The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Advanced Persistent Threat

Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems

Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems

April 07, 2022Ravie Lakshmanan
Cybersecurity researchers have detailed a "simple but efficient" persistence mechanism adopted by a relatively nascent malware loader called Colibri , which has been observed deploying a Windows information stealer known as Vidar as part of a new campaign. "The attack starts with a malicious Word document deploying a Colibri bot that then delivers the Vidar Stealer," Malwarebytes Labs  said  in an analysis. "The document contacts a remote server at (securetunnel[.]co) to load a remote template named 'trkal0.dot' that contacts a malicious macro," the researchers added. First documented by  FR3D.HK  and Indian cybersecurity company CloudSEK earlier this year, Colibri is a malware-as-a-service (MaaS) platform that's engineered to drop additional payloads onto compromised systems. Early signs of the loader appeared on Russian underground forums in August 2021. "This loader has multiple techniques that help avoid detection," CloudSEK r
Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware

Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware

March 23, 2022Ravie Lakshmanan
A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the  PlugX  remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur , owing to its resemblance to another PlugX (aka Korplug) variant called  THOR  that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr  said  in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a  cyber espionage group  that's primarily known for targeting non-governmental organizations with a specific foc
Chinese Hackers Target Taiwan's Financial Trading Sector with Supply Chain Attack

Chinese Hackers Target Taiwan's Financial Trading Sector with Supply Chain Attack

February 22, 2022Ravie Lakshmanan
An advanced persistent threat (APT) group operating with objectives aligned with the Chinese government has been linked to an organized supply chain attack on Taiwan's financial sector. The attacks are said to have first commenced at the end of November 2021, with the intrusions attributed to a threat actor tracked as  APT10 , also known as Stone Panda, the MenuPass group, and Bronze Riverside, and known to be active since at least 2009. The second wave of attacks hit a peak between February 10 and 13, 2022, according to a  new report  published by Taiwanese cybersecurity firm CyCraft, which said the wide-ranging supply chain compromise specifically targeted the software systems of financial institutions, resulting in "abnormal cases of placing orders." The infiltration activity, codenamed " Operation Cache Panda ," exploited a vulnerability in the web management interface of the unnamed securities software that has a market share of over 80% in Taiwan, usi
Palestine-Aligned Hackers Use New NimbleMamba Implant in Recent Attacks

Palestine-Aligned Hackers Use New NimbleMamba Implant in Recent Attacks

February 08, 2022Ravie Lakshmanan
An advanced persistent threat (APT) hacking group operating with motives that likely align with Palestine has embarked on a new campaign that takes advantage of a previously undocumented implant called NimbleMamba . The intrusions leveraged a sophisticated attack chain targeting Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline, enterprise security firm Proofpoint  said  in a report, attributing the covert operation to a threat actor tracked as Molerats (aka TA402). Notorious for continuously updating their malware implants and their delivery methods, the APT group was most recently linked to an  espionage offensive  aimed at human rights activists and journalists in Palestine and Turkey, while a previous attack exposed in June 2021 resulted in the deployment of a backdoor called  LastConn . But the lull in the activities has been offset by the operators actively working to retool their arsenal, resulting in the development of NimbleMamba, whic
Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor

Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor

February 06, 2022Ravie Lakshmanan
A Chinese advanced persistent threat (APT) group has been targeting Taiwanese financial institutions as part of a "persistent campaign" that lasted for at least 18 months. The intrusions, whose primary intent was espionage, resulted in the deployment of a backdoor called xPack , granting the adversary extensive control over compromised machines, Broadcom-owned Symantec said in a  report  published last week. What's notable about this campaign is the amount of time the threat actor lurked on victim networks, affording the operators ample opportunity for detailed reconnaissance and exfiltrate potentially sensitive information pertaining to business contacts and investments without raising any red flags. In one of the unnamed financial organizations, the attackers spent close to 250 days between December 2020 and August 2021, while a manufacturing entity had its network under their watch for roughly 175 days. Although the initial access vector used to the breach the ta
A New APT Hacker Group Spying On Hotels and Governments Worldwide

A New APT Hacker Group Spying On Hotels and Governments Worldwide

September 24, 2021Ravie Lakshmanan
A new advanced persistent threat (APT) has been behind a string of attacks against hotels across the world, along with governments, international organizations, engineering companies, and law firms. Slovak cybersecurity firm ESET codenamed the cyber espionage group  FamousSparrow , which it said has been active since at least August 2019, with victims located across Africa, Asia, Europe, the Middle East, and the Americas, spanning several countries such as Burkina Faso, Taiwan, France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, and Guatemala. Attacks mounted by the group involve exploiting known vulnerabilities in server applications such as SharePoint and Oracle Opera, in addition to the  ProxyLogon  remote code execution vulnerability in Microsoft Exchange Server that came to light in March 2021, making it the  latest threat actor  to have had access to the exploit before details of the flaw became public. According to ESET, intrusions exploiting the flaws comme
WildPressure APT Emerges With New Malware Targeting Windows and macOS

WildPressure APT Emerges With New Malware Targeting Windows and macOS

July 07, 2021Ravie Lakshmanan
A malicious campaign that has set its sights on industrial-related entities in the Middle East since 2019 has resurfaced with an upgraded malware toolset to strike both Windows and macOS operating systems, symbolizing an expansion in both its targets and its strategy around distributing threats. Russian cybersecurity firm attributed the attacks to an advanced persistent threat (APT) it tracks as " WildPressure ," with victims believed to be in the oil and gas industry.  WildPressure first came to light in March 2020 based off of a malware operation distributing a fully-featured C++ Trojan dubbed "Milum" that enabled the threat actor to gain remote control of the compromised device. The attacks were said to have begun as early as August 2019. "For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service," Kaspersky researcher Denis
U.S Defense Warns of 3 New Malware Used by North Korean Hackers

U.S Defense Warns of 3 New Malware Used by North Korean Hackers

May 13, 2020Ravie Lakshmanan
Yesterday, on the 3rd anniversary of the infamous global WannaCry ransomware outbreak for which North Korea was blamed, the U.S. government released information about three new malware strains used by state-sponsored North Korean hackers. Called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware variants are capable of remote reconnaissance and exfiltration of sensitive information from target systems, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The three new malware strains are the latest addition to a long list of over 20 malware samples , including BISTROMATH, SLICKSHOES, HOPLIGHT, and ELECTRICFISH , among others, that have been identified by the security agencies as originating as part of a series of malicious cyber activity by the North Korean government it calls Hidden Cobra , or widely known by the moniker Lazarus Group. Full
Researchers Developed Artificial Intelligence-Powered Stealthy Malware

Researchers Developed Artificial Intelligence-Powered Stealthy Malware

August 09, 2018Mohit Kumar
Artificial Intelligence (AI) has been seen as a potential solution for automatically detecting and combating malware, and stop cyber attacks before they affect any organization. However, the same technology can also be weaponized by threat actors to power a new generation of malware that can evade even the best cyber-security defenses and infects a computer network or launch an attack only when the target's face is detected by the camera. To demonstrate this scenario, security researchers at IBM Research came up with DeepLocker —a new breed of "highly targeted and evasive" attack tool powered by AI," which conceals its malicious intent until it reached a specific victim. According to the IBM researcher, DeepLocker flies under the radar without being detected and "unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition." Describing it as the "sp
A New Paradigm For Cyber Threat Hunting

A New Paradigm For Cyber Threat Hunting

June 11, 2018Mohit Kumar
It's no secret that expecting security controls to block every infection vector is unrealistic. For most organizations, the chances are very high that threats have already penetrated their defenses and are lurking in their network. Pinpointing such threats quickly is essential, but traditional approaches to finding these needles in the haystack often fall short. Now there is a unique opportunity for more feasible, more effective threat hunting capabilities, and it stems from a most unusual effort: rethinking the approach to wide area networking. When we look at the cyber kill-chain today, there are two major phases—infection and post-infection. Security experts acknowledge that organizations can get infected no matter how good their security controls are. The simple fact is, infection vectors change rapidly and continuously. Attackers use new delivery methods – everything from social engineering to zero-day exploits – and they often are effective. In most cases, an infecti
Mobile Bootloaders From Top Manufacturers Found Vulnerable to Persistent Threats

Mobile Bootloaders From Top Manufacturers Found Vulnerable to Persistent Threats

September 06, 2017Swati Khandelwal
Security researchers have discovered several severe zero-day vulnerabilities in the mobile bootloaders from at least four popular device manufacturers that could allow an attacker to gain persistent root access on the device. A team of nine security researchers from the University of California Santa Barbara created a special static binary tool called BootStomp that automatically detects security vulnerabilities in bootloaders. Since bootloaders are usually closed source and hard to reverse-engineer, performing analysis on them is difficult, especially because hardware dependencies hinder dynamic analysis. Therefore, the researchers created BootStomp, which "uses a novel combination of static analysis techniques and underconstrained symbolic execution to build a multi-tag taint analysis capable of identifying bootloader vulnerabilities." The tool helped the researchers discover six previously-unknown critical security bugs across bootloaders from HiSilicon (Huawe
Russian Hackers Hijack Satellite To Steal Data from Thousands of Hacked Computers

Russian Hackers Hijack Satellite To Steal Data from Thousands of Hacked Computers

September 10, 2015Swati Khandelwal
A group of Russian hackers, most notably the Turla APT (Advanced Persistent Threat) is hijacking commercial satellites to hide command-and-control operations, a security firm said today. Turla APT group, which was named after its notorious software Epic Turla , is abusing satellite-based Internet connections in order to: Siphon sensitive data from government, military, diplomatic, research and educational organisations in the United States and Europe. Hide their command-and-control servers from law enforcement agencies. Despite some of its operations were uncovered last year, Turla APT group has been active for close to a decade, while remaining invisible by cleverly hiding from law enforcement agencies and security firms. Now, security researchers from Moscow-based cyber security firm Kaspersky Lab claim to have identified the way Turla APT group succeeded in hiding itself. The researchers said the group disguised itself by using commercial satellite Internet
FBI’s Cyber Task Force Identifies Stealthy FF-RATs used in Cyber Attack

FBI's Cyber Task Force Identifies Stealthy FF-RATs used in Cyber Attack

September 02, 2015Wang Wei
In both April and June this year, a series of cyber attacks was conducted against the United States Office of Personnel Management (OPM) . These attacks resulted in 21 million current and former Federal government employees' information being stolen. After months of investigation, the FBI's Cyber Task Force identified several Remote Access Tools (RATs) that were used to carry out the attack. One of the more effective tools discovered is named ' FF-RAT '. FF-RAT evades endpoint detection through stealth tactics, including the ability to download DLLs remotely and execute them in memory only. Hackers use RATs to gain unlimited access to infected endpoints. Once the victim's access privilege is acquired, it is then used for malware deployment, command and control (C&C) server communication, and data exfiltration. Most Advanced Persistent Threat (APT) attacks also take advantage of RAT functionality for bypassing strong authentication, reconnaissance, spreading
Operation Lotus Blossom APT - Elise Malware

Operation Lotus Blossom APT - Elise Malware

August 04, 2015Swati Khandelwal
Advanced Persistent Threat (APT) type attacks continue to emerge on a global scale. What makes these attacks deviate from the norm is often the resources required to develop and implement them: time, money, and the knowledge required to create custom pieces of malware to carry out specific, targeted attacks. Operation Lotus Blossom is one of the more recent APT attacks that has been discovered and analyzed. It is an advanced adversary campaign against the mostly government and state-sponsored entities in the Philippines, Hong Kong, Vietnam, and Indonesia. It is thought that this group carried out the attack to gain a geopolitical advantage by stealing specific information from government and military institutions in that area.  At this point, it is still too early to tell if the reach of the attack will extend to the private sector (a la Stuxnet and Duqu). How does the attack work? It was found that Operation Lotus Blossom involved a novel custom-built malware
APT28 — State Sponsored Russian Hacker Group

APT28 — State Sponsored Russian Hacker Group

October 30, 2014Mohit Kumar
Nearly a decade-long cyber espionage group that targeted a variety of Eastern European governments and security-related organizations including the North Atlantic Treaty Organization (NATO) has been exposed by a security research firm. The US intelligence firm FireEye released its latest Advanced Persistent Threat ( APT ) report on Tuesday which said that the cyber attacks targeting various organisations would be of the interest to Russia, and " may be " sponsored by the Russian government. The Report entitled " APT28: A Window Into Russia's Cyber Espionage Operations " published by FireEye has " evidence of long-standing, focused operations that indicate a government sponsor - specifically, a government based in Moscow. " " Despite rumours of the Russian government's alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage, " Dan McWhort
POWELIKS — A Persistent Windows Malware Without Any Installer File

POWELIKS — A Persistent Windows Malware Without Any Installer File

August 04, 2014Mohit Kumar
Malware is nothing but a malicious files which is stored on an infected computer system in order to damage the system or steal sensitive data from it or perform other malicious activities. But security researchers have uncovered a new and sophisticated piece of malware that infects systems and steals data without installing any file onto the targeted system. Researchers dubbed this  persistent malware as Poweliks , which resides in the computer registry only and is therefore not easily detectable as other typical malware that installs files on the affected system which can be scanned by antivirus or anti-malware Software. According to Paul Rascagneres , Senior Threat Researcher, Malware analyst at GData software, due to the malware's subsequent and step-after-step execution of code, the feature set was similar to a stacking principles of Matryoshka Doll approach. Paul has made a number of name ripping malware and bots to uncover and undermine cyber crimes. He won last
APT Groups Return - Chinese Hackers Resume Cyber Espionage Operations

APT Groups Return - Chinese Hackers Resume Cyber Espionage Operations

April 11, 2014Swati Khandelwal
Year back, one of the largest " Advanced Persistent Threat " ( APT ) hacking groups received widespread attention from the media and from the U.S. government. APT Groups are China's cyber espionage units and they won't stop their espionage operation, despite being exposed last year. Yes, APT hacking groups, APT1 and APT12 , are again making headlines. Without bothering that the world knows about its cyber hacking activities, the two of its major hacking groups have became once again active and have resumed their espionage operation, reports the security firm Mandiant . A timeline of APT1 economic espionage conducted since 2006 and has systematically stolen confidential data from at least 141 organizations across multiple industries. Mandiant, the FireEye owned company, announced in its M-Trend report that over the past year the firm has a close eye on the APT1 group , which it first exposed in February 2013. It's also been monitoring the second Chinese hackers group, APT12 that
Malaysian flight MH370 tragedy abused by Chinese hackers for Espionage attacks

Malaysian flight MH370 tragedy abused by Chinese hackers for Espionage attacks

March 26, 2014Wang Wei
The Mysterious Malaysian Airlines flight MH370 , a Boeing 777-200 aircraft that has gone missing by the time it flew from Kuala Lumpur to Beijing. The Malaysian Prime Minister had also confirmed that the Malaysia Airlines plane had crashed in a remote part of the southern Indian Ocean. Cyber Criminals are known to take advantage of major news stories or events where there is a high level of public interest and now Scammers are also targeting tragedy of MH370 to trap innocent Internet users. Just a few days before we warned you about a Facebook malware campaign claimed that the missing Malaysian Airlines ' MH370 has been spotted in the Bermuda Triangle ' with its passengers still alive and invites users to click a link to view breaking news video footage. This week, Security researchers at FireEye have revealed about various ongoing spear phishing and malware attacks by some advanced persistent threat (APT) attackers. According to the researchers, the Chines
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.