#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

avast | Breaking Cybersecurity News | The Hacker News

Category — avast
Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

Nov 25, 2024 Malware / Windows Security
Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver ( BYOVD ) to disarm security protections and ultimately gain access to the infected system. "This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda," Trellix security researcher Trishaan Kalra said in an analysis published last week. "The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system." The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions. Once the driver is up and running, the malware gains kernel-level access to the system, allowing it...
eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

Apr 24, 2024 Cryptocurrency / Threat Intelligence
A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed  Kimsuky , which is also known as Black Banshee, Emerald Sleet, and TA427. "GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast  said . The intricate and elaborate infection chain, at its core, leverages a security shortcoming in the update mechanism of Indian antivi...
Want to Grow Vulnerability Management into Exposure Management? Start Here!

Want to Grow Vulnerability Management into Exposure Management? Start Here!

Dec 05, 2024Attack Surface / Exposure Management
Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...
Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Apr 10, 2024 Cyber Crime / Malvertising
Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files ( WSFs ) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer  said  in a report shared with The Hacker News. Raspberry Robin, also called QNAP worm, was  first spotted  in September 2021 that has since  evolved into a downloader  for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware. While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since  adopted other methods  such as social engineering and malv...
cyber security

Breaking Barriers: Strategies to Unite AppSec and R&D for Success

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
FTC Slams Avast with $16.5 Million Fine for Selling Users' Browsing Data

FTC Slams Avast with $16.5 Million Fine for Selling Users' Browsing Data

Feb 23, 2024 Privacy / Regulatory Compliance
The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users' browsing data to advertisers after claiming its products would block online tracking. In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was sold to third-parties without their consent. The FTC, in its complaint,  said  Avast "unfairly collected consumers' browsing information through the company's browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent." It also accused the U.K.-based company of deceiving users by claiming that the software would block third-party tracking and protect users' privacy, but failing to inform them that it would sell their "detailed, re-identifiable browsing data" to more than 100 third-partie...
New Python Variant of Chaes Malware Targets Banking and Logistics Industries

New Python Variant of Chaes Malware Targets Banking and Logistics Industries

Sep 05, 2023 Cyber Threat / Malware
Banking and logistics industries are under the onslaught of a reworked variant of a malware called  Chaes . "It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up shared with The Hacker News. Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information. A subsequent analysis from Avast in early 2022  found  that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence  uncovered...
Researchers Demonstrate How EDR and Antivirus Can Be Weaponized Against Users

Researchers Demonstrate How EDR and Antivirus Can Be Weaponized Against Users

Dec 12, 2022 Endpoint Detection / Data Security
High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers. "This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs researcher Or Yair  said . "It does all that without implementing code that touches the target files, making it fully undetectable." EDR software, by design, are capable of continually scanning a machine for potentially suspicious and malicious files, and taking appropriate action, such as deleting or quarantining them. The idea, in a nutshell, is to trick vulnerable security products into deleting legitimate files and directories on the system and render the machine inoperable by making use of specially crafted paths. This is achieved by taking advantage of what's ca...
Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Nov 14, 2022
A recently discovered cyber espionage group dubbed  Worok  has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft. "What is noteworthy is data collection from victims' machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage," the company  said . The development comes a little over two months after ESET disclosed details of attacks carried out by  Worok  against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as  TA428 . The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown Pow...
Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network

Jun 03, 2022
The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research. Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites. Parrot TDS was  documented  in April 2022 by Czech cybersecurity company Avast, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns. This involves appending a piece of malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) such as WordPress that are in turn said to be breached by taking advantage of weak login credentials and vulnerable plugins. Besides using different obfuscation tactics to conceal the code, the "injected JavaScript may also be found well indent...
Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus

Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus

May 05, 2022
Two high-severity security vulnerabilities, which went undetected for several years, have been discovered in a  legitimate driver  that's part of Avast and AVG antivirus solutions. "These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded," SentinelOne researcher Kasif Dekel  said  in a report shared with The Hacker News. Tracked as CVE-2022-26522 and CVE-2022-26523, the flaws reside in a legitimate anti-rootkit kernel driver named aswArPot.sys and are said to have been introduced in Avast version 12.1, which was released in June 2016. Specifically, the shortcomings are rooted in a socket connection handler in the kernel driver that could lead to privilege escalation by running code in the kernel from a non-administrator user, potentially causing the operating system to crash and display a blue screen of death ( BSo...
Over 10 Million Android Users Targeted With Premium SMS Scam Apps

Over 10 Million Android Users Targeted With Premium SMS Scam Apps

Oct 26, 2021
A global fraud campaign has been found leveraging 151 malicious Android apps with 10.5 million downloads to rope users into premium subscription services without their consent and knowledge. The  premium SMS scam  campaign — dubbed " UltimaSMS " — is believed to commenced in May 2021 and involved apps that cover a wide range of categories, including keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, with most of the fraudulent apps downloaded by users in Egypt, Saudi Arabia, Pakistan, the U.A.E., Turkey, Oman, Qatar, Kuwait, the U.S., and Poland. Although a significant  chunk of the apps  in question has since been removed from the Google Play Store, 82 of them have continued to remain available in the online marketplace as of October 19, 2021. It all starts with the apps prompting users to enter their phone numbers and email addresses to gain access to the advertised features, only to subscribe the victims to p...
Avast and AVG Browser Extensions Spying On Chrome and Firefox Users

Avast and AVG Browser Extensions Spying On Chrome and Firefox Users

Dec 03, 2019
If your Firefox or Chrome browser has any of the below-listed four extensions offered by Avast and its subsidiary AVG installed, you should disable or remove them as soon as possible. Avast Online Security AVG Online Security Avast SafePrice AVG SafePrice Why? Because these four widely installed browser extensions have been caught collecting a lot more data on its millions of users than they are intended to, including your detailed browsing history. Most of you might not even remember downloading and installing these extensions on your web browser, and that's likely because when users install Avast or AVG antivirus on their PCs, the software automatically installs their respective add-ons on the users' browsers. Both online security extensions have been designed to warn users when they visit a malicious or phishing website; whereas, SafePrice extensions help online shoppers learn about best offers, price comparisons, travel deals, and discount coupons from variou...
CCleaner Attack Timeline—Here's How Hackers Infected 2.3 Million PCs

CCleaner Attack Timeline—Here's How Hackers Infected 2.3 Million PCs

Apr 18, 2018
Last year, the popular system cleanup software CCleaner suffered a massive supply-chain malware attack of all times, wherein hackers compromised the company's servers for more than a month and replaced the original version of the software with the malicious one. The malware attack infected over 2.3 million users who downloaded or updated their CCleaner app between August and September last year from the official website with the backdoored version of the software. Now, it turns out that the hackers managed to infiltrate the company's network almost five months before they first replaced the official CCleaner build with the backdoored version, revealed Avast executive VP and CTO Ondrej Vlcek at the RSA security conference in San Francisco on Tuesday. 6-Months Timeline of CCleaner Supply Chain Attack Vlcek shared a brief timeline of the last year's incident that came out to be the worst nightmare for the company, detailing how and when unknown hackers breached Pi...
Antivirus firm Avast to Buy its rival AVG for $1.3 Billion

Antivirus firm Avast to Buy its rival AVG for $1.3 Billion

Jul 07, 2016
Breaking News for Today: Antivirus company Avast Software is planning to acquire Dutch rival AVG Technologies for $1.3 Billion in cash. Avast announced today that it would buy Amsterdam-based AVG Technologies for $25 per share in an all-cash transaction valued at $1.3 Billion in an aim to expand its presence in the emerging markets. With more than 230 Million users worldwide, Avast provides free and paid security software packages for both PCs as well as mobile devices to businesses and individuals. The deal between the two popular security software companies will provide Avast with 400 Million endpoints -- devices that have some form of Avast or AVG application installed. Around 160 Million of those are mobile. However, AVG technologies was in controversies for updating its policy that clearly said that the company will be allowed to collect and sell users' "non-personal data" to online advertisers in order to "make money" from their "free of...
Bicololo malware spreading via 404 Error targeting Russians

Bicololo malware spreading via 404 Error targeting Russians

Feb 05, 2013
A Trojan that attacks Russian Internet users using a new trick to spread itself. Known as " Bicololo " was first discovered in October 2012 and specially designed to steal login credentials from users.  For this, the malware modify the system Hosts file (i.e etc/hosts) to host perfect phishing sites via DNS poisoning to collect social networking and email credentials. In a recent post from Avast antivirus,  Bicololo  continued to evolve and spread even further. Because it is difficult for a user to determine that he is redirected to a phishing site the attack going smoothly. In Oct, They found that all these phishing sites were resolving via servers located at 69.197.136.99, 94.249.188.224 and 178.63.214.97, 94.249.189.21 , which originally were hosted on afraid.org servers. But now this malware spreading via standard 404 Error webpage error of hacked sites. The most frequent phishing clones of vk.com , odnokl...
Expert Insights / Articles Videos
Cybersecurity Resources