Zscaler | Breaking Cybersecurity News | The Hacker News

Cybersecurity is constantly evolving, but complexity can give hostile actors an advantage. To stay ahead of current and future attacks, it's essential to simplify and reframe your defenses. Zscaler Deception is a state-of-the-art next-generation deception technology seamlessly integrated with the Zscaler Zero Trust Exchange. It creates a hostile environment for attackers and enables you to track the entire attack sequence. We're hosting a session where we'll demonstrate how you can set up Zscaler Deception to detect advanced attacks, investigate threats, and contain them. Join us to learn about the latest advances and best practices directly from our technical product experts. Don't let lateral threats compromise your environment. Why attend? Learn how Zscaler Deception can help you generate private threat intelligence, detect compromised users, stop lateral movement, and secure Active Directory. Discover automated deception campaigns that can be launched within

Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why  attacks increased dramatically in the past year  yet again, despite the estimated $172 billion spent on global cybersecurity in 2022. Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly than organizations can update their protections.  Relying on malware signatures and blocklists against these rapidly changing attacks has become futile. As a result, the SOC toolkit now largely revolves around threat detection and investigation. If an attacker can bypass your initial blocks, you expect your tools to pick them up at some point in the attack chain. Every organization's digital architecture is now seeded with security controls that log anything potentially malicious. Security analysts pore through these logs and determine what to investigate further. Does this work? Let'

The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware onto targeted machines. According to multiple reports from  AhnLab Security Emergency response Center  ( ASEC ),  SEKOIA.IO , and  Zscaler , the development is illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection. "The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday.  ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012. Last month, ASEC  disclosed  a

An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like  Cobalt Strike ,  Sliver , and  Brute Ratel . Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized  Havoc . "While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation," researchers Niraj Shivtarkar and Shatak Jain  said . The attack sequence documented by Zscaler begins with a ZIP archive that embeds a decoy document and a screen-saver file that's designed to download and launch the Havoc Demon agent on the infected host. Demon is the implant generated via th

Travel agencies have emerged as the target of a hack-for-hire group dubbed  Evilnum  as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress and YouTube as  dead drop resolvers , Kaspersky  said  in a technical report published this week. Janicab infections comprise a diverse set of victims located in Egypt, Georgia, Saudi Arabia, the UAE, and the U.K. The development marks the first time legal organizations in Saudi Arabia have been targeted by this group. Also tracked as DeathStalker, the threat actor is known to deploy  backdoors  like Janicab, Evilnum, Powersing, and PowerPepper to exfiltrate confidential corporate information. "Their interest in gathering sensitive business information leads us to believe that Deat

The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad  said  in a new analysis. "The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain." Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors which are active on the Facebook Ads and Business platform. Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes

Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi  said  in an analysis published Thursday. "It is also capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and multi-factor authentication requests." The cybersecurity firm said it also found an expense tracker app that exhibited similar behavior, but noted that it couldn't extract the URL used to fetch the malware artifact. The two malicious apps are as follows - Todo: Day manager (com.todo.daymanager) 経費キーパー (com.setprice.expenses) Both the apps function as a dropper, meaning the apps themselves are harmless and are a conduit to retrieve t

The Transparent Tribe threat actor has been linked to a new campaign aimed at Indian government organizations with trojanized versions of a two-factor authentication solution called Kavach . "This group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-authentication (MFA) applications," Zscaler ThreatLabz researcher Sudeep Singh  said  in a Thursday analysis. The cybersecurity company said the advanced persistent threat group has also conducted low-volume credential harvesting attacks in which rogue websites masquerading as official Indian government portals were set up to lure unwitting users into entering their passwords. Transparent Tribe, also known by the monikers APT36, Operation C-Major, and Mythic Leopard, is a suspected Pakistan  adversarial collective  that has a  history  of striking Indian and Afghanistan entities. The latest attack chain is not the first time the threat actor has set its sights o

A PHP version of an information-stealing malware called  Ducktail  has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler. "Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.," Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi  said . Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts. The financially motivated cybercriminal operation was  first documented  by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022. While previous versions of the malware were found to use Telegram as a command-and-control (C2) channel to exfiltrate information, the PHP var

The threat actor behind the malware-as-a-service (MaaS) known as Eternity Group has been linked to new piece of malware called LilithBot . "It has advanced capabilities to be used as a miner, stealer, and a clipper along with its persistence mechanisms," Zscaler ThreatLabz researchers Shatak Jain and Aditya Sharma  said  in a Wednesday report. "The group has been continuously enhancing the malware, adding improvements such as anti-debug and anti-VM checks." Eternity Project  came on the scene earlier this year, advertising its warez and product updates on a Telegram channel. The services provided include a stealer, miner, clipper, ransomware, USB worm, and a DDoS bot. LilithBot is the latest addition to this list. Like its counterparts, the multifunctional malware bot is sold on a subscription basis to other cybercriminals in return for a cryptocurrency payment. Upon a successful compromise, the information gathered through the bot – browser history, cooki

Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer , which its developer added with the intention of secretly stealing a copy of victims' exfiltrated data when used by other cybercriminals. "While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large scale attacks to follow," Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross  said  in a new report. Prynt Stealer, which  came to light  earlier this April, comes with capabilities to log keystrokes, steal credentials from web browsers, and siphon data from Discord and Telegram. It's sold for $100 for a one-month license and $900 for a lifetime subscription. The cybersecurity firm analysis of Prynt Stealer shows that its codebase is derived from two other open source malware families,  AsyncRAT  and 

Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the  Grandoreiro  banking trojan.  "In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler  said  in a report. The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain. Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive

Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system in an attempt to raise the  security baseline  to meet the evolving threat landscape. To that end, the default policy for Windows 11 builds – particularly, Insider Preview builds 22528.1000 and newer – will automatically lock accounts for 10 minutes after 10 invalid sign-in attempts. "Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute-force password vectors," David Weston, Microsoft's vice president for OS security and enterprise,  said  in a series of tweets last week. "This technique is very commonly used in Human Operated Ransomware and other attacks -- this control will make brute forcing much harder which is awesome!" It's worth pointing out that while this  account lockout setting  is already incorporated in Windows 10, it's not enabled by default. The f

Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace. While the Android storefront is considered to be a trusted source for discovering and installing apps, bad actors have repeatedly found ways to sneak past security barriers erected by Google in hopes of luring unsuspecting users into downloading malware-laced apps. The latest findings from  Zscaler ThreatLabz  and  Pradeo  are no different. "Joker is one of the most  prominent malware families  targeting Android devices," researchers Viral Gandhi and Himanshu Sharma said in a Monday report. "Despite public awareness of this particular malware, it keeps finding its way into Google's official app store by regularly modifying the malware's trace signatures including updates to the code, execution methods, and payload-retrieving techniques." Categorized as  fleecewa

The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. "Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot," Zscaler Threatlabz researchers Tarun Dewan and Aditya Sharma  said . Other methods adopted by the group include code obfuscation, introducing new layers in the attack chain from initial compromise to execution, and using multiple URLs as well as unknown file extensions (e.g., .OCX, .ooccxx, .dat, or .gyp) to deliver the payload. Also called QBot, QuackBot, or Pinkslipbot, Qakbot has been a  recurring threat  since late 2007, evolving from its initial days as a banking trojan to a modular information stealer capable of deploying next-stage payloads such as  ransomware . "Qakbot is a flexible post-exploi

Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed  PureCrypter  that's being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. "The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products," Zscaler's Romain Dumont  said  in a new report. Some of the malware families distributed using PureCrypter include  Agent Tesla ,  Arkei ,  AsyncRAT ,  AZORult ,  DarkCrystal RAT  (DCRat),  LokiBot ,  NanoCore ,  RedLine Stealer ,  Remcos ,  Snake Keylogger , and  Warzone RAT . Sold for a price of $59 by its developer named "PureCoder" for a one-month plan (and $249 for a one-off lifetime purchase) since at least March 2021, PureCrypter is advertised as the "only crypter in the market that uses offline and online delivery technique." Crypters act as the  first layer of de

The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East. "The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar  said  in a report published last week. "The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements." DNS hijacking is a  redirection attack  in which DNS queries to genuine websites are intercepted to take an unsuspecting user to fraudulent pages under an adversary's control. Unlike  cache poisoning , DNS hijacking targets the DNS record of the website on the nameserver, rather than a resolver's cache. Lyceum , also known as Hexane, Spirli

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware. "The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler  said  in a report. "These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on Telegram and Mastodon network." Some of the rogue distribution vector domains, which were registered last month on April 20, consist of ms-win11[.]com, win11-serv[.]com, and win11install[.]com, and ms-teams-app[.]net. In addition, the cybersecurity firm cautioned that the threat actor behind the impersonation campaign is also leveraging backdoored versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to deliver Vidar malware. The ISO file, for its part,