Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label DLL hijacking. Show all posts
VENON
Banking Trojans Brazil DLL hijacking malware VENON

Rust-Based VENON Malware Targets 33 Brazilian Banks

 


A newly identified banking malware strain called VENON is targeting users in Brazil and stands out for an unusual technical choice. Instead of relying on the Delphi programming language used by many long-running Latin American banking trojans, the new threat is written in Rust, a modern systems language that is increasingly appearing in intricately executed cyber operations.

The malware infects Windows machines and was first detected in February 2026. Researchers at the Brazilian cybersecurity firm ZenoX assigned the malware the name VENON after analyzing the threat.

Although it is written in a different programming language, the malware behaves similarly to several well-known banking trojans that have historically targeted financial institutions in Latin America. Analysts say the threat shares operational patterns with malware families such as Grandoreiro, Mekotio, and Coyote. These similarities include techniques like monitoring the active window on a victim’s computer, launching fake login overlays when banking applications open, and hijacking Windows shortcut files to redirect users.

At the moment, investigators have not linked VENON to any previously identified cybercriminal operation. However, forensic examination of an earlier version of the malware dating back to January 2026 revealed traces from the developer’s workstation. File paths embedded in the code repeatedly referenced a Windows user account named “byst4,” which may indicate the environment used during development.

Researchers believe the developer appears to be familiar with how Latin American banking trojans typically operate. However, the implementation in Rust suggests a higher level of technical expertise compared with many traditional banking malware campaigns. Analysts also noted that generative artificial intelligence tools may have been used to help reproduce and expand existing malware capabilities while rewriting them in Rust.

The infection process relies on a multi-stage delivery chain designed to avoid detection. VENON is executed through a technique known as DLL side-loading, where a malicious dynamic-link library runs when a legitimate application loads it. Investigators suspect the campaign may rely on social-engineering tactics similar to the ClickFix method. In this scenario, victims are persuaded to download a ZIP archive that contains the malicious components. A PowerShell script within the archive then launches the malware.

Before performing any harmful actions, the malicious DLL runs several checks designed to evade security tools. Researchers documented nine separate evasion methods. These include detecting whether the malware is running inside a security sandbox, using indirect system calls to avoid monitoring, and bypassing both Event Tracing for Windows (ETW) logging and the Antimalware Scan Interface (AMSI).

After completing these checks, the malware contacts a configuration file hosted on Google Cloud Storage. It then installs a scheduled task on the compromised machine to maintain persistence and establishes a WebSocket connection with a command-and-control server operated by the attackers.

Investigators also identified two Visual Basic Script components embedded in the DLL. These scripts implement a shortcut hijacking mechanism aimed specifically at the Itaú banking application. The technique replaces legitimate shortcuts with manipulated versions that redirect victims to a fraudulent webpage controlled by the threat actor.

The malware even includes an uninstall routine that can reverse these shortcut changes. This feature allows operators to restore the original system configuration, which could help remove evidence of the compromise after an attack.

VENON is configured to monitor activity related to 33 financial institutions and cryptocurrency services. The malware constantly checks the titles of open windows and the domains visited in web browsers. It activates only when a user accesses one of the targeted banking platforms. When triggered, the malware displays fake login overlays designed to capture credentials.

The discovery comes amid a broader wave of campaigns targeting Brazilian users through messaging platforms. Researchers recently observed threat actors exploiting the widespread popularity of WhatsApp in the country to spread a worm known as SORVEPOTEL. The worm spreads through the desktop web version of the messaging service by abusing already authenticated chat sessions to send malicious messages directly to contacts.

According to analysts at Blackpoint Cyber, a single malicious message sent from a compromised SORVEPOTEL session can initiate a multi-stage infection chain. In one observed scenario, the attack eventually deployed the Astaroth threat entirely in system memory.

The researchers noted that the combination of local automation tools, browser drivers operating without supervision, and runtime environments that allow users to write files locally created an environment that made it easier for both the worm and the final malware payload to install themselves with minimal resistance.

Read more »
Security Breach
Avast Cyber Attacks DLL hijacking eScan GuptiMiner malware Hackers HTTP Malware Attack North Korea Hackers Security Breach

The GuptiMiner Attack: Lessons Learned from a Five-Year Security Breach

 

In a startling revelation, security researchers from Avast have uncovered a sophisticated cyberattack that exploited vulnerabilities in the update mechanism of eScan, an antivirus service, for a staggering five years. The attack, orchestrated by unknown hackers potentially linked to the North Korean government, highlights critical flaws in cybersecurity infrastructure and serves as a cautionary tale for both consumers and industry professionals. 

The modus operandi of the attackers involved leveraging the inherent insecurity of HTTP protocol, enabling them to execute man-in-the-middle (MitM) attacks. By intercepting the update packages sent by eScan's servers, the perpetrators clandestinely replaced genuine updates with corrupted ones containing a nefarious payload known as GuptiMiner. This insidious malware facilitated unauthorized access and control over infected systems, posing significant risks to end users' privacy and security. 

What makes this breach particularly alarming is its longevity and the level of sophistication exhibited by the attackers. Despite efforts by Avast researchers to ascertain the precise method of interception, the exact mechanisms remain elusive. However, suspicions linger that compromised networks may have facilitated the redirection of traffic to malicious intermediaries, underscoring the need for heightened vigilance and robust cybersecurity measures. 

Furthermore, the attackers employed a myriad of obfuscation techniques to evade detection, including DLL hijacking and manipulation of domain name system (DNS) servers. These tactics, coupled with the deployment of multiple backdoors and the inclusion of cryptocurrency mining software, demonstrate a calculated strategy to maximize the impact and stealth of their operations. 

The implications of the GuptiMiner attack extend beyond the immediate scope of eScan's compromised infrastructure. It serves as a stark reminder of the pervasive threat posed by cyber adversaries and the imperative for proactive defense strategies. Moreover, it underscores the critical importance of adopting industry best practices such as delivering updates over secure HTTPS connections and enforcing digital signing to thwart tampering attempts. 

For users of eScan and other potentially affected systems, vigilance is paramount. Avast's detailed post provides essential information for identifying and mitigating the threat, while reputable antivirus scanners are likely to detect the infection. Additionally, organizations must conduct thorough security assessments and implement robust cybersecurity protocols to safeguard against similar exploits in the future. 
 
Ultimately, the GuptiMiner attack serves as a wake-up call for the cybersecurity community, highlighting the pressing need for continuous innovation and collaboration in the fight against evolving threats. By learning from this incident and implementing proactive measures, we can bolster our defenses and mitigate the risk of future breaches. Together, we can strive towards a safer and more resilient digital ecosystem.
Read more »
Vulnerabilities and Exploits
CISA cyber threat DLL hijacking North Korea North Korea Hackers Security Breach Vulnerabilities and Exploits

Navigating the Complex Landscape of Cyber Threats: Insights from the Sisense Breach and North Korean Tactics

 

In the intricate tapestry of cybersecurity, recent events have thrust vulnerabilities and threats into the spotlight once again. The breach of data analytics powerhouse Sisense, coupled with the emergence of novel sub-techniques utilized by North Korean threat actors, underscores the dynamic and relentless nature of cyber warfare. Let's delve deeper into these incidents and glean valuable insights for bolstering our defenses against evolving cyber threats. 

Sisense, a formidable player in the realm of business intelligence software, recently found itself ensnared in a security breach that rippled through critical infrastructure organizations. With offices sprawled across strategic locations such as New York City, London, and Tel Aviv, and a prestigious clientele including Nasdaq, ZoomInfo, Verizon, and Air Canada, Sisense's allure to cyber adversaries is palpable. 

The breach, currently under scrutiny by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the precarious balance between innovation and security in today's digital landscape. At the heart of the Sisense breach lie two sub-techniques that have become favoured tools in the arsenal of North Korean threat actors. The first involves the manipulation of Transparency, Consent, and Control (TCC), a foundational security protocol governing application permissions on Apple's macOS. 

Despite the robustness of security measures such as Full Disk Access (FDA) and System Integrity Protection (SIP), attackers have exhibited a remarkable ability to circumvent these controls, gaining unfettered access to macOS environments. This tactic underscores the imperative of continuous monitoring and adaptive security strategies to thwart the nefarious designs of cyber adversaries. 

The second sub-technique, colloquially known as "phantom" Dynamic Link Library (DLL) hijacking, sets its sights on Windows environments, leveraging nonexistent DLL files referenced by the operating system. By capitalizing on this loophole, threat actors such as the Lazarus Group and APT 41 can inject malicious code undetected, posing a grave threat to system integrity. 

The clandestine nature of this tactic exemplifies the ingenuity and adaptability of cyber adversaries in navigating the labyrinthine landscape of cybersecurity defenses. Mitigating these sophisticated threats necessitates a multifaceted approach that encompasses both technical fortifications and user awareness initiatives. For macOS users, safeguarding the integrity of System Integrity Protection (SIP) and exercising caution with app permissions are imperative steps in mitigating the risk of TCC manipulation. 

In Windows environments, proactive monitoring, robust application controls, and preemptive measures to block remote DLL loading are indispensable in thwarting phantom DLL attacks. Moreover, fostering a culture of collaboration and information sharing between industry stakeholders and government agencies is paramount in confronting the ever-evolving threat landscape. 

By pooling resources, sharing threat intelligence, and adopting a unified front against cyber adversaries, organizations can amplify their collective resilience and fortify their defenses against emerging threats. 

In conclusion, the Sisense breach and the intricate tactics employed by North Korean threat actors serve as poignant reminders of the relentless onslaught of cyber threats. By remaining vigilant, proactive, and collaborative, organizations can navigate the turbulent waters of cybersecurity with resilience and fortitude, safeguarding their digital assets and preserving the integrity of our interconnected world.
Read more »
Windows 10
DLL hijacking malware QBot malware Windows 10

QBot Phishing Exploits Windows Control Panel EXE to Infect Devices


Phishing messages and emails across the QBot malware are allegedly utilizing a DLL hijacking vulnerability in the Windows10 Control Panel to infect PCs, most likely in an effort to avoid being detected by security software. 

DLL hijacking is an attack method used by threat actors to take advantage of the way Windows loads dynamic link libraries (DLLs). 

During the launch of a Windows executable, it will look for any DLL dependencies present in the Windows search path. The program would instead load a malicious DLL and infect the computer if a threat actor creates a malicious DLL with the same name as one of the program's necessary DLLs and retained it in the same folder as the executable. 

QBot, also known as Qakbot, is a Windows malware that was initially a banking trojan but later emerged as a full-featured malware dropper. The malware is also utilized by renowned ransomware gangs like Black Basta, Egregor, and Prolock in order to gain initial access to corporate networks. 

In July, security researcher ProxyLife found that threat actors were using the Windows 7 Calculator's DLL hijacking vulnerability, in order to spread the QBot malware. 

Meanwhile this week, ProxyLife reported that the threat actors have switched to utilizing a DLL hijacking flaw in the Windows10 Control Panel executable, namely control.exe. 

Abusing the Windows Control Panel:  

In a phishing campaign witnessed by ProxyLife, the hackers used stolen reply- chain emails to distribute an HTML file attachment, which downloads a password-protected ZIP archive consisting an ISO file inside. 

The HTML file, named similar to 'RNP_[number]_[number].html, displays an image personating Google Drive and a password for a ZIP archive that is downloaded automatically. This ZIP archive consists of an ISO disk image that, when double-clicked will automatically be displayed in a new drive letter in Windows10 and later. 

This ISO file contains a Windows Shortcut (.LNK) file, a ‘control.exe’ (Windows 10 Control Panel) executable, and two DLL files named edputil.dll (used for DLL hijack) and msoffice32.dll (QBot malware). 

The Windows shortcut (.LNK) included in the ISO uses an icon that attempts to make it look like a genuine folder. 

The shortcut, however, opens the Windows 10 Control Panel executable, control.exe, which is kept in the ISO file, when a user tries to open this fabricated folder. 

The genuine edputil.dll DLL, which is placed in the C:WindowsSystem32 folder, will automatically be loaded when control.exe is opened. It does not, however, look for the DLL in specific folders and will load any DLL with the same name that is put in the same folder as the program control.exe. 

As the hackers are bundling a malicious edputil.dil DLL in the same folder as control.exe, instead the fraudulent DLL will be loaded by the users. Once the malicious edputil.dll DLL is loaded, it infects the device with the QBot malware (msoffice32.dll) using the regsvr32.exe msoffice32.dll command.

Security software may not recognize QBot as malicious if it is installed using a trustworthy tool, such as the Windows 10 Control Panel, allowing the malware to avoid detection. 

QBot will now covertly run in the background, accessing and stealing emails to use them later for the phishing attacks and install additional payloads like Brute Ratel or Cobalt Strike, that are post-exploitations toolkits that hackers use to acquire remote access to corporate networks. This remote access further leads to corporate data theft and ransomware attacks.  

Read more »
Subscribe to: Comments (Atom)