Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybersecurity threat. Show all posts
targeting VMware ESXi systems
Cyber Security cybersecurity threat ESXi environments Linux Security New Linux ransomware Play ransomware variant ransomware attacks ransomware protection targeting VMware ESXi systems

New Linux Play Ransomware Variant Targets VMware ESXi Systems

 

Attacks with a new Play ransomware variant for Linux have been deployed against VMware ESXi systems, most of which have been aimed at the U.S. and at organizations in the manufacturing, professional services, and construction sectors, according to The Hacker News.

Such a novel Play ransomware version was hosted on an IP address that also contained the WinSCP, PsExec, WinRAR, and NetScan tools, as well as the Coroxy backdoor previously leveraged by the ransomware operation, indicating similar functionality, an analysis from Trend Micro revealed. However, additional examination of the payload showed its utilization of a registered domain generation algorithm to bypass detection, a tactic similarly used by the Prolific Puma threat operation. 

"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals," said researchers. Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.

Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."

The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.

Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware. Specifically, it employs what's called a registered domain generation algorithm (RDGA)
Read more »
STR RAT
Credential Theft cybersecurity threat Java Malware keylogging Malicious Payloads malware Phishing Campaigns Remote Access Trojan STR RAT

STR RAT: A Persistent Remote Access Trojan

 

The STR RAT is a remote access trojan (RAT) written in Java, first detected in 2020. Like other RATs, it allows threat actors full control of an infected machine. STR RAT is capable of keylogging, credential theft, and deploying additional malicious payloads. 

The malware is updated annually, aligning with its renewed use by threat actors. Cofense's analysis from January 2023 to April 2024 reveals that 60% of STR RAT samples are delivered directly via email rather than embedded links.

History of STR RAT

STR RAT resembles a seasonal flu, with yearly updates making it more prominent for short periods. Initially discovered on an antivirus forum in 2020, version 1.2 already featured keylogging, password theft, and backdoor access, along with a fake “.crimson” ransomware module that only renamed files. In 2021, Microsoft Threat Intelligence highlighted STR RAT in phishing campaigns. By 2022, it spoofed the Maersk shipping brand and employed a polyglot file technique, allowing execution as an MSI or Java file. In 2023, version 1.6 used Zelix KlassMaster and Allatori for code obfuscation. In 2024, STR RAT was uploaded to legitimate services like GitHub and AWS, making it harder to detect.

STR RAT steals passwords from Chrome, Firefox, Internet Explorer, and email clients like Outlook, Thunderbird, and Foxmail. Key commands include o-keylogger for logging keystrokes, down-n-exec for file execution, remote-screen for commandeering the computer, and power-shell for PowerShell access.

Current Usage and Impact

Though not as prevalent as other RATs like Remcos, STR RAT showed sustained activity from March to August 2023, likely due to the new version and polyglot file technique. In March 2024, significant activity was noted again, attributed to the use of legitimate services like GitHub and AWS for hosting and delivering the malware. STR RAT is typically delivered via email as an archive containing a .jar file, requiring a Java Runtime Environment (JRE) to execute. These archives may also contain necessary JRE binaries or download them from Maven and GitHub repositories.

Delivery Mechanisms

STR RAT's second most common delivery mechanism is loaders, which reach out to a payload location to download and run the malware. Jar Downloaders, CVE-2017-11882 exploits in Microsoft Office, and Windows Registry File downloaders are commonly used loaders. Additionally, embedded URLs in emails or attached PDFs often lead to the malware hosted on legitimate services like AWS, GitHub, and Discord’s CDN.

Unlike loaders, droppers contain the malware to be deployed. STR RAT's most common dropper is the JavaScript Dropper (JS Dropper), a .js file that executes natively on Windows. JS Droppers are usually attached to emails and contain both the dropper and STR RAT.

Behavior and Capabilities

Upon execution, STR RAT places files, creates persistence, and installs dependencies. It uses geolocator services to geo-fingerprint infected computers and sends system information to its command-and-control (C2) server. The malware also uses legitimate Java libraries for keylogging and database connectivity.

Detection and Hunting

Different versions of STR RAT leave various indicators of compromise (IOCs). After execution, STR RAT copies itself to multiple locations, creates a \lib\ folder with legitimate files, and generates a XXXXlock.file in the user's local home profile. The configuration can be observed through memory analysis, revealing the C2 server, port, and domain.

Persistence

STR RAT can create persistence through Registry Run Keys, Startup Folder entries, or Scheduled Tasks, ensuring the malware runs every time the user logs in. Endpoint detection and response software can monitor specific locations for signs of STR RAT persistence.

Network Traffic

STR RAT communicates with C2 servers using subdomains of free dynamic DNS services and legitimate services like GitHub and Maven. HTTP is used for C2 communications, though the port is not the standard tcp/80.

Legitimate Services

STR RAT reaches out to legitimate services for hosting tools and malware. Indicators of suspicious activity include access to GitHub and Maven repositories in conjunction with other malicious behaviors.

By understanding STR RAT's history, capabilities, and delivery mechanisms, cybersecurity professionals can better detect and defend against this persistent threat.
Read more »
zero-day exploit
cryptomining malware cybersecurity threat edge devices malware PAN-OS vulnerability RedTail malware zero-day exploit

RedTail Cryptomining Malware Exploits Zero-Day Vulnerability in PAN-OS

 

Cryptomining malware, potentially of North Korean origin, is targeting edge devices, including a zero-day vulnerability in Palo Alto Networks' custom operating system that the company quickly patched in April. Researchers from Akamai identified the malware, dubbed RedTail due to its hidden "redtail" file name, indicating a sophisticated understanding of cryptomining.

The threat actors behind RedTail are likely operating their own mining pools or pool proxies instead of using public ones, aiming for greater control over mining outcomes despite the increased operational and financial costs of maintaining a private server. Akamai researchers noted that the hackers are using the newer RandomX algorithm for better efficiency and modifying the operating system configuration to use larger memory blocks, known as hugepages, to boost performance.

The use of private mining pools is a tactic reminiscent of North Korea's Lazarus Group, although Akamai has not directly attributed RedTail to any specific group. North Korea is known for its for-profit hacking operations, which include extensive cryptocurrency theft and other methods to evade sanctions (see: US FBI Busts North Korean IT Worker Employment Scams).

Initially spotted earlier this year, the RedTail malware has evolved to incorporate anti-research techniques, making it more difficult for security researchers to analyze and mitigate the threat. Akamai reports that the malware's operators quickly exploited the PAN-OS vulnerability, tracked as CVE-2024-3400, which allows attackers to create an arbitrary file enabling command execution with root user privileges (see: Likely State Hackers Exploiting Palo Alto Firewall Zero-Day).

Other notable targets include TP-Link routers, the China-origin content management system ThinkPHP, and Ivanti Connect Secure. Security researchers warn that advanced hackers, including state-sponsored threat actors, are increasingly focusing on edge devices due to their inconsistent endpoint detection and the proprietary software that complicates forensic analysis.
Read more »
Software Developers
bogus npm packages cybersecurity threat malware malware installation Safety social engineering campaign Software Developers

Fraudulent npm Packages Deceive Software Developers into Malware Installation

 

A new cyber threat dubbed DEV#POPPER is currently underway, targeting software developers with deceitful npm packages disguised as job interview opportunities, aiming to dupe them into downloading a Python backdoor. Securonix, a cybersecurity firm, has been monitoring this activity and has associated it with North Korean threat actors.

In this scheme, developers are approached for fake job interviews where they are instructed to execute tasks that involve downloading and running software from seemingly legitimate sources like GitHub. However, the software actually contains a malicious payload in the form of a Node JS script, which compromises the developer's system upon execution. The individuals involved in tracking this activity, namely Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, have shed light on this fraudulent practice.

This campaign came to light in late November 2023 when Palo Alto Networks Unit 42 revealed an operation known as Contagious Interview. Here, threat actors pose as potential employers to entice software developers into installing malware such as BeaverTail and InvisibleFerret during the interview process. Moreover, in February of the following year, Phylum, a software supply chain security firm, uncovered similar malicious packages on the npm registry delivering the same malware families to extract sensitive information from compromised developer systems.

It's important to distinguish Contagious Interview from Operation Dream Job, associated with the Lazarus Group from North Korea. While the former targets developers primarily through fake identities on freelance job portals and utilizes developer tools and npm packages leading to malware distribution, the latter involves sending malicious files disguised as job offers to unsuspecting professionals across various sectors.

Securonix outlined the attack chain, which begins with a ZIP archive hosted on GitHub sent to the target as part of the interview process. Within this archive lies a seemingly harmless npm module containing a malicious JavaScript file, BeaverTail, which acts as an information stealer and a loader for a Python backdoor named InvisibleFerret retrieved from a remote server. This backdoor is capable of various malicious activities, including command execution, file enumeration, exfiltration, clipboard monitoring, and keystroke logging.

This development underscores the ongoing efforts of North Korean threat actors to refine their cyber attack techniques, continuously updating their methods to evade detection and maximize their gains. Maintaining a security-focused mindset, especially during high-pressure situations like job interviews, is crucial in mitigating such social engineering attacks, as highlighted by Securonix researchers. The attackers exploit the vulnerability and distraction of individuals during these situations, emphasizing the need for vigilance and caution.
Read more »
session cookie vulnerability
Cybercriminal Tactics cybersecurity threat data security risks Google cookie restoration LummaC2 malware exploit online account hijack session cookie vulnerability

Malware Developer Claims Ability to Reactivate Expired Google Authentication Cookies

 

The Lumma information-stealer malware, known as 'LummaC2,' is reportedly touting a novel functionality that claims to enable cybercriminals to revive expired Google cookies, potentially allowing them to take control of Google accounts. Session cookies, specialized web cookies facilitating automatic login during a browsing session, typically have a limited lifespan for security reasons. This measure prevents misuse in case the cookies are stolen, as possessing them grants access to the account.

The discovery of this feature came to light when Alon Gal from Hudson Rock identified a forum post by the malware's developers on November 14. The post announced an update boasting the "ability to restore dead cookies using a key from restore files (applies only to Google cookies)." Intriguingly, this capability was restricted to subscribers of Lumma's highest-tier "Corporate" plan, priced at $1,000 per month.

The forum post specified that each key could be utilized twice, allowing for a single instance of cookie restoration. While seemingly limiting, this still poses a significant threat, particularly for organizations adhering to robust security practices.

The introduction of this purported feature in recent Lumma releases is awaiting validation by security experts and Google. The uncertainty surrounds whether the functionality performs as claimed. It's noteworthy that another malware, Rhadamanthys, announced a similar capability in a recent update, hinting at a potential security vulnerability exploited by these malicious actors.

Efforts to obtain a comment from Google regarding the possibility of a session cookie vulnerability have been met with silence. Lumma's developers released an update shortly after being contacted by BleepingComputer, positioning it as an additional fix to circumvent new restrictions imposed by Google to hinder cookie restoration.

Despite attempts to glean insights directly from Lumma's operators, they remained tight-lipped about the workings of the feature. When confronted with Rhadamanthys' similar functionality, Lumma's representative asserted that their competitors had imitated the feature without understanding its intricacies.

If the claims about information-stealers restoring expired Google cookies are accurate, users may be powerless to safeguard their accounts until Google issues a fix. Precautions advised include steering clear of torrent files and executables from dubious sources, as well as being cautious with Google Search results.
Read more »
XLoader
Apple Apple MacOS Apps cybersecurity threat Data Data Safety data security iOS MacOS Malware malware OfficeNote productivity app Productivity Apps Safety Security XLoader

XLoader macOS Malware Variant Disguised as 'OfficeNote' Productivity App

 

A fresh variant of the Apple macOS malware known as XLoader has emerged, disguising its malicious intent through an office productivity app named "OfficeNote," according to cybersecurity experts from SentinelOne. 

In an analysis released on Monday, researchers Dinesh Devadoss and Phil Stokes revealed that the new form of XLoader is packaged within a regular Apple disk image, named OfficeNote.dmg. The application it contains bears the developer signature "MAIT JAKHU (54YDV8NU9C)."

XLoader, initially spotted in 2020, is categorized as an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. 

It follows in the footsteps of Formbook. While a macOS variant of XLoader emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file, its execution was limited by the absence of the Java Runtime Environment in modern macOS installs.

To circumvent this constraint, the latest version of XLoader employs programming languages like C and Objective C. The disk image file carrying the malware was signed on July 17, 2023, a signature that has since been revoked by Apple.

SentinelOne reported discovering multiple instances of the malicious artifact on VirusTotal throughout July 2023, indicating a wide-reaching campaign. The researchers noted that the malware is advertised for rent on criminal forums, with the macOS version priced at $199 per month or $299 for three months.

Interestingly, this pricing is steeper than that of the Windows versions of XLoader, which are available for $59 per month or $129 for three months.

Once initiated, the seemingly harmless OfficeNote app displays an error message claiming it cannot be opened due to a missing original item. In reality, it surreptitiously installs a Launch Agent in the background to ensure its persistence.

XLoader's functionality centers around the collection of clipboard data and information stored within directories associated with web browsers like Google Chrome and Mozilla Firefox. However, Safari appears to be exempt from its targeting. 

Additionally, the malware is engineered to introduce sleep commands, delaying its execution and evading detection by both manual and automated security measures.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."
Read more »
Subscribe to: Posts (Atom)