The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed  PureCrypter  that's being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. "The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products," Zscaler's Romain Dumont  said  in a new report. Some of the malware families distributed using PureCrypter include  Agent Tesla ,  Arkei ,  AsyncRAT ,  AZORult ,  DarkCrystal RAT  (DCRat),  LokiBot ,  NanoCore ,  RedLine Stealer ,  Remcos ,  Snake Keylogger , and  Warzone RAT . Sold for a price of $59 by its developer named "PureCoder" for a one-month plan (and $249 for a one-off lifetime purchase) since at least March 2021, PureCrypter is advertised as the "only crypter in the market that uses offline and online delivery technique....

A technically sophisticated threat actor known as  SeaFlower  has been targeting Android and iOS users as part of an extensive campaign that mimics official cryptocurrency wallet websites intending to distribute backdoored apps that drain victims' funds. Said to be first discovered in March 2022, the cluster of activity "hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered," based on the macOS usernames, source code comments in the backdoor code, and its abuse of Alibaba's Content Delivery Network (CDN). "As of today, the main current objective of SeaFlower is to modify Web3 wallets with backdoor code that ultimately exfiltrates the seed phrase," Confiant's Taha Karim  said  in a technical deep-dive of the campaign. Targeted apps include Android and iOS versions of Coinbase Wallet, MetaMask, TokenPocket, and imToken. SeaFlower's modus operandi involves setting up cloned websites that act as a conduit to download ...

A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called  PingPull , the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol ( ICMP ) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today. Gallium is notorious for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name  Soft Cell  by Cybereason, the state-sponsored actor has been  connected  to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017. Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia...

Cybersecurity researchers have disclosed details of two medium-security flaws in Mitel 6800/6900 desk phones that, if successfully exploited, could allow an attacker to gain root privileges on the devices. Tracked as  CVE-2022-29854  and  CVE-2022-29855  (CVSS score: 6.8), the access control issues were discovered by German penetration testing firm SySS, following which patches were shipped in May 2022. "Due to this undocumented backdoor, an attacker with physical access to a vulnerable desk phone can gain root access by pressing specific keys on system boot, and then connect to a provided Telnet service as root user," SySS researcher Matthias Deeg said in a statement shared with The Hacker News. Specifically, the issue relates to a previously unknown functionality present in a shell script ("check_mft.sh") in the phones' firmware that's designed to be executed at system boot. "The shell script 'check_mft.sh,' which is located in the direc...

BPFDoor isn't new to the  cyberattack  game — in fact, it's gone undetected for years — but PwC researchers discovered the piece of malware in 2021. Subsequently, the cybersecurity community is learning more about the  stealthy nature of malware , how it works, and how it can be prevented. What's BPFDoor? BPFDoor  is a piece of malware associated with China-based threat actor Red Menshen that has hit mostly Linux operating systems. It's undetected by firewalls and goes unnoticed by most detection systems — so unnoticed that it's been a work in progress over the last five years, going through various phases of development and complexity. How Does It Work? BPF stands for Berkley Packet Filters, which is appropriate given that the virus exploits packet filters. BPFDoor uses BPF " sniffers " to see all network traffic and find vulnerabilities. Packet filters are programs that analyze "packets" (files, metadata, network traffic) and permit or dec...

Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts. "Unlike other ransomware groups, this ransomware family doesn't have an active leak site; instead it prefers to direct the impacted victim to negotiations through  Tox chat  and onion-based messenger instances," Daniel Bunce and Doel Santos, security researchers from Palo Alto Networks Unit 42,  said  in a new write-up. HelloXD  surfaced in the wild on November 30, 2021, and is based off leaked code from Babuk, which was  published  on a Russian-language cybercrime forum in September 2021. The ransomware family is no exception to the norm in that the operators follow the tried-and-tested approach of  double extortion  to demand cryptocurrency payments by exfiltrating a victim's sensitive data in addition to encrypting it and threateni...

The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East. "The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar  said  in a report published last week. "The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements." DNS hijacking is a  redirection attack  in which DNS queries to genuine websites are intercepted to take an unsuspecting user to fraudulent pages under an adversary's control. Unlike  cache poisoning , DNS hijacking targets the DNS record of the website on the nameserver, rather than a resolver's cache. Lyceum , also known as Hexane, Spirli...