The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: Malware

Several Popular Beauty Camera Apps Caught Stealing Users' Photos

Several Popular Beauty Camera Apps Caught Stealing Users' Photos

February 04, 2019Swati Khandelwal
Just because an app is available on Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers. Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make its way onto Google Play Store and have been downloaded more than 4 million times before Google removed them from its app store. The mobile apps in question disguised as photo editing and beauty apps purporting to use your mobile phone's camera to take better pictures or beautify the snaps you shoot, but were found including code that performs malicious activities on their users' smartphone. Three of the rogue apps—Pro Camera Beauty, Cartoon Art Photo and Emoji Camera—have been downloaded more than a million times each, with Artistic Effect Filter being installed over 500,000 times and another seven apps in the list over 100
New Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets

New Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets

February 01, 2019Mohit Kumar
Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts. Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on DarthMiner, another Mac malware that was detected in December last year. Uncovered by Palo Alto Networks' Unit 42 security research team, CookieMiner also covertly installs coin mining software onto the infected Mac machines to secretly mine for additional cryptocurrency by consuming the targeted Mac's system resources. In the case of CookieMiner, the software is apparently geared toward mining "Koto," a lesser-known, privacy-oriented cryptocurrency which is mostly used in Japan. However, the most interesting capabilities of the new Mac malware is to steal: Both Google Chro
FBI Mapping 'Joanap Malware' Victims to Disrupt the North Korean Botnet

FBI Mapping 'Joanap Malware' Victims to Disrupt the North Korean Botnet

January 31, 2019Swati Khandelwal
The United States Department of Justice (DoJ) announced Wednesday its effort to "map and further disrupt" a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade. Dubbed Joanap , the botnet is believed to be part of " Hidden Cobra "—an Advanced Persistent Threat (APT) actors' group often known as Lazarus Group and Guardians of Peace and backed by the North Korean government. Hidden Cobra is the same hacking group that has been allegedly associated with the WannaCry ransomware menace in 2016, the SWIFT Banking attack in 2016, as well as Sony Motion Pictures hack in 2014. Dates back to 2009, Joanap is a remote access tool (RAT) that lands on a victim's system with the help an SMB worm called Brambul , which crawls from one computer to another by brute-forcing Windows Server Message Block (SMB) file-sharing services using a list of common passwords. Once there, Brambul downloads Jo
GandCrab ransomware and Ursnif virus spreading via MS Word macros

GandCrab ransomware and Ursnif virus spreading via MS Word macros

January 25, 2019Swati Khandelwal
Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from phishing emails containing an attached Microsoft Word document embedded with malicious macros and then uses Powershell to deliver fileless malware. Ursnif is a data-stealing malware that typically steals sensitive information from compromised computers with an ability to harvest banking credentials, browsing activities, collect keystrokes, system and process information, and deploy additional backdoors. Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware in the market, encrypts files on an infected system and insists victims to pay a ransom
New malware found using Google Drive as its command-and-control server

New malware found using Google Drive as its command-and-control server

January 21, 2019Mohit Kumar
Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities. Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (C2) server. DarkHydrus first came to light in August last year when the APT group was leveraging the open-source Phishery tool to carry out credential-harvesting campaign against government entities and educational institutions in the Middle East. The latest malicious campaign conducted by the DarkHydrus APT group was also observed against targets in the Middle East, according to reports published by the 360 Threat Intelligence Center ( 360TIC ) and Palo Alto Networks. This time the advanced threat attackers are using a new variant of their backdoor Trojan, called RogueRobin , which i
Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

January 17, 2019Swati Khandelwal
Ukrainian Police have this week busted out two separate groups of hackers involved in carrying out DDoS attacks against news agencies and stealing money from Ukrainian citizens, respectively. According to the authorities, the four suspected hackers they arrested last week , all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers. The suspects carried out their attacks by scanning vulnerable computers on the Internet and infecting them with a custom Trojan malware to take full remote control of the systems. The group then apparently enabled key-logging on the infected computers in an attempt to capture banking credentials of victims when the owners of those infected computers fill in that information on any banking site or their digital currency wallet. Once getting a hold on the victims banking and financial data, the attackers logged into their online banking accounts
New Malware Takes Commands From Memes Posted On Twitter

New Malware Takes Commands From Memes Posted On Twitter

December 18, 2018Wang Wei
Security researchers have discovered yet another example of how cybercriminals disguise their malware activities as regular traffic by using legitimate cloud-based services. Trend Micro researchers have uncovered a new piece of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers. Most malware relies on communication with their command-and-control server to receive instructions from attackers and perform various tasks on infected computers. Since security tools keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly using legitimate websites and servers as infrastructure in their attacks to make the malicious software more difficult to detect. In the recently spotted malicious scheme, which according to the researchers is in its early stage, the hackers uses Steganography —a technique of hiding contents within a digital graphic image in such a way that's invisible to an observer—to hid
New Shamoon Malware Variant Targets Italian Oil and Gas Company

New Shamoon Malware Variant Targets Italian Oil and Gas Company

December 14, 2018Swati Khandelwal
Shamoon is back… one of the most destructive malware families that caused damage to Saudi Arabia's largest oil producer in 2012 and this time it has targeted energy sector organizations primarily operating in the Middle East. Earlier this week, Italian oil drilling company Saipem was attacked and sensitive files on about 10 percent of its servers were destroyed, mainly in the Middle East, including Saudi Arabia, the United Arab Emirates and Kuwait, but also in India and Scotland. Saipem admitted Wednesday that the computer virus used in the latest cyber attack against its servers is a variant Shamoon—a disk wiping malware that was used in the most damaging cyber attacks in history against Saudi Aramco and RasGas Co Ltd and destroyed data on more than 30,000 systems. The cyber attack against Saudi Aramco, who is the biggest customer of Saipem, was attributed to Iran, but it is unclear who is behind the latest cyber attacks against Saipem. Meanwhile, Chronicle, Google'
New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

December 06, 2018Swati Khandelwal
Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that hackers are actively exploiting in the wild as part of a targeted campaign appears to be attacking a Russian state health care institution. The vulnerability, tracked as CVE-2018-15982 , is a use-after-free flaw resides in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer and eventually gain full control over the system. The newly discovered Flash Player zero-day exploit was spotted last week by researchers inside malicious Microsoft Office documents, which were submitted to online multi-engine malware scanning service VirusTotal from a Ukrainian IP address. The maliciously crafted Microsoft Office documents contain an embedded Flash Active X control in its header that renders when the targeted user opens it, causing exploitation of the reported Flash player vulnerability. According to cybersecurity researchers, neit
New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

December 04, 2018Swati Khandelwal
A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack... and the number of infected users is continuously increasing every hour. What's Interesting? Unlike almost every ransomware malware, the new virus doesn't demand ransom payments in Bitcoin. Instead, the attacker is asking victims to pay 110 yuan (nearly USD 16) in ransom through WeChat Pay—the payment feature offered by China's most popular messaging app. Ransomware + Password Stealer — Unlike WannaCry and NotPetya ransomware outbreaks that caused worldwide chaos last year, the new Chinese ransomware has been targeting only Chinese users. It also includes an additional ability to steal users' account passwords for Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ websites. A Supply Chain Attack — According to Chinese cybers
U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

November 28, 2018Mohit Kumar
The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware. The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed. The duo used SamSam ransomware to extort over $6 million in ransom payments since 2015, and also caused more than $30 million in damages to over 200 victims, including hospitals , municipalities, and public institutions. According to the indictment, Savandi and Mansouri have been charged with a total of six counts, including one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer, and two counts of transmitting a demand in relation to damaging a protected computer. Si
Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

November 27, 2018Mohit Kumar
A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is "Event-Stream," a toolkit that makes it easy for developers to create and work with streams, a collection of data in Node.js — just like arrays or strings. The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository , and had since been downloaded by nearly 8 million application programmers. Event-Stream module for Node.js was originally created by Dominic Tarr, who maintained the Event-Stream library for a long time, but handed over the development and maintenance of the project several months ago to an unknown programmer, called "right9ctrl." Apparently, right9ctrl gained Dominic's trust by making
3 New Code Execution Flaws Discovered in Atlantis Word Processor

3 New Code Execution Flaws Discovered in Atlantis Word Processor

November 20, 2018Mohit Kumar
This is why you should always think twice before opening innocent looking email attachments, especially word and pdf files. Cybersecurity researchers at Cisco Talos have once again discovered multiple critical security vulnerabilities in the Atlantis Word Processor that allow remote attackers to execute arbitrary code and take over affected computers. An alternative to Microsoft Word, Atlantis Word Processor is a fast-loading word processor application that allows users to create, read and edit word documents effortlessly. It can also be used to convert TXT, RTF, ODT, DOC, WRI, or DOCX documents to ePub. Just 50 days after disclosing 8 code execution vulnerabilities in previous versions of Atlantis Word Processor, Talos team today revealed details and proof-of-concept exploits for 3 more remote code execution vulnerabilities in the application. All the three vulnerabilities, listed below, allow attackers to corrupt the application's memory and execute arbitrary code und
Apple's New MacBook Disconnects Microphone "Physically" When Lid is Closed

Apple's New MacBook Disconnects Microphone "Physically" When Lid is Closed

October 31, 2018Mohit Kumar
Apple introduces a new privacy feature for all new MacBooks that "at some extent" will prevent hackers and malicious applications from eavesdropping on your conversations. Apple's custom T2 security chip in the latest MacBooks includes a new hardware feature that physically disconnects the MacBook's built-in microphone whenever the user closes the lid, the company revealed yesterday at its event at the Brooklyn Academy of Music in New York. Though the new T2 chip is already present in the 2018 MacBook Pro models launched earlier this year, this new feature got unveiled when Apple launched the new Retina MacBook Air and published a full security guide for T2 Chip yesterday. "This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed," Apple explained in the guide [ PDF ]. The tech giant furt
FireEye: Russian Research Lab Aided the Development of TRITON Industrial Malware

FireEye: Russian Research Lab Aided the Development of TRITON Industrial Malware

October 24, 2018Swati Khandelwal
Cybersecurity firm FireEye claims to have discovered evidence that proves the involvement of a Russian-owned research institute in the development of the TRITON malware that caused some industrial systems to unexpectedly shut down last year, including a petrochemical plant in Saudi Arabia. TRITON , also known as Trisis, is a piece of ICS malware designed to target the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric which are often used in oil and gas facilities. Triconex Safety Instrumented System is an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically if a dangerous state is detected. Since malware of such capabilities can't be created by a computer hacker without possessing necessary knowledge of Industrial Control Systems (ICS), researchers believe with "high confidence" that Moscow-based lab Central Scientific Research Institute of Chemistry and
GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers

GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers

October 01, 2018Swati Khandelwal
Chinese cybersecurity researchers have uncovered a widespread, ongoing malware campaign that has already hijacked over 100,000 home routers and modified their DNS settings to hack users with malicious web pages—especially if they visit banking sites—and steal their login credentials. Dubbed GhostDNS , the campaign has many similarities with the infamous DNSChanger malware that works by changing DNS server settings on an infected device, allowing attackers to route the users' internet traffic through malicious servers and steal sensitive data. According to a new report from cybersecurity firm Qihoo 360's NetLab, just like the regular DNSChanger campaign, GhostDNS scans for the IP addresses for routers that use weak or no password at all, accesses the routers' settings, and then changes the router's default DNS address to the one controlled by the attackers. GhostDNS System: List of Modules and Sub-Modules The GhostDNS system mainly includes four modules:
Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

September 27, 2018Swati Khandelwal
Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe. Dubbed LoJax , the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear , Strontium , and Sofacy , to target several government organizations in the Balkans as well as in Central and Eastern Europe. Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election . UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a
Operator of VirusTotal Like Malware-Scanning Service Jailed for 14 Years

Operator of VirusTotal Like Malware-Scanning Service Jailed for 14 Years

September 22, 2018Mohit Kumar
A Latvian hacker behind the development and operation of counter antivirus service "Scan4You" has finally been sentenced to 14 years in prison. 37-year-old Ruslans Bondars, described as a Latvian "non-citizen" or "citizen of the former USSR who had been residing in Riga, Latvia," was found guilty on May 16 in federal court in Alexandria, during which a co-conspirator revealed he had worked with Russian law enforcement. Bondars created and ran Scan4you—a VirusTotal like online multi-engine antivirus scanning service that allowed hackers to run their code by several popular antiviruses to determine if their computer virus or malware would be flagged during routine security scans before launching them into a real-world malware campaign. While legal scanning services share data about uploaded files with the antivirus firms, Scan4you instead informed its users that they could "upload files anonymously and promised not to share information about the
Mirai Botnet Creators Helping FBI Fight Cybercrime to Stay Out of Jail

Mirai Botnet Creators Helping FBI Fight Cybercrime to Stay Out of Jail

September 19, 2018Mohit Kumar
Three young hackers who were sentenced late last year for creating and spreading the notorious Mirai botnet are now helping the FBI to investigate other "complex" cybercrime cases in return to avoid their lengthy prison terms. Paras Jha, 21 from New Jersey, Josiah White, 20 from Washington, and Dalton Norman, 21 from Louisiana, plead guilty in December 2017 to multiple charges for their role in creating and hijacking hundreds of thousands IoT devices to make them part of a notorious botnet network dubbed Mirai . Mirai malware scanned for insecure routers, cameras, DVRs, and other Internet of Things (IoT) devices which were using their default passwords and then made them part of a botnet network . The trio developed the Mirai botnet to attack rival Minecraft video gaming hosts, but after realizing that their invention was powerful enough to launch record-breaking DDoS attacks against targets like OVH hosting website, they released the source code of Mirai . The
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.