The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Malware

Police Raided German Spyware Company FinFisher Offices

Police Raided German Spyware Company FinFisher Offices

October 14, 2020Swati Khandelwal
German investigating authorities have raided the offices of Munich-based company FinFisher that sells the infamous commercial surveillance spyware dubbed 'FinSpy,' reportedly in suspicion of illegally exporting the software to abroad without the required authorization. Investigators from the German Customs Investigation Bureau (ZKA), ordered by the Munich Public Prosecutor's Office, searched a total of 15 properties in Munich, including business premises of FinFisher GmbH, two other business partners, as well as the private apartments of the managing directors, along with a partner company in Romania from October 6 to 8. For those unaware, FinSpy is extremely powerful spying software that is being sold as a legal law enforcement tool to governments around the world but has also been found in use by oppressive and dubious regimes to spy on activists, political dissidents and journalists. FinSpy malware can target both desktop and mobile operating systems, including And
FIN11 Hackers Spotted Using New Techniques In Ransomware Attacks

FIN11 Hackers Spotted Using New Techniques In Ransomware Attacks

October 14, 2020Ravie Lakshmanan
A financially-motivated threat actor known for its malware distribution campaigns has evolved its tactics to focus on ransomware and extortion. According to FireEye's Mandiant threat intelligence team, the collective — known as FIN11 — has engaged in a pattern of cybercrime campaigns at least since 2016 that involves monetizing their access to organizations' networks, in addition to deploying point-of-sale (POS) malware targeting financial, retail, restaurant, and pharmaceutical sectors. "Recent FIN11 intrusions have most commonly led to data theft, extortion and the disruption of victim networks via the distribution of CLOP ransomware ," Mandiant said . Although FIN11's activities in the past have been tied to malware such as FlawedAmmyy , FRIENDSPEAK , and MIXLABEL, Mandiant notes significant overlap in TTPs with another threat group that cybersecurity researchers call TA505 , which is behind the infamous Dridex banking Trojan and Locky ransomware that'
Microsoft and Other Tech Companies Take Down TrickBot Botnet

Microsoft and Other Tech Companies Take Down TrickBot Botnet

October 13, 2020Ravie Lakshmanan
Days after the US Government took steps to disrupt the notorious TrickBot botnet , a group of cybersecurity and tech companies has detailed a separate coordinated effort to take down the malware's back-end infrastructure. The joint collaboration, which involved Microsoft's Digital Crimes Unit , Lumen's Black Lotus Labs , ESET , Financial Services Information Sharing and Analysis Center ( FS-ISAC ), NTT , and Broadcom's Symantec , was undertaken after their request to halt TrickBot's operations was granted by the US District Court for the Eastern District of Virginia. The development comes after the US Cyber Command mounted a campaign to thwart TrickBot's spread over concerns of ransomware attacks targeting voting systems ahead of the presidential elections next month. Attempts aimed at impeding the botnet were first reported by KrebsOnSecurity early this month. Microsoft and its partners analyzed over 186,000 TrickBot samples, using it to track down the m
Watch Out — Microsoft Warns Android Users About A New Ransomware

Watch Out — Microsoft Warns Android Users About A New Ransomware

October 12, 2020Ravie Lakshmanan
Microsoft has warned about a new strain of mobile ransomware that takes advantage of incoming call notifications and Android's Home button to lock the device behind a ransom note. The findings concern a variant of a known Android ransomware family dubbed "MalLocker.B" which has now resurfaced with new techniques, including a novel means to deliver the ransom demand on infected devices as well as an obfuscation mechanism to evade security solutions. The development comes amid a huge surge in ransomware attacks against critical infrastructure across sectors, with a 50% increase in the daily average of ransomware attacks in the last three months compared to the first half of the year, and cybercriminals increasingly incorporating double extortion in their playbook. MalLocker has been known for being hosted on malicious websites and circulated on online forums using various social engineering lures by masquerading as popular apps, cracked games, or video players. Pre
ALERT! Hackers targeting IoT devices with a new P2P botnet malware

ALERT! Hackers targeting IoT devices with a new P2P botnet malware

October 07, 2020Ravie Lakshmanan
Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining. Discovered by Qihoo 360's Netlab security team, the  HEH Botnet  — written in Go language and armed with a proprietary peer-to-peer (P2P) protocol, spreads via a brute-force attack of the Telnet service on ports 23/2323 and can execute arbitrary shell commands. The researchers said the HEH botnet samples discovered so far support a wide variety of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PowerPC (PPC). The botnet, despite being in its early stages of development, comes with three functional modules: a propagation module, a local HTTP service module, and a P2P module. Initially downloaded and executed by a malicious Shell script named "wpqnbw.txt," the HEH sample then uses the Shell script to download rogue programs for all
New 'MosaicRegressor' UEFI Bootkit Malware Found Active in the Wild

New 'MosaicRegressor' UEFI Bootkit Malware Found Active in the Wild

October 06, 2020Ravie Lakshmanan
Cybersecurity researchers have spotted a rare kind of potentially dangerous malware that targets a machine's booting process to drop persistent malware. The campaign involved the use of a compromised  UEFI  (or Unified Extensible Firmware Interface) containing a malicious implant, making it the  second known public case  where a UEFI rootkit has been used in the wild. According to  Kaspersky , the rogue UEFI firmware images were modified to incorporate several malicious modules, which were then used to drop malware on victim machines in a series of targeted cyberattacks directed against diplomats and members of an NGO from Africa, Asia, and Europe. Calling the malware framework " MosaicRegressor ," Kaspersky researchers Mark Lechtik, Igor Kuznetsov, and Yury Parshin said a telemetry analysis revealed several dozen victims between 2017 and 2019, all of whom had some ties to North Korea. UEFI is a firmware interface and a replacement for BIOS that improves security, e
New Flaws in Top Antivirus Software Could Make Computers More Vulnerable

New Flaws in Top Antivirus Software Could Make Computers More Vulnerable

October 05, 2020Ravie Lakshmanan
Cybersecurity researchers today disclosed details of security vulnerabilities found in popular antivirus solutions that could enable attackers to elevate their privileges, thereby helping malware sustain its foothold on the compromised systems. According to a report published by CyberArk researcher Eran Shimony today and shared with The Hacker News, the high privileges often associated with anti-malware products render them more vulnerable to exploitation via file manipulation attacks, resulting in a scenario where malware gains elevated permissions on the system. The bugs impact a wide range of antivirus solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, each of which has been fixed by the respective vendor. Chief among the flaws is the ability to delete files from arbitrary locations, allowing the attacker to delete any file in the system, as well as a file corruption vulnerability that permits a bad ac
Researchers Fingerprint Exploit Developers Who Help Several Malware Authors

Researchers Fingerprint Exploit Developers Who Help Several Malware Authors

October 02, 2020Ravie Lakshmanan
Writing advanced malware for a threat actor requires different groups of people with diverse technical expertise to put them all together. But can the code leave enough clues to reveal the person behind it? To this effect, cybersecurity researchers on Friday detailed a new methodology to identify exploit authors that use their unique characteristics as a fingerprint to track down other exploits developed by them. By deploying this technique, the researchers were able to link 16 Windows local privilege escalation (LPE) exploits to two zero-day sellers "Volodya" (previously called "BuggiCorp") and "PlayBit" (or "luxor2008"). "Instead of focusing on an entire malware and hunting for new samples of the malware family or actor, we wanted to offer another perspective and decided to concentrate on these few functions that were written by an exploit developer," Check Point Research's Itay Cohen and Eyal Itkin noted. Fingerprinting an
Beware: New Android Spyware Found Posing as Telegram and Threema Apps

Beware: New Android Spyware Found Posing as Telegram and Threema Apps

October 01, 2020Ravie Lakshmanan
A hacking group known for its attacks in the Middle East, at least since 2017, has recently been found impersonating legitimate messaging apps such as Telegram and Threema to infect Android devices with a new, previously undocumented malware. "Compared to the versions documented in 2017, Android/SpyC23.A has extended spying functionality, including reading notifications from messaging apps, call recording and screen recording, and new stealth features, such as dismissing notifications from built-in Android security apps," cybersecurity firm ESET  said  in a Wednesday analysis. First detailed by Qihoo 360 in 2017 under the moniker  Two-tailed Scorpion (aka APT-C-23 or Desert Scorpion), the mobile malware has been deemed "surveillanceware" for its abilities to spy on the devices of targeted individuals, exfiltrating call logs, contacts, location, messages, photos, and other sensitive documents in the process. In 2018, Symantec discovered a  newer variant  of the
Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware

Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware

August 26, 2020Mohit Kumar
Hackers always find a way in, even if there's no software vulnerability to exploit. The FBI has arrested a Russian national who recently traveled to the United States and offered $1 million in bribe to an employee of a targeted company for his help in installing malware into the company's computer network manually. Egor Igorevich Kriuchkov , 27-year-old, entered the United States as a tourist and was arrested in Los Angeles after meeting with the unnamed employee of an undisclosed Nevada-based company numerous times, between August 1 to August 21, to discuss the conspiracy. "On or about July 16, EGOR IGOREVICH KRIUCHKOV used his WhatsApp account to contact the employee of victim company and arranged to visit in person in the District of Nevada," the court documents say. "On or about July 28, EGOR IGOREVICH KRIUCHKOV entered the United States using his Russian Passport and a B1/B2 tourist visa." Kriuchkov also asked the employee to participate in
US Government Warns of a New Strain of Chinese 'Taidoor' Virus

US Government Warns of a New Strain of Chinese 'Taidoor' Virus

August 04, 2020Ravie Lakshmanan
Intelligence agencies in the US have released information about a new variant of 12-year-old computer virus used by China's state-sponsored hackers targeting governments, corporations, and think tanks. Named " Taidoor, " the malware has done an 'excellent' job of compromising systems as early as 2008 , with the actors deploying it on victim networks for stealthy remote access. "[The] FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) said in a joint advisory . The US Cyber Command has also uploaded four samples of the Taidoor RAT on the public malware repository VirusTotal to let 50+ Antivirus companies check the virus's involvement in other unattributed cam
Over 100 New Chrome Browser Extensions Caught Spying On Users

Over 100 New Chrome Browser Extensions Caught Spying On Users

June 22, 2020Ravie Lakshmanan
Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single internet domain registrar, GalComm. However, it's not immediately clear who is behind the spyware effort. "This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input," Awake Security said. The extensions in question posed as utilities offering capabilities to convert files from one format to the other, among other tools for secure browsing, while relying on thousands of fake reviews to trick unsuspecting users into installing them. Furthermore, the
Hackers Target Military and Aerospace Staff by Posing as HRs Offering Jobs

Hackers Target Military and Aerospace Staff by Posing as HRs Offering Jobs

June 17, 2020Ravie Lakshmanan
Cybersecurity researchers today took the wraps off a new sophisticated cyber-espionage campaign directed against aerospace and military organizations in Europe and the Middle East with an aim to spy on key employees of the targeted firms and, in some case, even to siphon money. The campaign, dubbed " Operation In(ter)ception " because of a reference to "Inception" in the malware sample, took place between September to December 2019, according to a new report cybersecurity firm ESET shared with The Hacker News. "The primary goal of the operation was espionage," the researchers told The Hacker News. "However, in one of the cases we investigated, the attackers tried to monetize access to a victim's email account through a business email compromise (BEC) attack as the final stage of the operation." The financial motivation behind the attacks, coupled with similarities in targeting and development environment, have led ESET to suspect Laz
New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data

New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data

May 26, 2020Ravie Lakshmanan
Cybersecurity researchers today uncovered a new advanced version of ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail's web interface to covertly receive commands and exfiltrate sensitive data. "ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020," cybersecurity firm ESET said in a report shared with The Hacker News. "We identified at least three targets: two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region." Turla , also known as Snake, has been active for over a decade with a long history of the watering hole and spear-phishing campaigns against embassies and military organizations at least since 2004. The group's espionage platform started off as Agent.BTZ , in 2007, before it evolved to ComRAT , in addition to gaining additional capabilities to achieve persistence and to steal data from a local network. It
HTTP Status Codes Command This Malware How to Control Hacked Systems

HTTP Status Codes Command This Malware How to Control Hacked Systems

May 15, 2020Ravie Lakshmanan
A new version of COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. The cyberespionage malware—traced to Turla APT with "medium-to-low level of confidence" based on the history of compromised victims—spread via an initial dropper that masks itself as a visa application, the Global Research and Analysis Team at Kaspersky discovered. The Turla APT , a Russian-based threat group, has a long history of carrying out espionage and watering hole attacks spanning various sectors, including governments, embassies, military, education, research, and pharmaceutical companies. First documented by G-Data in 2014, COMpfun received a significant upgrade last year (called "Reductor") after Kaspersky found that the malware was used to spy on a victim's browser activity by staging man-in-the-middle ( MitM ) attacks on encrypte
This Asia-Pacific Cyber Espionage Campaign Went Undetected for 5 Years

This Asia-Pacific Cyber Espionage Campaign Went Undetected for 5 Years

May 07, 2020Ravie Lakshmanan
An advanced group of Chinese hackers has recently been spotted to be behind a sustained cyber espionage campaign targeting government entities in Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar, and Brunei—which went undetected for at least five years and is still an ongoing threat. The group, named 'Naikon APT,' once known as one of the most active APTs in Asia until 2015, carried out a string of cyberattacks in the Asia-Pacific (APAC) region in search of geopolitical intelligence. According to the latest investigation report Check Point researchers shared with The Hacker News, the Naikon APT group had not gone silent for the last 5 years, as initially suspected; instead, it was using a new backdoor, called " Aria-body ," to operate stealthily. "Given the characteristics of the victims and capabilities presented by the group, it is evident that the group's purpose is to gather intelligence and spy on the countries whose governments it
COVID-Themed Lures Target SCADA Sectors With Data Stealing Malware

COVID-Themed Lures Target SCADA Sectors With Data Stealing Malware

April 20, 2020Ravie Lakshmanan
A new malware campaign has been found using coronavirus-themed lures to strike government and energy sectors in Azerbaijan with remote access trojans (RAT) capable of exfiltrating sensitive documents, keystrokes, passwords, and even images from the webcam. The targeted attacks employ Microsoft Word documents as droppers to deploy a previously unknown Python-based RAT dubbed "PoetRAT" due to various references to sonnets by English playwright William Shakespeare. "The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation," said Cisco Talos in an analysis published last week. According to the researchers, the malware specifically targets supervisory control and data acquisition (SCADA) systems in the energy industry, such as wind turbine systems, whose identities are currently not known. The development is the latest in a surge in cyberattacks exploiting the ongoing coronavirus pandemi
COVID-19: Hackers Begin Exploiting Zoom's Overnight Success to Spread Malware

COVID-19: Hackers Begin Exploiting Zoom's Overnight Success to Spread Malware

March 30, 2020Ravie Lakshmanan
As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and malicious "Zoom" executable files in an attempt to trick people into downloading malware on their devices. According to a report published by Check Point and shared with The Hacker News, over 1,700 new "Zoom" domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone. "We see a sharp rise in the number of 'Zoom' domains being registered, especially in the last week," said Omer Dembinsky, Manager of Cyber Research at Check Point . "The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure,
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.