Dec 12 2022

95.6% of New Malware in 2022 Targeted Windows

Category: Malware,Windows SecurityDISC @ 11:06 am
95.6% of New Malware in 2022 Targeted Windows

Malware attacks are a growing problem in our increasingly digital world. By infiltrating computers and networks, malicious software can cause serious harm to those affected by it.

One of the most common types of malware is ransomware (encryption-based malware), which prevents users from accessing their files until they pay a hefty fee to the cyber attacker. This type of attack has been used to target everything from individuals to large organizations, including government agencies and healthcare providers.

In addition to financial losses, malware attacks can have devastating effects on businesses and individuals. In some cases, sensitive data can be stolen or destroyed as part of an attack. This can lead to identity theft and other forms of fraud, as well as put organizations at risk for long-term damage if confidential information is exposed or compromised.

Research Findings

A recent study by Atlas VPN shows how malware infection is on the rise and the trends in the new malware samples found in the first three quarters of 2022. 

According to researchers, 59.58 million samples of new Windows malware were found in the first three quarters of 2022 and these make up 95.6% of all new malware discovered during that time period. 

This analysis was based on data by AV-TEST GmbH, an independent organization that evaluates and rates antivirus and supplies services in IT Security and Antivirus Research. The study also includes new malware samples detected in the four quarters of 2021 and the first three quarters of 2022. 

Windows, Linux, and Android Malware

Overall, there is a downward trend in the data with the malware samples this year has decreased by 34% as compared to the same period last year. However, the numbers are still exceptionally high.

Following Windows on the list is Linux malware with 1.76 million new malware samples – 2.8% of the total malware threats in 2022. 

Android malware takes third place with the first three quarters of 2022 seeing 938,379 new Android malware threats, constituting 1.5% of the total new malware. 

Lastly, 8,329 samples of never before seen malware threats aimed at macOS were observed in the same period. 

Total Number of Malware

The study also shows that the total number of malware threats found in the first three quarters of 2022 across all operating systems amount to 62.29 million. This is about 228,164 malware threats daily. 

If we make a quarter-by-quarter comparison, the first quarter of 2022 saw the most significant number of malware samples – 22.35 million. However, this number dropped by 4% to 21.49 million in the second quarter of this year. Again, it decreased by another 14% to 18.45 million. 

The numbers continue to plummet into the fourth quarter of the year with 7.62 million new threats found in October and November – nearly 60% less than at the same time last year. 

Protection Against Malware

Malware is a pervasive threat to internet users on both personal and professional networks. It can cause serious damage to computers, networks, and data that can be expensive to fix. Fortunately, there are steps you can take to protect yourself from malware.

The most important step in protecting your network from malware is keeping your anti-malware software up to date. Regularly updating anti-malware programs ensures that they’re able to detect the latest threats and keep them away from your computer or network.

Additionally, be sure not to click on suspicious links or download files from unknown sources as these could contain malicious code that could harm your system.

Another way to stay safe online is by using a secure web browser with built-in security features like pop-up blockers, phishing protection, and ad blockers ((don’t use it on Hackread.com though :0)) for enhanced protection against malicious activities.

95.6% of New Malware in 2022 Targeted Windows

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Tags: Malware, Malware Analysis

Dec 09 2022

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

Category: Hacking,MalwareDISC @ 1:44 pm
Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ThreatFabric’s security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of Windows and Android malware, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

According to ThreatFabric’s blog post, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

What does Zombinder Do?

In the campaign detected by ThreatFabric’s researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded the infected Windows app were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the Ermac malware.

How to Stay Protected?

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

Cyber Deep Web

Tags: Cyber Deep Web, dark net, dark web, Zombinder

Dec 01 2022

The CHRISTMA EXEC network worm – 35 years and counting!

Category: MalwareDISC @ 11:32 am
The CHRISTMA EXEC network worm – 35 years and counting!

Forget Sergeant Pepper and his Lonely Hearts Club Band, who taught the band to play a mere 20 years ago today.

December 2022 sees the 35th anniversary of the first major self-spreading computer virus – the infamous CHRISTMA EXEC worm that temporarily crushed the major mainframe networks of the day…

… not by any deliberately coded side-effects such as file scrambling or data deletion, but simply by leeching too much network bandwidth for its own unauthorised purpose.

As a decoy to disguise the fact that it read in the 1980s IBM equivalents of your email address book (NAMES) and your known-hosts file (NETLOG) in order to find as many new recipients of the malware as possible to send itself to, the malware displayed this:

                *               
                *               
               ***              
              *****             
             *******            
            *********           
          *************                A
             *******            
           ***********                VERY
         ***************        
       *******************           HAPPY
           ***********          
         ***************            CHRISTMAS
       *******************      
     ***********************         AND MY
         ***************        
       *******************         BEST WISHES
     ***********************    
   ***************************     FOR THE NEXT
             ******             
             ******                    YEAR
             ******

If you’re wondering why the virus is widely known as CHRISTMA EXEC, rather than by the full word CHRISTMAS

…that’s because filenames were limited to eight characters, which could be followed by a space and what we would today call an “extension” of EXEC in order to turn them into scripts that could be run directly by the user – executed, in technical jargon.

The virus itself was written in IBM’s powerful text-based scripting language REXX (the resoundingly named Restructured Extended Executor), so a non-programmer looking at the message would probably recognise it as “program code”, and therefore tend to ignore it as unimportant and irrelevant, for all that it might look interesting.

Except that the author of the virus found a cheerful way to embed an instructional lure right into the code itself, which starts with a remark (as in the C language, text between /* and */ in REXX programs is treated as a comment and ignored when the file gets used)…

/*********************/
/*    LET THIS EXEC  */
/*                   */
/*        RUN        */
/*                   */
/*        AND        */
/*                   */
/*       ENJOY       */
/*                   */
/*     YOURSELF!     */
/*********************/

…and then offers the following cheery advice to non-techies:

/*  browsing this file is no fun at all
       just type CHRISTMAS from cms     */

CMS is short for Conversational Monitor System, a command prompt environment on top of IBM’s venerable VM/370 operating system and its many variants, which offered individual users a real-time virtual machine that behaved like a computer all of their own, with its own disk space for storing personal files and programs.

Handily, the user didn’t have to be taught to leave the final -S off the word CHRISTMAS, because CMS would automatically ignore any extra characters and hunt for CHRISTMA EXEC, which was the very script program that the user had just received without expecting it or asking for it.

As stated above, the code did indeed display the Christmas Tree ASCII art – or, more precisely, EBCDIC art, given that IBM famously had its own character encoding system known as Extended Binary Coded Decimal Interchange Code (pronounced ebb-si-dick).

But it also trawled through your NAMES and NETLOG files, which listed other users and computers you regularly contacted, and copied itself to all of them, so that for every user who innocently typed CHRISTMAS at the command prompt…

…a sea of copies of the virus (20? 50? 200?) would be distributed, potentially worldwide, and if any of those recipients (20? 50? 200?) innocently typed CHRISTMAS at the command prompt…

…a sea of copies of the virus would be distributed, and so on, and so on.

Shades of the future

As we said in this week’s podcast, where we discussed this seminal worm:

[This is j]ust like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It’s much easier that way.”

35 years ago, malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.

Detection of Network Worm to Eliminate Security Threats in MANET: Wormhole Attack and its Challenges

Tags: CHRISTMA EXEC network worm

Nov 21 2022

Chinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

Category: Hacking,Malware,PhishingDISC @ 11:13 am
Chinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

An extensive phishing campaign targeting businesses in numerous upright markets, including retail, was discovered by Cyjax recently in which the attackers exploited the reputation…

China’s Playbook – new Art of War

War Without Rules: China's Playbook for Global Domination

Tags: Art of war, China's Playbook, Chinese hackers

Nov 16 2022

Massive Black Hat Malware Infect 2500 Websites By Injecting Malicious JavaScript

Category: MalwareDISC @ 10:17 am
Massive Black Hat Malware Infect 2500 Websites By Injecting Malicious JavaScript

Recently, the cybersecurity researchers of Sucuri have found that threat actors are conducting a tremendous massive black hat search engine optimization (SEO) campaign. 

However, nearly 15,000 websites redirected visitors to participate in fake Q&A discussion forums in this campaign. Over the course of September and October, the SiteCheck scanner of Sucuri detected over 2,500 redirects to other sites.

Not only this, but the experts have also stated that each and every compromised site contains nearly 20,000 files. All these files were being used as a part of the malicious campaign, which was being carried out by the threat actors, and most of the sites were WordPress.

Malicious ois[.]is Redirects

According to the securi report, After detecting the malware, the experts conducted a brief survey and found that some of the website’s malware infections generally limit themselves to a smaller number of files.

Not only this, but they also limit their footprint so that they can avoid detection and carry out their operations properly. 

A website infected with this malware will, on average, have over 100 files infected; that’s why this malware is completely different from others.

Common Infected Files

This malware is most commonly found infecting core files of WordPress, and it has also been found to infect “.php” files that were created by unrelated malware campaigns.

The following is a list of the top 10 most commonly infected files:-

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Domains Targeted

Tags: Malicious JavaScript

Nov 15 2022

Hackers Hiding Malware Behind The PNG Images Using Steganography

Category: Hacking,MalwareDISC @ 10:03 am
Hackers Hiding Malware Behind The PNG Images Using Steganography 

The Worok threat infects victims’ computers with information-stealing malware by concealing malware within PNG images with the help of the Steganography technique, which makes it very difficult to detect by malware scanners.

The finding has substantiated one of the most crucial links in the chain of infection of the threat actor as claimed by the experts at Avast. These malicious PNG images are used by threat actors to conceal a payload that facilitates information theft under the guise of being an image.

In the past couple of months, ESET has been revealing details of attacks that Worok has been launching against several high-profile companies and local government agencies in the following regions:-

  • Middle East
  • Southeast Asia
  • South Africa

There are tactical overlaps between Worok and a Chinese threat actor known as TA428 that is believed to be sharing similar tactics.

Compromise Chain

Steganography is a technique that hides scripts within PNG images, such as the compromise series of Worok, which utilizes a C++-based loader which is known as “CLRLoad.”

As of right now, we do not know what vector was used in the initial attack. As part of certain intrusions, the malware was also deployed on Microsoft Exchange Server by exploiting the ProxyShell vulnerability.

A custom malicious kit was then deployed by the attackers using publicly available exploit tools that were available for free. Therefore, the final compromise chain can be summarized as follows:- 

First, CLRLoader is implemented, where simple code is implemented to load the PNGLoader, which is the second stage in the process.

In order to decode the malicious code possessed within the image, the PNGLoad comes in two different variants. While doing so, they launch either the following payloads:-

  • PowerShell script 
  • .NET C#-based

It has been difficult for PowerShell to find the script and they have recently discovered a new malware called DropboxControl, which is spyware that steals information from the system. Provide the threat actor with the ability to upload, download, and run commands contained in specific files.

Malware in PNG Files

When a viewer of an image is opened to view the steganographic code within it, it appears as if the image file is normal.

An image was encoded in a way that allows malicious code to be embedded in the least significant bits of each pixel in the image using a technique known as “least significant bit” (LSB) encoding.

No matter how the third-stage implant is deployed, it is clear that Worok has intelligence-gathering objectives that go beyond simply harvesting files of interest.

Worok attacks have been prompted by tools that are not circulating in the wild. Therefore, it’s likely that these tools are used by the group themselves exclusively to conduct attacks.

Indicators of Compromise

PNG file with steganographically embedded C# payload

29A195C5FF1759C010F697DC8F8876541651A77A7B5867F4E160FD8620415977
9E1C5FF23CD1B192235F79990D54E6F72ADBFE29D20797BA7A44A12C72D33B86
AF2907FC02028AC84B1AF8E65367502B5D9AF665AE32405C3311E5597C9C2774

DropBoxControl

1413090EAA0C2DAFA33C291EEB973A83DEB5CBD07D466AFAF5A7AD943197D726

Codes, Ciphers, Steganography & Secret Messages

Tags: Steganography

Nov 14 2022

Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

Category: Information Security,MalwareDISC @ 11:36 pm

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.

Little Red Flying Fox Bat (Pteropus scapulatus) in flight during the day

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.

https://www.darkreading.com/attacks-breaches/researchers-alarm-batloader-malware-dropper

Tags: Malware

Nov 10 2022

Malicious Chrome Plugin Let Remote Attacker Steal keystroke and Inject Malicious Code

Category: Malware,Web SecurityDISC @ 11:38 am
Malicious Chrome Plugin Let Remote Attacker Steal keystroke and Inject Malicious Code

Researchers at Zimperium zLabs recently identified a new Chrome browser botnet called ‘Cloud9’ that is intent on stealing the following information using malicious extensions:-

  • Online accounts credentials
  • Log keystrokes
  • Inject ads
  • Inject malicious JS code
  • Enroll the victim’s browser in DDoS attacks

This method is becoming increasingly attractive for malware developers to target web browsers as they contain the most valuable information about a user.

In the course of everyday activities, we can find out a lot about ourselves through our keystrokes or session cookies. A breach of security or a violation of privacy can be caused by having access to such information.

Cloud9 botnet is a RAT that affects all Chromium-based web browsers, which are popular among consumers like Chrome and Microsoft Edge. Moreover, threat actors could exploit this RAT to remotely execute arbitrary commands.

Technical Analysis

The official Chrome web store doesn’t host this malicious Chrome extension, so it cannot be downloaded from there. 

The distribution channel of this malware relies on communities that are operated by threat actors, wherein the malware will be hidden by users of the tool before it gets delivered to the victims by the tool itself.

In terms of the Javascript files that make up the extension, there are only three. While the primary functionality of the extension can be located in a file called “campaign.js” which contains most of its functionality.

According to the report, During the initialization of campaign.js, the window.navigator API is used to identify the system’s operating system. Once the target has been identified, a Javascript file is injected into the victim’s computer system as a method to mine cryptocurrency using the resources of the victim’s computer system.

Next, for further proceedings, it injects another script known as cthulhu.js which comprises a full-chain exploit for the following flaws:-

  • CVE-2019-11708 (Firefox)
  • CVE-2019-9810 (Firefox)
  • CVE-2014-6332 (Internet Explorer)
  • CVE-2016-0189 (Internet Explorer)
  • CVE-2016-7200 (Edge)

As soon as the vulnerabilities are exploited, Windows malware is automatically installed on the host machine and executed. This gives attackers even more opportunities to compromise systems and carry out even more severe malware attacks.

While one of the sophisticated inclusion of this malware is “Clipper,” a module that keeps scanning the clipboard of the system for copied data like:-

  • Passwords
  • Credit cards details

In addition to injecting ads into webpages silently, Cloud9 is also capable of generating revenue for its operators by generating ad impressions.

Cloud9 Botnet Functionalities

<strong>Malicious Chrome Plugin Let Remote Attacker Steal keystroke and Inject Malicious Code</strong>

Tags: Malicious Chrome Plugin

Oct 31 2022

Active Raspberry Robin Worm Launch a ‘Hands-on-Keyboard’ Attacks To Hack Entire Networks

Category: MalwareDISC @ 12:47 pm
Active Raspberry Robin Worm Launch a ‘Hands-on-Keyboard’ Attacks To Hack Entire Networks

During recent research, Microsoft has discovered evidence of a complex interconnected malware ecosystem that is associated with the Raspberry Robin worm.

With other malware families, there are several root links to the Raspberry Robin worm were identified. Even security experts have detected that it uses alternate infection tactics as well.

Infections like these lead to a variety of complications and here below we have listed them:- 

  • Hands-on-keyboard attacks: When attackers are already inside your environment following a breach, a hands-on keyboard attack will occur. It is a two-sided operation; on one end it’s the cybercriminal who sits at a keyboard, while on the other side it’s your compromised network that is being accessed.
  • Human-operated ransomware activity: It occurs when cybercriminals are involved in an active attack on a victim. Using this approach, an organization’s on-premises infrastructure is penetrated, privileges are elevated, and ransomware is deployed by the threat actors.

Compromised 1,000 Organizations

In the past 30 days, on more than 1000 organizations’ 3000 devices, the Raspberry Robin worm has initiated payload alerts. There have been instances where the Raspberry Robin worm has been installed on the victims’ systems with malware called FakeUpdates.

Raspberry Worm is also known as QNAP Worm, as for command-and-control, it uses the compromised QNAP storage servers. Through infected USB drives containing malicious. LNK files, Raspberry Robin spreads to other devices.

The worm will spawn a msiexec process using cmd[.]exe as soon as a USB device is attached.

In order to communicate with its C2 servers, the malware communicates with compromised Windows devices.

Raspberry Robin’s Connection

Microsoft Security Threat Intelligence Center (MSTIC) observed Raspberry Robin in October 2022, and it’s being used by DEV-0950, which is another actor who was also involved in the post-compromise activity.

As a result of the DEV-0950 activity, the Cobalt Strike was compromised through hands-on keyboard activity. The majority of the victims of DEV-0950 are traditionally acquired via phishing scams.

However, the operators of DEV-0950 have moved to use Raspberry Robin instead of the traditional method. The advantage of this approach is that the payloads can be delivered to existing infections and the campaigns can move to the stage of ransomware more quickly.

Mitigations

To mitigate the impact of this threat, it is also possible for defenders to apply the following mitigation measures:-

  • When mounting the drive, prevent autorun from being used and code from being executed.
  • Make sure the tamper protection setting is enabled in order to protect Microsoft Defender Antivirus from being interrupted by attacks.
  • It is very important to turn on cloud-delivered protection for Microsoft Defender Antivirus or your antivirus software counterpart if it supports the feature.
  • The USB port should be blocked from running untrusted or unsigned processes.
  • Scripts that may be obfuscated should be blocked from being executed.
  • It is imperative to block executable files from running unless they fulfill all the trusted criteria.
  • The local security authority subsystem of Windows should be protected against credential theft.

Tags: Active Raspberry Robin Worm, Malware

Sep 26 2022

Chromeloader Malware Drops Malicious Browser Extensions to Track User’s Online Activity

Category: MalwareDISC @ 12:11 pm
Chromeloader Malware Drops Malicious Browser Extensions to Track User’s Online Activity

An ongoing, widespread Chromeloader malware campaign has been warned by Microsoft and VMware. It has been identified that this malicious campaign is dropping node-WebKit malware and ransomware, as well as dangerous browser extensions.

ChromeLoader was observed in the wild for the first time in January 2022 for Windows users and in March 2022 for Mac users by the VMware Carbon Black Managed Detection and Response (MDR) team.

The ChromeLoader is one of the most widespread and persistent malware programs on the web. A surge in Chromeloader infections occurred in Q1 2022, with the cybersecurity researchers from Red Canary theorizing the malware was used by affiliate marketers and advertisers to defraud them of their money.

To perform click fraud and earn money for the threat actors, the malware infects Chrome with a malicious extension in order to redirect user traffic to advertising websites.

Technical Analysis

The malicious campaign that caused this problem was traced back to a threat actor tracked as DEV-0796 that infected victims with several different types of malware by using Chromeloader.

In addition to ChromeLoader, there are several variants of the program such as ChromeBack and Choziosi Loader which are known.

The malware called ChromeLoader is delivered in the form of ISO files that may be downloaded from any of the following sources:-

  • Malicious ads
  • Browser redirects
  • YouTube video comments

After Microsoft began blocking Office macros by default, ISO files have become one of the most popular methods of distributing malware.

Additionally, Windows 10 and later automatically mount ISO files as CDROMs when double-clicking them. By doing so, they provide an efficient method for disseminating multiple malware files simultaneously.

There are four files that are commonly included in ChromeLoader ISOs:-

  • A ZIP archive containing the malware
  • An ICON file
  • A batch file (commonly named Resources.bat) 

A batch file is then created, which launches a batch program, and is installed along with the malware.

Chromeloader Malware Drops Malicious Browser Extensions to Track User’s Online Activity

Tags: Chromeloader

Aug 30 2022

Three campaigns delivering multiple malware, including ModernLoader and XMRig miner

Category: MalwareDISC @ 8:27 am

Researchers spotted three campaigns delivering multiple malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners

Three campaigns delivering multiple malware, including ModernLoader and XMRig miner

Cisco Talos researchers observed three separate, but related, campaigns between March and June 2022 that were delivering multiple malware, including the ModernLoader bot (aka Avatar bot), RedLine info-stealer and cryptocurrency miners to victims.

ModernLoader is a .NET remote access trojan that supports multiple features, including the capability of gathering system information, executing arbitrary commands, or downloading and running a file from the C2 server.

ModernLoader

Threat actors use PowerShell, .NET assemblies, and HTA and VBS files to perform lateral movements across a targeted network and eventually drop other pieces of malware, such as the SystemBC trojan and DCRAT. The attackers’ use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.

The attack chain starts with an HTML Application (HTA) file that runs a PowerShell script hosted on the C2 server which executes the next stage of the loading process.

“The next stage is the PowerShell loader. The loader contains embedded code of three modules, which are loaded using reflection as additional .NET assemblies into the PowerShell process space. The downloaded PowerShell code also downloads and runs auxiliary modules and payloads.” reads the analysis published by Cisco Talos. “There are usually three modules in this loader format. The first disables AMSI scanning functionality, the second is the final payload, and the last injects the payload into the process space of a newly created process, usually RegSvcs.exe.”

The final payload appears to be a ModernLoader remote access trojan (RAT) and the XMRig miner. Talos reported that the March campaigns targeted users in Eastern Europe, including Bulgaria, Poland, Hungary, and Russia.

The threat actors behind the campaigns are likely Russian-speaking actors, that are experimenting with different technologies. Experts speculate that the usage of ready-made tools demonstrates that despite the actors understanding the TTPs required for a successful malware campaign, they haven’t the technical skills to develop their own arsenal.

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

The attackers also compromised vulnerable web applications to change their configuration to use malicious PHP scripts to deliver malware to their users.

The attackers attempted to compromise WordPress and CPanel installs to distribute the malware using files masquerades as fake Amazon gift cards.

“The actor is frequently using open-source components and code generators to achieve its goals. A number of remote access tools, stealers and cryptominers are used in the campaigns to eventually reap financial benefits for the actor. The actor has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” concludes the report. “Despite all the techniques and tactics used we estimate that the success of these campaigns is limited.”

Malware Analysis

Tags: ModernLoader, XMRig miner

Aug 26 2022

7 open-source malware analysis tools you should try out

Category: MalwareDISC @ 8:39 am

There are two main types of malware analysis: static and dynamic.

7 open-source malware analysis tools you should try out

Performing static analysis of a malicious binary means concentrating on analyizing its code without executing it. This type of analysis may reveal to malware analysts not only what the malware does, but also its developer’s future intentions (e.g., currently unfinished functionalities).

Dynamic analysis looks at the behavior of the malware when it’s run – usually in a virtual sandbox. This type of analysis should reveal the malware’s behavor and any detection evasion techniques it uses.

Malware analysis benefits security analysts by allowing them to, among other things:

  • Identify hidden indicators of compromise (IOCs).
  • Boost the effectiveness of IOC notifications and warnings.
  • Triage incidents according to severity.

All the malware analysis tools listed below can be freely downloaded and used.

capa: Automatically identify malware capabilities

malware analysis tools

capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

FLARE Obfuscated String Solver

malware analysis tools

The FLARE Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.

Ghidra Software Reverse Engineering Framework

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.

Malcom: Malware Communication Analyzer

Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.

Mobile Security Framework (MobSF)

MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.

Pafish: Testing tool

Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do. The project is free and open source; the code of all the anti-analysis techniques is publicly available.

Radare2: The Libre Unix-like reverse engineering framework

The radare project started as a simple command-line hexadecimal editor focused on forensics. Today, Radare2 is a featureful low-level command-line tool with support for scripting. It can edit files on local hard drives, view kernel memory, and debug programs locally or via a remote gdb server. Radare2’s wide architecture support allows you to analyze, emulate, debug, modify, and disassemble any binary.

theZoo: A live malware repository

theZoo is a repository of live malware. The project was created to offer a fast and easy way of retrieving malware samples and source code in an organized fashion in hopes of promoting malware research.

malware analysis tools

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Tags: malware analysis tools, open-source malware analysis tools

Aug 24 2022

Disk wiping malware knows no borders

Category: MalwareDISC @ 9:02 am
Disk wiping malware knows no borders

Fortinet announced the latest semiannual FortiGuard Labs Global Threat Landscape Report which revealed that ransomware threat continues to adapt with more variants enabled by Ransomware-as-a-Service (RaaS).

Additional highlights of the report:

  • Work-from-anywhere (WFA) endpoints remain targets for cyber adversaries to gain access to corporate networks.
  • Operational technology (OT) and information technology (IT) environments are both attractive targets as cyber adversaries search for opportunities in the growing attack surface and IT/OT convergence.
  • Destructive threat trends continue to evolve, as evidenced by the spread of wiper malware as part of adversary toolkits.
  • Cyber adversaries are embracing more reconnaissance and defense evasion techniques to increase precision and destructive weaponization across the cyber-attack chain.

Derek Manky, Chief Security Strategist & VP Global Threat Intelligence at Fortinet, said: “Cyber adversaries are advancing their playbooks to thwart defense and scale their criminal affiliate networks. They are using aggressive execution strategies such as extortion or wiping data as well as focusing on reconnaissance tactics pre-attack to ensure better return on threat investment.

“To combat advanced and sophisticated attacks, organizations need integrated security solutions that can ingest real-time threat intelligence, detect threat patterns, and correlate massive amounts of data to detect anomalies and automatically initiate a coordinated response across hybrid networks.”

Ransomware threat growth and new variants show evolution of crime ecosystems

Tags: Disk wiping malware

Aug 22 2022

Escanor Malware delivered in Weaponized Microsoft Office Documents

Category: MalwareDISC @ 8:31 am
Escanor Malware delivered in Weaponized Microsoft Office Documents

Researchers spotted a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor

Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, identified a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of RAT, along with HVNC module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.

The tool has been released for sale on January 26th this year initially as a compact HVNC implant allowing to set up a silent remote connection to the victim’s computer, and later transformed into a full-scale commercial RAT with a rich feature-set. Escanor has built a credible reputation in Dark Web, and attracted over 28,000 subscribers on the Telegram channel. In the past, the actor with exactly the same moniker released ‘cracked’ versions of other Dark Web tools, including Venom RAT, 888 RAT and Pandora HVNC which were likely used to enrich further functionality of Escanor.    

Escanor Malware

The mobile version of Escanor (also known as “Esca RAT”) is actively used by cybercriminals to attack online-banking customers by interception of OTP codes. The tool can be used to collect GPS coordinates of the victim, monitor key strokes, activate hidden cameras, and browse files on the remote mobile devices to steal data.

Fraudsters monitor the location of the victim, and leverage Esca RAT to steal credentials to online-banking platforms and perform unauthorized access to compromised account from the same device and IP – in such case fraud prevention teams are not able to detect it and react timely” – said Ali Saifeldin, a malware analyst with Resecurity, Inc. who investigated several recent online-banking theft cases.  

The majority of samples detected recently have been delivered using Escanor Exploit Builder. The actors are using decoy documents imitating invoices and notifications from popular online-services.

Notably, the domain name ‘

escanor.live
’ has been previously identified in connection to AridViper (APT-C-23 / GnatSpy) infrastructure. APT-C-23 as a group was active within the Middle Eastern region, known in particular to target Israeli military assets. After the report has been released by Qihoo 360, the Escanor RAT actor has released a video detailing how the tool may be used to bypass AV detection.

The majority of victims infected by Escanor have been identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore with some infections in South-East Asia. 

The original post with additional details is available on the ReSecurity website:

https://resecurity.com/blog/article/escanor-malware-delivered-in-weaponized-microsoft-office-documents

Tags: Weaponized Microsoft Office Documents

Aug 10 2022

Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Category: Malware,Zero dayDISC @ 12:28 pm
Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Microsoft has published a fix for a zero-day bug discovered in 2019 that it originally did not consider a vulnerability.

The tech giant patched CVE-2022-34713 – informally known as “DogWalk” – on Tuesday, noting in its advisory that it has already been exploited.

According to Microsoft, exploitation of the vulnerability requires that a user open a specially-crafted file delivered through a phishing email or web-based attack.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability,” Microsoft explained. “An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”

Later in the advisory, Microsoft said the type of exploit needed is called an “Arbitrary Code Execution,” or ACE, noting that the attacker would need to convince a victim through social engineering to download and open a specially-crafted file from a website which leads to a local attack on their computer. 

A three-year wait

The bug was originally reported to Microsoft by security researcher Imre Rad on December 22, 2019. Even though a case was opened one day later, Rad said in a blog post that Microsoft eventually declined to fix the issue six months later. 

Microsoft initially told Rad that to make use of the attack he described, an attacker would need “to create what amounts to a virus, convince a user to download the virus, and then run it.” The company added that “as written this wouldn’t be considered a vulnerability.” 

“No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already,” Microsoft told Rad. 

But in June, as security researchers dug into the “Follina” vulnerability, cybersecurity expert j00sean took to Twitter to resurface the issue and spotlight it again.  

Rad noted that on August 4, Microsoft contacted him and said they “reassessed the issue” and “determined that this issue meets our criteria for servicing with a security update” tagging it as CVE-2022–34713.

Microsoft said in its advisory that, like Follina, this is yet another vulnerability centered around Microsoft Support Diagnostic Tool (MSDT)

“Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft said this week. 

Microsoft acknowledged but did not respond to requests for comment about why their assessment of the issue changed after three years, but Microsoft security research and engineering lead Johnathan Norman took to Twitter to thank Rad and j00sean for highlighting the issue.

“We finally fixed the #DogWalk vulnerability. Sadly this remained an issue for far too long. thanks to everyone who yelled at us to fix it,” he said. 

Coalfire vice president Andrew Barratt said he has not seen the vulnerability exploited in the wild yet but said it would “be easily delivered using a phishing/rogue link campaign.”

When exploited, the vulnerability places some malware that automatically starts the next time the user reboots/logs into their Windows PC, Barratt explained, noting that while it is not a trivial point-and-click exploit and requires an attachment to be used in an email, it can be delivered via other fileservers – making it an interesting tactic for an insider to leverage.

“The vast majority of these attachments are blocked by Outlook, but various researchers point out that other email clients could see the attachment and launch the Windows troubleshooting tool (which it leverages as part of the exploit),” Barratt said. “The challenge for a lot of anti-malware is that the file leveraged doesn’t look like a traditional piece of malware, but could be leveraged to pull more sophisticated malware on to a target system. It’s an interesting technique but not one that is going to affect the masses. I’d expect this to be leveraged more by someone meeting the profile of an insider threat.”

Bharat Jogi, director of vulnerability and threat research at Qualys, added that Microsoft likely changed its tune related to CVE-2022–34713 because today’s bad actors are growing more sophisticated and creative in their exploits.

Jogi noted that Follina has been recently used by threat actors — like China-linked APT TA413 — in phishing campaigns that have targeted local U.S. and European government personnel, as well as a major Australian telecommunications provider

Source: Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Countdown to Zero Day

Tags: Countdown to Zero Day, DogWalk zero-day

Aug 04 2022

GitHub blighted by “researcher” who created thousands of malicious projects

Category: App Security,MalwareDISC @ 10:46 am
GitHub blighted by “researcher” who created thousands of malicious projects

Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.

This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.

These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science.

Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

A month after that, we wrote about a PhD student (who should have known better) and their supervisor (who is apparently an Assistant Professor of Computer Science at a US university, and very definitely should have known better) who went out of their way to introduce numerous apparently legitimate but not-strictly-needed patches into the Linux kernel.

They called these patches hypocrite commits, and the idea was to show that two peculiar patches submitted at different times could, in theory, be combined later on to introduce a security hole, effectively each contributing a sort of “half-vulnerability” that wouldn’t be spotted as a bug on its own.

Linux team in public bust-up over fake “patches” to introduce bugs

As you can imagine, the Linux kernel team did not take kindly to being experimented on in this way without permission, not least because they were faced with cleaning up the mess:

Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university…

GitHub splattered with hostile code

Accelerate DevOps with GitHub: Enhance Software Delivery Performance with GitHub Issues, Projects, Actions, and Advanced Security

Tags: DevOps, DevSecOps, malicious projects

Aug 02 2022

Gootkit AaaS malware is still active and uses updated tactics

Category: MalwareDISC @ 8:47 am
Gootkit AaaS malware is still active and uses updated tactics

Gootkit access-as-a-service (AaaS) malware is back with tactics and fileless delivery of Cobalt Strike beacons.

Gootkit runs on an access-a-as-a-service model, it is used by different groups to drop additional malicious payloads on the compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as the SunCrypt, and REvil (Sodinokibi) ransomware, Kronos trojans, and Cobalt Strike.

In the past, Gootkit distributed malware masquerading as freeware installers, now it uses legal documents to trick users into downloading these files. 

The attack chain starts with a user searching for specific information in a search engine. Attackers use black SEO technique to display a website compromised by Gootkit operators among the results.

Upon visiting the website, the victim will notice that it is presented as an online forum directly answering his query. This forum hosted a ZIP archive that contains the malicious .js file, which is used to establish persistence and drop a Cobalt Strike binary in the memory of the infected system.

“When the user downloaded and opened this file, it spawned an obfuscated script which, through registry stuffing, installed a chunk of encrypted codes in the registry and added scheduled tasks for persistence. The encrypted code in the registry was then reflectively loaded through PowerShell to reconstruct a Cobalt Strike binary that runs directly in the memory filelessly.” reads the analysis published by Trend Micro. “Much of what we have just described is still in line with the behavior we reported in 2020, but with a few minor updates. This indicates that Gootkit Loader is still actively being developed and has proved successful in compromising unsuspecting victims.”

Experts pointed out that encrypted registries now use custom text replacement algorithm instead of base64 encoding.

gootkit malware

The Cobalt Strike binary loaded directly to the memory of the victim’s system has been observed connecting to the IP address 89[.]238[.]185[.]13, which is a Cobalt Strike C2. 

“One key takeaway from this case is that Gootkit is still active and improving its techniques. This implies that this operation has proven effective, as other threat actors seem to continue using it. Users are likely to encounter Gootkit in other campaigns in the future, and it is likely that it will use new means of trapping victims.” concludes the report. “This threat also shows that SEO poisoning remains an effective tactic in luring unsuspecting users. The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard. Such tactics highlight the importance of user awareness and the responsibility of website owners in keeping their cyberspaces safe.” 

Tags: Gootkit AaaS

Aug 01 2022

Threat Actors Circumvent Microsoft Efforts to Block Macros

Category: Cyber Threats,MalwareDISC @ 8:50 am
Threat Actors Circumvent Microsoft Efforts to Block Macros

Microsoft’s announcement that it would block macros in Microsoft Office apps by default didn’t stop threat actors—they have simply resorted to new tricks.

“Threat actors across the landscape responded by shifting away from macro-based threats,” Proofpoint researchers noted in a blog post. In fact, an analysis of campaign data, “which include threats manually analyzed and contextualized,” showed the use of VBA and XL4 Macros ticked down 66% or so between October 2021 and June 2022.

“While Proofpoint observed a notable increase in other attachment types, macro-enabled documents are still used across the threat landscape,” the researchers wrote, explaining that the tactics, techniques and procedures (TTPs) have changed, with miscreants turning to use of container files—like ISO and RAR—and Windows Shortcut files to pass malware along, according to Proofpoint research.

Threat actors have long used VBA macros “to automatically run malicious content when a user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application, but can also be weaponized by threat actors,” researchers pointed out. “Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.”

Microsoft took steps to block VBA macros by keying on a Mark of the Web (MOTW) attribute called the Zone.Identifier that shows whether a file comes from the internet and is added by Microsoft apps to some documents downloaded from the web. But bad actors can bypass MOTW by using container file formats.

By using container file formats like ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) files to send macro-enabled documents, “ … the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” researchers noted. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.”

They also can distribute payloads directly using container files so that when they’re opened they can contain “additional content such as LNKs, DLLs or executable (.exe) files that lead to the installation of a malicious payload.”

“The change to block macros by default is a very good thing; has been suggested for years and it’s good Microsoft is finally doing it,” said Rob Jenks, SVP strategy and business at Tanium. He explained that “as with all security techniques, it’s not a silver bullet and attackers inevitably move on to the next attack pathway(s)—so the findings aren’t surprising.”

But “regarding the new attacks, there are other restrictions on not trusting zip content, so these other mechanisms throw more consent dialogs into the user’s face, potentially making a phishing attack less reliable,” Jenks said.

Proofpoint researchers have not only noted a two-thirds decrease in macro-enabled documents leveraged as attachments in email-based threats, but they observed “the number of campaigns leveraging container files including ISO and RAR, and Windows Shortcut (LNK) attachments increased nearly 175%,” researchers said.

“They attribute the increase in part to the uptick in use of ISO and LNK files in campaigns. Cybercriminal threat actors are increasingly adopting these as initial access mechanisms, such as actors distributing Bumblebee malware,” they said. “The use of ISO files increased over 150% between October 2021 and June 2022. More than half of the 15 tracked threat actors that used ISO files in this time began using them in campaigns after January 2022.”

Most notably, LNK files have emerged as a go-to for threat actors—at least 10 of them have begun using LNK files since February.  In fact, the number of campaigns containing LNK files exploded an incredible 1,675% since October 2021.

While fewer campaigns are using XL4 macros, Proofpoint did see a spike in macro use in March 2022, which researchers attributed to an uptick in campaigns with higher volumes of messages conducted by the TA542 actor delivering Emotet. “Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros,” the researcher wrote. “Emotet activity subsequently dropped off in April and it began using additional delivery methods including Excel Add-In (XLL) files and zipped LNK attachments in subsequent campaigns.”

The adoption of ISO and other container file formats is driving the pivot away from macro-enabled documents to different file types that can bypass the macro-blocking protections offered by Microsoft. “Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft and ransomware,” said Proofpoint researchers, who called the change “one of the largest email threat landscape shifts in recent history.”

Proofpoint has also observed a slight increase in threat actors using HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022, but the overall number remains low. Proofpoint researchers also observed threat actors increasingly adopt HTML smuggling, a technique used to “smuggle” an encoded malicious file within a specially crafted HTML attachment or web page.

Microsoft Koverse data protection impact assessment DPIA Dell AWS data protection cybersecurity

Tags: Block Macros, Threat actors

May 20 2022

Google OAuth client library flaw allowed to deploy of malicious payloads

Category: MalwareDISC @ 12:17 pm
Google OAuth client library flaw allowed to deploy of malicious payloads

Google addressed a high-severity flaw in its OAuth client library for Java that could allow attackers with a compromised token to deploy malicious payloads.

Google addressed a high-severity authentication bypass flaw in Google OAuth Client Library for Java, tracked as CVE-2021-22573 (CVS Score 8.7), that could be exploited by an attacker with a compromised token to deploy malicious payloads.

The Google OAuth Client Library for Java is designed to work with any OAuth service on the web, not just with Google APIs. The library is built on the Google HTTP Client Library for Java, and it supports Java 7 (or higher) standard (SE) and enterprise (EE), Android 4.0 (or higher), and Google App Engine.

The root cause of the issue is that the IDToken verifier does not verify if the token is properly signed. This means that an attacker can serve a malicious payload that doesn’t come from a trusted provider

“The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token’s payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload.” reads the description published by NIST. “The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above”

The vulnerability was reported by the security researcher Tamjid Al Rahat on March 12, the issue was awarded $5,000 as part of the company bug bounty program. Google addressed the issue with the release of the version 1.33.3 in April.

Users of the Google OAuth Client Library for Java are recommended to upgrade to version 1.33.3 or later.

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Google OAuth

May 18 2022

Microsoft warns of the rise of cryware targeting hot wallets

Category: Crypto,MalwareDISC @ 8:58 am
Microsoft warns of the rise of cryware targeting hot wallets

Microsoft researchers warn of the rising threat of cryware targeting non-custodial cryptocurrency wallets, also known as hot wallets.

Microsoft warns of the rise of cryware, malicious software used to steal info an dfunds from non-custodial cryptocurrency wallets, also known as hot wallets. Data stolen from this kind of malware includes private keys, seed phrases, and wallet addresses, that could be used by threat actors to initiate fraudulent transactions.

“Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.” reads the post published by Microsoft.

The experts pointed out that the theft of cryptocurrency is irreversible, unlike credit cards and other financial transactions there is no mechanism to reverse fraudulent transactions.

This cryware is automating the scanning process for hot wallet data exposed online.

The increasing popularity of cryptocurrency is attracting cybercrime that is using different means to target the cryptocurrency industry. Below is a list of threats that are currently leveraging cryptocurrency:

  • Cryptojackers. One of the threat types that surfaced and thrived since the introduction of cryptocurrency, cryptojackers are mining malware that hijacks and consumes a target’s device resources for the former’s gain and without the latter’s knowledge or consent. Based on our threat data, we saw millions of cryptojacker encounters in the last year.
  • Ransomware. Some threat actors prefer cryptocurrency for ransom payments because it provides transaction anonymity, thus reducing the chances of being discovered.
  • Password and info stealers. Apart from sign-in credentials, system information, and keystrokes, many info stealers are now adding hot wallet data to the list of information they search for and exfiltrate.
  • ClipBanker trojans. Another type of info stealer, this malware checks the user’s clipboard and steals banking information or other sensitive data a user copies. ClipBanker trojans are also now expanding their monitoring to include cryptocurrency addresses.
cryware

Microsoft described the techniques used by crooks to steal hot wallet data, including clipping and switching, memory dumping, wallet file theft, phishing sites and fake applications, and keylogging.

Experts also warn of scams and other social engineering attacks that cybercriminals use to trick victims into sending funds to the attackers’ wallets.

Microsoft recommends users and organizations lock hot wallets when not actively trading, disconnect sites connected to the wallet, never store private keys in plaintext, ensure that browser sessions are terminated after every transaction, enable MFA for wallet authentication, double-check hot wallet transactions and approvals, use hardware wallets to store private keys offline.

Blockchain Security from the Bottom Up: Securing and Preventing Attacks on Cryptocurrencies, Decentralized Applications, NFTs, and Smart Contracts

The secret CIA Bitcoin project that became a trillion-dollar Trojan horse

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: cryware

« Previous PageNext Page »