Search This Blog

Showing posts with label Malware attacks. Show all posts

Experts Find Malware Controlling Thousands of Websites in Parrot TDS Network

The Parrot traffic direction system (TDS) that surfaced recently had a huge impact than what was thought earlier, research suggests. The malware affected more than 61,000 websites and was one of the top infections. Parrot TDS was first identified in April 2022 by cybersecurity company Avast, the PHP script had affected web servers that hosted more than 16,500 websites, acting as a gateway for future malware campaigns. It includes appending a part of infected code to all JavaScript files on affected web servers that host content management systems (CMS) like WordPress, these are attacked because of their weak login credentials and flawed plugins. 

"In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware," reports The Hacker News. Alongside the use of sneaky techniques to hide the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," said Denis Sinegubko, expert at Sucuri says. 

The aim of the JavaScript code is to jump-start the second phase of the attack, to deploy a PHP script that has been already injected on the server and is built to obtain information about website visitor, (for ex- IPs, browser, referrer, etc.) and send the details to a remote server. The third phase of the attack surfaces as a Javascript code, it works as a traffic direction system to find out the specific payload to send for a particular user based on the data which was shared in the second stage. 

When the TDS has confirmed the eligibility of a particular site visitor, the NDSX script deploys the final payload through a third-party website. The mostly used third-stage malware is a JavaScript downloader called FakeUpdates. 

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities. Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed," said Sinegubko.

Qbot Malware: Steals Your Data In 30 Minutes


The large-scale spread of the Qbot malware (aka QuakBot or Qakbot) has taken up speed recently, as per the experts, it hardly takes around 30 minutes to steal Sensitive data after the early stage infiltration. The DFIR report suggests that Qbot was executing these fast data-stealing attacks in October 2021, and now it suggests that the hackers have resurfaced with similar strategies. Particularly, researchers believe that it takes around 30 minutes for the threat actors to steal browser info and emails from Outlook and around 50 minutes for the actors to switch to another workstation. 

The timeline suggests that Qbot travels fast to execute privilege escalation the moment an infection takes place, and a full-fledged monitoring scan can take up to ten minutes. Entry-level access to Qbot infections is generally obtained via phishing emails with harmful attacks, like Excel (XLS) documents that may use a macro to plant a DLL loader on the victim machine. Taking a look back, we have noticed that Qbot phishing campaigns use different infection file templates. If launched, the Qbot DLL payload is planted and deployed in genuine Windows applications to avoid detection, like Mobsync.exe or MSRA.exe. 

For instance, the DFIR report reveals that Qbot was planted into MSRA.exe and then creates a timelined task for privilege escalation. Besides this, Qbot DLL with the help of malware is added to Microsoft Defender's execution list, to avoid getting identified when planted into MSRA.exe. Qbot can steal mails in 30 minutes after the initial deployment, these mails are used in the future for phishing attacks. Experts observed that Qbot is also capable of stealing Windows credentials by dumping Local Security Authority Server Service (LSASS) process memory and stealing it from different browsers. 

The stolen credentials are later used for spreading the malware on other device networks laterally. The malware only took 50 minutes for dumping credentials after its execution. Bleeping Computer reports "Microsoft report from December 2021 captured the versatility of Qbot attacks, making it harder to evaluate the scope of its infections accurately. However, no matter how a Qbot infection unfolds precisely, it is essential to keep in mind that almost all begin with an email."

Cyber Attackers Exploiting Microsoft Excel add-in Files


Recently a unit of researchers delivered a detailed study on a new phishing campaign at HP Wolf Security. As per the report, threat actors are exploiting Microsoft Excel add-in files in order to send various forms of malware into the systems that could leave businesses vulnerable to data theft, ransomware, and other cybercrime. 

Researchers said that threat actors are excessively using malicious Microsoft Excel add-in (XLL) files to damage the systems and it has been observed that there was an almost six-fold (588%) increment in attacks using this technique during the final quarter of 2021 compared to the previous three months.

XLL add-in files are very famous among people because they provide users to execute a wide range of extra tools and functions in Microsoft Excel. But like macros, they're a tool that can be exploited by threat actors. 

According to the report, threat actors distributed malicious links via phishing emails related to payment references, quotes, invoices, shipping documents, and orders that come with malicious Excel documents with XLL add-in files. The recipient is then tricked into clicking a malicious link, which can lead to the installation and activate the add-in of malware, freezing of the system as part of a ransomware attack, or the revelation of sensitive information. 

Malware families that have been used in attacks leveraging XLL files include Dridex, BazaLoader, IcedID, Agent Tesla, Stealer, Raccoon Formbook, and Bitrat. Some of these forms of malware also create backdoors onto infected Windows systems, which gives attackers remote access to the system. 

Additionally, Some XLL Excel Dropper services are advertised as costing over $2,000, which is expensive for community malware but criminal forum users seem willing to pay the price. 

Alex Holland, senior malware analyst at HP Wolf Security said, "Abusing legitimate features in the software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly…” 

"…Attackers are continually innovating to find new techniques to evade detection, so it's vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe," he added.