
GitHub Under Siege: Unraveling the Ongoing Automated Attack on Open-Source Repositories


GitHub, a cornerstone for programmers worldwide, faces a severe threat as an unknown attacker deploys an automated assault, cloning and creating malicious code repositories. The attack, involving sophisticated obfuscation and social engineering, poses a significant challenge to GitHub's security infrastructure. 

An assailant employs an automated process to fork and clone existing repositories, concealing malicious code under seven layers of obfuscation. These rogue repositories closely mimic legitimate ones, which makes detection harder. Developers who unknowingly fork the affected repos amplify the attack further.

Once a developer uses a compromised repository, a hidden payload begins unpacking its layers of obfuscation, revealing malicious Python code and a binary executable. The code then collects confidential data and login details and uploads them to a control server. Security provider Apiiro's research and data teams report a substantial surge in the attack since it began in May of the previous year.
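An analyst triaging a repository like the ones described above wants to see what sits under the wrapper layers without ever running them. The following is an added example, not code from the article or from Apiiro: it statically peels nested `exec(zlib.decompress(base64.b64decode(...)))` wrappers (one assumed wrapper shape; real samples use other encodings too) from a constructed, harmless sample wrapped seven times, and lists names in the innermost code that merit a closer look.

```python
"""Static layer-peeler for nested exec(base64+zlib) wrappers; nothing is executed."""
import base64
import re
import zlib

# One wrapper shape only (assumption); real samples vary and would need more patterns.
LAYER_RE = re.compile(
    r"^\s*exec\(zlib\.decompress\(base64\.b64decode\(b?['\"]([A-Za-z0-9+/=]+)['\"]\)\)\)\s*$"
)

# Names that merit an analyst's attention when they appear in the innermost layer.
SUSPICIOUS = ("requests.post", "urllib.request", "socket.", "subprocess", "os.environ", "getpass")


def wrap_layer(src: str) -> str:
    """Build one base64+zlib exec layer (used here only to construct the sample)."""
    blob = base64.b64encode(zlib.compress(src.encode())).decode()
    return f"exec(zlib.decompress(base64.b64decode('{blob}')))"


def peel(src: str, max_layers: int = 32):
    """Unwrap nested layers as data; return (layer_count, innermost_source)."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.match(src)
        if not m:
            break
        try:
            src = zlib.decompress(base64.b64decode(m.group(1))).decode("utf-8")
        except (ValueError, zlib.error, UnicodeDecodeError):
            break  # malformed layer: stop rather than guess
        layers += 1
    return layers, src


def triage(src: str) -> dict:
    """Peel the sample and report suspicious names found in the innermost code."""
    layers, inner = peel(src)
    return {"layers": layers, "inner": inner,
            "suspicious": sorted(n for n in SUSPICIOUS if n in inner)}


# Constructed harmless inner script, wrapped seven times like the samples described.
INNER = "import os, getpass\nprint(getpass.getuser(), os.environ.get('HOME'))\n"
SAMPLE = INNER
for _ in range(7):
    SAMPLE = wrap_layer(SAMPLE)

if __name__ == "__main__":
    print(triage(SAMPLE))
```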

While GitHub diligently removes affected repositories, its automated detection system struggles to catch every instance. With millions of uploaded or forked repositories, even a 1% miss rate translates to potentially thousands of compromised repos still operational. Initially modest in scale, the attack has grown in size and sophistication, presenting challenges for GitHub's security measures. 

Researchers attribute the operation's success to GitHub's vast user base and the increasing complexity of the attack technique. What makes the attack notable is its fusion of sophisticated automation with the exploitation of simple human nature. While the obfuscation techniques grow more intricate, the attackers rely heavily on social engineering to confuse developers and lure them into picking the malicious copy. 

This unintentional spread exacerbates the attack's impact and heightens the difficulty of detection. As of now, GitHub has not issued a direct comment on the ongoing attack. However, the platform released a general statement reassuring users of its commitment to security. The platform employs manual reviews, at-scale detection utilizing machine learning, and continuously evolves to counter adversarial attacks. 

GitHub's popularity as a vital resource for developers globally has inadvertently made it a target. The platform's open-source nature and extensive user base create vulnerabilities that attackers exploit. Resolving the issue entirely proves to be an uphill battle, with GitHub still grappling with the effectiveness of the assailant's methods. 

GitHub, a linchpin for the global programming community, faces a formidable challenge as an automated attack exploits its open-source framework and vast user base. The ongoing assault, characterized by sophisticated obfuscation and social engineering, underscores the complexities of securing such a widely used platform. GitHub's response and adaptation will be crucial in mitigating the impact and fortifying defenses against evolving cyber threats.

TA866 Threat Actor: Python Malware Targets Tatar-language Users


Cybersecurity researchers have discovered a new Python malware that has been targeting Tatar-language-speaking users. Tatar is a Turkic language, spoken mostly by Tatars, an ethnic group based in Russia and its neighbouring nations. 

The Python malware, analysed by Cyble, is designed to capture screenshots on the targeted systems and transfer them to a remote server through FTP (File Transfer Protocol).

FTP enables files and folders to be transferred from a host (targeted system) to another host via a TCP-based network, like the Internet. 

The threat actors behind the campaign are the notorious TA866, which has a history of targeting Tatar language speakers and utilizing Python malware to conduct their operations. 

How Does TA866 Use Python Malware? 

According to CRIL, TA866's use of this new Python malware coincided with Tatar Republic Day, and the attacks continued up until the end of August.

The report claims that the threat actor known as TA866 uses a PowerShell script "responsible for taking screenshots and uploading them to a remote FTP server."

Threat actors use phishing emails to deliver the Python malware to their chosen victims. These emails carry a malicious RAR file as an attachment.

The archive contains two seemingly innocuous files: a video file and a Python-based executable masquerading as an image file with a dual extension.

  • After being executed, the loader starts a chain of events. It downloads a zip file from Dropbox that contains two PowerShell scripts and an additional executable file.
  • These scripts make it easier to create a scheduled task that will allow the malicious executable to run.
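A defender screening attachments for the double-extension lure described above can check archive listings before anything is extracted. The following is an added example, not code from the CRIL report: it inspects a constructed listing (a decoy video beside an executable posing as a photo, with placeholder names rather than the campaign's Tatar-language ones) and, going slightly beyond the article, also flags the related right-to-left-override filename trick.

```python
"""Flag archive entries that hide an executable behind a media-file extension."""
from dataclasses import dataclass

MEDIA = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp4", ".avi", ".mov", ".mkv"}
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1", ".lnk"}


@dataclass
class Finding:
    name: str
    reason: str


def extensions(name: str) -> list:
    """Return every extension of the basename, lower-cased, in order."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_listing(names) -> list:
    """Inspect an archive listing (names only, nothing extracted) and return findings."""
    findings = []
    for name in names:
        exts = extensions(name)
        if not exts:
            continue
        last = exts[-1]
        if last in EXECUTABLE and len(exts) >= 2 and exts[-2] in MEDIA:
            findings.append(Finding(name, f"{last} disguised as {exts[-2]} (double extension)"))
        elif last in EXECUTABLE:
            findings.append(Finding(name, f"bare {last} inside archive"))
        if "\u202e" in name:  # right-to-left override reverses the visible extension
            findings.append(Finding(name, "RLO character in filename"))
    return findings


# Constructed listing: a decoy video next to a Python-built EXE posing as a photo.
SAMPLE_LISTING = ["video.mp4", "photo.jpg.exe"]

if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f.name, "->", f.reason)
```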

According to Proofpoint, the threat actor’s operations lead them to a financially motivated activity called “Screentime.” 

TA866 Threat Actors and Their Use of Custom Hacking Tools

The hackers are able to conduct these complex attacks because they have successfully developed their own sophisticated tools and services. Notably, the financially motivated threat actor TA866 has been linked to similar operations targeting German and American organizations.

CRIL claims that the threat actor infects victims' computers with the Python tool via the RAR file. However, the infection must first pass through a chain of stages before the final payload is launched, which includes using Tatar-language filenames to hide. 

The threat actor employs a malicious application that shows the victims a message while covertly running PowerShell scripts to take screenshots and send them to an FTP site. 

The subsequent step of TA866 involves the deployment of further malicious software, which may include the Cobalt Strike beacon, RATs (Remote Access Trojans), stealers, and other harmful programs.

Considering the sophisticated payloads and malware used in the attacks, it can be concluded that this is definitely not a rookie organization but a group of skilled operators, including experts in designing advanced malware strains and payloads.  

MrTonyScam: Python-based Stealers Deployed via Facebook Messenger


A new phishing attack has recently been observed on Facebook Messenger, where messages with malware attached are sent from a "swarm of fake and hijacked personal accounts" with the aim of accessing targets' business accounts. 

The attack, referred to as 'MrTonyScam,' sends messages that pressure targets into opening RAR and ZIP archive attachments, which launch a dropper that downloads the next stage from a GitHub or GitLab repository.

Oleg Zaytsev, Guardio Labs researcher states in an analysis published over the weekend, "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods."

This payload is another archive file with a CMD file inside it. The CMD file in turn contains an obfuscated Python-based stealer that exfiltrates all cookies and login information from various web browsers to a Telegram or Discord API endpoint under the actor's control.

A notable tactic used by the threat actors is deleting all cookies once they have stolen them, locking victims out of their own accounts. They then hijack the victim's session with the help of the stolen cookies, changing passwords and thus acquiring complete control. 

Also, there have been speculations that the threat actors are based in Vietnam, considering the presence of Vietnamese language references in the source code of the Python stealer. For instance, there has been the inclusion of ‘Cốc Cốc,’ which is a Chromium-based browser used popularly in Vietnam. 

Guardio Labs discovered that the campaign has experienced a high success rate, with 1 out of 250 victims being estimated to have been infected over the last 30 days alone, despite the fact that the infection needs user input to download a file, unzip it, and execute the attachment.

Among other countries, the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam have reported the majority of the compromises.

"Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets[…]Those are used to reach a broad audience to spread advertisements as well as more scams," Zaytsev noted.

This disclosure came days after WithSecure and Zscaler ThreatLabz reported the newly launched Ducktail and Duckport campaigns that targeted Meta Business and Facebook accounts using 'malverposting' tactics.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.  

The Rise of Chaes Malware: A Threat to Financial and Logistics Industries


The world of cybersecurity is constantly evolving, with new threats emerging on a regular basis. One such threat is the Chaes malware, which has recently undergone major overhauls, making it even more dangerous to the financial and logistics industries.

What is Chaes Malware?

Chaes is a malware that first emerged in 2020, known for targeting e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information. 

The malware has undergone significant transformations and enhancements, including being rewritten entirely in Python, resulting in lower detection rates by traditional defense systems. 

The latest iteration of the malware, dubbed Chae$ 4, packs in an expanded catalogue of services targeted for credential theft and clipper functionalities.

How Does Chaes Malware Work?

Chaes malware targets banking and logistics industries, stealing sensitive financial information from customers. The malware has undergone a comprehensive redesign and an enhanced communication protocol, making it even more effective at evading detection. 

Once the malware has infected a system, it can steal login credentials, credit card information, and other sensitive data.

What's next?

The rise of Chaes malware is a serious threat to the financial and logistics industries. With its enhanced capabilities and ability to evade detection, it is important for businesses to take proactive measures to protect themselves from this dangerous malware. 

By staying informed about the latest threats and implementing strong cybersecurity measures, businesses can help protect themselves and their customers from the dangers of Chaes malware.