Search This Blog

Showing posts with label malware. Show all posts

Russia's APT29 is Actively Serving WellMess/WellMail Malware


A year ago, the United Kingdom, the USA, and Canada released a coordinated advisory, during the global pandemic, revealing a Russian espionage campaign targeting the vaccination research efforts of COVID-19 in their respective country. 

They have credited the operation to APT29 of Russia (The Dukes, Yttrium, and Cozy Bear) and have expressly designated it as a branch for the Foreign Intelligence Services of Russia (SVR). For the very first time, they officially connected the malware employed in the campaign with APT29 to WellMess and WellMail. 

RiskIQ has provided full information of the 30 servers which Russia's SVR-spy agency (aka APT29) has indeed been expected to utilize in its continued attempts to steal Western intellectual property. 

RiskIQ is a leading provider of Internet security information that provides the most comprehensive identification, intelligence, and mitigation of threats linked to the web presence of a company. RiskIQ offers businesses to have unified insight and control over Web, social and mobile exposures with over 75% of threats that originate outside firewalls. 

In 2018, the CERT in Japan recognized WellMess without mentioning targeting or involving a particular threat actor. Following the 2020 report by the Western Governments, RiskIQ's Team Atlas extended the campaign's familiar attacker footprint and identified more than a dozen additional control servers. 

The Atlas team of RiskIQ has now found yet another infrastructure that serves WellMess/WellMail effectively. Just a month earlier, the US and Russian chiefs of state conducted a summit in which the hostile cyber activities from Russia overtook the list of the key worries for President Biden. 

"Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup," said RiskIQ in a blog post. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples." 

SVR's campaigns against the West have been somewhat awkward, with replies ranging from silent alerts to explicit attribution — "they won't sodding well stop so we're telling you exactly what the naughty buggers have moved onto now" from a fed-up National Cyber Security Centre, in the United Kingdom. 

In November, the GCHQ branch also told national newspapers that perhaps the attempts of the SVR to enter into British research institutions were counteracted, suggesting that they deployed some type of encryption software (like ransomware without pay) against Russia.

Evidence Indicates Russia's SVR is Still Using 'WellMess' Malware, Despite US Warnings


President Joe Biden's appeal for Vladimir Putin to crack down on cyberattacks emanating from within Russia appears to have failed to persuade the Kremlin to give it up. 

In a report published Friday, RiskIQ stated it discovered ongoing hacking infrastructure that Western governments associated last summer to the Russian SVR intelligence agency-linked APT29 or Cozy Bear, which it utilized to obtain Covid-19 research data.

The malware, also known as WellMess or WellMail, led to official warnings in the United States, the United Kingdom, and Canada in July 2020. In April, the FBI urged companies to fix five known vulnerabilities that the SVR had exploited, according to US officials. 

RiskIQ detected three dozen command and control servers supplying WellMess which were under APT29 control, as per the firm. Following a US-Russia summit at which cyberattacks were discussed, the focus was on infrastructure. 

“The behaviour found was noteworthy considering the circumstances in which it emerged, following on the heels of President Biden's public condemnation of Russian hacking at a recent summit with President Putin,” stated RiskIQ's Team Atlas. 

Cozy Bear has not been openly accused of being involved in any recent ransomware operations, which were the focus of the White House's discussions with Russia. The organization has set itself apart by executing cyber-espionage against targets like the federal contractor SolarWinds and the Democratic National Committee. 

RiskIQ is perplexed as to how Russian agents are now utilizing the WellMess malware. The company stated, “Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are.” 

Biden has been urging Putin both personally and in public statements, to stop malicious cyber activities originating from Russia, notably ransomware assaults are believed to be conducted by criminal groups.

A phone call between the two men came after a series of high-profile ransomware attacks with suspected Russian roots, the most recent of which has affected hundreds of people as a result of an incident at the software company Kaseya. 

“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden stated reporters about the call. 

In a speech last week, Biden told intelligence officials that if the US finds itself in a “shooting war” with a significant foreign power, it will probably come in response to a cyber attack.

Wiper Malware Used in Attack Against Iranian Railway


The cyber-attack that crippled Iran's national railway system at the beginning of the month was caused by a disk-wiping malware strain called Meteor, not a ransomware attack, as per the research published by security firms Amnpardaz and SentinelOne. 

According to Reuters, the attack caused train services to be affected as well as the transport ministry's website to fall down. But the assault wasn't simply meant to cause havoc. A number for travelers to contact for further information about the difficulties was also put into displays at train stations by the attackers. 

As per Juan Andres Guerrero-Saade, Principal Threat Researcher at SentinelOne, this is the first time this malware has been used and also stated Meteor is yet to be linked to a previously identified group. 

Meteor malware: A part of a well-planned attack

The Meteor wiper was precisely one of three components of a broader malware arsenal placed on the systems of the Iranian railway computers on July 9, according to the firm's research. 

The attacks, which SentinelOne tracked under the codename of MeteorExpress, and led to trains being canceled or delayed across Iran, involved: 
1.Meteor – malware that wiped the infected computer’s filesystem. 
2.A file named mssetup.exe that played the role of an old-school screen locker to lock the user out of their PC. 
3.And a file named nti.exe that rewrote the victim computer’s master boot record (MBR). 

Although Guerrero-Saade did not state how or where the attack began, he did mention that once inside a network, the attackers utilized group policies to deploy their malware, deleted shadow volume copies to stop data recovery, and disconnected infected hosts from their local domain controller, to avoid sysadmins from quickly fixing infected systems. 

Infected computers' filesystems were deleted after the attack, and their displays flashed a message instructing victims to contact a phone number associated with Supreme Leader Ayatollah Ali Khamenei's office, all as a prank from the attackers' perspective. 

The MeteorExpress campaign and wiper assaults appeared to be a witty prank directed at Iranian government officials, the malware employed was not. Meteor and all of the other MeteorExpress elements comprised "a bizarre amalgam of custom code," according to Guerrero-Saade, that combined open-source components with old software and custom-written parts that were "rife with sanity checks, error checking, and redundancy in accomplishing its goals." 

The Meteor code included some of the same features as the screen-locking component or the adjacent deployment batch scripts. The SentinelOne researcher stated, “Even their batch scripts include extensive error checking, a feature seldom encountered with deployment scripts.” 

While certain sections of the malware looked to have been developed by a skilled and professional developer, Guerrero-Saade also notes that the MeteorExpress attack's irregular nature indicates the malware and the overall operation were cobbled together in a hurry by several teams.

SentinelOne stated it's unknown if Meteor was put together especially for this operation or if we'll see the malware strain in a different form in the future because it was assembled just six months before the attack on the Iranian railway system.

XAMPP Hosts are Employed to Distribute Agent Tesla


RiskIQ's research team has evaluated the familiar fingerprints campaign in dangerous infrastructure from famous malware families. Their examination of Agent Tesla infrastructure leads them to discover the employment of web solution stack installations for XAMPP Web Server. They examine these identified campaigns using their Internet Intelligence Graph. 

The most recent investigation depicts a new insight into the ecosystem of Agent Tesla, the TTP its operatives utilize, and how RiskIQ users potentially can use the XAMPP web component to identify hosts that transmit malware and investigate other possibly harmful infrastructures. 

XAMPP is an open-source web server solution stack package produced by Apache Friends, composed primarily of Apache HTTP Server, MariaDB database, and script interpreters created in the PHP and Perl programming languages. XAMPP is a free server solution stack. As the majority of current web server operations employ the same components as XAMPP, it makes it feasible to move from a local test server to a live server. 

Neither the XAMPP is malevolent nor the hosts employing XAMPPA are always hostile. Everything which makes XAMPP useful for developers also provides an excellent tool for actors who threaten them and some malicious sites are using XAMPP to disseminate malware. 

The web component of XAMPP obtained by the Internet Intelligence Graph of RiskIQ demonstrates that there are numerous XAMPP Internet-faced servers despite developing XAMPP without an internet connection. 

For their March 2021 post about, Exploring Agent Tesla infrastructure, researchers first detected the use of XAMPP for malware propagation during the analysis of the Agent Tesla infrastructure. The Agent Tesla infrastructure, with the same MariaDB, Apache, and PHP Web service stack, was then detected – all with open SMBs sometimes with FTP or SMTP services. 

Agent Tesla is indeed a renowned "malware-as-a-service" RAT for stealing passwords, keystrokes, clipboard data as well as other important information. It is typically transmitted through phishing attempts since it initially surfaced around 2014 and was replicated several times. 

They could recognize hosts with this particular web service stack with the XAMPP web component of RiskIQ. Researchers would then detect malicious infrastructure and trends in that infrastructure using these hosts in conjunction with other data sources. 

An IP hosting Agent Tesla and a WBK file, a restorable file by Microsoft Word, are included within one instance. A link to the Hybrid Analysis Report in the related hashes list of the IP is provided for the file which initiates a GET request in a WBK file, and for another file to install a Tesla Agent file with a variety of commands and control (C2) domains. In many other instances, attackers' IPs utilized Agent Tesla, using a malicious XLSX document communicating with the IP to install the Agent Tesla file, which was subsequently renamed. Another IP attacker hosts harmful files and sends phishing emails to implant malware such as SnakeKeylogger or QuasarRAT. 

Evidence indicates that the attacker has installed XAMPP on hosts owned by the provider dynamic DNS[.]org that distributed the Tesla Agent. Other DDNS providers with preinstalled XAMPP stack malware packages have also been identified. 

The researchers state that “While we do not have confirmed malicious activity on this infrastructure, an illegitimate domain mimicking Microsoft Outlook was recently registered on July 23 and has linked to two PHP pages displaying what appears to be XAMPP notifications on settings not yet made.”

UBEL is the Android Malware Successor to Oscorp


As part of a fresh campaign that began in May 2021, an Android malware that was discovered misusing accessibility features in the device to steal user credentials from European banking applications has morphed into an altogether new botnet. Oscorp, a mobile malware built to attack several financial targets with the purpose of stealing funds from unsuspecting users, was revealed by Italy's CERT-AGID in late January. 

The Oscorp malware, like other Android malware, convinces users to provide them access to the Android Accessibility Service, which allows them to read text on the phone screen, determine an app installation prompt, traverse through the permission list, and install apps on the user's behalf. “Not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages, to blocking the device and possibly to the capture of audio and video,” read the advisory published by Italy’s CERT-AGID. 

Malicious SMS messages were used to spread the malware, with attackers pretending as bank operators to deceive targets over the phone and secretly get access to the infected device using WebRTC protocol, allowing them to execute unlawful bank transfers. While no fresh activities have been detected since then, it appears as Oscorp has returned after a brief hiatus in the shape of the UBEL Android botnet. 

"By analysing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors]," Italian cybersecurity company Cleafy said on Tuesday, charting the malware's evolution. 

UBEL, like its predecessor, is marketed on underground forums for $980 and asks for invasive permissions that allow it to read and send SMS messages, record audio, install and delete apps, initiate itself automatically after system boot, and exploit Android accessibility services to collect confidential data such as login credentials and two-factor authentication codes, the results of which are exfiltrated back to a remote server. 

Once installed on the system, the malware tries to disguise itself as a service and hide its presence from the target, allowing for long-term persistence. Surprisingly, using WebRTC to communicate with the hijacked Android phone in real-time eliminates the requirement to enroll a new device and take over an account in order to commit fraud. 

"The main goal for this [threat actor] by using this feature, is to avoid a 'new device enrolment', thus drastically reducing the possibility of being flagged 'as suspicious' since device's fingerprinting indicators are well-known from the bank's perspective," the researchers said.

Cyberattacks Zero in Tokyo Olympics as Games Begin


Malicious malware and websites have targeted both event organizers and regular spectators as the Tokyo Olympics' opening ceremony approaches. 

According to Tokyo-based Mitsui Bussan Secure Directions, this malware was published to the VirusTotal malware-scanning site on 20 July and has been identified by numerous antivirus software companies throughout the world. 

A fraudulent PDF file masquerades as a Japanese-language document on cyberattacks associated with the Olympics. When users open it, malware enters their computer and deletes the documents. The dubious PDF was allegedly sent to Japanese event officials by hackers in an effort to erase important Olympics-related data. 

Takashi Yoshikawa of MBSD cautioned concerning the "wiper" malware. The so-called Olympic Destroyer virus caused severe system interruptions at the 2018 Winter Games in Pyeongchang, South Korea. 

TXT, LOG, and CSV files, which can occasionally hold logs, databases, or password information, are targeted for deleting alongside Microsoft Office files. Furthermore, the wiper targets files generated using the Ichitaro Japanese word processor, leading the MBSD team to assume that the wiper was designed particularly for PCs in Japan, where the Ichitaro program is often installed. 

Yoshikawa added, "This is the type of attack we should be most concerned about for the Tokyo Olympics, and we need to continue keeping a close eye on this." 

Fraud streaming sites have also become a major source of concern for the Games, especially now that COVID-19 concerns have virtually prohibited viewers. The websites, which appeared when users searched for Olympic-related phrases on search engines like Google, require users to accept browser alerts so that malicious advertising can be shown. Numerous sites of this sort have previously been discovered by Trend Micro. 

In Japan, Olympic content is provided for free of cost on two official streaming service platforms: one operated by state broadcaster NHK, and the other named TVer, which is managed by commercial broadcasters. In the country, other streamers are not permitted. 

Trend Micro advises that clicking those links might expose the user to assault, advising viewers to watch the Olympics on officially recognized sites. Fake Olympics websites featuring important keywords like "Tokyo" or "2020" in their domain names are another concern. In a probable phishing attack, the login information of ticket purchasers and volunteers was also exposed online. Organizers are advising prudence in the wake of such dangers.

Hackers Applying HTML Smuggling To Distribute Malware


Another latest spam E-mail operation, which abused a technique named "HTML smuggling" to circumvent E-mail security measures and transmit malware on users' devices, was identified by Microsoft's security team. This campaign has been going on for weeks. 

Microsoft Corporation is an international American technology firm that develops computer software, consumer devices, computers, and associated services. 

HTML smuggling is a method used to overcome security systems by malicious HTML generation behind the firewall - in the browser at the targeted endpoint. 

Sandboxes, proxies, and sandboxes leveraging HTML5 and JavaScript characteristics bypass the conventional network security methods such as E-mail scanners. This is by producing the destructive HTML code on the target device in the browser that is already located within the network security perimeter. 

Typically network security solutions work by analyzing the 'wire' or information flows from the network to search for identified malware signatures and trends within the byte stream. The destructive payloads are built on the target device in the browser through the use of HTML smuggling so that no items are passed to the network's security systems for detection. 

The underlying concept behind an HTML email-based counterfeits is to include a link to an email document, which does not look harmful if it is scanned, or to a file type that email security programs, like EXE, DOC, MSI, and others, deem to be harmful. 

Furthermore, it does employ certain HTML elements, such as "href" and "download," as well as JavaScript code, while accessing the URL for an assembled harmful file within the browser. 

This approach isn't new and has been known since the mid-2010s, theoretically and malware programmers have used it from at least 2019 and have been detected throughout 2020. 

Microsoft stated in a series of tweets on Friday that it tracked an e-mail spam campaign that lasted weeks abusing HTML smuggling to put a destructive ZIP file on machines. 

Files in the ZIP file, unfortunately, infect the users with the banking trojan Casbaneiro (Metamorfo). Casbaneiro is indeed a traditional Latin American bank Trojan that focuses on Brazilian and Mexican banks and cryptocurrency services. It leverages the method of social engineering, which displays false pop-up windows. These pop-ups attempt to entice potential victims to provide critical information; this information is stolen if it succeeds. 

Although Microsoft has announced that Microsoft Defender for Office 365 might recognize HTML-contracted files, OS maker raises a warning on Friday for customers who are not their clients or those who are unaware of the technology or do not have email security devices that scan incoming emails.

Fake Windows 11 Installers are Being Used to Spread Malware


Although Windows 11 isn't expected to be released until later this year, hackers have already begun attempting to use it to infect victims with malware. On Friday, security firm Kaspersky warned that crooks were using bogus installers to take advantage of consumers eager to get their hands on the Microsoft operating system update, which is set to be released in the fall. 

“Although Microsoft has made the process of downloading and installing Windows 11 from its official website fairly straightforward, many still visit other sources to download the software, which often contains unadvertised goodies from cybercriminals (and isn’t necessarily Windows 11 at all),” Kaspersky wrote. The sarcastic "goodies" include anything from harmless adware to password stealers and trojans. 

An executable file called 86307 windows 11 build 21996.1 x64 + activator.exe is one example. It certainly appears credible, with a file size of 1.75GB. However, the majority of that space is taken up by a single DLL file that contains a lot of irrelevant data. 

When you run the application, the installer seems to be a standard Windows installation wizard. Its primary function is to download and execute a more intriguing executable. The second executable is likewise an installer, with a license agreement that describes it as a “download manager for 86307 windows 11 build 21996.1 x64 + activator” and notes that it will also install some sponsored applications. If you accept the agreement, your computer will be infected with a number of malicious programmes. 

It's not uncommon for hackers to take advantage of victims' demand for a product or service, whether it's coronavirus contact tracing apps or the Telegram encrypted messaging app. In late June, Microsoft announced Windows 11 and made an initial “insider preview” accessible. Security has been highlighted as a key driving factor in the development of the operating system upgrade. 

The bogus installers are proliferating as Microsoft battles a number of security threats directed at the firm. Last week, Microsoft revealed instructions on how to protect against the "PetitPotam" attack, which might allow attackers to take control of Windows domains, as well as a solution for the "SeriousSAM" vulnerability, which could let attackers get administrative access. Last week, the corporation also issued a warning about LemonDuck, a cryptocurrency mining malware that has been targeting Microsoft devices. 

WhatsApp CEO: US Allies' National Security Officials Targeted with NSO Malware


According to WhatsApp CEO Will Cathcart, governments used NSO group malware to target high-ranking government officials all around the world. 

Cathcart addressed the spyware assaults discovered by the Project Pegasus inquiry with The Guardian, noting they are similar to a 2019 attack against 1,400 WhatsApp users. 

Cathcart added, “The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then. This should be a wake-up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.” 

NSO Group's military-grade spyware is suspected of being utilized against heads of state, cabinet members, activists, and journalists. Over 50,000 phone numbers have been leaked from the Pegasus project's central breach. The inclusion of a person's phone number on the list, however, does not always indicate that they were efficiently targeted, according to The Guardian. 

The leak is said to have included French President Emmanuel Macron, although NSO denies that none of its clients targeted Macron. The IT company also stated that the reported 50,000 figure was overstated. 

Cathcart, on the other hand, tried to refute this portrayal, stating that his firm had documented a two-week-long attack in 2019 that affected 1,400 customers. He added, “That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high. That’s why we felt it was so important to raise the concern around this.” 

According to The Guardian, WhatsApp lodged a lawsuit against NSO in 2019, saying that the corporation had transmitted malware to its customers' phones. NSO, an Israeli firm, argued that the responsibility should be put on its customers who are the foreign government. 

“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this," Cathcart stated. "Should they stop? Should there be a discussion about which governments were paying for this software?” 

The NSO spokesperson told The Guardian, "We are doing our best to help to create a safer world. Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists, and criminals using end-to-end encryption platforms? If so, we would be happy to hear."

Cloud-Delivered Malware Increased 68% in Q2, Netskope Reports


Cybersecurity firm Netskope published the fifth edition of its Cloud and Threat Report that covers the cloud data risks, menaces, and trends they see throughout the quarter. According to the security firm report, malware delivered over the cloud increased 68% in the second quarter.

"In Q2 2021, 43% of all malware downloads were malicious Office docs, compared to just 20% at the beginning of 2020. This increase comes even after the Emotet takedown, indicating that other groups observed the success of the Emotet crew and have adopted similar techniques," the report said.

“Collaboration apps and development tools account for the next largest percentage, as attackers abuse popular chat apps and code repositories to deliver malware. In total, Netskope detected and blocked malware downloads originating from 290 distinct cloud apps in the first half of 2021." 

Cybersecurity researchers explained that threat actors deliver malware via cloud applications “to bypass blocklists and take advantage of any app-specific allow lists.” Cloud service providers usually eliminate most malware instantly, but some attackers have discovered methods to do significant damage in the short time they spend in a system without being noticed.

According to the company's researchers, cloud storage apps account for more than 66% of cloud malware distribution. Approximately 35% of all workloads are also susceptible to the public internet within AWS, Azure, and GCP, with public IP addresses that are accessible from anywhere on the internet.

“A popular infiltration vector for attackers” are RDP servers which were exposed in 8.3% of workloads. Today, the average company with 500-2,000 employees uses 805 individual apps and cloud services, 97% of which are unmanaged and often free by business units and users.

According to Netskope's findings, employees leaving the organization upload three times more data to their personal apps in the last 30 days of employment. The uploads are leaving company data exposed because much of it is uploaded to personal Google Drive and Microsoft OneDrive, which are popular targets for cybercriminals. 

As stated by chief security scientist and advisory CISO at ThycoticCentrify Joseph Carson, last year’s change to a hybrid work environment requires cybersecurity to evolve from perimeter and network-based to cloud, identity, and privileged access management. 

Organizations must continue to adapt and prioritize managing and securing access to the business applications and data, such as that similar to the BYOD types of devices, and that means further segregation networks for untrusted devices but secured with strong privileged access security controls to enable productivity and access,” Carson said.

Discord CDN and API Exploits Drive Wave of Malware Detections


As per the researchers, the number of reported Discord malware detections has increased significantly since last year. Even users who have never interacted with Discord are at risk, even though the network is mostly utilized by gamers as Discord has a malware problem.

Discord develops servers, or unique groups or communities of people, who can communicate instantly via voice, text, and other media. 

According to research issued by Sophos, occurrences have increased 140 times since 2020. The major cause of the Discord spike is its content delivery network (CDN) and application programming interface (API), both of which have been exploited by cybercriminals. 

The CDN of Discord is being exploited to host malware, while its API is being utilized to exfiltrate stolen data and allow hacker command-and-control channels. 

Since Discord is extensively used by younger gamers who play Fortnite, Minecraft, and Roblox, most of the virus floating around involves pranking, such as using code to crash an opponent's game, as per Sophos. However, the increase in data thieves and remote access trojans is more concerning, according to the report. 

“But the greatest percentage of the malware we found have a focus on credential and personal information theft, a wide variety of stealer malware as well as more versatile RATs. The threat actors behind these operations employed social engineering to spread credential-stealing malware, then use the victims’ harvested Discord credentials to target additional Discord users,” the report added. “And this excludes the malware not hosted within Discord that leverage Discord’s application interfaces in various ways. At just before publication time, more than 4,700 of those URLs, pointing to a malicious Windows .exe file, remained active.” 

In April, Sophos discovered 9,500 malicious URLs on Discord's CDN. After a few months, the number had risen to 17,000 URLs. Sophos pointed out that Discord's "servers" are actually Google Cloud Elixir Erlang virtual machines with Cloudfare, and that they can be made "public" or "private" for a subscription, with keys to invite others to attend. 

According to the report, Discord's CDN is just Google Cloud Storage, which makes the information exchanged available on the internet. 

Discord: Easy Target
According to the report, “once files are uploaded to Discord, they can persist indefinitely unless reported or deleted.” 

Phishing messages and virus URLs may also be sent using Discord chat channels. Many Discord scams promise game "cheats," but instead send credential stealers of various kinds, as per Sophos. 

Sonatype discovered three malicious software packages in a prominent JavaScript code repository in January, including Discord token and credential stealers that allowed hackers to steal users' personal details. This isn't the first time a security concern has been brought to Discord's notice. Cisco's Talos released a report in April warning users that Discord and Slack were being frequently utilized to deploy RATs and data stealers. 

In February, Zscaler THreatLabZ reported that spam emails linked to the pandemic were spreading on Discord in an attempt to get users to download the XMRig cryptominer virus. PandaStealer, a data-stealing virus, was spreading through a spam operation on Discord by May. 

According to Sophos experts, Discord has responded positively to their findings and is actively trying to improve safety on the platform. However, as more businesses use Discord to provide services, Sophos advises that they should be mindful of the dangers that lie on the site. 

Sophos added, “With more organizations using Discord as a low-cost collaboration platform, the potential for harm posed by the loss of Discord credentials opens up additional threat vectors to organizations. Even if you don’t have a Discord user in your home or office, abuse of Discord by malware operators poses a threat.” On the Discord CDN, the team discovered old malware such as spyware and phoney app info stealers.

LemonDuck Targets Windows and Linux Systems


Initially, it was mainly a crypto-monetary botnet that allowed machine mining but later a transformation was initiated to make it a malware loader, bringing us to Microsoft's current update on this malevolent digital duck loaded with citrus. 

Microsoft warns users that LemonDuck's crypto-mining malware is aimed at both Windows and Linux, and distributes itself by phishing, exploiting, USB, and brute-force operations and attacks that exploit a serious vulnerability on the Exchange Server detected in March. 

In May, two years after the first bug appeared, the organization was found to be employing Exchange bugs for cryptocurrencies mining. 

Notably, throughout the period where security teams concentrate on correcting severe faults, and even eradicating competing spyware, the group behind LemonDuck makes use of high-profile weaknesses to protect the security system. 

The repercussions may be grave if one is attacked by the LemonDuck. Thus according to Microsoft, LemonDuck's capabilities include the robbing of key Windows and Linux PC credentials as well as the removal of security controls that make the system defenseless; email spreading (probably spearphishing attempts); and the reinstallation in devices to facilitate further execution of remote code (RCE) through back doors. 

Malware research teams from Cisco's Talos have indeed scoped the group's exchange activity. They observed that before loading payloads such as the Cobalt strike pentesting kit, a popular lateral movement tool, LemonDuck was utilizing automated tools to scan, detect, and exploit server software, which allows the malware to download additional modules. 

Microsoft post on the matter says, “(LemonDuck) uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems." 

It is also revealed by Microsoft that although the attackers have initially predominantly focused on China, India is now in the top ten countries most afflicted by this malware. Precisely, India is among the six top countries targeted by cybercriminals alongside the USA, Russia, China, Germany, and Great Britain, with production and IoT businesses being the main targets. 

The risk is also heightened by the expanding malware architecture, which makes the cybersecurity sector even more vulnerable to these attacks. 

The usage of LemonCat, a distinct yet equally harmful and highly developed focused malware tool often used to install backdoors in systems through RCE attacks, is also mentioned by Microsoft. 

Further, Microsoft’s threat intelligence team states, “The threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks."

XCSSET, a MacOS malware, Targets Google Chrome and Telegram Software


As part of further "refinements in its tactics," a malware notorious for targeting the macOS operating system has been updated to add more elements to its toolset that allow it to accumulate and exfiltrate sensitive data saved in a range of programmes, including apps like Google Chrome and Telegram. This macOS malware can collect login credentials from a variety of apps, allowing its operators to steal accounts. 

XCSSET was discovered in August 2020, when it was found to be targeting Mac developers using an unusual method of propagation that entailed injecting a malicious payload into Xcode IDE projects, which is executed when the project files are built in Xcode. XCSSET collects files containing sensitive information from infected computers and delivers them to the command and control (C2) server. 

Telegram, an instant messaging service, is one of the apps that has been attacked. The virus produces the “telegram.applescript” archive in the Group Containers directory for the “keepcoder.Telegram” folder. By obtaining the Telegram folder, the hackers are able to log into the messaging app as the account's legal owner. The attackers gain access to the victim's account by moving the stolen folder to another machine with Telegram installed, according to Trend Micro researchers. Normal users have read and write permissions to the Application sandbox directory, XCSSET can steal sensitive data this way. 

The malware can read and dump Safari cookies, inject malicious JavaScript code into multiple websites, steal information from programmes like Notes, WeChat, Skype, and Telegram, and encrypt user files, among other things. Earlier this month, XCSSET received an update that allowed malware developers to target macOS 11 Big Sur as well as Macs with the M1 chipset by getting beyond Apple's new security standards in the current operating system. 

"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," Trend Micro researchers previously noted. 

According to a new report released by the cybersecurity firm on Thursday, XCSSET uses a malicious AppleScript file to compress the Telegram data folder ("/Library/Group Containers/") into a ZIP archive file before uploading it to a remote server under their control, allowing the threat actor to log in using the victim's account. 

"The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems," the researchers said.

Researchers Embedded Malware into an AI's 'Neurons' and it Worked Scarily Well


According to a new study, as neural networks become more popularly used, they may become the next frontier for malware operations. 

The study published to the arXiv preprint site stated, malware may be implanted directly into the artificial neurons that make up machine learning models in a manner that protects them from being discovered.

The neural network would even be able to carry on with its usual activities. The authors from the University of the Chinese Academy of Sciences wrote, "As neural networks become more widely used, this method will become universal in delivering malware in the future." 

With actual malware samples, they discovered that changing up to half of the neurons in the AlexNet model—a benchmark-setting classic in the AI field—kept the model's accuracy rate over 93.1 percent. The scientists determined that utilizing a method known as steganography, a 178MB AlexNet model may include up to 36.9MB of malware buried in its structure without being detected. The malware was not identified in some of the models when they were tested against 58 different antivirus programs. 

Other ways of invading businesses or organizations, such as attaching malware to papers or files, are frequently unable to distribute harmful software in large quantities without being discovered. As per the study, this is because AlexNet (like many machine learning models) is comprised mainly of millions of parameters and numerous complicated layers of neurons, including fully connected "hidden" layers, 

The researchers discovered that altering certain other neurons had no influence on performance since the massive hidden layers in AlexNet were still intact. 

The authors set out a playbook for how a hacker could create a malware-loaded machine learning model and distribute it in the wild: "First, the attacker needs to design the neural network. To ensure more malware can be embedded, the attacker can introduce more neurons. Then the attacker needs to train the network with the prepared dataset to get a well-performed model. If there are suitable well-trained models, the attacker can choose to use the existing models. After that, the attacker selects the best layer and embeds the malware. After embedding malware, the attacker needs to evaluate the model’s performance to ensure the loss is acceptable. If the loss on the model is beyond an acceptable range, the attacker needs to retrain the model with the dataset to gain higher performance. Once the model is prepared, the attacker can publish it on public repositories or other places using methods like supply chain pollution, etc." 

According to the article, when malware is incorporated into the network's neurons, it is "disassembled" and assembled into working malware by a malicious receiver software, which may also be used to download the poisoned model via an upgrade.  The virus can still be halted if the target device checks the model before executing it. Traditional approaches like static and dynamic analysis can also be used to identify it.

Dr. Lukasz Olejnik, a cybersecurity expert and consultant, told Motherboard, “Today it would not be simple to detect it by antivirus software, but this is only because nobody is looking in there.” 

"But it's also a problem because custom methods to extract malware from the [deep neural network] model means that the targeted systems may already be under attacker control. But if the target hosts are already under attacker control, there's a reduced need to hide extra malware." 

"While this is legitimate and good research, I do not think that hiding whole malware in the DNN model offers much to the attacker,” he added. 

The researchers anticipated that this would “provide a referenceable scenario for the protection on neural network-assisted attacks,” as per the paper. They did not respond to a request for comment from Motherboard.

This isn't the first time experts have looked at how malicious actors may manipulate neural networks, such as by presenting them with misleading pictures or installing backdoors that lead models to malfunction. If neural networks represent the future of hacking, major corporations may face a new threat as malware campaigns get more sophisticated. 

The paper notes, “With the popularity of AI, AI-assisted attacks will emerge and bring new challenges for computer security. Network attack and defense are interdependent. We hope the proposed scenario will contribute to future protection efforts.”

Pulse Security Devices Identified with Malware: Alerts CISA


A detailed warning concerning almost 13 malware samples associated with Pulse Secure operated devices has been issued by the Cybersecurity and Infrastructure Security Agency (CISA). These specimens were flown beneath the anti-virus radar. 

In Pulse Connect Secure's suite of virtual private network (VPN) devices, at least two main hacker groups have distributed a dozen malware families to spies on the US defense sector. Several hacking organizations supported by the Chinese are believed to be behind the attacks. 

Executives were urged to evaluate the document to identify the threat actor's strategies, techniques, and procedures while looking for any signs of data being compromised. 

Pulse Secure is indeed a global business with offices around the world. Its headquarters are situated in Silicon Valley, with development offices in Massachusetts and India. Pulse has sales offices located across America, Europe, the Middle East, and Asia. It's the most diverse SSL-VPN in the World to ensure user productivity, IT agility, and continuity in the enterprise. 

Pulse Secure devices, key infrastructure institutions, and other organizations in the commercial sector have been targeted by cyber threats ever since June 2020. Attackers used various vulnerabilities for the first entry and deployed backdoor web shells (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289). 

All of the documents examined by the CISA were identified on affected Pulse Connect Secure devices, including some updated versions of legal Pulse Secure scripts. 

In most cases, the Malevolent Files were web shells for remote persistence and remote controls to activate and execute, although other utilities were included. For one of these specimens, the CISA reports that it is a "modified version of the Secure Pulse Perl Module" - a fundamental firmware update file particularly - for hackers to retrieve and execute remote instructions converted to a web shell (ATRIUM). 

The embedded web shell was intended to accept an ID parameter from a web application post. The web shell processes the data offered by running it locally using a system() function within the 'id' parameter as a control of the operating system. 

In another examination, CISA discovered a customized Unix umount application designed to "hook" the environmentally friendly capabilities of a Unix device. 

The addition of this unmountable 'hook' feature results in many system changes providing persistent control and command (C2) remote operator access to an affected Pulse Secure device, as per CISA. 

The list of genuine CISA Pulse Secure files that the attacker has identified to modify include: 
  • licenseserverproto.cgi (STEADYPULSE) t
  • nchcupdate.cgi 
  • healthcheck.cgi 
  • compcheckjs.cgi 
  • (THINBLOOD LogWiper Utility Variant) 
  • compcheckjava.cgi (hardpulse) 
  • meeting_testjs.cgi (SLIGHTPULSE) 

In cases studied by Mandiant Cybersecurity firm, most of the above files were subjected to change for nefarious intent earlier this year. The researchers indicated in an April report that CVE-2021-22893 was used by the suspected Chinese threat actor. 

As per the report of Mandiant, the opponents converted the genuine files into the STEADYPULSE, HARDPULSE, and SLIGHTPULSE web shells and a variant of THINBLOOD LogWiper utility. 

Some of the documents CISA identified on hacked Pulse Secure devices at the time of investigation were uncovered by anti-virus solutions; just one of them was available on the VirusTotal file scanning portal which was uploaded two months ago and flagged as a variation of ATRIUM web shell by one antivirus engine. 

To ensure security posture in their systems, CISA administrators advised performing several actions. It suggested that antivirus and engines be kept up-to-date along with the patches. The experts also said that file sharing and printing services must be disabled. One must use strong passwords or Active Directory authentication if required.

This New Malware Hides Itself Among Windows Defender Exclusions to Avoid Detection


On Tuesday, security experts confirmed the existence of a previously undocumented malware strain named "MosaicLoader," which targets people looking for cracked software as part of a global campaign. 

Bitdefender researchers stated in a report shared with The Hacker News, "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service." 

"The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links." 

The malware's name comes from its complex internal structure, which is designed to avoid reverse engineering and escape investigation. MosaicLoader attacks employ a well-known malware delivery technique known as search engine optimization (SEO) poisoning, in which hackers buy ad slots in search engine results to elevate their harmful URLs to the top of the results when users search for keywords linked to pirated software. 

Following a successful infection, the Delphi-based dropper which masquerades as a software installer and serves as an entry point for retrieving next-stage payloads from a remote server and adding local exclusions in Windows Defender for the two downloaded executables in an effort to circumvent antivirus scanning. 

It's important to note that such Windows Defender exclusions can be found in the registry keys listed below: 

1.File and folder exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 

2.File type exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions 

3.Process exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes 

One of the binaries, "appsetup.exe," is designed to attain system persistence, while the second, "prun.exe," is a downloader for a sprayer module that can obtain and deploy a range of attacks from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba. 

Because of MosaicLoader's broad capabilities, compromised systems can be co-opted into a botnet, which the threat actor can then use to spread a variety of malicious software, including both publicly available and customized malware, to gain, expand, and manage unauthorized access to victim computers and networks. 

The researchers added, "The best way to defend against MosaicLoader is to avoid downloading cracked software from any source."

Besides being against the law, cybercriminals look to target and exploit users searching for illegal software, adding it's essential to check the source domain of every download to make sure that the files are legitimate.

Caliente Bandits Target Spanish Speaking Individuals to Spread Bandook Malware


A new hacking gang TA2721 also commonly known as Caliente Bandits has been tracked by Proofpoint researchers since January 2021. As per the researchers, the group is actively targeting many industries, primarily focusing on entertainment and finance. 

The organization is distributing a known but rarely employed, RAT trojan known as Bandook; they are using the Spanish language lures to do so. Researchers have labeled the group 'Caliente Bandits' as they use the hot-mail accounts. The Spanish term "Caliente" refers to "hot." 

Researchers with evidence had started tracking this group in January 2021 and it was observed around April that TA2721 distributes Bándok's weekly email threats. Although the group is attacking several organizations across the world, those with Spanish surnames remain the primary target. It is worth noting that the ESET cybersecurity company initially disclosed malware data used by the group. 

The campaign uses the very same budget or transaction theme to encourage users to download a PDF repetitively. A URL and password are included in the attached PDF which leads to the installation of a Bandook password-protected package. 

According to Proofpoint, TA2721 sent emails in 2021, to fewer than 100 organizations. This list covered institutions in the United States, Europe, and South America. These attacks concentrated mostly on organizations with Spanish surnames like Pérez, Castillo, Ortiz, etc. 

Reportedly, two variants of Bandook, commodities malware, were spread by the threat actor. Meanwhile, scientists observed the wrongdoer adopting detection evasion measures such as infected archives' password encryption. 

The threat actor would often send links from Hotmail or Gmail addresses to the Bandook download. Terms such as "PRESUPUEST" and "COTIZACION" are generally found in subject lines and email names. However, the actor shared URLs directly in one effort in June. Researchers have found that URLs used abbreviated URLs from and, which they have observed from January to June 2021. These links redirected to Spideroak[.]com, a real hosting file, for a counterfeit RAR file to be downloaded. 

The Bandook - Remote Access Technology (RAT), which has been accessible commercially in the wild since 2007, was written in Delphi. It could be used for audio and video capturing and recording, keylogging, and data theft. 

The evidence suggests that TA2721 will continue to use a small number of malware variants from Bandook, a comparable chain of infections, and pick few C2 domains. The precise targeting shows that the threat actor recognizes target entities prior to email threats are sent.

Romanian Cryptojacking Gang Target Linux-based Machines to Install Cryptominer Malware


Romanian threat actors are employing a new brute-forcer “Diicot brute” to crack the passwords on Linux-based machines and install cryptominer malware. 

According to Bitdefender researchers, the cryptojacking gang employs a unique SSH brute-forcer dubbed Diicot to crack weak passwords on Linux machines and install code of a miner XMRig, a legitimate open-source miner that’s been adapted for cryptojacking by numerous hackers. 

The researchers said they connected the cryptojacking gang to at least two DDoS botnets: a variant of the Linux-based DDoS DemonBot botnet called “Chernobyl” and a Perl IRC bot. The main motive of this campaign is to deploy Monero mining malware, also their toolset can be used to steal sensitive information from users and perform other nefarious actions. 

Cryptojacking is a slow and tedious way to generate illicit income, that’s why the actor is using botnet to infect as many devices as possible. “Owning multiple systems for mining is not cheap, so attackers try the next best thing: To remotely compromise devices and use them for mining instead,” according to the report published by Bitdefender researchers.

Threat actors are targeting people with weak and default passwords that are easily broken through brute force. “People are the simple reason why brute-forcing SSH credentials still work,” researchers wrote.

“Hackers going after weak SSH credentials is not uncommon. The tricky part is not necessarily brute-forcing passwords but rather doing it in such a manner that attackers can’t go undetected,” Bitdefender says. Another feature of the Diicot Brute force attack implied the capability of the tool to filter honeypots, as per threat actors’ declarations.

The attackers started the campaign in January and have not yet moved to the worm phase, according to Bitdefender. The cybersecurity analysts tracked the Romanian cryptojacking Gang back in May. Then, they discovered the cryptojacking campaign based on the “.93joshua” loader. Surprisingly enough, it was easy to trace the malware to “http://45[.]32[.]112[.]68/.sherifu/.93joshua” in an open directory.

“It turns out that the server hosted other files. Although the group hid many of the files, their inclusion in other scripts revealed their presence. They found that the associated domain,, has hosted malware at least since February,” analysts noted

Israeli Firm Assisted Governments Target Journalists & Activists with Zero Days and Spyware


Microsoft as part of its Patch on Tuesday fixed two of the zero-day Windows flaws weaponized by Candiru, an Israeli firm in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. 

According to a report published by the University of Toronto's Citizen Lab, the spyware vendor has also been formally identified as the commercial surveillance firm that Google's Threat Analysis Group (TAG) revealed was exploiting multiple zero-day vulnerabilities in Chrome browser to attack victims in Armenia. 

"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers stated.

"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services." 

Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is stated to be the creator of DevilsTongue, an espionage toolkit able to infect and track a wide range of devices across multiple platforms, including iPhones, Androids, Macs, PCs, and cloud accounts. 

After gaining a hard drive from "a politically active victim in Western Europe," Citizen Lab stated it was able to restore a copy of Candiru's Windows spyware, which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771 that were leveraged to install malware on victim boxes. 

The infection chain used a combination of browser and Windows vulnerabilities, with the latter being transmitted through single-use URLs emailed on WhatsApp to targets. On July 13, Microsoft patched both privilege escalation issues, which allow an attacker to bypass browser sandboxes and obtain kernel code execution. 

The attacks resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor capable of exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers. Microsoft discovered that the digital weapon could gather data, read the victim's messages, get photos, and even send messages on their behalf using stolen cookies from logged-in email and social media accounts including Facebook, Twitter, Gmail, Yahoo,, Odnoklassniki, and Vkontakte.

Furthermore, the Citizen Lab study linked two Google Chrome vulnerabilities — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv firm, citing similarities in the websites used to disseminate the exploits. 

A total of 764 domains related to Candiru's spyware infrastructure were discovered, many of which purported to be advocacy groups such as Amnesty International, the Black Lives Matter movement, media businesses, and other civil-society-oriented enterprises. 

Saudi Arabia, Israel, the United Arab Emirates, Hungary, and Indonesia were among the countries that ran systems under their authority. 

According to a Microsoft report, an Israeli hacking-for-hire firm has assisted government clients in spying on more than 100 people throughout the world, including politicians, dissidents, human rights activists, diplomatic staff, and journalists.

Among other well-known news outlets, the Guardian and the Washington Post released information of what they termed "global surveillance operations" using Pegasus. The surveillance is said to be aimed at journalists and according to the claims, Pegasus malware is being used to spy on people by over ten nations. 

SOURGUM's malware has so far targeted over 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. 

These attacks mostly targeted consumer accounts, implying that Sourgum's users were pursuing part of the attack. TAG researchers Maddie Stone and Clement Lecigne noticed a rise in attackers utilizing more zero-day vulnerabilities in their cyber offensives in the early 2010s, which they attribute to more commercial vendors offering access to zero-day flaws. 

Microsoft Threat Intelligence Center (MSTIC) stated in a technical rundown, "Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices.” 

"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks," MSTIC added.

SpearTip: New Diavol Ransomware Does Steal Data


The Wizard Spider threat organization, which is behind the Trickbot botnet, has been connected to a new ransomware outbreak called Diavol, as per security experts. 

According to BleepingComputer, the ransomware families use almost similar command-line parameters for the same functionality and leverage the same I/O operations for file encryption queueing. 

Although there are some commonalities, as they've indicated and as SpearTip has confirmed, there are two key distinctions that make a direct link unlikely. By performing a location check, Diavol ransomware does not prevent its payloads from executing on Russian targets. This is significant since most malware avoids Russian systems. 

Data Exfiltration FortiGuard Labs explains in their analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.” 

Following additional analysis by SpearTip's engineers, the Diavol ransomware gang appears to be stealing data. Despite the lack of this capacity in the ransomware executable, the group employs techniques that allow for the exfiltration of data from a, particularly evasive environment. 

For Cobalt Strike, the Diavol ransomware gang utilizes an HTTP beacon, which appears to be used to assist data exfiltration. The beacon's name was sysr.dll, and it was kept in a folder made by the threat actors. This network connectivity, as well as the mechanism utilized by the beacon to inject into memory, are hard to trace. 

SpearTip has confirmed that the beacon had deleted files and exfiltrated them as well. SpearTip engineers acknowledged that the Diavol gang stole data and provided evidence of data exfiltrated from several organizations through threat actor interaction. When SpearTips's engineers looked into it, they discovered that the evasive Cobalt Strike’s HTTPS Beacon was utilized, which can be used to exfiltrate data. 

Over the past few years, the former Trickbot operators have been previously targeted by law enforcement actions, have proven resilient, and integrated themselves into different ransomware groups. It's not unexpected to see signs of their activities and tactics in another ransomware gang. When evaluating data exfiltration, it's critical to perform a thorough investigation and comprehend the growth of the group's techniques. These associations guarantee that forensic reporting is accurate.