Search This Blog

Showing posts with label malware. Show all posts

Understand BatLoader Malware and its Working


The BatLoader follows the common practice that all cybercriminals use to target victims and get maximum output. They prefer to target large organizations, companies, or firms instead of targeting individuals, as the profit of payoff from these firm attacks is huge than targeting potential individuals.

The researchers at VMware Carbon Black stated in their research that the operators of BatLoader are using a dropper to spread a variety of malware tools, along with a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on the target’s system. 

The researchers at VMware also stated that “the threat actors utilize search engine optimization (SEO) poisoning to lure users to downloading the malware from compromised websites.” 

The research highlighted the similarity of BatLoader with Conti ransomware. The team at VMware found that some attributes in BatLoader's attack chain were similar to past incidents in Conti ransomware. 

Mandiant, a subsidiary of Google, has also pointed out the similarities in the techniques employed by BatLoader and Conti. However, the team at VMware clearly stated that there is no link to Conti in the origin of the BatLoader. 

The carbon Black MDR team of VMware has disclosed that there have been 43 successful attacks by BatLoader in the past 90 days. There were some unsuccessful cases also in which the threat operators successfully delivered the initial harm, but the victim did not use it, nullifying the harm. In a further report, the team mentioned the number of affected organizations and their sectors. They targeted five companies in the manufacturing industry, seven in financial services, and nine in business services. There were numerous cases of attempts in the education, IT, healthcare, and retail sector. 

BatLoader’s process of infecting the target’s system 

The process of infecting the target’s system by BatLoader includes incorporation inside Windows MSI installers for software like TeamViewer, LogMeIn, and Anydesk. 

After that, the criminals purchase the adverts to direct the victims to the replica websites like logmein-cloud.com. These purchased adverts pop up on the top of the page where users search for that software like Zoom, Anydesk, etc. 

Later, when the victims follow the adverts, download the software, and execute it, their system gets opened up for the threat actors. 

BatLoader has advanced capabilities, especially for harming businesses, as it is half-automated. It is controlled by a person or group of people in place of additional code. BatLoader operates by the “Living off the land” command to distribute more malware. 

“Living off the Land” attack denotes if the malicious actors have complete control of your system, they can utilize the pre-existing software like Windows PowerShell and scripting tools in your system to administer the system by directing commands without installing any other malware. 

The researchers concluded BatLoader is more dangerous because, after the installation and execution of links that include BatLoader, it will also download and install the banking malware and information. Along with it, the BatLoader can find if it has other linked networks, and it will install remote monitoring and management malware to target all connected systems. 

Even after updates in technology in cyber security, BatLoader and similar threats pose a clear need for more tools and knowledge to detect the source and block the spread of such threats. Considering the regular emergence of new threat vectors, the dynamic of threats is changing, and the demand for updated ways of fighting against these cyberattacks, opting for an online course for gaining cybersecurity knowledge is also an innovative decision to decrease the chances of facing losses due to cyber-attacks.

Beware of this Lethal Malware that Employs Typosquatting to Siphon Banking Data

 

Disneyland Team, a Russian-speaking financial hacking group was identified using lethal info-stealing malware with confusing typosquatted domains to siphon login data for banking sites. 

The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the hacking group specifically targets individuals compromised with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon the data of internet-linked devices, and install additional malware.  

But Gozi is not as powerful as it used to be because search engine designers have launched multiple security measures over the years to nullify the threat of banking malware. But this is where typosquatting plays an important role by designing phishing websites with domain names that are common misspellings of websites. 

Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain ameriprise.com. The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.  

On observing carefully, you can make out small dots under the "a" and the second "e," and if you thought them to be specs of dust on your screen, you wouldn’t be the first one to fall for the visually confusing scam. These are not specs, though, but rather Cyrillic letters that the browser renders as Latin. 

So, when an individual falls into the trap laid by scammers and visits these bogus bank websites, it gets overlaid with the malware, which forwards anything the victim types into the legitimate bank’s website, while keeping a copy for itself. That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively making the MFA useless.

“In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site, KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”

QBot Phishing Exploits Windows Control Panel EXE to Infect Devices


Phishing messages and emails across the QBot malware are allegedly utilizing a DLL hijacking vulnerability in the Windows10 Control Panel to infect PCs, most likely in an effort to avoid being detected by security software. 

DLL hijacking is an attack method used by threat actors to take advantage of the way Windows loads dynamic link libraries (DLLs). 

During the launch of a Windows executable, it will look for any DLL dependencies present in the Windows search path. The program would instead load a malicious DLL and infect the computer if a threat actor creates a malicious DLL with the same name as one of the program's necessary DLLs and retained it in the same folder as the executable. 

QBot, also known as Qakbot, is a Windows malware that was initially a banking trojan but later emerged as a full-featured malware dropper. The malware is also utilized by renowned ransomware gangs like Black Basta, Egregor, and Prolock in order to gain initial access to corporate networks. 

In July, security researcher ProxyLife found that threat actors were using the Windows 7 Calculator's DLL hijacking vulnerability, in order to spread the QBot malware. 

Meanwhile this week, ProxyLife reported that the threat actors have switched to utilizing a DLL hijacking flaw in the Windows10 Control Panel executable, namely control.exe. 

Abusing the Windows Control Panel:  

In a phishing campaign witnessed by ProxyLife, the hackers used stolen reply- chain emails to distribute an HTML file attachment, which downloads a password-protected ZIP archive consisting an ISO file inside. 

The HTML file, named similar to 'RNP_[number]_[number].html, displays an image personating Google Drive and a password for a ZIP archive that is downloaded automatically. This ZIP archive consists of an ISO disk image that, when double-clicked will automatically be displayed in a new drive letter in Windows10 and later. 

This ISO file contains a Windows Shortcut (.LNK) file, a ‘control.exe’ (Windows 10 Control Panel) executable, and two DLL files named edputil.dll (used for DLL hijack) and msoffice32.dll (QBot malware). 

The Windows shortcut (.LNK) included in the ISO uses an icon that attempts to make it look like a genuine folder. 

The shortcut, however, opens the Windows 10 Control Panel executable, control.exe, which is kept in the ISO file, when a user tries to open this fabricated folder. 

The genuine edputil.dll DLL, which is placed in the C:WindowsSystem32 folder, will automatically be loaded when control.exe is opened. It does not, however, look for the DLL in specific folders and will load any DLL with the same name that is put in the same folder as the program control.exe. 

As the hackers are bundling a malicious edputil.dil DLL in the same folder as control.exe, instead the fraudulent DLL will be loaded by the users. Once the malicious edputil.dll DLL is loaded, it infects the device with the QBot malware (msoffice32.dll) using the regsvr32.exe msoffice32.dll command.

Security software may not recognize QBot as malicious if it is installed using a trustworthy tool, such as the Windows 10 Control Panel, allowing the malware to avoid detection. 

QBot will now covertly run in the background, accessing and stealing emails to use them later for the phishing attacks and install additional payloads like Brute Ratel or Cobalt Strike, that are post-exploitations toolkits that hackers use to acquire remote access to corporate networks. This remote access further leads to corporate data theft and ransomware attacks.  

This Infostealer has a Lethal Sting for Python Developers

 

Checkmarx cybersecurity researchers discovered over two dozen malicious packages on PyPI, a popular repository for Python developers, and published their findings in a new report (opens in new tab). 

These malicious packages, which are designed to look almost identical to legitimate ones, attempt to dupe inexperienced developers into downloading and installing the wrong one, thereby spreading malware. The practice is known as typosquatting, and it is widely used by cybercriminals who target software developers. 

The attackers use two distinct methods to conceal the malware: steganography and polymorphism. Steganography is the practice of concealing code within an image, allowing threat actors to spread malicious code via seemingly innocent.JPGs and.PNGs. Polymorphic malware, on the other hand, changes the payload with each installation, allowing it to avoid detection by antivirus software and other cybersecurity solutions.

These techniques were used by the attackers to deliver WASP, an infostealer capable of stealing people's Discord accounts, passwords, cryptocurrency wallet information, credit card data, and any other information on the victim's endpoint that the attacker deems interesting.

When the data is identified, it is returned to the attackers via a hard-coded Discord webhook address. The campaign appears to be a marketing ploy, as researchers discovered threat actors advertising the tool on the dark web for $20 and claiming that it is undetectable.

Furthermore, the researchers believe this is the same group that was behind a similar attack reported earlier this month by Phylum(opens in new tab) and Check Point researchers (opens in new tab). It was previously stated that a group known as Worok had been distributing DropBoxControl, a custom.NET C# infostealer that uses Dropbox file hosting for communication and data theft, since at least September 2022.

Worok, based on its toolkit, is thought to be the work of a cyberespionage group that operates quietly, moves laterally across target networks, and steals sensitive data. It also appears to be using its own, proprietary tools, as no one else has been observed using them.

Analysis of Wiper Malware Groups

Max Kersten, a malware expert at Trellix, recently examined more than 20 wiper variants that completely wipe out computer systems, and have been employed by cyber attackers in multiple attacks since the start of this year. At the Black Hat Middle East & Africa conference on Tuesday, he gave an overview of his findings during a 'Wipermania' session. 

What are Wipers?

A malware designed to harm the victim's system. Using a wiper feature, malware with numerous functionalities can potentially be deployed to completely destroy a system.

However, in some ransomware instances, there is also an unexpected wiper use case. The ransomed machine stays unusable if the ransomware's encryption is flawed, there is no way to restore or directly link to who released the ransomware. Sometimes actors' email addresses are blacklisted or their websites are taken down, which makes it difficult to get a decryption key.

The third is phony ransomware, a less well-known wiper version. Malware that uses ransomware as a front may perhaps never have intended to decrypt the data in the first place, but instead pretends the system is being held for ransom. 

Since Saudi Aramco's 30,000 customer and server systems were rendered unusable by the 'Shamoon virus' more than ten years ago, destructive wiper malware has barely changed. According to a recent report, the threat it poses to enterprise firms is still very significant.

Selecting a target

First, the attack's character. hactivists seek to spread awareness of their cause and rely on the media to do so, in contrast to APT organizations who frequently want to remain undiscovered. Massively dispersed malware is typically categorized as inexpensive malware, and while both could have catastrophic effects, their dispersion modes differ.

The chosen operating system is the second element. While many Linux variants are frequently used to host servers, Windows is the platform business networks utilize the most. Wiping files from employee computers already affects how a firm operates and may be completed quickly because it doesn't call for a privilege escalation.

From this research, the majority of the wipers were found to target the Windows operating system. However, switching to a different platform is not a shield against wipers since some of the ones detected target a very narrow market.

Spreading the virus

Hackers want to run the malware of their choice on the victim's computer in some manner. An execution tactic that was observed is manually running the wipers on each device individually or using group policies to run them simultaneously on many devices. As an alternative, actors may develop a spreading mechanism related to a worm to activate the wiper on all connected devices.

Strategies for recovery

The wiper's objective is to render the system unusable, which can also be accomplished by overwriting files. Be aware that multiple file systems and details on individual disk types have been left out for the sake of conciseness. The majority of wipers concentrate on Windows, which has used NTFS as its primary file system for well over ten years.

Some wipers might just erase every file they come across, including event logs and shadow copies. These two make useful monitoring items because they are typically neither erased nor totally rewritten.

The backup system ought not to be linked to the computers other than when saving the backup otherwise, it runs the possibility of being compromised by malware other than wipers. Ransomware frequently encrypts the data on all associated disks, even backup drives. With administrative rights, the wiper's effects might range from losing files to making the computer unbootable.





FBI Nearly Adopted NSO's Spyware

According to a report published by the New York Times on Saturday, several agents from the US Federal Bureau of Investigation worked to enhance the rollout of Pegasus, the notorious phone-hacking program created by Israel's NSO Group. 

What is Pegasus?

Once installed, Pegasus spyware enables the user to fully manage a target's phone, allowing them to see messages, listen in on calls, and access the phone as a remote listening device.

Significant numbers of human rights activists, journalists, politicians, and corporate executives were reportedly designated as potential targets of NSO's Pegasus program, which has caused criticism for the Israeli company responsible for its development. 

When smartphones are infected with Pegasus, they effectively become portable surveillance tools that can be used to read the target's messages, browse through the images, or even switch on the user's camera and microphone secretly.

FBI Purchased Pegasus 

The highly classified files, which were provided to the Times in response to a FOIA request, reveal that agency officials had developed guidelines for federal prosecutors concerning how to disclose Pegasus usage in court proceedings and were progressed in organizing to brief FBI heads on the malware.

Additionally, the FBI asserted that Pegasus had never been used to assist an FBI investigation. The FBI only obtained a restricted license for product testing and evaluation, the statement read "There was no functional use in support of any investigation."

The announcement represents a clear admission by the FBI that it purchased Pegasus, one of the most advanced hacking tools in existence.

The FBI examined NSO's Phantom software, which has the ability to hack US phones, earlier this year, the press reported. After learning that NSO's hackers were linked to violations of human rights all around the world and as negative press about the technology spread, the FBI eventually opted against utilizing it.

The New York Times broke the news of the FBI's acquisition of Pegasus in 2019 while the Trump administration was in control. However, the bureau has still not ruled out the potential of using comparable technology in the future, the report said, citing recent court records.

A legal brief submitted on the bureau's behalf last month stated that "just because the FBI eventually decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate, and potentially deploy other similar tools for gaining access to encrypted communications used by criminals."



Worok Cyber Espionage Group Employs Malicious PNG Images to Propagate Malware

 

Cybersecurity researchers have unearthed new malware threats manufactured to exploit steganography methodologies. Worok seems to be a complex cyber-espionage operation whose individual stages are still unknown. The campaign's final stage, however, has been identified by two cybersecurity firms.

Worok employs multi-stage malware created to siphon data and target high-profile victims, using steganography ways to conceal parts of the payloads in a plain PNG image file. The new malware was first uncovered by ESET in September. 

The researchers described Worok as a new cyber spying group that employs undocumented tools, including a steganography methodology designed to exfiltrate a malicious payload from a plain PNG image file. 

The cyber espionage group targeted high-profile victims like government agencies, particularly in the Middle East, Southeast Asia, and South Africa. ESET's knowledge of the trouble's attack chain was limited, but the latest report from Avast has provided fresh details regarding this malicious campaign.

According to the Czech security firm, Worok employs a complex multistage design to conceal its activities. The hackers employ sideloading to execute the CLRLoader malware which, in turn, implements the PNGLoader DLL, capable of reading obfuscated code masking in PNG files. 

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. The info stealer can support multiple commands, including running cmd /c, launching an executable, downloading and uploading data, deleting and renaming files, capturing file information, spy network communications, and extracting metadata. 

While researchers are still trying to put all the pieces together, the latest report from Avast confirms that Worok is a custom operation manufactured to siphon data, spy, and target high- victims in specific parts of the globe. 

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails,” Researchers at AVAST explained. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”

Hackers Using Malicious Versions of Popular Software Brands to Propagate RomCom RAT

 

The RomCom RAT (remote access trojan) hacker has launched a new campaign impersonating the official websites of popular software brands SolarWinds, KeePass, and PDF Technologies to propagate malware. 

Researchers from BlackBerry uncovered the malicious campaign while analyzing network artifacts linked with RomComRAT infections resulting from attacks targeting Ukrainian military institutions and some English-speaking nations including the United Kingdom. 

According to Mike Parkin, senior technical engineer at Vulcan Cyber, given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play. It's quite likely there’s state-level planning behind the scenes. 

"At its core, though, this is an attack against human targets,” Parkin said. “They are primarily relying on victims being socially engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface.” 

The RomCom hacker installed clone websites on malicious domains similar to the legitimate ones that they registered. Subsequently, the threat actor trojanized a legitimate application and propagated via the decoy website, deploying targeted phishing emails to the victims. In some cases, the attackers used additional infector vectors. 

The malicious campaign seems like a direct copycat of some attacks we examined during the pandemic where we witnessed a number of vendor products and support tools being impersonated or "wrapped" with malware, stated Andrew Barratt, vice president at Coalfire. 

“The wrapping means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment,” Barratt explained. “Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead.” 

Earlier this year in August, Palo Alto Networks’ Unit 42 linked the RomCom RAT with an affiliate of the Cuba Ransomware named 'Tropical Scorpius,' as this was the first actor to employ the malware with features like ICMP-based communications, commands for file manipulation, process hatching and spoofing, data exfiltration, and activating a reverse shell.

However, the BlackBerry researchers said that there was no evidence for that assumption, and its report mentions Cuba Ransomware and Industrial Spy as possibly related to RomCom RAT. Hence, it remains unclear who is behind RomCom RAT or what are the motives behind the attacks.

Threat Actors Exploit Antivirus Software to Launch LOADINFO Malware, Target Entities in Japan


APT10 uses LOADINFO malware to attack Japanese Organizations

The Chinese Cicada hacking group, known as APT10, was found exploiting security software to deploy a new variant of the LODEINFO malware against Japanese companies. 

The victim organizations include media groups, government, and public sector organizations, think tanks, and diplomatic agencies in Japan, all lucrative targets for cyberespionage. 

As per Kaspersky analysts who have been keeping tabs on APT10's operations in Japan since 2019, the malicious actors are continuously advancing their exploitation techniques and custom backdoor, 'LODEINFO,' to make it difficult for experts to detect. 

Kaspersky published two reports, one showing APT10's exploit chain tactics and the second highlighting the evolution of LODEINFO.

Exploiting security software

The hunt started in March 2022, Kaspersky found that APT10 cyberattacks in Japan started using a new infection vector, consisting of a spear-phishing mail, a self-extracting (SFX) RAR file, and exploiting a DLL side-loading vulnerability in security software. 

The RAR archive consists of the legitimate K7Security Suite Software executable, NRTOLD.exe, and a malicious DLL named K7SysMn1.dll. When NRTOLD.exe is run, it will try to deploy the genuine K7SysMn1.dll file that is usually present in the software suite. 

However, the executable will not look for the DLL in a specific folder and therefore permits malware developers to make a malicious DLL using the same name as K7SysMn1.dll.

If the infected DLL is kept in the same folder as the genuine executables, after launching, the executable will deploy the malicious DLL, containing LODEINFO malware. 

Because the malware is side-loaded using an authentic security app, other security software may not find it malicious. 

The Kaspersky report said: 

"K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities. The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary. These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key."

New LOADINFO

The malware developers launched six new variants of LODEINFO in 2022, the most recent being vo.6.7, launched in September 2022. 

APT10's Japan-attacking operations are marked by the expansion of targeted platforms, constant evolution, stealthy infection chains, and better escape. 

Other recent unfounded operations related to APT10 consist of a campaign attacking Middle Eastern and African governments via stenography and another exploiting VLC to launch custom backdoors. 






Azov Ransomware Tries to Frame Cybersecurity Researchers

 

Azov ransomware, a newcomer to the malware market, is being propagated via pirated software, key generators, and adware bundles, in an attempt to frame security researchers by claiming they are behind the attack. 

The ransom note, named RESTORE_FILES.txt, appears to be politically motivated to push western nations into assisting Ukraine in their war against Russia and claims to have encrypted the file in protest of the seizure of Crimea. 

The note falsely claims on Twitter that security researcher Hasherazade designed the data wiper, with the help of Vitali Kremez, Michael Gillespie, Lawrence Abrams, MalwareHunterTeam and also asks victims to contact the researchers for the recovery of the files. 

According to Lawrence Abrams of BleepingComputer, none of the researchers mentioned in the ransom note are responsible for the attack nor do they have the decryption keys to free the files locked up by the data wiper. 

Furthermore, the note does not include any contact details for the original author meaning there’s currently no way of retrieving from an Azov infection and hence the ransomware should be treated as a data wiper for the moment. 

 Modus operandi of Azov wiper

In a new campaign started over the past two days, a hacker reportedly purchased installs via the SmokeLoader malware botnet, normally propagated through websites offering pirated content including game mods, cheats, and key generators, to deliver the data wiper. 

Additionally, SmokeLoader is also bundling other malware with the data wiper, including the RedLine Stealer info-stealing malware and the STOP ransomware. There have been cases where victims were first attacked by Azov and then STOP ransomware causing double encryption of their files, Bleeping Computer reported. 

To mitigate the risks, users should immediately change the passwords on their online accounts, especially those sensitive in nature, such as online banking, password managers, and email accounts.

Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, threat actors have continued to target Raspberry Robin virus victims, indicating that the worm's creators have sold access to the infected devices to other ransomware gangs.

Raspberry Robin is malware that infects Windows systems via infected USB devices. It is also known as QNAP Worm due to the usage of compromised QNAP storage servers for command and control.

The malware loader Bumblebee, the Truebot trojan, and IdedID also known as BokBot, a banking trojan, have all been distributed using Raspberry Robin. Microsoft analysts claim that hackers also instructed it to launch the LockBit and Clop ransomware on hijacked computers.

The FakeUpdates malware, which resulted in DEV-0243 activity, was installed on Raspberry Robin-infected devices in July 2022, according to a report from Microsoft. DEV-0243 is a ransomware-focused threat actor with ties to EvilCorp that is also thought to have used the LockBit ransomware in some campaigns.

A malicious payload associated with Raspberry Robin has reportedly been the subject of at least one alert on almost 3,000 devices across 1,000 companies, according to data gathered by Microsoft's Defender for Endpoint product over the past 30 days.

When Raspberry Robin-infected devices were updated with the FakeUpdates backdoor earlier in July, Microsoft analysts discovered Evil Corp's pre-ransomware behavior on those networks. The activity was linked to the access broker monitored as DEV-0206, and it was seen during that time period.

In September, IBM's Security X-Force discovered additional linkages between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further speculated that the hackers of such malware operations linked to Raspberry Robin are funding the worm's operators for payload distribution, allowing them to stop using phishing as a method of acquiring new victims. According to Microsoft, the malware is anticipated to develop into a threat that is severe.

How to Prevent Malware on Your Android Device

Malware is a term that describes any malicious program or code that is harmful to systems. It seeks to invade, damage, or disable computers, networks, tablets, computer systems, and mobile devices, often by taking command of a device’s operations. 

According to recent happenings, studies show that all devices including smartwatches are all at risk. However, many organizations are working towards the prevention of such events by spreading correct information to the public domain. There are some steps you can follow to prevent your devices from falling into a malicious trap. 

Before learning the mitigating steps, learn how to identify if your devices are trapped by malware.  You will notice that your devices start working slowly, the screen is inundated with annoying ads, system crashes, you will also notice a mysterious loss of disk space, an increase in your system’s internet activity, browser settings will change, antivirus product stops working properly and you will lose the access to your files or your entire computer. 

Now learn how you can prevent such activities from happening on your devices. 

First Step is to Use a Secure Search Engine on Your Devices 

Now people are more aware that major search platforms are tracking them and collecting their private data. That’s why using a secure search engine is very important which can assure users that the engine is not storing IP addresses or personal information, no tracking data related to search queries, and encrypting and applying time-sensitive limits on active searches. 

Second Step is to Keep Your Phone Updated 

Most Android phones now stay updated automatically. However, one should keep checking. It also provides some critical security updates that help keep you safe. 

Third Step is to Clear Your Browser Cookies 

There are many ways that cookies can put your system at risk. Threat actors can store information from your cookies and use data against your devices. To stay safe, users are recommended to clear cookies from the system from time to time. 

Fourth is to Use Multiple Phone Accounts 

To save your data from threat actors and from crashing you can create multiple user accounts on your Android phone. You can keep your important data and apps safer by accessing certain content on separate accounts. 

Users are Recommended to Install Apps From Official Sources 

Internet users should install apps from official sources, like the Play Store or the Galaxy Store. Also, if something goes wrong or the apps get hacked one can hold an official source responsible for the same. 

Furthermore, internet users should avoid using cracked apps and games, meanwhile, it is strongly recommended that they do not click on random links in text messages.

The TommyLeaks and SchoolBoys Ransomware Gangs Share a Common Enemy

 



New extortion gangs, TommyLeaks and SchoolBoys, have emerged out of China attacking companies around the world with dangerous extortion threats. Even though they are both connected, there is one catch - both are part of the same ransomware gang. 

Earlier this month, security researcher MalwareHunterTeam warned of a new extortion gang called TommyLeaks that was trying to extort companies. 

As a result of the hacking group's activity, companies claim it has breached their networks, stolen data, and demanded a ransom not to leak this data. In a recent report, BleepingComputer reported that ransom demands ranged from $400,000 to $700,000. 

MalwareHunterTeam discovered yet another ransomware extortion gang in October, dubbed 'SchoolBoys Ransomware Gang'. They claim to use ransomware to steal data from victims and encrypt their devices as part of their attacks as part of their ransomware extortion campaigns.

Threat actors steal data during their attacks. However, as of yet, no site with public data leaks is known to have been used by threat actors to leak that data. 

Even though there was nothing that connected the two groups at the time, they both used the same Tor chat system to negotiate over the privacy of their members.

What is even more suspicious about the use of this particular chat system is that it had only ever before been used by the Karakurt extortion group.

BleepingComputer reported this week that TommyLeaks and SchoolBoys Ransomware Gang are both part of the same extortion group called the SchoolBoys Ransomware Gang, also called TommyLeaks.

During a SchoolBoys negotiation chat that BleepingComputer saw, the threat actors appeared to address their victim as TommyLeaks in their attempt to coerce a ransom payment from him. 

Even though it is not entirely clear why they are using two different names as part of their operation, they may be trying to take a similar approach to Konti and Karakurt in terms of the operation. 

As previously reported by BleepingComputer, AdvIntel CEO Vitali Kremez has revealed that Karakurt is a member of the Conti cybercrime syndicate and a member of the DefConti crime family. 

During attacks on Conti's ransomware encryptor, the malware's hackers blocked Conti's encryptor. They then extorted the victim using data that was already stolen under the Karakurt name rather than the Conti brand to gain access to the data. 

To take it one step further, as the TommyLeaks/SchoolBoys group uses the chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

Chrome Extensions with 1M+ Installs Hijack Targets’ Browsers

 

Guardio Labs researchers have discovered Dormant Colors, a new malvertising campaign to deliver malicious Google Chrome extensions. 

Chrome extensions are used to hijack searches and insert affiliate links into web pages. The campaign was dubbed Dormant Colors by experts because the extensions permit color customization. 

“It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction — all using this powerful network of millions of infected computers worldwide!” reads the post published by the Guardio Labs. 

The researchers discovered at least 30 variants of these extensions in both the Chrome and Edge web stores by mid-October 2022. Over a million people installed malicious browser extensions. Experts discovered that the code of Chrome extensions does not contain malicious components in its initial state, but malicious snippets are later added to the code. The attack chain is based on malvertising messages designed to trick victims into clicking on the install button, as seen in the video. Victims are prompted to install a color-changing extension after clicking the 'OK' or 'Continue' button.

Once installed, these extensions redirect users to various pages that side-load malicious scripts that alter browser behavior. The extensions can hijack searches and return affiliate links in the results. This scheme enables threat actors to profit from traffic to these websites while also stealing data.

According to experts, these malicious extensions are more than just other search hijackers because they include "stealth modules for code updating and telemetry collection, as well as a backbone of servers harvesting data from millions of users." The collected data is used to categorize potential targets and select the best social engineering attack vectors to target and steal from them.

Dormant Colors' operations rely on affiliation with 10,000 targeted sites and a global network of millions of infected computers. The attackers add affiliate tags to the URL, and any purchases made on the site result in a commission for the operators. The researchers released a video that depicts affiliate hijacking for the shopping site 365games.co.uk. The video depicts the address bar being filled with data from affiliation sources. The same method can clearly be used to redirect victims to phishing pages in order to steal credentials for popular services such as Microsoft 365, online banking, and social media platforms.

“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without. Adding to that, the code injection technique analyzed here is a vast infrastructure for mitigation and evasion and allows leveraging the campaign to even more malicious activities in the future.” concludes the report that also includes Indicators of Compromise (IoCs) for this campaign. 

“At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data. No extension that makes a fine-looking website look dark and ugly is worth it…”

Irresponsibile Malware Operators Squandered an "Undetectable" Windows Backdoor

 

Due to the malware operators' careless behaviour, a "completely undetectable" backdoor has been discovered. 

SafeBreach Labs claims to have discovered a brand new PowerShell backdoor that, when properly executed, grants attackers remote access to compromised endpoints. From there, the attackers could launch a variety of stage-two attacks, ranging from data stealers to ransomware (opens in new tab) and everything in between. 

Based on the report, an unknown threat actor created "ApplyForm[.]docm," a weaponized Word document. It contained a macro that, when activated, ran an unknown PowerShell script.

"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows," the researchers explained

Updater.vbs would then execute a PowerShell script, granting the attacker remote access. The malware creates two PowerShell scripts, Script.ps1 and Temp.ps1, before running the scheduled task. The contents are concealed and placed in text boxes within the Word document, which is then saved in the fictitious update directory. As a result, antivirus software fails to identify the file as malicious.

Script.ps1 connects to the command and control server to assign a victim ID and receive additional instructions. Then it executes the Temp.ps1 script, which stores data and executes commands. The attackers made the mistake of issuing victim IDs in a predictable sequence, which allowed researchers to listen in on conversations with the C2 server.

While it is unknown who is behind the attack, the malicious Word document was uploaded from Jordan in late August of this year and has so far compromised approximately one hundred devices, most of which belong to people looking for new jobs. The Register reader described their encounter with the backdoor, offering advice to businesses looking to mitigate the damage that unknown backdoors can cause.

“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning."

"They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn't make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this."

How LofyGang Is Using Discord In A Massive Credential Stealing Attack

 

Checkmarx researchers have mapped out a complex web of criminal activity that all points back to a threat actor known as LofyGang. This group of cybercriminals provides free hacking tools, Discord-related npm packages, and other services to other nefarious actors and Discord users. These tools, packages, and services, however, come with a hidden cost: the theft of users' accounts and credit card credentials. 

The researchers discovered at least 200 malicious npm packages uploaded to the official npm website by various LofyGang sock puppet accounts. These npm packages look like genuine packages that enable users to interact with the Discord API. LofyGang dupes users into installing malicious packages instead of legitimate ones by uploading multiple versions of its packages with different misspellings of popular packages.

In order to give their malicious packages credibility on the npm website, the group also ties their npm packages to active and reputable GitHub repositories. An unsuspecting user who enters a typo while searching for a legitimate package may come across a listing for one of these malicious packages, fail to notice the misspelling, and install the package.

Unfortunately for those who install malicious npm packages, the packages are designed to steal users' account and credit card information. However, rather than containing malicious code directly, these packages rely on secondary packages that contain malicious code. Because malware is hidden in dependencies, the original malicious packages are less likely to be reported as malicious and removed from the npm website.

If one of the malicious dependencies is reported and removed, the threat actor can simply upload a new malicious dependency and push an update to the user's original npm package, instructing it to rely on this new malicious dependency.

LofyGang distributes malicious hacking tools on GitHub in addition to malicious npm packages. The hacking tools, like the npm packages, are usually Discord-related. These programmes also contain malicious dependencies that steal account and credit card information. LofyGang promotes these tools on a variety of platforms, including YouTube, where the group posts tool tutorials.

The LofyGang's Discord server, which has been operational since October 2021, is another avenue for promoting the group's malicious hacking tools. Users can join this Discord server to get assistance with the tools. The server also includes a Discord bot that can grant users a free Discord Nitro subscription using stolen credit card information. 

However, in order to use the bot, users must provide their Discord account credentials, which LofyGang is likely to add to the growing list of credentials stolen by its malicious packages and tools. At the end of the day, Checkmarx's report shows that anyone using LofyGang's packages, tools, and services, whether they realise it or not, is handing over their account and credit card credentials.

Zinc APT is Conducting an Attack Against Victims in Critical Sectors


 
During recent months, Microsoft has detected cyberattacks targeted at security researchers by an actor tracked as ZINC, who is also called the author of these attacks. Originally, the campaign was brought to the attention after Microsoft Defender for Endpoints detected an attack that was taking place in the background. 

As a consequence, seven groups have been identified as being targeted, including pen testers, private offensive security researchers, and employees of security and technology companies. Based on the observations made by MSTIC, which is a Microsoft Threat Intelligence Center, we can attribute this campaign with high confidence to ZINC, which is a DPRK-affiliated and state-sponsored group, given its tradecraft, infrastructure, malware patterns, and account affiliations.


Campaigns designed to attack 


Using a high degree of confidence, Microsoft Threat Prevention and Defense has linked these recent attacks to a threat group identified as Zinc. The group is allegedly associated with recent attacks on LinkedIn. In addition, the group is also linked with one of the groups of the Lazarus movement.

• During their experiments, researchers noticed Zinc using a wide variety of open-source software, including KiTTY, TightVNC, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers.

• As far as Microsoft is concerned, there are around five methods for trojanizing open-source applications, including packing with commercial software protection Themida, hijacking DLL Search orders, using custom encryption methods, encoding victim information in parameters associated with common keywords, and using SSH clients.

• A number of these applications are bundled with malicious shellcodes and malicious payloads that belong to the ZetaNile malware family that researchers have been tracking.

Is there anyone who has been affected by the crisis?


There has been a recent rash of attacks caused by Zinc on employees of various companies located in the United Kingdom, the United States, Russia, and India. These companies operate in different industries such as defense, aerospace, IT services, and media.


The tactical approach to the spread of infection 


A LinkedIn security team discovered Zinc impersonating recruiters from defense, technology, and media companies. This was malware that was delivered from LinkedIn to WhatsApp. Despite this, LinkedIn immediately suspended accounts linked to suspicious or fraudulent behavior as per its policies and the accounts spotted in these attacks.

Earlier this month, Mandiant reported about an ongoing campaign related to the weaponized version of PuTTY being used by some hackers; the operation Dream Job campaign was initiated by attackers to extract information about jobs on LinkedIn using job lures.

In essence, throughout its attack campaign, Zinc targets victims all over the world with a wide range of platforms and open-source software, making it one of the most dangerous cyber threats for businesses globally. 

To prevent such abuses, individuals and organizations that use open-source software should therefore ensure that they are vigilant. Whenever possible, it is highly recommended that you leverage a threat intelligence platform to find threats that are tailored to your needs.

OnionPoison: Malicious Tor Browser Installer Distributed through YouTube Video

 

Researchers at Kaspersky have detected a trojanized version of the Window installer for the Tor Browser, that is being distributed through a popular Chinese YouTube channel. 
 
The malware campaign, dubbed OnionPoison allegedly reaches internet users through the Chinese-language YouTube video. The video is providing users with information on ‘staying anonymous online.’ 
 
The threat actors attach a malicious URL link to the official Tor website, below the YouTube video. Additionally, adding another link to a cloud-sharing service hosting an installer for Tor was modified to include malicious code.  
 
The YouTube Channel has more than 180,000 subscribers, with the video being on top result for the YouTube query ‘Tor浏览器’ translating to “Tor Browser.” The video, posted on January 2022 had more than 64,000 views at the time of discovery (March 2022), reported Kaspersky. The malware installs a malicious Tor Browser that is structured to expose user data that involves a list of installed software, browsing history, and data the users may have entered in a website form. The researchers also found that the library bundled with Tor Browser is infected with spyware. 
 
“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it [...] We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.” reads the analysis conducted by Kaspersky. 
 
It is worth mentioning that the Tor browser is banned in China on account of China's extensive internet censorship. As a result, users often access the browser through third-party websites for downloading it. Hence, the users are most likely to be exposed to scams and be deceived into downloading the malicious installer.  
 
It is believed that the intention of the OnionPoison campaign may not be financially motivated as the threat actors did not recover any credentials or wallets.  
 
In regard to this, the researchers are warning China-based users and companies to avoid using third-party websites for downloading software to prevent becoming targets of threat actors.  
 

Trend Mirco Tracking Earth Aughisky’s Malware and Changes

 

Trend Micro’s security researchers and analysts have shared information pertaining to their research paper 'The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started' in which the platform monitoring advanced persistent threat (APT) groups’ attacks and tools, Earth Aughisky (also known as Taidoor). 

Researchers observed that the threat actors named this malware family Roudan while looking at both the backdoor and backdoor builder. The name Taidoor is interchangeably used to refer to the group and the malware. 

This group is found to be more active among others as it has been rampantly attacking organizations. Besides, the group continues to update its tools and malware deployments which makes it a more lethal threat. The recent targets of this group have been observed in Taiwan and Japan, researchers said. 

In the research paper, the monitoring units explained and listed all the malware attributed to the group, the latest updates in illicit activities potentially related to real-world changes, and the relation of these malware families and tools with other APT groups. 

Furthermore, people can also read recommendations and potential threats from this APT group. This classic Earth Aughisky malware was first reported 10 years ago, however, the group has always been known for its different formats employed for callback traffic as it contains an encoded MAC address and data. 

The blog post concluded – “The Over the years, the consistent monitoring of APT group Earth Aughisky enabled cybersecurity researchers to gain insights into the inner workings of other similar cyberespionage groups…” 

“…The amount of data gathered using various analysis techniques show an overview of motivations, the maturity of their technical skills, and even the plausible real-world connections of incidents. Groups like Earth Aughisky have sufficient resources at their disposal that allow them the flexibility to match their arsenal for long-term implementations of cyber espionage, and organizations should consider this observed downtime from this group’s attacks as a period for preparation and vigilance for when it becomes active again”.

Trojanized Comm100 Live Chat App Installer Distributed a JavaScript Backdoor

Cybersecurity platform CrowdStrike reported a supply chain attack that involved the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. The application suffered an attack from 27 September to 29, 2022. 

Additionally, the malicious group actively attacked other sectors of the organizations with the same installer including the industrial, technology, healthcare, manufacturing, telecommunications sectors, and insurance in North America and Europe. 

Canadian application Comm100 facilitates over 200,000 businesses with its customer service and communication products. With more than 15,000 clients, the Comm100 company offers chat and customer engagement applications to businesses in 51 countries. However, the company did not report anything on how many customers got affected by the attack. 

According to the Cybersecurity firm CrowdStrike, the malware was proliferated using a Comm100 installer that was downloadable from the company’s website. On September 26, the installer was signed with legitimate information on the Comm100 desktop agent app. 

“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at hxxps[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win[.]exe that was available until the morning of September 29 was a trojanized installer.”, Crowdstrike confirmed. 

Also, a malicious loader DLL called MidlrtMd[.]dll has been used as part of the post-exploitation action. It starts an in-memory shellcode to inject an embedded payload into a new Notepad process (notepad[.]exe). The CrowdStrike believed that the China nexus threat actor is behind the attack because the group previously targeted several Asian online gambling organizations. 

“Furthermore, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, the aforementioned tactics, techniques, and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors”, CrowdStrike Intelligence customers reported.