
Malware Developer Claims Ability to Reactivate Expired Google Authentication Cookies


The Lumma information-stealer malware, known as 'LummaC2,' is reportedly touting a novel functionality that claims to enable cybercriminals to revive expired Google cookies, potentially allowing them to take control of Google accounts. Session cookies, specialized web cookies facilitating automatic login during a browsing session, typically have a limited lifespan for security reasons. This measure prevents misuse in case the cookies are stolen, as possessing them grants access to the account.

The discovery of this feature came to light when Alon Gal from Hudson Rock identified a forum post by the malware's developers on November 14. The post announced an update boasting the "ability to restore dead cookies using a key from restore files (applies only to Google cookies)." Intriguingly, this capability was restricted to subscribers of Lumma's highest-tier "Corporate" plan, priced at $1,000 per month.

The forum post specified that each key could be utilized twice, allowing for a single instance of cookie restoration. While seemingly limiting, this still poses a significant threat, particularly for organizations adhering to robust security practices.

The introduction of this purported feature in recent Lumma releases is awaiting validation by security experts and Google; it remains unclear whether the functionality performs as claimed. It's noteworthy that another malware, Rhadamanthys, announced a similar capability in a recent update, hinting at a potential security vulnerability exploited by these malicious actors.

Efforts to obtain a comment from Google regarding the possibility of a session cookie vulnerability have been met with silence. Lumma's developers released an update shortly after being contacted by BleepingComputer, positioning it as an additional fix to circumvent new restrictions imposed by Google to hinder cookie restoration.

Despite attempts to glean insights directly from Lumma's operators, they remained tight-lipped about the workings of the feature. When confronted with Rhadamanthys' similar functionality, Lumma's representative asserted that their competitors had imitated the feature without understanding its intricacies.

If the claims about information-stealers restoring expired Google cookies are accurate, users may be powerless to safeguard their accounts until Google issues a fix. Precautions advised include steering clear of torrent files and executables from dubious sources, as well as being cautious with Google Search results.

XLoader macOS Malware Variant Disguised as 'OfficeNote' Productivity App


A fresh variant of the Apple macOS malware known as XLoader has emerged, disguising its malicious intent through an office productivity app named "OfficeNote," according to cybersecurity experts from SentinelOne. 

In an analysis released on Monday, researchers Dinesh Devadoss and Phil Stokes revealed that the new form of XLoader is packaged within a regular Apple disk image, named OfficeNote.dmg. The application it contains bears the developer signature "MAIT JAKHU (54YDV8NU9C)."

XLoader, initially spotted in 2020, is categorized as an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. 

It follows in the footsteps of Formbook. While a macOS variant of XLoader emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file, its execution was limited by the absence of the Java Runtime Environment in modern macOS installs.

To circumvent this constraint, the latest version of XLoader is written in C and Objective-C. The disk image file carrying the malware was signed on July 17, 2023, a signature that has since been revoked by Apple.

SentinelOne reported discovering multiple instances of the malicious artifact on VirusTotal throughout July 2023, indicating a wide-reaching campaign. The researchers noted that the malware is advertised for rent on criminal forums, with the macOS version priced at $199 per month or $299 for three months.

Interestingly, this pricing is steeper than that of the Windows versions of XLoader, which are available for $59 per month or $129 for three months.

Once initiated, the seemingly harmless OfficeNote app displays an error message claiming it cannot be opened due to a missing original item. In reality, it surreptitiously installs a Launch Agent in the background to ensure its persistence.
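Launch Agents are a common macOS persistence mechanism, so a defender's first response to a report like this is to audit the LaunchAgents directories for entries that auto-start a program from an unexpected location. The script below is an added example written for this page, not code from SentinelOne or from the original article; the trusted path prefixes, the "suspicious location" heuristics and the sample plist dictionaries are assumptions constructed for illustration, and none of the paths are taken from the real XLoader sample.

```python
"""Audit macOS Launch Agent property lists for suspicious persistence entries.

Added example: flags agents that auto-start a program living outside the
usual system/application locations. Heuristics and paths are assumptions.
"""
import plistlib
from pathlib import Path

# Standard locations launchd reads user and system Launch Agents from.
LAUNCH_AGENT_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
]

# Programs under these prefixes are treated as expected for a Launch Agent
# (assumed policy; tune for your fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

# World-writable or staging locations a legitimate agent should not run from.
WRITABLE_MARKERS = ("/tmp/", "/private/tmp/", "/Users/Shared/")


def program_path(plist):
    """Return the executable an agent launches, from Program or ProgramArguments."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def assess_agent(plist):
    """Return a list of reasons one parsed Launch Agent plist looks suspicious.

    An empty list means nothing notable was found.
    """
    reasons = []
    path = program_path(plist)
    if path is None:
        reasons.append("no Program/ProgramArguments")
        return reasons
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted prefixes: {path}")
    if any(marker in path for marker in WRITABLE_MARKERS):
        reasons.append("program in world-writable location")
    if path.startswith(str(Path.home())) and "/Library/" not in path:
        reasons.append("program under home directory")
    # Auto-start flags are normal on their own; report them only alongside
    # another finding so the audit stays focused.
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("auto-starts (RunAtLoad/KeepAlive)")
    return reasons


def audit_directory(directory):
    """Parse every .plist in a directory; return {filename: [reasons]} for hits."""
    findings = {}
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.glob("*.plist")):
        try:
            with open(entry, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a malformed plist is itself worth a look
            findings[entry.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_agent(plist)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for agent_dir in LAUNCH_AGENT_DIRS:
        for name, reasons in audit_directory(agent_dir).items():
            print(f"{agent_dir / name}: {'; '.join(reasons)}")
```

Run it on a Mac to list agents whose program sits outside the trusted prefixes; a hit under a user-writable directory combined with RunAtLoad is the pattern to triage first. The heuristics are deliberately simple and will produce some benign hits (third-party tools installed per user, for example), so treat the output as a triage list rather than a verdict.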

XLoader's functionality centers around the collection of clipboard data and information stored within directories associated with web browsers like Google Chrome and Mozilla Firefox. However, Safari appears to be exempt from its targeting. 

Additionally, the malware is engineered to introduce sleep commands, delaying its execution and evading detection by both manual and automated security measures.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."