
Threat Actors are Using Webhards And Torrents to Spread RAT Malware in Korea

ASEC researchers have discovered a new malicious campaign targeting South Korean users. Threat actors are distributing easily obtainable malware such as njRAT and UDP RAT through webhards and torrents, disguised as normal programs such as games or adult content.

According to ASEC analysts, webhards (web hard drives) are a popular type of online file-storage service in Korea, favoured mainly for the convenience of direct downloads. Threat actors are using them to distribute a UDP RAT disguised as a ZIP file containing an adult game, and they lure users to the webhard listing through Discord or social media platforms.

The downloaded ZIP archive contains a number of files, and the user is expected to open "Game..exe" (note the double dot) to play the game. On execution, "Game..exe" hides itself and launches "Game.exe", a copy of the legitimate game launcher, so the victim sees the game start normally.

The launcher also runs stick.dat, which is an ALZip SFX (self-extracting) archive. It drops two further pieces of malware, "Uninstall.exe" and "op.gg.setup.apk", into the C:\Program Files\4.0389 folder and then executes Uninstall.exe. Uninstall.exe is another launcher that runs op.gg.setup.apk, a downloader that fetches Op.gg.exe from a remote server into the same directory and runs it.

njRAT is malware that steals private information from victims, such as account credentials and keystrokes. It can also capture screenshots of the compromised device and modify the Windows registry for persistence. This variant adds a registry key so that it keeps reconnecting to the C2 server, and it allows the attackers to drop further payloads.

Threat actors have used a variety of tricks to convince users to download njRAT, with torrents and file-hosting services being a preferred channel. In June this year, ASEC warned about the same issue when threat actors distributed a repackaged version of the well-known game Lost Ruins. The package ran both the game and the malware at the same time, making the infection hard to notice.

The researchers advise users to be cautious with executables downloaded from file-sharing sites and to obtain software from the developers' official websites.
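The chain above relies on two tricks a quick static triage can catch before anything is run: lookalike file names ("Game..exe", double extensions) and a PE file hiding behind a data extension (stick.dat, the SFX). The script below is an added example written for this page, not ASEC's code or a sample from the campaign; the archive it inspects is built in memory from constructed placeholder bytes, and the name and extension heuristics are generalisations of the pattern described above rather than signatures for this specific malware.

```python
import io
import zipfile

# Placeholder DOS/PE header so the demo files pass a magic-byte check.
# Constructed for the example; these bytes are not malware.
FAKE_PE = b"MZ" + b"\x00" * 62

# Constructed archive contents modelled on the campaign: the double-dot launcher
# "Game..exe", the genuine "Game.exe", "stick.dat" (a PE behind a data extension)
# and "photo.jpg.exe", a generic double-extension lure.
SAMPLE_ENTRIES = {
    "Game..exe": FAKE_PE + b"launcher",
    "Game.exe": FAKE_PE + b"real game launcher",
    "stick.dat": FAKE_PE + b"self-extracting archive",
    "photo.jpg.exe": FAKE_PE + b"lure",
    "readme.txt": b"how to play",
}

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "dll"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "zip", "mp4"}


def build_sample_zip():
    """Write SAMPLE_ENTRIES into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_name(filename):
    """Return (extension, reasons) where reasons lists why the name looks like a masquerade."""
    base = filename.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ".." in base or base.endswith(".") or base != base.rstrip():
        reasons.append("lookalike name (repeated/trailing dots or trailing whitespace)")
    if len(parts) >= 3 and ext in EXEC_EXTS and parts[-2] in DECOY_EXTS:
        reasons.append(f"double extension: looks like .{parts[-2]} but runs as .{ext}")
    return ext, reasons


def triage_zip(zip_bytes):
    """Flag archive members whose name or magic bytes suggest a disguised executable."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext, reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                magic = fh.read(2)
            # A PE file behind a non-executable extension is what an SFX-based
            # dropper such as stick.dat relies on to look harmless.
            if magic == b"MZ" and ext not in EXEC_EXTS:
                reasons.append(f"PE header behind non-executable extension .{ext or '(none)'}")
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed archive, "Game..exe", "stick.dat" and "photo.jpg.exe" are flagged while the genuine "Game.exe" and "readme.txt" are not. Windows Explorer hides known extensions by default, which is why the double-extension and trailing-dot checks matter more than they look.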

Switzerland Based MCH Group Hit by a Cyber Attack

MCH Group, the international live-marketing company headquartered in Basel, Switzerland, was hit by a criminal cyber-attack involving malware on Wednesday, 20 October 2021. The Swiss event organizer and marketing firm says it is working to restore its systems as quickly as possible.

The multinational marketing and events organization is well-known for its trade shows Baselworld and Art Basel. 

In a statement released on Thursday, 21 October, MCH confirmed that it had been the target of a malware attack the day before.

With the help of external experts and federal authorities, the company's IT specialists worked to limit the damage. An investigation is under way to establish whether any data was exfiltrated.

According to the firm, the incident does not affect current events, and upcoming trade shows will go ahead as scheduled. No ransom was demanded. MCH has stated that it will pursue criminal proceedings against the perpetrators.

“The internal ICT specialists, together with other external experts and the federal authorities, immediately took measures to limit the damage as far as possible,” it said in a statement. “As part of this process, it will be investigated if any data have been siphoned.” 

MCH Group was formed in 2001 through the merger of two companies that ran trade fairs in Basel and Zurich respectively. It is listed on the stock exchange, although a large share of it is owned by public authorities.

It employed 710 people at the end of December, 355 of them in Switzerland. The coronavirus pandemic pushed the company into the red in 2020, but it is seeking a recovery with fresh financing and new initiatives.

Cyber-attacks on public bodies and private companies are also on the rise in Switzerland, although not all incidents are made public.

On Thursday it was also revealed that cybercriminals had broken into the official EasyGov system and obtained the identities of around 130,000 businesses that had applied for emergency loans during the pandemic. Authorities say no sensitive information was compromised.

The municipal administration of the Swiss town of Montreux, the rail manufacturer Stadler Rail, and the price-comparison website Comparis have also been attacked, and in August the personal data of the entire population of Rolle was reportedly published online.

RedLine Stealer Identified as Major Source of Stolen Credentials on Dark Web Markets

A significant proportion of the stolen credentials traded on two dark web marketplaces were harvested by the RedLine Stealer malware, according to Insikt Group, Recorded Future's threat research arm.

RedLine Stealer, first seen in March 2020, belongs to the infostealer family: malware whose primary goal, once it has infected a computer, is to capture as much user data as possible and send it to the attackers, who often sell it on.

RedLine's collection features include extracting login credentials from web browsers, FTP clients, email clients, instant messaging clients, and VPN clients. It can also harvest authentication cookies and credit card numbers from browsers, chat logs, local files, and cryptocurrency wallet databases.

Since March 2020 the malware has been sold on several underground hacking forums by a developer using the handle REDGlade. After positive feedback in a forum thread, cracked versions of RedLine Stealer were leaked on hacker forums a few months later, in August, allowing it to spread to even more threat actors who no longer had to pay for it.

Even before the cracked version appeared, RedLine had built a devoted following. According to a report published last week by Insikt Group, the majority of the stolen credentials for sale on two underground marketplaces come from computers infected with RedLine Stealer.

Insikt researchers stated, “Both Amigos Market and Russian Market were identified by Insikt Group (June 2021) posting identical listings regularly that contained the same timestamps, infostealer variants used, geographical locations of affected machines, and ISPs.” 

Insikt's findings follow similar research by threat intelligence firm KELA from February 2020, which found that around 90% of the stolen credentials sold on Genesis Market came from infections with the AZORult infostealer.

Taken together, the two reports show that underground cybercrime marketplaces are fragmented and often rely on their own independent suppliers, just as legitimate markets favour particular business partners.

That fragmentation opens a path to disrupting the supply of several underground markets at once by going after the developers and sellers of these infostealers. In February 2020, a Chrome update that changed how the browser stores saved credentials halted the flow of freshly stolen credentials to Genesis Market for months, until the AZORult stealer was updated to support the new format.

YouTube Videos Spread Password Stealing Malware

Named after the Trojan horse of Greek legend, a Trojan is a form of malware that disguises itself as a legitimate file or program to trick unsuspecting users into installing it. This gives attackers unauthorized remote access: they can then monitor the user's activity (web browsing, computer use, and so on) to collect and exfiltrate sensitive data, erase files, or download further malware onto the PC.

Threat actors are getting more inventive and have begun using YouTube videos to spread malware via links embedded in video descriptions. Cluster25 security researcher Frost reports that malware campaigns pushing password-stealing Trojans have increased significantly on YouTube. Frost believes two clusters of malicious activity are operating at the same time, one distributing RedLine and the other distributing Raccoon Stealer.

The attackers start by creating dozens of new YouTube channels dedicated to software cracks, licence keys, how-to guides, cryptocurrency, mining, game cheats, VPN software, and just about any other popular topic. The videos show how to complete a task with a particular piece of software, and the video description offers a link supposedly to that software, which in fact delivers the malware.

"We are aware of this campaign and are currently taking action to block activity by this threat actor and flagging all links to Safe Browsing. As always, we are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves," said Google. 

According to the researcher, thousands of videos and channels were created as part of the campaign, with 100 new videos and 81 channels appearing in a single twenty-minute span. The threat actors use stolen Google accounts to create the new YouTube channels that spread the malware, Frost says, creating a self-sustaining and ever-growing loop.

"The threat actors have thousands of new channels available because they infect new clients every day. As part of these attacks, they steal victims' Google credentials, which are then used to create new YouTube videos to distribute the malware," Frost said.

These campaigns show why programs should not be downloaded from arbitrary links on the Internet: video platforms cannot vet every link posted to sites like YouTube. Before downloading and installing anything from a website, a user should check whether the site has a solid reputation and can be trusted.

Attackers Use Cookie Theft Malware to Hijack YouTube Accounts

Google says it has disrupted a phishing campaign that targeted YouTube creators with cookie-stealing malware, in which attackers hijacked YouTube accounts and used them to promote cryptocurrency scams.

The actors behind the campaign were recruited on a Russian-speaking forum and targeted thousands of YouTubers with phishing emails. They lured victims with fake collaboration offers, such as promoting a free VPN, music player, or anti-virus product.

After winning a victim's confidence, the attackers would send a URL, either by email or in a PDF on Google Drive, that promised legitimate software but instead led to a malware-laden page. Once run, the malware steals cookies from the target's browser in a non-persistent "smash-and-grab" fashion: it grabs the session cookies and uploads them immediately rather than maintaining a foothold on the machine.

The attackers then replayed the stolen cookies to take over the victim's account and sold the hijacked channels on dark web markets to the highest bidder, for between $3 and $4,000 depending on the number of subscribers.
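A replayed session cookie is valid for as long as the session is, so the detection opportunity on the server side is the change of client behind an unchanged cookie. The script below is an added example for this page, not Google's detection logic; it runs a simple session-binding rule over a few constructed web-server log lines (the IPs, session IDs and user agents are made up) and flags a cookie that suddenly arrives from a different address and a different browser within a short window, while treating an address change alone as low-severity roaming.

```python
import re
from datetime import datetime, timedelta

# Constructed web-server log lines (not real traffic): timestamp, session-cookie id,
# client IP and User-Agent for each request.
SAMPLE_LOG = """\
2021-10-20T09:00:01Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
2021-10-20T09:05:12Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
2021-10-20T09:07:40Z sid=a1b2c3 ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/93.0"
2021-10-20T09:08:02Z sid=d4e5f6 ip=192.0.2.55 ua="Mozilla/5.0 (Macintosh) Safari/605.1.15"
2021-10-20T11:30:00Z sid=d4e5f6 ip=192.0.2.56 ua="Mozilla/5.0 (Macintosh) Safari/605.1.15"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')


def parse_log(text):
    """Yield (timestamp, sid, ip, ua) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["sid"], m["ip"], m["ua"]


def detect_cookie_replay(text, window=timedelta(minutes=30)):
    """
    Bind each session id to the client it was first seen with. A later request
    with the same cookie but a different IP *and* a different User-Agent inside
    `window` is the signature of a stolen cookie replayed from the attacker's
    machine (high). An IP change alone with the same browser (mobile roaming,
    VPN toggle) is only noted (low).
    """
    first_seen = {}
    alerts = []
    for ts, sid, ip, ua in parse_log(text):
        if sid not in first_seen:
            first_seen[sid] = (ts, ip, ua)
            continue
        ts0, ip0, ua0 = first_seen[sid]
        if ip != ip0 and ua != ua0 and ts - ts0 <= window:
            severity = "high"
        elif ip != ip0:
            severity = "low"
        else:
            continue
        alerts.append({"sid": sid, "severity": severity, "at": ts,
                       "from": (ip0, ua0), "to": (ip, ua)})
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_replay(SAMPLE_LOG):
        print(f"[{alert['severity']}] session {alert['sid']} moved from "
              f"{alert['from'][0]} to {alert['to'][0]} at {alert['at']:%H:%M:%S}")
```

On the sample, session a1b2c3 produces a high-severity alert (new IP and new browser seven minutes after the last legitimate request), and d4e5f6 only a low one. The rule is a detection, not a fix: the matching mitigation is to revoke the session on a high-severity hit and to keep sessions short and re-authenticated for sensitive actions, so that a grabbed cookie is worth less by the time it is replayed.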

Since the campaign began in 2019, the threat actors have created roughly 15,000 accounts and domains associated with fake companies, along with more than 1,000 websites used to deliver malware. Some of the sites posed as legitimate software sites, such as Luminar, Cisco VPN, and games on Steam, while others were built from online templates. The malware used in the campaign included Azorult, Grand Stealer, Kantal, Masad, Nexus stealer, Predator the Thief, RedLine, Raccoon, Vikro Stealer, and Vidar, alongside open-source tools such as Sorano and AdamantiumThief. All of it could steal both passwords and cookies.

Working with its YouTube, Gmail, Trust & Safety, and Safe Browsing teams, Google cut the volume of the campaign's malicious emails on Gmail by 99.6%. Since May 2021 the company has blocked 1.6 million messages the scammers sent to their victims, displayed roughly 62,000 Safe Browsing warnings for the identified phishing pages, blocked 2,400 files, and restored roughly 4,000 affected accounts.

“With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation,” Google explained.

WordPress WP Fastest Cache Plugin Discovered With Multiple Vulnerabilities

WP Fastest Cache is one of a handful of WordPress plugins intended to improve site performance. It generates and maintains a static copy of posts and pages so that fewer database queries are needed to render the site, reducing server load.

Jetpack security researchers have uncovered several vulnerabilities in the popular WP Fastest Cache plugin that could let an attacker gain administrator-level access. The plugin is installed on more than a million WordPress sites.

The researchers reported several flaws; two of the most serious are:

  • Authenticated SQL (MySQL) injection

Through an authenticated SQL injection, a logged-in user can read administrator-level data from the database. SQL injection is an attack in which untrusted input is incorporated into a database query against the server that stores site data such as usernames and password hashes. A successful injection can lead to a full site takeover.

“If exploited, MySQL injection bugs can give attackers access to privileged information from the affected site’s database (such as username and hash password). This can only be exploited if the Classic Editor plugin is also installed and activated on the site,” stated The Jetpack Security Bulletin. 

  • Stored XSS via cross-site request forgery

Cross-site scripting (XSS) flaws are common and stem from missing input sanitization and output encoding. If data a user submits to the site, for instance through a contact form, is stored and later rendered without being sanitized, other users who view that page can be attacked.

Sanitization means restricting submitted data to its intended form, such as plain text, rather than script or commands. Without it, an attacker can inject malicious scripts that later run in the browsers of administrators who view the affected page, for example to steal their session or credentials or to act with their privileges.

Cross-site request forgery (CSRF) is when an attacker tricks a logged-in user, such as an administrator, into visiting a page that makes the user's browser perform unintended actions on the target site.

These vulnerabilities are harder to exploit because they require the Classic Editor plugin to be active and, for the injection, the attacker to hold an authenticated account. They are nevertheless serious, and Jetpack advises updating WP Fastest Cache to at least version 0.9.5, released on October 14, 2021.

According to Jetpack: "If exploited, the MySQL injection bug lets attackers gain access to privileged information from the affected site's database (such as username and hashed password). Successful exploitation of the CSRF and Stored XSS vulnerabilities can allow bad actors to log in as the administrator on the targeted site."
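To make the two bug classes concrete, the block below is an added example written for this page; it is not WP Fastest Cache code and does not reproduce the plugin's actual flaws. It models the wp_users table in an in-memory SQLite database with constructed rows and placeholder hashes, shows a query built by string concatenation leaking every user's password hash to an authenticated user, then the parameterised form that does not, and finishes with the two controls that close the CSRF-to-stored-XSS chain: a per-user, per-action nonce (the role wp_create_nonce plays in WordPress; the HMAC secret here is a made-up stand-in for the site salts) and HTML-encoding of stored values before they are rendered.

```python
import hashlib
import hmac
import html
import sqlite3


def make_db():
    """In-memory stand-in for wp_users; rows and hashes are constructed placeholders."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "admin", "$P$B-placeholder-admin-hash", "admin@example.test"),
        (2, "editor", "$P$B-placeholder-editor-hash", "editor@example.test"),
        (3, "subscriber", "$P$B-placeholder-subscriber-hash", "sub@example.test"),
    ])
    return db


def lookup_user_vulnerable(db, user_login):
    # User-controlled text is pasted straight into the SQL string. A value such as
    # "x' OR '1'='1" turns a single-row lookup into a dump of every hash.
    sql = f"SELECT user_login, user_pass FROM wp_users WHERE user_login = '{user_login}'"
    return db.execute(sql).fetchall()


def lookup_user_safe(db, user_login):
    # Parameter binding: the value travels separately and cannot change the query.
    sql = "SELECT user_login, user_pass FROM wp_users WHERE user_login = ?"
    return db.execute(sql, (user_login,)).fetchall()


# --- CSRF token and output encoding for the stored-XSS half -----------------------

SECRET = b"constructed-example-secret"  # stand-in for the WordPress site salts


def make_nonce(user_id, action):
    """Per-user, per-action token; a forged cross-site form cannot know it."""
    msg = f"{user_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action):
    return hmac.compare_digest(nonce, make_nonce(user_id, action))


def save_setting(request, user_id):
    """
    Handle a settings-form POST the way a plugin should: refuse a request without
    a valid nonce (CSRF) and HTML-encode the value before it is stored and later
    rendered in the admin UI (stored XSS). Returns the stored value or None.
    """
    if not verify_nonce(request.get("_wpnonce", ""), user_id, "wpfc_save_settings"):
        return None
    return html.escape(request["value"], quote=True)


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, payload))
    print("safe:      ", lookup_user_safe(db, payload))
    nonce = make_nonce(1, "wpfc_save_settings")
    print(save_setting({"_wpnonce": nonce, "value": "<script>alert(1)</script>"}, 1))
```

The injection payload works the same way against MySQL, since it only relies on closing the quoted string and appending a tautology. Note that the nonce check alone does not stop a stored XSS planted by an authenticated attacker; the encoding step is what neutralises the payload when an administrator views it.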

Threat Actors Abuse Discord to Push Malware

Cybercriminals are using Discord, a popular VoIP, instant messaging, and digital distribution platform with 140 million users in 2021, to distribute malware.

Discord servers are organised into topic-based channels in which users communicate by text or voice. In text channels they can attach any kind of content, including images, documents, and executables, and those files are stored on Discord's Content Delivery Network (CDN).

Many of the files hosted there are malicious, indicating that threat actors are abusing Discord's self-hosted CDN by creating channels solely to distribute them. Although Discord was originally built for the gaming community, many companies have adopted it for workplace communication, and in doing so may be allowing this traffic, including malicious files served from Discord's CDN, onto their networks.

Exploiting Discord channels 

RiskIQ researchers looked at how attachment links on Discord's CDN are structured, using the format hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{FileName} as the starting point for finding malware.

According to the researchers, they collected such links and queried on the channel IDs they contain, which let them identify domains whose web pages link to a Discord CDN URL for a given channel.

“For example, the RiskIQ platform can query the channel IDs associated with zoom[-]download[.]ml,” researchers explained. “This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord’s CDN.” 

In another case, RiskIQ found that the channel ID from a URL serving a Raccoon password stealer led back to a domain on Taplink, a site that offers users micro landing pages pointing to their Instagram and other social media accounts.

The approach also let the researchers establish the day and time each Discord channel was created; channels created within a few days of the first VirusTotal observation of a file they hosted were judged to exist solely to distribute malware. In total, RiskIQ identified and catalogued 27 distinct malware families hosted on Discord's CDN.
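The channel-age pivot works because Discord IDs are snowflakes: the upper 42 bits of both the channel ID and the attachment ID are a millisecond timestamp counted from 2015-01-01T00:00:00Z, so a CDN link alone reveals when the channel was created and when the file was uploaded. The following is an added example written for this page, not RiskIQ's tooling; the sample links are constructed with IDs generated by the block's own make_snowflake helper, and the seven-day "throwaway channel" threshold is an assumption chosen for illustration rather than a figure from the research.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the epoch of Discord snowflake IDs

CDN_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/(?P<channel>\d+)/(?P<attachment>\d+)/(?P<name>[^\s?#]+)"
)


def snowflake_time(snowflake):
    """The top 42 bits of a Discord snowflake are milliseconds since DISCORD_EPOCH_MS."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def make_snowflake(when):
    """Inverse of snowflake_time; used here only to build realistic sample IDs."""
    ms = int(when.timestamp() * 1000)
    return (ms - DISCORD_EPOCH_MS) << 22


def parse_cdn_url(url):
    """Extract channel, attachment and file name from a CDN link, with decoded timestamps."""
    m = CDN_RE.search(url)
    if not m:
        return None
    return {
        "channel_id": m["channel"],
        "attachment_id": m["attachment"],
        "filename": m["name"],
        "channel_created": snowflake_time(m["channel"]),
        "uploaded": snowflake_time(m["attachment"]),
    }


def suspicious_channels(urls, max_age=timedelta(days=7)):
    """
    Group CDN links by channel and return {channel_id: age} for channels whose
    earliest observed upload happened within `max_age` of the channel's creation,
    i.e. channels that look like they were set up only to host a payload.
    """
    by_channel = defaultdict(list)
    for url in urls:
        rec = parse_cdn_url(url)
        if rec:
            by_channel[rec["channel_id"]].append(rec)
    flagged = {}
    for channel_id, recs in by_channel.items():
        created = recs[0]["channel_created"]
        first_upload = min(r["uploaded"] for r in recs)
        if first_upload - created <= max_age:
            flagged[channel_id] = first_upload - created
    return flagged


def _utc(y, mo, d, h=0):
    return datetime(y, mo, d, h, tzinfo=timezone.utc)


# Constructed sample links (IDs generated with make_snowflake, not real attachments):
# a channel created 2021-10-01 that serves a file two and a half days later, a
# long-lived channel from 2019 serving a file in 2021, and a non-Discord URL.
SAMPLE_URLS = [
    f"https://cdn.discordapp.com/attachments/{make_snowflake(_utc(2021, 10, 1))}/"
    f"{make_snowflake(_utc(2021, 10, 3, 15))}/Zoom_Outlook_Plugin.exe",
    f"https://cdn.discordapp.com/attachments/{make_snowflake(_utc(2019, 3, 12))}/"
    f"{make_snowflake(_utc(2021, 10, 5, 9))}/holiday.jpg",
    "https://example.com/not-a-discord-link",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        rec = parse_cdn_url(url)
        if rec:
            print(f"{rec['filename']}: channel created {rec['channel_created']:%Y-%m-%d}, "
                  f"uploaded {rec['uploaded']:%Y-%m-%d %H:%M}")
    print("suspicious:", suspicious_channels(SAMPLE_URLS))
```

Because the timestamp is in the ID itself, this pivot needs no API call and works on links harvested from proxy logs or VirusTotal just as well as on live pages. The creation time is of the channel, not the server, so a fresh channel inside an old, legitimate server will still be flagged and needs a second look.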

About the malware 

RiskIQ detected Discord CDN URLs serving .exe files, DLLs, and a variety of document and archive formats. More than 100 of the associated file hashes were flagged as malicious on VirusTotal.

RiskIQ found more than eighty files from seventeen malware families, with Trojans the most common category on Discord's CDN. For most of the malware it found, RiskIQ observed a single file per channel ID.

According to Microsoft's identification of the files and further research, there are a total of 27 distinct malware families, divided into four types: 
• Backdoors, e.g., AsyncRat 
• Password Stealers, e.g., DarkStealer 
• Spyware, e.g., Raccoon Stealer 
• Trojans, e.g., AgentTesla 

The abuse of Discord's infrastructure highlights the growing problem of CDN abuse by attackers across the web. Internet-wide visibility into malware hosted on CDN infrastructure is key to limiting the damage these convenient delivery channels can do to an organisation.

An Attacker Could Take Advantage of a Flaw in WinRAR to Execute Arbitrary Code

A new security flaw in the WinRAR trialware file archiver for Windows could be exploited by a remote attacker to execute arbitrary code on targeted systems, another reminder that software flaws can serve as the entry point for a wide range of attacks.

The bug, tracked as CVE-2021-35052, affects WinRAR version 5.70 in its trial mode. In a technical write-up, Positive Technologies' Igor Sak-Sakovskiy stated, "This vulnerability allows an attacker to intercept and change requests sent to the user of the application. This can be used to get remote code execution (RCE) on the PC of a victim."

WinRAR offers a free trial before gently nudging users to buy a licence. Windows Explorer cannot open the .rar format the tool is most closely associated with, so WinRAR is popular both with people who work with the format regularly and with those who only ever needed to open a single .rar download.

The investigation began when Sak-Sakovskiy noticed a JavaScript error rendered by MSHTML, the proprietary browser engine of the now-retired Internet Explorer that Office also uses to render web content inside Word, Excel, and PowerPoint documents. Further digging showed that the error window appears roughly once in every three launches once the trial period has expired.

Positive Technologies found that WinRAR fetches the end-of-trial notice from "notifier.rarlab[.]com" and renders the response. An attacker able to intercept and modify that traffic can replace the response with a "301 Moved Permanently" redirect to a domain they control; because the redirect is permanent, it is cached and reused for all subsequent requests, so every later notice is loaded from the attacker's server.
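The defensive lesson is about what a client does with a redirect on a check-in channel it trusts enough to render. The block below is an added example written for this page, not WinRAR's code or Positive Technologies' proof of concept; the notifier URL is a hypothetical stand-in. It shows a redirect policy that refuses to leave the origin the request was made to (and refuses an https-to-http downgrade), wires that policy into a urllib opener so a permanent redirect to another host is never followed and therefore never cached, and includes an offline helper that evaluates a captured status line and headers without touching the network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

NOTIFIER_URL = "https://notifier.example.test/trial"  # hypothetical vendor endpoint


def redirect_allowed(original_url, location):
    """
    Accept a redirect only if it stays on the origin we asked for: same host,
    http(s) scheme, and no downgrade from https to http. A 301 to another host,
    which the attack relies on, is rejected instead of followed and cached.
    Relative Location values are resolved against the original URL first.
    """
    src = urlsplit(original_url)
    dst = urlsplit(urljoin(original_url, location))
    if dst.scheme not in ("http", "https") or not dst.netloc:
        return False
    if src.scheme == "https" and dst.scheme != "https":
        return False
    return dst.netloc.lower() == src.netloc.lower()


class SameOriginRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib redirect handler that enforces redirect_allowed for every 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(req.full_url, newurl):
            raise urllib.error.HTTPError(
                req.full_url, code, f"refusing cross-origin redirect to {newurl}", headers, fp
            )
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    """Opener a trial notifier or updater should use for its vendor check-in."""
    return urllib.request.build_opener(SameOriginRedirectHandler)


def simulate_response(original_url, status, headers):
    """
    Offline stand-in for the client's decision: given the status code and headers
    an intercepting attacker returns, say what a hardened client does with them.
    """
    if status in (301, 302, 303, 307, 308):
        return "follow" if redirect_allowed(original_url, headers.get("Location", "")) else "refuse"
    return "render" if status == 200 else "ignore"


if __name__ == "__main__":
    attacker_reply = (301, {"Location": "https://attacker.example.test/notice.html"})
    print("intercepted 301 ->", simulate_response(NOTIFIER_URL, *attacker_reply))
    print("same-origin 302 ->",
          simulate_response(NOTIFIER_URL, 302, {"Location": "/trial/expired"}))
```

The policy is a mitigation for the redirect-caching step only; the underlying weakness is that an attacker who can tamper with the channel at all gets HTML rendered by the application, so the complete fix is to fetch such content over TLS with certificate validation and to treat the response as data rather than as a page to render.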

A few years ago an almost two-decade-old flaw was found in WinRAR, affecting an older compression format that dates from the 1990s. Positive Technologies itself was sanctioned by the US government earlier this year after the US alleged that the company had passed vulnerabilities to Russian state hackers rather than disclosing them. The company categorically denies the allegations and continues to publish security research.

Application security expert Sean Wright said of the vulnerability, "Remote Code Execution vulnerabilities should always be taken seriously and handled with a sense of urgency, as the risk they pose is significant. Even so, in the case of WinRAR's vulnerable trial, the likelihood of an attacker being able to successfully exploit the vulnerability in question seems fairly limited, as there are a number of conditions and stages that the victim would need to fulfill before the attacker could achieve RCE."

The Russian billionaire urged the Central Bank to develop cryptocurrencies in Russia

Russian billionaire Oleg Deripaska (Forbes estimates his fortune at $5.1 billion; he has been under US sanctions since 2018) has criticized the Central Bank for what he called "infantilely closing its eyes to the growing cryptocurrency market." As an argument he cited the actions of the US Treasury, which, according to him, is investing in the crypto industry.

“The United States has long understood that uncontrolled digital payments can not only negate the effectiveness of the entire mechanism of economic sanctions but also bring down the dollar,” Deripaska said.

The billionaire was referring to the sanctions review issued by the US Treasury. In that document the department states that the growing capabilities of financial technologies, including those based on cryptocurrency and alternative payment systems, pose a serious threat to the dollar.

According to Deripaska, this means that a cryptocurrency market developing outside state control could confront the US Treasury with the prospect of defaulting on $30 trillion of debt, which requires $700 billion to service.

“I wonder if anyone has read this document at the Bank of Russia? Or do they work on the principle of ‘what we don't see doesn't exist’?” he said ironically.

Deripaska has repeatedly criticized the Bank of Russia's policy on digital assets. He has argued, for example, that the regulator should have issued a digital ruble two years ago, because it is "more important than Gagarin's flight into space in 1961."

It is worth noting that bitcoin has set a new all-time high, reaching $67,000, and experts expect the cryptocurrency's growth to continue.

US Scammers Charged in SIM Swapping and Vishing Scam

Twenty-year-old Kyell Bryan of Pennsylvania, one of two conspirators in a SIM-swapping and cryptocurrency theft scheme, has pleaded guilty to aggravated identity theft in federal court in Maryland.

According to the original indictment, Bryan conspired with Jordan K. Milleson to steal more than $16,000 worth of cryptocurrency from a victim whose phone number they SIM swapped in June 2019. Both were active members of the OGUsers trading forum, whose members have used similar phishing attacks against Twitter and other organizations, usually to steal financial credentials.

Later in 2019, investigators obtained leaked OGUsers messages suggesting that Bryan had asked another member for help building a website mimicking T-Mobile's employee login page. Credentials phished with it were used to perform unauthorized SIM swaps, redirecting targets' phone numbers in order to bypass the two-factor authentication meant to protect their accounts. After a successful swap, Bryan directed his partner to transfer cryptocurrency worth $16,847.47 out of the victim's account.

The partnership soured when Bryan and other accomplices suspected Milleson of withholding their share of the proceeds of a cryptocurrency theft. Bryan then called Baltimore County police and falsely reported that he was at Milleson's home with a gun, claiming he had shot his father and threatening to shoot himself.

When officers spoke to a relative of Milleson, the relative told them about an earlier phone call claiming that Milleson had stolen $20,000. In May 2021, Milleson was sentenced to two years in federal prison and ordered to pay $34,329.01 in restitution.

“During the call, Bryan, posing as the purported shooter, threatened to shoot himself and to shoot at police officers if they attempted to confront him. The call was a ‘swatting’ attack, a criminal harassment tactic in which a person places a false call to authorities that will trigger a police or special weapons and tactics (SWAT) team response — thereby causing a life-threatening situation,” reads a statement from the U.S. Attorney’s Office for the District of Maryland. 

Bryan pleaded guilty earlier this week and is due to be sentenced in January 2022; he faces two years in federal prison followed by a year of supervised release. Under his plea agreement, Bryan must also pay $16,847.47 in restitution.

New SmashEx Attack Breaks Intel SGX Enclaves

A recently disclosed vulnerability affecting Intel SGX could let attackers access sensitive data held inside enclaves and potentially execute arbitrary code on affected systems.

The vulnerability (CVE-2021-0186, CVSS score 8.2) was found in early May 2021 by a group of academics from ETH Zurich, the National University of Singapore, and China's National University of Defense Technology, who used it to mount a confidential-data disclosure attack dubbed "SmashEx" that can corrupt and expose private data kept in the enclave.

SGX (Software Guard Extensions), introduced with Intel's Skylake processors, lets developers run selected application modules in an isolated region of memory known as an enclave, a form of Trusted Execution Environment (TEE). It is designed to protect that code and data even from software running at higher privilege levels, such as the operating system: even if the OS has been compromised or is under attack, SGX is meant to keep enclave data safe.

The research stated, "For normal functioning, the SGX design allows the OS to interrupt the enclave execution through configurable hardware exceptions at any point." 

"This feature enables enclave runtimes (e.g., Intel SGX SDK and Microsoft Open Enclave) to support in-enclave exception or signal handling, but it also opens up enclaves to re-entrancy bugs. SmashEx is an attack which exploits enclave SDKs which do not carefully handle re-entrancy in their exceptional handling safely." 

Outside calls (OCALLs) let enclave functions call out into the untrusted application and then return into the enclave. When the enclave also handles in-enclave exceptions (e.g., a timer interrupt or a division by zero), a local attacker who controls the OS can inject an asynchronous exception immediately after the enclave is re-entered, before the OCALL return path has brought the enclave back into a consistent state, and thereby hijack control flow.

With that foothold the attacker can corrupt in-enclave memory, leaking sensitive data such as RSA private keys or executing malicious code. Because SmashEx affects runtimes that support in-enclave exception handling, the researchers note that "such OCALL return flow and the exception handling flow should be written with care to ensure that they interleave safely," and that "when the OCALL return flow is interrupted, the enclave should be in a consistent state for the exception handling flow to progress correctly, and when the exception handling flow completes, the enclave state should also be ready for the enclave to progress correctly."
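The unsafe interleaving is easiest to see in a toy state machine. The block below is an added example written for this page; it is a simplified Python model, not SGX SDK or Open Enclave code, and the addresses, the "RSA private key" contents and the three-step return path are constructed for illustration. On OCALL return the untrusted side hands back a stack pointer, the runtime copies it, validates it against the value it saved when the OCALL was issued, and switches to it; an exception delivered between the copy and the validation makes the first-phase handler write its exception frame at an attacker-chosen enclave address. The hardened variant marks the transition as atomic and parks any exception until the state has been validated, which is the atomicity guarantee the researchers call for.

```python
TRUSTED_STACK = 0x7000   # enclave stack the OCALL was issued from
SECRET_ADDR = 0x9000     # enclave memory holding, in this model, an RSA private key


class EnclaveRuntime:
    """
    Toy model of an enclave runtime's OCALL-return path. Memory is a dict of
    address -> contents; the OS may deliver an asynchronous exception between
    any two steps of the return path. atomic_entry=True models the fix.
    """

    def __init__(self, atomic_entry):
        self.atomic_entry = atomic_entry
        self.memory = {TRUSTED_STACK: "enclave stack frame", SECRET_ADDR: "RSA private key"}
        self.saved_sp = TRUSTED_STACK      # recorded by the enclave when the OCALL was made
        self.cur_sp = None                 # stack pointer the exception handler would use
        self.in_transition = False
        self.deferred = []
        self.log = []

    # --- the three steps of the return path ----------------------------------------
    def _load_context(self, sp_from_untrusted):
        if self.atomic_entry:
            self.in_transition = True      # exceptions are parked until step 3
        self.cur_sp = sp_from_untrusted    # untrusted value, not yet checked

    def _validate_context(self, _):
        if self.cur_sp != self.saved_sp:
            self.log.append(f"rejected sp {self.cur_sp:#x}, restoring trusted stack")
            self.cur_sp = self.saved_sp    # a real runtime would abort the enclave here

    def _switch_stack(self, _):
        self.in_transition = False
        while self.deferred:               # now safe: cur_sp is the validated trusted stack
            self._handle_exception(self.deferred.pop(0))

    # --- exception delivery --------------------------------------------------------
    def deliver_exception(self, kind):
        if self.in_transition:
            self.deferred.append(kind)
            return
        self._handle_exception(kind)

    def _handle_exception(self, kind):
        # The first-phase handler writes an exception frame at the current stack
        # pointer. With an unvalidated cur_sp that is a write to an attacker-chosen
        # enclave address: here it overwrites the secret.
        self.memory[self.cur_sp] = f"exception frame ({kind})"
        self.log.append(f"{kind} handled, frame written at {self.cur_sp:#x}")

    def ocall_return(self, sp_from_untrusted, exception_after_step=None):
        """Run the return path; optionally inject an exception after step 1, 2 or 3.
        Returns what is left at SECRET_ADDR afterwards."""
        steps = (self._load_context, self._validate_context, self._switch_stack)
        for step_no, step in enumerate(steps, 1):
            step(sp_from_untrusted)
            if exception_after_step == step_no:
                self.deliver_exception("timer interrupt")
        return self.memory[SECRET_ADDR]


if __name__ == "__main__":
    for hardened in (False, True):
        rt = EnclaveRuntime(atomic_entry=hardened)
        secret = rt.ocall_return(SECRET_ADDR, exception_after_step=1)
        print("hardened" if hardened else "vulnerable", "->", secret, rt.log)
```

Injecting the exception after step 2 instead of step 1 is harmless even in the vulnerable runtime, which shows that the bug is the width of the window between consuming untrusted state and validating it, not the exception handling itself.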

Intel has since released software updates addressing the vulnerability, namely SGX SDK versions 2.13 for Windows and 2.14 for Linux. Microsoft fixed the corresponding problem (CVE-2021-33767) in Open Enclave SDK version 0.17.1 as part of its July 2021 Patch Tuesday updates. The research team's findings are due to be presented next month at the ACM Conference on Computer and Communications Security.

The researchers stated, "Asynchronous exception handling is a commodity functionality for real-world applications today, which are increasingly utilizing enclaves," and highlighted "the importance of providing atomicity guarantees at the OS-enclave interface for such exceptions."