BATLOADER and Atera Agent are Being Distributed Through an SEO Poisoning Campaign


A new SEO poisoning campaign is underway that infects targeted systems with the BATLOADER and Atera Agent malware. It appears to be aimed at professionals looking to download productivity applications such as TeamViewer, Zoom, or Visual Studio. SEO poisoning is a tactic in which attackers build malicious websites around keywords that visitors typically look up in search engines, then use various SEO (Search Engine Optimization) techniques to make those sites rank prominently in search results.

According to a report by Mandiant researchers, in this malicious SEO campaign the threat actors compromise legitimate websites in order to plant malicious files or URLs. Users are thus routed to websites that host malware posing as well-known applications.

“The threat actor used ‘free productivity apps installation’ or ‘free software development tools installation’ themes as SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped and executed during the software installation process,” said the researchers.

“This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack chain. And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection,” they added. 

A file called "AppResolver.dll" was discovered in the attack chain as a significant sample. This DLL is an internal component of Microsoft's Windows operating system, but it contains malicious VBScript inserted in such a way that the code signature stays valid. When run on its own, the DLL does not execute the VBScript. When run with Mshta.exe, Mshta.exe locates and executes the VBScript without error.

This vulnerability is similar to CVE-2020-1599 in that the PE Authenticode signature remains valid after appending HTA-compatible scripts to a file signed by any software developer. These PE+HTA polyglots (.hta files) can be used by Mshta.exe to circumvent security solutions that rely on Microsoft Windows code signing to determine whether or not files are trusted.

In this case, researchers discovered that arbitrary script data was attached to the signature section of a legitimately signed Windows PE file, at the end of the ASN.1 structure. As long as the file extension is not '.hta', the resulting polyglot file retains a valid signature. If this polyglot file is executed with Mshta.exe, the script contents will be successfully executed, since Mshta.exe skips the PE's bytes, locates the script at the end, and runs it.
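The reason the signature survives is that the Authenticode hash excludes the attribute-certificate table itself, so bytes placed after the PKCS#7 ASN.1 blob inside that table are never checked. A defender can exploit exactly that gap in reverse: parse the security directory, measure how much data follows the DER SEQUENCE, and flag anything beyond alignment padding. The following Python is an added example written for this post (it is not Mandiant's code and not a sample from the campaign); the PE image, the "PKCS#7" blob and the appended HTA-style text are all constructed placeholders so that the check can be run offline.

```python
import struct

# Tags a script host such as mshta.exe would look for; used only to label appended text.
HTA_MARKERS = (b"<html", b"<hta:application", b"<script")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(buf: bytes) -> int:
    """Total encoded size (tag + length field + content) of the DER element at buf[0]."""
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: next n bytes hold the length
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def extract_certificate_table(pe: bytes) -> bytes:
    """Return the raw attribute-certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY), or b''."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = e_lfanew + 4 + 20           # after the PE signature and the COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)   # data-directory offset for PE32 / PE32+
    if dd_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Directory entry 4 is the security directory; its first field is a FILE offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, opt_off + dd_off + 4 * 8)
    return pe[cert_off:cert_off + cert_size] if cert_size else b""


def analyze_signature_tail(pe: bytes) -> dict:
    """Walk every WIN_CERTIFICATE entry, measure the data that follows the PKCS#7 ASN.1 blob
    (bytes the Authenticode hash does not cover) and report HTA/script markers found there."""
    table = extract_certificate_table(pe)
    result = {"signed": False, "trailing_bytes": 0, "markers": []}
    off = 0
    while off + 8 <= len(table):
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", table, off)
        if dw_length < 8 or off + dw_length > len(table):
            break                         # malformed entry: stop rather than read past the table
        blob = table[off + 8:off + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and blob[:1] == b"\x30":
            result["signed"] = True
            tail = blob[der_total_length(blob):].rstrip(b"\x00")   # drop 8-byte alignment padding
            result["trailing_bytes"] += len(tail)
            low = tail.lower()
            result["markers"] += [m.decode() for m in HTA_MARKERS if m in low]
        off += (dw_length + 7) & ~7       # entries are 8-byte aligned
    return result


# --- constructed sample data: not a real signature and not real malware ----------------
FAKE_PKCS7 = b"\x30\x82\x01\x2c" + b"\x00" * 300      # stands in for a DER SignedData SEQUENCE
APPENDED = b'\r\n<html><hta:application/><script language="VBScript">REM placeholder</script></html>'


def win_certificate(payload: bytes) -> bytes:
    """Wrap payload in a WIN_CERTIFICATE header (revision 2.0, PKCS#7), padded to 8 bytes."""
    padded = payload + b"\x00" * (-len(payload) % 8)
    return struct.pack("<IHH", 8 + len(padded), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + padded


def build_sample_pe(cert_table: bytes) -> bytes:
    """Minimal headers-only PE32+ image whose security directory points at cert_table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    cert_off = 64 + 4 + 20 + 240                      # table placed right after the headers
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


CLEAN_PE = build_sample_pe(win_certificate(FAKE_PKCS7))
POLYGLOT_PE = build_sample_pe(win_certificate(FAKE_PKCS7 + APPENDED))

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_PE), ("polyglot", POLYGLOT_PE)):
        print(name, analyze_signature_tail(image))
```

A signed binary normally has nothing but alignment padding after the DER blob, so a non-zero `trailing_bytes` value is worth a look on its own, and HTML or HTA tags in that region are a strong indicator of a PE+HTA polyglot. Some legitimate installers do stash small tags in the certificate table, so treat the count as a triage signal and the markers as the actual detection; the check says nothing about whether the signature itself verifies, which still needs a proper Authenticode validator.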

Omicron Test Scam : A Free Test Is Available


Cybercriminals send emails containing malicious links and data, according to police sources. When individuals click on such a link or download a file, their system — whether it's a phone or a computer — is compromised, and hackers have access to sensitive data. The government recommended citizens examine the domain name and URL of websites to ensure their validity, and to report any such incidents to the portal. 

The Ministry of Home Affairs (MHA) has issued a warning about cybercriminals offering potential victims free testing to detect the Omicron variant. The MHA's cyber and information security branch has issued the following advisory: "Due to the shift in focus to the health crisis, cybercriminals are taking advantage of the weakening of cyber defenses. Cybercriminals are always devising new methods of defrauding citizens. As time goes on, Omicron-themed cybercrime is becoming more prevalent. Cybercriminals are using a variety of strategies to commit cybercrime in order to take advantage of the continuously changing scenario and scam innocent victims."

Hackers in the United Kingdom have already begun to take advantage of the virus by sending out phishing emails offering free COVID-19 tests that claim to detect the new variant. In reality, the hackers are attempting to dupe unwary users into divulging their personal data. According to a consumer watchdog group, the scam emails appear to come from the UK's National Health Service. The subject line of one email reads, "Get Your Free Omicron PCR Test - Apply Now to Avoid Restrictions. People who do not consent to a COVID-19 test and refuse to have a swab must be segregated," the email continues, in an attempt to frighten the user into complying.

Users who fall for the ruse will be directed to a fake NHS website, which will ask for their full name, date of birth, address, phone number, and email address – all of which can be used to commit identity theft. The phishing emails are embellished with official-looking NHS logos by hackers. The scam emails were also received from the address "contact-nhs[AT]"

This WordPress Plugin Flaw Impacts 1M Sites & Allows Malicious Redirects


A high-severity issue in the OptinMonster plugin permits unauthorised API access and sensitive information disclosure on around a million WordPress sites.

The flaw, identified as CVE-2021-39341, was found by researcher Chloe Chamberland on September 28, 2021, and a fix was made available on October 7, 2021. All OptinMonster plugin users are recommended to upgrade to version 2.6.5 or later, as all previous versions are impacted. 

OptinMonster is a popular WordPress plugin for creating stunning opt-in forms that assist site owners in converting visitors to subscribers/customers. It is primarily a lead generation and monetization tool, and it is used on roughly a million websites because of its ease of use and variety of features.

According to Chamberland's vulnerability disclosure report, OptinMonster's power comes from API endpoints that provide easy integration and a streamlined design process. However, the implementation of these endpoints isn't always safe, with the '/wp-json/omapp/v1/support' endpoint being the most critical example.

This endpoint can disclose information such as the site's full path on the server, the API keys used for site requests, and more. An attacker with access to the API key could make modifications to the OptinMonster accounts or even inject malicious JavaScript snippets into the site. Without anyone's knowledge, the site would run this code every time a visitor activated an OptinMonster element.

To make matters worse, the intruder would not even need to authenticate on the targeted site in order to use the API endpoint, since an HTTP request would circumvent the security checks under certain, simple conditions. While the '/wp-json/omapp/v1/support' endpoint is the worst-case scenario, it is not the only insecure REST API endpoint that may be exploited.

When the researcher's findings reached the OptinMonster team, the popular WordPress plugin's developers understood that the entire API needed to be revisited. As a result, all OptinMonster upgrades that appear on the WordPress dashboard in the next weeks must be installed, as they will most likely resolve further API issues. 

Meanwhile, any API keys that may have been stolen were instantly invalidated, forcing site owners to produce new keys. This case demonstrates how widely deployed and popular WordPress plugins can harbour several undetected flaws over extended periods.