Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new macOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by the Vietnamese hacking group OceanLotus, also known as APT32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty.

The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, the corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the group have focused on maritime construction companies. Notably, OceanLotus also made headlines for distributing malware through apps on Google Play as well as through malicious websites.

Researchers found the macOS backdoor bundled in a malicious Word document that was most likely delivered by email; there is no information yet on which targets the campaign is focusing on. To set the attack in motion, the victim is encouraged to open a Zip file that appears to be a Word document (it carries a Word icon). Opening the Zip file installs the app bundle inside it, which carries the malware; the bundle holds two files, a shell script and a Word file. The backdoor gives the attackers a window into the affected system and lets them steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," Trend Micro explained in a blog post.

In their analysis, the researchers wrote: “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”
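The two tricks the researchers describe, a folder carrying a document-like name and non-printing bytes hidden inside its extension, can be checked for before an archive is ever opened. The following Python script is an added example for this post, not code from Trend Micro or from this blog: it builds two small constructed archives in memory (three zero-width characters stand in for the unspecified bytes, and the script inside the folder is a placeholder) and audits every entry for characters that Finder or a terminal would not render, and for a top-level folder whose visible name ends in a document extension.

```python
import io
import re
import unicodedata
import zipfile

DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)$", re.IGNORECASE)

def build_folder_zip(folder_name: str) -> bytes:
    """Constructed archive: a folder whose name looks like a document, holding a
    placeholder shell script. Stand-in for the bundle the post describes, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(folder_name + "/run.sh", b"#!/bin/sh\necho placeholder\n")
    return buf.getvalue()

def build_file_zip(file_name: str) -> bytes:
    """Constructed archive holding a single ordinary file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(file_name, b"placeholder document body")
    return buf.getvalue()

# Assumption for the demo: three zero-width format characters stand in for the
# "three unexpected bytes" Trend Micro saw between '.' and 'doc'.
HIDDEN = "\u200b\u200c\u200d"
SPOOFED_ZIP = build_folder_zip("ALL tim nha Chi Ngoc Canada." + HIDDEN + "doc")
CLEAN_ZIP = build_file_zip("ALL tim nha Chi Ngoc Canada.docx")

def hidden_chars(name: str) -> list:
    """Characters Finder or a terminal would not render: Unicode categories
    Cc (control), Cf (format, e.g. zero-width), Co, Cs and Cn."""
    return [ch for ch in name if unicodedata.category(ch).startswith("C")]

def visible_name(name: str) -> str:
    """The name as a user would see it, with the hidden characters dropped."""
    return "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))

def audit_zip(data: bytes) -> dict:
    """Map each suspicious top-level item in the archive to what was found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            top = info.filename.split("/")[0]      # the item the user sees after extraction
            shown = visible_name(top)
            reasons = set()
            if hidden_chars(top):
                reasons.add("hidden characters in name")
            if "/" in info.filename and DOC_EXT.search(shown):
                reasons.add("folder named like a document")
            if reasons:
                entry = findings.setdefault(top, {
                    "shown_as": shown,
                    "hidden": [f"U+{ord(c):04X}" for c in hidden_chars(top)],
                    "reasons": set(),
                })
                entry["reasons"] |= reasons
    return findings

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("spoofed", SPOOFED_ZIP)):
        print(label, audit_zip(blob))
```

The check runs on the archive's central directory, so it never extracts anything; a mail gateway or endpoint agent can apply the same two tests to any attachment that claims to be a document.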


A quick look into malware that installs ransomware: remove it from your system immediately

 

We recently looked into the ways phishing mails are evolving, with attackers getting more creative by the day. But a new trend has taken hold on the dark web, and soon phishing campaigns for ransomware and malware will be a thing of the past. With resources comparable to those of a small government, malware gangs have started collaborating among themselves and have come up with "initial access brokers": groups that supply ransomware operators and others with already-infected systems.
Systems compromised through RDP endpoints, backdoored networking devices, and malware-infected computers are handed over so that ransomware can be installed on the network, which makes the ransomware operator's work as easy as cutting a cake.

There are currently three types of brokers that serve ransomware operators:

Selling compromised RDP endpoints: These brokers brute-force Remote Desktop Protocol (RDP) access to corporate systems and sell it through "RDP shops". Ransomware groups often choose systems that are well integrated within a network.

Selling hacked networking devices: Hackers sell pre-hacked devices, such as firewalls and VPN servers, compromised through publicly known vulnerabilities or other weak spots. Access to these devices is auctioned off on dark web forums.

Selling computers pre-infected with malware: This is the most popular way ransomware is spread. Hacking gangs spread their malware bots into well-established systems and sell the access to the highest bidder, who then deploys ransomware on the system.

The best protection against these attacks is to prevent them from happening in the first place. The first two forms of infiltration can be fended off with strong passwords, security measures, and regular updates. The third (malware) is more complicated, as it relies on human error and trickery to get onto the device.

Following is a list of malware families that, if found on your system, should make you drop everything and remove them, because they are known to bring ransomware into your network:

  • Emotet (Emotet-Trickbot-Ryuk)
  • Trickbot (Ryuk - Conti)
  • BazarLoader (Ryuk)
  • QakBot (MegaCortex-ProLock-Egregor)
  • SDBBot (Clop)
  • Dridex (BitPaymer-DoppelPaymer)
  • Zloader (Egregor-Ryuk)
  • Buer Loader (Ryuk)

Factories have become a major target for malware attacks

In the third quarter, industrial companies were attacked by various hacker groups, including RTM and TinyScouts, as well as by ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a Bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt".

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that one of the weakest links in the information security chain is still the human being. "There are examples when an operator at a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system. And how many 'trusted laptops' were there that employees brought back from a business trip," concluded Tikhonova.

The expert also believes that the danger of using Internet of Things (IoT) devices is that even experienced engineers find it hard to establish whether a device has been compromised. Target systems are assembled from a fairly large number of devices, and it is almost impossible to monitor and respond to possible security events and threats without additional solutions and human resources.

ESET has revealed a new series of Lazarus attacks

Experts at the antivirus company ESET have discovered a series of attacks attributed to one of the most notorious North Korean groups, Lazarus. The hackers targeted users of government and banking websites in South Korea. The cybercriminals used an unusual mechanism to deliver the malware, disguising it as security software and signing it with stolen digital certificates.

The spread of the Lazarus virus was facilitated by the fact that South Korean Internet users are often asked to install additional security programs when visiting government websites or Internet banking websites, explained the head of the investigation, Anton Cherepanov.

"The WIZVERA VeraPort integration installation program is widespread in South Korea. After installation, users can download the necessary software for a specific website. This scheme is usually used by the South Korean government and banking websites. For some of these sites, the presence of WIZVERA VeraPort is mandatory,” said Mr. Cherepanov.

The attackers used illegally obtained code-signing certificates to sign the malware samples. One of these certificates had been issued to a firm specializing in security, the American branch of a South Korean security company.

"Hackers disguised Lazarus malware samples as legitimate programs. These samples have the same file names, icons and resources as legitimate South Korean software," said Peter Kalnai, who was involved in the investigation of the attack.

ESET's analysis once again demonstrated the unconventional methods of intrusion, encryption and network infrastructure configuration that have become the hallmark of the Lazarus hackers.

It is worth noting that on November 13, Microsoft representatives reported that, according to their data, in recent months, three APT groups attacked at least seven companies engaged in COVID-19 research and vaccine development. The Russian-speaking group Strontium (Fancy Bear, APT28, and so on), as well as North Korean Zinc (Lazarus) and Cerium, are blamed for these attacks.

Hacker group Zinc (aka Lazarus) mainly relied on targeted phishing campaigns, sending potential victims emails with fictitious job descriptions and posing as recruiters.

Jupyter Trojan Steals Chrome Firefox Data and Opens Backdoor

Researchers at Morphisec have recently discovered a trojan malware campaign aimed at stealing information from businesses and higher education. Reportedly, the malware, named Jupyter, has been used by Russian-speaking hackers to gather data from various software.

Primarily targeting Google Chrome, Mozilla Firefox, and other Chromium-based browsers, Jupyter's attack chain, delivery, and loader demonstrate additional capabilities, such as a C2 client, execution of PowerShell scripts and commands, and hollowing shellcode into legitimate Windows configuration applications, giving it full backdoor functionality.

The infostealer's attack begins with a zip file containing an installer that typically impersonates legitimate software such as Docx2Rtf. When the installer is executed, a .NET C2 client is injected into memory. The Jupyter loader has a well-defined protocol, persistence modules, and a versioning matrix; it then downloads the next stage, a PowerShell command that executes the Jupyter payload injected into memory earlier. Both .NET components share code, obfuscation, and the same unique-UID implementation, and together they form an end-to-end framework for the Jupyter infostealer.
 
As per the analysis published by Morphisec, "Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” 
 
"Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them," read the report. 

Over the last 6 months, these installers have given exceptional results at bypassing security scanning controls, some among these installers even maintained 0 detections in VirusTotal.

Multiple versions of Jupyter were traced back to Russia. The planet's name is noticeably misspelled in a way consistent with transliteration from Russian, and a reverse Google Image search of the C2 admin panel's image turned up the same picture on Russian-language forums, leading the Morphisec researchers to conclude that the attack has Russian origins.
 
"This is the first version seen in the wild of the infostealer stealing information (autocomplete, cookies, and passwords) only from Chrome browsers," said researchers. 

"This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection," the researchers added.

Cyber Attacks in India At A Steady Rise as Per India's Cybersecurity Chief

 

National Cyber Security Coordinator Lt Gen (retd) Rajesh Pant recently discussed cyberattacks in India 'having gone up a multifold' in the current environment and alluded to 'China' as a "major challenge" from a cybersecurity perspective for India.

"In such unprecedented times, you mentioned two Cs the challenge of corona and the challenge of cyber. Actually, at the perch which I sit, there are 3 Cs. The third 'C' of course is on our northern border, which is another challenge that we are facing”, Pant said at an event coordinated by the largest private sector lender HDFC Bank. 

Pant, who took over the role of India's cybersecurity chief, added that on an almost constant basis around 4 lakh malware samples are found and 375 cyberattacks are witnessed.

Apart from falling prey to voice-call-based frauds, individuals should also be wary of click-bait, which is used to extract data from internet users.

"This disease of just clicking on the link, this is another reason where the malware drops," he stated, asking everyone to consider the recent cases of fraud at City Union Bank, where an individual entered the core banking system through a simple click, and those at Bangladesh Bank and Cosmos Bank.

"The issue is some of us get unaware and that's how problems start occurring. It's a question of being conscious all the time, not a question of not knowing," said Jimmy Tata, chief risk officer of HDFC Bank, as the bank launched its 'Mooh Bandh Rakho' campaign. Bank officials said the objective is to focus on the youth and spread awareness through different media, including more than 1,000 secure-banking workshops and even a rap song.

Pant had also earlier called for setting up a dedicated industry forum for cybersecurity to develop trusted indigenous solutions to check cyberattacks.

“Last year, our official figures were Rs 1.25 lakh crore lost due to cybercrimes in India. Ransomware attacks are increasing every day and these criminals have been working from home. They have no qualms. They are heartless people. They are attacking hospitals because they know in an emergency hospital will pay,” Pant had said at an event organized by industry body Ficci.

Government in Australia issues Clop Ransomware warning to Healthcare Organizations

 

The Australian Cyber Security Centre has issued a security alert for the health sector to review its defenses against potential ransomware attacks, especially Clop ransomware, which uses the SDBBot Remote Access Tool (RAT).
The ACSC (Australian Cyber Security Centre) wrote that it had "observed increased targeting activity against the Australian Health sector by actors using the SDBBot Remote Access Tool (RAT)."

The SDBBot RAT is used almost exclusively by the TA505 group. The group's usual technique is to infect victims through phishing and spam email campaigns, but since 2019 it has used the SDBBot payload to gain remote access to systems.

ACSC further mentioned: "SDBBot is comprised of 3 components. An installer that establishes persistence, a loader that downloads additional components, and the RAT itself. Once installed, malicious actors will use SDBBot to move laterally within a network and exfiltrate data. SDBBot is [also] a known precursor of the Clop ransomware."

As the Australian government says, SDBBot is a known precursor of Clop ransomware, which in recent months has become one of the most damaging ransomware families; researchers also call this kind of operation "big-game hunting ransomware" or "human-operated ransomware."

The Clop ransomware group keeps its eye on the big picture: the operators first widen their access to as many systems as possible, holding back the payload until then, and only when they have reached the maximum number of systems, or the whole network, do they manually deploy the ransomware. This way the organization has no way to stop the infection midway, the payout is huge, in the hundreds of thousands of dollars, and if the victim fails to pay the ransom, all of its data is published on the gang's "leak website".

Other countries, such as the UK and the US, have also predicted potential attacks by Ryuk or Trickbot and issued similar warnings some weeks ago. The Australian Cyber Security Centre (ACSC) also warned Australian companies in October about the Emotet malware, which is used in tandem with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote. With the new alert, companies need to be very diligent about their protection and testing mechanisms in order to prevent an attack.

Katana: New Variant of Mirai Botnet Posing Serious Threat?




A new variant of the Mirai botnet, Katana, was recently identified by the Avira Protection Lab. The botnet is still under development, but it already has various advanced capabilities, such as fast replication, secure C&C, layer 7 DDoS, and different encryption keys for each source. Katana has actively exploited security flaws in GPON, Linksys and D-Link routers to infect hundreds of devices.

The IoT botnet Mirai has continually evolved since its source code was made publicly available in 2017. A threat report published by Avira Protection Labs depicts this continuous evolution by highlighting how easily newer versions of Mirai can be sold, bought, or sourced through YouTube channels, enabling amateur threat actors to build malicious botnets, which has increased the number of attacks. Furthermore, Katana is equipped with several classic features of the parent botnet, Mirai, including running a single instance and using a random process name. It can also edit and manipulate the watchdog to stop the device from restarting.
 

What is Mirai and how does it work? 

 
Mirai is a malicious program that replicates itself and therefore is also known as a 'self-propagating' worm. It does so by searching and infecting vulnerable IoT devices. Altogether, Mirai is constructed upon two modules; one being a replication module and the other one being an attack module. As the affected devices are managed and directed by a central set of command and control (C&C) servers, it is also regarded as a botnet. 
 
In one of their recent campaigns, attackers were seen downloading Sora, a variant of Mirai, from their server while exploiting a vBulletin pre-auth RCE vulnerability. In another incident, a hacker was observed adapting the Mirai source code to launch his own variants, named Scarface and Demon, which were later used together with YARN and DVR exploits.

Giving insights on the matter, Alexander Vukcevic, Director of Avira Protection Labs, said: "Katana contains several features of Mirai. These include running a single instance, a random process name, editing the watchdog to prevent the device from restarting, and DDoS commands." He added: "The problem with new Mirai variants like Katana is that they are offered on the DarkNet or via regular sites like YouTube, allowing inexperienced cybercriminals to create their botnets."

US Security Department Issues Warning of Potential Trickbot and Malware Attacks to Health Department

 

US healthcare providers have been alerted by the Department of Homeland Security to be wary of Trickbot and ransomware attacks.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the US Department of Health and Human Services issued a warning of an "imminent cybercrime threat to US hospitals and healthcare providers" from Trickbot and ransomware infections.

Already burdened by the coronavirus, the US health sector now faces another cybersecurity threat from Trickbot, one of the largest botnets worldwide, and Ryuk ransomware, a lethal and savage piece of malware in its own right. Microsoft took legal action against Trickbot earlier this month.

Earlier, Trickbot was a banking trojan attacking users via web fakes (redirecting the user to a fake web page built by the attackers instead of the genuine banking page, capturing the user's login and other credentials) and via web injects (injecting malicious content into the legitimate website the user is trying to access). Now, with a million infections, Trickbot has evolved into a full-fledged malware platform.

 "As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling," CISA said in the alert. 

Anchor_DNS lets the malware tunnel its traffic through DNS instead of using the protocol legitimately, bypassing network security defenses and evading detection.
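One way defenders look for this kind of DNS tunnelling is to profile query names per registered domain. The Python below is an added example written for this post, not a CISA tool or a Trickbot artifact: it runs a simple heuristic (many distinct, long, high-entropy subdomains under one domain) over a constructed set of resolver log lines. The domain `tunnel-example.test`, the client addresses and the thresholds are all invented for the demonstration, and the two-label definition of a registered domain is a simplification.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver queries, one "<client> <qname>" per line.
# Not real telemetry: the six long names imitate what a tunnel produces,
# random-looking labels under a single registered domain.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 cdn.example.net
10.0.0.9 ks7f2mz0a1c9vq4l8hbx3e6n.tunnel-example.test
10.0.0.9 p0q8w3er5t1y7u2i6o4a9s.tunnel-example.test
10.0.0.9 d5f9g1h3j7k2l8z4x6c0v1b3.tunnel-example.test
10.0.0.9 n2m4b6v8c0x1z3a5s7d9f1g3.tunnel-example.test
10.0.0.9 q1w2e3r4t5y6u7i8o9p0a1s2.tunnel-example.test
10.0.0.9 zx9cv8bn7m6a5sd4f3g2h1j0.tunnel-example.test
10.0.0.7 www.example.net
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data scores high, ordinary host names score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_qname(qname: str) -> tuple:
    """Split a query name into (registered domain, subdomain part).
    Assumption: the registered domain is the last two labels; production code
    would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_tunnel_candidates(log_text: str, min_unique: int = 5,
                           min_avg_len: int = 20, min_avg_entropy: float = 3.5) -> dict:
    """Group queries by registered domain and flag domains that receive many
    distinct, long, high-entropy subdomains: the footprint of data being encoded
    into query names. Returns {domain: summary}."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                                   # skip malformed lines
        client, qname = parts
        domain, sub = split_qname(qname)
        if sub:
            per_domain[domain].append((client, sub))
    hits = {}
    for domain, queries in per_domain.items():
        subs = {sub for _, sub in queries}
        if len(subs) < min_unique:
            continue                                   # too few names to judge
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            hits[domain] = {
                "unique_subdomains": len(subs),
                "avg_sub_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "clients": sorted({c for c, _ in queries}),
            }
    return hits

if __name__ == "__main__":
    for domain, info in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnel: {domain} {info}")
```

Thresholds need tuning per environment: CDNs and some anti-spam services legitimately generate long hashed labels, so in practice the flagged domains are reviewed against an allow-list before anyone acts on them.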

Other countries, such as the UK and Australia, have also predicted potential attacks by Ryuk or Trickbot. The Australian Cyber Security Centre (ACSC) warned Australian companies about the Emotet malware, which is used in tandem with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote in a warning.

Enel Group attacked by Netwalker, demanding a whopping $14 million

 

The energy company Enel Group has once again been hit by malware, the second time this year. The Netwalker ransomware gang has demanded a ransom of 14 million dollars for the decryption key and for not releasing the stolen data.
Enel Group is an Italian multinational power company operating in 30 countries, working in electricity generation and distribution as well as in natural gas distribution. With revenue of $90 billion, it ranks 87th in the Fortune Global 500.

Earlier this year, in June, Enel Group was attacked by the Snake ransomware, also known as EKANS, but that attack was caught in time and was not successful. This time, Netwalker not only successfully encrypted the power company's systems but also leaked its data on the gang's website.

Enel Group has still not confirmed the attack, but BleepingComputer was able to confirm it, as the data posted by Netwalker contains information on Enel employees.

The attackers wrote to Enel Group, "Hello Enel. Don't be afraid to write us.", and still the power company maintained its silence. As is the norm when the victim does not engage with the hackers, the ransom doubled, and Enel Group's ransom now stands at a whopping 14 million dollars.

Netwalker claims to have stolen 5 terabytes of data, and today the gang published Enel Group's data on its data leak site. This was bound to happen, since Enel Group neither engaged with the hackers nor showed any sign of acknowledging the attack. Now Netwalker is pressuring the energy company into meeting its demands as it leaks the data and threatens (in its own words) to "analyze every file for interesting things" to be leaked further on the dark web.

Enel Group had better have an ace up its sleeve, or a very good hacker, to get its data back.

Emotet Returns: Here's a Quick Look into new 'Windows Update' attachment

 

Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. At present, the malware is highly active as its developers continue to evolve their strategies, devising more sophisticated tricks and advancements. Recently, it has been noticed to be delivering several malware payloads and is also one of the most active and largest sources of malspam as of now. 
 
The operators behind Emotet send spam emails to unsuspecting victims to trick them into downloading the malware; the botnet has started to use a new malicious attachment that falsely claims to be a message from Windows Update asking victims to upgrade Microsoft Word. The attack begins with a spam email to the victim containing either a download link or a Word document; when the victim clicks 'Enable Content' to let the macros run, the Emotet trojan gets installed. In previous malspam campaigns, the lures used by the criminals claimed to be from Office 365 and Windows 10 Mobile.
 

How does the malware work?

 
Once installed, the malware tries to burrow into the victim's system and acquire personal information and sensitive data. Emotet has worm-like capabilities that help it spread to other connected PCs. With add-ons to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware families, targeting governments as well as the private sector.

The malware keeps changing the way it delivers these malicious attachments, as well as their appearance, to stay ahead of security tools. The subject lines used in a particular malspam campaign are replaced with new ones, the text in the body gets changed, and lastly the file attachment type and its content are revised from time to time.
 
Emotet malware has continuously evolved to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. After a short break, the malware made a comeback with full swing on October 14th and has started a new malspam routine. 
 
Originally discovered as a simple banking trojan, Emotet's roots date back to 2014, when it attempted to steal banking credentials from compromised machines. As per recent reports, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.

IBM discovers a new banking malware attached to Video Conferencing apps like Zoom

 

Researchers at IBM have discovered a new malware campaign, Vizom, that hijacks bank accounts through remote overlay attacks.
Researchers Chen Nahman, Ofir Ozer, and Limor Kessem found that the new malware, which targets bank accounts in Brazil, uses unusual tricks and tactics to stay hidden and attack devices, namely overlays and DLL hijacking.

It spreads via spam phishing and pretends to be video conferencing software, which is much in use in these times.

Once on the device, Vizom drops its files into the AppData directory and sets up DLL hijacking.

The malware plants its own DLL under a name that looks legitimate, Cmmlib.dll, a file associated with Zoom, and thereby tricks the computer into loading the malware together with the video conferencing app.

The malware then installs another payload, a Remote Access Trojan (RAT), which makes remote access and overlays possible.

 "To make sure that the malicious code is executed from "Cmmlib.dll," the malware's author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address -- the malicious code's address space," the researchers say. 
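That export-table trick leaves a measurable footprint: a legitimate library spreads its entry points across different addresses, while a drop-in replacement that funnels every exported name into one block of code does not. The Python below is an added example for this post, not IBM's tooling or Vizom code: it builds two tiny constructed PE32+ images in memory (the export names `FuncA` to `FuncC` and their RVAs are made up, and nothing in them is Zoom's real Cmmlib.dll), walks the export directory the way a triage script would for a real DLL on disk, and flags the image whose named exports all resolve to the same address.

```python
import struct

def build_sample_dll(exports: dict) -> bytes:
    """Build a minimal PE32+ DLL image in memory whose export directory maps each
    name in `exports` to the RVA given for it. Constructed fixture, not a real DLL."""
    names = sorted(exports)
    n = len(names)
    sec_rva, sec_raw = 0x1000, 0x200                  # one section at RVA 0x1000, file offset 0x200
    funcs_rva = sec_rva + 40                           # tables follow the 40-byte export directory
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_ptrs = bytearray(b"sample.dll\0"), []
    for name in names:
        name_ptrs.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n,
                                 funcs_rva, names_rva, ords_rva))
    body += b"".join(struct.pack("<I", exports[name]) for name in names)  # AddressOfFunctions
    body += b"".join(struct.pack("<I", ptr) for ptr in name_ptrs)          # AddressOfNames
    body += b"".join(struct.pack("<H", i) for i in range(n))               # AddressOfNameOrdinals
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)        # x64, 1 section, DLL
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, len(body), 0, 0,
                      sec_rva, 0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000,
                      0x200, 0, 2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", sec_rva, len(body)) + b"\0" * (8 * 15)       # entry 0 = exports
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, sec_raw, sec_raw,
                       0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + dirs + sect
    return headers.ljust(sec_raw, b"\0") + bytes(body).ljust(sec_raw, b"\0")

def _rva_to_off(sections, rva: int) -> int:
    """Translate an RVA to a file offset using the section table."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} outside all sections")

def parse_exports(image: bytes) -> dict:
    """Return {export_name: function_rva} from a PE file's export directory."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dir_off = {0x10B: 96, 0x20B: 112}[magic]           # PE32 vs PE32+ data-directory offset
    export_rva = struct.unpack_from("<I", image, opt + dir_off)[0]
    if not export_rva:
        return {}                                      # no export table at all
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    ed = _rva_to_off(sections, export_rva)
    n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIII", image, ed + 24)
    funcs, names, ords = (_rva_to_off(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    out = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
        name_off = _rva_to_off(sections, name_rva)
        name = image[name_off:image.index(b"\0", name_off)].decode("ascii", "replace")
        out[name] = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
    return out

def export_table_is_suspicious(exports: dict, min_exports: int = 2) -> bool:
    """Flag a DLL whose named exports all resolve to one address, the pattern the
    IBM researchers describe: every forwarded name lands in the same code."""
    return len(exports) >= min_exports and len(set(exports.values())) == 1

if __name__ == "__main__":
    spoof = build_sample_dll({"FuncA": 0x3000, "FuncB": 0x3000, "FuncC": 0x3000})
    legit = build_sample_dll({"FuncA": 0x3000, "FuncB": 0x3040, "FuncC": 0x3080})
    for label, img in (("spoofed", spoof), ("legit", legit)):
        print(label, parse_exports(img), "suspicious" if export_table_is_suspicious(parse_exports(img)) else "ok")
```

On a real endpoint the same parser would be pointed at the DLLs found next to an application's executable, since a planted library that shadows a legitimate one is exactly what this hijack relies on; a hash mismatch against the vendor's signed copy is the stronger signal, and the export heuristic catches the case where no known-good copy is available to compare.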

While on the system, Vizom waits for a banking inquiry or search in the browser. When such a banking website is accessed, the attackers hijack the system remotely via the RAT. Through the RAT, Vizom can abuse Windows API functions to move the mouse cursor, take screenshots, initiate keyboard input, and emulate clicks.

 "The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade making it the top offender in the region," IBM says. "At this time, Vizom focuses on large Brazilian banks, however, the same tactics are known to be used against users across South America and has already been observed targeting banks in Europe as well."

Haldiram attacked by ransomware, attackers demand USD 7,50,000 ransom

 

Haldiram Foods was attacked by ransomware that encrypted all of its files, data, applications, and systems, and the attackers demanded a ransom of USD 7,50,000 to decrypt the data and restore access.
The complaint was filed on July 17 of this year, but an FIR was registered by the cyber cell only on October 14, making it the second recent case with such a delay by the cyber cell.

According to the FIR, on July 12 at 1:30 am the first problem was noticed with the server as some of the dispatch orders were held up.

The company's servers were hacked and encrypted by malware and the hackers left the message that all their files, data, applications, and systems have been encrypted and demanded a ransom of USD 7,50,000 to decrypt the data and system and to delete all the stolen data from their end.

 “That on receipt of the aforesaid information, senior manager (IT) Ashok Kumar Mohanty informed Aziz Khan, DGM (IT) to resolve the issue. However, on accessing the servers of the company, Mr. Aziz Khan, found out that all the servers of the company had been hacked and hit by a cyber-attack/malware popularly called as a Ransomware Attack. Upon becoming aware of the attack, officials reached the corporate office of the company situated at C-31, Sector-62, Noida at about 02:30 am to analyze the situation and resolve the same. 

“That thus, in order re-analyze and confirm the problem with the servers and to find a resolution, officials decided to call another IT official who consequently accessed the firewall program on the company’s servers and found some traffic generating from servers, showing the following IP addresses i.e. 192.168.0.152 and 192.168.0.154. 7. The officials of the company found out that some program was being executed on the aforementioned servers and all the data of the company was being diverted from and going out from the servers of the company. Therefore, the said program was immediately terminated by the officials along with the connectivity to all systems at branch locations of the company. However, it is apprehended that till the said disconnection was undertaken by the officials, maybe the entire or substantial data may have already been stolen from the servers. Thus, it is evident that the accused persons unauthorizedly entered the servers with intent to commit the offense of theft and extortion, thereby committing the offense of criminal trespass,” reads the FIR lodged under IPC sections 384 (extortion), 420 (cheating), and section 66 of the IT Act.

The company's DGM (IT) and the complainant in this case, Aziz Khan, said that the complaint was filed with the cyber cell in July, but the FIR was registered two months later, by which time they had resolved the issue internally and recovered their data.

 “We had given a complaint to the cyber cell in July itself but an FIR was lodged only after multiple rounds that too, two months later. We have restored all our data internally,” said Aziz Khan, DGM (IT).

Iranian Hackers Are Using Thanos Ransomware To Attack Organizations In the Middle East and South Africa

 

Cybersecurity experts have found evidence linking recent attacks to the Thanos ransomware, which is used by Iranian state-sponsored hackers. Researchers from ClearSky and Profero investigated prominent Israeli organizations and found cyberattacks linked to an Iranian state-sponsored hacking group named "Muddywater." The experts noticed two repeating tactics in these attacks. First, the group uses malicious PDF and Excel files that fetch malware from the hackers' servers when the victim downloads and opens them. Second, Muddywater scans the internet for unpatched Microsoft Exchange email servers.

It exploits the vulnerability CVE-2020-0688, plants web shells on the servers, and again delivers the same malware after the files are downloaded and installed. According to ClearSky, however, the second piece of malware is not a common, everyday one but a unique strain whose activity had been noticed only once before. This PowerShell threat, called "Powgoop," was discovered last month by the experts. Palo Alto Networks says that the Thanos malware was installed using Powgoop. In addition, Thanos (also known as Hakbit) has been delivered by other malware strains, such as "GuLoader," which is coded in Visual Basic 6.0, unlike most other strains.

"On July 6 and July 9, 2020, we observed files associated with an attack on two state-run organizations in the Middle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim transfer "20,000$" into a specified Bitcoin wallet to restore the files on the system," says the Palo Alto report. 

According to ClearSky, the attacks were stopped before the hackers could cause any damage; however, given the earlier episodes, the company is now on alert. Experts at ClearSky believe that MuddyWater uses Thanos ransomware to disguise its attacks and intrusions. They say, "We assess that the group is attempting to employ destructive attacks via attacks disguised as ransomware attacks. Although we didn't see the execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor."

Ryuk Ransomware Making Comeback with New Tools and Techniques

 

By 2019, Ryuk ransomware had gained notoriety in the sphere of cybercrime. It has been on the rise both in reach and complexity as it demands multi-million-dollar ransoms from large organizations, local governments, and healthcare institutions. 
 
In one of their latest developments, the operators of the malware have paired it with a Trojan named ‘BazarLoader’, which is operated by the same threat group that is behind TrickBot. BazarLoader is equipped with advanced techniques to evade detection; its potential for long-term infection hints at a change the operators have brought to Ryuk’s plan of action. 
 
Ryuk is a well-planned, targeted ransomware that has been operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware; the criminals behind it largely focus on big companies in order to extract exorbitant ransoms. 
 
After gaining access, Ryuk is programmed to spread across network servers as files are exchanged between systems. The malware is circulated via malicious email attachments. Once it has gathered the important data from a given network, it lets the Ryuk operators acquire administrator credentials and access the harvested data; it does so by opening a shell back to the actors operating the threat. 
 
According to DFIR findings, a complete attack on a targeted network takes only 29 hours, from the initial spam email to the successful encryption of data. 
 
Threat actors behind ransomware attacks are rapidly evolving their attack vectors, with ransomware attacks surging 365 percent over the past year. Owing to its ever-expanding operations, Ryuk has joined the list of ransomware gangs operating their own data leak websites, where they publish the data of companies that refuse to pay the demanded amount. 
 
The malware keeps changing to become more and more sophisticated, leaving companies with little option but to pay the extortionate amounts. The threat has expanded beyond private organizations and has also been recorded targeting national services’ computers.

Kaspersky Lab detected a new threat to user data

Kaspersky Lab experts have discovered a targeted cyber espionage campaign in which attackers infect computers with malware that collects all recent documents on the victim's device, archives them, and sends them back to the attackers.

The UEFI firmware is loaded before the operating system and controls all processes at "early start". Using it, an attacker can gain full control over the computer: change memory or disk contents, or force the operating system to run a malicious file. Neither replacing the hard drive nor reinstalling the OS will get rid of it.

"This file is a bootloader, it communicates with the control server, collects all recent documents on the computer, archives them, and sends them back to the server. In fact, this is just espionage. Now there is information about two victims of the UEFI bootkit, as well as several victims of the campaign who encountered targeted phishing. All of them are diplomats or members of nonprofit organizations, and their activities are related to North Korea," commented Igor Kuznetsov, a leading anti-virus expert at Kaspersky Lab.

The experts also found that the components of the UEFI bootkit are based on Vector-EDK code, a framework created by the Hacking Team group that contains instructions for building a module to flash UEFI firmware. In 2015, as a result of a leak, these and other Hacking Team sources became freely available, which allowed attackers to create their own software.

"Be that as it may, we are dealing with a powerful, advanced tool for cyber attacks, far from every attacker can do this. However, with the appearance of ready-made working examples, there is a danger of reusing the technology, especially since the instructions for it can still be downloaded by anyone," added Kuznetsov.

Interestingly, five years ago Kaspersky Lab had already found similarly undetectable viruses: at that time, the control servers and traces of attacks of the Equation hacker group, which was associated with the American special services, were discovered.

'InterPlanetary Storm' Botnet Now Targeting MAC and IoT Devices


First discovered in 2019, the InterPlanetary Storm malware has resurfaced with a new variant targeting Mac and Android along with Windows and Linux machines, as per the findings by researchers at IT security firm, Barracuda Networks.

The malware is known as ‘InterPlanetary Storm’ because it makes use of the InterPlanetary File System (IPFS) peer-to-peer (p2p) network; using a legitimate p2p network makes it difficult to identify the malicious traffic because it is intermixed with legitimate traffic. The malware targets Windows machines and lets the attacker execute arbitrary PowerShell code on compromised systems.

“The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices,” the researchers noted.

Earlier versions of the InterPlanetary Storm malware that surfaced in May 2019 compromised Windows-based devices; by June 2019, the botnet could also infect Linux machines. The new versions, with added capabilities, attempt to infect machines via a dictionary attack, a form of brute-force attack that breaks into a password-protected system by systematically guessing passwords. The most recent version, detected in August, is configured to infect Macs along with IoT devices such as televisions running the Android OS, according to a report published on Thursday by Barracuda Networks.

In the report, Erez Turjeman, a researcher with Barracuda, says, "The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other [internet of things] devices.” "The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation," the report further notes.

"This allows infected nodes to communicate with each other directly or through other nodes (i.e., relays).”

The malware was found building a botnet that has infected approximately 13,000 devices in 84 different countries worldwide, including the U.S., Brazil, Europe, and Canada. However, the majority of targets were based in Asia, constituting a total of 64%. Infections found in South Korea, Taiwan, and Hong Kong amounted to a total of 59%. Russia and Ukraine contributed 8% of the total, and the United States and Canada 5%. China and Sweden accounted for 3% each.

WAP Fraud: Google Play Store Removes Android Apps Infected With Joker Malware



Google has now removed 17 infected Android apps from its Google Play Store. These apps contained the "Joker" malware, according to findings by experts at Zscaler. Joker is among the most effective malware families targeting Android applications.

The malware is infamous in the cybersecurity industry, but it keeps finding new ways into Google Play Store applications. Joker uses new code, execution techniques, and payload-retrieval methods to slip past Play Store checks. The malware is used for stealing personal chats, contact information, call logs, and device data. Joker also secretly subscribes users to premium WAP (Wireless Application Protocol) services.

The research team at Zscaler kept an eye on Joker and recently noticed that the malware was being uploaded continuously to the Google Play Store. It immediately informed Google about the issue, and Google removed the 17 WAP-fraud apps carrying Joker malware from the Play Store.

Joker is also known as Bread malware. These infected Android apps were uploaded last month to the Google Play Store; however, they couldn't do much damage. By the time the experts found these apps, users had downloaded them 120,000 times.

The 17 apps found with Joker malware are:
  1. All Good PDF Scanner 
  2. Hummingbird PDF Converter - Photo to PDF 
  3. Blue Scanner 
  4. Paper Doc Scanner 
  5. Part Message 
  6. Desire Translate 
  7. Talent Photo Editor - Blur focus 
  8. Care Message 
  9. Meticulous Scanner 
  10. Style Photo Collage 
  11. One Sentence Translator - Multifunctional Translator 
  12. Private SMS 
  13. Direct Messenger 
  14. Tangram App Lock 
  15. Unique Keyboard - Fancy Fonts and Free Emoticons 
  16. Mint Leaf Message-Your Private Message 
  17. All Good PDF Scanner 
Although the Play Store has disabled the apps, users who have downloaded them need to uninstall them manually. The malware uses a 'dropper' technique to avoid getting caught and sneak into the Google Play Store.

"We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps," say researchers from Zscaler.

A new Malware that can intercept your OTP and bypass Two Factor Authentication


For most of our accounts, be they bank accounts or social media accounts, we rely on two-factor authentication and OTPs (one-time passwords), thinking them the most trustworthy and impenetrable security. But we ought to think again, as a new Android malware, "Alien," with its remote access tool can steal 2FA codes and OTPs as well as sniff notifications.

Discovered by ThreatFabric, the Alien Trojan has been offered as Malware-as-a-Service (MaaS) on underground hacking forums. This is not the first malware to intercept OTPs: Cerberus (a malware family with similar code) has already been there and done that, but Google's security found a way to detect and clean devices of Cerberus. Inspired by and evolved from the same code, Alien has yet to be caught by security software.

With its remote access feature, Alien can not only seize passwords and login credentials but also grant hackers access to the device to use the stolen passwords. Alien can also perform the following tasks: 

  • Overlay on another App 
  • Steal 2FA and OTP 
  • Read Notifications 
  • Collect Geo-location data 
  • Forward Calls 
  • Install other Apps 
  • Steal Contacts 
  • Provide access to the device 
  • Log Keyboard Input 
  • Send Messages 

This set of capabilities makes the malware highly dangerous: an infected device is completely transparent to the hacker, and the whole package is offered as MaaS. The malware deploys TeamViewer and through it reads the device's screen and notifications and harvests OTPs and other data, giving the hacker full rein over your device to attempt fraud and steal money and data.

How is it Spreading? 

According to ThreatFabric, the malware is spreading via phishing emails and third-party applications. Researchers found that Alien carried fake login pages for 226 Android apps, some of them quite popular, such as Snapchat, Telegram, Facebook, Gmail, and WhatsApp. Many of them were banking and e-commerce apps, which is no surprise. These banking apps were from Spain, Germany, the US, Italy, France, Poland, Australia, and the UK.

CISA Released A New Advisory on LokiBot Trojan


LokiBot, a trojan-type malware first identified in 2015, is popular among cybercriminals as a means of creating a backdoor into compromised Windows systems, allowing the attacker to install additional payloads.

It is an information stealer that uses stealthy tricks to evade detection by security software and steal victims' personal data, including usernames, passwords, bank details, and the contents of cryptocurrency wallets, using a keylogger that monitors browser and desktop activity.

Recently, the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) observed a significant increase in malicious infections via LokiBot malware starting in July 2020. During this period, CISA's EINSTEIN intrusion detection system, responsible for protecting federal civilian executive branch networks, noticed continuous malicious LokiBot activity. Credited for being simple yet effective, the malware is often sent out as an infected email attachment or via malicious websites, texts, or personal messages, and it targets Windows and Android operating systems.

Although LokiBot has been in cyberspace for a while now, attackers still frequently use it to illicitly access sensitive information. In a recent attack carried out in July, 14 different campaigns distributing LokiBot payloads were launched by a group of threat actors known as 'RATicate'. In another malspam campaign, attackers were found distributing a LokiBot payload in a spear-phishing attack on a U.S.-based manufacturing organization.

“LokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients,” as per the alert issued on Tuesday.

Giving insights on the matter, Saryu Nayyar, CEO at Gurucul, said via email, "The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space."