Malware | Breaking Cybersecurity News | The Hacker News

Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyber attack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies. "With maliciously implanted code, the altered APK led to the leak of user's private keys and enabled the hacker to move funds," BitKeep CEO Kevin Como  said , describing it as a "large-scale hacking incident." According to blockchain security company  PeckShield  and multi-chain blockchain explorer  OKLink , an estimated  $9.9 million  worth of assets have been plundered so far. "Funds stolen are on BNB Chain, Ethereum, TRON and Polygon," BitKeep further  noted  in a series of tweets. "More than 200 addresses on the other three chains were used in the heist, and all funds were transferred to two main addresses in the end." The incident is said to have taken place on December 26, 2022, with the threat actor exploiting

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months. Now according to Cisco Talos , advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector. Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code. These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background. To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector. While this

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called  GuLoader  to evade security software. "New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri  said  in a technical write-up published last week. GuLoader, also called  CloudEyE , is a Visual Basic Script (VBS) downloader that's used to distribute remote access trojans such as Remcos on infected machines. It was first detected in the wild in 2019. In November 2021, a JavaScript malware strain dubbed RATDispenser  emerged  as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper. Recent GuLoader samples unearthed by CrowdStrike have been found to exhibit a three-stage process wherein the VBScript is designed to deliver a next-stage that performs anti-a

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the  Cymulate security posture management platform  between January 1st and December 1st, 2022. Manjusaka Date published: August 2022 Reminiscent of Cobalt Strike and Sliver framework (both commercially produced and designed for red teams but misappropriated and misused by threat actors), this emerging attack framework holds the potential to be widely used by malicious actors. Written in Rust and Golang with a User Interface in Simple Chinese (see the workflow diagram below), this software is of Chinese origin. Manjusaka carries Windows and Linux implants in Rust and makes a ready-made C2 server freely available, with the possibility of creating custom implants.

The pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a previously documented information-stealing malware dubbed  RisePro . Flashpoint spotted the newly identified stealer on December 13, 2022, after it discovered "several sets of logs" exfiltrated using the malware on an illicit cybercrime marketplace called Russian Market. A C++-based malware, RisePro is said to share similarities with another info-stealing malware referred to as Vidar stealer, itself a fork of a stealer codenamed  Arkei  that emerged in 2018. "The appearance of the stealer as a payload for a pay-per-install service may indicate a threat actor's confidence in the stealer's abilities," the threat intelligence company  noted  in a write-up last week. Cybersecurity firm SEKOIA, which  released  its own analysis of RisePro , further identified partial source code overlaps with PrivateLoader. This encompasses the string scrambling mecha

Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of  W4SP Stealer . W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It's created and published by an actor who goes by the aliases BillyV3, BillyTheGoat, and billythegoat356. "For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name," the researchers  said  in a report published earlier this week. The 16 rogue modules are as follows: modulesecurity, inform

The Vice Society ransomware actors have switched to yet another custom ransomware payload in their recent attacks aimed at a variety of sectors. "This ransomware variant, dubbed ' PolyVice ,' implements a robust encryption scheme, using  NTRUEncrypt  and  ChaCha20-Poly1305  algorithms," SentinelOne researcher Antonio Cocomazzi  said  in an analysis. Vice Society , which is tracked by Microsoft under the moniker DEV-0832, is an intrusion, exfiltration, and extortion hacking group that first appeared on the threat landscape in May 2021. Unlike other ransomware gangs, the cybercrime actor does not use file-encrypting malware developed in-house. Instead, it's known to deploy third-party lockers such as Hello Kitty, Zeppelin, and RedAlert ransomware in their attacks. Per SentinelOne, indications are that the threat actor behind the custom-branded ransomware is also selling similar payloads to other hacking crews based on PolyVice's extensive similarities to ra

An exhaustive analysis of  FIN7  has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks. It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware  DarkSide ,  REvil , and  LockBit  families. The highly active threat group, also known as Carbanak, is  known  for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons," including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing. More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K. FIN7's intrusion techniques, over the years, have furth

The  Zerobot  DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot,  first documented  by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras. "The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark ( CVE-2021-42013  and  CVE-2022-33891  respectively), and new DDoS attack capabilities," Microsoft researchers  said . Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised for sale on various social media networks.

The  Raspberry Robin  worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since at least September 2022. "The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools," Trend Micro researcher Christopher So  said  in a technical analysis published Tuesday. A majority of the infections have been detected in Argentina, followed by Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia. Raspberry Robin, attributed to an activity cluster tracked by Microsoft as  DEV-0856 , is being increasingly  leveraged by multiple threat actors  as an initial access mechanism to deliver payloads such as  LockBit  and  Clop  ransomware. The malware is known for relying on infected USB drives as a distribution vector to download a rogue MSI installer file that deploys the main payload

An Android banking trojan known as  GodFather  is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, Canada, and Canada, among others, Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. The malware, like  many   financial   trojans  targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications. First detected by Group-IB in June 2021 and  publicly disclosed  by ThreatFabric in March 2022, GodFather also packs in native backdoor features that allows it to abuse Android's Accessibility APIs to record videos, log keystrokes, capture screenshots, and harvest SMS and call logs. Group-IB's analysis of the malware has revealed it to be a successor of  Anubis

Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access ( OWA ). "The new exploit method bypasses  URL rewrite mitigations  for the  Autodiscover endpoint ," CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio  said  in a technical write-up published Tuesday. Play ransomware, which first surfaced in June 2022, has been  revealed  to adopt many tactics employed by other ransomware families such as  Hive  and  Nokoyawa , the latter of which  upgraded to Rust  in September 2022. The cybersecurity company's investigations into several Play ransomware intrusions found that initial access to the target environments was not achieved by directly exploiting  CVE-2022-41040 , but rather through the OWA endpoint. Dubbed  OWASSRF , the technique likely takes

An ongoing analysis of the  KmsdBot  botnet has raised the possibility that it's a DDoS-for-hire service offered to other threat actors. This is based on the different industries and geographies that were attacked, web infrastructure company Akamai said. Among the notable targets included  FiveM  and  RedM , which are game modifications for Grand Theft Auto V and Red Dead Redemption 2, as well as luxury brands and security firms. KmsdBot is a  Go-based malware  that leverages SSH to infect systems and carry out activities like cryptocurrency mining and launch commands using TCP and UDP to mount distributed denial-of-service (DDoS) attacks. However, a lack of an error-checking mechanism in the malware source code caused the criminal operators to inadvertently  crash their own botnet  last month. "Based on observed IPs and domains, the majority of the victims are located in Asia, North America, and Europe," Akamai researchers Larry W. Cashdollar and Allen West  said .

The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and "upscaled" campaign, months after Google disrupted the malicious activity. The ongoing attack is suggestive of the malware's resilience in the face of takedowns, cybersecurity company Nozomi Networks said in a write-up. "In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign," it  noted . The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from  MikroTik  and  Netgear . It's also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2)  since at least 2019 , rendering its infrastructure resistant to takedown efforts as in the case of a traditional server. Specifically

Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it's up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs.  Here's a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.  Increase in digital supply chain attacks  With the rapid modernization and digitization of supply chains come new security risks. Gartner predicts that  by 2025, 45% of organizations worldwide will have experienced attacks  on their software supply chains—this is a three-fold increase from 2021. Previously, these types of attacks weren't even likely to happen because supply chains weren't connected to the internet. But now that they are, supply chains need to be secured properly.  The introduction of new technology around software supply chains means there are likely security holes that have yet to be identified, but are essenti