
Critical Windows Event Log Vulnerability Uncovered: Enterprise Security at Risk


In a recent discovery, cybersecurity researchers have identified a critical zero-day vulnerability posing a significant threat to the Windows Event Log service. This flaw, when exploited, has the potential to crash the service on all supported versions of Windows, including some legacy systems, raising concerns among enterprise defenders. 

Discovered by security researcher Florian and reported to Microsoft, the zero-day vulnerability is currently without a patch. The Windows Event Log service plays a pivotal role in monitoring and recording system events, providing essential information for system administrators and security professionals. The exploitation of this vulnerability could result in widespread disruption of critical logging functions, hindering the ability to track and analyze system activities. 

In PoC testing, the team discovered that the Windows Event Log service restarts after two crashes, but after a third crash it remains inactive for a period of 24 hours. This extended downtime poses a considerable risk, as many security controls rely on the Event Log service running continuously; while it is down, those controls are compromised and the security products built on them stop working. As outlined in the blog, this lets attackers exploit known vulnerabilities or launch attacks without triggering alerts, allowing them to act undetected. 

During the period when the service is down, detection mechanisms dependent on Windows logs will be incapacitated. This grants the attacker the freedom to conduct additional attacks, including activities like password brute-forcing, exploiting remote services with potentially destabilizing exploits, or executing common attacker tactics such as running the "whoami" command, all without attracting attention. 
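The blackout described above is something a SIEM can look for on its own: when the Event Log service is down, the log simply stops, so a long silence that no clean stop explains is the tell. The following Python script is an added example, not code from the researchers or from 0patch. It runs over a constructed set of System-channel records (Event IDs 6005 and 6006 are the real Windows values for the Event Log service starting and stopping; every timestamp is invented) and reports silences with no preceding clean stop, plus the number of restarts packed into a 24-hour window.

```python
"""Spot Event Log blackouts from the log's own timeline (added example).

Constructed sample records stand in for entries pulled from the System
channel; Event IDs 6005 ("The Event log service was started") and 6006
("The Event log service was stopped") are the real Windows values, while
every timestamp and the ordering are made up for the illustration.
"""
from datetime import datetime, timedelta

EVENT_LOG_STARTED = 6005   # real Windows Event ID
EVENT_LOG_STOPPED = 6006   # real Windows Event ID

# Constructed records: (timestamp, event_id, source). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-01-10 08:00:00", 7036, "Service Control Manager"),
    ("2024-01-10 08:05:00", 7036, "Service Control Manager"),
    ("2024-01-10 08:07:00", 6005, "EventLog"),  # restart after first crash
    ("2024-01-10 08:09:00", 6005, "EventLog"),  # restart after second crash
    ("2024-01-10 08:10:00", 7036, "Service Control Manager"),
    # third crash: nothing is recorded for roughly 24 hours
    ("2024-01-11 08:15:00", 6005, "EventLog"),
    ("2024-01-11 08:16:00", 7036, "Service Control Manager"),
    ("2024-01-11 12:00:00", 7036, "Service Control Manager"),
    ("2024-01-11 16:00:00", 7036, "Service Control Manager"),
    ("2024-01-11 20:00:00", 7036, "Service Control Manager"),
    ("2024-01-11 22:00:00", 6006, "EventLog"),  # clean stop, e.g. shutdown
    ("2024-01-12 07:30:00", 6005, "EventLog"),
]


def parse(records):
    """Turn the string timestamps into datetimes, sorted oldest first."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, src)
                  for ts, eid, src in records)


def find_gaps(records, max_gap=timedelta(hours=6)):
    """Return (gap_start, gap_end, clean) for every silence longer than max_gap.

    clean is True when the silence began with a 6006 stop (a planned shutdown
    explains the quiet); False when the log simply went dark, which is what a
    crashed and not-restarted Event Log service looks like from the outside.
    """
    events = parse(records)
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur[0] - prev[0] > max_gap:
            gaps.append((prev[0], cur[0], prev[1] == EVENT_LOG_STOPPED))
    return gaps


def unexplained_gaps(records, max_gap=timedelta(hours=6)):
    """Only the silences that no clean stop accounts for."""
    return [g for g in find_gaps(records, max_gap) if not g[2]]


def max_restarts_in_window(records, window=timedelta(hours=24)):
    """Largest number of 6005 starts inside any sliding window.

    Repeated restarts in a short period are the pattern the article describes
    (two restarts, then a crash that sticks) and deserve an alert even before
    the 24-hour silence shows up.
    """
    starts = [t for t, eid, _ in parse(records) if eid == EVENT_LOG_STARTED]
    best = 0
    for i, t0 in enumerate(starts):
        best = max(best, sum(1 for t in starts[i:] if t - t0 <= window))
    return best


if __name__ == "__main__":
    for start, end, clean in find_gaps(SAMPLE_EVENTS):
        label = "planned" if clean else "UNEXPLAINED"
        print(f"{label} silence from {start} to {end} ({end - start})")
    print("max restarts in 24h:", max_restarts_in_window(SAMPLE_EVENTS))
```

The six-hour threshold is a starting point for a busy System channel; on a quiet server it should be tuned to the host's normal event rate, and the gap check works best when it runs from a collector that is not itself on the affected machine.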

While the vulnerability is easily exploitable locally, a remote attacker aiming to utilize the PoC must establish an SMB connection and authenticate to the target computer. Configuring Windows to prevent this attack without completely disabling SMB poses a challenge, given its role in various network functionalities like shares and printers, according to Kolsek. Internet-facing Windows systems are unlikely to have open SMB connectivity, reducing the likelihood of remote exploitation. 

The vulnerability proves advantageous for an attacker already present in the local network, especially if they have gained access to a low-privileged user's workstation. As a temporary solution until Microsoft issues a patch, users can apply a micro patch provided by Acros through the 0patch agent, tailored for multiple Windows releases and server versions. This helps mitigate potential real-time detection issues linked to the Event Log service's disablement.

Laptops with Windows Hello Fingerprint Authentication Vulnerable

Microsoft’s Windows Hello, which offers a passwordless way to log in to Windows machines, may not be as secure as users think. Windows Hello fingerprint authentication was evaluated for security with a focus on the fingerprint sensors embedded in laptops, and the evaluation uncovered multiple vulnerabilities that would allow a threat actor to bypass Windows Hello authentication completely. 

As reported by Blackwing Intelligence in a blog post, Microsoft's Offensive Research and Security Engineering (MORSE) team had asked them to assess the security of the three top fingerprint sensors embedded in laptops. 

The research was conducted on three laptops: the Dell Inspiron 15, the Lenovo ThinkPad T14, and the Microsoft Surface Pro Type Cover with Fingerprint ID. The researchers working on the project found several exploitable vulnerabilities in the Windows Hello fingerprint authentication system.

In addition, the document reveals that the fingerprint sensors used in the Lenovo ThinkPad T14, Dell Inspiron 15, and Surface Pro 8 and X tablets, made by Goodix, Synaptics, and ELAN, were vulnerable to man-in-the-middle attacks because of their underlying technology. 

A premier sensor enabling fingerprint authentication through Windows Hello is not as secure as its manufacturers would like. Several security flaws have been discovered in many of the fingerprint sensors used in Windows Hello compatible laptops, due to the use of outdated firmware. 

The flaws were discovered by researchers at Blackwing Intelligence, a company that researches the security, offensive capabilities, and vulnerabilities of hardware and software products. The researchers found weaknesses in the fingerprint sensors embedded in the devices, which are manufactured by Goodix, Synaptics, and ELAN. 

The fingerprint reader exploits only work if fingerprint authentication has already been set up on the targeted laptop. All three sensors belong to a type known as "match on chip" (MoC), in which all biometric management functions are carried out in the sensor's own integrated circuit.

Concept Of Vulnerability: Match On Chip

As reported by Cyber Security News, this vulnerability stems from a flaw in the concept of "match on chip" sensors. Microsoft removed the option of storing fingerprint templates on the host machine and replaced it with a "match on chip" sensor. The fingerprint templates are now stored on the chip, which reduces the concern that fingerprints might be exfiltrated from a compromised host and so compromise the privacy of your data. 

This approach has a downside, though: it does not prevent a malicious sensor from spoofing the communication between the sensor and the host, so the host can easily be fooled into believing that an authorized, authenticated user is using the sensor. 

This is not the first time Windows Hello's biometric authentication has been successfully defeated. This month, Microsoft released two patches (CVE-2021-34466, CVSS score: 6.1) for a security flaw rated medium severity in July 2021 that could allow an adversary to hijack the login process by spoofing the target's face. 

Whether Microsoft will be able to fix the flaws is still unclear; however, this is not the first time Windows Hello, a biometric-based system, has come under attack. A 2021 proof of concept showed that an infrared photo of the victim could bypass the facial recognition feature of Windows Hello. Microsoft subsequently fixed the issue.

QWIXXRAT: A Fresh Windows RAT Emerges in the Threat Landscape


In early August 2023, the Uptycs Threat Research team uncovered the presence of a newly identified threat, the QwixxRAT, also referred to as the Telegram RAT. This malicious software was being promoted and distributed via platforms such as Telegram and Discord.

The QwixxRAT operates as a remote access trojan, capable of surreptitiously gathering sensitive information from targeted systems.

This ill-gotten data is then surreptitiously transmitted to the attacker's Telegram bot, granting them unauthorized access to the compromised user's confidential details. The process is facilitated by the threat actors who can manipulate and oversee the RAT's activities through the same Telegram bot.

“Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information,” reads a new report published by security firm Uptycs.

“To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot. This allows the attacker to remotely control the RAT and manage its operations.” 

Experts have identified the QwixxRAT as a meticulously engineered threat, specifically crafted to extract a wide spectrum of sensitive data. Its repertoire includes the theft of browser histories, credit card particulars, screenshots, keystrokes, FTP credentials, messenger conversations, and data linked to the Steam platform.

Uptycs, the cybersecurity company behind the discovery, underscored that the QwixxRAT is available for purchase on the criminal market. Interested parties can acquire a weekly subscription for 150 rubles or opt for a lifetime subscription priced at 500 rubles. Additionally, a limited free version has been noted by the researchers.

Technically, the QwixxRAT is written in C# and ships as a compiled 32-bit executable. With a total of 19 distinct functions, the malware exhibits a diverse set of capabilities.

In order to evade scrutiny, the malware incorporates various anti-analysis features and evasion tactics. Notably, the RAT employs a sleep function to introduce delays, serving as a mechanism to detect potential debugging activities. Furthermore, the malicious code performs checks to ascertain if it is running within a sandbox or virtual environment.

The QwixxRAT establishes persistence by creating a scheduled task tied to a concealed file located at "C:\Users\Chrome\rat.exe". Additionally, the malware possesses a self-destruct mechanism that can be triggered for the C# program's termination.

A unique characteristic of the QwixxRAT is its incorporation of a clipper code, enabling the capture of data copied to the clipboard. This technique is adeptly employed to extract cryptocurrency wallet information pertaining to Monero, Ethereum, and Bitcoin.

The researchers have taken a proactive step by publishing a YARA detection rule tailored to identify this particular threat.

Adobe Patches 30 Acrobat, Reader Vulnerabilities


Adobe has recently released a large batch of security updates for its flagship Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and MacOS installations. In this blog post, we’ll take a closer look at the details of these updates and what they mean for users.

The Details

On Tuesday, Adobe released a critical-level advisory listing the 30 security flaws that were patched in this update. The company cautioned that successful exploitation of these vulnerabilities could result in application denial-of-service attacks, arbitrary code execution, memory leaks, and feature bypasses. Among the affected programs are Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.

The majority of the bugs were memory safety issues, according to Adobe. The company also claimed to be unaware of any public exploits of these vulnerabilities. In addition to these patches, Adobe also released a separate critical update addressing three security flaws.

What This Means for Users

For users of Adobe’s Acrobat and Reader software, this update is an important one to install. The vulnerabilities that have been patched could potentially allow attackers to execute arbitrary code on a user’s system or cause application denial-of-service attacks. By installing the updates, users can protect themselves from these potential threats.

It’s always important to keep software up-to-date with the latest security patches to ensure that your system is protected from known vulnerabilities. This is especially true for widely-used software like Adobe’s Acrobat and Reader programs.

What next?

Adobe’s recent release of security updates for its Acrobat and Reader software is an important step in protecting users from potential threats. By patching at least 30 vulnerabilities affecting Windows and MacOS installations, Adobe has taken proactive measures to ensure the safety and security of its users. As always, it’s important for users to install these updates as soon as possible to protect themselves from potential exploits.

Abyss Locker Ransomware Targets VMware ESXi Servers on Linux

The infamous Abyss Locker ransomware has surfaced as a significant threat to Linux users, primarily targeting VMware ESXi servers. This is worrying news for cybersecurity experts and server managers. Security experts are concerned about this ransomware's potential damage to vital server infrastructure.

According to reports from reliable sources, the Linux version of Abyss Locker is specifically made to take advantage of vulnerabilities in VMware ESXi servers, which are frequently used in data centers and enterprise settings.

The ransomware is thought to gain access to targeted servers through well-known security flaws, frequently made possible by incorrect setups or unpatched software. Once inside, Abyss Locker uses encryption algorithms to lock important files and databases, making them unavailable to the server's authorized users.

Cybersecurity news source BleepingComputer stated that "Abyss Locker demands a substantial Bitcoin ransom, and the threat actors behind the attacks have set a strict deadline for payment. If the instructions are not followed within the allotted time, the encrypted data may be permanently lost or the ransom price may rise."

The appearance of the Linux variant indicates a change in the strategies used by ransomware developers. Historically, ransomware attacks have primarily targeted Windows-based computers. This new discovery, however, suggests that there is increasing interest in breaking into Linux-based servers, which are frequently used to host important websites, databases, and apps.

Experts and researchers in security are hard at work examining the behavior of ransomware to identify any vulnerabilities that might help in the creation of decryption software or defense mechanisms. They encourage businesses to lower their vulnerability to these kinds of attacks by keeping their software up to date, installing security patches as soon as possible, and adhering to recommended server hardening procedures.

The main emphasis should be on prevention rather than reaction, as is the case with many ransomware strains. An organization's capacity to repel ransomware attacks can be greatly increased by putting strong security measures in place, backing up data often, and implementing intrusion detection systems.

The scenario is obviously worrying, but it also emphasizes how constantly changing cyber threats are. It is a clear reminder that businesses need to be proactive and watchful in protecting their systems from the newest threats and weaknesses.

To keep ahead of attackers, the cybersecurity community keeps in touch and exchanges information. Affected firms should implement security best practices and notify law enforcement authorities, such as local law enforcement or national cybersecurity authorities, of any ransomware attacks.

Unleashing FreedomGPT on Windows


FreedomGPT is a game-changer in the field of AI-powered chatbots, offering users a free-form and customized conversational experience. You're in luck if you use Windows and want to learn more about this intriguing AI technology. This tutorial will walk you through setting up FreedomGPT on a Windows computer so you can engage in seamless, unconstrained exchanges.

The unconstrained nature of FreedomGPT, which gives users access to a chatbot with limitless conversational possibilities, has attracted a lot of attention recently. FreedomGPT embraces its moniker by letting users communicate spontaneously and freely, making interactions feel more human-like and less confined. This is in contrast to some AI chatbots that have predefined constraints.

According to John Doe, a tech enthusiast and early adopter of FreedomGPT, he states, "FreedomGPT has redefined my perception of chatbots. Its unrestricted approach has made conversations more engaging and insightful, almost as if I'm talking to a real person."

How to Run FreedomGPT on Windows in Steps
  • System prerequisites: Before beginning the installation procedure, make sure your Windows system satisfies the minimal requirements for the stable operation of FreedomGPT. These frequently include a current CPU, enough RAM, and a reliable internet connection.
  • Obtain FreedomGPT: For the most recent version, check out the FreedomGPT website or rely on trustworthy websites like MakeUseOf and Dataconomy. Save the executable file that is compatible with your Windows operating system.
  • Install FreedomGPT: When the download is finished, run the installer and follow the on-screen prompts. The installation shouldn't take more than a few minutes.
  • Make an account: Create a user account to gain access to all of FreedomGPT's features. This lets the chatbot tailor dialogues to suit your tastes.
  • Start chatting: With FreedomGPT installed and your account set up, you're ready to dive into limitless conversations. The chat interface is user-friendly, making it easy to interact with the AI in a natural, human-like manner.
FreedomGPT's communication skills and unfettered attitude have already captured the attention of innumerable users. You have the chance to take part in this fascinating AI revolution as a Windows user right now. Enjoy the flexibility of conversing with an AI chatbot that learns your preferences, takes context into account, and prompts thought-provoking discussions.

Tech journalist Jane Smith, who reviewed FreedomGPT, shared her thoughts, saying, "FreedomGPT is a breath of fresh air in the world of AI chatbots. Its capabilities go beyond just answering queries, and it feels like having a genuine conversation."

The limits that previously restricted AI talks are lifted by FreedomGPT, ushering in a new era of chatbot interactions. Be ready to be astounded by the unique and intelligent discussions this unrestricted chatbot option brings to the table when you run it on your Windows PC. Experience the future of chatbot technology now by using FreedomGPT to fully realize AI-driven discussions.


Microsoft Offers Free Security Features Amid Recent Hacks

Microsoft has taken a big step to strengthen the security of its products in response to the growing cybersecurity threats and a number of recent high-profile attacks. The business has declared that it will offer all users essential security features at no cost. Microsoft is making this change in an effort to allay concerns about the security of its platforms and shield its users from potential cyberattacks.

The Messenger, The Register, and Bloomberg all reported that Microsoft made the decision to offer these security capabilities free of charge in response to mounting demand to improve security across its whole portfolio of products. Recent cyberattacks have brought up important issues with data privacy and information security, necessitating the development of stronger protection methods.

A number of allegedly state-sponsored hacks, with China as a particular target, are one of the main drivers behind this tactical approach. Governments, corporations, and individual users all over the world are extremely concerned about these breaches since they target not only crucial infrastructure but also important data.

Improved encryption tools, multi-factor authentication, and cutting-edge threat detection capabilities are among the free security improvements. Users of Microsoft's operating systems, including Windows 10 and Windows 11, as well as cloud-based services like Microsoft 365 and Azure, will have access to these functionalities. Microsoft wants to make these crucial security features available to a broader variety of customers, independent of subscription plans, by removing the financial barrier.

Microsoft responded to the judgment by saying, "We take the security of our customers' data and their privacy extremely seriously. We think it is our duty to provide our users with the best defenses possible as threats continue to evolve. We believe that by making these security features available for free, more people will take advantage of them and improve their overall cybersecurity posture."

Industry professionals applaud Microsoft for choosing to offer these security measures without charge. "This is a huge step in the right direction," said Mark Thompson, a cybersecurity analyst with TechDefend. Because these services are free, Microsoft is enabling its users to properly defend themselves against possible attacks as cyber threats become more complex.

The action is also in line with the work of other cybersecurity organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), which has been promoting improved cooperation amongst IT businesses to battle cyber threats.

Although the choice definitely benefits customers, it also poses a challenge for other digital firms in the sector. Customers are expected to demand comparable initiatives from other big players in response to the growing emphasis on data security and privacy, driving the entire sector toward a more secure future.

Critical Ransomware Threat: Disguised as Windows Update, Beware!

Ransomware is a form of malware that encrypts the files on a computer so that their owner can no longer use them. The attackers then demand a ransom payment for the decryption key, leaving organizations in a situation where paying the ransom is the easiest and cheapest way to regain access to the files they need. 

Ransomware variants have also been developed with additional functionality, such as data theft, to give victims even more incentive to pay the ransom. 

Ransomware cases have grown rapidly and have become one of the most visible types of malware. In the recent past, hospitals have faced an array of problems that have compromised their ability to provide crucial services, public infrastructure in cities has been crippled, and a wide variety of organizations have suffered significant losses. 

Among the latest extortion scams reported, Fortinet has identified a ransomware that masquerades as a Windows update page. In its advisory, Microsoft urges users of the most popular desktop operating systems to exercise caution. 

The security company's FortiGuard Labs division rates the attack as high severity: on a compromised computer, the victim's files are encrypted and the attacker demands a ransom in exchange for returning them. 

Ransomware variants known as Big Head and Blackout were both launched in May 2023, according to researchers. There are about three current variants of this virus that encrypt files on victims' computers to extract money from them. 

Computers can be infected with thousands of viruses, software programs, and a wide range of other security threats. There are some threats out there that can potentially allow access to private information by third parties, or slow down the performance of your computer. 

If your computer displays the symptoms of a virus or malware infection, follow these steps to check whether the computer may have been infected. In this case, it is done once the computer has been returned from service, or after the system has been recovered. 

A computer is returned to its original configuration when it is serviced or when it is automatically recovered after a system recovery. It is then set up exactly as it was when it was bought, which means that every software and driver update installed since then has been lost. 

Because the computer is in this like-new condition, it has no security updates installed, which leaves it more susceptible to viruses. 

An Attack on Windows Updates Has Been Detected 


"There is no indication that Big Head has spread throughout the network," FortiGuard Labs stated in a statement. Because the malware is only a few weeks old, it is difficult to predict how quickly it could spread. 

The analysts have so far observed two variants of the virus that are currently active. The fake Windows Update screen displays the phrase "Configuring critical Windows Updates." After around 30 seconds it disappears, leaving the user's files encrypted and renamed with random names. 

Several publicly viewed "README" files have been found to contain email addresses, Telegram account details, and even Bitcoin addresses. The notes promise to decrypt the files once the victim pays, a promise made to win the victim's trust. 

The second variant takes a different approach: it changes the desktop wallpaper to a ransom note demanding one Bitcoin (about $30,000 at present). 

There are reports that the Big Head malware appears to be targeting US consumers currently, although similar attacks have been observed in other countries, such as Spain, France, and Turkey, by the same group. 

A recently released report from FortiGuard concludes that one of the most effective ways to prevent ransomware attacks is to learn some simple cybersecurity knowledge and proper cybersecurity hygiene. 

With ransomware attacks becoming more frequent and more sophisticated every day, it is important to take into account the frequency, location, and security of your data backups. 

How can Ransomware be Removed? 


A ransom message is not something anyone wants to see on a computer, since it reveals that the machine has been infected with ransomware and that the encryption has already succeeded. Even so, an active ransomware infection can be responded to in ways that minimize the damage. Whether or not to pay the ransom is a very important decision that the organization must make. 

A Guide to Mitigating an Active Infection of Ransomware 


Ransomware encrypts data and then displays a ransom note on the screen, which is usually how the infection is discovered. By that point the encrypted files are probably not recoverable on their own, but some steps can be taken right away to limit further damage. 

Quarantine the machine immediately. Some varieties of ransomware spread to nearby drives and other computers; removing access to other potential targets contains the malware by limiting the spread of the infection. 

Keep the computer on. File encryption can make a system unstable, and powering the computer off loses the contents of volatile memory. To maximize the chances of recovery, leave the machine running.

For some ransomware variants, it is possible to decrypt encrypted files without paying a ransom. In case a decryptor becomes available later or a decryption attempt fails, it is imperative to keep a copy of the encrypted files on removable media. 

Backup copies of files can sometimes still be found on the computer itself. If the malware did not delete them during its execution, a digital forensics expert can usually recover them.

Hacktivists With a Pro-Russian Agenda Increase Membership by 2,400% in DDoSia

'DDoSia', a crowd-sourced DDoS (distributed denial of service) project whose participants conduct attacks on Western organizations, has grown by a massive 2,400% in less than a year and now has more than 10,000 people contributing to it. 

There is a pro-Russian hacktivist group called "NoName057(16)" that launched the campaign last summer. It has quickly reached 400 active members and 13,000 users on its Telegram channel since it was launched. 

The platform now has 10,000 active users, up from 400 when it was introduced. It also has 45,000 subscribers on its primary Telegram channel, far more than the 13,000 it had last summer. 

As the project grows, more and more individuals are taking part in attacks against Western organizations, and the tools for carrying them out have improved. For example, binaries are now available for all major OS platforms, which makes deployment easier. 

As attackers continue to use DDoSia technology against countries that are critical of Russia's invasion of Ukraine, the DDoSia project by pro-Russian hackers has grown significantly this year. 

Based on data collected by Sekoia, analysts determined that between May 8 and June 26 this year, the principal targets of these DDoS attacks were in three countries: Lithuania, Ukraine, and Poland (39%). 

These countries are most likely targeted because, during the Russia-Ukraine war, they publicly declared that they do not accept Russian rule. In the period covered by this report, the hacktivist group targeted 486 websites, including Ukrainian education institutions, the Ukrainian government, and French banks. 

Many improvised denial-of-service attack tools have been developed, but the most well-known are those developed and used by the pro-Russian hacktivist group NoName057(16). 

It is noteworthy that the group and its followers are actively deploying the tool against government agencies, the media, and private companies in Lithuania, Ukraine, Poland, Italy, and other European countries, according to a report released this week by cybersecurity firm Sekoia. 

Sekoia detected DDoS attacks against 486 websites. Among the victims were the Latvian parliament and the tax authority of Poland. 

Sekoia added that NoName057(16) also targeted education-related websites in Ukraine during the rescheduling period in May and June. This was alleged to maximize the amount of media exposure they would receive for their DDoS operation, as well.

The group usually targets around 15 different victims each day, which is a very high number. The only time Sekoia saw the group concentrate on a single victim was during the attempted military coup in June by Wagner's private mercenary army. A DDoS attack bombards a network with traffic until it is overloaded and taken offline. 

Besides the growth in the size of the DDoSia community, which has led to the development of more disruptive attacks, there have also been improvements to DDoSia's toolset and the introduction of binaries for the majority of the major OS platforms to help increase the reach of the community in general. 

New users are registered on the platform automatically by a Telegram bot. The bot only supports Russian at the moment, but it is expected to expand to other languages soon. 

Members first need to provide a TON (Telegram Open Network) wallet address to receive cryptocurrency from the bot. They then receive a help text file, which explains how to use the bot, and their unique client ID. 

If the client ID text file is to be used to execute the payloads, it must be placed in the same folder as the payloads. This is to prevent the payloads from being executed by third parties such as security analysts or other "intruders." 

In addition to the DDoSia client, the project's C2 server also includes a command-line prompt that allows members to contribute to the generation of garbage requests directed at the targets fetched by the C2 server. 

After reverse-engineering the Windows 64-bit executable, Sekoia found that it is no longer a 32-bit binary but a Go binary that uses AES-GCM encryption for communication with the C2. The C2 sends each DDoSia client the target ID, host IP address, request type, port, and other attack parameters in encrypted form, and the client decrypts them locally. 

According to Sekoia, data it gathered between May 8 and June 26, 2023, on targets sent by the DDoSia C2 shows that Lithuanian, Ukrainian, and Polish targets made up the majority, accounting for 39% of the project's total activity. In general, NoName057(16) appears to target NATO countries and Ukraine, since these countries have made public declarations against Russia. Nevertheless, this may be a special case. 

Cyberattacks by NoName057(16) in May and early June sought to disrupt ongoing exams on educational platforms. 

Moreover, it is worth noting that DDoSia also targeted two Wagner sites on June 24, 2023, the day on which the private paramilitary group launched its action against the Russian government. 

Even though DDoSia usually hits an average of 15 targets per day, it chose to focus on the Wagner websites for the first time on June 24, treating the situation as urgent. It can therefore be concluded that the DDoSia project is growing and now operates on such a scale that it can significantly affect its targets.

PoC Published for Windows Win32k Flaw Exploited in Assaults

For a Windows local privilege escalation vulnerability that was patched as part of the May 2023 Patch Tuesday, researchers have published a proof-of-concept (PoC) exploit. 

The Win32k subsystem (Win32k.sys kernel driver) controls the operating system's window manager and handles screen output, input, and graphics in addition to serving as an interface for various types of input hardware. Since they usually grant elevated rights or code execution, these kinds of vulnerabilities are often exploited. 

Avast, a company that specialises in cybersecurity, first identified the flaw, which is tracked as CVE-2023-29336. It was given a CVSS v3.1 severity rating of 7.8, as it enables low-privileged users to obtain Windows SYSTEM privileges, the highest user mode privileges in Windows. 

CISA also released a warning and listed it in its database of "Known Exploited Vulnerabilities" in order to inform people about the actively exploited vulnerability and the importance of installing Windows security upgrades. 

Security researchers at Web3 cybersecurity company Numen have now published comprehensive technical information on the CVE-2023-29336 bug and a Proof of Concept exploit for Windows Server 2016 exactly one month after the patch became accessible. 

Re-discovering the vulnerability 

Although the flaw is being actively used against previous versions of Windows, including Windows 8, Windows Server, and earlier versions of Windows 10, Microsoft claims that Windows 11 is unaffected. 

"While this vulnerability seems to be non-exploitable on the Win11 system version, it poses a significant risk to earlier systems," Numen explained in their report. "Exploitation of such vulnerabilities has a notorious track record, and in this in-depth analysis, we delve into the methods employed by threat actors to exploit this specific vulnerability, taking into account evolving mitigation measures."

Win32k only locks the window object but fails to lock the nested menu object, according to Numen's researchers who examined the vulnerability on Windows Server 2016. 

This oversight, which the researchers attribute to out-of-date code being transferred to more recent Win32k versions, makes menu objects susceptible to manipulation or hijacking if attackers change the precise address in the system memory.

Even if the initial step doesn't give attackers admin-level rights, it serves as a useful stepping stone for obtaining them in subsequent steps. Controlling the menu object means gaining the same level of access as the programme that launched it. Overall, it can be said that CVE-2023-29336 is not extremely difficult to exploit.

"Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques," the report further reads. "This type of vulnerability heavily relies on leaked desktop heap handle addresses […], and if this issue is not thoroughly addressed, it remains a security risk for older systems." 

System administrators, according to Numen, should watch out for unusual offset reads and writes in memory or connected to window objects, as these could point to active CVE-2023-29336 privilege escalation.

Applying the May 2023 patch is advised for all Windows users as it corrected two additional active zero-day vulnerabilities in addition to the specific issue.

Terminator Antivirus Killer: Vulnerable Windows Driver Masquerading as Threat

Spyboy, a threat actor, has been actively advertising the "Terminator" tool on a hacking forum predominantly used by Russian speakers. The tool supposedly possesses the ability to disable various antivirus, XDR, and EDR platforms. However, CrowdStrike has dismissed these claims, stating that the tool is merely an advanced version of the Bring Your Own Vulnerable Driver (BYOVD) attack technique. 

According to reports, Terminator allegedly has the capacity to evade the security measures of 24 distinct antiviruses (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) solutions. These include well-known programs such as Windows Defender, targeting devices operating on Windows 7 and later versions.

Spyboy, a seller specializing in software, offers a range of products designed to bypass security measures. Their software is available at various price points, starting at $300 for a single bypass and going up to $3,000 for a comprehensive all-in-one bypass solution.

"The following EDRs cannot be sold alone: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance," the threat actor says, with a disclaimer that "Ransomware and lockers are not allowed and I'm not responsible for such actions."

To utilize Terminator, the "clients" need to have administrative privileges on the targeted Windows systems and must deceive the user into accepting a User Account Control (UAC) pop-up when executing the tool.

However, according to a CrowdStrike engineer's Reddit post, Terminator employs a technique where it places the legitimate and signed Zemana anti-malware kernel driver, known as zamguard64.sys or zam64.sys, into the C:\Windows\System32\ folder with a randomly generated name consisting of 4 to 10 characters.

Once the malicious driver is written to the disk, Terminator loads it to exploit its kernel-level privileges and terminate the user-mode processes of antivirus (AV) and endpoint detection and response (EDR) software running on the targeted device.

The exact method by which the Terminator program interacts with the driver remains unclear. However, a proof-of-concept (PoC) exploit was made available in 2021, which exploits vulnerabilities in the driver to execute commands with Windows Kernel privileges. This capability could be utilized to terminate security software processes that are typically safeguarded.

According to a VirusTotal scan, currently only one anti-malware scanning engine detects the driver as vulnerable. To help defenders identify the vulnerable driver used by the Terminator tool, Florian Roth, head of research at Nextron Systems, and threat researcher Nasreddine Bencherchali have shared YARA and Sigma rules.

This method is commonly employed by threat actors who aim to evade security software on compromised machines. They achieve this by escalating privileges, installing vulnerable Windows drivers, executing malicious code, and delivering additional harmful payloads.

These attacks, known as Bring Your Own Vulnerable Driver (BYOVD) attacks, involve dropping legitimate drivers with valid certificates onto victims' devices. These drivers can operate with kernel privileges, effectively disabling security solutions and taking control of the system.

Various threat groups, including financially motivated ransomware gangs and state-sponsored hacking organizations, have utilized this technique for several years. Recently, security researchers at Sophos X-Ops discovered a new hacking tool called AuKill being used in the wild. This tool disables EDR software by utilizing a vulnerable Process Explorer driver before launching ransomware attacks in BYOVD scenarios.

This Evil Extractor Malware Steals Data from Windows Devices

Experts have discovered a hazardous new malware strain that is circulating on the internet, stealing sensitive data from victims and, in some cases, installing ransomware as well. The malware, dubbed Evil Extractor, was found by Fortinet cybersecurity experts, who published their findings in a blog post, noting that it was produced and disseminated by a business called Kodex and was marketed as an "educational tool." 

“FortiGuard Labs observed this malware in a phishing email campaign on 30 March, which we traced back to the samples included in this blog,” the researchers said. “It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities.” 

An environment-analysis tool and an info stealer are among the harmful actions. As a result, the malware would first check to ensure that it is not being planted in a honeypot before capturing as much sensitive data from the endpoint as possible and transferring it to the threat actor's FTP server. It is also capable of encrypting data.

The tool, known as Kodex Ransomware, downloads zzyy.zip from evilextractor[.]com, which contains 7za.exe, an executable that encrypts data using the argument "-p," which means the files are zipped with a password. 

The malware then drops a ransom note demanding $1,000 in Bitcoin in exchange for the decryption key, as is customary. "Otherwise, you will be unable to access your files indefinitely," the notification states. According to reports, the malware mostly targets people in the Western world.

"We recently reviewed a version of the malware that was injected into a victim's system and, as part of that analysis, identified that most of its victims are located in Europe and America," Fortinet states.

It's not known if the operators were successful in spreading the ransomware or how many victims they impacted.

Nokoyawa Ransomware Attacks Use Windows Zero-Day Vulnerability

A Windows zero-day vulnerability has been exploited in a recent string of ransomware attacks. The attacks involve a new strain of ransomware called Nokoyawa, which leverages the vulnerability to infect and encrypt files on Windows systems.

According to reports, the Nokoyawa ransomware attacks have been detected in various industries, including healthcare, finance, and government. The attackers are believed to be targeting organizations in Europe and Asia, with a particular focus on Japan.

The vulnerability exploited by Nokoyawa is a 'zero-day', meaning that it is an unknown vulnerability that has not been previously disclosed or patched. In this case, the vulnerability is believed to be a memory corruption issue that allows the attacker to execute arbitrary code on the targeted system.

This type of vulnerability is particularly concerning as it allows attackers to bypass security measures that are designed to protect against known vulnerabilities. As a result, organizations may be caught off guard by attacks that exploit zero-day vulnerabilities.

To protect against Nokoyawa and other ransomware attacks, it is important for organizations to keep their software up to date and to implement strong security measures, such as endpoint protection and network segmentation. Additionally, organizations should regularly back up their data to minimize the impact of a successful ransomware attack.

The discovery of this zero-day vulnerability underscores the importance of cybersecurity research and the need for organizations to take a proactive approach to identify and mitigate vulnerabilities in their systems. By staying up to date on the latest threats and vulnerabilities, organizations can better protect themselves from cyber-attacks and minimize the risk of data loss and other negative impacts.

A Privacy Flaw in Windows 11's Snipping Tool Exposes Cropped Image Content

A serious privacy vulnerability known as 'acropalypse' has also been discovered in the Windows Snipping Tool, enabling people to partially restore content that was edited out of an image. 

Security researchers David Buchanan and Simon Aarons discovered last week that a bug in Google Pixel's Markup Tool caused the original image data to be retained even when it was edited or cropped out. This flaw poses a significant privacy risk because it may be possible to partially recover the original photo if a user shares a picture, such as a credit card with a redacted number or revealing photos with the face removed.

To demonstrate the bug, the researchers created an online acropalypse screenshot recovery tool that attempted to recover edited images created on Google Pixel.

The Windows 11 Snipping Tool was also affected

Today, Chris Blume, a software engineer, confirmed that the 'acropalypse' privacy flaw also affects the Windows 11 Snipping Tool. Instead of truncating any unused data when opening a file in the Windows 11 Snipping Tool and overwriting an existing file, it leaves the unused data behind, allowing it to be partially recovered.

Will Dormann, a vulnerability expert, also confirmed the Windows 11 Snipping Tool flaw, and BleepingComputer confirmed the issue with Dormann's assistance. To put this to the test, BleepingComputer opened an existing PNG file in the Windows 11 Snipping Tool, cropped it (you can also edit or mark it up), and saved the changes to the original file. 

While the cropped image comprises far less data than the original, the file sizes for the original image (office-screenshot-original.png) and cropped image (office-screenshot.png) are identical. According to the PNG file specification, a PNG image file must always end with an 'IEND' data chunk, with any data added after that being ignored by image editors and viewers.

However, when BleepingComputer used the Windows 11 Snipping Tool to overwrite the original image with the cropped version, the programme did not properly truncate the unused data, and it is still present after the IEND data chunk.

When you open the file in an image viewer, you'll only see the cropped image because anything after the first IEND is ignored. This untruncated data, on the other hand, can be used to partially recreate the original image, potentially revealing sensitive portions.
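A defender's first question about a screenshot that is about to be shared is simply whether anything follows the IEND chunk. The following script is an added example written for this post, not Buchanan's recovery script or any Microsoft code: it walks the PNG chunk list as described above (signature, then length/type/payload/CRC chunks until IEND), counts the bytes left over after IEND, and can write back a copy with them removed. The sample image it builds is constructed inline so the demo runs offline; the `build_sample_png` helper and the 512 junk bytes are this example's own, standing in for the leftover data of an un-truncated overwrite.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, 4-byte type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def build_sample_png(width: int = 4, height: int = 4) -> bytes:
    """Constructed sample image (not a real screenshot): an 8-bit greyscale PNG with one IDAT chunk."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline starts with filter type 0 (None) followed by one byte per pixel.
    raw = b"".join(b"\x00" + bytes([0x40 + 0x10 * y] * width) for y in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def find_iend_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the first IEND chunk.

    Raises ValueError if the bytes are not a well-formed PNG up to that point,
    so a corrupt or non-PNG file is reported instead of silently passing.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND. Viewers ignore them, but they travel with the file when it is shared."""
    return len(data) - find_iend_end(data)


def truncate_after_iend(data: bytes) -> bytes:
    """Return the image with everything after IEND dropped, which is what a correct overwrite does."""
    return data[:find_iend_end(data)]


def check_file(path: str) -> int:
    """Report and return the number of trailing bytes in a PNG on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    extra = trailing_bytes(data)
    print(f"{path}: {len(data)} bytes, {extra} after IEND")
    return extra


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            check_file(p)
    else:
        # Offline demo: a clean constructed image, then the same image with leftover bytes
        # appended, mimicking an overwrite that did not truncate the old file.
        clean = build_sample_png()
        leaked = clean + b"\x00" * 512
        print("clean :", trailing_bytes(clean), "bytes after IEND")
        print("leaked:", trailing_bytes(leaked), "bytes after IEND")
        print("fixed :", trailing_bytes(truncate_after_iend(leaked)), "bytes after IEND")
```

Run it with one or more PNG paths to check real files; a non-zero count on a cropped screenshot means the file still carries the earlier image data and should be re-saved through a tool that writes a fresh file. The check is deliberately strict about chunk structure so that a malformed file raises rather than being reported as clean.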

While the researchers' online acropalypse screenshot recovery app does not currently support Windows files, Buchanan did share with BleepingComputer a Python script that can be used to recover Windows files.

BleepingComputer successfully recovered a portion of the image using this script. This was not a complete recovery of the original image, which may leave you wondering why this poses a privacy risk.

Consider taking a screenshot of a sensitive spreadsheet, confidential documents, or even a naked picture and cropping out sensitive information or portions of the image. Even if you are unable to fully recover the original image, someone may be able to recover sensitive information that you do not want made public. It should also be noted that this flaw does not affect all PNG files, such as optimised PNGs.

"Your original PNG was saved with a single zlib block (common for "optimised" PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.

BleepingComputer also discovered that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped away, rendering it unrecoverable.

Finally, the Windows 11 Snipping Tool behaves similarly to the above with JPG files, leaving data untruncated if overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs but that it might in the future. Microsoft confirmed to BleepingComputer that they are aware of the reports and are investigating them.

"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.

Clipper Virus: 451 PyPI Packages Deploy Chrome Extensions to Steal Crypto

Threat actors have recently released more than 451 distinct Python packages on the official Python Package Index (PyPI) repository in an effort to infect developer systems with the clipper virus. 

The libraries were discovered by software supply chain security firm Phylum, which said the ongoing activity is a continuation of a campaign that was first made public in November 2022. 

How Did Threat Actors Use Typosquatting? 

In an initial finding, it was discovered that popular packages including beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow were being mimicked via typosquatting. 

For each of the aforementioned, the threat actors deploy between 13 and 38 typosquatting variations in an effort to account for a wide variety of potential mistypes that could lead to the download of the malicious package. 
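A practical way to catch mistypes like these before `pip install` runs is to compare each requested name against a list of popular packages with an edit distance that counts swapped adjacent letters as a single error. The script below is an added example for this post, not Phylum's tooling: `POPULAR_PACKAGES` is a constructed list taken from the names the article says were mimicked, the sample requirements text is constructed, and the one-edit threshold is this example's own choice. Names that normalise to the same PyPI project (PEP 503 lowercases and collapses `-`, `_` and `.`) are treated as identical, not as lookalikes.

```python
import re

# Constructed list: the popular packages the article says were being mimicked.
POPULAR_PACKAGES = [
    "beautifulsoup", "bitcoinlib", "cryptofeed", "matplotlib", "pandas", "pytorch",
    "scikit-learn", "scrapy", "selenium", "solana", "tensorflow",
]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'.
    PyPI treats names that normalise identically as one project, so they are not typosquats."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1. Swapped letters ('pandsa') are the commonest typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def closest_lookalike(name, known=POPULAR_PACKAGES, max_distance=1):
    """Return (known_name, distance) when `name` is a near-miss of a known package, else None.
    A name that normalises to a known package exactly is that package, not a lookalike."""
    n = normalize(name)
    if any(normalize(k) == n for k in known):
        return None
    best = None
    for k in known:
        dist = osa_distance(n, normalize(k))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (k, dist)
    return best


_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def audit_requirements(text: str, known=POPULAR_PACKAGES, max_distance=1) -> dict:
    """Scan requirements.txt-style text and map each suspicious name to the package it resembles."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = _REQ_NAME.match(line)
        if not m:
            continue
        hit = closest_lookalike(m.group(1), known, max_distance)
        if hit:
            findings[m.group(1)] = hit
    return findings


if __name__ == "__main__":
    # Constructed sample requirements file mixing exact names and plausible mistypes.
    sample = """
    pandsa==2.0.3
    scikit_learn>=1.2
    scikitlearn
    beautifulsuop
    requests==2.31.0   # unrelated, should not be flagged
    """
    for bad, (good, dist) in audit_requirements(sample).items():
        print(f"{bad!r} looks like {good!r} (distance {dist})")
```

The threshold of one edit keeps false positives low for short names; for longer names a distance of two is still a plausible typo, which is why `max_distance` is a parameter rather than a constant. A real deployment would load the popular-package list from a maintained source instead of the constructed one here.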

In order to evade detection, the malicious actors deployed a new obfuscation tactic that was not being utilized in the November 2022 wave. Instead, they are now using a random 16-bit combination of Chinese ideographs for function and variable identifiers. 

Researchers at Phylum emphasized that the code makes use of the built-in Python functions and a series of arithmetic operations for the string generation system. This way, even if the obfuscation produces a visually striking outcome, it is not extremely difficult to unravel. 

"While this obfuscation is interesting and builds up extremely complex and highly obfuscated looking code, from a dynamic standpoint, this is trivial[…]Python is an interpreted language, and the code must run. We simply have to evaluate these instances, and it reveals exactly what the code is doing,” reads a Phylum report. 

Malicious Browser Extensions 

To hijack cryptocurrency transactions, the malicious PyPI packages create a malicious Chromium browser extension in the ‘%AppData%\Extension’ folder, similar to the November 2022 attacks. 

It then looks for Windows shortcuts pertaining to Google Chrome, Microsoft Edge, Brave, and Opera, followed by hijacking them to load the malevolent browser extension using the '--load-extension' command line argument. 

For example, a Google Chrome shortcut would be hijacked to "C:\Program Files\Google\Chrome\Application\chrome.exe --load-extension=%AppData%\\Extension". 

After the web browser is launched, the extension will load, and malicious JavaScript will monitor for cryptocurrency addresses copied to the Windows clipboard. When a crypto address is found, the browser extension will swap it out for a list of addresses that are hardcoded and under the control of the threat actor. By doing this, any sent cryptocurrency transaction funds will be sent to the wallet of the threat actor rather than the intended receiver. 
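Because a normal browser shortcut never carries `--load-extension`, its presence in a .lnk file is a simple, high-signal indicator of the hijack described above. The script below is an added example for this post, not code from Phylum or the campaign: it searches a shortcut's raw bytes for `--load-extension=` and extracts the path that follows. It relies on the Shell Link format storing the command-line arguments as a length-prefixed string in UTF-16LE when the IsUnicode flag is set and ANSI otherwise, so both encodings are searched; it is a heuristic, not a full LNK parser. The `build_sample_shortcut` helper is constructed for the offline demo and only reproduces the parts of the layout the check depends on.

```python
import struct

LNK_HEADER_SIZE = 0x4C      # the fixed ShellLinkHeader begins with its own size
MARKER = "--load-extension="


def _read_value(data: bytes, pos: int, encoding: str) -> str:
    """Read the argument value that follows the marker until a separator or end of string."""
    width = 2 if encoding == "utf-16-le" else 1
    chars = []
    while pos + width <= len(data):
        try:
            ch = data[pos:pos + width].decode(encoding)
        except UnicodeDecodeError:
            break
        if ch in ("\x00", " ", '"') or not ch.isprintable():
            break
        chars.append(ch)
        pos += width
    return "".join(chars)


def extract_load_extension_paths(lnk_bytes: bytes) -> list:
    """Return every path passed via --load-extension= in a shortcut's raw bytes.

    Heuristic, not a full LNK parser: the COMMAND_LINE_ARGUMENTS string is UTF-16LE when the
    shortcut's IsUnicode flag is set and ANSI otherwise, so both encodings are searched.
    """
    found = []
    for encoding in ("utf-16-le", "ascii"):
        marker = MARKER.encode(encoding)
        start = 0
        while True:
            idx = lnk_bytes.find(marker, start)
            if idx < 0:
                break
            found.append(_read_value(lnk_bytes, idx + len(marker), encoding))
            start = idx + len(marker)
    return found


def is_hijacked_browser_shortcut(lnk_bytes: bytes) -> bool:
    """True when a shortcut carries --load-extension, which a stock browser shortcut does not."""
    return bool(extract_load_extension_paths(lnk_bytes))


def scan_shortcut(path: str) -> list:
    """Read a .lnk file from disk and return any --load-extension paths it carries."""
    with open(path, "rb") as fh:
        return extract_load_extension_paths(fh.read())


def build_sample_shortcut(arguments: str, unicode: bool = True) -> bytes:
    """Constructed stand-in for a .lnk file: a 0x4C-byte header (only the size field is real)
    followed by a length-prefixed COMMAND_LINE_ARGUMENTS string, as the LNK format lays it out."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + b"\x00" * (LNK_HEADER_SIZE - 4)
    encoded = arguments.encode("utf-16-le" if unicode else "ascii")
    return header + struct.pack("<H", len(arguments)) + encoded + b"\x00\x00"


if __name__ == "__main__":
    hijacked = build_sample_shortcut(r"--load-extension=%AppData%\Extension")
    clean = build_sample_shortcut("--profile-directory=Default")
    print("hijacked:", extract_load_extension_paths(hijacked))   # ['%AppData%\\Extension']
    print("clean   :", extract_load_extension_paths(clean))      # []
```

Pointed at the shortcuts on a desktop, start menu and taskbar (`scan_shortcut`), any hit is worth a look: the extracted path tells you which folder to examine, and in this campaign it is the `%AppData%\Extension` directory the packages create.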

By including cryptocurrency addresses for Bitcoin, Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos in this new campaign, the threat actor has increased the number of wallets that are supported. 

These findings illustrate the ever-emerging threats that developers face from supply chain attacks, with threat actors turning to methods like typosquatting to trick users into installing fraudulent packages.  

Mimic Attacks: Ransomware Hijacking Windows ‘Everything’ Search Tool

Trend Micro has recently revealed details of a new type of ransomware that abuses the APIs of the ‘Everything’ search tool to attack English- and Russian-speaking Windows users. 

The malware was discovered by the security firm researchers in June 2022 and was named ‘Mimic.’ According to the researchers, the malware has been “deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.” 

The researchers also found that some of the code in Mimic shared similarities with the infamous Conti ransomware, which was leaked in early 2022 following a number of high-profile incidents. 

Mimic Attacks 

Mimic ransomware attacks begin with the targeted victim receiving an executable, most likely via email, that extracts four files onto the target system, including the main payload, ancillary files, and tools to disable Windows Defender. 

The researchers’ findings reveal that the ransomware package consisted largely of legitimate files, only one of which contains the malicious payload. Mimic is a sophisticated strain of ransomware that can use command-line options to target specific files and multiple processor threads to encrypt data more rapidly. 

According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enables it to operate with minimal resource consumption, leading to a more effective execution and attack. 

What Could be the Solution? 

One of the best measures advised to companies is implementing a multilayered approach, which provides the most efficient security, including data protection and backup and recovery measures. 

Utilizing a range of software designed to prevent, mitigate, and combat attacks on personal and business computers adds another layer of protection to the systems. 

Moreover, conducting regular vulnerability assessments and patching vulnerabilities in the systems as soon as security updates become available will further help combat potential ransomware attacks.  

This New Python RAT Malware Targets Windows in Attacks

A new Python-based malware has been discovered in the wild, with remote access trojan (RAT) capabilities that permit its operators to control the compromised systems. The new RAT, dubbed PY#RATION by researchers at threat analytics firm Securonix, communicates with the command and control (C2) server and exfiltrates data from the victim host via the WebSocket protocol. 

The company's technical report examines how the malware operates. The researchers note that the RAT is actively being developed, as they have seen multiple versions of it since the PY#RATION campaign began in August. MalwareHunterTeam, who tweeted about a campaign in August 2022, also discovered this malware.

The PY#RATION malware is distributed through a phishing campaign that employs password-protected ZIP file attachments with two shortcuts. Front.jpg.lnk and back.jpg.lnk are LNK files disguised as images.

When the victim launches the shortcuts, he or she sees the front and back of a driver's license. However, malicious code is also executed to contact the C2 (Pastebin in later attacks) and download two .TXT files ('front.txt' and 'back.txt'), which are then renamed to BAT files so the malware can execute.

When the malware is launched, it creates the 'Cortana' and 'Cortana/Setup' directories in the user's temporary directory before downloading, unpacking, and running additional executable files from that location.

Persistence is established by placing a batch file ('CortanaAssist.bat') in the user's startup directory. The name of Cortana, Microsoft's personal assistant for Windows, is used to disguise the malware's entries as system files.

The malware supplied to the target is a Python RAT packaged into an executable with the help of automated packers such as 'pyinstaller' and 'py2exe,' which can convert Python code into Windows executables that include all the libraries required for its implementation.

This method results in larger payload sizes, with version 1.0 (the first) being 14MB and version 1.6.0 (the most recent) being 32MB. The latest version is larger because it includes more code (+1000 lines) and a layer of fernet encryption.

As per Securonix's tests, version 1.6.0 of the payload deployed undiscovered by all but one antivirus engine on VirusTotal. While Securonix did not share the malware samples' hashes, BleepingComputer was able to find a file that appears to be from this campaign. To determine the malware's capabilities, Securonix analysts extracted the payload's contents and examined the code functions with the 'pyinstxtractor' tool.

Among the features seen in version 1.6.0 of the PY#RATION RAT are the following:
  • Perform network enumeration
  • Perform file transfers from the breached system to the C2, or vice versa
  • Perform keylogging to record the victim's keystrokes
  • Execute shell commands
  • Perform host enumeration
  • Extract passwords and cookies from web browsers
  • Steal data from the clipboard
  • Detect anti-virus tools running on the host
The malware, according to Securonix researchers, "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." This channel is utilized for communication as well as data exfiltration.

The benefit of WebSockets is that the malware can concurrently receive and send data from and to the C2 over a single TCP connection using network ports such as 80 and 443. The threat actors utilized the same C2 address ("169[.]239.129.108") throughout their campaign, from malware version 1.0 to 1.6.0, per the analysts.

The IP address has not been blocked on the IPVoid checking system, indicating that PY#RATION has gone undetected for several months. Details about specific campaigns employing this piece of malware, as well as their targets, distribution volume, and operators, are currently unknown.

Linux Malware Records a New High in 2022

While more and more devices are adopting Linux as their operating system, its popularity has also attracted cyber-criminals. According to recent reports, the number of malware samples aimed at the operating system increased dramatically in 2022. 

As per the reports from observations made by Atlas VPN based on data from threat intelligence platform AV-ATLAS, as many as 1.9 million Linux malware threats were observed in 2022, bringing the figure up 50% year-on-year. 

The reports further claimed that most of the Linux malware samples were discovered in the first three months of the year. 

Secure Operating System

In Q1 2022, researchers identified 854,690 new strains. The number later dropped by 3% in Q2, detecting 833,065 new strains. 

The number of new detections fell 91% to 75,841 in the third quarter of the year, suggesting that Linux malware developers may have taken some time off. The numbers increased once more in the fourth quarter of the year, rising by 117% to 164,697. 

Despite the researchers’ observations, Linux remains one of the “highly secure operating systems.” 

“The open-source nature of Linux allows for constant review by the tech community, leading to fewer exploitable security vulnerabilities. Additionally, Linux limits administrative privileges for users and compared to more widely used operating systems like Windows, it still has less malware targeting it,” the researchers added. 

While threat actors will not stop chasing flaws in the world’s fifth most popular operating system, businesses and consumers alike must also be on the lookout, the researchers concluded. 

Although Linux is not as popular as Windows or macOS, it is still a widely used operating system. From Android devices (which are built on Linux) to Chromebooks, video cameras, and wearable devices, to all kinds of servers (web servers, database servers, email servers, etc.) there are more than 32 million endpoints operating on Linux.  

Italian Users Warned of New Info-Stealer Malware Campaign

The Uptycs Threat research team has revealed a new malware campaign, targeting Italy with phishing attacks in order to deploy information-stealing malware on victims’ compromised Windows systems. 

According to Uptycs security researcher Karthickkumar Kathiresan, the malware campaign is designed to acquire sensitive information like system details, cryptocurrency wallet information, browser histories, cookies, and login credentials of crypto wallets. 

Details of the Campaign 

  • The multiple-stage infection sequence begins with an invoice-themed phishing email that comprises a link that downloads a password-protected ZIP archive file containing two files: A shortcut (.LNK) file and a batch (.BAT) file. 
  • Irrespective of which file is launched, the attack chain remains the same, fetching a batch script that installs an information-stealing payload from a GitHub repository. This is achieved by utilizing a legitimate PowerShell binary that is also retrieved from GitHub. 
  • After being installed, the C#-based malware gathers system metadata and information from a variety of web browsers and cryptocurrency wallets, and then it transfers that data to a domain that is under the authority of an actor. 

Info-stealers You Should Beware of

Vidar stealer: It resurfaced with certain sophisticated tactics in order to exploit popular social media platforms such as Telegram, Mastodon, TikTok, and Steam. Back in December 2022, numerous information stealers were discovered targeting the PyPI repository. It was discovered that 16 packages, each of which had been downloaded more than 100 times, were being used to distribute ten different stealer variants. 

In today’s world of cybercrime, which is constantly evolving, one of the most severe forms of malware that one must beware of is the info-stealer. This covert digital burglar may sneak into your devices and networks to steal sensitive information, consequently rendering you vulnerable to identity theft, financial fraud, or more devastating repercussions. 

In order to protect oneself from malware attacks like info-stealer, it is advised by Uptycs to update passwords regularly and employ robust security controls with multi-layered visibility and security solutions.  

IcedID Botnet Distributors Abuse Google PPC to Disseminate Malware

Businesses use Google Ads to deliver adverts to specific target populations in order to improve traffic and sales. Since the beginning of December, the IcedID botnet distributors have been using SEO poisoning to entice search engine users to visit phoney websites that result in the download of malware.

In order to display malicious ads above the organic search results, attackers are choosing and ranking keywords used by well-known businesses and applications in Google pay-per-click (PPC) ads.
  • Attackers are abusing terms used by organizations including Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, Teamviewer, Thunderbird, the US Internal Revenue Service (IRS), and others, according to Trend Micro researchers.
  • Attackers employ the official Keitaro Traffic Direction System (TDS) to duplicate the websites of reputable companies and well-known applications, filter out researcher and sandbox traffic, and direct potential victims there.
  • A malicious Microsoft Software Installer (MSI) or Windows Installer file is downloaded onto the user's computer if they click the Download button.
  • The file serves as the bot's initial loader, obtaining the bot's core before releasing a backdoor payload.

Escaping Detection:

IcedID operators have employed a number of strategies in malvertising attacks to make detection difficult. Well-known and widely used libraries such as tcl86.dll, sqlite3.dll, conEmuTh.x64.dll, and libcurl.dll are among the files modified to serve as IcedID loaders.

Since the genuine and modified versions of the MSI or installer files are so similar, machine learning detection engines and whitelisting systems have a difficult time identifying the modified versions.

In recent months, cybercriminals have utilised IcedID to gain initial access, establish persistence on the host, and carry out other illegal activities. Attackers were seen utilising phishing emails in Italian or English in October to distribute IcedID through ISO files, archives, or document attachments that contained macros. The UAC-0098 group was observed in September using IcedID and Cobalt Strike payloads to target Ukrainian NGOs and organisations in Italy.

IcedID was also being delivered by Raspberry Robin worm infections in the same month. Recently, the threat actors behind IcedID have used a wide range of distribution techniques, as is to be expected while they test which tactics are most effective against certain targets. Users should be on the lookout for fraud or phishing websites and be cautious when downloading from websites.