Search This Blog

Showing posts with label Trojan Attacks. Show all posts

Analysis of Cyberthreats Linked to Gaming Industry in 2022

 

In 2022, the global gaming industry will surpass $200 billion, with 3 billion players worldwide, predicts the analytical firm Newzoo. Such committed, solvent and eager-to-win viewers have become a bit of trivia for botnets, that always look for ways to deceive their victims. 

According to data gathered by Kaspersky between July 2021 and July 2022, dangerous files that propagated through the misuse of gaming brands were mostly related to Minecraft (25%), FIFA (11%), Roblox (9.5%), Far Cry (9.4%), and Call of Duty (9%).

In specific, the report reviewed the most widespread PC game–related threats and statics on miner breaches, attacks disguised as game frauds, and thefts. Also, it examined several most energetic malware groups, offering them detailed, in-depth features.

In aspects of annual dynamics, Kaspersky reveals seeing a decline in both the quantities of distribution (-30%) and the number of users (-36%) compared to 2020.

Further, in the first half of 2022, Kaspersky said those who witnessed a notable increase in the number of consumers threatened by schemes that can deceive secret info, with a 13% increase over the first half of 2021.

In the same period, hackers also amplified their attempts to expand Trojan–PSW: 77% of secret-stealing spyware infection cases have been linked to Trojan–PSW.

A few recent cases of concealing malware in software encouraged as game frauds, installers, keygens, and the games themself are the following:
  • Minecraft alt lists on videogames forums dropping Chaos ransomware
  • NPM packages masquerading as Roblox libraries conveying malware and password stealers
  • Microsoft Store copies of games with malware loaders
  • Valorant cheats elevated via YouTube falling info-stealing malware
The cause why hackers exploit game titles to entice people is mainly the massive targeted pool, as the exploited game titles capture the interest of tens of millions of players.

A few instances of fake in-game item stores that copied the originals are highlighted by Kaspersky. These stores conned gamers into paying for stuff they would never receive while also phishing their login information.

Some users find the cost of games itself to be prohibitive and turn to pirated versions instead. Other games are being developed in closed beta, which excludes many potential players and forces users to look for alternate access points. Hackers take advantage of these circumstances by selling fraudulent, pirated beta testing launchers.

In terms of threat variants, Kaspersky reported that little had changed since last year in the environment that impacts gamers, with downloaders (88.56%) topping the list of harmful and unwanted software that is disseminated using the names of well-known games. Trojans (2.9%), DangerousObject (0.86%), and Adware (4.19%) are the next three most prevalent threats.

Finally, many developers advise users to disable antivirus software before installing game-related mods, cheats, and tools because many of them are created by unofficial one-person projects and may trigger false positive security detections.

As a result, players may disregard AV alerts and run malicious programs that have been found on their systems. Downloaders dominate because they can pass internet security checks without incident while still retrieving riskier payloads later on when the user runs the program.

Kaspersky claims that information thieves, cryptocurrency miners, or both are frequently dumped onto the victim's PC. As always, only download free software from reputable websites and exercise caution when doing so.

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites was made to take advantage of an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability that affects Kaswara Modern WPBakery Page Builder Addons, when exploited, gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or instead gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider claims to have halted 443,868 attacks on client websites per day and strives to do the same till date. Daily, on average, 443,868 tries are made.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax/php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate Javascript files to reroute users to dangerous websites including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==" or if these files themselves contain the "; if(ndsw==" string.

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, a bulk of them wasn't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

 GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 connections. Experts also discovered PingPull variations that communicate with each other using HTTPS and TCP rather than ICMP.

Gallium, a Chinese advanced Trojan horse (APT), has an ancient legacy of cyberespionage on telecommunications companies, dating back to 2012. In 2017, the state-sponsored entity, also called Soft Cell by Cybereason, has been linked to a broader range of attacks aimed at five major Southeast Asian telecom businesses. However, during the last year, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 

A threat actor can use PingPull, a Visual C++-based virus, to gain access to a reverse shell and run unauthorized commands on a compromised computer. File operations, detailing storage volumes, and timestamping files are all part of it now. 

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 

PingPull variants that use HTTPS and TCP rather than ICMP to interact with its C2 server have been discovered, along with over 170 IP addresses associated with the company since late 2020. Although the threat actor is recognized to exploit internet-exposed programs to acquire an initial foothold and deploy a customized form of the China Chopper web shell to create persistence, it's not obvious how the targeted networks are hacked. 

Throughout Southeast Asia, Europe, and Africa, the GALLIUM trojan continues to pose a serious danger to telecommunications, finance, and government organizations. It is recommended all businesses use the results of researchers to inform the implementation of protective measures to guard against this threat group, which has deployed a new capability called PingPull in favor of its espionage efforts.

Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale operation of Clipminer, a new cryptocurrency mining virus that netted its users at least $1.7 million in transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and harvest cryptocurrency on affected computers. Researchers were taken aback by the new malware because it had fast grown in size by the time it was discovered. According to the Symantec team, these operations involved 4375 bitcoin wallet addresses that received stolen monies from victims.

Downloads or pirated software, are used to spread malware; malicious clipminer botnet files are distributed over torrent sites and other pirating methods. This bitcoin miner can be installed on the machine as a WinRAR archive, which will immediately start the extraction process and launch the control panel file, leading to the download of the dynamic link library. 

The infected DLL creates registry values and installs malware in several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner's payload can be downloaded and installed afterward. The system receives identification, which is sent on to the C&C server, which then sends out a request for the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has been successfully executed, scheduled actions are set up to ensure the malware's persistence. To avoid re-infecting the same host, registry modification is also performed.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Ever since the malware has spread over P2P networks, torrent indexers, YouTube videos, and through game and pirated software cracks. To avoid becoming infected with Clipminer or other malware, avoid downloading software from unknown sources. Verify the entered cryptocurrency wallet address before initiating the transaction to protect yourself from a clipboard hijacker.

Over 467 Apps Hit by the ERMAC 2.0 Android Banking Trojan

 

The ERMAC Android banking virus has been updated to version 2.0, increasing the number of apps targeted from 378 to 467, allowing attackers to steal account passwords and crypto wallets from a much greater number of apps.

Threatfabric researchers found ERMAC in July 2021, notably it is based on the well-known banking trojan Cerberus. Cerberus' source code was released in September 2020 on underground hacking forums after its operators failed an auction. The trojan's goal is to send stolen login credentials to threat actors, who then use them to gain access to other people's banking and cryptocurrency accounts and commit financial or other crimes.

ERMAC is currently available for subscription to members of darknet sites for $5,000 a month, that is a $2k increase over the first release's price, indicating the boost in features and popularity. A bogus Bolt Food application targeting the Polish market is the first malware campaign to use the new ERMAC 2.0 virus. According to ESET researchers, the threat actors disseminated the Android software by impersonating a reputable European food delivery business on the "bolt-food[.]site" website. This phony website is still active. 

Phishing emails, fraudulent social media posts, smishing, malvertising, and other methods are likely to lead users to the false site. If users download the program, they will be confronted with a request for complete ownership of private data.

Following ESET's early discovery, Cyble researchers examined the malware. ERMAC determines whether programs are installed on the host device before sending the data to the C2 server. The answer contains encrypted HTML injection modules which match the application list, which the virus decrypts and saves as "setting.xml" in the Shared Preference file. When the victim tries to run the real program, the injection operation takes place, and a phishing page is displayed on top of the original one. The credentials are forwarded to the same C2 that is responsible for the injections.

The following commands are supported by ERMAC 2.0:

  • downloadingInjections — sends the application list for injections to be downloaded.
  • logs — this command sends the injection logs to the server.
  • checkAP — check the status of the application and transmit it to the server. 
  • registration – sends information about the device.
  • updateBotParams — sends the bot parameters that have been updated.
  • downloadInjection — this function is used to download the phishing HTML page. 

EMAC 2.0 targets financial apps from all over the world, making it appropriate for use in a wide range of nations. A large number of apps supported makes this a dangerous piece of malware, but it's worth mentioning that it would have issues in Android versions 11 and 12, thanks to extra limits implemented by Google to prevent misuse of the Accessibility Service.

Three Malware Fileless Phishing Campaigns: AveMariaRAT / BitRAT /PandoraHVNC

 

A phishing effort that was distributing three fileless malware onto a victim's device was detailed by cybersecurity experts at Fortinet's FortiGuard Labs. AveMariaRAT, BitRAT, and PandoraHVNC trojan viruses are spread by users who mistakenly run malicious attachments delivered in phishing emails. The viruses are dangerously capable of acquiring critical data from the device.
 
Cybercriminals can exploit the campaign to steal usernames, passwords, and other sensitive information, such as bank account numbers. BitRAT is particularly dangerous to victims because it can take complete control of infected Windows systems, including viewing webcam activity, listening to audio through the microphone, secretly mining for cryptocurrency that is sent to the attackers' wallet, and downloading additional malicious files.

The first phishing mail appears to be a payment report from a reputable source, with a brief request to view a linked Microsoft Excel document. This file contains dangerous macros, and when you open it, Microsoft Excel warns you about using macros. If the user disregards the warning and accepts the file, malware is downloaded. The malware is retrieved and installed onto the victim's computer using Visual Basic Application (VBA) scripts and PowerShell. For the three various types of malware that can be installed, the PowerShell code is divided into three pieces. This code is divided into three sections and employs the same logic for each virus: 
  • A dynamic mechanism for conducting GZip decompression is included in the first "$hexString." 
  • The second "$hexString" contains dynamic PowerShell code for decompressing the malware payload and an inner.Net module file for deploying it. 
  • The GZip-compressed malware payload is contained in the "$nona" byte array. The following PowerShell scripts are retrieved from the second $hexString and are used to decompress the malware payload in $nona and to deploy the malware payload into two local variables using the inner.Net module. 
The study doesn't explain as to why the phishing email contains three malware payloads, but it's conceivable that with three different types of malware to deploy, the cybercriminals will have a better chance of gaining access to whatever critical information they're after. 

Phishing is still one of the most prevalent ways for cyber thieves to deliver malware because it works – but there are steps you can take to avoid being a victim. Mysterious emails claiming to offer crucial information buried in attachments should be avoided, especially if the file requires users to allow macros first. Using suitable anti-spam and anti-virus software and training workers on how to recognize and report phishing emails, businesses may help workers avoid falling victim to phishing emails.

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.

Hackers in Dprk use Trojanized DeFi Wallet App to Steal Bitcoin

 

North Korean government-linked hackers have now been circulating a trojanized version of a DeFi Wallet for holding bitcoin assets to obtain access to cryptocurrency users' and investors' systems.

Securing economic benefits is one of the primary motives for the Lazarus threat actor, with a focus on the cryptocurrency industry. The Lazarus group's targeting of the financial industry is increasing as the price of cryptocurrencies rises and the appeal of the non-fungible asset (NFT) and decentralized finance (DeFi) enterprises grows.

In this attack, the threat actor used web servers in South Korea to distribute malware and communicate with the implants that had been placed. Kaspersky Lab researchers recently identified a malicious version of the DeFi Wallet software that installed both the legal app and a backdoor disguised as a Google Chrome web browser executable. When the trojanized DeFi application was launched on the machine, it introduced a full-featured backdoor with a compilation date of November 2021. It's unknown how the hackers spread the word, but phishing emails or contacting victims through social media are both possibilities. 

Although it's not clear how the threat actor persuaded the victim to run the Trojanized program (0b9f4612cdfe763b3d8c8a956157474a), it is believed they used a spear-phishing email or social media to contact the victim. The Trojanized application initiates the previously unknown infection technique. This installation package masquerades as DeFi Wallet software, but it actually contains a legal binary that has been packed with the installer. 

The virus installed in this manner, as per the researchers, has "sufficient capabilities to manage" the target host by issuing Windows commands, uninstalling, starting or killing processes, enumerating files and related information, or connecting the computer to a particular IP address. 

The malware operator can also collect relevant data (IP, name, OS, CPU architecture) and the discs (kind, free space available), files from the command and control server (C2), and retrieve a list of files stored in a specified area using additional functionalities. According to Japan CERT, the CookieTime malware group known as LCPDot has been linked to the DPRK operation Dream Job, which enticed victims with phony job offers from well-known firms. 

Google's Threat Analysis Group (TAG) revealed recent activity related to Dream Job earlier this month, finding North Korean threat actors used a loophole for a zero-day, remote code execution bug in Chrome to aim at people working for media, IT companies, cryptocurrency, and fintech companies. "The CookieTime cluster has linkages with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the Lazarus organization," Kaspersky adds. 

The links between the current trojanized DeFiWallet software and other malware attributed to North Korean hackers go beyond the virus code to the C2 scripts, which overlap many functions and variable names. It's worth mentioning that Lazarus is the umbrella name for all state-sponsored North Korean threat operations. Within the DPRK, however, several threat groups are operating under different institutions/departments of the country's intelligence establishment. 

Mandiant analysts prepared an evaluation of the DPRK's cyber program structure using data collected over 16 months from its digital activity tracking for the entire country, OSINT monitoring, defector reporting, and imaging analysis. Targeting bitcoin heists is certainly within the scope of financially motivated units inside the country's Reconnaissance General Bureau's 3rd Bureau (Foreign Intelligence), according to their map (RGB).   

Spyware Infests the Microsoft Store with Classic Game Pirates

 



Electron Bot, a malware which infiltrated Microsoft's Official Store via clones of popular games like Subway Surfer and Temple Run, infected approximately 5,000 machines in Sweden, Israel, Spain, and Bermuda. 

Check Point discovered and studied the malware, which is a backdoor to give attackers unlimited control over infected PCs, allowing for remote command processing and real-time interactions. The threat actors' purpose is social media promotion and fraud, which is done by gaining control of social media profiles where Electron Bot allows for new account registration, commenting, and liking. 

An initial Electron Bot variant was uploaded to the Microsoft Store as "Album by Google Photos," published by a faked Google LLC business, and the operation was identified at the end of 2018. The malware, which is named after the Electron programming language, can mimic natural browsing behavior and perform acts as if it were a real website visitor. It accomplishes this by opening a new hidden browser window with the Electron framework's Chromium engine, setting the relevant HTTP headers, rendering the requested HTML page, and lastly performing mouse actions.

Threat actors develop rogue websites and employ search engine optimization strategies to push them to the top of the search results in an SEO poisoning campaign. SEO poisoning is also offered as a service to increase other websites' ranks, in addition to boosting bad sites' SEO rankings. The infection chain starts when the user downloads one of the infected apps from the Microsoft Store, which is otherwise a reliable source of software. When the application is launched, a JavaScript dropper is dynamically loaded in the side to fetch and install the Electron Bot payload. 

The malware links to the C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws. com or 11k[.]online), acquires its configuration, and implements any commands in the pipeline at the next system startup. The JS files dumped on the machine's RAM are relatively short and appear to be benign because the major scripts are loaded flexibly at run time. 

Fraud, fleece wear, and financial trojans abound in official app shops. The Xenomorph banking malware was recently found by ThreatFabric, and the most humorous has to be Vultur, a trojan hidden inside a fully functional two-factor authentication (2FA) app which recently infected 10,000 people who downloaded it from Google Play. 

The successful entry of Electron Bot into Microsoft's official app store is only the most recent example of how consumers throw precaution into the breeze whenever a user views a bright new toy on the apps.

BazarBackdoor Abused Windows 10 Application Feature in 'Call me back' Attack

 

In a new phishing campaign spreading the BazarBackdoor malware, a Microsoft Windows 10 app feature is being exploited.

On Thursday, Sophos Labs experts reported that the attack was detected when spam emails were sent to the cybersecurity firm's own employees — but these emails weren't just any spam; they were written with at least a minimal amount of social engineering. 

One of the emails, from the non-existent "Adam Williams," a "Sophos Main Manager Assistant," requested to know why a researcher hadn't addressed a customer's complaint. The email also included a PDF link to the message to make resolution easy. The link, however, was a hoax that demonstrated a "new" approach for spreading the BazarBackdoor malware. 

Sophos researcher Andrew Brandt explained, "In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft's Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever's on the other end of that link." 

Sophos stated to be "unfamiliar" with this strategy, which involves exploiting the Windows 10 App installation process to transmit malicious payloads. The phishing bait directs prospective victims to a website that uses the Adobe brand and invites them to click on a button to preview a PDF file. When users move the mouse over the link, the prefix "ms-appinstaller" appears. 

This link then links to a text file called Adobe.appinstaller, which in turn points to a larger file called Adobe_.7.0.0_x64appbundle, which is hosted on a different URL. A warning notification appears and a notice that software has been digitally signed with a certificate issued several months ago. (The certificate authority has been notified of the misuse by Sophos.) 

The victim is then urged to approve the installation of "Adobe PDF Component," and if they comply, the BazarBackdoor malware is installed and launched in seconds. BazarBackdoor is similar to BazarLoader in that it connects via HTTPS, but it is distinguished by the volume of noisy traffic it creates. BazarBackdoor can exfiltrate system data and has been connected to Trickbot and the probable deployment of Ryuk ransomware. 

Brandt stated, "Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates."

New Trojan Attack Campaign Prompted by Pegasus Spyware

 

An unexplored Sarwent Trojan is being distributed by a threat organization via a bogus Amnesty International website that claims to protect customers from the Pegasus smartphone spyware. 

The operation is intended towards those who feel they have been attacked by the NSO Group's Pegasus spyware and thus are tied to nation-state action, according to Cisco Talos security analysts, but Talos is yet to identify the exact threat actor. 

Pegasus is a piece of spyware created by the Israeli cyber arms firm NSO Group which can be loaded secretly on smartphones (and other devices) running most versions of iOS and Android. According to the disclosures from Project Pegasus 2021, the existing Pegasus program can attack all recent iOS versions up to iOS 14.6. Pegasus could intercept text messages, track calls, gather passwords, monitor position, access the target device's camera and microphone, and collect data from apps as of 2016. 

Despite the claims regarding authorized utilization, Pegasus - a contentious surveillance software technology has been allegedly used by tyrannical governments in operations targeting journalists, human rights activists, as well as other opponents of the state. 

Soon after the release of a comprehensive Amnesty International report on Pegasus in July of this year, as well as Apple's dissemination of updates for the ForcedEntry zero-day exploit, several users started exploring ways of protecting themselves from the spyware that was exploited by adversaries. 

On a bogus website that I identical to Amnesty International, the malicious actors claim to be delivering "Amnesty Anti Pegasus," an anti-virus tool that can allegedly guard against NSO Group's malware. 

Alternatively, customers are given the Sarwent remote access tool (RAT), which allows attackers to easily upload and run payloads on compromised PCs, as well as extract relevant and sensitive data. 

Despite its low intensity, the attack has struck individuals in the United States, the United Kingdom, Colombia, the Czech Republic, India, Romania, Russia, and Ukraine, as per Cisco Talos. 

“Given the current information, we are unsure of the actor’s objectives. The use of Amnesty International’s name, a group whose work frequently puts it at odds with governments around the world, as well as the Pegasus brand, malware that has been used to target dissidents and journalists on behalf of governments, raises questions about who is being targeted and why,” according to Cisco Talo. 

The campaign's adversary seems to be a Russian speaker who has been using Sarwent to target patients from different walks of life all across the globe since at least January 2021. The malicious actors have been using the Trojan and one with a comparable backdoor since 2014, according to security experts.

QakBot (QBot) Campaign: A thorough Analysis



Trojan-Banker QakBot, also known by the names - QBot, QuackBot, and Pinkslipbot, is a modular information stealer that has been active for almost 14 years. With the key agenda of stealing banking credentials, QakBot employs various tools to evade detection and hamper manual analysis. The authors have developed the trojan with an aggressive sophistication that allows its variants to essentially deploy additional malware, create a backdoor to infected systems, and log user keystrokes. 

Typically, QakBot attacks contain MS Office Word documents that are deployed via phishing emails constructed to trick the user into accessing it. However, in 2020, some of the QakBot campaigns featured ZIP attachments that contained macros within the word document enclosed in the ZIP file. These macros are configured to trigger the execution of a PowerShell script that further downloads the QBot payload from selected internet addresses. 

Spoofing the Victim: Opening the QBot Infected Word Doc 

The word document which carries a malicious macro, once accessed by the victim, leads him to the Word Program on his system wherein he is asked to click on "Enable Content" shown in a yellow-colored dialogue box appearing right below the header. It reads "Security Warning" in bold letters. Once the user clicks onto it, it spoofs him into believing that it is taking its time to load data as another gray-colored dialogue box appears, reading "Loading data. Please wait..."

However, behind the scenes, the malicious Macro is being executed. As a part of the process, the Macro creates a folder in which it attempts to download the QakBot payload; it's placed in 5 different places. Referencing from the 5 corresponding URLs, it could be easily concluded that they all were constructed with the same website builder, which possibly has an exploit that lets EXE files being uploaded onto it with a PNG extension.

In one of its previous campaigns, upon running, QBot replaced the original binary with a duplicate 'Windows Calculator app: calc.exe'. Then, it scanned the installed programs, compared process names to a blacklist, examined registry entries, and inspected hardware details to eventually look for a virtualization software like VMware or VirtualBox. If QBot fails to detect a virtualization software, it copies the legitimate executable into a folder; it disguises itself as a signed valid certificate. After setting the executable in place, QBot schedules a task to run the executable every 5 hours. Once the execution is completed, an explorer.exe process is launched by QBot, the code of the same is injected into the process' memory. QBot can also execute additional processes employing double process mechanisms. 

In order to safeguard against the ever-evolving threat of QakBot, experts recommend organizations provide training to their employees who could come up with alternative solutions when automated intrusion-detectors fail.

Turkey Dog Activity Continues to use COVID Lures

 

A year into the pandemic, Turkey Dog-related activity is ongoing with campaigns that keep on utilizing the "free internet" lures. These current campaigns use lure pages that guarantee cash payments of thousands of Turkish Lira, implying to be attached to the Turkish government. For instance, as indicated by Google Translate, a page states, "Final Phase Pandemic Support Application - 3,000TL State Support for All Applicants!" Another highlights a picture of Turkish Minister of Health Dr. Fahrettin Koca's and guarantees 1,000 lira for "everybody applying!" 

A portion of the lure pages, use whos.amung.us scripts for tracking purposes. RiskIQ's Internet Intelligence Graph, utilizes unique identifiers associated with these scripts to associate numerous Turkey Dog domains. For example, a RiskIQ crawl of pandemidesteklerim[.]com noticed the whos.amung.us ID loaded on the page, which was seen on 431 hosts since April 26, 2020. They additionally found a Google Analytics tracking ID associated with 52 Turkey Dog domains since October 25, 2020. 

In May 2020, threat researcher BushidoToken created a blog pulling together multiple indicators, some showing up as early as April 2020, from researchers following Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), which follow a malware-as-a-service model, steal client credentials to access bank accounts. Profoundly beguiling, they can overlay over other applications (dynamic overlays), capture keystrokes, SMS harvest and send, call forward, and access other sensitive information across the gadget. 

RiskIQ regularly crawls malignant app circulation URLs dependent on different internal and external feeds, they can directly notice the lure pages utilized by noxious Android applications. The mobile application landscape is likely overflowing with Turkey Dog mobile applications. A quick search for blacklisted samples of one known Turkey Dog APK, "edestek.apk" yields 90 outcomes from as many unique Turkey Dog URLs. Every one of the 90 of these samples can read, receive, and send SMS messages, allowing them to circumvent SMS two-factor authentication. Large numbers of them can likewise record audio, perform full-screen overlays to introduce a bogus login page for harvesting banking credentials, and download additional software packages.

After a year, cybercriminals keep on utilizing the COVID-19 pandemic as a lure for victims. Turkey Dog activity has gone on unabated for quite a long time, likely guaranteeing a huge gathering of victims and isolating them from their banking login credentials and other sensitive information.

Cybercriminals Spreading Node.js Trojan Promising Relief from the Outbreak of COVID-19


A java downloader going by the extension “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar” has been recently detected. Drawing inferences from its name, researchers suspected it to be associated with COVID-19 themed phishing attacks.

Running this file led to the download of an undetected malware sample that is written in Node.js; Node.js is an open-source, cross-platform, Javascript runtime environment that executes Javascript code outside of a browser and as it is primarily designed for web server development, there's a very less probability of it being already installed onto systems.

The trojan that is suspected of employing the unconventional platform for bypassing detection has been labeled as 'QNodeService'. The malware has been designed to perform a number of malicious functions including uploading, downloading, and executing files.

It is also configured to steal credentials stored in web browsers and perform file management etc. Currently, the malware appears to be targeting Windows systems only, however, the code signifies a potential for 'cross-platform compatibility', researchers concluded a possibility of the same being a 'future goal' for cybercriminals.

Cybercriminals are devising new methods all the time to design malware such as trojans to infect as many machines as possible without getting noticed.

To stay on a safer side, users are recommended to block malware from acquiring access via all the possible doorways like endpoints, networks, and emails.

Malware Campaigns Attacking Asian Targets Using EternalBlue and Mimikatz



Asian targets are falling prey to a cryptojacking campaign which takes advantage of 'Living off the Land' (LotL) obfuscated PowerShell-based scripts and uses EternalBlue exploit to land Monero coinminer and Trojans onto targeted machines.
At the beginning of this year, a similar malware campaign was identified by the research team of Qihoo 360; reportedly, the campaign was targeted at China at the time. Open source tools such as PowerDump and Invoke-SMBClient were employed to carry out password hashing and execute hash attacks.
The campaign resorts to an exploit which uses SMBv1 protocol which was brought into the public domain by the Shadow Brokers a couple of years ago. It has now become one of the standard tools used by the majority of malware developers.
Referenced from Trend Micro’s initial findings, the aforementioned cryptojacking campaign was only targeting Japanese computer devices but eventually the targets multiplied and now they encompassed Taiwan, India, Hong-Kong, and Australia.
Trend Micro’s research also stated that the EternalBlue exploit, developed by NSA is a new addition into the malware; alongside, they drew a co-relation between the exploit and the 2017 ransomware attacks.  
How does the malware compromise computers?
With the aid of "pass the hash" attacks, it inserts various infectious components into the targeted computer by trying multiple weak credentials in an attempt to log in to other devices which are connected to that particular network.
Upon a successful login, it makes changes in the settings concerning firewall and port forwarding of the compromised machine; meanwhile, it configures a task which is scheduled to update the malware on its own.
Once the malware has successfully compromised the targeted computer, it goes on to download a PowerShell dropper script from C&C server and then it gets to the MAC address of the device and terminates the functioning of all the antimalware software present on the system. Immediately after that, it furthers to place a Trojan strain which is configured to gather the information of the machine such as name, OS version, graphics detail, GUID and MAC address.
“We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases targets legacy software that companies may still be using,” said Trend Micro.
Trend Micro advises users and enterprises to, “use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable multi-layered protection the system that can actively block these threats and malicious URLs from the gateway to the endpoint.”



The Return Of Trojan Poses Substantial Hacking Threat To Businesses!




The Trojan malware has returned with its infectious ransomware attacks with an aim to harvest banking credentials and personal and property related data.




Business organizations have come out to become the latest targets of this malware.



With long-term and insidious operations as ambition, the Trojan poses a lot of threat even to intellectual property.



In one of the new reports of one of the reputed security companies, it was mentioned that backdoor attacks against businesses with Trojans as back power have subsequently increased.



According to the aforementioned security lab, “Trojans” and “Backdoors” are different.



A Trojan is supposed to perform one function but ends up performing another and a Backdoor is a type of Trojan which enables a threat actor to access a system via bypassing security.



“Spyware” attacks have also consequentially risen. A spyware is a malware which aids gaining information on a device and sending it to a third party, stealthily.



This concept, of a spyware, sure is old but still is as efficacious as any other powerful malware and strictly works towards data exfiltration.



The “Emotet Trojan” has been considered to be behind the information stealing campaigns all round last year and in the beginning of this moth too.



This Trojan could move through networks, harvest data, and monitor networks. Also, it could easily infect systems by reproducing with no substantial effort at all.



Emotet is a self-sufficient danger which tends to spread onto compromised systems in addition to installing other malware on them.

The menacing behavior of TrickBot was also inferred upon by the aforementioned report, as it’s one of the by-products of Emotet.



The constantly evolving TrickBot daily gets updated with new abilities, stealing passwords and browser histories and harvesting sensitive data being a few of them.



Consultancy firms seem to be the primary targets of the Trojan. It is disposed towards harvesting more than just banking details and personal information.



Intellectual property is another thing which is a major point of concern for everyone now that the cyber-cons have stooped down to breaching walls using Trojans.



These tactics were thought to be really boring and old but have taken serious tosses and turns and have evolved into something genuinely perilous.



Businesses should stop under-estimating the attacks and keep a keen eye towards any potentiality of such attacks.

Trojan Neloweg operates similar to Zeus and steals Bank details

Symantec researchers currently tracking a banking Trojan called Trojan Neloweg.  According to their research, the threat has been localized to Europe.  This Trojan steals login credentials of infected users including banking data.

Neloweg operates similar to notorious banking Trojan Zeus. Like Zeus, Trojan.Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Trojan.Neloweg stores this on a malicious webserver.

Once a particular banking page has been matched, Trojan.Neloweg will cover part of the page in white, using a hidden DIV tag, and execute custom JavaScript located on the malicious server

Neloweg infection

The browser of Infected system can function like a bot and accept commands. It can process the content of the current page that it is on, redirect the user, halt the loading of particular pages, steal passwords, run executables, and even kill itself. Unfortunately the kill function is a bit excessive, and deletes critical system files, which in turn prevent users from logging in properly.

A Mac Trojan "DevilRobber" Upgraded to v3 and masquerades as PixelMator



DevilRobber(Backdoor:OSX/DevilRobber) is the Latest Malware that targets Mac OS X users, it is now upgraded and masquerades as PixelMator . Based on the malware's dump.txt file, this latest backdoor is identified as Version 3 (v3).

"The main point of difference in DevilRobberV3 is that it has a different distribution method — the 'traditional' downloader method." F-Secure Researchers says. 

The previous of Version of this Trojan masquerades as some other legitimate Mac Application, this time PixelMator Application.

Previously this Trojan log the number of files that match a certain set of criteria, and also steal the Terminal command history and Bitcoin wallet.  Also they performed the following;
  •  Opens a port where it listens for commands from a remote user.
  •  Installs a web proxy which can be used by remote users as a staging point for other attacks.
  • •Steals information from the infected machine and uploads the details to an FTP server for later retrieval.

Changelog for this Upgraded Trojan (This is first time we are posting changelog for a virus).
  • It no longer captures a screenshot
  • It no longer checks for the existence of LittleSnitch (a firewall application)
  • It uses a different launch point name
  • It harvests the shell command history
  • It harvests 1Password contents (a password manager from AgileBits)
  • It now also harvests the system log file

Unfortunately, It still attempts to steal Bitcoin wallet contents though.

Tsunami backdoor Trojan Horse for Mac OS X, port of Troj/Kaiten


Sophos researchers discovered a new Trojan Horse named as "Tsunami" that infects Mac OS X.  Researchers said it appears to be a port of Troj/Kaiten( a Linux backdoor Trojan horse that once it has embedded itself on a computer system listens to an IRC channel for further instructions)

An attacker can get access to infected system and launch DDOS Attack(Distributed Denial of service).

Sophos Anti virus included this OSX/Tsunami-A in virus Definitions, So it can detect these malwares. Don't forget to update your Antivirus.


Backdoor R2D2 ~Government Trojan discovered by Chaos Computer Club

The Famous European hacker club, Chaos Computer Club(CCC) discovered the backdoor Trojan horse capable of spying on online activity and recording Skype internet calls which, it says, is used by the German police force.

For some years, German courts have allowed the police to deploy a Trojan known colloquially as "Bundestrojaner" ("State Trojan") to record Skype conversations, if they have legal permission for a wiretap.

But the CCC's claim is controversial, as the Trojan they have uncovered has more snooping capabilities than that. For instance, it includes functionality to download updates from the internet, to run code remotely and even to allow remote access to the computer - something specifically in violation of Germany's laws.

The malware has the following of functionality as per the Sophos's analysis:
* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger.
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls.
* The Trojan attempts to communicate with a remote website.

A CCC spokesperson expressed the group's concern at the discovery:

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired. Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

Was the Trojan horse really written by the German authorities?
We have no way of knowing if the Trojan was written by the German state - and so far, the German authorities aren't confirming any involvement.

The comments in the Trojan's binary code could just as easily be planted by someone mischievously wanting the Trojan to be misidentified as the infamous the Bundestrojaner.

What we can say is that the phrase "0zapftis" has raised some eyebrows amongst the German speakers at SophosLabs. It's a play on a Bavarian phrase "The barrel is open", said by the mayor of Munich when he opens the first barrel of beer at the Oktoberfest.

But there certainly have been claims of German state-sponsored cyber-spying in the past. For instance, in 2008, there were claims that the BND - Germany's foreign intelligence service - deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan.