Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label C2. Show all posts
Vidar Stealer
C2 Crypto Cyber Security Raccoon Infostealer Software Vidar Stealer

Introducing Stealc, a New Infostealer

Stealc, a new data stealer that has emerged on the dark web, is gaining popularity largely to heavy marketing of its theft capability and resemblances to related viruses like Vidar, Raccoon, Mars, and Redline.

Researchers at SEKOIA.IO in January 2023 came upon a brand-new information thief called Stealc that was marketed in dark web forums. The info-stealer was created by a threat actor going by the handle Plymouth, who claims it supports a broad range of stealing abilities.

Stealc has been promoted on hacker forums by a user going by the handle "Plymouth," who described the malware as having strong data-stealing abilities and a simple administrative interface.Plymouth released multiple iterations of Stealc and shared changelogs on various message boards and a dedicated Telegram channel.

Several Stealc samples were discovered in the wild in February by specialists; these samples resembled raccoons and vidars. More than 40 Stealc C2 servers were found by SEKOIA, indicating the malware's rising ubiquity among cybercriminals that distribute stealers. Considering users who have access to the administration panel can create fresh stealer samples, which raises the likelihood that the virus will spread to more people, this popularity may be explained.

Stealc's functionality

Stealc is capable of stealing private information from widely used online browsers, desktop cryptocurrency wallets, browser extensions for cryptocurrency wallets, and other software including email and instant messaging clients. Stealc implements a programmable data gathering setup and supports a programmable file grabber, in contrast to existing stealers.

Stealc gathers information from the victim's browser, extensions, and programs. If the grabber rules are activated, it also captures files that fit those rules. The malware then deletes both itself and the downloaded DLL files from the infected system after data have been sent to the C2.

The malware is spread by attackers via YouTube videos. Together with links to a download site, the videos offer instructions on how to set up cracked software. This website is used to deceive the victims into downloading malware-filled software. With the use of YARA and Suricata rules, SEKOIA published signals of compromise (IoCs) for such a threat.






Read more »
Ukraine
APT C&C C2 Encryption malware Payload Russian Hackers SSH Threat actors Ukraine

Data Theft Feature Added by Russian Nodaria APT

An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.

The two-stage threat known as graphiron consists of a downloader and a payload. The downloader has the addresses of command-and-control (C&C) servers hardcoded in. It will look for active processes when it is executed and compare them to a blacklist of malware analysis tools.

If no processes on the blacklist are discovered, this will connect to a C&C server, download the payload, and then decrypt it before adding it to autorun. The downloader is set up to run only once. It won't try again or send a signal if it is unable to download and run the payload.

Graphiron shares several characteristics with earlier Nodaria tools like GraphSteel and GrimPlant. Advanced features allow it to execute shell commands, gather system data, files, login passwords, screenshots, and SSH keys. Further, it uses port 443 to communicate with the C2 server, and all communications are encrypted using an AES cipher.

Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.



Read more »
Software
C2 Cyber Security Google Google Ads HTTP Attacks ICedID Malware Attack Microsoft SentineLabs Software

Installing Software via Google Poses Concerns

Researchers and a keystream sample of inquiries claim that while browsing Google for downloads of well-known software has always had certain dangers, in recent months it has become downright risky. 
On Thursday, volunteers at Spamhaus stated that threat researchers were accustomed to receiving a moderate volume of malicious advertising through Google Ads. 

Multiple malware groups, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader, are responsible for the rise. In the past, these groups frequently depended on spam attachments with malicious Microsoft Word papers that had booby-trapped macros. The past month has seen Google Ads develop into the preferred channel for thieves to disseminate their malicious software, which is disguising itself as a legitimate download by mimicking well-known companies including Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, and Thunderbird.

This week, researchers from the security firm Saiflow discovered two flaws in older versions of the Open Charge Point Standard, an open-source protocol used to operate many electric vehicle charging stations (OCPP). An attacker might take control of a charger, disable groups of chargers, or steal electricity from a charger for their own use by utilizing weak instances of the OCPP standard, which is used to communicate between charges and management software. To reduce the risks posed by the vulnerabilities, Saiflow claims to be collaborating with manufacturers of EV chargers.

Hegel from Sentinel One provides one case: Real C2 traffic is masked by Formbook and XLoader's HTTP requests to several sites that are randomly chosen from an embedded list and sent with encoded and encrypted content. The rest of the domains are merely ruses; only one is the actual C2 server. A sample that we examined sent HTTP GET and/or POST requests to the 17 domains (16 endpoints) specified in the IOC table below while encoding and encrypting the HTTP data. The implementation of this technology in particular by XLoader is covered in length in prior research.

The strategy of disguising the genuine C2 domain by beaconing to many domains continues to be supported by earlier studies. The malicious software sends beacons to websites that have valid or unregistered domains. The accompanying figure, which is a snapshot of some of the domains the virus contacts, demonstrates the vast range of domain ages, hosting companies, and registration dates.

The use of decoy domains or other obfuscation techniques to hide the real control servers used in the pervasive MalVirt and other malvertising campaigns continues to be effective unless Google develops new protections. MalVirt also spreads malware that is difficult to detect.


Read more »
Vidar Stealth
C2 Cybersecurity malware SM Platforms Social Media Vidar Stealth

To Avoid Detection, Vidar Stealth Operators Use SM Platforms

 


Several days ago, the commercially available off-the-shelf malware BitRat was observed with a newly discovered distribution method for how it was spread. Now, a new information theft malware called Vidar Stealer has been discovered. This malware uses advanced techniques to exploit popular social media platforms as an intermediary server to send valuable information to the attacker. 

Using Social Media Platforms as a Means of Hiding 

Researchers from AhnLab have discovered that Vidar Stealer is constantly creating throwaway accounts on popular social media platforms, such as TikTok, Telegram, Steam, and Mastodon.  
  • To commit attacks, attackers create their own social media profiles and add identifying characters, along with their C2 address, to the profile. 
  • In addition to its advantages, such traffic can be very challenging to identify and block using trivial security strategies since such traffic is difficult to detect and block. 
  • If the C2 server becomes unavailable or is blocked, attackers can set up an account and edit the account pages from this newly created server. Through this protocol, previously distributed malware can be contacted by the server.  
An In-Depth Look  

The experts discovered that an attacker had taken control of an account on the Ultimate Guitar platform and described how it was operating.  
  • The malware attacks infected systems by decrypting strings and passing garbage codes as arguments used to modify strings by executing string-modifying instructions. 
  • The malware checks the name and username of the computer to determine if it is a Windows Defender emulator. Once detected, the malware automatically ceases to function, and the computer shuts down. 
  • As a next step, a malware file connects to the threat actor's account page to grab the C2 address that is hard-coded inside the binary so the malware can download further information. 
  • This malware variant provides the ability to collect data and compress it into a ZIP file. It does this by encoding it in Base64 before it is transmitted to the C2 server using the latest encryption method. 
Compared to Previous Strategies 

Vidar Stealer is a malware infection that was first identified in 2018. According to researchers, it uses various delivery mechanisms for spreading, including phishing emails and cracked software. 
  • As part of the existing malware variants, data was collected and sent in the format of compressed files containing plaintext data. 
  • A variety of methods have been used in recent campaigns to distribute this malware, including malicious Google Ads, as well as a malware loader called Bumblebee. This malware loader automates the distribution of malware. 
  • Further, experts discovered another piece of malware that was installed on a computer when the victim clicked an ad in a Google search result for the GIMP open-source image editor. This ad led the victim to a typo-squatted domain that contained malware.  
As a result, malware like Vidar Stealer, which uses platforms like Google Chrome and Microsoft Exchange as the intermediate C2, has a longer lifespan. In the opinion of experts, this malware is just one of many that constantly update its delivery methods. This is probably a result of Microsoft's decision to block macros by default in Office files to prevent automated attack attacks.  

Due to this, it is expected that malware will follow this path more often in the future.  
Read more »
Subscribe to: Posts (Atom)