
Hackers Employ Malicious PDF Files To Kickstart Infection Chain


Fine wine is a cultural trait that Europeans are renowned for, but attackers behind a recent threat campaign have exploited this to their advantage. By luring European Union (EU) diplomats with a fake wine-tasting event, the cyber operation aimed to deliver a unique backdoor. 

In a blog post published on February 27, researchers at Zscaler's ThreatLabz reported that they had found the campaign, which especially targeted officials from EU nations with diplomatic posts in India. The actor, dubbed "SpikedWine," used a PDF file in emails that pretended to be an invitation letter from India's embassy, inviting diplomats to a wine-tasting event on February 2. 

"We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack," Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay explained in the post.

The campaign's payload is a backdoor known as "WineLoader," which has a modular design and uses tactics designed to avoid detection. These include re-encryption and zeroing out memory buffers, which serve to safeguard sensitive data in memory while evading memory forensics tools, the researchers stated. 

SpikedWine employed compromised websites for command-and-control (C2) at different phases of the attack chain, which started with a victim clicking on a link in the PDF and ended with the modular distribution of WineLoader. Overall, the cyber attackers exhibited a high degree of expertise, both in the creative design of the socially engineered campaign and in the delivery of the malware. 

Zscaler ThreatLabz found the PDF file, which was uploaded to VirusTotal from Latvia on January 30. The attackers meticulously built the contents to imitate India's ambassador, and the invitation contains a malicious link to a false questionnaire that must be completed in order to participate. 

Clicking on the link takes users to a hacked site where they can download a zip archive containing a file named "wine.hta." The downloaded file contains obfuscated JavaScript code that triggers the next stage of the attack. 

Eventually, the file runs sqlwriter.exe from the directory C:\Windows\Tasks\ to initiate the WineLoader backdoor infection chain by loading a malicious DLL called vcruntime140.dll. This, in turn, calls an exported method set_se_translator, which decrypts the embedded WineLoader core module within the DLL using a hardcoded 256-byte RC4 key before running it. 

Protection and detection 

Zscaler ThreatLabz warned contacts at India's National Informatics Centre (NIC) about the attack's usage of Indian official themes. 

The C2 server used in the assault only replies to specific types of queries at specific times, therefore automated analysis systems cannot acquire C2 responses and modular payloads for detection and analysis, according to the researchers. To assist defenders, they offered a list of indicators of compromise (IoCs) and URLs related to the attack in their blog post. 

A multilayered cloud security platform should detect IoCs linked to WineLoader at multiple levels, including any files containing the threat name Win64.Downloader.WineLoader, the researchers concluded.
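The execution chain described above (a signed SQL Server binary started from C:\Windows\Tasks\ and loading a DLL from that same folder) is a pattern a defender can hunt for in process and image-load telemetry. The following is an added example, not Zscaler's code: the log lines are constructed in a made-up key="value" layout, the expected install directory for sqlwriter.exe is an assumption, and the rule names are ours.

```python
"""Flag a known binary running from an unexpected directory and sideloading a
DLL from that directory, the WineLoader pattern described in the post.

Added example (not Zscaler's code). Events below are constructed; the
key="value" layout is not a real sensor format.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Binaries that normally live in one place. The install directory for
# sqlwriter.exe (SQL Server VSS writer) is an assumption for this example.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "sqlwriter.exe": {r"c:\program files\microsoft sql server\90\shared"},
}
# DLLs the post says were dropped beside the relocated binary.
SIDELOAD_DLLS: Set[str] = {"vcruntime140.dll"}

# Constructed telemetry: one suspicious process (pid 4120) and one legitimate one (pid 880).
SAMPLE_EVENTS: List[str] = [
    r'type="ProcessCreate" pid="4120" Image="C:\Windows\Tasks\sqlwriter.exe" ParentImage="C:\Windows\System32\mshta.exe"',
    r'type="ImageLoad" pid="4120" Image="C:\Windows\Tasks\sqlwriter.exe" ImageLoaded="C:\Windows\Tasks\vcruntime140.dll"',
    r'type="ProcessCreate" pid="880" Image="C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" ParentImage="C:\Windows\System32\services.exe"',
    r'type="ImageLoad" pid="880" Image="C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" ImageLoaded="C:\Windows\System32\vcruntime140.dll"',
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a key="value" line into a dict (values may contain spaces)."""
    return {k: v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}


def _split(path: str):
    """Return (lower-case directory, lower-case file name) for a Windows path."""
    p = ntpath.normpath(path).lower()
    return ntpath.dirname(p), ntpath.basename(p)


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply both rules to one parsed event."""
    findings: List[Finding] = []
    pid = int(ev.get("pid", "0"))
    exe_dir, exe_name = _split(ev.get("Image", ""))
    expected = EXPECTED_DIRS.get(exe_name)
    if expected is None or exe_dir in expected:
        return findings  # not a watched binary, or running where it belongs
    if ev.get("type") == "ProcessCreate":
        findings.append(Finding(pid, "relocated-binary",
                                f"{exe_name} started from {exe_dir}"))
    elif ev.get("type") == "ImageLoad":
        dll_dir, dll_name = _split(ev.get("ImageLoaded", ""))
        # Sideload signal: a watched DLL resolved from the relocated binary's
        # own directory rather than a system location.
        if dll_name in SIDELOAD_DLLS and dll_dir == exe_dir:
            findings.append(Finding(pid, "dll-sideload",
                                    f"{exe_name} loaded {dll_name} from {dll_dir}"))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Run the rules over raw log lines and collect findings."""
    out: List[Finding] = []
    for line in lines:
        out.extend(check_event(parse_event(line)))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: [{f.rule}] {f.detail}")
```

The relocated-binary rule fires on its own and is a medium-confidence signal; the dll-sideload rule only fires for a binary that is already out of place, which keeps ordinary applications that ship their own vcruntime140.dll out of the results.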

Novel Cryptojacking Campaign is Targeting Docker APIs Across the Internet


Cado security researchers recently identified a sophisticated cryptojacking campaign that exploits exposed Docker API endpoints over the internet. 

The campaign, called “Commando Cat”, has been operating since early 2024, the researchers noted, claiming that this was the second such effort to be identified in only two months. The first container, created with the Commando open-source tool, seems innocent, but it allows the criminals to escape and launch several payloads on the Docker host itself.

The payloads delivered are determined by the campaign's short-term targets, which include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and activating cryptocurrency miners, according to the researchers. This campaign's cryptocurrency miner is the famed XMRig, a popular cryptojacker that mines Monero (XMR), a privacy-oriented currency that is nearly impossible to track. 

Cado Security's researchers added that Commando Cat temporarily stores stolen files in a separate folder, implying that this is done as an evasion tactic. Indeed, this complicates forensic analysis. 

At press time, the researchers had no idea who the threat actors behind Commando Cat were, although they did detect resemblance in shell scripts and C2 IP addresses with another cryptojacking outfit dubbed TeamTNT. Cado, however, does not believe TeamTNT is behind this particular effort and instead suspects a copycat organisation. 

The researchers advised that users should upgrade their Docker instances and install necessary security measures to safeguard themselves from such attacks. 
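The entry point of this campaign is a Docker API endpoint reachable over the network, so the first "necessary security measure" is to check how the daemon is listening. The following is an added example, not Cado Security's code: it audits a daemon.json document for a TCP listener without TLS client verification. The two configurations are constructed; the option names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options.

```python
"""Audit a Docker daemon.json for an API exposed over TCP without mutual TLS,
the exposure the Commando Cat campaign relies on.

Added example (not Cado Security's code). Both configurations below are
constructed for illustration.
"""
import json
from typing import List
from urllib.parse import urlsplit

# Constructed weak configuration: the API listens on every interface in plaintext.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed hardened configuration: one management address, mutual TLS required.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Ports by convention: 2375 plaintext, 2376 TLS.
PLAINTEXT_PORT = 2375


def audit_daemon_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means no network exposure issue."""
    cfg = json.loads(text)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix-socket only: nothing reachable over the network

    if not cfg.get("tlsverify"):
        findings.append("API on TCP without tlsverify: any client that can reach "
                        "the port has root-equivalent control of the host")
    elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify set but CA, certificate or key path is missing")

    for h in tcp_hosts:
        parts = urlsplit(h)
        if parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{h}: bound to all interfaces")
        if parts.port == PLAINTEXT_PORT:
            findings.append(f"{h}: port {PLAINTEXT_PORT} is the conventional "
                            "unencrypted Docker API port")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        issues = audit_daemon_config(doc)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Even the hardened form still exposes a management port; where remote API access is not needed at all, keeping only the unix socket entry (which the audit treats as clean) is the simplest fix.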

Last month, the same cybersecurity team uncovered a similar campaign that used insecure Docker hosts to install both XMRig and the 9Hits Viewer software. 9hits is an online traffic exchange platform that allows users to drive traffic to each other.

When a user installs 9hits, their device visits the websites of other members using a headless Chrome instance. In exchange, the user earns credits, which may subsequently be used to attract traffic to their own websites. Installing 9hits on compromised Docker instances generates more credits, which the attackers can then use to buy more traffic.

Watch Out For These ChatGPT and AI Scams


Since ChatGPT's inception in November of last year, it has consistently proven helpful, with people all around the world coming up with new ways to use the technology every day. The strength of AI tools, however, means that they may also be employed for sinister purposes like creating malware programmes and phishing emails. 

Over the past six to eight months, hackers have been observed exploiting the trend to defraud individuals of their money and information by creating false investment opportunities and scam applications. They have also been observed using artificial intelligence to plan scams. 

AI scams are some of the hardest to spot, and many people don't use technologies like Surfshark antivirus, which alerts users before they visit dubious websites or download dubious apps. As a result, we have compiled a list of all the prevalent strategies that have lately been seen in the wild. 

Phishing scams with AI assistance 

Phishing scams have been around for a long time. Scammers can send you emails or texts pretending to be from a trustworthy organisation, like Microsoft, in an effort to trick you into clicking a link that will take you to a dangerous website.

A threat actor can then use that location to spread malware or steal sensitive data like passwords from your device. Spelling and grammar mistakes, which a prominent corporation like Microsoft would never make in a business email to its clients, have historically been one of the simplest ways to identify them. 

However, in 2023 ChatGPT will be able to produce clear, fluid copy that is free of typos with just a brief suggestion. This makes it far more difficult to differentiate between authentic letters and phishing attacks. 

Voice clone AI scams

In recent months, frauds utilising artificial intelligence (AI) have gained attention. 10% of respondents to a recent global McAfee study said they have already been personally targeted by an AI voice scam. 15% more people claimed to be acquainted with a victim. 

AI voice scams work by stealing audio files from a target's social network account and feeding them to text-to-speech software, which creates new content that mimics the original voice. These kinds of programmes have valid, non-nefarious functions and are accessible online for free. 

The con artist will record a voicemail or voice message in which they portray their target as distressed and in need of money desperately. In the hopes that their family members won't be able to tell the difference between their loved one's voice and an AI-generated one, this will then be transmitted to them. 

Scams with AI investments

Scammers are using the hype surrounding AI, as well as the technology itself, in a manner similar to how they did with cryptocurrencies, to create phoney investment possibilities that look real.

Both "TeslaCoin" and "TruthGPT Coin" have been utilised in fraud schemes, capitalising on the attention that Elon Musk and ChatGPT have received in the media and positioning themselves as hip investment prospects. 

According to California's Department of Financial Protection & Innovation, Maxpread Technologies fabricated an AI-generated CEO and programmed it with a script enticing potential investors to make investments. An order to cease and desist has been given to the corporation. 

The DFPI claims that Harvest Keeper, another investment firm, collapsed back in March. According to Forbes, Harvest Keeper employed an actor to pose as their CEO in an effort to calm irate clients. This demonstrates the lengths some con artists will go to make sure their sales spiel is plausible enough.

Way forward

Consumers in the US lost a staggering $8.8 billion to scammers in 2022, and 2023 is not expected to be any different. Periods of financial instability frequently coincide with rises in fraud, and many nations worldwide are experiencing difficulties. 

Artificial intelligence is currently a goldmine for con artists. Although everyone is talking about it, relatively few people are actually knowledgeable about it, and businesses of all sizes are rushing AI products to market. 

Keeping up with the most recent scams is crucial, and now that AI has made them much more difficult to detect, it's even more crucial. Following them on social media for the most recent information is strongly encouraged because the FTC, FBI, and other federal agencies frequently issue warnings. 

Security professionals advised buying a VPN that detects spyware, such as NordVPN or Surfshark. In addition to alerting you to dubious websites hidden in Google Search results pages, both will disguise your IP address like a conventional VPN. It's crucial to arm oneself with technology like this if you want to be safe online.

Bangladeshi Hacker Group Targets Multiple Indian News Agencies


An update regarding the cyberattack on Alt News has brought up cybersecurity news in Indian media once more. After focusing on Indian news agency ANI News for a few hours, the threat actor group "Mysterious Team Bangladesh" has now listed the well-known Indian fact-checking website "Alt News" as its latest victim. 

The hacktivist group claims that the purported ANI News and Alt News cyberattacks are a part of their ongoing OpIndia23 campaign against the Indian media for allegedly inciting hatred and false information. 

ANI News is a news organisation with its main office in New Delhi. Mohammed Zubair and Pratik Sinha, two former IT engineers, launched the fact-checking website Alt News, a non-profit organisation in India. 

Both organisations' websites were reachable at the time of writing. A number of cyberattacks on international targets included the claimed Alt News hack. 

Mysterious Team shared the hashtags "opindia23," "counterattack," and "OpTerrorismCountry" along with the Telegram message. The group has accounts on several social media networks and has 1,283 Telegram subscribers. 

The bio for the gang on its Twitter account, where they frequently discuss the specifics of their attacks and victims, reads, "We are cyber warriors of Bangladesh." 

Along with articles on hacking and cyberattacks, the group also publishes the names of other hackers. A name that came up was "_barbby," who according to his biography is a journalist and a human rights advocate. There were two hashtags on the profile: OpIsrael and FreePalestine.

In the bio of another hacker, YourAnonRiots, it was said, "Our mission is global peace." The profile's hashtag was HackThePlanet, which appears to be the case in light of the hacking attacks on numerous government and other organisation websites. Your Anon Story, MCA Ops, and Saudi Exile were the other hackers that had been identified.

In the past 24 hours, the Mysterious Team Bangladesh group has also listed TV7 Israel News, Uniurdu, an Urdu-language news website, and Univarta, a Hindi-language news website, as victims. Furthermore, the hacktivist group also targeted the website of The Press Trust of India.

Along with saying "Expect Us," the organisation also declared that it had attacked the Indian Computer Emergency Response Team. 

The Mysterious Team appears to be a sizable group made up of numerous hackers that use system weaknesses to get access. But nothing is known about their method of attack other than the fact that they effectively shut down the systems and publish screenshots of their hacks on their various social media platforms.

How AI is Helping Threat Actors to Launch Cyber Attacks


Artificial intelligence offers great promise, and while many tech enthusiasts are enthusiastic about it, hackers are also looking to this technology to aid their illicit activities. The field of artificial intelligence is interesting, but it may also make us nervous. Therefore, how might AI support online criminals? 

Social engineering 

Every week, social engineering, a form of cybercrime, claims countless victims and is a big issue worldwide. In this technique, the victim is coerced into complying with the attacker's demands through manipulation, frequently without being aware that they are the target. 

By creating the text that appears in fraudulent communications like phishing emails and SMS, AI could aid in social engineering attempts. It wouldn't be impossible, even with today's level of AI development, to instruct a chatbot to create a compelling or persuasive script, which the cybercriminal could then employ against their victims. People have taken notice of this threat and are already worried about the dangers that lie ahead.

In this way, by correcting typos and grammatical errors, AI might potentially assist in making hostile communications appear more formal and professional. Therefore, it might be advantageous for cybercriminals if they can write their social engineering content more clearly and effectively. Such errors are frequently described as potential indicators of malicious activity. 

Analysing stolen data

Data is worth as much as gold. Sensitive information is currently regularly sold on dark web markets, and some dangerous actors are willing to pay a very high price for the information if it is sufficiently valuable. 

But data must first be stolen in order for it to appear on these marketplaces. Small-scale data theft is undoubtedly possible, particularly when an attacker targets single victims. However, larger hacks may lead to the theft of sizable databases. The cybercriminal must then decide which information in this database is worthwhile. 

A malicious actor would spend less time deciding what is worthwhile to sell or, on the other hand, directly exploit by hand if the process of identifying valuable information were to be expedited with AI. Since learning is the foundation of artificial intelligence, it might someday be simple to use an AI-powered tool to detect sensitive information that is valuable. 

Malware writing 

Some people would not be surprised to learn that malware can be created using artificial intelligence because this is a sophisticated form of technology. A combination of the words "malicious" and "software," malware refers to the various types of malicious software used in hacking. 

Malware must first be written, though, in order to be used. Cybercriminals aren't all skilled programmers; others just don't want to spend the time learning how to write new programmes. AI may prove useful in this situation. 

It was discovered in early 2023 that ChatGPT might be used to create malware for nefarious activities. An AI infrastructure supports OpenAI's wildly popular ChatGPT. Despite the fact that this chatbot is being used by hackers, it can perform many important tasks. 

In one particular instance, a user claimed in a forum for hackers that ChatGPT had been used to write a Python-based malware programme. Writing malicious software could be efficiently automated with ChatGPT. This makes it easier for novice cybercriminals with limited technical knowledge to operate. 

Instead of writing sophisticated code that poses serious hazards, ChatGPT (or at least its most recent version) is only capable of producing simple, occasionally problematic malware programmes. This does not preclude the employment of AI to create malicious software, either. Given that a modern AI chatbot is already capable of writing simple malicious programmes, it might not be long before we start to notice more heinous malware coming from AI systems. 

Bottom line 

Artificial intelligence has been and will continue to be abused by cybercriminals, as is the case with the majority of technological advancements. It's absolutely impossible to predict how hackers will be able to progress their attacks utilising this technology in the near future given that AI already has certain dubious skills. Cybersecurity companies may also use AI more frequently to combat similar threats, but only time will tell how this one develops.

Digitally Crafted Swatting Service Is Wreaking Havoc Across United States


A Telegram user who claimed to have left bombs in places like high schools by using a digitally synthesised voice has been linked to a series of swatting calls that have occurred over several months across the United States. 

According to Vice, the user going by the alias "Torswats" on the messaging app Telegram provides a paid service to make swatting calls. Swatting is the act of lying to law authorities about a bomb threat or falsely accusing another person in a specific location of committing a crime or storing illegal materials. 

Customers may purchase "extreme swattings" for $50, which typically involve cops handcuffing a suspect and searching their home, and for $75, Torswats can reportedly lock down a school. According to Vice, Torswats would take bitcoin as payment, give loyal clients a discount, and will haggle over prices for well-known targets.

“Hello, I just committed a crime and I want to confess. I placed explosives in a local school,” says the voice on a tape of a Torswats call with police. 

Torswats' voice is artificial intelligence generated digitally, however, it's not immediately clear whether this is the same technology that has made some voice performers obsolete by so expertly simulating human vocalisations. Vice found two recordings out of 35 that didn't employ a digital voice. Torswats threatened to detonate a bomb at Hempstead High School in Dubuque, Iowa, according to a phone call tape obtained by Vice. Local media reported on the threat. 

Torswats allegedly also targeted a CBD store in Florida, a business in Maryland, and homes in Virginia, Massachusetts, Texas, and California. 

Steve Bernd, FBI Seattle's public affairs officer, said, "The FBI takes swatting extremely seriously because it puts innocent people at harm." Police have been discussing the "swatting" issue for at least ten years, and other incidents have made headlines more recently.

Indictments for extortion and threats were issued against a Seattle man just last month after more than 20 swat calls to the police were made by him. It is said that the man would broadcast these calls live to a certain Discord group.

Harley Trojan Affecting the Users by Impersonating the Applications


There are numerous malicious programs hidden inside apps in the Google Play Store that seem harmless but are in fact malware. Google Play Store is an official platform that runs every process under careful monitoring by moderators. However, some apps may evade the moderators' checks, since it is not possible to vet every app before it goes live on the platform. 

One such widespread malware, a Trojan subscriber, has been discovered by Kaspersky. It affects users by signing them up for paid services without their knowledge. Because the malware exhibits similarities with the Jocker Trojan subscriber, experts presume that the two have a common origin. 

A trojan is a malicious code or software that gets downloaded onto a system, disguised as an authorized application. 

In the past 3 years, over 190 apps on the Google Play Store have been found infected with the Harly Trojan, and the number of downloads of such apps is more than 4.8 million.  

To spread the virus to different systems, the threat actors download the original applications and place their malicious code into them and later re-upload them to Google Play Store with some other name. 

The attackers play smart by keeping the same features in the app as listed in the description, so that users do not suspect a threat. Impersonating legitimate apps also serves as ready-made advertising for the malicious copies. 

The Trojan malware belonging to the Harley family includes a payload inside the application and uses numerous methods to decrypt and execute the payload. 

After the decryption, the Harley gathers information about the user’s device including the mobile network. By connecting to the mobile network, the malware opens up a list of subscription addresses from a C&C server, where it automatically enters the user's mobile number followed by other options to continue the process, including the OTP from messages. As a result, the user ends up with a paid subscription for a service without their knowledge or consent.  

To avoid being a victim of such apps, anti-virus experts suggest looking for reviews of the applications before downloading them. Google has been notified about such apps and asked to remove all the Trojan-infected apps from the platform and devices that are infected with them. 

ChromeLoader: Microsoft, VMware Warn of the New Malware Campaigns


Microsoft and VMware are warning about the ongoing widespread ChromeLoader malware campaign, which has led to “ongoing wide-ranging click fraud” this year. 

The malware tool named ChromeLoader is apparently hijacking the browsers to redirect users to ad pages. The software has now evolved into a potential threat by deploying more potent payloads that go beyond malvertising. Variants of ChromeLoader have been dropping malicious browser extensions, node WebKit malware, and even ransomware on Windows PCs and Macs. 

Functioning of ChromeLoader 

Microsoft detected an ongoing widespread campaign of click frauds and attributed it to a threat actor DEV-0796. The malware attack begins with an ISO file that is downloaded when the user clicks a malicious ad, browser redirects, or Youtube comment. The attackers seek to profit from clicks generated by malicious browser extensions or node-WebKit that they have installed on the victim’s device, without being detected.  

The researchers from VMware’s Carbon Black Managed Detection and Response (MDR) team said they have seen the malware’s operators impersonating various legitimate services that would lead users to ChromeLoader. The researchers observed hundreds of attacks that included variants of the malware, targeting multiple sectors such as education, government, healthcare, and enterprises in business services. 

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it,” warn the researchers. 

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected the user traffic to advertising sites performing click frauds and generating income for the threat actors. “But, it later evolved into an ‘info-stealer’, stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function,” said researchers, in an advisory released on September 19. 

Because adware does not cause any significant damage to a victim’s software, the threat is often not taken seriously by analysts. However, any software, such as ChromeLoader, that can enter a system undetected is an immediate threat to the user, since the operators can later push modifications that open up further monetization options for the malware. 

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 

Reverse Tunnels and URL Shorteners Employed by Attackers to Launch Phishing Campaign


Security researchers at CloudSEK, a digital risk protection firm have witnessed a significant surge in the usage of reverse tunnel services and URL shorteners in conjunction with wide-scale phishing campaigns. 

The methodology employed by attackers is different from the more typical modus operandi of registering domains with hosting providers, who are more likely to react to complaints and shut down the malicious sites. 

The reverse tunnel services assist threat actors in hosting phishing pages locally using their devices and route connections via the external service. Additionally, they can develop new URLs through the URL shortening services as many times as required to bypass security detection. Many of the phishing URLs are updated in less than 24 hours, making it more difficult for researchers to spot and take down malicious domains. 

As reported by BleepingComputer, researchers have identified more than 500 sites hosted and distributed using a combination of reverse tunneling and URL shortening. Ngrok, LocalhostRun, and Argo were the most commonly abused reverse tunnel services, while Bit.ly, is.gd, and cutt.ly were the most prevalent URL shorteners. 

According to CloudSEK, cybercriminals may hide their identity by using URL shorteners to mask the name of the URL, which is typically a series of random characters. The malicious links are distributed via Telegram, WhatsApp, phony social media pages, texts, and emails. 

It is worth noting that the cybersecurity landscape is not unfamiliar with the exploit of reverse tunneling. For example, the digital banking platform of the State Bank of India had been previously impersonated for such phishing campaigns to exfiltrate users’ credentials. 

The malicious link was concealed behind “cutt[.]ly/UdbpGhs” and directed to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi” that employed Cloudflare’s Argo tunneling service. Subsequently, the malicious page requested bank account credentials, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. However, CloudSEK did not share how damaging this campaign was for bank users. 

Private details collected this way can be sold on the dark web or used by hackers to drain bank accounts. If the data is from a firm, the attackers could use it to launch ransomware attacks or business email compromise (BEC) scams. To mitigate the risks, users should avoid clicking on links received from an unfamiliar source.
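The reverse tunnel plus shortener combination described above leaves a recognisable fingerprint in the final hostname, even when analysts share the indicators defanged as the post does ("cutt[.]ly", "trycloudflare[.]com"). The following is an added example, not CloudSEK's code: it refangs indicators and classifies them by shortener or tunnel service. The tunnel hostname suffixes are our own mapping (an assumption), and the sample indicators are constructed apart from the two values reused from the post.

```python
"""Triage URL indicators for the reverse tunnel / URL shortener pattern the
CloudSEK post describes.

Added example (not CloudSEK's code). TUNNEL_SUFFIXES is our own mapping and an
assumption; SAMPLE_INDICATORS are constructed except for the two from the post.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Public hostname suffixes used by the reverse tunnel services named in the post.
TUNNEL_SUFFIXES: Dict[str, Tuple[str, ...]] = {
    "ngrok": ("ngrok.io", "ngrok.app", "ngrok-free.app"),
    "localhost.run": ("localhost.run", "lhr.life"),
    "cloudflare argo": ("trycloudflare.com",),
}
# Shorteners named in the post; a production feed would be much longer.
SHORTENER_HOSTS = {"bit.ly", "is.gd", "cutt.ly"}

# Constructed indicators; the first two reuse the defanged values from the post.
SAMPLE_INDICATORS: List[str] = [
    "cutt[.]ly/UdbpGhs",
    "ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi",
    "hxxps://a1b2c3.ngrok.io/login",
    "https://example.com/index.html",
]


def refang(indicator: str) -> str:
    """Undo common defanging ([.], (.), hxxp) so the value parses as a URL."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    if "://" not in s:
        s = "http://" + s  # bare host/path indicators get a scheme for urlsplit
    return s


def classify(indicator: str) -> Dict[str, str]:
    """Label one indicator as shortener, reverse-tunnel or other."""
    host = (urlsplit(refang(indicator)).hostname or "").lower()
    result = {"indicator": indicator, "host": host, "category": "other", "service": ""}
    if host in SHORTENER_HOSTS:
        result.update(category="shortener", service=host)
        return result
    for service, suffixes in TUNNEL_SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            result.update(category="reverse-tunnel", service=service)
            return result
    return result


def triage(indicators: List[str]) -> List[Dict[str, str]]:
    """Classify a batch of indicators in order."""
    return [classify(i) for i in indicators]


if __name__ == "__main__":
    for r in triage(SAMPLE_INDICATORS):
        print(f"{r['category']:14} {r['service']:15} {r['host']}")
```

A shortener hit only says where the chain starts; in practice the analyst expands it (a HEAD request that follows redirects, not done here so the block runs offline) and classifies the final hostname with the same function, which is where the tunnel service shows up.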

Researchers Warn of Fake Windows 11 Upgrade Containing Info Stealing Malware


Cybercriminals are tricking users into installing a fake Windows 11 upgrade that includes malware that steals data from web browsers and crypto-wallets. The malicious campaign that is still running operates by poisoning search results to drive traffic to a website impersonating Microsoft’s Windows 11 advertising page and offering the information stealer. 

According to CloudSEK threat researchers who analyzed the malware and published a technical report, malicious actors are focusing on people who rush to install Windows 11 without first learning that the OS must satisfy specific requirements. 

The rogue website advertising the false Windows 11 has official Microsoft logos, favicons, and a “Download Now” button. It looks legitimate at first glance, but the URL reveals the site as fraudulent. If visitors access the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new information-stealing malware. 

The CloudSEK researchers named the new malware 'Inno Stealer' as it uses the Inno Setup Windows Installer. The researchers said that Inno Stealer has no code in common with other presently circulating info-stealers. Once active, the malware plants a pair of files that disable various Windows security measures, including those in the registry. They also wipe out software from anti-virus companies Emsisoft and ESET. 

Inno Stealer’s capabilities are typical for this kind of malware, including the ability to collect web browser cookies and passwords, data from cryptocurrency wallets, and data from the disk. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. 

The malware can also fetch extra payloads, an action only performed at night, potentially to take advantage of the victim’s absence from the computer. These additional Delphi payloads, which are TXT files, use the same Inno-based loader that fiddles with the host’s security tools and employs an identical persistence methodology. They also have the ability to grab clipboard data and exfiltrate directory enumeration data. 

To mitigate the risks, researchers recommended avoiding downloading ISO files from obscure sources and instead undertaking significant OS updates using the Windows 10 control panel or obtaining the installation files directly from the source. If you can’t upgrade to Windows 11, there’s no point in attempting to bypass the limitations manually since this will come with a slew of drawbacks and severe security risks.

Scammers are Using Novel Technique to Target iPhone and Android Users


Cybersecurity researchers have unearthed a new methodology employed by fraudsters to target iPhone and Android users by tricking them into installing malware via dubious apps and use it to swipe thousands of dollars.

According to researchers at cybersecurity firm Sophos, a scam campaign dubbed CryptoRom typically begins with social-engineering attack, in which a scammer befriends a victim through dating apps like Tinder, Bumble, or Facebook Dating.

The scammer then moves their conversation to messaging apps such as WhatsApp and asks the victim to install a cryptocurrency trading application that's designed to mimic popular brands and lock people out of their accounts and freeze their funds. In some cases, victims are forced to pay a “tax” to withdraw their money, which they learn by chatting with an in-app customer service representative who is part of the malicious campaign. 

"This style of cyber-fraud, known as sha zhu pan — literally 'pig butchering plate' — is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," stated Sophos analyst Jagadeesh Chandraiah. 

The malicious campaign exploits iOS TestFlight and Apple WebClip to deploy fake mobile apps and websites onto victims’ phones without being subject to the rigorous app store approval process. The malicious campaign was initially used in Asia but has hit the U.S. and European victims since October 2021. 

TestFlight is used for testing the beta version of apps before they head to the App Store. It is used for small internal tests, sent out to 100 users by email, and public beta tests distributed to up to 10,000 users. But the scammers exploit the TestFlight feature, which provides a way for users to download bogus apps outside of the App Store, researchers explained. 

Sophos researchers said some victims installed malicious versions of the legitimate BTCBOX Japanese crypto exchange app that were made available through the TestFlight feature. 

The fraudsters also used iOS WebClips to trick iPhone users, sending them malicious URLs through the service. As Apple describes them, WebClips offer fast access to favorite webpages or links; the researchers note that they can also be used to make fake apps appear more authentic.

277,000 Routers Vulnerable to 'Eternal Silence' Attacks via UPnP

 

'Eternal Silence,' a malicious campaign, is exploiting Universal Plug and Play (UPnP) to turn routers into proxy servers that are used to carry out attacks while obscuring the threat actors' location.

UPnP is a connection protocol, optionally available in most modern routers, that lets other devices on a network automatically create port-forwarding rules on the router. This allows remote devices to reach a particular service or device as needed, with minimal user configuration.

However, it is another technology that trades security for convenience, particularly when the UPnP implementation is vulnerable to attacks that let remote attackers add UPnP port-forwarding entries over a device's exposed WAN connection.

Akamai researchers discovered attackers exploiting this flaw to build proxies that conceal their harmful operations and termed the attack UPnProxy. 

277,000 of the 3,500,000 UPnP routers detected online are vulnerable to UPnProxy, with 45,113 already infected by hackers. 

Analysts at Akamai believe the perpetrators are attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. 

Exploiting these holes can result in a variety of issues, such as resource-intensive cryptominer infections, destructive worm-like attacks that quickly spread across entire corporate networks, or gaining initial access to corporate networks. 

The hackers' new rulesets include the phrase 'galleta silenciosa,' which means 'silent cookie'. 

The injections attempt to expose TCP ports 139 and 445 on devices connected to the targeted router, putting around 1,700,000 machines running SMB services within reach.

Although Akamai does not know the campaign's success rate, it did observe a methodical approach to the scans, which focus on devices whose UPnP daemons listen on static ports and paths, and inject port forwards into them.

"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report.

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is a clever attack because it renders network segmentation ineffective and gives the victim no sign of what is happening.

Scanning all endpoints and auditing the NAT table entries is the best way to determine whether devices have been compromised. There are various ways to do this, but Akamai has made it simple by publishing a bash script that tests a potentially vulnerable URL.

Disabling UPnP will not remove existing NAT injections from a device that is already infected with Eternal Silence; users will have to reset or flash the device instead.

Applying the most recent firmware update should also be a priority, since the device vendor may have resolved any UPnP implementation problems via the system update.
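As an added example of the NAT-table audit described above (not Akamai's script and not part of the original post), the following Python parses the SOAP responses an IGD router returns to WANIPConnection GetGenericPortMappingEntry requests and flags entries that look injected: forwards into SMB ports 139/445, the 'galleta silenciosa' description, or an "internal" client that is actually outside the LAN. The sample responses are constructed and the LAN subnet 192.168.1.0/24 is an assumption.

```python
# Added example, not Akamai's script: audit a router's UPnP port-mapping table
# for UPnProxy / Eternal Silence style injections by parsing the SOAP bodies an
# IGD router returns to WANIPConnection GetGenericPortMappingEntry requests.
# Sample responses are constructed; the LAN subnet 192.168.1.0/24 is assumed.
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}                       # targets of Eternal Silence injections
INJECTION_MARKERS = ("galleta silenciosa",)  # description seen in injected rules

# Layout of a real GetGenericPortMappingEntry response; values are filled in below.
RESPONSE_TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
     xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>{iport}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

# Constructed NAT table: a benign Plex forward, an SMB injection, and a proxy
# forward whose "internal" client is a host outside the LAN.
SAMPLE_TABLE = [
    RESPONSE_TEMPLATE.format(ext=32400, iport=32400, client="192.168.1.20",
                             desc="Plex Media Server"),
    RESPONSE_TEMPLATE.format(ext=47669, iport=445, client="192.168.1.10",
                             desc="galleta silenciosa"),
    RESPONSE_TEMPLATE.format(ext=8080, iport=80, client="203.0.113.7",
                             desc="forward"),
]

def parse_mapping(soap_body):
    """Return the New* fields of one GetGenericPortMappingEntry response."""
    fields = {}
    for el in ET.fromstring(soap_body).iter():
        tag = el.tag.rsplit("}", 1)[-1]      # strip the namespace, if any
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return {
        "external_port": int(fields.get("ExternalPort", "0")),
        "internal_port": int(fields.get("InternalPort", "0")),
        "internal_client": fields.get("InternalClient", ""),
        "protocol": fields.get("Protocol", ""),
        "description": fields.get("PortMappingDescription", ""),
    }

def audit_mapping(mapping, lan_subnet):
    """Return the reasons a mapping looks injected (empty list if benign)."""
    reasons = []
    if mapping["internal_port"] in SMB_PORTS:
        reasons.append("forwards to SMB port %d" % mapping["internal_port"])
    if any(m in mapping["description"].lower() for m in INJECTION_MARKERS):
        reasons.append("description matches injection marker %r"
                       % mapping["description"])
    try:
        client = ipaddress.ip_address(mapping["internal_client"])
        if client not in lan_subnet:   # router is being used as a proxy
            reasons.append("internal client %s is outside the LAN" % client)
    except ValueError:
        reasons.append("unparseable internal client %r" % mapping["internal_client"])
    return reasons

def audit_table(responses, lan_cidr="192.168.1.0/24"):
    """Audit every entry; returns a list of (index, mapping, reasons) findings."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for index, body in enumerate(responses):
        mapping = parse_mapping(body)
        reasons = audit_mapping(mapping, lan)
        if reasons:
            findings.append((index, mapping, reasons))
    return findings
```

On a real router the responses would be collected by walking NewPortMappingIndex from 0 until the device returns a SpecifiedArrayIndexInvalid fault; every flagged entry deserves a look, since a legitimate forward to a LAN host's SMB port is almost never intended.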

Autom Cryptomining Malware Employs Upgraded Evasion Techniques

 

The malicious Autom cryptomining campaign has upgraded its arsenal, adding new defense-evasion methods that let attackers fly under the radar of antivirus scanners.

According to researchers at DevSecOps and cloud security firm Aqua Security, the campaign was first identified in 2019, and since then a total of 84 attacks against the researchers' honeypot servers have been recorded, four of them in 2021.

Early attacks in this campaign ran a malicious command against a vanilla image named "alpine:latest", which resulted in a shell script named "autom.sh" being downloaded onto the host.

"Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," the researchers explained in a blog post. "Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded."

The shell script kicks off the attack sequence, creating a new user account named "akay" and elevating its privileges to root, which lets the attackers run arbitrary commands on the compromised machine and ultimately abuse its resources to mine cryptocurrency. In the early stages of the 2019 campaign there were no special measures to hide the mining activity, but later versions show the lengths its developers have gone to in order to keep it hidden from scanning tools.

Campaigns that hijack computers to mine cryptocurrency have been dominated by a handful of threat actors such as Kinsing, which has been seen scanning the internet for misconfigured Docker servers, breaking into the unprotected hosts and installing a previously undocumented coin-miner strain.

"Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers," Sophos senior threat researcher Sean Gallagher explained in an analysis of a Tor2Mine mining campaign, which involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.

Threat Actors use MSBuild to Execute Cobalt Strike Beacons

 

Malicious campaigns have recently been spotted abusing the Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on vulnerable machines. MSBuild, designed for building Windows applications, uses a project-file element called 'Tasks' to designate components that run during a build, and threat actors are misusing these Tasks to launch malicious code under the guise of MSBuild. Renato Marinho, a Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler, says that two different malicious campaigns using MSBuild for code execution were discovered in the last week.

MSBuild is a build tool that helps automate the software development process, including source-code compilation, packaging, testing, deployment and documentation creation. Visual Studio projects and solutions can be built with MSBuild even when the Visual Studio IDE is not installed. MSBuild is free and open-source software. It was previously shipped with the .NET Framework; starting with Visual Studio 2013, it ships with Visual Studio instead. MSBuild is a functional replacement for the nmake utility, which is still used in projects created with older Visual Studio editions.

MSBuild operates on MSBuild project files, which have an XML syntax comparable to Apache Ant or NAnt. Although the syntax is based on a well-defined XML schema, the fundamental structure and operation are comparable to the traditional Unix make utility: the user specifies what will be used (typically source code files) and what the result should be (typically a static library, DLL, or executable application), and the utility decides what to do and in which order to carry out the build.

Threat actors typically gain access to the target environment using a legitimate remote desktop protocol (RDP) account, then use remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload. The malicious MSBuild project was crafted to compile and run C# code that decodes and executes Cobalt Strike.

Marinho adds that after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command-and-control (C&C) server. To prevent such attacks, the researcher recommends that enterprises use a Windows Defender Application Control (WDAC) policy to block Microsoft-signed applications that can be abused to execute other malware; MSBuild is on the list of such applications.

“There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies,” Marinho concluded.

Emotet Installs Cobalt Strike for Rapid Attacks

 

The notorious Emotet malware is now directly installing Cobalt Strike beacons for rapid cyberattacks, rather than dropping an intermediate payload first. 

Attackers use Cobalt Strike, a legitimate penetration-testing tool, to move laterally through an organization and deploy ransomware on its network. Earlier this month, the malware began testing the installation of Cobalt Strike beacons on infected devices in place of its conventional payloads. The test was short, and soon afterwards the attackers returned to distributing their usual payloads.

According to researchers, the attackers using Emotet suspended their phishing and spamming campaigns and since then, they have been quiet. However, researchers believe the attackers are installing Cobalt Strike beacons on already compromised devices. They install the Cobalt Strike modules straight from their command-and-control (C2) server and then execute the modules on the infected devices.

Installing Cobalt Strike directly eliminates the time between initial infection and subsequent installation of the pen testing tool, giving victims less time to detect and mitigate the infection prior to the execution of ransomware. 

In a sample of the Cobalt Strike beacon shared with BleepingComputer, the malware communicates with the attackers' command-and-control servers via a fake 'jquery-3.3.1.min.js' file. Each time the malware contacts the C2, it attempts to download the jQuery file, in which one variable has been changed to carry new instructions.

As most of the file is valid jQuery source code and only some content is changed, it blends into legitimate traffic, making it easier to evade security software. The rapid deployment of Cobalt Strike via Emotet is an important development that all Windows and network administrators, as well as security specialists, should take note of.

In previous attacks, defenders had more time to spot the presence of Emotet, TrickBot or QakBot and remediate before the ransomware infection took place. Now the timeline is compressed, and the chances of identifying and removing Emotet or the Cobalt Strike beacon before a ransomware infection are much lower.

“The old Emotet also used a multilayer communication protocol for all communication performed by the infected victim and the C2. However, the old protocol required the loader to also enumerate the victim’s process list, which was sent to the C2 during check-in. New Emotet strips out this process checking functionality from initial check-in and places it into a new module focused on process list checking,” researchers at Intel 471 stated.

Threat Actors are Using Malicious Microsoft Excel files to Steal Banking Credentials

 

Threat actors are distributing Excel XLL files that download and install the RedLine password- and information-stealing malware, spreading them via website contact forms and discussion forums.

RedLine is a credential-theft malware that steals cookies, user names and passwords, and banking details stored in web browsers, as well as FTP credentials and files from a compromised device. 

The malware can also execute commands, download and run further malware, and take screenshots of the active Windows desktop. The stolen data is sent back to the attackers to be sold on the dark web or used in other malicious activity.

XLL files are essentially dynamic-link libraries (DLLs) that export an 'xlAutoOpen' function, which Excel calls when the add-in is loaded. An XLL add-in can let Excel read and write data, import it from other sources, define custom functions and perform many other tasks.

If the XLL is run manually via regsvr32.exe or with the 'rundll32 name.xll, xlAutoOpen' command, it extracts the wget.exe program to the %UserProfile% folder and uses it to download the RedLine binary from a remote site.

Once the victim has installed the malware, it hunts for valuable information to steal, including credentials and credit cards stored in the Chrome, Edge, Firefox, Brave and Opera browsers. If you receive an email or other message distributing these types of files, simply delete the message and report it as spam.

Because XLL files are executables, threat actors can use them to perform a wide range of malicious actions on a device. Users should be careful when receiving such files and should make sure they come from a trusted source before opening them.

According to security experts, XLL files are rarely sent as attachments; they are normally installed by another program or by a Windows administrator, so any such file arriving by email should be handled with extra caution. Beyond being vigilant with attachments and links in emails, users should keep their endpoints secure with strong, regularly changed passwords and ensure their systems run safeguards such as antivirus solutions and firewalls.

Android Devices being Targeted by Flubot

 

The National Cyber Security Centre of Finland (NCSC-FI) has recently released a "severe alert" over a major campaign targeting the nation's Android users with Flubot banking malware delivered through text messages sent out by hacked devices. 

This is the second major Flubot operation to strike Finland this year, following a wave of SMS spam that hit thousands of Finns each day from early June to mid-August 2021. Like the previous one, the latest campaign uses a voicemail theme, urging recipients to click a link to retrieve a voicemail or a message from their mobile operator.

Rather than hearing a voicemail, SMS recipients are sent to malicious websites that push APK installers to install the Flubot banking malware on their Android devices.

“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," the Finnish National Cyber Security Centre said in the alert issued on Friday. 

"We managed to almost eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one because the previously implemented control measures are not effective," said NCSC-FI information security adviser Aino-Maria Väyrynen. 

Those who have been affected should factory-reset their Android device to remove the malware. iOS users who receive FluBot messages and click the link are forwarded to fraud and phishing websites rather than prompted to install an app.

Once installed on a device, FluBot can read the contacts list, spam texts to other people, read messages, steal credit card details and passwords as they are typed into apps, install other apps and engage in other nefarious activity. Android users who receive Flubot spam messages or emails should avoid opening the links or downloading files they point to.

The malware family has also been found on other websites, where anyone could come into contact with the harmful code. Netcraft, an internet services provider, announced on Monday that it had discovered nearly 10,000 websites disseminating FluBot malware.

Over 300,000 Devices Compromised by Four Android Banking Trojans

 

Researchers at cybersecurity firm ThreatFabric have uncovered four different Android banking trojans that were distributed via the Google Play Store between August and November 2021 and infected more than 300,000 devices through multiple dropper apps.

According to ThreatFabric analysts, the dropper apps were built to deliver the Android banking trojans Anatsa, Alien, ERMAC and Hydra, and the campaign was engineered so that payloads were installed only on devices in specific regions and were never downloaded while the apps were going through the publishing process.

Once installed, this banking malware can perform classic overlay attacks to steal user passwords and SMS-based two-factor authentication codes, log keystrokes, take screenshots, and even drain users' bank accounts without their knowledge using Automatic Transfer Systems (ATS). The apps have since been removed from the Play Store.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” reads the analysis published by the ThreatFabric researchers.

“VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.” 

The malicious dropper apps are listed below:

• Two Factor Authenticator (com.flowdivison) 
• Protection Guard (com.protectionguard.app) 
• QR CreatorScanner (com.ready.qrscanner.mix) 
• Master Scanner Live (com.multifuction.combine.qr) 
• QR Scanner 2021 (com.qr.code.generate) 
• QR Scanner (com.qr.barqr.scangen) 
• PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2) 
• PDF Document Scanner Free (com.doscanner.mobile) 
• CryptoTracker (cryptolistapp.app.com.cryptotracker) 
• Gym and Fitness Trainer (com.gym.trainer.jeux)

Additionally, researchers uncovered multiple samples dropped by the Brunhilda hacking group, which was also responsible for spreading the Vultur Trojan in July 2021. In one case, the researchers observed Brunhilda masquerading as a QR code creator app used to drop Hydra and Ermac malware targeting users in the United States, a market previously not targeted by the two malware families.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques,” researchers concluded.

Attackers use ProxyLogon and ProxyShell Flaws to Hijack Email Threads

 

As part of an ongoing spam campaign that uses stolen email chains to bypass security protection and implant malware on vulnerable systems, threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers. Trend Micro's discoveries are the result of an investigation into a series of Middle Eastern intrusions that resulted in the dissemination of a never-before-seen loader known as SQUIRRELWAFFLE. The attacks, which were first publicly disclosed by Cisco Talos in mid-September 2021, are thought to have started with laced Microsoft Office documents. 

"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy and Abdelrhman Sharshar said in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits."

According to Trend Micro, public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) were used on three of the Exchange servers that were compromised in separate intrusions, with the access being used to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients will open the emails. 

Rogue email messages with a link that, when opened, drops a Microsoft Excel or Word file are part of the assault chain. When the recipient opens the document, the victim is prompted to allow macros, which leads to the download and execution of the SQUIRRELWAFFLE malware loader, which serves as a conduit for the final-stage payloads like Cobalt Strike and Qbot. 

Trend Micro's claim that SquirrelWaffle is operating as a malware dropper for Qbot or other malware was disputed by Cryptolaemus researcher TheAnalyst. Rather, according to TheAnalyst on Friday, the threat actor is delivering both SquirrelWaffle and Qbot as separate payloads, with the most recent confirmed SquirrelWaffle drop occurring on Oct. 26.

The actor and its activity are tracked as tr01/TR (its QakBot affiliate ID), as TA577 by Proofpoint and as ChaserLdr by Cryptolaemus, according to TheAnalyst, and the activity dates back to at least 2020. The actors are easy to follow, TheAnalyst said, with only minor adjustments to their tactics, techniques and procedures (TTPs); one of tr01's favorite TTPs is including links to malicious documents in stolen reply chains. The threat actor is known for delivering "a variety of malware," including QakBot, Gozi, IcedID, Cobalt Strike and possibly more.

HSI San Antonio Issues a Public Warning on Spoofing Phone Calls

 

The Homeland Security Investigations (HSI) department of US Immigration and Customs Enforcement (ICE) in Texas has issued a warning about a new phone scam. Threat actors have been impersonating special agents at the San Antonio HSI to engage members of the public in the malicious campaign. The victims are informed that a problem with their passport has been discovered. The fake agent then threatens them with arrest unless they make a payment to the HSI. 

Officials with ICE San Antonio said in a scam warning published November 4 that the scammers claim the passport is linked to a crime and frighten the recipient by threatening to dispatch police to their home to arrest them. The fraudsters have also devised a way to make the call appear to come from the HSI San Antonio main phone number, 210-979-4500.

HSI is a directorate of ICE and the primary investigative arm of the United States Department of Homeland Security (DHS). It is responsible for investigating transnational crime and threats, particularly those perpetrated by criminal organizations that take advantage of the global infrastructure that facilitates international trade, travel, and finance. HSI's overseas presence is DHS's largest investigative law enforcement presence abroad and one of US law enforcement's largest foreign footprints.

“HSI special agents and local police do not call people on the phone to warn them they are about to be arrested,” said HSI officials. “Agents neither request financial information, such as bank account and credit card account information, nor demand money from someone to dismiss an investigation or remove an arrest warrant.”

"If you receive a threatening call or message from the number, do not give the person any personal or financial information, try to collect any contact information from the caller, end the conversation immediately if threats and intimidation persist, report the incident to the ICE tip line at 1 (866) 347-2423," added HSI officials. 

International students studying in the United States on student visas were informed in July by ICE officials in Virginia that their phone number was being faked to fool them into making fraudulent payments and disclosing sensitive personal information. Scammers behind the campaign demanded Bitcoin payments from international students, a currency that the federal government does not recognize.