Malware | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix -like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. This new escalation of ClickFix has been codenamed CrashFix by Huntress. KongTuke , also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, is the name given to a traffic distribution system (TDS) known for profiling victim hosts before redirecting them to a payload delivery site that infects their systems. Access to these compromised hosts is then handed off to other threat actors, including ransomware groups, for follow-on malware delivery. Some of the cybercriminal groups that have leveraged TAG-124 infrastructure include Rhysida ransomware , Interlock ransomware , and TA866 (aka Asylum Ambuscade), with the threat ...

Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations. "By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will surprise no one – steal cookies from the very infrastructure designed to steal them," CyberArk researcher Ari Novick said in a report published last week. StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model, allowing potential customers to leverage YouTube as a primary mechanism – a phenomenon called the YouTube Ghost Network – to distribute the malicious program by disguising it as cracks for popular software. Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and a soc...

Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. In addition, the group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists, authorities noted. "According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware," the Cyber Police of Ukraine said in a statement.  The agency said the accused individuals functioned as "hash crackers," who specialize in extracting passwords from information systems using specialized software. Once the credential information was obtained, members of the ransomware group broke into corporate networks and ultimately deployed ransomware and extorted money to recover the e...

The JavaScript (aka JScript) malware loader called GootLoader has been observed using a malformed ZIP archive that's designed to sidestep detection efforts by concatenating anywhere from 500 to 1,000 archives. "The actor creates a malformed archive as an anti-analysis technique," Expel security researcher Aaron Walton said in a report shared with The Hacker News. "That is, many unarchiving tools are not able to consistently extract it, but one critical unarchiving tool seems to work consistently and reliably: the default tool built into Windows systems." This leads to a scenario where the archive cannot be processed by tools like WinRAR or 7-Zip, and, therefore, prevents many automated workflows from analyzing the contents of the file. At the same time, it can be opened by the default Windows unarchiver, thereby ensuring that victims who fall victim to the social engineering scheme can extract and run the JavaScript malware. GootLoader is typically distrib...

Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. "The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking," Socket security researcher Kush Pandya said in a Thursday report. The names of the extensions are listed below - DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph, Published by: databycloud1104) - 251 Installs Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf, Published by: databycloud1104) - 101 Installs DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam, Published by: databycloud1104) - 1,000 Installs DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg, Published by: databycloud1104) - 1,000 Installs Software Access (ID: bmodapc...