusaLocker, Sage exploit this and run files from here (AppData). Instead, if we install software from program files only administrators can install/copy files and since malware won’t have the license and permission, they won’t be able to run.

Even Chrome is installed into user AppData folder and when a user logs via AD into a computer, chrome gets installed in user AppData folder. Similarly, Microsoft Teams installs clients in AppData Local, instead, they should be installed from program files as then it would require admin Or user permissions and otherwise both chrome and Microsoft makes the system susceptible to malware.

Using software like “Ransomware Defender”, where AppData, User Profiles, and this kind of folders are blocked and blacklisted and provides for strong protection against ransomware like Maze.

Windows users can install ‘Ransomware Defender’ - Download from here:
https://www.cysecurity.co/ransom-defender-for-windows/

Linksys asks users to reset their smart wifi passwords after DNS routers were hacked


Linksys, a router developing firm asked its users to reset passwords to their smart wifi accounts after some of the accounts were hacked and illegally  accessed to direct users to a COVID-19 themed malware.



The reset took place after all accounts were locked in order to prevent further hacking on April 2nd. The hackers changed the home routers' DNS server settings and prevented users from accessing various domains like Amazon AWS, Disney or pornography. Instead, the users were directed to a webpage with a corona virus-themed app "that displays a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19."

The app was a fluke and it attached the Oski info-stealing malware into the system. The malware uses the victim's login credentials to access various services like cryptocurrency wallets.

Linksys told it's customers to reset their passwords when they login and a confusing message about " The COVID-19 Malware ".

Jen Wei Warren from Belkin's global PR veep Linksys parent firm, told The Register that "the original illicit access to customer routers through their cloud-hosted Smart Wi-Fi accounts was a successful credential-stuffing attempt using login details harvested from previous breaches elsewhere."

She said: "Multiple factors lead us to the conclusion that credentials were stolen elsewhere: the majority of authentication requests contained usernames that have never registered on our system. We checked email addresses with services like haveibeenpwned.com which indicate the list of credentials being attempted on our system are known to have been exposed previously."

She further added, "Multiple attempts were made using the same username but different passwords, which would not be necessary if our own systems were compromised." But refused to mention how many accounts were affected from this hacking.

The email sent to the customers read, "All Linksys Smart Wi-Fi accounts were locked at 8:00 pm PDT on April 2 because someone was logging in with email address and password combinations stolen from other websites.
Your account was not compromised, but out of an abundance of caution we locked it to prevent unauthorized access. You need to change your password to log back in – unless you have already done so since we locked it."

Android users may face hacker attacks under the guise of applications about coronavirus


Cybercriminals attack users of Android mobile devices using malicious applications disguised as legitimate information software about the new COVID-19 coronavirus infection. After installing the malicious app, the hacker gained control of the victim's Android device through access to calls, SMS, calendar, files, contacts, microphone, and camera.

Hackers continue to exploit people's fear of spreading the virus: malicious applications were found by experts on sites with domains associated with the coronavirus. Researchers have not yet discovered such applications on the Google Play Store.

Experts report that the apps were created using the Metasploit tool used for penetration testing. This software allows anyone with basic computer knowledge to create malicious applications in just 15 minutes: it’s enough to configure Metasploit for your goal, select the exploit and payload.

Such applications can easily gain control of the device. After launching on a device running on the Android operating system, the application hides the icon from the screen so that it is more difficult to detect and remove it.

Vasily Diaghilev, head of Check Point Software Technologies representative office in Russia and the CIS, says that in the current situation, the most alarming thing is how quickly and easily malicious applications can be created and reminds us of the need to follow the rules of digital hygiene.

Check Point researchers previously reported that more than 30,103 new coronavirus-related domains were registered in the past few weeks, of which 0.4% (131) were malicious and 9% (2,777) were suspicious. In total, since January 2020, more than 51 thousand domains associated with the coronavirus have been registered.