The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Malware

New Android Banking Trojan 'Revive' Targeting Users of Spanish Financial Services

New Android Banking Trojan 'Revive' Targeting Users of Spanish Financial Services
June 28, 2022Ravie Lakshmanan
A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA. Said to be in its early stages of development, the malware — dubbed  Revive  by Italian cybersecurity firm Cleafy — was first observed on June 15, 2022 and distributed by means of phishing campaigns. "The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working, Cleafy researchers Federico Valentini and Francesco Iubatti  said  in a Monday write-up. Available for download from rogue phishing pages ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com") as a lure to trick users into downloading the app, the malware impersonates the bank's two-factor authentication (2FA) app and is said to be inspired from open-source spyware called  Teardroid , with the authors tweaking the original source c

Cybersecurity Experts Warn of Emerging Threat of "Black Basta" Ransomware

Cybersecurity Experts Warn of Emerging Threat of "Black Basta" Ransomware
June 27, 2022Ravie Lakshmanan
The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window. "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason  said  in a report. Evidence indicates the ransomware strain was still in development as recently as February 2022, and only started to be used in attacks starting April after it was advertised on underground forums with an intent to buy and monetize corporate network access for a share of the profits. Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish

Researchers Warn of 'Matanbuchus' Malware Campaign Dropping Cobalt Strike Beacons

Researchers Warn of 'Matanbuchus' Malware Campaign Dropping Cobalt Strike Beacons
June 27, 2022Ravie Lakshmanan
A malware-as-a-service (Maas) dubbed  Matanbuchus  has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines. Matanbuchus, like other  malware loaders  such as  BazarLoader ,  Bumblebee , and  Colibri , is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection. Available on Russian-speaking cybercrime forums for a price of $2,500 since February 2021, the malware is equipped with capabilities to launch .EXE and .DLL files in memory and run arbitrary PowerShell commands. The findings, released by threat intelligence firm Cyble last week, document the latest infection chain associated with the loader, which is linked to a threat actor who goes by the online moniker BelialDemon. "If we look historically, BelialDemon has been involved in the development of malware loaders," Unit 42 researchers Jeff White

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware
June 24, 2022Ravie Lakshmanan
A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in  Google Play Protect  — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG)  said  in a Thursday report. Hermit, the work of an Italian vendor named RCS Lab, was  documented  by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages. Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, besides abusing its permissions to accessibility services on Android to keep tabs on various foreground apps used by the victims. Its modularity also enab

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks
June 24, 2022Ravie Lakshmanan
A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed  Bronze Starlight  by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the researchers  said  in a new report. "In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently." Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant empha

Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside

Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside
June 23, 2022Ravie Lakshmanan
A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in Nim language to strike targets as part of a newly discovered campaign. The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity company Check Point  said  in a report. "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. "Therefore the entire bundle works as a trojanized binary." SMS Bomber, as the name indicates, allows a user to input a phone number (not their own) so as to flood the victim's device with messages and potentially render it unusable in what's a denial-of-service (DoS) attack. The fact that the binary doubles up as SMS Bomber and a backdoor suggests that t

Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks
June 22, 2022Ravie Lakshmanan
QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Wednesday said it's in the process of fixing a critical three-year-old PHP vulnerability that could be abused to achieve remote code execution. "A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config," the hardware vendor  said  in an advisory. "If exploited, the vulnerability allows attackers to gain remote code execution." The vulnerability, tracked as  CVE-2019-11043 , is rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system. That said, it's required that Nginx and php-fpm are running in appliances using the following QNAP operating system versions - QTS 5.0.x and later QTS 4.5.x and later QuTS hero h5.0.x and later QuTS hero h4.5.x and later QuTScloud c5.0.x and later "As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not aff

Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine
June 22, 2022Ravie Lakshmanan
The Computer Emergency Response Team of Ukraine (CERT-UA) has  cautioned  of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware. Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism A Very Real Threat.rtf" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap. Follina ( CVE-2022-30190 , CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, as part of its Patch Tuesday updates , but not before it was subjected to widespread zero-day exploit activity by numerous threat actors. According to an independent report published by Malwarebytes,  CredoMap  is a variant of the .NET-based credenti

Europol Busts Phishing Gang Responsible for Millions in Losses

Europol Busts Phishing Gang Responsible for Millions in Losses
June 22, 2022Ravie Lakshmanan
Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities. The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, saw the arrests of nine individuals in the Dutch nation. The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse and a 25-year-old woman from Deventer, according to a  statement  from the National Police Force. Also confiscated as part of 24 house searches were firearms, ammunition, jewelry, designer clothing, expensive watches, electronic devices, tens of thousands of euros in cash, and cryptocurrency, the officials said. "The criminal group contacted victims by email, text message and through mobile messaging applications," the agency  noted . "These messages were sent by the members of the gang and contained a phishing link leading to a bogus banking website." Unsu

RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer

RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer
June 21, 2022Ravie Lakshmanan
The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022. The switch in modus operandi,  spotted  by Romanian company Bitdefender, comes in the wake of Raccoon Stealer  temporarily closing the project  after one of its team members responsible for critical operations passed away in the Russo-Ukrainian war in March 2022. The Rig Exploit Kit is notable for its abuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing trojan that's advertised and sold on underground forums as a malware-as-a-service (MaaS) for $200 a month. That said, the Raccoon Stealer actors are already working on a second version that's expected to be "rewritten from scratch and optimized." But the void left by the malware's exit is being filled by other information stealers such as RedLine Stealer and Vidar.

New ToddyCat Hacker Group on Experts' Radar After Targeting MS Exchange Servers

New ToddyCat Hacker Group on Experts' Radar After Targeting MS Exchange Servers
June 21, 2022Ravie Lakshmanan
An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a string of attacks aimed at government and military entities in Europe and Asia since at least December 2020. The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and activate a multi-stage infection chain. Other prominent countries singled out include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the U.K., and Uzbekistan, the swift escalation in targeting marked by improvements to its toolset over the course of successive campaigns. "The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443," Russian cybersecurity company Kaspersky  said  in a report published toda

Mitigate Ransomware in a Remote-First World

Mitigate Ransomware in a Remote-First World
June 21, 2022The Hacker News
Ransomware has been a thorn in the side of cybersecurity teams for years. With the move to remote and hybrid work, this insidious threat has become even more of a challenge for  organizations everywhere. 2021 was a case study in ransomware due to the wide variety of attacks, significant financial and economic impact, and diverse ways that organizations responded.  These attacks  should be seen as a lesson that can inform future security strategies to mitigate ransomware risk. As an organization continues to evolve, so should its security strategy. The Remote Environment Is Primed for Ransomware With organizations continuing to support remote and hybrid work, they no longer have the visibility and control they once had inside their perimeter. Attackers are  exploiting this weakness  and profiting. Here are three reasons they're able to do so: Visibility and control have changed.  Most organizations now have employees working from anywhere. These employees expect seamless access to

Do You Have Ransomware Insurance? Look at the Fine Print

Do You Have Ransomware Insurance? Look at the Fine Print
June 20, 2022The Hacker News
Insurance exists to protect the insured party against catastrophe, but the insurer needs protection so that its policies are not abused – and that's where the fine print comes in. However, in the case of ransomware insurance, the fine print is becoming contentious and arguably undermining the usefulness of ransomware insurance. In this article, we'll outline why, particularly given the current climate, war exclusion clauses are increasingly rendering ransomware insurance of reduced value – and why your organization should focus on protecting itself instead. What is ransomware insurance In recent years, ransomware insurance has grown as a product field because organizations are trying to buy protection against the catastrophic effects of a successful ransomware attack. Why try to buy insurance? Well, a single, successful attack can just about wipe out a large organization, or lead to crippling costs –  NotPetya alone led to a total of $10bn in damages .  Ransomware attacks

BRATA Android Malware Gains Advanced Mobile Threat Capabilities

BRATA Android Malware Gains Advanced Mobile Threat Capabilities
June 19, 2022Ravie Lakshmanan
The operators behind  BRATA  have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy. "In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy  said  in a report last week. "This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information." An acronym for "Brazilian Remote Access Tool Android," BRATA was first  detected  in the wild in Brazil in late 2018, before making its first appearance in Europe last April, while masquerading as antivirus software and other common productivity tools to trick users into downloading them. The change in the attack pattern, which scaled new highs in early April 2022, involves tailoring the malware to strike a specific financial institution at a time, switching to a differe

Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices

Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices
June 17, 2022Ravie Lakshmanan
The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K. The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service. Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking. "The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ  said  in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to ac

Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners
June 17, 2022Ravie Lakshmanan
A recently patched  critical security flaw  in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads. In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a  crypto miner  called z0miner on victim networks. The bug ( CVE-2022-26134 , CVSS score: 9.8), which was  patched  by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected. Other notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called  pwnkit , and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy
June 17, 2022Ravie Lakshmanan
An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022. Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk  said  in a new write-up. The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, w
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.