Malware | Breaking Cybersecurity News | The Hacker News

A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform" capable of targeting users of more than 36 Spanish banks, governmental bodies and 30 institutions worldwide.  The phishing kit is priced anywhere between $150 and $900 a month, whereas the bundle including the phishing kit and Android malware is available on a subscription basis for about $500 per month. Targets of the campaign include users of Spanish financial institutions, as well as tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. As many as 288 phishing domains linked to the activity ha

CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity. The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world. "After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer," CrowdStrike's Counter Adversary Operations team said . "The installer contains CrowdStrike branding, German localization, and a password [is] required to continue install

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker APT45 , which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Silent Chollima, and Stonefly. "APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said . "APT45 has been the most frequently observed targeting critical infrastructure." It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau

A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to malicious files disguised as harmless-looking videos. The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11. "Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," security researcher Lukáš Štefanko said in a report. It's believed that the payload is concocted using Telegram's application programming interface ( API ), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it enables an attacker to camouflage a malicious APK file as a 30-second video.  Users who click on the video are displayed an actual warning message stating the video cannot be played and urges t

The threat actor known as Patchwork has been linked to a cyber attack targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell. The development marks the first time the adversary has been observed using the red teaming software, the Knownsec 404 Team said in an analysis published last week. The activity cluster, also called APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor likely of Indian origin. Known for conducting spear-phishing and watering hole attacks against China and Pakistan, the hacking crew is believed to be active since at least 2009, according to data shared by Chinese cybersecurity firm QiAnXin. Last July, Knownsec 404 disclosed details of an espionage campaign aimed at universities and research organizations in China that leveraged a .NET-based implant codenamed EyeShell to fetch and execute commands from an attacker-controlled

A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma , and Meduza . Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1). The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024. "Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file," security researcher Cara Lin said . "The LNK file then downloads an executable file containing an [HTML Application] script." The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in tur

Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools. The campaign is a sign that the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware." Daggerfly, also known by the names Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in connection with an intelligence-gathering mission aimed at telecom service providers in Africa. It's known to be operational since 2012. "Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption," the compan

Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January. Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop , describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024. "FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News. It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024. "Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said . This is just one of many defense evasion methods employed by the threat actor, which also includes the use of swap files ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstra

The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign that targeted a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to a threat actor it tracks under the name UAC-0063 , which was previously observed targeting various government entities to gather sensitive information using keyloggers and backdoors. The attack is characterized by the use of a compromised email account belonging to an employee of the organization to send phishing messages to "dozens" of recipients containing a macro-laced Microsoft Word (DOCX) attachment. Opening the document and enabling macros results in the execution of an encoded HTML Application (HTA) named HATVIBE, which sets up persistence on the host using a scheduled task and paves the way for a Python backdoor codenamed CHERRYSPY, which is capable of running commands issued by a remote server. CERT-UA said it detected &q

A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. "Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google said in its biannual Threat Horizons Report [PDF] shared with The Hacker News. "These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment." The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an onli

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC , short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale distributed high-throughput computing" using participating home computers on which the app is installed. "It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week. These malicious installations are designed to connect to an actor-controlled domain ("rosettahome[.]cn" or "rosettah

Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday. Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023. Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. Manufactu

Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. The attack chains involve distributing a ZIP archive file named " crowdstrike-hotfix.zip ," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload. Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urges targets to run an executable file ("setup.exe") to recover from the issue. "Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said , attributing the campaign to a suspected e-

Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill's threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk.  In the current cyber threat landscape, the protection of personal and corporate identities has become vital. Once in the hands of cybercriminals, compromised credentials and accounts provide unauthorized access to corporations' sensitive information and an entry point to launch costly ransomware and other malware attacks. To properly mitigate threats stemming from compromised credentials and accounts, organizations need identity intelligence. Understanding the significance of identity intelligence and the benefits it delivers is foundational to maintaining a secure posture and minimizing risk.  There is a perception that security teams and threat analysts are already overloaded by too much data. By these

A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information. These attacks, attributed to an activity cluster codenamed OilAlpha , entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future's Insikt Group said . Targets of the ongoing campaign include, CARE International, the Norwegian Refugee Council (NRC), and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre. "The OilAlpha threat group is highly likely active and executing targeted activity against humanitarian and human rights organizations operating in Yemen, and potentially throughout the Middle East," the cybersecurity company said. OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula. These attacks leveraged What