Malspam | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have flagged a new malspam campaign that makes use of Google's DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT . "Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as suspicious," Huntress researchers Anna Pham and Adam Mooney said in a report shared with The Hacker News. "From there, the victim is passed into a malspam kit that personalizes itself on the fly using the victim's email address, dynamically pulling in company branding and location details to make the page feel convincing without requiring the operators to handcraft a lure for each target." What makes this attack noteworthy is that it eliminates the need for having a bespoke kit for each targeted organization, thereby making these operations more scalable and ...

A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. "This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains." The DNS security company, which has codenamed the campaign Mikro Typo , said its analysis sprang forth from the discovery of a malspam campaign in late November 2024 that leveraged freight invoice-related lures to entice recipients into launching a ZIP archive payload. The ZIP file contains an obfuscated JavaScript file, which is then responsible for running a PowerShell script designed to initiate an outbound connection to a command-a...

Cybersecurity researchers have found that bad actors are continuing to have success by spoofing sender email addresses as part of various malspam campaigns. Faking the sender address of an email is widely seen as an attempt to make the digital missive more legitimate and get past security mechanisms that could otherwise flag it as malicious. While there are safeguards such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) that can be used to prevent spammers from spoofing well-known domains, such measures have increasingly led them to leverage old, neglected domains in their operations. In doing so, the email messages are likely to bypass security checks that rely on the domain age as a means to identify spam. DNS threat intelligence firm Infoblox, in a new analysis shared with The Hacker News, discovered that threat actors, including Muddling Meerkat and others, have abused some of it...

Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader , which then deploys an information stealer known as Vidar Stealer . "Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe)," Trellix security researcher Ale Houspanossian said in a Monday analysis. "When unsuspecting victims extracted and executed a 'Setup.exe' binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module." The starting point is a RAR archive file that contains an executable name "Setup.exe," but in reality is a copy of Cisco Webex Meetings's ptService module. What makes the campaign noteworthy is the use of DLL side-loading techniques to stealthily launch Hijack Loader (aka DOI...

Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called  AZORult  in order to facilitate information theft. "It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs researcher Jan Michael Alcantara  said  in a report published last week. The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with an intent to collect sensitive data for selling them in underground forums. AZORult, also called PuffStealer and Ruzalto, is an  information stealer  first detected around 2016. It's typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising. Once installed, it's capable of g...

A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate . "The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security  said  in a report published last week. The latest report builds on  recent findings  from security researcher Igal Lytzki, who detailed a "high volume campaign" that leverages hijacked email threads to trick recipients into downloading the malware. The attack commences with a phishing URL that, when clicked, passes through a traffic direction system ( TDS ) to take the victim to an MSI payload subject to certain conditions. This includes the presence of a refresh header in the HTTP response. Opening the MSI file triggers a multi-stage process that incorporates an AutoIt script to execute shellcode that acts as a conduit to decrypt and launch DarkGate via a crypte...