Trustwave | Breaking Cybersecurity News | The Hacker News

The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66 . Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATS). Many threat actors rely on bulletpro While Visual Basic Script (VBS) might seem outdated, it's still a of hosting providers like Proton66 because these services intentionally ignore abuse reports and legal takedown requests. This makes it easier for attackers to run phishing sites, command-and-control servers, and malware delivery systems without interruption. The cybersecurity company said it identified a set of domains with a similar naming pattern (e.g., gfast.duckdns[.]org, njfast.duckdns[.]org) beginning i...

A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems. "The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice," Trustwave SpiderLabs researcher Karla Agregado  said . The email message, the company said, originates from an email address format that uses the domain "temporary[.]link" and has Roundcube Webmail listed as the User-Agent string. The HTML file points containing a link ("facturasmex[.]cloud") that displays an error message saying "this account has been suspended," but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile. This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata as well...

As SaaS applications dominate the business landscape, organizations need optimized network speed and robust security measures. Many of them have been turning to SASE, a product category that offers cloud-based network protection while enhancing network infrastructure performance. However, a new report: "Better Together: SASE and Enterprise Browser Extension for the SaaS-First Enterprise" ( Download here ), challenges SASE's ability to deliver comprehensive security against web-borne cyber threats on its own. From phishing attacks to malicious extensions and account takeovers, traditional network traffic analysis and security falls short. The report sheds light on these limitations and introduces the role of secure browser extensions as an essential component in a comprehensive security strategy. SASE Advantages and Limitations SASE takes on a dual role in addressing both infrastructure and security. However, while SASE offers clear advantages in security, it may not e...

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called  Agent Tesla . Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment. The archive ("Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz") conceals a malicious loader that activates the procedure to deploy Agent Tesla on the compromised host. "This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods," security researcher Bernard Bautista  said  in a Tuesday analysis. "The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic." The tactic of embedding malware within seemingly benign files is...

Vulnerable  Redis services  have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk  said  in an analysis published last week. Some of the Linux distribution SkidMap sets its eyes on include Alibaba, Anolis, openEuler, EulerOS, Stream, CentOS, RedHat, and Rocky. SkidMap was  first disclosed  by Trend Micro in September 2019 as a cryptocurrency mining botnet with capabilities to load malicious kernel modules that can obfuscate its activities as well as monitor the miner process. The operators of the malware have also been found camouflaging their backup command-and-control (C2) IP address on the Bitcoin blockchain, evocative of another botnet malware known as  Glupteba . "The technique of fetching real-time data from...

Chromium-based web browsers are the target of a new malware called Rilide that masquerades itself as a seemingly legitimate extension to harvest sensitive data and siphon cryptocurrency. "Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges," Trustwave SpiderLabs Research said in a report shared with The Hacker News. What's more, the stealer malware can display forged dialogs to deceive users into entering a two-factor authentication code to withdraw digital assets. Trustwave said it identified two different campaigns involving  Ekipa RAT  and  Aurora Stealer  that led to the installation of the malicious browser extension. While Ekipa RAT is distributed via booby-trapped Microsoft Publisher files, rogue Google Ads act a...

Phishing campaigns involving the  Qakbot malware  are using Scalable Vector Graphics ( SVG ) images embedded in HTML email attachments. The new distribution method was spotted by Cisco Talos, which  said  it identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate  HTML script tags . HTML smuggling is a  technique  that relies on using legitimate features of HTML and JavaScript to run encoded malicious code contained within the lure attachment and assemble the payload on a victim's machine as opposed to making an HTTP request to fetch the malware from a remote server. In other words, the idea is to evade email gateways by storing a binary in the form of a JavaScript code that's decoded and downloaded when opened via a web browser. The attack chain spotted by the cybersecurity company concerns a JavaScript that's smuggled inside of the SVG image and executed when the unsuspecting email recipient laun...

The notorious  Emotet botnet  has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an  attack chain  detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch the second. While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by making use of a batch file to automatically supply the password to unlock the payload. The first SFX archive file further makes use of either a PDF or Excel icon to make it appear legitimate, when, in reality, it contains three components: the password-protected second SFX RAR file, the aforementioned batch script which launches the archive, and a decoy PDF or image. "The execution ...

The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the spam campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months. IPFS , short for InterPlanetary File System, is a peer-to-peer (P2P) network to store and share files and data using cryptographic hashes, instead of URLs or filenames, as is observed in a traditional client-server approach. Each hash forms the basis for a unique content identifier ( CID ). The idea is to create a resilient distributed file system that allows data to be stored across multiple computers. This would allow information to be accessed without having to rely on third parties such as cloud storage providers, effectively making it resistant to censorship. "Taking down phishing content stored on IPFS can be difficult ...

IT security firm Trustwave has been sued by a Las Vegas-based casino operator for conducting an allegedly "woefully inadequate" investigation following a network breach of the casino operator's system. Affinity Gaming , an operator of 5 casinos in Nevada and 6 elsewhere in the United States, has questioned Trustwave's investigation for failing to shut down breach that directly resulted in the theft of credit card data, allowing credit card thieves to maintain their foothold during the investigation period. The lawsuit, filed in the US District Court in Nevada, is one of the first cases of its kind where a client challenges a cyber security firm over the quality of its investigation following a hacking attack. Casino Sued an IT Security Firm Affinity Gaming said it hired Trustwave in late 2013 to analyze and clean up computer network intrusions that allowed attackers to obtain its customers' credit card data. It was reported that the details...