Obfuscation | Breaking Cybersecurity News | The Hacker News

The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) referred to as Quasar RAT since June 2024. "Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published last week. The advanced persistent threat (APT), also known as AguilaCiega, APT-C-36, and APT-Q-98, has a track record of focusing on organizations and individuals in South America, particularly related to the government and finance sectors in Colombia and Ecuador. The attack chains, as recently documented by Kaspersky, originate with phishing emails that entice recipients into clicking on malicious links that serve as the launchpad for the infection process. The links, either embedded within a PDF attachment or directly in the email body, point to ZIP archives hosted on ...

Cybersecurity researchers have uncovered a new suspicious package uploaded to the npm package registry that's designed to drop a remote access trojan (RAT) on compromised systems. The package in question is glup-debugger-log , which targets users of the gulp toolkit by masquerading as a "logger for gulp and gulp plugins." It has been downloaded 175 times to date. Software supply chain security firm Phylum, which discovered the package, said the software comes fitted with two obfuscated files that work in tandem to deploy the malicious payload. "One worked as a kind of initial dropper setting the stage for the malware campaign by compromising the target machine if it met certain requirements, then downloading additional malware components, and the other script providing the attacker with a persistent remote access mechanism to control the compromised machine," it said . Phylum's closer examination of the library's package.json file – which acts as...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

A new Android trojan called  SoumniBot  has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin  said  in a technical analysis. Every Android app comes with a  manifest XML file  ("AndroidManifest.xml") that's located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires. Knowing that threat hunters typically commence their analysis by inspecting the app's manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to make the process a lot more challenging. The first method involves the use of an invalid Compression method value when unpacki...

The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of "devolution." "Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos  said . PikaBot,  first documented  by the cybersecurity firm in May 2023, is a malware loader and a backdoor that can execute commands and inject payloads from a command-and-control (C2) server as well as allow the attacker to control the infected host. It is also known to halt its execution should the system's language be Russian or Ukrainian, indicating that the operators are either based in Russia or Ukraine. In recent months, both PikaBot and another loader called DarkGate have emerged as  attractive replacements  for threat actors such as  Wa...

The developers of the information stealer malware known as  Rhadamanthys  are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of delivering "specific distributor needs," but also makes it more potent, Check Point  said  in a technical deep dive published last week. Rhadamanthys,  first documented  by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model as early as September 2022 by an actor under the alias "kingcrete2022." Typically distributed through malicious websites mirroring those of genuine software that are advertised through Google ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPN, and instant messaging apps. "Rhadamanthys represent...

An updated version of an information stealer malware known as  Jupyter  has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems. "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file," VMware Carbon Black researchers  said  in a report shared with The Hacker News. Jupyter Infostealer , also known as Polazert , SolarMarker, and Yellow Cockatoo, has a  track record  of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites. It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands...

The Russia-linked hacking crew known as Turla has been observed using an updated version of a known second-stage backdoor referred to as Kazuar. The new findings come from Palo Alto Networks Unit 42, which is tracking the adversary under its constellation-themed moniker  Pensive Ursa . "As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar's ability to operate in stealth, evade detection and thwart analysis efforts," security researchers Daniel Frank and Tom Fakterman  said  in a technical report. "They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation practices." Pensive Ursa, active since at least 2004, is attributed to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA)  implicated  the threat group to attacks targeting the defense sector in Ukraine and East...