#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter
CrowdSec

Kaspersky | Breaking Cybersecurity News | The Hacker News

Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade

Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
May 22, 2023 Cyber Espionage / Malware
New findings about a hacker group linked to cyber attacks targeting companies in the Russo-Ukrainian conflict area reveal that it may have been around for much longer than previously thought. The threat actor, tracked as  Bad Magic  (aka Red Stinger), has not only been linked to a fresh sophisticated campaign, but also to an activity cluster that first came to light in May 2016. "While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine," Russian cybersecurity firm Kaspersky  said  in a technical report published last week. The campaign is characterized by the use of a novel modular framework codenamed CloudWizard, which features capabilities to take screenshots, record microphone, log keystrokes, grab passwords, and harvest Gmail inboxes. Bad Magic was  first documented  by the company in March 2023, detail

New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe

New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe
May 11, 2023 Advanced Persistent Threat
A previously undetected advanced persistent threat (APT) actor dubbed  Red Stinger  has been linked to attacks targeting Eastern Europe since 2020. "Military, transportation, and critical infrastructure were some of the entities being targeted, as well as some involved in the  September East Ukraine referendums ," Malwarebytes disclosed in a  report  published today. "Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings." Red Stinger overlaps with a threat cluster Kaspersky revealed under the name  Bad Magic  last month as having targeted government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea last year. While there were indications that the APT group may have been active since at least September 2021, the latest findings from Malwarebytes push the group's origins back by nearly a year, with the first operation taking place in December 2020.

external linkWing Security Launches Free SaaS Discovery Tool to Tackle Shadow IT Risks

SaaS
websitewww.wing.securitySaaS Security / Attack Surface
Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

Researchers Uncover Thriving Phishing Kit Market on Telegram Channels

Researchers Uncover Thriving Phishing Kit Market on Telegram Channels
Apr 07, 2023 Cyber Threat / Online Security
In yet another sign that Telegram is increasingly becoming a  thriving hub  for cybercrime, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns. "To promote their 'goods,' phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, 'What type of personal data do you prefer?'," Kaspersky web content analyst Olga Svistunova  said  in a report published this week. The links to these Telegram channels are distributed via YouTube, GitHub, and the phishing kits that are developed by the crooks themselves. The Russian cybersecurity firm said it detected over 2.5 million malicious URLs generated using phishing kits in the past six months. One of the prominent services offered is to provide threat actors with Telegram bots that automate the process of generating phishing pages and collecting user data. Although

New 'Bad Magic' Cyber Threat Disrupts Ukraine's Key Sectors Amid War

New 'Bad Magic' Cyber Threat Disrupts Ukraine's Key Sectors Amid War
Mar 21, 2023 Cyber War / Cyber Threat
Amid the  ongoing war  between Russia and Ukraine, government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea have been attacked as part of an active campaign that drops a previously unseen, modular framework dubbed  CommonMagic . "Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods," Kaspersky  said  in a new report. The Russian cybersecurity company, which detected the attacks in October 2022, is tracking the activity cluster under the name "Bad Magic." Attack chains entail the use of booby-trapped URLS pointing to a ZIP archive hosted on a malicious web server. The file, when opened, contains a decoy document and a malicious LNK file that culminates in the deployment of a backdoor named PowerMagic. Written in PowerShell, PowerMagic establishes contact with a remote server and executes arbitrary commands, the results of which are exfiltra

New Backdoor Created Using Leaked CIA's Hive Malware Discovered in the Wild

New Backdoor Created Using Leaked CIA's Hive Malware Discovered in the Wild
Jan 16, 2023 Threat Landscape / Malware
Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s  Hive  multi-platform  malware suite , the source code of which was  released  by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it  xdr33  based on its embedded Bot-side certificate CN=xdr33," Qihoo Netlab 360's Alex Turing and Hui Wang  said  in a technical write-up published last week. xdr33 is said to be propagated by exploiting an unspecified N-day security vulnerability in F5 appliances. It communicates with a command-and-control (C2) server using SSL with forged Kaspersky certificates. The intent of the backdoor, per the Chinese cybersecurity firm, is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implementation changes. The  ELF

BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection
Dec 27, 2022 Cyber Attack / Windows Security
BlueNoroff , a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web ( MotW ) protections. This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today. "BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said , adding the new attack procedure was flagged in its telemetry in September 2022. Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region. It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by

Researchers Uncover MirrorFace Cyber Attacks Targeting Japanese Political Entities

Researchers Uncover MirrorFace Cyber Attacks Targeting Japanese Political Entities
Dec 15, 2022 Advanced Persistent Threat
A Chinese-speaking advanced persistent threat (APT) actor codenamed  MirrorFace  has been attributed to a spear-phishing campaign targeting Japanese political establishments. The activity, dubbed  Operation LiberalFace  by ESET, specifically focused on members of an unnamed political party in the nation with the goal of delivering an implant called LODEINFO and a hitherto unseen credential stealer named MirrorStealer. The Slovak cybersecurity company said the campaign was launched a little over a week prior to the  Japanese House of Councillors election  that took place on July 10, 2022. "LODEINFO was used to deliver additional malware, exfiltrate the victim's credentials, and steal the victim's documents and emails," ESET researcher Dominik Breitenbacher  said  in a technical report published Wednesday. MirrorFace is said to share overlaps with another threat actor tracked as  APT10  (aka Bronze Riverside, Cicada, Earth Tengshe, Stone Panda, and Potassium) and

Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant

Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant
Dec 10, 2022 Hack-for-Hire / Threat Intelligence
Travel agencies have emerged as the target of a hack-for-hire group dubbed  Evilnum  as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress and YouTube as  dead drop resolvers , Kaspersky  said  in a technical report published this week. Janicab infections comprise a diverse set of victims located in Egypt, Georgia, Saudi Arabia, the UAE, and the U.K. The development marks the first time legal organizations in Saudi Arabia have been targeted by this group. Also tracked as DeathStalker, the threat actor is known to deploy  backdoors  like Janicab, Evilnum, Powersing, and PowerPepper to exfiltrate confidential corporate information. "Their interest in gathering sensitive business information leads us to believe that Deat

North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets

North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets
Nov 30, 2022
The North Korea-linked  ScarCruft  group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko  said  in a new report published today. Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control. The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper. The campaign, first uncovered by  Kaspersky  and  Volexity  last year,  entailed  the weaponization of two Internet Explorer flaws ( CVE-2020-1380

Experts Warn of SandStrike Android Spyware Infecting Devices via Malicious VPN App

Experts Warn of SandStrike Android Spyware Infecting Devices via Malicious VPN App
Nov 02, 2022
A previously undocumented Android spyware campaign has been found striking Persian-speaking individuals by masquerading as a seemingly harmless VPN application. Russian cybersecurity firm Kaspersky is tracking the campaign under the moniker  SandStrike . It has not been attributed to any particular threat group. "SandStrike is distributed as a means to access resources about the  Bahá'í religion  that are banned in Iran," the company noted in its  APT trends report  for the third quarter of 2022. While the app is ostensibly designed to provide victims with a VPN connection to bypass the ban, it's also configured to covertly siphon data from the victims' devices, such as call logs, contacts, and even connect to a remote server to fetch additional commands. The booby-trapped VPN service, while fully functional, is said to be distributed via a Telegram channel controlled by the adversary. Links to the channel are also advertised on fabricated social media acco

Cybercriminals Used Two PoS Malware to Steal Details of Over 167,000 Credit Cards

Cybercriminals Used Two PoS Malware to Steal Details of Over 167,000 Credit Cards
Oct 25, 2022
Two point-of-sale (PoS) malware variants have been put to use by a threat actor to steal information related to more than 167,000 credit cards from payment terminals. According to Singapore-headquartered cybersecurity company Group-IB, the stolen data dumps could net the operators as much as $3.34 million by selling them on underground forums. While a significant proportion of attacks aimed at gathering payment data rely on  JavaScript sniffers  (aka web skimmers) stealthily inserted on e-commerce websites, PoS malware continues to be an ongoing, if less popular, threat. Just last month, Kaspersky detailed new tactics adopted by a Brazilian threat actor known as  Prilex  to steal money by means of fraudulent transactions. "Almost all PoS malware strains have a similar card dump extraction functionality, but different methods for maintaining persistence on infected devices, data exfiltration and processing," researchers Nikolay Shelekhov and Said Khamchiev  said . Trea

New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials

New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials
Sep 27, 2022
Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called  NullMixer  on compromised systems. "When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others." Besides siphoning users' credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon account session cookies, what makes NullMixer insidious is its ability to download dozens of trojans at once, significantly widening the scale of the infections. Attack chains typically start when a user attempts to download cracked software from one of the sites, which leads to a password-protected archive that contains an executable fil

Researchers Uncover Kimusky Infra Targeting South Korean Politicians and Diplomats

Researchers Uncover Kimusky Infra Targeting South Korean Politicians and Diplomats
Aug 25, 2022
The North Korean nation-state group Kimusky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart since early 2022. Russian cybersecurity firm Kaspersky codenamed the cluster  GoldDragon , with the infection chains leading to the deployment of Windows malware designed to file lists, user keystrokes, and stored web browser login credentials. Included among the potential victims are South Korean university professors, think tank researchers, and government officials.  Kimsuky , also known as Black Banshee, Thallium, and Velvet Chollima, is the name given to a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gain intelligence on various topics of interest to the regime. Known to be operating since 2012, the group has a history of employing social engineering tactics, spear-phishing, and watering hole attacks to

Malicious Browser Extensions Targeted Over a Million Users So Far This Year

Malicious Browser Extensions Targeted Over a Million Users So Far This Year
Aug 17, 2022
More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show. "From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company  said . As many as 1,311,557 users fall under this category in the first half of 2022, per Kaspersky's telemetry data. In comparison, the number of such users peaked in 2020 at 3,660,236, followed by 1,823,263 unique users in 2021. The most prevalent threat is a family of adware called WebSearch, which masquerade as PDF viewers and other utilities, and comes with capabilities to collect and analyze search queries and redirect users to affiliate links. WebSearch is also notable for modifying the browser's start page, which contains a search engine and a number of links to third-party sour

Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers
Aug 10, 2022
The first ever incident possibly involving the ransomware family known as Maui occurred on April 15, 2021, aimed at an unnamed Japanese housing company. The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence agencies issued an  advisory  about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least May 2021. Much of the data about its modus operandi came from incident response activities and industry analysis of a Maui sample that revealed a lack of "several key features" typically associated with ransomware-as-a-service (RaaS) operations. Not only is Maui designed to be manually executed by a remote actor via a command-line interface, it's also notable for not including a ransom note to provide recovery instructions. Subsequently, the Justice Department  announced  the seizure of $500,000 worth of Bitcoin that were extorted from several organizations, including two he

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions
Aug 09, 2022
Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors. Russian cybersecurity firm Kaspersky  attributed  the attacks "with a high degree of confidence" to a China-linked threat actor tracked by  Proofpoint  as  TA428 , citing overlaps in tactics, techniques, and procedures (TTPs).  TA428, also known by the names Bronze Dudley, Temp.Hex, and Vicious Panda, has a  history  of striking entities in Ukraine, Russia, Belarus, and Mongolia. It's believed to share connections with another hacking group called Mustang Panda (aka Bronze President). Targets of the latest cyber espionage campaign included industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries and Afghanistan. Attack chains entail penet

Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access

Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access
Jul 27, 2022
Threat actors are increasingly abusing Internet Information Services ( IIS ) extensions to backdoor servers as a means of establishing a "durable persistence mechanism." That's according to a  new warning  from the Microsoft 365 Defender Research Team, which said that "IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules." Attack chains taking this approach commence with weaponizing a critical vulnerability in the hosted application for initial access, using this foothold to drop a script web shell as the first stage payload. This web shell then becomes the conduit for installing a rogue IIS module to provide highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests as well as running remote commands. Indeed, earlier this month, Kaspersky researchers disclosed a cam
Cybersecurity Resources