Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label SEO. Show all posts
Websites
Artificial Intelligence Fake AI SEO URL Websites

Cybercriminals Target AI Enthusiasts with Fake Websites to Spread Malware

 


Cyber attackers are now using people’s growing interest in artificial intelligence (AI) to distribute harmful software. A recent investigation has uncovered that cybercriminals are building fake websites designed to appear at the top of Google search results for popular AI tools. These deceptive sites are part of a strategy known as SEO poisoning, where attackers manipulate search engine algorithms to increase the visibility of malicious web pages.

Once users click on these links believing they’re accessing legitimate AI platforms they’re silently redirected to dangerous websites where malware is secretly downloaded onto their systems. The websites use layers of code and redirection to hide the true intent from users and security software.

According to researchers, the malware being delivered includes infostealers— a type of software that quietly gathers personal and system data from a user’s device. These can include saved passwords, browser activity, system information, and more. One type of malware even installs browser extensions designed to steal cryptocurrency.

What makes these attacks harder to detect is the attackers' use of trusted platforms. For example, the malicious code is sometimes hosted on widely used cloud services, making it seem like normal website content. This helps the attackers avoid detection by antivirus tools and security analysts.

The way these attacks work is fairly complex. When someone visits one of the fake AI websites, their browser is immediately triggered to run hidden JavaScript. This script gathers information about the visitor’s browser, encrypts it, and sends it to a server controlled by the attacker. Based on this information, the server then redirects the user to a second website. That second site checks details like the visitor’s IP address and location to decide whether to proceed with delivering the final malicious file.

This final step often results in the download of harmful software that invades the victim’s system and begins stealing data or installing other malicious tools.

These attacks are part of a growing trend where the popularity of new technologies, such as AI chatbots is being exploited by cybercriminals for fraudulent purposes. Similar tactics have been observed in the past, including misleading users with fake tools and promoting harmful applications through hijacked social media pages.

As AI tools become more common, users should remain alert while searching for or downloading anything related to them. Even websites that appear high in search engine results can be dangerous if not verified properly.

To stay safe, avoid clicking on unfamiliar links, especially when looking for AI services. Always download tools from official sources, and double-check website URLs. Staying cautious and informed is one of the best ways to avoid falling victim to these evolving online threats.

Read more »
VPN
CyberCrime Cybersecurity CyberThreat Fake VPN Google malware SEO VPN

Malware Infections Surge from Fake VPN Downloads

 


An attacker is reportedly injecting malware into infected devices using popular VPN applications to gain remote control of the devices they are attacking. Google's Managed Defense team reported this disturbing finding, which sheds light on how malicious actors use SEO poisoning tactics to spread what is known as Playfulghost.

It has become increasingly important for individuals who prioritize the protection of their personal data and online privacy to use virtual private networks (VPNs). VPNs establish a secure, encrypted connection between users' devices and the internet, protecting their IP addresses and online activity against prying eyes. 

However, it should be noted that not all VPN applications are trustworthy. The number of fake VPN apps being distributed under the guise of legitimate services is increasing, stealing the sensitive information of unsuspecting users. Researchers have discovered that during the third quarter of 2024, fake VPN applications have become increasingly widespread globally, which is a worrying trend. In comparison to the second quarter, security analysts have reported a 2.5-fold increase in user encounters with fraudulent VPN apps.

These apps were either infected with malware or were built in such a way that they could be exploited by malicious actors. As a result of this alarming development, it is critical to be vigilant when choosing VPN services. Users should take precautionary measures when choosing VPN services and ensure that the apps they download are legitimate before downloading to safeguard their data and devices. 

As more and more home users turn to virtual private networks (VPNs) as a means to safeguard their privacy, to ensure their internet activity is secure, and to circumvent regional content blocks, these VPNs are becoming increasingly popular. Scammers and hackers are aware that the popularity of VPNs is growing, and so they intend to take advantage of that trend as much as possible. 

As an example, recently it has been found that some VPNs have been found to have security vulnerabilities that do not make them as secure as they should be. Playfulghost is a backdoor similar to Gh0st RAT, a remote administration tool that is well-known in the security community. According to Google's expert, Playfulghost is "a backdoor that shares functionality with Gh0st RAT." The latter has been around since 2008, and it is considered one of the best. 

The traffic patterns of Playfulghost can be distinguished from those of other known threats, especially in terms of encryption and traffic patterns. There are several ways hackers use phishing and SEO poisoning to trick their victims into downloading malicious software onto their computers, and according to a Google expert, one victim was tricked into opening a malicious image file for Playfulghost to run remotely from a remote location, which results in the malware being downloaded onto his computer. In the same vein, SEO poisoning techniques employed trojanized virtual private network (VPN) apps to download Playfulghost components from a remote server on the victims' devices (see GIF below). 

Infected with Payfulghost, an attacker can remotely execute a wide range of tasks on the device once it has been infected. It is particularly dangerous as a virus. Data mining is capable of capturing keystrokes, screenshots, and audio, as well as capturing screenshots. In addition to this, attackers can also perform file management activities, including opening, deleting, and writing new files. Security experts from Google have warned that a new malware threat has been detected that is very dangerous. It is known as Playfulghost and is distributed worldwide via fraudulent VPN apps. Researchers have warned that this scam uses sophisticated techniques to trick users into downloading infected VPN software, including what is called "SEO poisoning". 

There is something especially cruel about this latest cyberattack because signing up for one of the best VPN deals is usually an easy way to improve users' level of privacy and security online. Unfortunately, those who installed the fake VPN applications laced with malware in the last few days have now found themselves in the worst possible position due to the malware they have installed. As people know, the purpose of Playfulghost is to allow hackers to monitor every letter users type on their keyboard, a practice known as keylogging. 

It can also record audio from the built-in microphone on users' computers, laptops, tablets, or desktops, and it can also be used as a tool to record what they are seeing on the screen, which is often used for blackmail. The dangerous malware also enables attackers to remotely execute various file management activities, including opening, deleting, and writing new files, This can enable hackers to download and install other types of malware on machines infected with Playfulghost. Playfulghost also makes it possible for attackers to perform various file management activities remotely, such as opening, deleting, and creating files, allowing hackers to download and install other kinds of malware on computers infected with this dangerous malware. 

As it turns out, Playfulghost's functionality is quite similar to Gh0st RAT, which has wreaked havoc on PCs since 2001 and is now a public open-source tool, whose source code was released in 2008. Since this code is widely available, there have been several copies and clones created, including the latest variant. In addition to utilizing distinct traffic patterns and encryption, Google security researchers have pinpointed two methods by which the malware is being spread by hackers, according to their study. The first is using the infected computers' network cables and the second is via the Internet. 

 The first thing to know is that cybercriminals are utilizing phishing emails — unsolicited messages that entice people to download malicious software. One of the earliest examples that was spotted by Google's team involved emails with themes such as "Code of Conduct" which trick users into downloading the attached file, which turned out to be Playfulghost, a nasty infection. 

Another documented case has also been found in which a victim was tricked into opening a malicious image file and when they opened it in the background Playfulghost was automatically installed and activated on their computer from a remote server. Secondly, the malware may also be spread by bundling it with popular VPN apps in a process known as SEO poisoning. This method has been gaining popularity recently among virus creators. Search engine poisoning is the act of manipulating or hacking a search engine to make malicious downloads appear as an official import.
Read more »
Technology
Algorithm Filter Bubble Google Internet SEO Technology

Behind the Search Bar: How Google Algorithm Shapes Our Perspectives

Behind the Search Bar: How Google Shapes Our Perspectives

Search engines like Google have become the gateway to information. We rely on them for everything from trivial facts to critical news updates. However, what if these seemingly neutral tools were subtly shaping the way we perceive the world? According to the BBC article "The 'bias machine': How Google tells you what you want to hear," there's more to Google's search results than meets the eye.

The Power of Algorithms

At the heart of Google's search engine lies an intricate web of algorithms designed to deliver the most relevant results based on a user's query. These algorithms analyze a myriad of factors, including keywords, website popularity, and user behaviour. The goal is to present the most pertinent information quickly. However, these algorithms are not free from bias.

One key concern is the called "filter bubble" phenomenon. This term, coined by internet activist Eli Pariser, describes a situation where algorithms selectively guess what information a user would like to see based on their past behaviour. This means that users are often presented with search results that reinforce their existing beliefs, creating a feedback loop of confirmation bias.

Confirmation Bias in Action

Imagine two individuals with opposing views on climate change. If both search "climate change" on Google, they might receive drastically different results tailored to their browsing history and past preferences. The climate change skeptic might see articles questioning the validity of climate science, while the believer might be shown content supporting the consensus on global warming. This personalization of search results can deepen existing divides, making it harder for individuals to encounter and consider alternative viewpoints.

How Does It Affect People at Large?

The implications of this bias extend far beyond individual search results. In a society increasingly polarized by political, social, and cultural issues, the reinforcement of biases can contribute to echo chambers where divergent views are rarely encountered or considered. This can lead to a more fragmented and less informed public.

Moreover, the power of search engines to influence opinions has not gone unnoticed by those in positions of power. Political campaigns, advertisers, and interest groups have all sought to exploit these biases to sway public opinion. By strategically optimizing content for search algorithms, they can ensure their messages reach the most receptive audiences, further entrenching bias.

How to Address the Bias?

While search engine bias might seem like an inescapable feature of modern life, users do have some agency. Awareness is the first step. Users can take steps to diversify their information sources. Instead of relying solely on Google, consider using multiple search engines, and news aggregators, and visiting various websites directly. This can help break the filter bubble and expose individuals to a wider range of perspectives.

Read more »
US Department Of Justice
Algorithm Data Breach Data Leak Google Google Hacked Google Search History search engine SEO US Department Of Justice

Google Confirms Leak of 2,500 Internal Documents on Search Algorithm

 

In a significant incident, Google has confirmed the leak of 2,500 internal documents, exposing closely guarded information about its search ranking algorithm. This breach was first highlighted by SEO experts Rand Fishkin and Mike King of The Verge, who sought confirmation from Google via email. After multiple requests, Google spokesperson Davis Thompson acknowledged the leak, urging caution against making inaccurate assumptions based on potentially out-of-context, outdated, or incomplete information.  

The leaked data has stirred considerable interest, particularly as it reveals that Google considers the number of clicks when ranking web pages. This contradicts Google’s longstanding assertion that such metrics are not part of their ranking criteria. Despite this revelation, The Verge report indicates that it remains unclear which specific data points are actively used in ranking. It suggests that some of the information might be outdated, used strictly for training, or collected without being directly applied to search algorithms. 

Thompson responded to the allegations by emphasizing Google's commitment to transparency about how Search works and the factors their systems consider. He also highlighted Google's efforts to protect the integrity of search results from manipulation. This response underscores the complexity of Google's algorithm and the company's ongoing efforts to balance transparency and safeguarding its proprietary technology. The leak comes when the intricacies of Google's search algorithm are under intense scrutiny. 

Recent documents and testimony in the US Department of Justice antitrust case have already provided glimpses into the signals Google uses when ranking websites. This incident adds another layer of insight, though it also raises questions about the security of sensitive information within one of the world’s largest tech companies. Google’s decisions about search rankings have far-reaching implications. From small independent publishers to large online businesses, many rely on Google’s search results for visibility and traffic. 

The revelation of these internal documents not only impacts those directly involved in SEO and digital marketing but also sparks broader discussions about data security and the transparency of algorithms that significantly influence online behaviour and commerce. As the fallout from this leak continues, it serves as a reminder of the delicate balance between protecting proprietary information and the public’s interest in understanding the mechanisms that shape their online experiences. Google’s ongoing efforts to clarify and defend its practices will be crucial in navigating the challenges posed by this unprecedented exposure of its internal workings.
Read more »
SEO
Cyber Security digital data emerging asset class fund manager investment Safety SEO

Fund Manager Outlines Digital Data as Rising Asset Class

 

In a recent dialogue, Roundtable host Rob Nelson and Lisa Wade, CEO of wholesale fund manager DigitalX, explored the burgeoning data revolution, discussing the profound implications of data ownership and the transformative potential of Web3 and blockchain technology on traditional economic and investment frameworks.

Nelson initiated the conversation by emphasizing the dawn of the data revolution, highlighting the significant potential and influence of owning personal data. He suggested that as society becomes more aware of this potential, innovative applications of data will emerge, reshaping financial and economic paradigms. This perspective aligns with the growing belief that traditional economic models may soon be supplemented or challenged by new principles driven by advancements in data science and technology.

Wade contributed to the discussion by expressing her enthusiasm for recognizing data as a crucial asset class and the role of Web3 (and potentially Web5) in redefining data ownership. Her insights envisioned a future where individuals have control over their data, disrupting the traditional narrative surrounding data ownership. This shift, she argued, not only empowers individuals but also makes data more attractive for investment, diverging from the current landscape where personal financial information is fragmented and susceptible to online threats.

Additionally, Wade elaborated on DigitalX's innovative investment approach, employing a "universal scoring matrix" that utilizes data asset classifications to develop investment algorithms. This approach symbolizes a shift towards a new financial era where investment strategies are increasingly influenced by network effects and the intrinsic value of cryptocurrencies, rather than conventional metrics such as the Federal Reserve’s risk-free rate.

Referencing a Citigroup report, Wade described the current period as a "financial revolution," emphasizing the transition towards new financial models centered around staking rates within reputable networks. This transition is not merely theoretical but is being put into practice by DigitalX, demonstrating the tangible implications of these concepts on investment strategies and the broader economic landscape.
Read more »
Telegram
Amazon Bitcoin Cybeattacks Cyber Threats CyberCrime Cybersecurity OLVX SEO Telegram

Rise of OLVX: A New Haven for Cybercriminals in the Shadows

 


OLVX has emerged as a new cybercrime marketplace, quickly gaining a loyal following of customers seeking through the marketplace tools used to conduct online fraud and cyberattacks on other websites. The launch of the OLVX marketplace follows along with a recent trend in cybercrime marketplaces being increasingly hosted on the clearnet instead of the dark web, which allows for wide distribution of users to access them and for them to be promoted through search engine optimization (SEO). 

Research conducted by Zerofox cybersecurity researchers discovered that there is a new underground market called OLVX (olvx[.]cc) that was advertising a wide variety of hacking tools for illicit purposes and was linked to a large number of hacking tools and websites. 

Researchers at ZeroFox, who detected OLVX at the end of July 2023, have noted a marked increase in activity on the new marketplace in the fall, noticing that both buyers and sellers are increasing their activity on the marketplace. 

There have been several illicit tools and services offered to threat actors by OLVX since its launch on July 1, 2023. As opposed to the other markets that OLVX operates in, it focuses on providing cyber criminals with tools that they can take advantage of during the 2023 holiday peak season in retail. 

ZeroFox found that OLVX marketplace activity spiked significantly in fall 2023 due to more items selling on the marketplace, and buyers rushing to the new store to purchase those items. OLVX is estimated to be the result of leaked OLUX code from 2020/2021, according to an investigation. 

Post-leak stores use improved versions of OLUX code, even though the old OLUX code is outdated. For better accessibility and better web hosting, OLVX hides the contents of its website on Cloudflare. For customer growth, OLVX does not make use of the dark web; instead, it relies on SEO and forums to grow customers.

For customer support, OLVX runs a Telegram channel to provide support. The company's reputation and earnings are boosted by strong relationships with its customers.  Unlike most other markets of this nature, OLVX does not rely on an escrow service to ensure funds are protected.

Instead, it offers a "deposit to direct payment" system which supports Bitcoin, Monero, Ethereum, Litecoin, TRON, Bitcoin Cash, Binance Coin, and Perfect Money as cryptocurrencies. By doing this, users are encouraged to spend more, because funds are always available, so browsing leads to more frequent purchases for the user. 

To maintain privacy and security, customers who are running low on funds are advised to use time-limited anonymous cryptocurrency addresses to "top-off" their accounts, in order to maintain funds. During the holiday season, OLVX and similar marketplaces thrive as cybercriminal hubs, supplying tools for targeting campaigns to cybercriminals during the colder months. 

On the site, OLVX offers hosting via Cloudflare and advertises DDoS protection through Simple Carrier LLC, which is a substandard hosting provider.  Consumers are increasingly putting their security at risk as they shop. 

OLVX is one of the leading tools that criminals use during the holiday season for illicit activities, making this the time of year when criminals run their heists. Due to the unique nature of the platform, an independent verification team can not verify that the above quality and validity claims are accurate, however, users believe that OLVX's rising popularity and established reputation lend credibility to the majority of the claims. 

Interestingly, Zerofox indicates that fraudulent activity on the platform starts to increase as users get closer to the holiday shopping season, which means that buyers should maintain heightened vigilance so as to avoid scams and identify fraud.
Read more »
website optimization
content creation digital marketing keyword research online presence online strategy search engine ranking SEO Social Media web analytics website optimization

China Issues Warning About Theft of Military Geographic Data in Data Breaches

 

China issued a cautionary notice regarding the utilization of foreign geographic software due to the discovery of leaked information concerning its critical infrastructure and military. The Ministry of State Security, while refraining from assigning blame, asserted that the implicated software contained "backdoors" deliberately designed for unauthorized data access.

Prompted by this revelation, the Chinese government has called upon organizations to conduct thorough examinations for potential security vulnerabilities and incidents of data breaches. Through its official WeChat account, the government emphasized that foreign software had collected data encompassing state secrets, posing a substantial threat to China's national security.

The compromised data reportedly involves precise geographic information and three-dimensional geomorphological mapping crucial to key sectors such as transportation, energy, and the military, as reported by Reuters. Against the backdrop of heightened global tensions, China has prioritized enhancing the security of vital industries, particularly in response to increased geopolitical tensions with Taiwan and ongoing reassurances from the United States to the island nation.

Suspicions surround China's involvement in recent cyberattacks targeting U.S. infrastructure, purportedly aimed at formulating a strategic playbook for potential conflicts between the two superpowers. In parallel, the United States has taken proactive measures to bolster its domestic semiconductor production for military applications. 

Through substantial investments, as outlined in the CHIPS Act, the U.S. aims to establish semiconductor factories across the country, deeming this move crucial for national security. The rationale behind this initiative lies in mitigating the risk of Chinese espionage associated with current semiconductor imports from East Asian production hubs.
Read more »
SEO
Analytics Cybersecurity Google Google URLs Mobile Security SEO

Google Completes Mobile-First Indexing After 7 Years


Google has finally announced that it has completed its mobile-first indexing initiative, which means that it will use the mobile version of websites for indexing and ranking purposes. This is a major change that affects how Google crawls, indexes, and ranks web pages, and it has implications for webmasters, SEOs, and users alike. In this blog post, we will explain what mobile-first indexing is, why it matters, and how you can optimize your website for it.

What is Mobile-First Indexing?

Mobile-first indexing is a process that Google uses to determine which version of a website to use for indexing and ranking. It means that Google will use the mobile version of a website as the primary source of information, and the desktop version as a fallback option. This differs from the previous approach, where Google used the desktop version as the primary source of information, and the mobile version as a secondary option.

Google started experimenting with mobile-first indexing in November 2016 and gradually rolled it out to more and more websites over the years. On October 31, 2023, Google announced that it had completed the switch to mobile-first indexing for all websites and that it would stop using its legacy desktop crawler and remove the indexing crawler information from Google Search Console.

Why Does Mobile-First Indexing Matter?

Mobile-first indexing matters because it reflects the growing importance of mobile devices and user experience. According to Google, more than half of the global web traffic comes from mobile devices, and users expect fast and easy access to information on any device. Therefore, Google wants to ensure that its search results are relevant and useful for mobile users and that its ranking algorithm is aligned with the mobile web.

Mobile-first indexing also matters because it affects how webmasters and SEOs optimize their websites for Google. If a website has different versions for desktop and mobile, or if the mobile version is not optimized for speed, usability, and content, it may suffer from lower rankings and traffic. Therefore, webmasters and SEOs need to make sure that their websites are mobile-friendly and consistent across devices.

How to Optimize Your Website for Mobile-First Indexing?

To optimize your website for mobile-first indexing, you need to follow some best practices that Google recommends. Here are some of them:

  • Use responsive web design, which adapts to the screen size and orientation of the device. This way, you can have one website that works well on both desktop and mobile and avoid having duplicate or conflicting content.
  • Ensure that your mobile version has the same content and functionality as your desktop version and that it is not missing any important information or features. For example, do not hide or remove text, images, videos, or links on mobile, and do not use different URLs or redirects for mobile and desktop.
  • Optimize your mobile version for speed, usability, and accessibility. For example, use compressed images, minified code, and lazy loading techniques to reduce the loading time, use clear and legible fonts, buttons, and menus to improve readability and navigation, and use descriptive and concise titles, headings, and meta tags to enhance the visibility and relevance.
  • Test and monitor your mobile version using Google's tools and resources. For example, use the Mobile-Friendly Test, PageSpeed Insights, and the Lighthouse tools to check the performance and quality of your mobile version, and use the Google Search Console and Google Analytics to track the indexing and traffic of your mobile version. 

What's next for Google?

Mobile-first indexing is a significant milestone for Google and the web industry, as it shows the shift from desktop to mobile as the primary platform for web browsing and searching. It also presents new challenges and opportunities for webmasters and SEOs, who need to adapt their websites to the mobile web and provide the best possible experience for their users. By following the best practices and using the tools that Google provides, you can optimize your website for mobile-first indexing and benefit from the mobile web.

Read more »
User Privacy
Cobalt Strike Malicious Payloads malware PowerShell SEO User Privacy

Gootkit Loader: Targets Victims via Flawed SEO Tactics

 

Gootkit previously concealed dangerous files using freeware installers and now, it is deceiving users to download these files by engineering them as lawful documents. Looking at a flag for a PowerShell script, researchers were able to stop it from doing any harm and from delivering its payload. This approach was discovered through managed extended detection and response (MxDR). 

In order to compromise unwary users, the creators of the Gootkit access-as-a-service (AaaS) virus have reemerged. Gootkit has a history of disseminating threats including the SunCrypt ransomware, REvil (Sodinokibi) malware, Kronos trojans, and Cobalt Strike via fileless tactics.

The discoveries add to a prior report by eSentire, which stated in January that numerous attacks targeted the staff of accounting and law companies to propagate malware on compromised systems.

Gootkit is a tool of the rising underground ecosystem of access brokers, who are well-known for charging money to provide other hackers access to corporate networks, opening the door for real destructive operations like ransomware.
 
Upgraded Tactics

A search engine user initiates the attack chain by entering a specific query. A website infiltrated by Gootkit operators is displayed among the results using a black SEO method used by hackers.

The website is presented to the victim as an online forum that answers his question directly when they visit it. The malicious.js code, which is used to create persistence and inject a Cobalt Strike binary into the target system's memory, was housed in a ZIP download that was made available by this forum.

"The obfuscated script that was run when the user downloaded and accessed this file used registry stuffing to install a section of encrypted codes in the registry and add scheduled tasks for persistence. Then, utilizing PowerShell's reflective loading of the encrypted registry code, the Cobalt Strike binary that runs entirely in memory was rebuilt," reads Trend Micro's analysis.

Experts drew attention to the fact that proprietary text replacement technology has replaced base64 encoding in encrypted registries.

The Cobalt Strike binary loaded straight into the victim's system's RAM has been seen connecting to the Cobalt Strike C2's IP address, which is 89[.]238[.]185[.]13. The major payload of Cobalt Strike, a tool used for post-exploitation actions, is the beacon component.

Defensive measures

This case demonstrates,  that Gootkit is still active and developing its methods. This danger demonstrates that SEO poisoning continues to be a successful strategy for enticing unwary users. 

User security awareness training, which tries to enable people to identify and defend themselves against the most recent risks, is something that organizations can do to help. 

This incident emphasizes the value of round-the-clock supervision. Notably, cross-platform XDR stopped this assault from getting worse since it allowed us to rapidly isolate the compromised system and prevent the threat from causing more harm to the network.
Read more »
Windows
C2C Cyber Security DLL PDF Exploits PowerShell SEO Windows

The Wizard of Deception: Jupyter Infostealer

 

Researchers recently discovered a new variant of SolarMarker, a malware family which is mostly transmitted using SEO manipulation to persuade people into downloading malicious documents. SolarMarker uses defense evasion to extract auto-fill data, saved passwords, and stored credit card information from victims' web browsers. It offers extra features which are unusual to be seen in info stealers, such as file transfer and command execution from a C2 server.

Jupyter packaged itself with legal executables when it was first detected towards the end of 2020. When it was run, it revealed a PowerShell script that had been obfuscated. The threat group is improving layers of stealth and obfuscation, such as loading the Jupyter Dynamic-Link Library (.DLL) into memory rather than writing the file to disk. Now, it is frequently packaged in massive Windows® installer packages (.MSI) which can reach 100 MB in size. 

To further conceal its motives, these packages are still integrated with legitimate software and signed with valid digital certificates. The installer will load and seek to install the bundled genuine application after installation. However, buried deep within the Trojan installer's code is a small, extensively obfuscated, and encrypted PowerShell script which runs in the background. 

Jupyter has masked itself as a variety of programs and installers. The malware's main file extension has been changed to.MSI, and it executes its obfuscated PowerShell script via several techniques. Jupyter is usually hosted on phony downloading websites which pose as real hosts. These websites typically offer a free PDF book. These can be accessed accidently by a victim or via a link in a spam email. 

It is often packaged with freeware software and certified with unrevoked digital certificates, making the installation appear more authentic. When the Windows installer package is loaded, it will present an installer pop-up for the targeted legitimate application, while loading data and running in the background. 

Jupyter has deployed itself in a variety of ways in the past campaign. The malware usually has two primary files: 
  • An executable and a Windows PowerShell script that contains the harmful code.
  • Some Jupyter variants have also dumped a temporary file (.TMP) into the victim’s %AppData%\Roaming\Temp\ directory, to construct the normal content of Jupyter's main malicious PowerShell script. 

PowerShell is used by the virus to conceal and execute its harmful code without ever publishing itself to disk on the victim's PC. It avoids writing to disk by loading Jupyter's DLL into memory reflectively. DLLs are usually injected into a process from a file written to a disk. 

Reflective DLL injection is a technique for injecting code into a victim process directly from memory rather than from disk. Because the fully un-obfuscated malware does not live on disk, it necessitates the creation of a persistence mechanism, such as registry keys that reload the malware when the victim machine boots up. As a result, Jupyter DLL is difficult to both identify and use. 

Jupyter's basic PowerShell may be split down into six different phases or components. Each phase aids in the achievement of a given objective, function, or capability. Though many Jupyter samples follow the same procedures, differences in Jupyter's PowerShell code exist, and certain samples have been observed to work in slightly different methods to achieve the same goals. 

One can make a modest tweak to the attacker's PowerShell script to save the assembly to disk instead of loading it into memory. This will also assist us in comprehending the operation of this version of SolarMarker. One can see the decompiled code, as well as the names of the classes and functions, are incorrect. Instead, they appear to be obfuscated. 

The SolarMarker backdoor is a.NET C2 client which uses an encrypted channel to interact with the C2 server. HTTP is used for communication, with POST requests being the most common. The data is secured with RSA encryption and symmetric encryption using the Advanced Encryption Standard (AES). Internal reconnaissance is carried out by the client, who gathers basic information about the victim's system and exfiltrates it through an existing C2 channel. The infostealer module has a structure that is quite identical to the backdoor module we discussed earlier, but it has more features.

By reading files relevant to the target browser, the SolarMarker infostealer module obtains login data, cookies, and web data (auto-fill) from web browsers. To decrypt the credentials, SolarMarker uses the API method CryptUnprotectData (DPAPI). 

The usefulness of behavior-based detectors in reducing the stay time of threats inside a network has been recognized by the security industry in recent years. 
Read more »
Threat actors
Cyber Security DLL Malicious Sites Microsoft SEO Threat actors

BATLOADER and Atera Agent are Being Distributed Through an SEO Poisoning Campaign

 

A new SEO poisoning campaign is underway, with the purpose of infecting targeted systems with the BATLOADER and Atera Agent malware. It appears to be aimed at professionals looking to download productivity applications such as TeamViewer, Zoom, or Visual Studio. SEO poisoning is a tactic used by hackers in cyberattacks to build up malicious websites loaded with certain keywords that visitors typically seek up in search engines. Then they use various SEO (Search Engine Optimization) techniques to make these appear prominently in search results. 

According to a report by Mandiant researchers, in this malicious SEO campaign, threat actors attack legitimate websites in order to plant compromised files or URLs. Users are thus routed to websites that host malware posing as well-known applications. 

“The threat actor used “free productivity apps installation” or “free software development tools installation” themes as SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped and executed during the software installation process.” said the researchers. 

“This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack chain. And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection,” they added. 

A file called "AppResolver.dll" was discovered in the attack chain as a significant sample. This DLL sample is an internal component of Microsoft's Windows Operating System, but it contains malicious VBScript inserted in such a way that the code signature stays valid. When run on its own, the DLL sample does not execute the VBScript. When ran with Mshta.exe, Mshta.exe locates and executes the VBScript without error. 

This vulnerability is similar to CVE-2020-1599 in that the PE Authenticode signature remains valid after appending HTA compatible scripts signed by any software developer. These PE+HTA polyglot (.hta files) can be used by Mshta.exe to circumvent security solutions that rely on Microsoft Windows code signing to determine whether or not files are trusted. 

In this case, researchers discovered that arbitrary script data was attached to the signature section of a legitimately signed Windows PE file at the end of the ASN.1. As long as the file extension is not '.hta,' the resulting polyglot file retains a valid signature. If this polyglot file is executed with Mshta.exe, the script contents will be successfully executed since Mshta.exe will skip the PE's bytes, locate the script at the end, and execute it.
Read more »
Windows
Adobe Acrobat File Encryption malware PDFs PowerShell SEO Windows

SolarMarker Malware Utilize Cutting-Edge Techniques


The SolarMarker data thief and gateway operators have been identified using devious Windows Registry ways to maintain long-term persistence on infected systems, indicating that the malicious actors are constantly changing strategy and improving defensive mechanisms.

The. NET-based malware, which boasts data harvesting and backdoor capabilities, has been linked to at least three consecutive attack waves in 2021. The first batch revealed in April, employed search engine poisoning to trick business executives by visiting dodgy Google pages which downloaded SolarMarker on users' PCs. In August, the malware was discovered to be stealing accounts and sensitive information from the healthcare and education sectors.

In the following infection chains revealed by Morphisec in September 2021, the usage of MSI installers to assure malware dissemination was observed. SolarMarker's technique begins with users being directed to decoy sites with drop MSI installer payloads which, while downloading ostensibly legitimate software like Adobe Acrobat Pro DC, Nitro Pro, or Wondershare PDFelement, really launch a PowerShell script.

According to cybersecurity firm Sophos, which noticed the new behavior, despite the operation's end in November 2021, remote management implants are still located on targeted networks."Such SEO efforts, which blended Google Groups consultations with deceitful web pages and PDF documents hosted on infected sites, are beneficial, the SolarMarker lures were ordinarily at or near the top of the search engines for phrases the SolarMarker actors targeted," said Sophos researchers Gabor Szappanos and Sean Gallagher. 

To assure persistence, the PowerShell installer modifies the Registry Entries and drops a.LNK file into Windows' starting directory. This unlawful alteration causes the malware to be delivered from an encrypted payload concealed behind a "smokescreen" of 100 to 300 garbage files built particularly for this purpose.

The researchers explained, "Usually, one might assume this associated file to be an operable or script file." "However, the linked file for these SolarMarker operations is one of the random trash files, therefore cannot be performed by itself."

Furthermore, the linked junk file's unique and random file extension is used to build a custom file type key, which is then used to run an Executable from the Registry to run the malware during system startup. The backdoor, on the other hand, is constantly growing, with features that allow it to capture information from online browsers, facilitate bitcoin theft, and run arbitrary instructions and programs, with the results being sent to a remote server.

The backdoor is continually being updated with new capabilities that make it possible to steal data from the web browsers, ease bitcoin theft, and execute arbitrary commands and applications with the results related to a remote server. 
Read more »
WordPress hacks
education sector Financial Data Hotel Malware Attack Ransom SEO Vulnerability and Exploits WordPress hacks

The GootLoader Hackers are After Law Firms and Accounting Firms

 

GootLoader is a piece of initial access malware that allows its operators to install a variety of other malware families, including ransomware, on affected devices. It was first discovered in December 2020. The GootLoader hacking organization has been primarily targeting personnel at law and accounting firms in recent weeks, with the most recent attack occurring on January 6. So far, eSentire claims to have intercepted three such assaults. Potential victims are directed to hacked genuine websites that include hundreds of pages of business-related content, including free document samples for download, but they are instead infected with GootLoader. 

GootLoader is distributed using Drive-By-Download programmes, which are driven by SEO, specifically through Google. The hackers are enticing business professionals to authentic but compromised websites that they have packed with hundreds of pages of content, including multiple connections to business agreements, including legal and financial agreements, in these recent attacks.
 
The content claims to provide free downloads of these documents. eSentire's Threat Response Unit (TRU) discovered that the GootLoader hackers set up over 100,000 malicious webpages marketing various forms of commercial deals during an intensive GootLoader campaign that began last December. 

How are the GootLoader threat actors able to infiltrate reputable websites with hundreds of pages of malicious content? 

Tragically, it is just too simple. Hundreds of legitimate websites employing WordPress as the content management system have been detected by the GootLoader gang. WordPress, like many other content management systems, has several vulnerabilities, which hackers may simply exploit to load websites with as many harmful pages as all without the knowledge of the website owner. These websites, according to the TRU team, encompass a wide spectrum of industries, including hotel, high-end retail, education, healthcare, music, and visual arts. 

"The abundance of content that threat actors have pushed onto the web, when professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google searches," said Keegan Keplinger, TRU's research and reporting lead. 

Three law businesses and an accounting firm were targeted by the cybersecurity services provider, which said it intercepted and demolished the attacks and the victims' identities have not been revealed. Organizations should implement a vetting process for business agreement samples, train staff to open documents only from reputable sources, and confirm that the content downloaded matches the content intended for download.
Read more »
WordPress Plugin
All In One Cyber Security SEO WordPress WordPress Plugin

All In One SEO Plugin Affects Millions of WordPress Websites

 

All in One SEO, a popular WordPress SEO-optimization plugin, contains a combination of security flaws that, when coupled into an exploit chain, might expose website owners to website takeover. 

As per Sucuri researchers, an attacker with an account on the site – such as a subscriber, shopping account holder, or member – can exploit the weaknesses, which is a privilege-escalation bug and a SQL-injection problem. 

“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as a subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.” 

Furthermore, the pair is ideal for straightforward exploitation, thus users must upgrade to the patched version, v. 4.1.5.3. The issues in the plugin utilized by more than 3 million websites, were discovered by Marc Montpas, an Automattic security researcher. 

The more serious of the two issues is the privilege-escalation problem, which affects All in One SEO versions 4.0.0 and 4.1.5.2. It has a significant vulnerability-severity rating of 9.9 out of 10 on the CVSS vulnerability-severity scale, owing to its simplicity of exploitation and the possibility to install a backdoor on the webserver. 

Sucuri researcher indicated that the vulnerability "can be exploited by simply changing a single character of a request to upper-case." 

Fundamentally, the plugin can send commands to different REST API endpoints while also performing a permissions check to ensure that no one is doing anything they are not authorized to do. According to the post, the REST API routes are case-sensitive, thus an attacker only needs to change the case of one character to circumvent the authentication checks. 

“When exploited, this vulnerability can overwrite certain files within the WordPress file structure, effectively giving backdoor access to any attacker,” Sucuri researchers said. “This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.” 

The second bug has a CVSS severity of 7.7 and impacts All in One SEO versions 4.1.3.1 and 4.1.5.2. The problem is on an API endpoint called "/wp-json/aioseo/v1/objects." As per Sucuri, if attackers abused the prior vulnerability to get admin capabilities, they would gain entry to the endpoint and also be capable of sending malicious SQL instructions to the back-end database to collect user passwords, admin information, and other sensitive information. 

In order to safeguard themselves, All in One SEO customers should update to the patched version, researchers advised.
Read more »
Subscribe to: Posts (Atom)