#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

keylogger | Breaking Cybersecurity News | The Hacker News

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks
Jan 27, 2024 Malware / Software Update
Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called  AllaKore RAT . The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin America-based financially motivated threat actor. The campaign has been active since at least 2021. "Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company  said  in an analysis published earlier this week. "The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud." The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, publ

SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks

SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks
Jan 25, 2024 Remote Access Trojan
Cybersecurity researchers have shed light on the command-and-control (C2) server workings of a known malware family called  SystemBC . "SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll  said  in an analysis published last week. The risk and financial advisory solutions provider said it has witnessed an increase in the use of malware throughout Q2 and Q3 2023. SystemBC,  first observed  in the wild in 2018, allows threat actors to remote control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also features support for launching ancillary modules on the fly to expand on its core functionality. A standout aspect of the malware revolves around its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future
Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu

Remcos RAT Spreading Through Adult Games in New Attack Wave

Remcos RAT Spreading Through Adult Games in New Attack Wave
Jan 16, 2024 Botnet / Malware
The remote access trojan (RAT) known as Remcos RAT has been found being propagated via webhards by disguising it as adult-themed games in South Korea. WebHard, short for  web hard drive , is a popular online file storage system used to upload, download, and share files in the country. While webhards have been used in the past to deliver  njRAT ,  UDP RAT, and DDoS botnet malware , the AhnLab Security Emergency Response Center's (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT. In these attacks, users are tricked into opening booby-trapped files by passing them off as adult games, which, when launched, execute malicious Visual Basic scripts in order to run an intermediate binary named "ffmpeg.exe." This results in the retrieval of Remcos RAT from an actor-controlled server. A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enablin

Automated remediation solutions are crucial for security

cyber security
websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware
Dec 22, 2023 Malware / Cyber Attack
The threat actor known as  UAC-0099  has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct  said  in a Thursday analysis. UAC-0099 was  first documented  by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives. The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of  LONEPAGE , a Visual Basic Script (VBS) malware that's capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware. "During 2022-2023, the mentioned group received unauthorized remote access to several dozen computer

Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges

Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges
Dec 18, 2023 Malware / Cyber Threat
The developers of the information stealer malware known as  Rhadamanthys  are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of delivering "specific distributor needs," but also makes it more potent, Check Point  said  in a technical deep dive published last week. Rhadamanthys,  first documented  by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model as early as September 2022 by an actor under the alias "kingcrete2022." Typically distributed through malicious websites mirroring those of genuine software that are advertised through Google ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPN, and instant messaging apps. "Rhadamanthys represents a

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
Nov 21, 2023 Malware Threat / Data Privacy
A new variant of the  Agent Tesla  malware has been observed delivered via a lure file with the  ZPAQ compression format  to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova  said  in a Monday analysis. "That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has the biggest disadvantage: limited software support." First appearing in 2014, Agent Tesla is a  keylogger  and  remote access trojan  (RAT) written in .NET that's  offered  to other threat actors as part of a malware-as-a-service (MaaS) model. It's often used as a first-stage payload, providing remote access to a compromised system and utilized to download more sophisticated second-stage tools such as ransomware. Agent Tesla is typ

Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies

Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies
Apr 19, 2023 Linux / Malware
The Pakistan-based advanced persistent threat (APT) actor known as  Transparent Tribe  used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. "It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways." Transparent Tribe  is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities. It has also repeatedly leveraged trojanized versions of Kavac

International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT

International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT
Mar 10, 2023 Cyber Crime / Cyber Threat
A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as NetWire . Coinciding with the seizure of the sales website www.worldwiredlabs[.]com, a Croatian national who is suspected to be the website's administrator has been arrested. While the suspect's name was not released, investigative journalist Brian Krebs  identified  Mario Zanko as the owner of the domain. "NetWire is a licensed commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities," Europol's European Cybercrime Center (EC3)  said  in a tweet. Advertised  since   at least 2012 , the malware is typically distributed via  malspam campaigns  and gives a remote attacker complete control over a Windows, macOS, or Linux system. It also comes with password-stealing and keylogging capabilities. The U.S. Department of Justice (DoJ)  said  an investiga

BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks

BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks
Jan 10, 2022
Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. "Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own [remote access trojan], resulting in captured keystrokes and screenshots of their own computer and virtual machines," Malwarebytes Threat Intelligence Team  said  in a report published on Friday. Prominent victims that were successfully infiltrated include Pakistan's Ministry of Defense, National Defence University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore, International Center for Chemical and Biological Sciences (ICCBS), H.E.J. Research Institute of Chemistry, and the Salim Habib University (SBU). Believed to have b

New Android Malware Steals Banking Passwords, Private Data and Keystrokes

New Android Malware Steals Banking Passwords, Private Data and Keystrokes
Apr 30, 2020
A new type of mobile banking malware has been discovered abusing Android's accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Called "EventBot" by Cybereason researchers, the malware is capable of targeting over 200 different financial apps, including banking, money transfer services, and crypto-currency wallets such as Paypal Business, Revolut, Barclays, CapitalOne, HSBC, Santander, TransferWise, and Coinbase. "EventBot is particularly interesting because it is in such early stages," the researchers said. "This brand new malware has real potential to become the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications." The campaign, first identified in March 2020, masks its malicious intent by posing as legitimate applications (e.g., Adobe Fl

iOS 13 Bug Lets 3rd-Party Keyboards Gain 'Full Access' — Even When You Deny

iOS 13 Bug Lets 3rd-Party Keyboards Gain 'Full Access' — Even When You Deny
Sep 26, 2019
Following the release of iOS 13 and iPadOS earlier this week, Apple has issued an advisory warning iPhone and iPad users of an unpatched security bug impacting third-party keyboard apps. On iOS, third-party keyboard extensions can run entirely standalone without access to external services and thus, are forbidden from storing what you type unless you grant "full access" permissions to enable some additional features through network access. However, in the brief security advisory , Apple says that an unpatched issue in iOS 13 and iPadOS could allow third-party keyboard apps to grant themselves "full access" permission to access what you are typing—even if you deny this permission request in the first place. It should be noted that the iOS 13 bug doesn't affect Apple's built-in keyboards or third-party keyboards that don't make use of full access. Instead, the bug only impacts users who have third-party keyboard apps—such as popular Gboard, Grammarl

French Police Remotely Removed RETADUP Malware from 850,000 Infected PCs

French Police Remotely Removed RETADUP Malware from 850,000 Infected PCs
Aug 28, 2019
The French law enforcement agency, National Gendarmerie, today announced the successful takedown of one of the largest wide-spread RETADUP botnet malware and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers. Earlier this year, security researchers at Avast antivirus firm, who were actively monitoring the activities of RETADUP botnet, discovered a design flaw in the malware's C&C protocol that could have been exploited to remove the malware from victims' computer without executing any extra code. However, to do that, the plan required researchers to have control over the malware's C&C server, which was hosted with a hosting provider located in the Ile-de-France region in north-central France. Therefore, the researchers contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie at the end of March this year, shared their findings, and proposed a secret plan to put an end to the RETADUP vir

Popular Video Editing Software Website Hacked to Spread Banking Trojan

Popular Video Editing Software Website Hacked to Spread Banking Trojan
Apr 11, 2019
If you have downloaded the VSDC multimedia editing software between late February to late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer. The official website of the VSDC software — one of the most popular, free video editing and converting app with over 1.3 million monthly visitors — was hacked, unfortunately once again. According to a new report Dr. Web published today and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links leading to malware versions, tricking visitors into installing dangerous Win32.Bolik.2 banking trojan and KPOT stealer. Even more ironic is that despite being so popular among the multimedia editors, the VSDC website is running and offering software downloads over an insecure HTTP connection. Though it's unclear how hackers this time managed to hijack the website, researchers revealed that the breach was reportedly ne

Someone Hijacked MEGA Chrome Extension to Steal Users' Passwords

Someone Hijacked MEGA Chrome Extension to Steal Users' Passwords
Sep 05, 2018
Warning! If you are using Chrome browser extension from the MEGA file storage service, uninstall it right now. The official Chrome extension for the MEGA.nz cloud storage service had been compromised and replaced with a malicious version that can steal users' credentials for popular websites like Amazon, Microsoft, Github, and Google, as well as private keys for users' cryptocurrency wallets. On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA's Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company. Malicious MEGA Chrome Extension Steals Passwords Upon installation or auto-update, the malicious extension asked for elevated permissions to access personal information, allowing it to steal credentials from sites like Amazon, Github, and Google, along with online wallets such as MyEtherWallet and MyMonero, and Idex.market cryptocurrency trading

Dark Tequila Banking Malware Uncovered After 5 Years of Activity

Dark Tequila Banking Malware Uncovered After 5 Years of Activity
Aug 21, 2018
Security researchers at Kaspersky Labs have uncovered a new, complex malware campaign that has been targeting customers of several Mexican banking institutions since at least 2013. Dubbed Dark Tequila , the campaign delivers an advanced keylogger malware that managed to stay under the radar for five years due to its highly targeted nature and a few evasion techniques. Dark Tequila has primarily been designed to steal victims' financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars. The list of targeted sites includes "Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services," the researchers say in a blog post . The malware gets delivered to the victims' comp

Nearly 2000 WordPress Websites Infected with a Keylogger

Nearly 2000 WordPress Websites Infected with a Keylogger
Jan 29, 2018
More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke. Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger. Coinhive is a popular browser-based service that offers website owners to embed a JavaScript to utilise CPUs power of their website visitors in an effort to mine the Monero cryptocurrency. Sucuri researchers said the threat actors behind this new campaign is the same one who infected more than 5,400 Wordpress websites last month since both campaigns used keylogger/cryptocurrency malware called cloudflare[.]solutions. Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
Jan 25, 2018
Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this. Wide-range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems. Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal , engaged in global mobile espionage campaigns. Although the report revealed about the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to be developed by, or for, the Dark Caracal group. CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, ru

Pre-Installed Keylogger Found On Over 460 HP Laptop Models

Pre-Installed Keylogger Found On Over 460 HP Laptop Models
Dec 09, 2017
HP has an awful history of 'accidentally' leaving keyloggers onto its customers' laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications. I was following a tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings. A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details. The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers. Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to

Over 400 Popular Sites Record Your Every Keystroke and Mouse Movement

Over 400 Popular Sites Record Your Every Keystroke and Mouse Movement
Nov 22, 2017
How many times it has happened to you when you look for something online and the next moment you find its advertisement on almost every other web page or social media site you visit? Web-tracking is not new. Most of the websites log its users' online activities, but a recent study from Princeton University has suggested that hundreds of sites record your every move online, including your searches, scrolling behavior, keystrokes and every movement. Researchers from Princeton University's Centre for Information Technology Policy (CITP) analyzed the Alexa top 50,000 websites in the world and found that 482 sites, many of which are high profile, are using a new web-tracking technique to track every move of their users. Dubbed " Session Replay ," the technique is used even by most popular websites, including The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, and WordPress, to record every single movement a visitor does while navigating a web page,
Cybersecurity Resources