The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: computer virus

New Malware Uses Windows BITS Service to Stealthy Exfiltrate Data

New Malware Uses Windows BITS Service to Stealthy Exfiltrate Data

September 09, 2019Mohit Kumar
Cybersecurity researchers have discovered a new computer virus associated with the Stealth Falcon state-sponsored cyber espionage group that abuses a built-in component of the Microsoft Windows operating system to stealthily exfiltrate stolen data to attacker-controlled server. Active since 2012, Stealth Falcon is a sophisticated hacking group known for targeting journalists, activists, and dissidents with spyware in the Middle East, primarily in the United Arab Emirates (UAE). Dubbed Win32/StealthFalcon , named after the hacking group, the malware communicates and sends collected data to its remote command-and-control (C&C) servers using Windows Background Intelligent Transfer Service (BITS). BITS is a communication protocol in Windows that takes unused network bandwidth to facilitate asynchronous, prioritized, and throttled transfer of files between machines in the foreground or background, without impacting the network experience. BITS is commonly used by software up
The Hottest Malware Hits of the Summer

The Hottest Malware Hits of the Summer

September 06, 2019The Hacker News
It's been a summer of ransomware hold-ups, supply chain attacks and fileless attacks flying under the radar of old-school security. With malware running amok while we were lying on the beach, here's a recap of the most burning strains and trends seen in the wild during the months of July and August 2019. Malware Evolution Trends The heat must have had an effect as this summer saw malware continuing to evolve, particularly around three core trends: Evasion-by-design Malware has been increasingly designed to bypass security controls leveraging a host of tactics, most notably by: Changing hashes via file obfuscation to evade AVs. Using encrypted communication with C2 servers to foil EDRs. Using feature manipulation and tampering to trick AI, machine-learning engines, and sandboxes through the detection of such environments and the deliberate delay in execution. Fileless Attacks and Living-Off-The-Land (LOTL) Taking evasion techniques one step further, an in
French Police Remotely Removed RETADUP Malware from 850,000 Infected PCs

French Police Remotely Removed RETADUP Malware from 850,000 Infected PCs

August 28, 2019Mohit Kumar
The French law enforcement agency, National Gendarmerie, today announced the successful takedown of one of the largest wide-spread RETADUP botnet malware and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers. Earlier this year, security researchers at Avast antivirus firm, who were actively monitoring the activities of RETADUP botnet, discovered a design flaw in the malware's C&C protocol that could have been exploited to remove the malware from victims' computer without executing any extra code. However, to do that, the plan required researchers to have control over the malware's C&C server, which was hosted with a hosting provider located in the Ile-de-France region in north-central France. Therefore, the researchers contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie at the end of March this year, shared their findings, and proposed a secret plan to put an end to the RETADUP vir
Ransomware Attack Caused Power Outages in the Biggest South African City

Ransomware Attack Caused Power Outages in the Biggest South African City

July 26, 2019Mohit Kumar
Yesterday, some residents of Johannesburg, the largest city in South Africa, were left without electricity after the city's power company got attacked by a ransomware virus. City Power, the company responsible for powering South Africa's financial capital Johannesburg, confirmed Thursday on Twitter that it had been hit by a Ransomware virus that had encrypted all of its databases, applications, and network. The attack prevented prepaid customers from buying electricity units, upload invoices when making payments, or access the City Power's official website, eventually leaving them without power. "Please note that the virus hit us early Thursday morning, compromising our database and other software, impacting most of our applications and networks," the city government said in a tweet . However, the company has also ensured its customers that none of their details were compromised in the cyber attack. At the time of writing, the company confirmed they h
Baltimore City Shuts Down Most of Its Servers After Ransomware Attack

Baltimore City Shuts Down Most of Its Servers After Ransomware Attack

May 08, 2019Swati Khandelwal
For the second time in just over a year, the city of Baltimore has been hit by a ransomware attack, affecting its computer network and forcing officials to shut down a majority of its computer servers as a precaution. Ransomware works by encryption files and locking them up so users can't access them. The attackers then demand a ransom amount, typically in Bitcoin digital currency, in exchange for the decryption keys use to unlock the files. The ransomware attack on the Baltimore City Hall took place on Tuesday morning and infected the city's technology systems with an unknown ransomware virus, which according to government officials, is apparently spreading throughout their network. According to new Baltimore Mayor Bernard C. Jack Young, Baltimore City's critical public safety systems, such as 911, 311, emergency medical services and the fire department, are operational and not affected by the ransomware attack. Young also says the city technology officials are
Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

March 28, 2019Swati Khandelwal
An Iran-linked cyber-espionage group that has been found targeting critical infrastructure , energy and military sectors in Saudi Arabia and the United States two years ago continues targeting organizations in the two nations, Symantec reported on Wednesday. Widely known as APT33 , which Symantec calls Elfin , the cyber-espionage group has been active since as early as late 2015 and targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance, and telecommunications in the Middle East and other parts of the world. Symantec started monitoring Elfin's attacks since the beginning of 2016 and found that the group has launched a heavily targeted campaign against multiple organizations with 42% most recent attacks observed against Saudi Arabia and 34% against the United States. Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcar
Ransomware Attack Forces Aluminum Manufacturer to Shutdown Systems Worldwide

Ransomware Attack Forces Aluminum Manufacturer to Shutdown Systems Worldwide

March 19, 2019Mohit Kumar
Photo by Terje Pedersen / NTB scanpix One of the world's largest producers of aluminum has been forced to shut down several of its plants across Europe and the U.S. after an "extensive cyber attack" hit its operations, leaving companies' IT systems unusable. According to a press release shared by Aluminum giant Norsk Hydro today, the company has temporarily shut down several plants and switched to manual operations, "where possible," in countries including Norway, Qatar, and Brazil in an attempt to continue some of its operations. The cyber attack, that began in the U.S.,was first detected by the company's IT experts around late Monday evening CET and the company is working to neutralize the attack, as well as investigating to know the full extent of the incident. "Hydro's main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents," t
Latest WinRAR Flaw Being Exploited in the Wild to Hack Windows Computers

Latest WinRAR Flaw Being Exploited in the Wild to Hack Windows Computers

February 26, 2019Wang Wei
It's not just the critical Drupal vulnerability that is being exploited by in the wild  cybercriminals to attack vulnerable websites that have not yet applied patches already available by its developers, but hackers are also exploiting a critical WinRAR vulnerability that was also revealed last week. A few days ago, The Hacker News reported about a 19-year-old remote code execution vulnerability disclosed by Check Point in the UNACEV2.dll library of WinRAR that could allow a maliciously-crafted ACE archive file to execute arbitrary code on a targeted system. WinRAR is a popular Windows file compression application with 500 million users worldwide, but a critical "Absolute Path Traversal" bug (CVE-2018-20250) in its old third-party library, called UNACEV2.DLL, could allow attackers to extract a compressed executable file from the ACE archive to one of the Windows Startup folders, where the file would automatically run on the next reboot. To successfully exploit the
Beware!! New Windows .exe Malware Found Targeting macOS Computers

Beware!! New Windows .exe Malware Found Targeting macOS Computers

February 11, 2019Mohit Kumar
A malicious Windows EXE file can even infect your Mac computer as well. Yes, you heard me right — a .exe malware on macOS. Security researchers at antivirus firm Trend Micro have discovered a novel way hackers are using in the wild to bypass Apple's macOS security protection and infect Mac computers by deploying malicious EXE files that normally run only on Windows computers. Researchers found several samples of malicious macOS application (.dmg) masquerading as installers for popular software on a torrent site that includes an EXE application compiled with Mono framework to make it compatible with macOS. Mono is an open source implementation of Microsoft's .NET Framework that allows developers to create cross-platform .NET applications, which work across all supported platforms, including Linux, Windows and Mac OS X. Usually, running any Windows executable results in error on macOS systems, and its built-in protection mechanisms such as Gatekeeper also skips scann
New Shamoon Malware Variant Targets Italian Oil and Gas Company

New Shamoon Malware Variant Targets Italian Oil and Gas Company

December 14, 2018Swati Khandelwal
Shamoon is back… one of the most destructive malware families that caused damage to Saudi Arabia's largest oil producer in 2012 and this time it has targeted energy sector organizations primarily operating in the Middle East. Earlier this week, Italian oil drilling company Saipem was attacked and sensitive files on about 10 percent of its servers were destroyed, mainly in the Middle East, including Saudi Arabia, the United Arab Emirates and Kuwait, but also in India and Scotland. Saipem admitted Wednesday that the computer virus used in the latest cyber attack against its servers is a variant Shamoon—a disk wiping malware that was used in the most damaging cyber attacks in history against Saudi Aramco and RasGas Co Ltd and destroyed data on more than 30,000 systems. The cyber attack against Saudi Aramco, who is the biggest customer of Saipem, was attributed to Iran, but it is unclear who is behind the latest cyber attacks against Saipem. Meanwhile, Chronicle, Google'
New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

December 04, 2018Swati Khandelwal
A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack... and the number of infected users is continuously increasing every hour. What's Interesting? Unlike almost every ransomware malware, the new virus doesn't demand ransom payments in Bitcoin. Instead, the attacker is asking victims to pay 110 yuan (nearly USD 16) in ransom through WeChat Pay—the payment feature offered by China's most popular messaging app. Ransomware + Password Stealer — Unlike WannaCry and NotPetya ransomware outbreaks that caused worldwide chaos last year, the new Chinese ransomware has been targeting only Chinese users. It also includes an additional ability to steal users' account passwords for Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ websites. A Supply Chain Attack — According to Chinese cybers
TSMC Chip Maker Blames WannaCry Malware for Production Halt

TSMC Chip Maker Blames WannaCry Malware for Production Halt

August 07, 2018Mohit Kumar
Taiwan Semiconductor Manufacturing Company (TSMC)—the world's largest makers of semiconductors and processors—was forced to shut down several of its chip-fabrication factories over the weekend after being hit by a computer virus. Now, it turns out that the computer virus outbreak at Taiwan chipmaker was the result of a variant of WannaCry —a massive ransomware attack that wreaked havoc across the world by shutting down hospitals, telecom providers, and many businesses in May 2017. TSMC shut down an entire day of production this weekend after several of its factories systems were halted by a computer virus in the middle of the ramp-up for chips to be used by Apple's future lines of iPhones, which could impact revenue by approx $256 million. According to the semiconductor manufacturer, its computer systems were not direct attacked by any hacker, but instead, were exposed to the malware "when a supplier installed tainted software without a virus scan" to TSMC&
iPhone Chip Supplier TSMC Stops Production After Computer Virus Attack

iPhone Chip Supplier TSMC Stops Production After Computer Virus Attack

August 06, 2018Swati Khandelwal
Taiwan Semiconductor Manufacturing Company (TSMC)—Apple's sole supplier of SoC components for iPhones and iPads, and Qualcomm's major manufacturing partner—shut down several of its chip-fabrication factories Friday night after being hit by a computer virus. The world's largest makers of semiconductors and processors TSMC lost an entire day of production after several of its factories systems were halted by a computer virus in the middle of the ramp-up for chips to be used by Apple's future lines of iPhones. Though the popular chip maker has been attacked by viruses in the past, this is the first time a virus has affected TSMC's production lines, making the incident a real big deal. Without revealing many details, TSMC said a number of its computer systems and fabrication tools were infected by the virus on Friday night, but since then it has recovered 80% of its impacted equipment, though others will be recovered by tomorrow. According to TSMC, the comput
Linux Trojan Using Hacked IoT Devices to Send Spam Emails

Linux Trojan Using Hacked IoT Devices to Send Spam Emails

September 22, 2017Wang Wei
Botnets, like Mirai , that are capable of infecting Linux-based internet-of-things (IoT) devices are constantly increasing and are mainly designed to conduct Distributed Denial of Service (DDoS) attacks, but researchers have discovered that cybercriminals are using botnets for mass spam mailings. New research conducted by Russian security firm Doctor Web has revealed that a Linux Trojan, dubbed Linux.ProxyM that cybercriminals use to ensure their online anonymity has recently been updated to add mas spam sending capabilities to earn money. The Linux.ProxyM Linux Trojan, initially discovered by the security firm in February this year, runs a SOCKS proxy server on an infected IoT device and is capable of detecting honeypots in order to hide from malware researchers. Linux.ProxyM can operate on almost all Linux device, including routers, set-top boxes, and other equipment having the following architectures: x86, MIPS, PowerPC, MIPSEL, ARM, Motorola 68000, Superh and SPARC.
Beware of Windows/MacOS/Linux Virus Spreading Through Facebook Messenger

Beware of Windows/MacOS/Linux Virus Spreading Through Facebook Messenger

August 24, 2017Unknown
If you came across any Facebook message with a video link sent by anyone, even your friend — just don't click on it. Security researchers at Kaspersky Lab have spotted an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software. Although it is still unclear how the malware spreads, researchers believe spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link. The attackers make use of social engineering to trick users into clicking the video link, which purports to be from one of their Facebook friends, with the message that reads "< your friend name > Video" followed by a bit.ly link, as shown. Here's How this Cross-Platform Malware Works: The URL redirects victims to a Google doc that displays a dynamically generated video thumbnail, like a playable movie, based on the sender'
Ukrainian Man Arrested For Distributing NotPetya Ransomware And Helping Tax Evaders

Ukrainian Man Arrested For Distributing NotPetya Ransomware And Helping Tax Evaders

August 10, 2017Mohit Kumar
Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware (Petya.A, also known as NotPetya) — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine as well as different parts of Europe around 45 days ago. However, the story is not as simple as it seems, which portrayed this man as a criminal. I recommend you to read complete article to understand the case better and then have an opinion accordingly. Sergey Neverov (Сергей Неверов), father of two sons and the resident of the southern city of Nikopol, is a video blogger and computer enthusiast who was arrested by the Ukrainian police on Monday, August 7 from his home. What Neverov Did? According to a press release published on Thursday by the Ukrainian cyber police department, Neverov uploaded a video, showing how to infect a computer with Petya.A ransomware—and also shared a download link for NotPetya malware to his social media
Apple Users, Beware! A Nearly-Undetectable Malware Targeting Mac Computers

Apple Users, Beware! A Nearly-Undetectable Malware Targeting Mac Computers

July 25, 2017Swati Khandelwal
Yes, even Mac could also get viruses that could silently spy on its users. So, if you own a Mac and think you are immune to malware, you are wrong. An unusual piece of malware that can remotely take control of webcams, screen, mouse, keyboards, and install additional malicious software has been infecting hundreds of Mac computers for more than five years—and it was detected just a few months back. Dubbed FruitFly , the Mac malware was initially detected earlier this year by Malwarebytes researcher Thomas Reed, and Apple quickly released security patches to address the dangerous malware. Now months later, Patrick Wardle, an ex-NSA hacker and now chief security researcher at security firm Synack, discovered around 400 Mac computers infected with the newer strain of the FruitFly malware (FruitFly 2) in the wild. Wardle believes the number of infected Macs with FruitFly 2 would likely be much higher, as he only had access to some servers used to control FruitFly. Although it i
WikiLeaks Reveals CIA Teams Up With Tech to Collect Ideas For Malware Development

WikiLeaks Reveals CIA Teams Up With Tech to Collect Ideas For Malware Development

July 19, 2017Swati Khandelwal
As part of its ongoing Vault 7 leaks , the whistleblower organisation WikiLeaks today revealed about a CIA contractor responsible for analysing advanced malware and hacking techniques being used in the wild by cyber criminals. According to the documents leaked by WikiLeaks, Raytheon Blackbird Technologies, the Central Intelligence Agency (CIA) contractor, submitted nearly five such reports to CIA as part of UMBRAGE Component Library (UCL) project between November 2014 and September 2015. These reports contain brief analysis about proof-of-concept ideas and malware attack vectors — publically presented by security researchers and secretly developed by cyber espionage hacking groups. Reports submitted by Raytheon were allegedly helping CIA's Remote Development Branch (RDB) to collect ideas for developing their own advanced malware projects. It was also revealed in previous Vault 7 leaks that CIA's UMBRAGE malware development teams also borrow codes from publicly avail
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.