#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

rootkit | Breaking Cybersecurity News | The Hacker News

Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild

Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild
Oct 22, 2021
A newly identified rootkit has been found with a valid digital signature issued by Microsoft that's used to proxy traffic to internet addresses of interest to the attackers for over a year targeting online gamers in China. Bucharest-headquartered cybersecurity technology company Bitdefender named the malware " FiveSys ," calling out its possible credential theft and in-game-purchase hijacking motives. The Windows maker has since revoked the signature following responsible disclosure. "Digital signatures are a way of establishing trust," Bitdefender researchers said in a white paper, adding "a valid digital signature helps the attacker navigate around the operating system's restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges." Rootkits are both evasive and stealthy as they offer threat actors an entrenched foothold onto victims' systems and conceal

Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012

Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012
Oct 05, 2021
Cybersecurity researchers on Tuesday revealed details of a previously undocumented  UEFI  (Unified Extensible Firmware Interface) bootkit that has been put to use by threat actors to backdoor Windows systems as early as 2012 by modifying a legitimate Windows Boot Manager binary to achieve persistence, once again demonstrating how technology meant to secure the environment prior to loading the operating system is increasingly becoming a "tempting target." Slovak cybersecurity firm ESET codenamed the new malware "ESPecter" for its ability to persist on the EFI System Partition ( ESP ), in addition to circumventing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots. The intrusion route of the malware remains unknown as yet. "ESPecter shows that threat actors are relying not only on UEFI

Hands-on Review: Cynomi AI-powered vCISO Platform

Hands-on Review: Cynomi AI-powered vCISO Platform
Apr 10, 2024vCISO / Risk Assessment
The need for vCISO services is growing. SMBs and SMEs are dealing with more third-party risks, tightening regulatory demands and stringent cyber insurance requirements than ever before. However, they often lack the resources and expertise to hire an in-house security executive team. By outsourcing security and compliance leadership to a vCISO, these organizations can more easily obtain cybersecurity expertise specialized for their industry and strengthen their cybersecurity posture. MSPs and MSSPs looking to meet this growing vCISO demand are often faced with the same challenge. The demand for cybersecurity talent far exceeds the supply. This has led to a competitive market where the costs of hiring and retaining skilled professionals can be prohibitive for MSSPs/MSPs as well. The need to maintain expertise of both security and compliance further exacerbates this challenge. Cynomi, the first AI-driven vCISO platform , can help. Cynomi enables you - MSPs, MSSPs and consulting firms

Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users

Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users
Oct 01, 2021
A formerly unknown Chinese-speaking threat actor has been linked to a long-standing evasive operation aimed at South East Asian targets as far back as July 2020 to deploy a kernel-mode rootkit on compromised Windows systems. Attacks mounted by the hacking group, dubbed  GhostEmperor  by Kaspersky, are also said to have used a "sophisticated multi-stage malware framework" that allows for providing persistence and remote control over the targeted hosts. The Russian cybersecurity firm called the rootkit Demodex , with infections reported across several high-profile entities in Malaysia, Thailand, Vietnam, and Indonesia, in addition to outliers located in Egypt, Ethiopia, and Afghanistan. "[Demodex] is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting undocumented loading scheme involving the kernel mode component of an open-source project named  Cheat Engine  to bypass the Windows Driver Sig

WATCH: The SaaS Security Challenge in 90 Seconds

cyber security
websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.

A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit

A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit
Sep 23, 2021
Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices. "These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables," researchers from Eclypsium  said  in a report published on Monday. "These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like  Secured-core  because of the ubiquitous usage of  ACPI  [Advanced Configuration and Power Interface] and WPBT." WPBT, introduced with Windows 8 in 2012, is a  feature  that enables "boot firmware to provide Windows with a platform binary that the operating system can execute."  In other words, it allows

Researchers Warn of Facefish Backdoor Spreading Linux Rootkits

Researchers Warn of Facefish Backdoor Spreading Linux Rootkits
May 28, 2021
Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials, device information and executing arbitrary commands on Linux systems. The malware dropper has been dubbed " Facefish " by Qihoo 360 NETLAB team owing its capabilities to deliver different rootkits at different times and the use of  Blowfish  cipher to encrypt communications to the attacker-controlled server. "Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the  Ring 3  layer and is loaded using the  LD_PRELOAD  feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers  said . The NETLAB research builds on a previous analysis  published  by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant wit

New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations

 New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations
May 07, 2021
An unknown threat actor with the capabilities to evolve and tailor its toolset to target environments infiltrated high-profile organizations in Asia and Africa with an evasive Windows rootkit since at least 2018. Called  'Moriya ,' the malware is a "passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them," said Kaspersky researchers Mark Lechtik and Giampaolo Dedola in a Thursday deep-dive. The Russian cybersecurity firm termed the ongoing espionage campaign  'TunnelSnake .' Based on telemetry analysis, less than 10 victims around the world have been targeted to date, with the most prominent targets being two large diplomatic entities in Southeast Asia and Africa. All the other victims were located in South Asia. The first reports of Moriya emerged last November when Kaspersky said it discovered the stealthy implant in the networks

New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers

New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers
Feb 01, 2021
A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research. Deployed by the China-based cybercrime group  Rocke , the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers  said  in a Thursday write-up. "Pro-Ocean uses known vulnerabilities to target cloud applications," the researchers detailed. "In our analysis, we found Pro-Ocean targeting Apache ActiveMQ ( CVE-2016-3088 ), Oracle WebLogic ( CVE-2017-10271 ) and Redis (unsecure instances)." "Once installed, the malware kills any process that uses the CPU heavily, so that it's able to use 100% of the CPU and mine Monero efficiently." First documented

TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected

TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected
Dec 03, 2020
TrickBot , one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed " TrickBoot " by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to inject malicious code in the UEFI/BIOS firmware of a device, granting the attackers an effective mechanism of persistent malware storage. "This marks a significant step in the evolution of TrickBot as UEFI level implants are the deepest, most powerful, and stealthy form of bootkits," the researchers said. "By adding the ability to canvas victim devices for specific UEFI/BIOS firmware vulnerabilities, TrickBot actors are able to target specific victims with firmware-level persistence that survives re-imaging or even device br

New 'MosaicRegressor' UEFI Bootkit Malware Found Active in the Wild

New 'MosaicRegressor' UEFI Bootkit Malware Found Active in the Wild
Oct 06, 2020
Cybersecurity researchers have spotted a rare kind of potentially dangerous malware that targets a machine's booting process to drop persistent malware. The campaign involved the use of a compromised  UEFI  (or Unified Extensible Firmware Interface) containing a malicious implant, making it the  second known public case  where a UEFI rootkit has been used in the wild. According to  Kaspersky , the rogue UEFI firmware images were modified to incorporate several malicious modules, which were then used to drop malware on victim machines in a series of targeted cyberattacks directed against diplomats and members of an NGO from Africa, Asia, and Europe. Calling the malware framework " MosaicRegressor ," Kaspersky researchers Mark Lechtik, Igor Kuznetsov, and Yury Parshin said a telemetry analysis revealed several dozen victims between 2017 and 2019, all of whom had some ties to North Korea. UEFI is a firmware interface and a replacement for BIOS that improves security, e

Microsoft Launches Free Linux Forensics and Rootkit Malware Detection Service

Microsoft Launches Free Linux Forensics and Rootkit Malware Detection Service
Jul 07, 2020
Microsoft has announced a new free-to-use initiative aimed at uncovering forensic evidence of sabotage on Linux systems, including rootkits and intrusive malware that may otherwise go undetected. The cloud offering, dubbed Project Freta , is a snapshot-based memory forensic mechanism that aims to provide automated full-system volatile memory inspection of virtual machine (VM) snapshots, with capabilities to spot malicious software, kernel rootkits , and other stealthy malware techniques such as process hiding . The project is named after Warsaw's Freta Street , the birthplace of Marie Curie, the famous French-Polish physicist who brought X-ray medical imaging to the battlefield during World War I. "Modern malware is complex, sophisticated, and designed with non-discoverability as a core tenet," said Mike Walker, Microsoft's senior director of New Security Ventures. "Project Freta intends to automate and democratize VM forensics to a point where every us

Dell Releases A New Cybersecurity Utility To Detect BIOS Attacks

Dell Releases A New Cybersecurity Utility To Detect BIOS Attacks
Apr 14, 2020
Computer manufacturing giant Dell has released a new security tool for its commercial customers that aims to protect their computers from stealthy and sophisticated cyberattacks involving the compromise of the BIOS. Dubbed ' SafeBIOS Events & Indicators of Attack ' (IoA), the new endpoint security software is a behavior-based threat detection system that alerts users when BIOS settings of their computers undergo some unusual changes. BIOS (Basic Input Output System) is a small but highly-privileged program that handles critical operations and starts your computer before handing it over to your operating system. Protecting the BIOS program is crucial because: Changes to the system BIOS settings could allow malicious software to run during the boot process, Once a hacker takes over the BIOS, he can stealthily control the targeted computer and gain access to the data stored on it, Malware in BIOS remains persistent and doesn't get away even when you format or

Over 40 Drivers Could Let Hackers Install Persistent Backdoor On Windows PCs

Over 40 Drivers Could Let Hackers Install Persistent Backdoor On Windows PCs
Aug 11, 2019
If you own a device, or a hardware component, manufactured by ASUS, Toshiba, Intel, NVIDIA, Huawei, or other 15 other vendors listed below, you're probably screwed. A team of security researchers has discovered high-risk security vulnerabilities in more than 40 drivers from at least 20 different vendors that could allow attackers to gain most privileged permission on the system and hide malware in a way that remains undetected over time, sometimes for years. For sophisticated attackers, maintaining persistence after compromising a system is one of the most important tasks, and to achieve this, existing hardware vulnerabilities sometimes play an important role. One such component is a device driver, commonly known as a driver or hardware driver, a software program that controls a particular type of hardware device, helping it to communicate with the computer's operating system properly. Since device drivers sit between the hardware and the operating system itself and in

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware
May 29, 2019
Cyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide. Dubbed Nansh0u , the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group who has already infected nearly 50,000 servers and are installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated. The campaign, which dates back to February 26 but was first detected in early-April, has been found delivering 20 different payload versions hosted on various hosting providers. The attack relies on the brute-forcing technique after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner. Upon successful login authentication with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download malicious payload from a remote file server and

Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered

Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered
Apr 16, 2019
A new powerful rootkit-enabled spyware operation has been discovered wherein hackers are distributing multifunctional malware disguised as cracked software or trojanized app posing as legitimate software like video players, drivers and even anti-virus products. While the rootkit malware—dubbed Scranos —which was first discovered late last year, still appears to be a work in progress, it is continuously evolving, testing new components and regularly making an improvement to old components, which makes it a significant threat. Scranos features a modular design that has already gained capabilities to steal login credentials and payment accounts from various popular services, exfiltrate browsing history and cookies, get YouTube subscribers, display ads, as well as download and execute any payload. According to a 48 page in-depth report Bitdefender shared with The Hacker News prior to its release, the malware gains persistence on infected machines by installing a digitally-signed

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild
Sep 27, 2018
Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe. Dubbed LoJax , the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear , Strontium , and Sofacy , to target several government organizations in the Balkans as well as in Central and Eastern Europe. Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election . UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a

3 New CIA-developed Hacking Tools For MacOS & Linux Exposed

3 New CIA-developed Hacking Tools For MacOS & Linux Exposed
Jul 27, 2017
WikiLeaks has just published a new set of classified documents linked to another CIA project, dubbed ' Imperial ,' which reveals details of at least three CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems. If you are a regular reader of THN, you must be aware that this latest revelation by the whistleblower organisation is the part of an ongoing CIA-Vault 7 leaks, marking it as the 18th batch in the series. If you are unaware of the Vault 7 leaks, you can head on to the second of this article for having a brief look on all the leaks at once. Achilles — Tool to Backdoor Mac OS X Disk Images Dubbed Achilles , the hacking tool allows CIA operators to combine malicious Trojan applications with a legitimate Mac OS app into a disk image installer (.DMG) file. The binding tool, the shell script is written in Bash, gives the CIA operators "one or more desired operator specified e

New GhostHook Attack Bypasses Windows 10 PatchGuard Protections

New GhostHook Attack Bypasses Windows 10 PatchGuard Protections
Jun 23, 2017
Vulnerabilities discovered in Microsoft PatchGuard kernel protection could allow hackers to plant rootkits on computers running the company's latest and secure operating system, Windows 10. Researchers at CyberArk Labs have developed a new attack technique which could allow hackers to completely bypass PatchGuard, and hook a malicious kernel code (rootkits) at the kernel level. PatchGuard, or (or Kernel Patch Protection) is a software tool that has been designed to forbid the kernel of 64-bit versions of Windows OS from being patched, preventing hackers from running rootkits or executing malicious code at the kernel level. Dubbed GhostHook , the attack is what the CyberArk Labs researchers call the first attack technique that thwarts the defensive technology to bypass PatchGuard, though it requires a hacker to already be present on a compromised system and running code in the kernel. So, basically, this is a post-exploitation attack. "[GhostHook] is neither an
Cybersecurity Resources