Malware | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed  Wpeeper , is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. "Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands," researchers from the QiAnXin XLab team  said . The ELF binary is embedded within a repackaged application that purports to be the  UPtodown App Store  app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection. The Chinese cybersecurity firm said it discovered the malware after it detected a  Wpeeper artifact  with zero detection on t

The authors behind the resurfaced  ZLoader  malware have added a feature that was originally present in the Zeus banking trojan that it's based on, indicating that it's being actively developed. "The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection," Zscaler ThreatLabz researcher Santiago Vicente  said  in a technical report. "A similar anti-analysis feature was present in the leaked Zeus 2.X source code, but implemented differently." ZLoader, also called Terdot, DELoader, or Silent Night,  emerged  after a nearly two-year hiatus around September 2023 following its takedown in early 2022. A modular trojan with capabilities to load next-stage payloads, recent versions of the malware have added RSA encryption as well as updates to its domain generation algorithm (DGA). The latest sign of ZLoader's evolution comes in the form of an anti-analysis feature that restricts the binary'

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

Cybersecurity researchers have discovered multiple campaigns targeting  Docker Hub  by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. "Over four million of the repositories in Docker Hub are imageless and have no content except for the repository documentation," JFrog security researcher Andrey Polkovnichenko said in a report shared with The Hacker News. What's more, the documentation has no connection whatsoever to the container. Instead, it's a web page that's designed to lure users into visiting phishing or malware-hosting websites. Of the 4.6 million imageless Docker Hub repositories uncovered, 2.81 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns - Downloader (repositories created in the first half of 2021 and September 2

The U.K. National Cyber Security Centre (NCSC) is calling on manufacturers of smart devices to comply with new legislation that prohibits them from using default passwords, effective April 29, 2024. "The law, known as the  Product Security and Telecommunications Infrastructure act  (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks," the NCSC  said . To that end, manufacturers are required to not supply devices that use guessable default passwords, provide a point of contact to report security issues, and state the duration for which their devices are expected to receive important security updates. Default passwords can not only be easily found online, they also act as a vector for threat actors to log in to devices for follow-on exploitation. That said, a unique default password is permissible under the law. The law, which aims to enforce a set of minimum security standards across the b

Google on Monday revealed that almost 200,000 app submissions to its Play Store for Android were either rejected or remediated to address issues with access to sensitive data such as location or SMS messages over the past year. The tech giant also said it blocked 333,000 bad accounts from the app storefront in 2023 for attempting to distribute malware or for repeated policy violations. "In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes," Google's Steve Kafka, Khawaja Shams, and Mohet Saxena said . "To help safeguard user privacy at scale, we partnered with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over 31 SDKs impacting 790K+ apps." In comparison, Google  fended off 1.43 million bad apps  from being published to the Play Sto

Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the company  said  in an alert published Saturday. The findings build on a  recent advisory  from Cisco, which cautioned of a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos noted at the time, adding targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, Soni

Cybersecurity researchers have discovered a targeted operation against Ukraine that has been found leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems. The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file ("signal-2023-12-20-160512.ppsx") as the starting point, with the filename implying that it may have been shared via the Signal instant messaging app. That having said, there is no actual evidence to indicate that the PPSX file was distributed in this manner, even though the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered  two different campaigns  that have used the  messaging app  as a  malware delivery vector  in the past. Just last week, the agency  disclosed  that Ukrainian armed forces are being increasingly targeted by the UAC-0184 group via messaging and dating platforms to serve malware like  HijackLoader  (aka  GHOSTPULSE  

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name  DEV#POPPER , linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said . "The software contained a malicious Node JS payload that, once executed, compromised the developer's system." Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed  Contagious Interview  in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret through the

Fake browser updates are being used to push a previously undocumented Android malware called  Brokewell . "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric  said  in an analysis published Thursday. The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches. The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows - jcwAz.EpLIq.vcAZiUGZpK (Google Chrome) zRFxj.ieubP.lWZzwlluca (ID Austria) com.brkwl.upstracking (Klarna) Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting  accessibility service permissions . The banking trojan, once installed and launched for the first time, pro

Palo Alto Networks has  shared  remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation. The vulnerability, tracked as  CVE-2024-3400  (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x. There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218. The activity, codenamed  Operation MidnightEclipse , entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that's capable of executing commands transmitted via specially crafted requests. The intrusions have not been linked to a known threat actor or group, but it's suspected to be a state-backed hacking crew given the tradecraft and the victimology observed. The  latest remediation advice  offered by Palo

The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT as part of attacks targeting specific individuals in the Asia region in summer 2023. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server," Avast security researcher Luigino Camastra  said  in a report published last week. The RAT acts as a pathway to deliver the FudModule rootkit, which has been recently observed leveraging a now-patched  admin-to-kernel exploit  in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain a kernel read/write primitive and ultimately disable security mechanisms. The Lazarus Group's use of job offer lures to infiltrate targets is not new. Dubbed Operation Dream Job, the  long-running campaign  has a  track record  of using various social media and

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity  ArcaneDoor , attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement," Talos  said . The intrusions, which were first detected and confirmed in early January 2024, entail the exploitation of  two vulnerabilities  - CVE-2024-20353  (CVSS score: 8.6) - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerabi

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021. This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA), as well as the Iranian nationals Alireza Shafie Nasab, Reza Kazemifar Rahman, Hossein Mohammad Harooni, and Komeil Baradaran Salmani. "These actors targeted more than a dozen U.S. companies and government entities through cyber operations, including spear-phishing and malware attacks," the Treasury Department  said . Concurrent with the sanctions, the U.S. Department of Justice (DoJ)  unsealed  an indictment against the four individuals for orchestrating cyber attacks targeting the U.S. government and private entities. Furthermore, a  reward of up to $10 million  has been an

Cybersecurity researchers have discovered an ongoing attack campaign that's leveraging phishing emails to deliver a malware called SSLoad . The campaign, codenamed  FROZEN#SHADOW  by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. "SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. "Once inside the system, SSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection." Attack chains involve the use of phishing messages to randomly target organizations in Asia, Europe, and the Americas, with emails containing links that lead to the retrieval of a JavaScript file that kicks off the infection flow. Earlier this month, Palo Alto Networks uncovered at least two different method

A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed  Kimsuky , which is also known as Black Banshee, Emerald Sleet, and TA427. "GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast  said . The intricate and elaborate infection chain, at its core, leverages a security shortcoming in the update mechanism of Indian antivirus vendor eScan to

A new ongoing malware campaign has been observed distributing three different stealers, such as  CryptBot ,  LummaC2 , and  Rhadamanthys  hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as  CoralRaider , a suspected Vietnamese-origin group that came to light earlier this month. This assessment is based on "several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider's Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine," the company said. Targets of the campaign span various business verticals across geographies, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria, and Turkey.