
Malware | Breaking Cybersecurity News | The Hacker News

Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group

Sep 08, 2022
Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations. "DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft said. "DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices." The use of BitLocker and DiskCryptor by Iranian actor

New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices

Sep 07, 2022
A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. "An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist," AT&T Alien Labs said in a new report published Tuesday. The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework. Once deployed on a targeted host, the attack chain downloads and executes Metasploit's "Mettle" meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices. The exact method by which the initial compromise is achieved remains unknown as yet, but what makes Shikitega

Code Keepers: Mastering Non-Human Identity Management

Apr 12, 2024 | DevSecOps / Identity Management
Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down.

The challenge

Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities

Sep 07, 2022
A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a Tuesday report. MooBot, first disclosed by Qihoo 360's Netlab team in September 2019, has previously targeted LILIN digital video recorders and Hikvision video surveillance products to expand its network. In the latest wave of attacks discovered by Unit 42 in early August 2022, as many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples. These include -
- CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Re


Researchers Find New Android Spyware Campaign Targeting Uyghur Community

Sep 06, 2022
A previously undocumented strain of Android spyware with extensive information gathering capabilities has been found disguised as a book likely designed to target the Uyghur community in China. The malware comes under the guise of a book titled "The China Freedom Trap," a biography written by the exiled Uyghur leader Dolkun Isa. "In light of the ongoing conflict between the Government of the People's Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community," cybersecurity firm Cyble said in a report published Monday. The existence of the malware samples, which come with the package name "com.emc.pdf," was first disclosed by researchers from the MalwareHunterTeam late last month. Distributed outside of the official Google Play Store, the app, once installed and opened, displays a few pages of the book, includi

QNAP Warns of New DeadBolt Ransomware Attacks Exploiting Photo Station Flaw

Sep 06, 2022
QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of DeadBolt ransomware attacks in the wild by exploiting a zero-day flaw in the software. The Taiwanese company said it detected the attacks on September 3 and that "the campaign appears to target QNAP NAS devices running Photo Station with internet exposure." The issue has been addressed in the following versions -
- QTS 5.0.1: Photo Station 6.1.2 and later
- QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
- QTS 4.3.6: Photo Station 5.7.18 and later
- QTS 4.3.3: Photo Station 5.4.15 and later
- QTS 4.2.6: Photo Station 5.2.14 and later

Details of the flaw have been kept under wraps for now, but the company is advising users to disable port forwarding on the routers, prevent NAS devices from being accessible on the Internet, upgrade NAS firmware, apply strong passwords for user accounts, and take regula

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

Sep 05, 2022
The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT said in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria -
- Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads)
- Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads)

The droppers are designed to drop a new version of SharkBot, dubbed V2 by Dutch security firm ThreatFabric, which features an updated co

The Ultimate Security Blind Spot You Don't Know You Have

Sep 02, 2022
How much time do developers spend actually writing code? According to recent studies, developers spend more time maintaining, testing and securing existing code than they do writing or improving code. Security vulnerabilities have a bad habit of popping up during the software development process, only to surface after an application has been deployed. The disappointing part is that many of these security flaws and bugs could have been resolved in an earlier stage and there are proper methods and tools to uncover them. How much time does a developer spend on learning to write functioning code? And how much is spent on learning about code security? Or learning how not to code? Wouldn't it be better to eradicate the problem from the system rather than having it there, and then trying to detect and stop an ongoing attack targeting it? You can test your secure coding skills with this short self-assessment.

The true cost of bugs

Everyone makes mistakes, even developers.

New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers

Sep 02, 2022
Researchers have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators' connections to the Russia-based Evil Corp group. The findings suggest that "Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks," IBM Security X-Force researcher Kevin Henson said in a Thursday analysis. Raspberry Robin (aka QNAP Worm), first discovered by cybersecurity company Red Canary in September 2021, has remained something of a mystery for nearly a year, partly owing to the noticeable lack of post-exploitation activities in the wild. That changed in July 2022 when Microsoft revealed that it observed the FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections, with potential connections identified between DEV-0206 and DEV-0243 (aka Evil Corp). The malware is known to be delivered from a compromised

Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks

Sep 01, 2022
The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control (C2) infrastructure this month, a development that alludes to an increase in the group's operational tempo. BianLian, written in the Go programming language, was first discovered in mid-July 2022 and has claimed 15 victim organizations as of September 1, cybersecurity firm [redacted] said in a report shared with The Hacker News. It's worth noting that the double extortion ransomware family has no connection to an Android banking trojan of the same name, which targets mobile banking and cryptocurrency apps to siphon sensitive information. Initial access to victim networks is achieved via successful exploitation of the ProxyShell Microsoft Exchange Server flaws, leveraging it to either drop a web shell or an ngrok payload for follow-on activities. "BianLian has also targeted SonicWall VPN devices for exploitation, another common target for ransomware groups,

Chinese Hackers Used ScanBox Framework in Recent Cyber Espionage Attacks

Aug 31, 2022
A months-long cyber espionage campaign undertaken by a Chinese nation-state group targeted several entities with reconnaissance malware so as to glean information about its victims and meet its strategic goals. "The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea," enterprise security firm Proofpoint said in a report published in partnership with PwC. Targets encompass local and federal Australian Governmental agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea. Proofpoint and PwC attributed the intrusions with moderate confidence to a threat actor tracked by the two companies under the names TA423 and Red Ladon respectively, which is also known as APT40 and Leviathan. APT40 is the name designated to a China-based, espionage-motivated threat actor that's known to be active since 2013 and

New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim

Aug 29, 2022
A new ransomware strain written in Golang dubbed "Agenda" has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand. "Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," Trend Micro researchers said in an analysis last week. Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process. Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the 'safe mode' feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user's password and enabl

Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software

Aug 29, 2022
A Turkish-speaking entity called Nitrokod has been attributed to an active cryptocurrency mining campaign that involves impersonating a desktop application for Google Translate to infect over 111,000 victims in 11 countries since 2019. "The malicious tools can be used by anyone," Maya Horowitz, vice president of research at Check Point, said in a statement shared with The Hacker News. "They can be found by a simple web search, downloaded from a link, and installation is a simple double-click." The list of countries with victims includes the U.K., the U.S., Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland. The campaign entails serving malware through free software hosted on popular sites such as Softpedia and Uptodown. But in an interesting tactic, the malware puts off its execution for weeks and separates its malicious activity from the downloaded fake software to avoid detection. The installation of the infected program

Cybercrime Groups Increasingly Adopting Sliver Command-and-Control Framework

Aug 26, 2022
Nation-state threat actors are increasingly adopting and integrating the Sliver command-and-control (C2) framework in their intrusion campaigns as a replacement for Cobalt Strike. "Given Cobalt Strike's popularity as an attack tool, defenses against it have also improved over time," Microsoft security experts said. "Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry." Sliver, first made public in late 2019 by cybersecurity company BishopFox, is a Go-based open source C2 platform that supports user-developed extensions, custom implant generation, and other commandeering options. "A C2 framework usually includes a server that accepts connections from implants on a compromised system, and a client application that allows the C2 operators to interact with the implants and launch malicious commands," Microsoft said. Besides facilitating long-term access to infected hosts, the cross-platform kit is also known

Crypto Miners Using Tox P2P Messenger as Command and Control Server

Aug 24, 2022
Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations. The findings come from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact ("72client") that functions as a bot and can run scripts on the compromised host using the Tox protocol. Tox is a serverless protocol for online communications that offers end-to-end encryption (E2EE) protections by making use of the Networking and Cryptography library (NaCl, pronounced "salt") for encryption and authentication. "The binary found in the wild is a stripped but dynamic executable, making decompilation easier," researchers Siddharth Sharma and Nischay Hedge said. "The entire binary appears to be written in C, and has only statically linked the c-toxcore library." It's worth noting that c-toxcore is a reference implementation of

Hackers Using Fake DDoS Protection Pages to Distribute Malware

Aug 24, 2022
WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer. "A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week. Distributed denial-of-service (DDoS) protection pages are essential browser verification checks designed to deter bot-driven unwanted and malicious traffic from eating up bandwidth and taking down websites. The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file ("security_install.iso") to the victim's systems. This is achieved by injecting three lines of code into a JavaScript file ("jquery.min.js"), or alternatively into the active

XCSSET Malware Updates with Python 3 to Target macOS Monterey Users

Aug 23, 2022
The operators of the XCSSET macOS malware have upped the stakes by making iterative improvements that add support for macOS Monterey by upgrading its source code components to Python 3. "The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022," SentinelOne researchers Phil Stokes and Dinesh Devadoss said in a report. XCSSET, first documented by Trend Micro in 2020, has many moving parts that allow it to harvest sensitive information from Apple Notes, WeChat, Skype, and Telegram; inject malicious JavaScript code into various websites; and dump cookies from Safari web browser. Infection chains entail using a dropper to compromise users' Xcode projects with the backdoor, with the latter also taking steps to evade detection by masquerading as either system software or the Google Chrome web browser application. The primary executable is an

Meet Borat RAT, a New Unique Triple Threat

Aug 22, 2022
Atlanta-based cyber risk intelligence company Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen? RAT malware typically helps cybercriminals gain complete control of a victim's system, permitting them to access network resources, files, and power to toggle the mouse and keyboard. Borat RAT malware goes beyond the standard features and enables threat actors to deploy ransomware and DDoS attacks. It also increases the number of threat actors who can launch attacks, sometimes appealing to the lowest common denominator. The added functionality of carrying out DDoS attacks makes it insidious and a risk to today's digital organizations. Ransomware has been the top attack type for over three years. According to an IBM report, REvil was the most common ransomware strain, accounting for about 37% of all ransomware attacks. Borat RAT is a unique

RTLS Systems Found Vulnerable to MiTM Attacks and Location Tampering

Aug 22, 2022
Researchers have disclosed multiple vulnerabilities impacting Ultra-wideband (UWB) Real-time Locating Systems (RTLS), enabling threat actors to launch adversary-in-the-middle (AitM) attacks and tamper with location data. "The zero-days found specifically pose a security risk for workers in industrial environments," cybersecurity firm Nozomi Networks disclosed in a technical write-up last week. "If a threat actor exploits these vulnerabilities, they have the ability to tamper with safety zones designated by RTLS to protect workers in hazardous areas." RTLS is used to automatically identify and track the location of objects or people in real-time, usually within a confined indoor area. This is achieved by making use of tags that are attached to assets, which broadcast UWB signals to fixed reference points called anchors that then determine their location. But flaws identified in RTLS solutions – Sewio Indoor Tracking RTLS UWB Wi-Fi Kit and Avalue Renity Ar