Search This Blog

Showing posts with label Malicious Files. Show all posts

Russia Dubbed as the "Centre" of European-wide Cyber-Attacks

 

Since the beginning of Russia's invasion of Ukraine, the EU, UK, US, and other allies have recognized that Russia has been behind a wave of cyber-attacks. The most recent distributed denial-of-service (DDoS) attack on Viasat's commercial communications network in Ukraine, which occurred on the same day that Russia launched its full-fledged invasion, had a greater impact across Europe, disrupting wind farms and internet users. 

The outage on Viasat affected almost one-third of bigblu's 40,000 users throughout Europe, including Germany, France, Hungary, Greece, Italy, and Poland, according to Eutelsat, the parent company of bigblu satellite internet service. The incident impacted wind farms and internet users in central Europe, creating outages for thousands of Ukrainian customers. 

In the regard, the key statements by the West are as follows:

  • The European Union said that Russia was behind the strike, which occurred "one hour before" the invasion of Ukraine. 
  • Estonia: The member of the European Union went even further. With "high certainty," the country blamed the hack on Russia's military intelligence arm, saying it had "gone counter to international law." 
  • The United Kingdom's National Cyber Security Centre is "almost convinced" that Russia was behind the Viasat attack, according to the UK, citing "new UK and US intelligence." Meanwhile, the report said that "Russian Military Intelligence was probably certainly involved" in defacing Russian websites and releasing damaging spyware.
The main aim, according to the joint intelligence advisory, was the Ukrainian military. "Thousands of terminals have been destroyed, rendered useless, and are unable to be restored," according to Viasat. Russian military intelligence was likely certainly engaged in the January 13 attacks on Ukrainian official websites and the distribution of Whispergate harmful malware, according to the UK's National Cyber Security Centre (NCSC). 

"This is clear and alarming proof of an intentional and malicious attack by Russia against Ukraine, which had huge ramifications for ordinary people and businesses in Ukraine and across Europe," Foreign Secretary Liz Truss said. 

In the past Russian criminals hijacked the updater system of Ukrainian accounting software provider MEDoc in June 2017, infecting MEDoc users with the wiper virus NotPetya. The evidence suggests that Wiper malware infected several Ukrainian government networks again in 2022, and Gamaredon attacks targeted roughly 5,000 entities, including key infrastructure and government departments.

NCSC director of operations Paul Chichester addressed why the attribution was being done now, two and a half months after the occurrence, at a press conference at CYBERUK 2022. "We execute attributions in a process-driven manner; accuracy is extremely essential to us," he explained. Collaboration with international bodies such as the EU and the Five Eyes adds to the length of time it took to provide this material. 

Such cyber action aims to demoralize the public and degrade essential infrastructure. The perceived difficulties of precisely attributing the attack to any single aggressor is a benefit of conducting the earliest stages of kinetic activity in cyberspace. Putin has been emphatic in his denial of any Russian government participation in the attacks.

Vidar Spyware Exploits Microsoft Help Files to Bypass Detection

 

Vidar spyware has been discovered in a new phishing campaign that exploits Microsoft HTML help files. The spyware is hidden in Microsoft Compiled HTML Help (CHM) files to bypass detection in email spam campaigns, Trustwave cybersecurity expert Diana Lopera stated. 

Vidar is Windows spyware and an information stealer capable of harvesting both user data and data on the operating system, cryptocurrency account credentials as well as payment details such as credit card details. 

While threat actors often distribute malware via spam and phishing campaigns, Trustwave researchers have also uncovered the C++ malware being deployed via the pay-per-install PrivateLoader dropper, and the Fallout exploit kit. 

According to researchers, threat actors employ an age-old strategy of tricking people to download seemingly innocent files that are actually malicious. The malicious files contain a generic subject line and an attachment, "request.doc," which is actually a .iso disk image. The .iso contains two separate files: a Microsoft-compiled HTML help file (CHM), often titled pss10r.chm, and an executable file titled app.exe. 

The CHM format is a Microsoft online extension file used for accessing documentation and help files. The compressed HTML format allows the distribution of images, tables and links. However, when malicious actors abuse CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to deploy CHM objects. 

When a malicious CHM file is unpacked, a JavaScript snippet will silently execute app.exe, and while both files have to be in the same directory, this can trigger the execution of the Vidar payload. 

The Vidar samples gathered by the attacker’s link to their command-and-control (C2) server via Mastodon, a multi-platform open-source social networking system. Specific profiles are searched, and C2 addresses are collected from user profile bio sections. This allows the spyware to design its configuration and start exfiltrating user data. 

To protect yourself against this campaign, you should strictly follow the standard protections against email spam, such as ensuring the source of email before downloading any attachments. It's also a good idea to use the best antivirus software to protect your PC. 

"Since this Vidar campaign utilizes social engineering and phishing, ongoing security awareness training for your staff is essential. Organizations should also consider implementing a secure email gateway for 'defense in depth' layered security in order to filter these types phishing attacks before they even get to any inboxes,” stated Karl Sigler, Trustwave threat intelligence manager. 

"Vidar itself is an information stealer type of malware. It grabs as much data as it can from the victim's system, sends it back to the attackers, and then deletes itself. This includes any local password stores, web browser cookies, crypto wallets, contact databases, and other types of potentially valuable data."