
El Salvador Government is Employing Pegasus to Spy on Journalists

 

The warning came in August 2020. I was instructed to meet him at six o'clock at night in a deserted parking lot in San Salvador by a reliable source. He had my number but didn't want to leave a trail, so he reached me through a friend instead. He instructed me to leave my phone in the car when I got there, stated Nelson Rauda Zablah, a Salvadoran journalist whose work has been featured in the New York Times, the BBC, the Los Angeles Times, and the Economist among other publications. 

Moreover, he informed me as we walked that the negotiations between the president of El Salvador and the renowned MS-13 gang were the reason my colleagues at the Salvadoran news outlet El Faro were being watched. 

Although this may seem like a terrifying movie scene, several journalists from Central America have actually experienced it. Many people in my profession go about their daily lives with the sense that they are being watched, putting their phones away before meetings, utilizing encrypted messaging and email apps, communicating in code, and never sharing their real-time location. 

I wouldn't understand what my source meant in full until more than a year later. Not only were my colleagues being followed as they looked into that story. They had frequently been the targets of Pegasus, a type of weapons-grade espionage software, along with at least 18 other El Faro members, including myself. The shiny new toy of the Israeli spyware company NSO Group is called Pegasus. The Citizen Lab and other forensic analysis firms discovered that the Pegasus attacks in El Salvador began in June 2020 and persisted through November 2021. This technique was used to spy on 35 journalists and members of civil society in total. 

When you have the Pegasus virus, spies essentially have a duplicate of your phone. They have access to everything, including your private photos, texts, transactions, and app choices and usage. I had to take action when the surveillance was detected, which included closing my family group chat and uninstalling my financial apps. 

For journalists, this implies that spies can listen in on all of our phone calls and chats with sources. I was attacked while pursuing and publishing personal footage of President Nayib Bukele's siblings discussing the Bitcoin Law in El Salvador with foreign businessmen before it went into law. As my colleagues Carlos Martínez and Gabriela Cáceres continued to divulge additional information concerning the government's interactions with gangs and a related criminal investigation, they were hacked. I could continue forever. 

After the assaults, journalism has become much more challenging. Several sources jokingly returned our calls after the hacking was made public by wishing any decent people listening to a good day. However, a lot more people only picked up the phone to tell us to stop calling, and the majority of them didn't even answer. One person told me that he now knew why his wife had been let go from her government job, according to a source. I was miserable. Guilty. Powerless. 

Above all else, Pegasus makes you feel helpless. We think the infections in El Faro occurred as a result of a "zero-click exploit," which means we didn't even click on a fake link to let the spies in. Just now, they got in. Get a new phone, and change your number; they'll just break in there, too. 

However, we didn't want to be helpless. We shared our tale with press organizations worldwide. We appeared on TV, attended press conferences, and filed a complaint with the attorney general's office in El Salvador. Therefore, 14 of my coworkers at El Faro and I have chosen to sue NSO Group while being represented by the Knight First Amendment Institute at Columbia University. 

We're not in it for the money, I can tell you that; otherwise, we wouldn't be independent journalists. This is a development of our ongoing efforts in El Salvador to expose corrupt government officials. We are taking this action in the United States because El Salvador's coopted institutions have run out of legal options. 

Additionally, this is not just for us. In April, the Israeli newspaper Haaretz listed over 450 law-abiding men and women from all around the world whose devices had been compromised by NSO Group's Pegasus. Many of them don't reside in nations or occupations where they can file lawsuits. 

However, someone must. Executives of the NSO shouldn't be able to wash their hands after using their apparatus to harm journalists. In a practical sense, NSO let loose the hounds to hunt us down. And now we're retaliating.

Google Blames Spanish Spyware of Exploiting Chrome, Windows, and Firefox Zero-Days


Variston IT Spyware behind an attack on Google

A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by exploiting various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which go back to December 2018. 

Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device." 

Variston has a bare-bones website on which it claims to provide tailor-made security solutions to its customers; it also makes custom security patches for various proprietary systems and assists law enforcement agencies in the discovery of digital information, among other services.

Google's Response 

Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."

The vulnerabilities, which were fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days that let Variston's customers deploy whatever malware they chose on targeted systems. 

What is Heliconia?

Heliconia consists of three components called Noise, Soft, and Files, which deliver exploits against vulnerabilities in Chrome, Windows (Microsoft Defender), and Firefox, respectively. 

Noise is designed to exploit a security flaw in Chrome's V8 JavaScript engine that was fixed in August 2021, combined with an unknown sandbox escape method known as "chrome-sbx-gen", to allow the final payload (also called an agent) to be deployed on selected devices.  

The attack works only when the victim visits a malicious web page set up to trap the user, which then triggers the first-stage exploit. 

Google says it learned of the Heliconia attack framework through an anonymous submission to its Chrome bug reporting program. It added that it currently has no evidence of active exploitation, suggesting the toolset has been retired or has evolved further. 

Google's blog said:

Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.

Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape

Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit

Files: a set of Firefox exploits for Linux and Windows.

Cryptojacking Campaign Exploits OneDrive Vulnerability, Can Deploy Spyware and Ransomware Too


New cryptojacking campaign

Cryptojacking is becoming a nightmare for consumers and enterprises, and threat actors have started using various techniques to deploy cryptojackers on victims' systems. In a recent development, cybersecurity software developer Bitdefender found a cryptojacking campaign exploiting a Microsoft OneDrive vulnerability to gain access to compromised devices and run on them undetected. 

The Bitdefender report says:

"OneDrive was specifically chosen in this attack because it permits the actor to achieve easy persistence. Adding OneDrive to startup is an action done by the dropper malware, but even if it did not do so, OneDriveStandaloneUpdater.exe is by default scheduled to execute each day. Of the detections we received, 95.5% came from OneDriveStandaloneUpdater.exe loading the malicious secur32.dll."

From May 1 to July 1, Bitdefender identified around 700 users impacted by the campaign. The campaign operates using four cryptocurrency mining algorithms (Ton, XMR, Ethash, and Etchash). It makes an average of $13 worth of cryptocurrency per compromised device.

Cryptojacking uses OneDrive sideloading bug

Cryptojacking is the unauthorized use of computing resources to mine cryptocurrency. The threat actors in the recent cryptojacking campaign used a DLL sideloading vulnerability in OneDrive by writing a fake secur32.dll file. After the file is loaded into the OneDrive process, the fake secur32.dll downloads open-source cryptocurrency mining software and injects it into legitimate Windows processes. 

Sideloading is, broadly, running code that has not been approved by the developer of the machine's operating system. DLL files are collections of small routines that a larger program can call to perform tasks outside its core functionality. 

The campaign also uses Spyware, Ransomware

While the OneDrive sideloading campaign has so far been used only for cryptojacking, DLL sideloading is also used to deploy ransomware or spyware. Moreover, because cryptocurrency mining is resource-intensive, victims quickly notice degraded CPU and GPU performance, increased energy consumption, and overheating, and these problems can ruin expensive hardware. 

OneDrive's updater is, by default, scheduled to run daily, and the threat actors behind the latest cryptojacking campaign were also found to make the OneDrive.exe process run after a reboot, even if the user had shut it down. The attackers use this method to gain persistence. In roughly 95% of the detections, it was the scheduled updater run that loaded the malicious secur32.dll. 

"Given that the “per machine” installation method may not be suitable for all environments and privilege levels, user caution should be one of the strongest lines of defense against commodity malware. Bitdefender recommends that users ensure their AVs and operating systems are up to date, to avoid cracked software and game cheats, and to download software from trusted locations only" (Bitdefender report).
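A defender-side check for the pattern described in this post, written here as an added example (it is not Bitdefender's code, nor anything from the campaign): it reads Sysmon-style ImageLoad (Event ID 7) records exported as JSON lines and flags any well-known Windows DLL, secur32.dll among them, that a process loads from a directory outside System32 or SysWOW64, which is exactly the OneDrive sideloading the report describes. The sample events, the user name in the paths, and the DLL names on the watchlist other than secur32.dll are constructed assumptions; the rule deliberately generalizes beyond OneDrive to any process loading such a DLL from a user-writable path.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Union

# DLL names that Windows ships in its system directories. A copy of one of these
# loaded from anywhere else is the sideloading pattern the report describes.
# secur32.dll is the name given in the report; the other two are assumed
# additions that show the rule is not specific to OneDrive.
WATCHED_DLLS = {"secur32.dll", "version.dll", "cryptsp.dll"}

# The only directories from which those DLLs should legitimately be loaded.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed sample events in the shape of Sysmon Event ID 7 (ImageLoad)
# records exported as JSON lines. The user "alice" and all paths are invented.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "ImageLoaded": "C:\\Windows\\System32\\secur32.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\secur32.dll", "Signed": "false", "Signature": "-"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\secur32.dll", "Signed": "false", "Signature": "-"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"}
"""


def is_under(path: Union[str, PureWindowsPath], root: Union[str, PureWindowsPath]) -> bool:
    """True if `path` lies beneath `root`. Windows paths are case-insensitive,
    so compare lower-cased path components rather than raw strings."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return parts[: len(root_parts)] == root_parts


def classify_load(event: Dict) -> Optional[Dict]:
    """Return a finding for one event, or None if the event is not an
    ImageLoad of a watched DLL from outside the system directories."""
    if event.get("EventID") != 7:
        return None  # only image-load events carry the DLL path
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in WATCHED_DLLS:
        return None
    if any(is_under(loaded, d) for d in SYSTEM_DIRS):
        return None  # loaded from System32/SysWOW64: the legitimate copy
    return {
        "process": PureWindowsPath(event["Image"]).name,
        "dll": loaded.name.lower(),
        "loaded_from": str(loaded.parent),
        # Sysmon records Signed as the string "true"/"false"; tolerate bools too.
        "signed": str(event.get("Signed", "")).lower() == "true",
    }


def scan(jsonl_text: str) -> List[Dict]:
    """Parse JSON-lines event text and collect sideloading findings, skipping
    blank or malformed lines rather than aborting the whole scan."""
    findings: List[Dict] = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_load(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = "UNSIGNED" if not f["signed"] else "signed"
        print(f"[sideload] {f['process']} loaded {f['dll']} from {f['loaded_from']} ({flag})")
```

On the constructed sample the scan yields two findings, both for the user-profile copy of secur32.dll: one loaded by OneDriveStandaloneUpdater.exe (the scheduled-task path the report attributes most detections to) and one by OneDrive.exe. The first event, where the same updater loads the real secur32.dll from System32, is correctly ignored, which is the distinction a detection rule needs in order to avoid alerting on every OneDrive update.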


Fake Tor Browser Containing Spyware Targets Chinese Residents

 

Kaspersky threat analysts have unearthed multiple infections via malicious Tor Browser installers propagated via a Chinese-language YouTube video regarding the dark web. 

Dubbed OnionPoison, the malicious campaign targeted users located in China, where the Tor Browser is banned. Hence, internet users in China often attempt to download the Tor browser from third-party websites. 

“Most of the affected users were from China,” Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said in findings published this week. “As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. And cybercriminals are keen on spreading their malicious activity via such resources.” 

The Chinese-language YouTube channel has more than 180,000 subscribers, and the video has been viewed more than 64,000 times. It is a damaging discovery for Tor Browser users, since Tor is an anonymity-focused browser often used as a gateway to the dark web. 

Chinese residents use the browser to bypass Beijing’s extensive surveillance and censorship technologies, which are linked with the country’s strict intolerance of political dissent. 

Tor, named for The Onion Router, was originally designed by the US Naval Research Laboratory as a way for government agencies to communicate securely. It relies on a network of volunteer-run servers that route internet traffic through a series of encrypted tunnels. 

The researchers warn that the trojanized version of the browser acts differently from the normal version by storing browsing history and data entered into website forms. It also includes a library compromised with spyware that allows the hackers to scan “exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities.”

The best way to avoid OnionPoison is to download Tor from the official website or, if that is not viable, to verify the installer's digital signature when it comes from a third-party site. 

“Regardless of the actor’s motives, the best way to avoid getting infected with OnionPoison implants is to always download software from official websites. If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures,” the researchers added. 

Modified Tor versions have been employed previously by nation-state hackers. In 2019, security experts at the Slovakian-based cybersecurity firm ESET unearthed a version designed to siphon cryptocurrency from Russian residents.

Iranian Hackers Employ Novel RatMilad Spyware to Target Enterprise Android Users

 

Earlier this week, threat analysts at mobile security firm Zimperium Inc. zLabs detailed a newly unearthed form of Android spyware leveraged to target enterprise devices in the Middle East. 

Dubbed “RatMilad,” the original version of the spyware was identified hiding behind a VPN and phone number spoofing app called Text Me. After discovering the spyware, the researchers also spotted a live sample of the malware family distributed through NumRent, an updated version of Text Me.

According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app via links on social media and communication tools like Telegram, luring unsuspecting users into sideloading the app and granting it extensive permissions. Moreover, fraudsters have designed a product website to distribute the app and trick users into believing that it is an authentic app. 

Since the malicious app can trick users into granting a broad range of permissions, it can gain access to sensitive device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages. 

"Once installed and in control, the attackers could access the camera to take pictures, record video, and audio, get precise GPS locations, view pictures from the device, and more," Zimperium researcher Nipun Gupta stated.

Additionally, the hackers can access the camera and microphone of the device, which allows them to record audio/video and capture photos. Other features include collecting clipboard data, SIM information, and performing read/write activities. 

The scale of the infections is unknown, but the cybersecurity firm said it identified the spyware during a failed compromise attempt on a user's enterprise device. A post published on a Telegram channel employed to distribute the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating limited reach.

"The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security," Richard Melick, director of mobile threat intelligence at Zimperium, explained. "From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix." 

Prevention tips 

The easiest method to avoid falling victim to fake Android apps employed to propagate spyware and malware is to download new apps from official app stores like the Google Play Store, the Amazon Appstore, and the Samsung Galaxy Store. 

Additionally, users are advised to scan any app that is sideloaded onto a device, since sideloading increases the mobile attack surface and leaves data and users at risk.

Pegasus: Spyware Attacks Target Journalists and Activists

 

Phones of at least two journalists and a human rights defender were hacked and accessed with the Pegasus spyware between 2019 and 2021, during the term of current President Andrés Manuel López Obrador, despite the government's guarantee that it would no longer be using the spyware technology.
 
The findings were made by Citizen Lab, a digital watchdog group based at the University of Toronto’s Munk School of Global Affairs and Public Policy. It confirmed that the spyware was Pegasus, made by Israel’s NSO Group. Reportedly, Pegasus, which is sold to governments and law enforcement agencies, broke into the victims’ phones and gave its operators access to their devices. 
 
President López Obrador said in a 2021 statement that there was “no longer any relation” with Pegasus. In addition, Mexico’s financial crime chief stated that the administration had not signed contracts with companies that procured the spyware.
 
“This new report definitively shows that Mexico’s President Andrés Manuel López Obrador can no longer hide behind blaming his predecessor for widespread use of Pegasus in Mexico [...] Mexican authorities must immediately and transparently investigate the use of Pegasus and other spyware to target journalists during his administration, as well as push for more regulations to end the use of this technology against the press once and for all,” stated CPJ’s Mexico representative, Jan-Albert Hootsen.
 
The President’s statement promising that the country would not use the spyware was followed by a dozen media organizations revealing that the phone numbers of at least 50 people linked to the Mexican president, popularly known as AMLO, had been leaked. These people included his wife, children, and doctor, and the leaked database was at the heart of the Pegasus Project, an investigation into NSO.
 
The phone of an anonymous journalist at the online outlet Animal Politico was infected by the spyware in 2021. Journalist Ricardo Raphael, a columnist at the news magazine Proceso and the newspaper Milenio Diario who had previously been infected in 2016 and 2017, was attacked with Pegasus at least three more times: in October and December 2019 and in December 2020. 

Citizen Lab reported that the recent attacks differ in numerous ways from the previous ones, including the use of zero-click exploits instead of malicious e-mails and messages intended to trick the targets into clicking links that trigger the infection. 
 
In regards to the recent attacks, Citizen Lab stated, “These latest cases, which come years after the first revelations of problematic Pegasus targeting in Mexico, illustrate the abuse potential of mercenary spyware in a context of flawed public accountability and transparency. Even in the face of global scrutiny, domestic outcry, and a new administration that pledged to never use spyware, the targeting of journalists and human rights defenders with Pegasus spyware continued in Mexico.”

Report: Mexico Continued to Utilize Spyware Against Activists

 

Despite President Andrés Manuel López Obrador's pledge to end such practices, the Mexican government or army is said to have continued to use spyware designed to hack into activists' cellphones. 

Press freedom groups say they discovered evidence of recent attempts to use the Israeli spyware programme Pegasus against activists investigating human rights violations by the Mexican army. A forensic investigation by the University of Toronto group Citizen Lab confirmed the Pegasus infection. 

The targets included rights activist Raymundo Ramos, according to a report by the press freedom group Article 19, The Network for the Defense of Digital Rights, and Mexican media organisations. Ramos has spent years documenting military and police abuses, including multiple killings, in Nuevo Laredo, a drug cartel-dominated border city. In 2020, Ramos' cellphone was apparently infected with Pegasus spyware.

“They do not like us documenting these types of cases, for them to be made public and have criminal complaints filed,” Ramos said.

Other victims in 2019 and 2020 included journalist and author Ricardo Raphael and an unnamed journalist for the online media outlet Animal Politico. 

According to Daniel Moreno, director of Animal Politico, "if the president didn't know, that is very serious because it means the army was spying on him without his consent. If the president was aware, it would be extremely serious."

López Obrador took office in December 2018 with the promise of ending government spying. The president claimed that as an opposition leader, he had been subjected to government surveillance for decades. Lopez Obrador said in 2019, in response to questions about the use of Pegasus, “We are not involved in that. Here we have decided not to go after anybody. Before, when we were in the opposition, we were spied on.”

According to the report, the Mexican army requested price quotes for surveillance programmes from companies involved in the distribution of Pegasus, which the company claims is only sold to governments. The hacker group Guacamaya discovered army documents containing requests for price quotes from 2020, 2021, and 2022.

Because of the nature of their work and the timing of the espionage, the victims of the spyware attacks assumed the military was to blame. Leopoldo Maldonado, the director of Article 19, stated, “All of this indicates two possible scenarios: the first, that the president lied to the people of Mexico. The second is that the armed forces are spying behind the president’s back, disobeying the orders of their commander in chief.”

When reached for comment, a spokesman for Mexico's Defense Department stated that there was no immediate response to the allegations. In 2021, a Mexican businessman was arrested on suspicion of spying on a journalist with the Pegasus spyware, but the Israeli spyware firm NSO Group distanced itself from him. In Mexico, the businessman has long been described as an employee of a company that acted as an intermediary in spyware purchases.

According to López Obrador's top security official, two previous administrations spent $61 million on Pegasus spyware. The NSO Group has been linked to government surveillance of political opponents and journalists all over the world. 

"NSO's technologies are only sold to vetted and approved government entities," as per the company.

Mexico had the largest list — approximately 15,000 phone numbers — of more than 50,000 reportedly selected for potential surveillance by NSO clients.

López Obrador has relied on the military more and given it more responsibilities than any of his predecessors, from building infrastructure to overseeing seaports and airports. This has sparked concern that the Mexican army, which has traditionally avoided politics, is becoming a force unto itself, with little oversight or transparency.

7-year Android Malware Campaign Targeted Uyghurs: Report

 

A long-running surveillance and espionage campaign targeting one of China's largest ethnic minority groups has been revealed by researchers. Palo Alto Networks discovered the "Scarlet Mimic" group in 2016, which was initially spotted targeting Uyghur and Tibetan rights activists. 

Although the Chinese government has long oppressed and spied on these and other minority groups in the country, no direct attribution of this group's activities to Beijing is currently available. Check Point explained in a new report this week that Scarlet Mimic's mobile malware dates back to 2015. 

“The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected devices, even perform calls or send an SMS and track their location in real-time,” said Check Point.

“This makes it a powerful and dangerous surveillance tool. This tool also allows audio recording of incoming and outgoing calls, as well as surround recording.”

Check Point has since identified 20 variants of the MobileOrder Android spyware, the most recent of which was discovered in mid-August of this year.

The malware is thought to be hidden in applications with Uyghur-language titles and disguised as PDF documents, photos, or audio. According to Check Point, it is spread through social engineering rather than being made available on the Google Play Store.

“When the victim opens the decoy content, the malware begins to perform extensive surveillance actions in the background. These include stealing sensitive data such as the device information, SMS messages, the device location, and files stored on the device,” the report continued.

“The malware is also capable of actively executing commands to run a remote shell, take photos, perform calls, manipulate the SMS, call logs and local files, and record the surround sound.”

Check Point advised anyone who might be a victim of this campaign to install anti-malware software on their device, use a VPN, and avoid clicking on suspicious links.

"Scarlet Mimic seems to be a politically motivated group. In the past, there have been reports from other researchers that it could be linked to China,” the vendor concluded.

“If true, it would make these surveillance operations part of a much wider issue, as this minority group has reportedly been on the receiving end of attacks for many years.”

This week, Beijing is on the defensive at the United Nations after a long-awaited report from the UN Human Rights Office confirmed evidence of serious human rights violations against Uyghur and other ethnic minority groups in Xinjiang.

Greek Intelligence Service Admits to Surveillance of Journalist


The head of Greek intelligence informed a parliamentary committee that his agency had spied on a journalist, two sources present said, in a revelation that comes amid pressure on the government to disclose information about the use of surveillance malware. 

The committee's recent hearing was called after the leader of the socialist opposition PASOK party filed a complaint with the prosecutor alleging that his phone had been bugged with spyware. 

Reuters reports: "Predator spyware can extract passwords, files, photos, and contacts and activate a phone's camera and microphone, enabling surveillance of conversations nearby. Last year when the allegation was reported by Greek media, left-wing SYRIZA, Greece's largest opposition party, asked for the parliamentary committee to convene to look into the matter."

At the 29 July hearing, the chief of the EYP intelligence service told the parliamentary institutions and transparency committee that his service had kept tabs on Thanasis Koukakis, a financial journalist working for CNN Greece. Lawmakers say that he admitted to the surveillance. 

Giannis Oikonomou denied that the authorities had used the spyware deployed in the hacking of Koukakis and denied doing any business with the companies selling it. The government, he said, has nothing to hide and has asked the justice system to investigate the cases properly. 

He added that, without crossing into technophobia, such malware does pose a threat and must be tackled effectively.

Intelligence services in democratic countries routinely face pressure to be transparent: from lawmakers seeking to prevent abuse and improve performance, from public concern about the authorities' use of spyware, and, in a few countries, from the need to publicize their work to improve recruitment. 

Reuters says the agencies argue they must balance those demands with the need for secrecy, since much of their work to keep their countries safe should remain classified to protect sources. 

In April, a Greek prosecutor began an investigation into an allegation by Koukakis that his smartphone had been infected by surveillance software. 

The European Union regards using spyware against journalists as unacceptable. 


Austrian Firm DSIRF Under Investigation for Allegedly Developing Spyware

 

The Austrian government announced last week it was investigating a firm based within the nation’s territory for allegedly designing spyware targeting law firms, banks, and consultancies across Europe and Central America. 

The news comes after researchers at Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) linked a hacking group called Knotweed to an Austrian surveillance firm named DSIRF, known for multiple Windows and Adobe zero-day exploits. 

"Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama," the researchers stated, without identifying the victims. 

The researchers found the Subzero malware (associated with CVE-2022-22047) deployed in 2021 and 2022 to hack a broad range of phones, computers, and other internet-connected devices. Additionally, multiple pieces of evidence were identified linking DSIRF to Knotweed’s operation, including the C2 infrastructure used by Subzero and a code signing certificate issued to DSIRF that was used to sign an exploit. 

According to the researchers, private sector offensive actors (PSOAs) such as DSIRF make their living either by selling full end-to-end hacking tools to the purchaser – much as the Israeli spyware firm NSO operates – or by conducting offensive hacking operations themselves. 

Austria’s interior ministry said it is not aware of any incidents and has no business relationship with the company.

“Of course, DSN (the National Security and Intelligence Directorate) checks the allegations. So far, there is no proof of the use of spy software from the company mentioned,” reads a statement published by Austria’s interior ministry. 

The Austrian media outlet Kurier confirmed that DSIRF makes the Subzero surveillance software, but added that it had not been misused and was developed exclusively for use by authorities in EU states; the newspaper also said the spyware was not commercially available. 

According to a report by the German news site Netzpolitik, DSIRF promotes Subzero as a ‘next generation cyber warfare’ tool. It can access passwords to hijack devices and reveal user locations. Another slide in that presentation listed multiple uses for the spyware, including counter-terrorism and targeting human-trafficking and child-pornography rings.

Spyware Group ‘Knotweed’ Employs Windows and Adobe Bugs to Target Firms Worldwide

 

Microsoft has unearthed an Austrian “cyber mercenary” group employing Windows and Adobe exploits to target organizations with spyware since at least 2021. 

Security analysts at Microsoft’s Threat Intelligence Center and Security Response Center said the organization is a private-sector offensive actor (PSOA) called Decision Supporting Information Research Forensic (DSIRF), which Microsoft tracks under the codename Knotweed. 

The cyber-weapons broker has launched multiple attacks on law firms, banks, and strategic consultancies in countries across the globe via spyware — dubbed Subzero — that allows its users to remotely and silently infiltrate a victim’s computer, phone, network infrastructure, and internet-linked devices.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure, and internet-connected devices," Microsoft said in a blog post. 

DSIRF promotes Subzero as a “next generation cyber warfare” tool that can secure full control of a victim’s PC, steal passwords and disclose its real-time location, according to a copy of an internal presentation released by Netzpolitik, a German news website, in 2021. 

The report claims that DSIRF, which reportedly has links to the Russian state, promoted its tool for use during the 2016 U.S. presidential election. The German government was also considering the purchase and use of Subzero to enhance its cyber defense. 

Microsoft said it has issued a software update to address the vulnerabilities it identified. The tech giant has also released detection signatures for the malware to shield Windows users from the exploits Knotweed was using to deliver it. 

More action is needed on a broader level, given that DSIRF will not be the last PSOA to target organizations, as Microsoft researchers explained in a brief sent to Congress on Wednesday. 

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," researchers explained. "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

 

Cybersecurity researchers have revealed previously unknown malware targeting Apple's macOS operating system. The malware, nicknamed CloudMensis by the Slovak cybersecurity firm ESET, is reported to use popular cloud storage services such as pCloud, Yandex Disk, and Dropbox exclusively as channels for receiving operator commands and exfiltrating files. 

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé stated in a published report. 

CloudMensis was found in April 2022. It is written in Objective-C and built to run on both Intel and Apple silicon. The initial infection vector and the targets are still unknown; however, the malware's limited distribution suggests it is being used as part of a carefully targeted operation against organisations of interest. 

ESET traced an attack chain in which code execution and administrative privileges are used to launch a first-stage payload, which in turn retrieves and runs a second-stage malware hosted on pCloud; that stage exfiltrates documents, screenshots, and email attachments, among other things. 

The first-stage downloader is also known to wipe evidence of Safari sandbox-escape and privilege-escalation exploits from 2017 that used four since-patched security flaws, implying that CloudMensis may have gone undetected for many years. The implant also includes functionality to circumvent Transparency, Consent, and Control (TCC), the macOS security mechanism that requires every programme to obtain user permission before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes. 

It does so by exploiting another patched security flaw, CVE-2020-9934, which was discovered in 2020. The backdoor also lets its operators list running processes, capture screenshots, enumerate files on removable storage devices, and run shell commands and other arbitrary payloads. 

Furthermore, an examination of information from the cloud storage infrastructure reveals that the pCloud accounts were established on January 19, 2022, with compromises beginning on February 4 and spiking in March. 

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Hackers Used Fake LinkedIn Job Offer to Steal $625M

 

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

In May 2022 the United States issued an advisory warning that highly skilled North Korean hackers were seeking employment by posing as IT freelancers. The Axie Infinity attack was socially engineered: the North Korean government-backed hacking group Lazarus got into Sky Mavis' network by sending one of the company's employees a PDF file carrying malware. Lazarus' involvement in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. That company did not exist.

During the fake recruitment process, the ex-employee disclosed sensitive personal information that the attackers then used to steal from the organisation. According to the company, Sky Mavis' staff are regularly targeted by sophisticated spear-phishing attempts on multiple social networks; in this case, one person who no longer works at Sky Mavis was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack Ronin, the Ethereum-linked proof-of-authority sidechain behind Axie Infinity, had nine validators. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To gain control of the network, the attacker needed to seize five of the nine validators. The malware-laced PDF gave the attacker control of four validators and access to the community-run Axie DAO (Decentralized Autonomous Organization), through which they gained control of the fifth. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, a total of $625 million in crypto. 

Since then, the Ronin sidechain has increased its number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US administration attributes the attack to the well-known North Korean hacking group Lazarus, which specialises in such operations. This is hardly Lazarus' first foray into the blockchain sector; what is unusual is Lazarus using social engineering to infiltrate a company's network. Indeed, the Slovak internet security company ESET warned LinkedIn users in June 2020 about Lazarus' involvement in an elaborate LinkedIn recruiting scam targeting the military and aerospace industries.

'Hermit' Spyware Deployed in Syria, Kazakhstan, and Italy



Lookout Inc. has discovered enterprise-grade Android surveillanceware being used by the authorities operating within Kazakhstan's borders. Lookout researchers also identified evidence of the spyware, called "Hermit," being used in Italy and northern Syria. 

Researchers obtained a sample of Hermit in April 2022, four months after a series of violently suppressed nationwide protests against government policies. According to Lookout, the spyware was most likely produced by the Italian surveillance vendor RCS Lab S.p.A together with Tykelab Srl, a telecommunications solutions company accused of acting as a front company. 

RCS Lab competes in the same market as Pegasus creator NSO Group Technologies and Gamma Group, the maker of FinFisher, and is a well-known developer with previous dealings with governments such as Syria. This appears to be the first time that a modern RCS Lab mobile spyware client has been publicly disclosed. 

The spyware is said to be spread via SMS messages that trick users into installing what appear to be harmless apps from Samsung, Vivo, and Oppo. When launched, the app loads a website belonging to the impersonated company while silently starting the kill chain. 

This is not the first spyware to target Android smartphones. The threat actor APT-C-23 (aka Arid Viper) was linked to a series of attacks on Middle Eastern users with new FrozenCell versions in November 2021. Last month, Google's Threat Analysis Group (TAG) revealed that government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are purchasing Android zero-day exploits for covert surveillance campaigns. 

According to Lookout, the samples studied used a Kazakh-language website as a decoy, and the main command-and-control (C2) server used by the app was a proxy, with the true C2 located on an IP address in Kazakhstan. "They call themselves 'lawful intercept' organizations since they claim to only sell to customers with legitimate surveillance purposes, such as intelligence and law enforcement agencies. Under the pretext of national security, similar technologies have been used to phish on corporate executives, human rights activists, journalists, academics, and government officials," the researchers said. 

The revelations came as the Israel-based NSO Group is rumored to be in talks to sell its Pegasus technology to US defense contractor L3Harris, which makes StingRay cellular phone trackers, raising concerns it could allow law enforcement to deploy the controversial hacking tool.

Emotet Malware: Shut Down Last Year, Now Showing a Strong Resurgence

 

The notorious Emotet malware operation is exhibiting a strong resurgence more than a year after being effectively shut down. Check Point researchers put the Windows malware at the top of their list as the most commonly deployed malware in a March threat index, threatening or infecting as many as 10% of organisations around the world during the month, an almost unbelievable figure and more than double that of February. 

Now, according to Kaspersky Labs, a swiftly accelerating and sophisticated spam email campaign is luring targets with fraudulent emails designed to trick them into unpacking and installing Emotet or Qbot malware, which can steal data, gather information on a compromised corporate network, and move laterally through it to install ransomware or other trojans on networked computers. 

Qbot, which is associated with Emotet's operators, is also capable of accessing and stealing emails, Kaspersky's email threat protection group manager Andrey Kovtun stated in a blog post this week. In February, Kaspersky counted 3,000 malicious Emotet-linked emails, rising to 30,000 a month later, in languages including English, French, Italian, Polish, Russian, and Spanish. 

Kovtun wrote, "Some letters that cybercriminals send to the recipients contain a malicious attachment. In other cases, it has a link which leads to a file placed in a legitimate popular cloud-hosting service. Often, malware is contained in an encrypted archive, with the password mentioned in the e-mail body." 

The spam email often claims to include essential information, such as a commercial offer, in order to persuade the recipient to open the attachment or download the harmful file via the link. "Our experts have concluded that these e-mails are being distributed as part of a coordinated campaign that aims to spread banking Trojans," he wrote further. 

Cryptolaemus, a group of security researchers and system administrators formed more than two years ago to combat Emotet, announced on Twitter this week that one of the botnet subgroups has switched from 32-bit to 64-bit for loaders and stealer modules, indicating continued development by the botnet's operators. Emotet has quickly climbed back into the malware world's upper echelons. Europol, together with police from the United States, Germany, the United Kingdom, and Ukraine, completed a multinational takedown of the primary botnet deploying Emotet in February 2021. Raids on the accused operators' houses in Ukraine were part of the operation. 

The raid, according to Europol, substantially disrupted Emotet's operations, which had been used to infiltrate thousands of firms and millions of computers around the world. However, in publishing its March threat index, Check Point Research stated that Emotet resurfaced in November 2021 and has gained traction since the Trickbot botnet infrastructure was shut down in February. It is once again the most common malware. 

The researchers wrote, "This was solidified even further [in March] as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities. These emails were sent to victims all over the world with one such example using the subject 'Buona Pasqua, happy easter,' yet attached to the email was a malicious XLS file to deliver Emotet." 
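As an added defender-side example (not from Kaspersky, Check Point or the original post), the Python below triages constructed sample emails for the two lure traits described above: a password-protected archive whose password is quoted in the body, and a seasonal subject carrying an Office attachment. The header-patching helper, the regexes and the sample addresses are this example's own.

```python
"""Triage heuristic for the Emotet/Qbot lure pattern described above.
Flags a password-protected archive with its password in the body, or a
seasonal lure subject with an Office attachment. Samples are constructed."""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Body phrases that hand the recipient the archive password (constructed list).
PASSWORD_RE = re.compile(r"\b(password|passwort|mot de passe|contrase[nñ]a)\b\s*[:=]?\s*\S+", re.I)
# Subject fragments from the Easter-themed wave (constructed list; extend per season).
LURE_SUBJECT_RE = re.compile(r"buona pasqua|happy easter", re.I)
OFFICE_EXT = (".xls", ".xlsm", ".doc", ".docm")


def archive_is_encrypted(data: bytes) -> bool:
    """True if any member of a ZIP archive has the encryption bit (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> list:
    """Return the lure indicators found in one RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if LURE_SUBJECT_RE.search(str(msg.get("Subject", ""))):
        reasons.append("seasonal lure subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_content()
        if name.endswith(OFFICE_EXT):
            reasons.append("office attachment " + name)
        if isinstance(payload, bytes) and payload.startswith(b"PK\x03\x04"):
            if archive_is_encrypted(payload):
                reasons.append("encrypted archive " + name)
                if PASSWORD_RE.search(text):
                    reasons.append("archive password quoted in body")
    return reasons


def encrypted_zip(member: str, content: bytes) -> bytes:
    """Constructed sample: a ZIP whose headers carry the encryption flag.
    Only the flag is set (content stays in the clear); triage reads flags only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    data = bytearray(buf.getvalue())
    # General-purpose flag: offset 6 in local headers, offset 8 in central directory.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        while i != -1:
            data[i + off] |= 0x1
            i = data.find(sig, i + 4)
    return bytes(data)


def build_message(subject, body, filename=None, payload=None, subtype="octet-stream") -> bytes:
    """Constructed sample message with an optional attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


SAMPLE_LURE = build_message("Re: commercial offer", "Please review the attached.\nPassword: 2022\n",
                            "offer_0423.zip", encrypted_zip("offer.doc", b"not a document"), "zip")
SAMPLE_EASTER = build_message("Buona Pasqua, happy easter", "See attached.",
                              "card.xls", b"\xd0\xcf\x11\xe0", "vnd.ms-excel")
SAMPLE_BENIGN = build_message("Lunch on Friday?", "Are you free at noon?")
```

Running `triage()` over the three samples yields the two lure findings for the first, the subject and Office-attachment findings for the second, and nothing for the benign message.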

Google Researchers: 'Zero-Day’ Hacks Hit Record in 2021

 

Following a year marked by high-profile ransomware attacks and supply-chain hacks, Google researchers have uncovered another alarming cyber milestone for 2021: a record number of "zero-day" exploits. A zero-day exploit targets a previously undisclosed flaw, one that gives software developers exactly 0 days to fix it before it is used. As a result, such flaws are extremely lucrative to hackers and a disaster for cyber-security experts. 

According to a report released Tuesday (April 19) by Google's Project Zero, a team of specialist bug hunters, attackers exploited a total of 58 zero-day flaws affecting key software suppliers in 2021, compared with 25 in 2020 and 21 in 2019. This is the largest number of zero-days recorded since Project Zero began tracking them in 2014. 

Ms Maddie Stone, a security researcher at Project Zero, stated in a blog post about the findings that the trend could be attributed to improved detection and disclosure by companies like Microsoft, Apple, and Google, which now publicly report the zero-days they find, rather than to a spike in hacks. 

Hackers have used the approach in recent years to install powerful spyware on smartphones, which has then been used to spy on journalists, lawmakers, human rights activists, and others. Last year, suspected Chinese state-sponsored hackers used such vulnerabilities to compromise Microsoft Exchange servers. 

Ms Stone of Google stated that the data contained some surprises. Despite the recent attention on spyware abuse, cyber-security researchers are still finding very few of the zero-days used to exploit messaging apps. 

She wrote, "We know that messaging applications like WhatsApp, Signal, Telegram, etc are targets of interest to attackers and yet there's only one messaging app, in this case, iMessage, zero-day found this past year." 

Since 2014, the team has discovered two such flaws, one in WhatsApp in 2019 and the other in iMessage in 2021. According to Ms Stone, the majority of individuals on the planet are not at risk of being targeted by a zero-day attack. 

Nonetheless, she believes that such attacks have a widespread influence. "These zero-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful."

Vidar Spyware Exploits Microsoft Help Files to Bypass Detection

 

Vidar spyware has been discovered in a new phishing campaign that exploits Microsoft HTML help files. The spyware is hidden in Microsoft Compiled HTML Help (CHM) files to bypass detection in email spam campaigns, Trustwave cybersecurity expert Diana Lopera stated. 

Vidar is Windows spyware and an information stealer capable of harvesting user data, data on the operating system, cryptocurrency account credentials, and payment details such as credit card numbers. 

While threat actors often distribute malware via spam and phishing campaigns, Trustwave researchers have also uncovered the C++ malware being deployed via the pay-per-install PrivateLoader dropper, and the Fallout exploit kit. 

According to researchers, threat actors employ the age-old strategy of tricking people into downloading seemingly innocent files that are actually malicious. The malicious emails carry a generic subject line and an attachment, "request.doc," which is actually an .iso disk image. The .iso contains two files: a Microsoft Compiled HTML Help file (CHM), often named pss10r.chm, and an executable named app.exe. 

CHM is Microsoft's compiled help format, used to package and view documentation and help files. The compressed HTML container can carry images, tables and links. When malicious actors abuse CHM, they can use the format to make Microsoft Help Viewer (hh.exe) load and run CHM objects. 

When the malicious CHM file is opened, an embedded JavaScript snippet silently executes app.exe; as long as both files sit in the same directory, this launches the Vidar payload. 

The Vidar samples gathered in this campaign locate their command-and-control (C2) server via Mastodon, a multi-platform open-source social networking system: the malware looks up specific profiles and reads C2 addresses out of the profile bio sections. This lets the spyware build its configuration and start exfiltrating user data. 
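As an added example, not part of Trustwave's write-up or the original post, the Python below shows the process-telemetry check a defender would write for the launch chain just described: hh.exe spawning an executable from the same directory as the CHM it opened. The field names and the sample events are constructed for this illustration.

```python
"""Detection logic for the hh.exe -> app.exe launch pattern described above.

Input is process-creation telemetry (the fields below mirror what Sysmon
event 1 or an EDR export carries; the dict keys are this example's own).
Sample events are constructed, not taken from the campaign.
"""
import re
from pathlib import PureWindowsPath

# Matches a quoted or bare .chm argument on the help viewer's command line.
CHM_ARG_RE = re.compile(r'"([^"]+\.chm)"|(\S+\.chm)', re.I)


def chm_from_cmdline(cmdline: str):
    """Return the .chm path that hh.exe was asked to open, or None."""
    m = CHM_ARG_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def classify(event: dict):
    """Return 'high', 'medium' or None for one process-creation event.

    high   : hh.exe spawned an executable from the same directory as the CHM
             it was opening (the .iso layout of this campaign: pss10r.chm next
             to app.exe).
    medium : hh.exe spawned anything else; the help viewer rarely has child
             processes, so this is worth a look.
    """
    if PureWindowsPath(event["parent_image"]).name.lower() != "hh.exe":
        return None
    child = PureWindowsPath(event["image"])
    chm = chm_from_cmdline(event.get("parent_cmdline", ""))
    # PureWindowsPath equality is case-insensitive, as NTFS paths are.
    if chm and PureWindowsPath(chm).parent == child.parent:
        return "high"
    return "medium"


def scan(events):
    """Return (severity, child image) for every event that matches."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["image"]))
    return hits


# Constructed sample telemetry: the mounted .iso shows up as drive E:.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\hh.exe",
     "parent_cmdline": r'"C:\Windows\hh.exe" E:\pss10r.chm',
     "image": r"E:\app.exe", "cmdline": r"E:\app.exe"},
    {"parent_image": r"C:\Windows\hh.exe",
     "parent_cmdline": r'"C:\Windows\hh.exe" "C:\Program Files\Tool\help.chm"',
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start https://example.invalid"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe",
     "image": r"E:\app.exe", "cmdline": r"E:\app.exe"},
]

if __name__ == "__main__":
    for sev, image in scan(SAMPLE_EVENTS):
        print(sev, image)
```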

To protect yourself against this campaign, strictly follow the standard precautions against email spam, such as verifying the source of an email before downloading any attachments. It is also a good idea to run reputable antivirus software on your PC. 

"Since this Vidar campaign utilizes social engineering and phishing, ongoing security awareness training for your staff is essential. Organizations should also consider implementing a secure email gateway for 'defense in depth' layered security in order to filter these types of phishing attacks before they even get to any inboxes," stated Karl Sigler, Trustwave threat intelligence manager. 

"Vidar itself is an information stealer type of malware. It grabs as much data as it can from the victim's system, sends it back to the attackers, and then deletes itself. This includes any local password stores, web browser cookies, crypto wallets, contact databases, and other types of potentially valuable data."

PseudoManuscrypt Malware Proliferating Similarly as CryptBot Targets Koreans

 

Since at least May 2021, a botnet known as PseudoManuscrypt has been targeting Windows workstations in South Korea, using the same delivery methods as another malware known as CryptBot. 

South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published, "PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot and is being distributed. Not only is its file form similar to CryptBot but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen."
  
According to ASEC, approximately 30 computers in the country are compromised per day on average. PseudoManuscrypt first came to light in December 2021, when Russian cybersecurity firm Kaspersky revealed details of a "mass-scale spyware attack campaign" that had infected over 35,000 PCs in 195 countries around the world. 

The PseudoManuscrypt attacks, first observed in June 2021, targeted a large number of industrial and government institutions, including military-industrial complex firms and research institutions in Russia, India, and Brazil, among others. The primary payload module has a wide range of spying capabilities, giving the attackers virtually complete control over the compromised device. These include stealing VPN connection data, recording audio with the microphone, and capturing clipboard contents and operating system event log data. 

Additionally, PseudoManuscrypt can contact a remote command-and-control server run by the attacker to carry out tasks such as downloading files, executing arbitrary commands, logging keystrokes, and capturing screenshots and videos of the screen. 

The researchers added, "As this malware is disguised as an illegal software installer and is distributed to random individuals via malicious sites, users must be careful not to download relevant programs. As malicious files can also be registered to service and perform continuous malicious behaviours without the user knowing, periodic PC maintenance is necessary."

Malware Seller Faces Charges for Peddling WhatsApp Espionage Tools

 

The US Justice Department (DoJ) reported that Mexican businessman Carlos Guerrero pleaded guilty in federal court to brokering spyware and hacking tools to clients in the United States and Mexico.

Authorities accused Guerrero of facilitating the sale of monitoring and surveillance technologies to both Mexican government users and private customers for commercial and personal purposes. Guerrero "knowingly arranged" for a Mexican mayor to obtain access to a political rival's email and social media accounts, according to the investigators. Guerrero also utilized the technology to listen in on the phone calls of a rival from the United States who had been in Southern California and Mexico at the time. 

Guerrero is also suspected of assisting a Mexican mayor in gaining unlawful access to a rival's iCloud, Hotmail, and Twitter accounts, according to the Department of Justice's news release. In another case, a sales representative's phone and email data were hacked, and he had to pay $25,000 to regain the information. The accused also used the devices to eavesdrop on his rival's phone calls in Mexico and Southern California. Guerrero's company, Elite by Carga, imported surveillance technology and espionage tools from unnamed Israeli, Italian, and other companies. 

Guerrero operated as a broker for an undisclosed Italian business, referred to only as Company A in the indictment, which sold bugging devices and tracking tools between 2014 and 2015. The organization is thought to be Hacking Team, a now-bankrupt Milan-based maker of offensive intrusion tools which was itself breached in 2015, with its emails leaked online, including a cache of messages related to Guerrero. 

Pegasus, the powerful mobile spyware created by Israeli company NSO Group, which can obtain near-complete access to a target's smartphone, is among the most prominent and widely reported surveillance software used in Mexico. Over the last two decades, Mexico has spent $61 million on such contracts, with targets primarily journalists, activists, and human rights defenders. According to a leaked list of phone numbers suspected to be NSO surveillance targets, Mexico has the most targets of any country on the list, around 700 phones, which NSO has consistently denied.

Guerrero's information director Daniel Moreno, who is frequently mentioned in the Hacking Team emails, is expected to enter a similar plea in the coming weeks.

Pay-to-Play PrivateLoader Disseminates Smokeloader, Redline & Vidar Malware

 

An investigation into a pay-per-install loader has revealed its role in distributing well-known malware families including Smokeloader and Vidar. 

Intel 471 issued a report on PrivateLoader on Tuesday, analyzing cyberattacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for some time, but it is unclear who is responsible for its creation. Loaders are used to deploy additional payloads on a target machine. 

PrivateLoader is offered to criminal customers on a per-install basis, with payment based on the number of victims infected. It is managed through a set of command-and-control (C2) servers and an AdminLTE 3-based administrator panel. 

Adding new users, configuring the loader to install a payload, picking target regions and nations, setting up payload download links, encryption, and selecting browser extensions for infecting target devices are all available through the front-end panel. 

The loader is mainly distributed through websites that offer pirated software. Cracked copies of popular software, sometimes bundled with key generators, are illegal versions that have been modified to bypass licensing or payment. On these websites, the download buttons for cracked software are wired to JavaScript that delivers the payload in a .ZIP archive. 

According to the cybersecurity firm's findings, the archive contains a malicious executable; running that .exe triggers malware including a fake GCleaner loader reseller, PrivateLoader, and Redline. 

Since at least May 2021, the PrivateLoader module has been used to run Smokeloader, Redline, and Vidar. Smokeloader, the best known of these families, is a separate loader that can also be used for data theft and reconnaissance; Redline specializes in credential theft, while Vidar is spyware that can steal a variety of data types, including passwords, documents, and digital wallet details. 

A distribution link for Smokeloader also signals a possible connection to the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots. 

Although PrivateLoader isn't particularly linked to the distribution of ransomware, a loader associated with it, known as Discoloader, has been used in assaults aimed at spreading the malware. 

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."