
Fake DeepSeek AI Installers Deliver BrowserVenom Malware



Cybersecurity researchers have issued a warning about a sophisticated cyberattack campaign that targets users attempting to access DeepSeek-R1, a widely recognized large language model (LLM). Cybercriminals have launched a malicious operation that uses deceptive tactics to exploit unsuspecting users and capitalise on the soaring global interest in artificial intelligence tools, and more specifically in open-source LLMs.


A detailed investigation by Kaspersky found that a newly discovered Windows-based malware strain known as BrowserVenom is being distributed by threat actors using a combination of malvertising and phishing techniques. In addition to intercepting and manipulating web traffic, the malware enables attackers to stealthily retrieve sensitive data from users, including passwords, browsing history, and personal information.

It has been reported that cybercriminals are using Google Adwords to redirect users to a fraudulent website, deepseek-platform[.]com, carefully designed to replicate the official DeepSeek homepage. By imitating the branding and layout of a legitimate DeepSeek-R1 model installation, they deceive victims into downloading malicious files.

The emergence of BrowserVenom has a significant impact on the cyber threat landscape, as attackers are exploiting the growing interest in artificial intelligence technologies to deliver malware to a wider audience. Besides highlighting increasingly sophisticated social engineering tactics, the campaign is a reminder to verify the sources of any software and tools related to artificial intelligence.

Security analysis has revealed that the attackers behind BrowserVenom created a deceptive installer posing as the authentic DeepSeek-R1 language model in order to deliver malicious payloads. The installer is carefully disguised to seem authentic, and it carries a recently identified malware called BrowserVenom, which reroutes all browser traffic through the attacker's servers.

Using this redirection capability, cybercriminals can intercept and manipulate internet traffic, giving them direct access to the sensitive personal information of millions of people. BrowserVenom's scope of functionality is especially worrying. Once embedded within a system, the malware can monitor user behaviour, harvest login credentials, retrieve session cookies, and steal financial data, emails, and documents, some of which may even be transmitted in plaintext.

With this level of access, cybercriminals have all the information they need to commit financial fraud or identity theft, or to sell stolen data on underground marketplaces. Kaspersky reports that the campaign has already compromised systems in a number of countries, with confirmed infections in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt, highlighting the threat's global reach.

The primary infection vector is a phishing site designed to look just like DeepSeek's official platform, which induces users to download the trojanized installer. Because BrowserVenom is still spreading, experts warn that it poses a persistent threat to users worldwide, especially those who use open-source AI tools without verifying the authenticity of their source.

A comprehensive investigation of the BrowserVenom campaign shows a highly orchestrated infection chain that begins at a malicious phishing website hosted at https[:]//deepseek-platform[.]com. The attackers use malvertising to place sponsored search results atop the page when users search for terms like "DeepSeek R1" and similar.

The deception is designed to take advantage of the growing popularity of open-source artificial intelligence models and trick users into visiting a lookalike website that convincingly resembles the DeepSeek homepage. Upon arrival at the fake site, the page silently detects the visitor's operating system.

For Windows users, the primary targets of this attack, the interface displays a single prominent button labelled "Try now" that offers a free DeepSeek-R1 model. The site has been observed serving slightly modified layouts on other platforms, but all versions share the same goal of luring users into clicking and unintentionally initiating an infection, regardless of their platform. The operators of BrowserVenom built the campaign this way to enhance its credibility and reduce users' suspicion.

To that end, multiple CAPTCHA mechanisms are integrated into the attack chain at various points. Besides lending the fake DeepSeek-R1 download website a sense of legitimacy, this use of CAPTCHA challenges is itself a form of social engineering: it implies that the site is secure and trustworthy, reinforcing the illusion of security. According to cybersecurity researchers, the first CAPTCHA is triggered when a user clicks the "Try Now" button on the fraudulent DeepSeek platform.

At this point the victim is presented with a fake CAPTCHA page that mimics the appearance of a standard bot-verification interface. This is not just a superficial challenge: an embedded snippet of JavaScript evaluates whether a real person is conducting the interaction, performing several verification checks to identify and block automated access.

Once users click the button, they are redirected to a CAPTCHA verification page that is ostensibly there to stop automated bots from reaching the download. Behind this screen, however, a layer of heavily obfuscated JavaScript performs advanced checks to ensure that the visitor is a human and not a security scanner. The attackers have run similar malicious campaigns in the past using dynamic scripts and evasion logic, which emphasises the campaign's technical sophistication.

Once they have completed the CAPTCHA, users are redirected to a secondary page located at proxy1.php, where a "Download now" button appears. Clicking this final prompt downloads the tampered executable AI_Launcher_1.21.exe from https://r1deepseek-ai[.]com/gg/cc/AI_Launcher_1.21.exe.

This executable installs the malware into the browser. The entire process, from the initial search to the installation of the malware, is disguised as a legitimate user experience, illustrating how cybercriminals combine social engineering with technical sophistication to spread their malware internationally.

Once a user has completed the initial CAPTCHA, they are directed to a secondary page that displays the "Download" button for what is supposed to be an official DeepSeek installer. Clicking the link, however, downloads a trojanized executable called AI-Launcher-1.21.exe, which stealthily installs the BrowserVenom malware. A second CAPTCHA is required as part of this process; this one resembles the Cloudflare Turnstile verification, complete with the familiar "I am not a robot" checkbox. The user is thus misled throughout the entire infection process, creating an illusion of safety.

After the second CAPTCHA, the victim is asked to choose between two AI deployment platforms, "Ollama" or "LM Studio", both of which are legitimate tools for running local versions of AI models like DeepSeek. Regardless of which option is selected, the end result is the same: the BrowserVenom malware is silently downloaded and executed in the background without being noticed.

This sophisticated use of fake CAPTCHAs reflects a broader trend of cybercriminals weaponising familiar security mechanisms to disguise malicious activity. Similar attacks have risen over the past few years, including recent phishing attacks involving Cloudflare CAPTCHA pages that coax users into executing malicious commands.

When the installer is executed, it carries out a dual-layered operation that mixes visual legitimacy with covert malicious activity. The user is presented with a convincing installation interface that appears to be a large language model deployment tool, while a hidden background process simultaneously deploys the browser malware. During this behind-the-scenes sequence, the installer attempts to bypass traditional security measures in order to maintain stealth.

A crucial evasion technique is used during installation: the installer executes an AES-encrypted PowerShell command that excludes the user's directory from Windows Defender scans. By removing the malware's working path from routine antivirus oversight, the attackers improve the likelihood that the malware installs undetected.

The installer then downloads additional payloads via obfuscated scripts, further complicating detection and analysis. Ultimately, the BrowserVenom payload is injected directly into system memory, a technique that avoids writing the malicious code to disk and thus evades signature-based antivirus detection.

Once embedded in the system, BrowserVenom's primary function is to redirect all browser traffic to a proxy server controlled by the attacker. To do so, the malware installs a rogue root certificate that facilitates HTTPS interception and modifies the configuration of multiple browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium- and Gecko-based browsers.

These changes let the malware intercept and manipulate secure web traffic without raising users' suspicion. The malware also updates user preferences and browser shortcuts to ensure persistence, even if the computer is rebooted or manual removal is attempted. Researchers have found elements of Russian-language code embedded within the phishing website and distribution infrastructure, strongly suggesting that Russian-speaking threat actors are involved in its development.

The first confirmed infections, reported by the FBI, are in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt, demonstrating the campaign's global spread and aggressive strategy. The malware communicates with a command-and-control (C2) infrastructure at the IP address 141.105.130[.]106 and uses port 37121 as its primary port, hardcoded into the proxy settings it applies. This allows BrowserVenom to hijack and route victim traffic through attacker-controlled channels without the user's knowledge.
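The host-side artefacts described above (a Defender exclusion on the user's directory, a system proxy pointing at the attacker's server, modified browser shortcuts and preferences, a rogue root certificate, and traffic to the C2 address and port) are all things a defender can audit locally. The following read-only triage script is an added example and not code from Kaspersky or from the report; the only indicators it carries are the proxy address 141.105.130[.]106 and port 37121 quoted in the article (kept in de-fanged form and un-bracketed at runtime). The 30-day look-back for root certificates, the shortcut locations checked, and the output format are assumptions of this example.

```powershell
# Added example (not Kaspersky's code): read-only triage for BrowserVenom-style
# artefacts on a Windows host. Run in an elevated PowerShell session; nothing
# is modified, the script only reports findings.

# Indicators quoted in the article, kept de-fanged in source and normalised here.
$IndicatorProxyHost = '141.105.130[.]106' -replace '\[\.\]', '.'
$IndicatorProxyPort = 37121
$Findings = @()

# 1. Defender exclusions. The article says the installer excludes the user's
#    directory from Defender scans, so any exclusion under a user profile is notable.
$prefs = Get-MpPreference
foreach ($path in @($prefs.ExclusionPath)) {
    if ($path -like "$env:USERPROFILE*" -or $path -like 'C:\Users\*') {
        $Findings += "Defender exclusion covers a user profile path: $path"
    }
}

# 2. WinINET proxy settings, which Chrome and Edge honour by default.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $Findings += "System proxy enabled: $($inet.ProxyServer)"
    $pattern = "$([regex]::Escape($IndicatorProxyHost)):$IndicatorProxyPort"
    if ($inet.ProxyServer -match $pattern) {
        $Findings += 'System proxy matches the address and port named in the Kaspersky report'
    }
}

# 3. Firefox keeps its own proxy configuration in prefs.js, so check it separately.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $ffProfiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $hits = Select-String -Path $_.FullName -Pattern 'network\.proxy\.(http|ssl|type)'
    foreach ($h in $hits) { $Findings += "Firefox proxy pref in $($_.FullName): $($h.Line.Trim())" }
}

# 4. Browser shortcuts. Persistence via modified shortcuts typically means the
#    .lnk carries command-line flags the user never set (assumption: the flags
#    below are the ones worth flagging for Chromium-based browsers).
$shell = New-Object -ComObject WScript.Shell
$shortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
foreach ($dir in $shortcutDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.Arguments -match '--proxy-server|--ignore-certificate-errors|--load-extension') {
            $Findings += "Shortcut with injected flags: $($_.FullName) => $($lnk.Arguments)"
        }
    }
}

# 5. Root certificates. A rogue root in the current user's store is what makes
#    HTTPS interception silent; recently added self-signed roots deserve review.
$cutoff = (Get-Date).AddDays(-30)   # assumption: 30-day look-back window
Get-ChildItem Cert:\CurrentUser\Root | Where-Object {
    $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $cutoff
} | ForEach-Object {
    $Findings += "Recently created self-signed root in user store: $($_.Subject) [$($_.Thumbprint)]"
}

# 6. Live connections to the address or port quoted in the report.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $IndicatorProxyHost -or $_.RemotePort -eq $IndicatorProxyPort } |
    ForEach-Object {
        $Findings += "Established connection to $($_.RemoteAddress):$($_.RemotePort) (PID $($_.OwningProcess))"
    }

if ($Findings.Count -eq 0) { 'No BrowserVenom-style artefacts found.' } else { $Findings }
```

Each check corresponds to one behaviour the article describes, so a hit in any section is a lead rather than a verdict: a legitimate corporate proxy or an enterprise root certificate will also appear, and the findings should be compared against the host's expected configuration before a machine is treated as infected.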

Security experts emphasise the growing threat of cyberattacks that exploit the AI boom, particularly those that use popular LLM tools as bait. Users are strongly recommended to adhere to strict digital hygiene, including verifying URLs, checking SSL certificates, and avoiding software downloads from unauthorised sources or advertisements.

Growing interest in artificial intelligence has led to a surge in abuse by sophisticated cybercriminal networks, making proactive vigilance essential for users across all geographies and industries. The recent BrowserVenom incident highlights the deceptive tactics cybercriminals use to get users to take action, and the urgency for users to become more aware of AI-related threats.

Today, adversaries blend authentic interfaces, advanced evasion methods, and social engineering into one seamless attack, so traditional security habits are no longer sufficient to thwart them. Organizations and individuals alike need a security mindset that combines real-time threat intelligence, behavioral detection tools, and cautious digital behaviour. Increasingly sophisticated artificial intelligence is changing the threat landscape, and continuous vigilance is required to keep malicious innovation from getting a step ahead.

Cybercriminals are Targeting Gamers Next

In 2023, cybercriminals will be after your money and your data. That is the news gamers and metaverse pioneers need to be aware of.

It has been reported that while the objectives of those looking to steal consumers' personal and financial information will remain the same next year, they will be targeting new people and new platforms to get around the defenses already in place.

A variety of online frontiers, including gaming platforms and virtual reality worlds, will be open to cyber criminals. According to Kaspersky researchers, this is an opportunity for cybercriminals precisely because more people and businesses are learning how to deal with traditional email phishing, texting scams, and social media scams.

According to Kaspersky researchers, Sony's PlayStation Plus gaming subscription service is currently competing against Microsoft's GamePass service across the globe, which is expected to encourage a wider number of people to play online games.

Criminal activity associated with those accounts is also increasing significantly, and related scams are on the rise; Kaspersky said this is not unlike the subscription-related fraud seen lately.

Unless you know where your data is being stored or who it has been shared with, it can be challenging to ensure it is safe and private. 

Jeremy Snyder, founder and CEO of FireTail, a cybersecurity firm that specializes in threat-aware technology, noted that even the most basic online activities, such as ordering takeout through a meal delivery service, could involve three or more companies, and that no one knows how secure each company's system will be.

Snyder believes that a lack of visibility will be an imminent risk to security and privacy heading into 2023 and beyond. Companies gather and share a great deal of data these days, but their knowledge of where that data is or who has access to it is often limited.

Snyder asked, "Will 2023 mark the year that companies finally start recognizing how serious this problem is?" and, if so, what would it look like? In response to that question, I would say, "I hope so."

Wildix explained in its statement that consumers will also be responsible for thinking about where their data is stored, particularly when it comes to the collection of Internet of Things devices they own.

He noted a recent instance in which Wi-Fi traffic collected by a robotic vacuum was sent daily to a power station in Mongolia. He wondered, "How much of that traffic is coming from things in your house you aren't aware of?" Many such things are overlooked because no one thinks about them.

Consumers also need to keep track of the personal information they share on social media, according to Jeff Hodgin, vice president of products for CyberGRX. People who post on social media are promoting themselves as a brand, much as a company does when it posts. The more popular the brand, the more lucrative a target it is for cybercriminals.

"A person wishing to promote themselves should think about the risks involved before making such a move," said Hodgin. The person should ask themselves: "What is my exposure? What would be the consequences of a breach? How likely is that to occur?"

Data Being Nuked by Malware Unseen Before in Russia's Courts and Mayors' Offices

According to Kaspersky and the Russian news source Izvestia, mayors' offices and courts in Russia are being attacked by never-before-seen malware that masquerades as ransomware but wipes out data.

Kaspersky researchers have named it CryWiper, a nod to the file extension appended to files after they are destroyed. Kaspersky says its team has witnessed the malware deliver "pinpoint attacks" on Russian targets via a spyware program, while the Izvestia newspaper reported that the targets of the attack were the office of the mayor and the court of the city.

There was no immediate word on how many organizations were affected, how the malware managed to erase data, or whether the data was successfully erased.

Over the past decade, wiper malware has become increasingly common. Shamoon, discovered in 2012, caused havoc for Saudi Aramco and Qatar's RasGas. Four years later, a reworked version of Shamoon was used to attack multiple organizations in Saudi Arabia. The self-replicating malware dubbed NotPetya spread across the globe within hours, affected hundreds of thousands of computers, and caused an estimated $10 billion in damage.

The past year has seen a slew of new wipers emerge, including DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and ransom.

Kaspersky reports that it has discovered recent attacks carried out by CryWiper. After infecting a target, the malware leaves a note that reportedly demands 0.5 bitcoin and includes a wallet address for payment.

Kaspersky's analysis of a malware sample indicates that although the Trojan disguises itself as ransomware and extorts money from victims for 'decrypting' their data, it does not encrypt data but deliberately destroys it on the affected computer. A study of the Trojan's code showed that this was not a developer mistake but the original intent.

CryWiper has some similarities with IsaacWiper, which targeted organizations in Ukraine. Both wipers generate pseudo-random numbers and use them to corrupt targeted files by overwriting their contents. The generator they share, the Mersenne Vortex PRNG, is rarely used, so the commonality is striking.

Another characteristic CryWiper shares with known ransomware families is its close connection with Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent: all three ransom notes contain the same email address.

In analyzing the CryWiper sample, Kaspersky found it to be a 64-bit Windows executable, written in C++ and compiled with the GCC compiler from the MinGW-w64 toolkit.

This toolchain is quite unusual for malware written in C++, which is more commonly built with Microsoft Visual Studio.

This could reflect a choice to let the developers port their code between Windows and Linux without going through a third-party compiler.

Given the large number of calls CryWiper makes to the Windows API, however, that explanation seems unlikely. More probably, the developer was using a non-Windows device while writing the code.

Attacks that succeed in wiping out a network often exploit poor network security. Kaspersky advises network engineers to take precautions using the following tools:

  • An endpoint protection solution based on behavioral analysis of files.
  • A security operations center that manages detection and response and takes action to resolve the problem when an intrusion is detected.
  • A system that detects malicious files and URLs in email attachments and blocks them, keeping mail safe. This makes email attacks, the most common attack vector, much more difficult.
  • Regular penetration testing and red team projects. Identifying and fixing vulnerabilities in infrastructure reduces the attack surface available to intruders.
  • Threat data analysis and monitoring. Up-to-date knowledge of the tactics, tools, and infrastructure intruders use is needed to detect and stop malicious activity promptly.

Wiper malware is likely to continue to spread over the coming months, given Russia's invasion of Ukraine and other geopolitical conflicts around the world.

In its report on Friday, Kaspersky said that "in many cases, wiper attacks and ransomware incidents are caused by weak network security, and it is critical to make sure that these security measures are strengthened." The firm also said it can be assumed that the number of cyberattacks, including those using wipers, will grow, in large part because of the unstable situation around the world.