The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Malware

Beware — A New Wormable Android Malware Spreading Through WhatsApp

Beware — A New Wormable Android Malware Spreading Through WhatsApp

January 24, 2021Ravie Lakshmanan
A newly discovered Android malware has been found to propagate itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign. "This malware spreads via victim's WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app," ESET researcher Lukas Stefanko said. The link to the fake Huawei Mobile app, upon clicking, redirects users to a lookalike Google Play Store website. Once installed, the wormable app prompts victims to grant it notification access, which is then abused to carry out the wormable attack. Specifically, it leverages WhatApp's quick reply feature — which is used to respond to incoming messages directly from the notifications — to send out a reply to a received message automatically. Besides requesting permissions to read notifications, the app also requests intrusive access to run in the background as well as to draw over other apps,
Here's How SolarWinds Hackers Stayed Undetected for Long Enough

Here's How SolarWinds Hackers Stayed Undetected for Long Enough

January 21, 2021Ravie Lakshmanan
Microsoft on Wednesday shared more specifics about the tactics, techniques, and procedures (TTPs) adopted by the attackers behind the SolarWinds hack to stay under the radar and avoid detection, as cybersecurity companies work towards getting a "clearer picture" of one of the most sophisticated attacks in recent history. Calling the threat actor "skillful and methodic operators who follow operations security (OpSec) best practices," the company said the attackers went out of their way to ensure that the initial backdoor ( Sunburst  aka Solorigate) and the post-compromise implants ( Teardrop  and  Raindrop ) are separated as much as possible so as to hinder efforts to spot their malicious activity. "The attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence," researchers from Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)
Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack

Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack

January 19, 2021Ravie Lakshmanan
Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims' networks—which was deployed as part of the  SolarWinds supply chain attack  disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as  Sunspot , Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks. The latest finding comes amid a continued probe into the breach, suspected to be of  Russian origin , that has claimed a number of U.S. government agencies and private sector companies. "The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers," Symantec researchers  said . The cybersecurity firm said it discovered only four samples of Raindrop to date that were used to d
FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

January 19, 2021Ravie Lakshmanan
An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an  IRC botnet  for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency. The attacks deploy a new  malware variant called " FreakOut " by leveraging critical flaws fixed in Laminas Project (formerly Zend Framework) and Liferay Portal as well as an unpatched security weakness in TerraMaster, according to Check Point Research's new analysis published today and shared with The Hacker News. Attributing the malware to be the work of a long-time cybercrime hacker — who goes by the aliases Fl0urite and Freak on HackForums and Pastebin at least since 2015 — the researchers said the flaws —  CVE-2020-28188 ,  CVE-2021-3007 , and  CVE-2020-7961  — were weaponized to inject and execute malicious commands in the server. Regardless of the vulnerabilities exploit
Apple Removes macOS Feature That Allowed Apps to Bypass Firewall Security

Apple Removes macOS Feature That Allowed Apps to Bypass Firewall Security

January 17, 2021Ravie Lakshmanan
Apple has removed a controversial feature from its macOS operating system that allowed the company's own first-party apps to bypass content filters, VPNs, and third-party firewalls. Called " ContentFilterExclusionList ," it included a list of as many as 50 Apple apps like iCloud, Maps, Music, FaceTime, HomeKit, the App Store, and its software update service that were routed through Network Extension Framework, effectively circumventing firewall protections. This exclusion list has been scrubbed now from macOS 11.2 beta 2. The issue first came to light last October following the release of macOS Big Sur, prompting concerns from security researchers who said the feature was ripe for abuse, adding it could be leveraged by an attacker to exfiltrate sensitive data by piggybacking it on to legitimate Apple apps included on the list and then bypass firewalls and security software. "After lots of bad press and lots of feedback/bug reports to Apple from developers such
Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks

Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks

January 15, 2021Ravie Lakshmanan
Cybersecurity researchers have  disclosed  a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor. Attributing the campaign to  Winnti  (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents that purported to be a curriculum vitae and an IELTS certificate. The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers that are used to fetch the final-stage malware that, in turn, includes a shellcode loader ("svchast.exe") and a backdoor called  Crosswalk  ("3t54dE3r.tmp"). Crosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carrying out s
Experts Uncover Malware Attacks Against Colombian Government and Companies

Experts Uncover Malware Attacks Against Colombian Government and Companies

January 14, 2021Ravie Lakshmanan
Cybersecurity researchers took the wraps off an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries. In a report published by ESET on Tuesday, the Slovak internet security company said the attacks — dubbed " Operation Spalax " — began in 2020, with the modus operandi sharing some similarities to an APT group targeting the country since at least April 2018, but also different in other ways. The overlaps come in the form of phishing emails, which have similar topics and pretend to come from some of the same entities that were used in a February 2019 operation disclosed by  QiAnXin researchers , and subdomain names used for command-and-control (C2) servers. However, the two campaigns diverge in the attachments used for phishing emails, the remote access trojans (RATs) deployed, and the C2 infrastructure employed to fetch the malware dropped. The attack chain begins with the target
Intel Adds Hardware-Enabled Ransomware Detection to 11th Gen vPro Chips

Intel Adds Hardware-Enabled Ransomware Detection to 11th Gen vPro Chips

January 13, 2021Ravie Lakshmanan
Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker's newly announced 11th generation Core  vPro  business-class processors. The hardware-based security enhancements are baked into Intel's vPro platform via its  Hardware Shield  and  Threat Detection Technology  (TDT), enabling profiling and detection of ransomware and other threats that have an impact on the CPU performance. "The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks," Cybereason  said . Exclusive to vPro, Intel Hardware Shield provides protections against firmware-level attacks targeting the  BIOS , thereby ensuring that the operating system (OS) runs on legitimate hardware as well as minimizing the risk of malicious code injection by locking down memory in the BIOS when the software is running to help prevent planted malware from compromising the OS
Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan

Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan

January 12, 2021Ravie Lakshmanan
Cybersecurity researchers took the wraps off a new spyware operation targeting users in Pakistan that leverages trojanized versions of legitimate Android apps to carry out covert surveillance and espionage. Designed to masquerade apps such as the Pakistan Citizen Porta l, a Muslim prayer-clock app called Pakistan Salat Time , Mobile Packages Pakistan , Registered SIMs Checker , and TPL Insurance , the malicious variants have been found to obfuscate their operations to stealthily download a payload in the form of an Android Dalvik executable (DEX) file. "The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user's contact list and the full contents of SMS messages," Sophos threat researchers Pankaj Kohli and Andrew Brandt said. "The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe." Interestingly, t
Experts Sound Alarm On New Android Malware Sold On Hacking Forums

Experts Sound Alarm On New Android Malware Sold On Hacking Forums

January 12, 2021Ravie Lakshmanan
Cybersecurity researchers have exposed the operations of an Android malware vendor who teamed up with a second threat actor to market and sell a remote access Trojan (RAT) capable of device takeover and exfiltration of photos, locations, contacts, and messages from popular apps such as Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line, and Google Messages. The vendor, who goes by the name of " Triangulum " in a number of darknet forums, is alleged to be a 25-year-old man of Indian origin, with the individual opening up shop to sell the malware three years ago on June 10, 2017, according to an analysis published by Check Point Research today. "The product was a mobile RAT, targeting Android devices and capable of exfiltration of sensitive data from a C&C server, destroying local data – even deleting the entire OS, at times," the researchers said. An Active Underground Market for Mobile Malware Piecing together Triangulum's trail of activities, t
Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor

Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor

January 11, 2021Ravie Lakshmanan
As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform. Called " Sunspot ," the malignant tool adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop. "This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna  explained . While  preliminary evidence  found that operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, the latest findings reveal a new timeline that establishes the first brea
ALERT: North Korean hackers targeting South Korea with RokRat Trojan

ALERT: North Korean hackers targeting South Korea with RokRat Trojan

January 08, 2021Ravie Lakshmanan
A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government. Attributing the attack to  APT37  (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT). "The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers  noted  in a Wednesday analysis. Believed to be active at least since 2012, the  Reaper APT  is known for its focus on public and private entities primarily in South Korea, such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare entities. Since then, their victimology has expanded beyond the Korean peninsula to include Ja
Hackers Using Fake Trump's Scandal Video to Spread QNode Malware

Hackers Using Fake Trump's Scandal Video to Spread QNode Malware

January 06, 2021Ravie Lakshmanan
Cybesecurity researchers today revealed a new malspam campaign that distributes a remote access Trojan (RAT) by purporting to contain a sex scandal video of U.S. President Donald Trump. The emails, which carry with the subject line "GOOD LOAN OFFER!!," come attached with a Java archive (JAR) file called "TRUMP_SEX_SCANDAL_VIDEO.jar," which, when downloaded, installs Qua or Quaverse RAT ( QRAT ) onto the infiltrated system. "We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email's theme," Trustwave's Senior Security Researcher Diana Lopera said in a write-up published today. The latest campaign is a variant of the Windows-based QRAT downloader Trustwave researchers  discovered  in August. The infection chain starts with a spam message containing an embedded attachment or a link pointing to a m
Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

January 05, 2021Ravie Lakshmanan
Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems. Called ElectroRAT by Intezer, the RAT is written from ground-up in Golang and designed to target multiple operating systems such as Windows, Linux, and macOS.  The apps are developed using the open-source Electron cross-platform desktop app framework. "ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines," the researchers said . "It is common to see various information stealers trying to collect private keys to access victims wallets. However, it is rare to see tools written from scratch and targeting multiple operating systems for these purposes." The campaign, first detected in December, is believed to have claimed over 6,500 victims based on th
Ticketmaster To Pay $10 Million Fine For Hacking A Rival Company

Ticketmaster To Pay $10 Million Fine For Hacking A Rival Company

January 02, 2021Ravie Lakshmanan
Ticketmaster has agreed to pay a $10 million fine after being charged with illegally accessing computer systems of a competitor repeatedly between 2013 and 2015 in an attempt to "cut [the company] off at the knees." A subsidiary of Live Nation, the California-based ticket sales and distribution company used the stolen information to gain an advantage over CrowdSurge — which merged with Songkick in 2015 and later acquired by Warner Music Group (WMG) in 2017 — by hiring a former employee to break into its tools and gain insight into the firm's operations. "Ticketmaster employees repeatedly – and illegally – accessed a competitor's computers without authorization using stolen passwords to unlawfully collect business intelligence,"  said  Acting U.S. Attorney Seth DuCharme. "Further, Ticketmaster's employees brazenly held a division-wide 'summit' at which the stolen passwords were used to access the victim company's computers, as if th
Microsoft Says SolarWinds Hackers Accessed Some of Its Source Code

Microsoft Says SolarWinds Hackers Accessed Some of Its Source Code

December 31, 2020Ravie Lakshmanan
Microsoft on Thursday revealed that the threat actors behind the SolarWinds supply chain attack were able to gain access to a small number of internal accounts and escalate access inside its internal network. The "very sophisticated nation-state actor" used the unauthorized access to view, but not modify, the source code present in its repositories, the company said. "We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," the Windows maker  disclosed  in an update. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated." The development is the latest in the far-reaching  espionage saga  that came to light earlier in December following revelations by cybersecurity firm FireEye that attac
AutoHotkey-Based Password Stealer Targeting  US, Canadian Banking Users

AutoHotkey-Based Password Stealer Targeting US, Canadian Banking Users

December 29, 2020Ravie Lakshmanan
Threat actors have been discovered distributing a new credential stealer written in AutoHotkey (AHK) scripting language as part of an ongoing campaign that started early 2020. Customers of financial institutions in the US and Canada are among the primary targets for credential exfiltration, with a specific focus on banks such as Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Also included in the list is an Indian banking firm ICICI Bank. AutoHotkey  is an open-source custom scripting language for Microsoft Windows aimed at providing easy hotkeys for macro-creation and software automation that allows users to automate repetitive tasks in any Windows application. The multi-stage infection chain commences with a malware-laced Excel file that's embedded with a Visual Basic for Applications (VBA)  AutoOpen  macro, which is subsequently used to drop and execute the downloader client script ("adb.ahk") via a legitimate portable AHK
A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware

A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware

December 26, 2020Ravie Lakshmanan
An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries as a zero-day to deploy the SUPERNOVA malware in target environments. According to an  advisory  published yesterday by the CERT Coordination Center, the SolarWinds Orion API that's used to interface with all other Orion system monitoring and management products suffers from a security flaw (CVE-2020-10148) that could allow a remote attacker to execute unauthenticated API commands, thus resulting in a compromise of the SolarWinds instance. "The authentication of the API can be bypassed by including specific parameters in the  Request.PathInfo  portion of a URI request to the API, which could allow an attacker to execute unauthenticated API commands," the advisory states. "In particular, if an attacker appends a PathInfo parameter of 'WebResource.adx,' 'ScriptResource.adx,' 'i18n.ashx,' or 'Skipi18n' to a request to a Solar
Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers

Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers

December 25, 2020Ravie Lakshmanan
New evidence amidst the ongoing probe into the  espionage campaign  targeting SolarWinds has uncovered an unsuccessful attempt to compromise cybersecurity firm Crowdstrike and access the company's email. The hacking endeavor was reported to the company by Microsoft's Threat Intelligence Center on December 15, which identified a third-party reseller's Microsoft Azure account to be making "abnormal calls" to Microsoft cloud APIs during a 17-hour period several months ago. The undisclosed affected reseller's Azure account handles Microsoft Office licensing for its Azure customers, including CrowdStrike. Although there was an attempt by unidentified threat actors to read the emails, it was ultimately foiled as the firm does not use Microsoft's Office 365 email service, CrowdStrike  said . The incident comes in the wake of the  supply chain attack  of SolarWinds revealed earlier this month, resulting in the deployment of a covert backdoor (aka "Sunbu
North Korean Hackers Trying to Steal COVID-19 Vaccine Research

North Korean Hackers Trying to Steal COVID-19 Vaccine Research

December 23, 2020Ravie Lakshmanan
Threat actors such as the notorious Lazarus group are continuing to tap into the ongoing COVID-19 vaccine research to steal sensitive information to speed up their countries' vaccine-development efforts. Cybersecurity firm Kaspersky  detailed  two incidents at a pharmaceutical company and a government ministry in September and October leveraging different tools and techniques but exhibiting similarities in the post-exploitation process, leading the researchers to connect the two attacks to the North Korean government-linked hackers. "These two incidents reveal the Lazarus group's interest in intelligence related to COVID-19," Seongsu Park, a senior security researcher at Kaspersky, said. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well." Kaspersky did not name the targeted entities but said the pharmaceutical firm was breached on September 25, 2020, with the attack again
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.