Search This Blog

Showing posts with label keylogger. Show all posts

 Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid

 

Officials have warned of a possible cyber-attack on Bangladesh's financial and other key institutions' computer systems during the Eid vacations. According to a statement issued by the Digital Security Agency, the affected authorities must install or update anti-DDOS hardware and software. 

Officials believe the warning was sent by the government's specialized cyber-threat agency as a global cyberwar erupts in the Russia-Ukraine conflict, with NATO assisting the latter with arms support. 

The Bangladesh Computer Council's e-Government Computer Incident Response Team (BGD e-GOV CIRT) also recommends all key information facilities' internal systems be checked and monitored.

Following the current conflict between Ukraine and Russia, Tarique M Barkatullah, director (operations) of the Digital Security Agency and project director of the BGD e-GOV CIRT, stated “hackers from both sides are using important information infrastructures of different countries to spread botnets and malware and attack each other.” 

Botnets are computer networks infected with malware (such as computer viruses, key loggers, and other malicious code or malware) and remotely controlled by criminals, either for monetary gain or to launch assaults on websites or networks. 

BGD e-Gov CIRT discovered over 1400 IP numbers used in Russia after analyzing the warning message issued by the Russian Computer Security Incident Response Team. According to the CIA, hackers are using these IPs to spread propaganda and launch distributed denial of service (DDoS) operations. 

Tareq M Barkatullah, project director of BGD e-Gov CIRT, remarked in this reference: “The country's afflicted financial institutions and public service suppliers are being hampered in providing its usual services due to the exploitation of these IP-enabled Bangladeshi servers."

According to the Financial Express, Prof Dr. Md Salim Uddin, chairman of the executive committee of Islami Bank Bangladesh Limited (IBBL), several financial institutions have been targeted by cyber-attacks as a result of the current crisis between Ukraine and Russia.

IBBL is well-prepared to thwart any cyber-attack because it is always adopting new technological solutions. Among the internal systems, he emphasized strengthening cyber-security with new tech solutions and monitoring systems. To prevent all types of cyber threats, financial institutions should join an organization or platform to improve cooperation and integration. He further urges the government to expand collaboration and support in this area in order to combat rising cyber-threats in the future.

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

 

Hackers are deploying the Gh0stCringe remote support trojans on vulnerable computers by inadequately targeting secured Microsoft SQL and MySQL database servers. 

Gh0stCringe, also known as CirenegRAT, is a Gh0st RAT malware variant that was most recently used in Chinese cyber-espionage activities in 2020, however, it has been around since 2018. The malware has several instructions and functionalities which can be activated after the malware connects to its command and control server, or through data stored in the virus's settings. 

Attackers can use Gh0stCringe to download payloads like crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger, which records input data in the Default. key file in the Windows System directory if it is activated. 

Threat actors are infiltrating database servers and writing the malicious'mcsql.exe' executable to disc utilizing the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to the Microsoft SQL server attempts, which used the Microsoft SQL xp cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous malware samples on the investigated servers, implying potentially competing threat actors are infiltrating the same servers to drop payloads with its own operations.

Gh0stCringe RAT is a strong virus that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the enemies. For an endless loop, the keylogging component uses the Windows Polling method (GetAsyncKeyState API) to ask the state of each key. This otherwise dependable recording mechanism carries the risk of very high CPU utilization, however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware will also record keystrokes for the previous three minutes and send them to the infection's command and control servers along with basic system and network information. 

Threat actors will be able to steal login passwords and other sensitive information that logged-in users entered on the device using these logged keystrokes. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode which the threat actor can choose from during deployment.

Update your server software to install the most recent security upgrades, which can help you avoid a variety of attacks to make use of known flaws. It's also critical to use a secure admin password that can't be brute-forced. The most important step is to put the database server behind a firewall to only allow authorized devices to connect to it.

Malware Seller Faces Charges for Peddling WhatsApp Espionage Tools

 

The US Justice Department (DoJ) reported a Mexican businessman named Carlos Guerrero admitted guilt in federal court for peddling spyware/hacking tools to clients in the United States and Mexico.

Authorities accused Guerrero of facilitating the sale of monitoring and surveillance technologies to both Mexican government users and private customers for commercial and personal purposes. Guerrero "knowingly arranged" for a Mexican mayor to obtain access to a political rival's email and social media accounts, according to the investigators. Guerrero also utilized the technology to listen in on the phone calls of a rival from the United States who had been in Southern California and Mexico at the time. 

Guerrero is also suspected of assisting a Mexican mayor in gaining unlawful access to his rival's iCloud, Hotmail, as well as Twitter pages, according to the Department of Justice's news release. A sales representative's phone and email data were hacked in another case, so he had to pay $25,000 to regain the information. The accused also utilized the gadgets to listen more into his rival's phone calls in Mexico and South California. Guerrero's company, Elite by Carga, imported surveillance technology and espionage tools from unknown Israeli, Italian, and other companies. 

Guerrero operated as a broker for an undisclosed Italian business, referred to only as Company A in the accusation, which offered bugging devices and tracking tools between 2014 and 2015. The organization is thought to be Hacking Team, a bankrupt Milan-based maker of offensive infiltration tools which was also breached in 2015 and had leaked emails leaked online, including a cache of Guerrero-related messages. 

Pegasus, strong mobile spyware created by Israeli corporation NSO Group which can acquire near-complete permissions on a target's smartphone, is among the most prominent and reported keylogging software used in Mexico. Over the last two decades, Mexico has spent $61 million on contracts, primarily targeting journalists, activists, and human rights defenders. According to a leaked list of phone numbers suspected to be NSO surveillance targets, Mexico has the most targets — around 700 phones — of any country on the list, which NSO has consistently denied.

Guerrero's information director Daniel Moreno, who is often mentioned in the hacking team's emails, is scheduled to file a similar pleading in the coming weeks.

The Hacking Group 'ModifiedElephant' Remained Undetected

 

SentinelLabs' IT security researchers have discovered information of growing cyber-attacks (APT) wherein the threat actors have been targeting human rights activists, free speech advocates, professors, and lawyers in India using readily available trojans via spear-phishing since 2012. The group known as ModifiedElephant has been found to be planting 'incriminating evidence' on the devices of its targets. 

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of emailing victims that appear to come from a trustworthy source in order to either divulge sensitive information or install malware on their computers. ModifiedElephant usually uses infected Files to spread malware to its victims. The particular mechanism and content included in malicious files have varied over time, according to SentinelOne, the timeline has been given below: 
  • 2013 – An adversary sends malware via email attachments with phony double extensions (file.pdf.exe). 
  • 2015 – The group switches to encryption key RAR attachments including legitimate luring documents that hide malware execution signals. 
  • 2019 – Updated Elephant begins hosting malware-distribution sites and takes advantage of cloud hosting capabilities, transitioning from phony papers to malicious URLs.
  • 2020 – attackers circumvent identification by skipping scans by using big RAR files (300 MB).

The CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits, according to SentinelOne, were frequently utilized in luring documents, which attacked Microsoft Office Suite programs. 

Modified Elephant is not seen using any customized backdoors in its operational history, indicating the group isn't particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans extensively utilized by lower-tier hackers, were the principal malware used in the campaigns. 

ModifiedElephant's Visual Basic keylogger hasn't changed since 2012, and it's been open-source on hacking forums all that time. SentinelLabs remarks on the tool's history, pointing out that it no longer works on recent OS versions. The Android virus is likewise a commodity trojan that is distributed to users in order of an APK, luring them in by appearing like a news app or a secure messaging tool.

Threat Advert is a New Service Strategy Invented by AsyncRAT

 

AsyncRAT is a Remote Access Tool (RAT) that uses a secure encrypted connection to monitor and control other machines remotely. It is an open platform distributed processing tool but it has the potential to be used intentionally because it includes features like keylogging, remote desktop command, and other functionalities that could destroy the victim's PC. Furthermore, AsyncRAT can be distributed using a variety of methods, including spear-phishing, malvertising, exploit kits, and other means. 

Morphisec has detected a new, advanced campaign distribution that has been successfully eluding the radar of several security providers, thanks to the breach prevention using Moving Target Defense technology.

Potential hackers are spreading AsyncRAT to targeted machines with a simple email phishing method with an Html attachment. AsyncRAT is meant to remotely monitor and manipulate attacked systems through a protected, encrypted connection. This campaign ran for 4 to 5 months, with the lowest detection rates according to VirusTotal. 

Victims received the email notification with an HTML attachment in the manner of a receipt: Receipt-digits>.html in many cases. When the victim opens the receipt, users are sent to a webpage where a user must store a downloaded ISO file. The user believes it is a routine file download that will pass via all port and network security scanning channels. Surprisingly, this is not true. 

The ISO download, in fact, is created within the user's browser by the JavaScript code hidden within the HTML receipt file, rather than being downloaded from a remote server. 

To reduce the possibility of infection by AsyncRAT, users must follow the following steps:
  • Updating antivirus fingerprints and engines is a must. 
  • Enable automatic updates to ensure that the operating system is up to date with the most recent security fixes. 
  • Email addresses should not be made public on the internet. 
  • Don't click email attachments with strange-looking extensions. When opening any email attachment, especially the one from unknown senders, proceed with caution.
  • Exercise caution while opening emails with generic subject lines. 

Expert Malnev gave tips on detecting Keylogger

Alexey Malnev, head of the Jet CSIRT Information Security Monitoring and Incident Response Center of Jet Infosystems, spoke about how to detect a Keylogger.

According to the expert, this can be done by scanning the computer with antivirus software, as well as thanks to the built-in EDR (Endpoint Detection and Response) system that analyzes the processes and their memory operation within the operating system.

In the case of corporate devices, a traffic inspection system will help, which can detect a connection over a suspicious Protocol or to a suspicious server on the Internet. The presence of an incident monitoring center in an organization can help detect an entire cyber operation of attackers on its infrastructure, or targeted attacks.

According to the expert, the presence of Keylogger can be considered a symptom of a complete hacking of the user's computer, and this is very bad news for the user. The fact is that modern malicious software most often uses Keylogger as one of many modules.

"There is a high probability that there is already a whole set of other potential problems: theft of confidential files from the hard disk, interception of account data, hidden audio and video recording (if there are a microphone and video camera), the potential destruction of data (if there is a malicious ransomware encryption module), full remote access,” said he.

In such cases, users should immediately disconnect the computer from the local network and the Internet, and then, without restarting it, hand it over to specialists in cybercriminalism. According to Malnev, it is more important to determine how the computer was attacked.

Delving into PoSeidon malware

News of data breaches that have been occurring through card usage at infected point of sale (PoS) systems at retailers has become common now-a-days. There being a huge market for stolen credit card information, the companies are being targeted with newer and sophisticated malwares.

How do these malwares exactly work? During investigation of the cases of breaches, CISCO security solutions have discovered the working mechanism a new malware family which has been nicknamed PoSeidon malware.

The infection of the PoS system possibly arises from a keylogger which after getting installed deletes the profile log in information i.e passwords stored on the system. This forces the user to type down the information which gets recorded by the keylogger and sent back to the server which can then access the system remotely to infiltrate it with the Loader malware to steal card information.

What the Loader does is, it tries to get itself installed in the PoS system as a service that is run as Winhost, so that it can survive reboots of the system. This step is called persistence by which it maintains hold on the system. It then connects to the hardcoded command and control servers, which then sends the second executable part of the malware called the FindStr.

It also simultaneously installs another keylogger. FindStr goes through data on the infected system to look for number sequences that start with 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard) or 3 with a length of 15 digits (AMEX).

It then runs the Luhn algorithm to verify whether its card information or not and sends the information along with data from keylogger to the exfiltration servers from where it can be harvested for further usage.

The malware can also update itself depending on communication from external server. Further investigation shows that developers are working to use these in other newer projects.Faced with such persistent threats organizations need to be vigilant and adopt a threat-centric approach to provide security during the full attack continuum – before, during, and after an attack.