#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

The Hacker News | #1 Trusted Cybersecurity News Site: ESET

North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets

North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets

Nov 30, 2022
The North Korea-linked  ScarCruft  group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko  said  in a new report published today. Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control. The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper. The campaign, first uncovered by  Kaspersky  and  Volexity  last year,  entailed  the weaponization of two Internet Explorer flaws ( CVE-2020-1380
Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

Nov 26, 2022
Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group. Slovak cybersecurity company ESET, which dubbed the new ransomware strain  RansomBoggs , said the attacks against several Ukrainian entities were first detected on November 21, 2022. "While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm," the company  said  in a series of tweets Friday. The development comes as the Sandworm actor, tracked by Microsoft as Iridium, was implicated for a set of attacks aimed at transportation and logistics sectors in Ukraine and Poland with another ransomware strain called  Prestige  in October 2022. The RansomBoggs activity is said to employ a PowerShell script to distribute the ransomware, with the former "almost identical" to the one used in the  Industroyer2 malware  attacks that came to light in April. According to
Notorious Emotet Malware Returns With High-Volume Malspam Campaign

Notorious Emotet Malware Returns With High-Volume Malspam Campaign

Nov 21, 2022
The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like  IcedID  and  Bumblebee . "Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint  said  last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families." Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil. The Emotet-related activity was last observed in July 2022, although  sporadic   infections  have been  reported  since then. In mid-October, ESET  revealed  that Emotet may be readying for a new wave of attacks, pointing out updates to its "systeminfo" module. The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a revival of sorts late last yea
Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Nov 14, 2022
A recently discovered cyber espionage group dubbed  Worok  has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft. "What is noteworthy is data collection from victims' machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage," the company  said . The development comes a little over two months after ESET disclosed details of attacks carried out by  Worok  against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as  TA428 . The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerS
New Updates for ESET's Advanced Home Solutions

New Updates for ESET's Advanced Home Solutions

Nov 11, 2022
It's no secret that antivirus software is as essential to your computer as a power cord. However, the threats don't stop at your devices. For example, criminals trying to steal your data can attack your Wi-Fi router, and phishing attempts can target your email.  ESET's latest consumer product release takes a comprehensive approach to security to guard against a full range of threats. All are built with ESET's signature light footprint for gaming, browsing, shopping and socializing with no interruptions or slowdowns. Introducing enhanced security for Windows, Mac and Android For more than 30 years, ESET® has created industry-leading IT security software and services, protecting businesses worldwide from ever-evolving digital threats.  ESET's solutions for consumers use the same advanced technologies. By protecting your digital life, ESET delivers real-world protection against criminals trying to steal your identity, hack your bank account or lock down your com
New UEFI Firmware Flaws Reported in Several Lenovo Notebook Models

New UEFI Firmware Flaws Reported in Several Lenovo Notebook Models

Nov 10, 2022
PC maker Lenovo has addressed yet another set of three shortcomings in the Unified Extensible Firmware Interface (UEFI) firmware affecting several Yoga, IdeaPad, and ThinkBook devices. "The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS," Slovak cybersecurity firm ESET  explained  in a series of tweets. UEFI refers to software that acts as an interface between the operating system and the firmware embedded in the device's hardware. Because UEFI is  responsible  for launching the operating system when a device is powered on, it has made the technology an attractive option for threat actors looking to  drop malware  that's difficult to detect and remove. Viewed in that light, the flaws, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, could be abused by an adversary to turn off Secure Boot, a security mechanism that's designed to prevent malicious programs from lo
Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers

Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers

Oct 13, 2022
A threat actor tracked as Polonium has been linked to over a dozen highly targeted attacks aimed at Israelian entities with seven different custom backdoors since at least September 2021. The intrusions were aimed at organizations in various verticals, such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services, cybersecurity firm ESET said. Polonium  is the chemical element-themed moniker given by Microsoft to a sophisticated operational group that's believed to be based in Lebanon and is known to exclusively strike Israeli targets. Activities undertaken by the group first came to light earlier this June when the Windows maker disclosed it suspended more than 20 malicious OneDrive accounts created by the adversary for command-and-control (C2) purposes. Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive
Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers

Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers

Oct 03, 2022
The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary. The Bring Your Own Vulnerable Driver ( BYOVD ) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter)ception  that's directed against aerospace and defense industries. "The campaign started with spear-phishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium," ESET researcher Peter Kálnai  said . Attack chains unfolded upon the opening of the lure documents, leading to the distribution of malicious droppers that were trojanized versions of open source projects, corroborating recent reports from Google's  Mandiant  and  Microsoft . ESET said it uncovered evid
SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor

SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor

Sep 14, 2022
A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant.  Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed  SparklingGoblin . The unnamed university is said to have been already targeted by the group in May 2020 during the  student protests . "The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," ESET  said  in a report shared with The Hacker News. SparklingGoblin is the name given to a Chinese advanced persistent threat (APT) group with connections to the  Winnti umbrella  (aka APT41, Barium, Earth Baku, or Wicked Panda). It's primarily known for its attacks targeting various en
North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

Aug 17, 2022
The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed " Operation In(ter)ception " that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents. The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022. "Malware is compiled for both Intel and Apple Silicon," the company  said  in a series of tweets. "It drops three files: a decoy PDF document ' Coinbase_online_careers_2022_07.pdf ', a bundle  'FinderFontsUpdater.app ,' and a downloa
Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

Jul 19, 2022
Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system. The malware, codenamed  CloudMensis  by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files. "Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé  said  in a report published today. CloudMensis, written in Objective-C, was first discovered in April 2022 and is designed to strike both Intel and Apple silicon architectures. The initial infection vector for the attacks and the targets remain unknown as yet. But its very limited distribution is an indication that the malware is being used as part of a highly targeted operation directed against entities of i
New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops

New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops

Apr 19, 2022
Three high-impact Unified Extensible Firmware Interface (UEFI) security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices. Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two "affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks," ESET researcher Martin Smolár  said  in a report published today. "Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated," Smolár added. Successful exploitation of the flaws could permit an attacker to disable SPI flash protections or Secure Boot, effectively granting the adversary the ability to install persistent malware that can survive system reboots. CVE-2021-3970, on the other hand, relates to a case of memory corruption in the System Management Mode ( SMM
Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation

Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation

Apr 14, 2022
Microsoft and a consortium of cybersecurity companies took legal and technical steps to disrupt the ZLoader botnet , seizing control of 65 domains that were used to control and communicate with the infected hosts. "ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money," Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit (DCU),  said . The operation, Microsoft said, was undertaken in collaboration with ESET, Lumen's Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Financial Services Information Sharing and Analysis Center (FS-ISAC), and Health Information Sharing and Analysis Center (H-ISAC). As a result of the disruption, the domains are now redirected to a sinkhole, effectively preventing the botnet's criminal operators from contacting the compromised devices.
Russian Hackers Tried Attacking Ukraine's Power Grid with Industroyer2 Malware

Russian Hackers Tried Attacking Ukraine's Power Grid with Industroyer2 Malware

Apr 13, 2022
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday  disclosed  that it thwarted a cyberattack by Sandworm , a hacking group affiliated with Russia's military intelligence, to sabotage the operations of an unnamed energy provider in the country. "The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, [and] active network equipment," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP)  said  in a statement. Slovak cybersecurity firm ESET, which collaborated with CERT-UA to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the  Industroyer  malware, which was first deployed in a 2016 assault on Ukraine's power grid. "The Sandworm attackers made an attempt to d
Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users

Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users

Apr 06, 2022
Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021. The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News. The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia. "The threat actors use these fake e-shop applications to phish for banking credentials," ESET  said . "The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank." The targeted banks include Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. Th
Experts Detail Virtual Machine Used by Wslink Malware Loader for Obfuscation

Experts Detail Virtual Machine Used by Wslink Malware Loader for Obfuscation

Mar 29, 2022
Cybersecurity researchers have shed more light on a malicious loader that runs as a server and executes received modules in memory, laying bare the structure of an "advanced multi-layered virtual machine" used by the malware to fly under the radar. Wslink, as the malicious loader is called, was first  documented  by Slovak cybersecurity company ESET in October 2021, with very few telemetry hits detected in the past two years spanning Central Europe, North America, and the Middle East. Analysis of the malware samples have yielded little to no clues about the initial compromise vector used, and no code, functionality, or operational similarities have been uncovered to suggest that this is a tool from a previously identified threat actor. Packed with a file compression utility named NsPack, Wslink makes use of what's called a  process virtual machine  (VM), a mechanism to run an application in a platform-independent manner that abstracts the underlying hardware or opera
Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware

Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware

Mar 23, 2022
A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the  PlugX  remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur , owing to its resemblance to another PlugX (aka Korplug) variant called  THOR  that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr  said  in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a  cyber espionage group  that's primarily known for targeting non-governmental organizations with a specific foc
More Resources

Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.