Search This Blog

Showing posts with label password stealing trojans. Show all posts

Jupyter Trojan Steals Chrome Firefox Data and Opens Backdoor

Researchers at Morphisec has recently discovered a trojan malware campaign targeted at stealing information from businesses and higher education. Reportedly, the malware named Jupyter has been used by Russian speaking hackers to gather data from various software. 

Primarily targeting Google Chrome, Mozilla Firefox, and Chromium code in itself, Jupyter's attack chain, delivery, and loader demonstrate additional capabilities such as a C2 client, execution of PowerShell scripts and commands, hollowing shellcode into legitimate windows configuration applications, for full backdoor functionality. 

The infostealer's attack begins with a zip file containing an installer which typically impersonates legitimate software like Docx2Rtf. When the installer is executed, a .NET C2 client is inserted into memory. Jupyter loader has a well-defined protocol, persistence modules, and versioning matrix, it furthers with downloading the next stage, a PowerShell command to execute the Jupyter injected in memory earlier. Now using the commonalities between both the .Net components an end-to-end framework is developed for the implementation of the Jupyter infostealer as both have similar code, obfuscation, and unique UID implementation. 
 
As per the analysis published by Morphisec, "Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” 
 
"Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them," read the report. 

Over the last 6 months, these installers have given exceptional results at bypassing security scanning controls, some among these installers even maintained 0 detections in VirusTotal.

Multiple versions of Jupyter were traced back to Russia and the planet name was noticeably misspelled from Russian to English, as per the Morphisec researchers who also found out the same image on Russian-language forums upon running a reverse Google Image search of the C2 admin panel image, concluding that the attack has Russian origins. 
 
"This is the first version seen in the wild of the infostealer stealing information (autocomplete, cookies, and passwords) only from Chrome browsers," said researchers. 

"This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection." The researchers further added.

CISA Released A New Advisory on LokiBot Trojan


LokiBot, a trojan-type malware first identified in 2015 is popular amid cybercriminals as a means of creating a backdoor into compromised Windows systems to allow the attacker to install additional payloads.

It is an information stealer that uses a stealthy trick to evade detection from security software and steal personal data of victims including their usernames, passwords, bank details, and contents of cryptocurrency wallets – using a keyblogger that would monitor browser and desktop activities.

Recently, the U.S. government's cybersecurity and Infrastructure Security Agency (CISA) observed a significant increase in malicious infections via LokiBot malware starting from July 2020. During this period, CISA's EINSTEIN Detection System, responsible for protecting federal, civilian executive branch networks, noticed continuous malicious activity by LokiBot. Credited for being simple yet effective, the malware is often sent out as an infected attachment via email, malicious websites, texts, or personal messages to target Windows and Android operating systems.

Although LokiBot has been in cyberspace for a while now, attackers still often use it to illicitly access sensitive information. In a recent attack that was carried out in July, 14 different campaigns distributing payloads of LokiBot were launched by a group of threat actors popularly known as 'RATicate'. In another malspam campaign, attackers were found to be distributing payload of LokiBot in a spear-phishing attack on a U.S based manufacturing organization.

“LokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients,” as per the alert issued on Tuesday.

Giving insights on the matter, Saryu Nayyar, CEO at Gurucul told via email, "The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space."

New Chrome Password Stealer, 'CStealer' Sends Stolen Data to a MongoDB Database


The information collected by the Chrome browser including passwords, usernames, and other user credentials is being exposed to heavy risk as a new trojan known as CStealer attempts to steal the confidential data stored onto Google's Chrome browser.

Password stealer trojans include applications that tend to run in the background and silently gather sensitive information about the system such as connected users and network activity. It attempts to steal confidential information stored onto the system and the browsers like usernames, passwords and other credentials which once being stolen are sent to a specified destination by the attacker.

While the idea behind this info-stealing trojan is just like many others- which is to steal user credentials saved onto the browser's password manager, however, the fact that CStealer uses a remote MongoDB database to store the stolen data is what makes this case unprecedented and interesting.

The malware which was discovered by MalwareHunterTeam and was later analyzed by James does not compile and send the stolen data to a C2 under the author's command, rather, it is programmed to directly connect to a remote MongoDB data and utilize it to keep the stolen passwords stored, according to the findings.

As soon as the passwords are successfully stolen, the malware tends to link to the database and store the stolen data as per the network traffic created which was examined by James. In order to carry this out, the malware carries hardcoded MongoDB credentials and to connect to the database, it uses the MongoDB C Driver as the client library.

Notably, the approach is a bit more sophisticated and not as mainstream, however, ultimately it gets the agenda right as it successfully gets the credentials stolen. In doing so, indirectly it also gives a free invitation to other hackers to access the victim's confidential information as it tends to decrypt the privacy layers already. To exemplify, anyone who would examine the malware afterward, from law enforcers to security officers, will be able to retrieve the hardcoded passwords and employ them to get to the stolen data.

Astaroth- The Tojan That Abuses Anti-Virus Software To Steal Data




A new Trojan has surfaced which disguises itself as GIF and image files and tries to exploit the anti-virus software to harvest the data on the user’s PC.

A security research team brought the situation to everyone’s notice that this variant supposedly makes use of the modules in the cyber-security software.

The exploitation of the modules leads to the cyber-con getting hold of the victim’s data including online credentials

The Trojan in the guise of an extension-less files tries to move around the victim’s PC undetected.

By the use of spam emails and phishing messages, the victim’s lured into downloading the malicious file and then the actual Microsoft Windows BITSAdmin tool is used to download the full payload from a command-and-control (C2) server.

The malware then launches an XSL script and finalizes a channel with the C2 server. The script is obfuscated and contains functions to shroud itself from the anti-virus software.

The same script is responsible for the process which influences BITSAdmin to download payloads which include Astaroth from a different C2 server.

The old version of this Trojan used to launch a scan to look for the anti-virus programs, and in case of the presence of “Avast”, the malware used to quit.



But as it turns out with Astaroth, the antivirus software would now be abused and a malicious module would be injected into one of its processes.

The exploitation of these systems is called LOL bins, Living Off the Land binaries. GAS, an anti-fraud security program could be abused in the same way.

This Trojan first surfaced in the year 2017 in South America. It targets machines, passwords and other data. Astaroth is also capable of Keylog and could intercept calls and terminate processes.

The malware employs a “ fromCharCode() deobfuscation ” method to conceal code execution, which is an upgrade on older versions of Astaroth.

LOLbins seem to have a lot of malicious potential including stealing credentials and personal data. This method is highly attractive to cyber-cons and hence needs to be prepared against.

The Return Of Trojan Poses Substantial Hacking Threat To Businesses!




The Trojan malware has returned with its infectious ransomware attacks with an aim to harvest banking credentials and personal and property related data.




Business organizations have come out to become the latest targets of this malware.



With long-term and insidious operations as ambition, the Trojan poses a lot of threat even to intellectual property.



In one of the new reports of one of the reputed security companies, it was mentioned that backdoor attacks against businesses with Trojans as back power have subsequently increased.



According to the aforementioned security lab, “Trojans” and “Backdoors” are different.



A Trojan is supposed to perform one function but ends up performing another and a Backdoor is a type of Trojan which enables a threat actor to access a system via bypassing security.



“Spyware” attacks have also consequentially risen. A spyware is a malware which aids gaining information on a device and sending it to a third party, stealthily.



This concept, of a spyware, sure is old but still is as efficacious as any other powerful malware and strictly works towards data exfiltration.



The “Emotet Trojan” has been considered to be behind the information stealing campaigns all round last year and in the beginning of this moth too.



This Trojan could move through networks, harvest data, and monitor networks. Also, it could easily infect systems by reproducing with no substantial effort at all.



Emotet is a self-sufficient danger which tends to spread onto compromised systems in addition to installing other malware on them.

The menacing behavior of TrickBot was also inferred upon by the aforementioned report, as it’s one of the by-products of Emotet.



The constantly evolving TrickBot daily gets updated with new abilities, stealing passwords and browser histories and harvesting sensitive data being a few of them.



Consultancy firms seem to be the primary targets of the Trojan. It is disposed towards harvesting more than just banking details and personal information.



Intellectual property is another thing which is a major point of concern for everyone now that the cyber-cons have stooped down to breaching walls using Trojans.



These tactics were thought to be really boring and old but have taken serious tosses and turns and have evolved into something genuinely perilous.



Businesses should stop under-estimating the attacks and keep a keen eye towards any potentiality of such attacks.

Banking Trojan Vawtrak

Banking Trojan Vawtrak (aka Neverquest or Snifula) which additionally uses the Pony module to steal wide range of log-in credentials has been proliferating rapidly over the last few months

 USA, Germany, UK, Czech Republic are the  top  affected countries this year.

While Trojans like this are not new, what makes it remarkable is the  the multi-layered concealing processes and wide range of functions it can execute.

The Vawtrak Trojkan spreads via drive-by download – in the form of spam email attachments or links to compromised sites or  through malware downloaders such as Zemot or Chaintor or through exploit kits like Angler.

Tracking the Trojan  Vawtrak, AVG has revealed a detailed analysis of its installation and functionality.

Installation
The trojan was delivered through a spam email from Amazon which contained link to a zip archive stored on a compromised Wordpress site. The delivered file which actually was a executable tried to simultaneously look as  a pdf and a screen saver. It then installed itself into the system and ensured persistence by enabling auto-execution  Windows start-up. Without causing visible changes in the system, it then dropped the DLL into the program folder and deleted its original version.

This shorter second DLL decrypts its payload, which looks like  a normal Windows exe file but is a compressed file. The decompressed file replaces the second DLL and extracts the final module in a compressed format which further contains another two DLL files. The appropriate DLL then executes Vawtrak's main functionality.

Functionality
Once executed, Vawtrak disables antivirus protection of almost all known anti-viruses, steals multiple passwords from browsers (even obscure browsers such as K-Meleon or Flock) or applications, steals browser history, modifies browser settings, logs keystrokes, takes screenshots or records user actions on desktop, enables remote access to victim's system.

Further it communicates with remote Control & Command servers, executing commands from a remote server, sending stolen information, downloading new versions of itself and web-injection frameworks.
One fascinating feature is that it can connect to the update servers  hosted on the Tor hidden Web services via a Tor2web proxy without installing any special software such as Tor browser. Moreover, the communication with the remote server is done over SSL, which adds further encryption. Due to the use of steganography, the user remains totally ignorant of the working and updation of the Trojan.

Vawtrak is not as advanced as some others but its actions are too aggressive and they may cause stability or performance issues in the infected machines.

Staying vigilant about online phishing and scams is the most efficient way of avoiding Vawtrak but as it may still find its way, even without a user's direct interaction. So having an efficient and updated antivirus solution is of utmost importance.

For full analysis of the Trojan, read the complete report by AVG.

Passteal : password-stealing malware disguised as keygen and ebooks

Password stealing malwares

Passteal, the malware that steals passwords stored in the browser using a password recovery tools, disguised as Key generators and Ebooks.

This indicates that the malware targets users who frequently use Torrent and other file hosting website to get hold of illegal copies of software.

While older variants use the password recovery tool "PasswordFox", the new variant uses 'WebBrowserPassView' tool to steal credentials stored in major browser apps such as Internet Explorer ver. 4.0-8.0, Mozilla Firefox 1.x-4.x, Google Chrome, and Apple Safari.

Once the malware extracts the data, it stores the stolen credentials in an .XML file and send the file to a remote FTP server.

According to TrendMicro malware report, the password recovery tool enables PASSTEAL to acquire all login credentials stored in the browser- even from websites using secured connections (SSL or HTTPS).