The Hacker News - Cybersecurity News and Analysis: Search results for malware

The operators of TrickBot malware have infected an estimated 140,000 victims across 149 countries a little over a year after attempts were to dismantle its infrastructure, even as the advanced Trojan is fast becoming an entry point for Emotet, another botnet that was taken down at the start of 2021. Most of the victims detected since November 1, 2020, are from Portugal (18%), the U.S. (14%), and India (5%), followed by Brazil (4%), Turkey (3%), Russia (3%), and China (3%), Check Point Research noted in a report shared with The Hacker News, with government, finance, and manufacturing entities emerging the top affected industry verticals. "Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines," said the researchers, who detected 223 different Trickbot campaigns over the course of the last six months. Both TrickBot and Emotet are botnets, which are a network of internet-connected devices infe

Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. Dubbed " Oscorp " by Italy's CERT-AGID and spotted by  AddressIntel , the malware "induce(s) the user to install an accessibility service with which [the attackers] can read what is present and what is typed on the screen." So named because of the title of the login page of its command-and-control (C2) server, the malicious APK (called "Assistenzaclienti.apk" or "Customer Protection") is  distributed  via a domain named "supportoapp[.]com," which upon installation, requests intrusive permissions to enable the accessibility service and establishes communications with a C2 server to retrieve additional commands. Furthermore, the malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage stati

The year 2014 starts with the formation of new mobile malware like ' Android . HeHe ', with the ability to steal text messages, intercept phone calls, and other malware such as ' XXXX . apk ' uses WiFi networks or hotspots to steal information, infected more than 24,000 Devices. But it should not be forgotten by us that 2014 marks the 10th Anniversary of the World's First mobile malware . FortiGuard Labs has published a whitepaper  that briefly explains the major mobile threats from 'Cabir' to 'FakeDefend' over the last decade. The world's first mobile malware was ' Cabir ', detected in 2004 when mobiles were not so popular among all of us. It was developed by the group of hackers known as 29A , designed to infect the Nokia Series 60 , the most popular Smartphone platform with tens of millions users worldwide at that time. The name " Caribe " appears on the screen of the infected phones and the worm spreads itself by seeking other devices such as

SCADA system has always been an interesting target for cyber crooks, given the success of Stuxnet malware that was developed by the US and Israeli together to sabotage the Iranian nuclear facilities a few years ago, and " Havex " that previously targeted organizations in the energy sector. Now once again, hackers have used highly destructive malware and infected, at least, three regional power authorities in Ukraine, causing blackouts across the Ivano-Frankivsk region of Ukraine on 23rd December. The energy ministry confirmed it was investigating claims a cyber attack disrupted local energy provider Prykarpattyaoblenergo, causing the power outage that left half of the homes in Ivano-Frankivsk without electricity just before Christmas. According to a Ukrainian news service TSN, the outage was the result of nasty malware that disconnected electrical substations. Related Read: Dragonfly Russian Hackers Target 1000 Western Energy Firms . First Malware to

Shortly after Cisco's released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack. Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices  in 54 countries and likely been designed by Russia-baked state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday. Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home offices (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-access storage (NAS) devices. Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communic

More than 100 Pakistani Government Sites Under Malware attack Website Malware : A newer form of malware is what can be found attacking websites today. In the old days malware was mostly in the form of computer viruses. In today's age of globalization, malware starts to target websites and mobile devices.  Almost 100's of Pakistan Government sites are under attack by Godzilla Malware, Which is Created and implemented by an Indian Hacker. Hacker named " Godzilla " publish a list of all Freezed sites list here  ,including Peshawar Electric Supply Company website (www.pesco.gov.pk), Ministry of Information and Broadcasting - Government of Pakistan website (www.infopak.gov.pk), Pakistan Navy website (www.paknavy.gov.pk) and Many more. Hacker said," The malware is freezing the sever and if the server is changed then banner of malware hits the live ip.. " Today malware is much more sinister. It is backed up by an industry which some estimate at $2 billion a

Almost two months after releasing details of 23 different secret CIA hacking tool projects under Vault 7 series , Wikileaks today announced a new Vault 8 series that will reveal source codes and information about the backend infrastructure developed by the CIA hackers. Not just announcement, but the whistleblower organisation has also published its first batch of Vault 8 leak, releasing source code and development logs of Project Hive —a significant backend component the agency used to remotely control its malware covertly. In April this year, WikiLeaks disclosed a brief information about Project Hive , revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands to execute specific tasks on the targets and receive exfiltrated information from the target machines. Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used

In a joint effort by several law enforcement agencies from 6 different countries, officials have dismantled a major global organized cybercrime network behind GozNym banking malware . GozNym banking malware is responsible for stealing nearly $100 million from over 41,000 victims across the globe, primarily in the United States and Europe, for years. GozNym was created by combining two known powerful Trojans—Gozi ISFB malware, a banking Trojan that first appeared in 2012 and Nymaim, a Trojan downloader that can also function as ransomware. In a press conference held on Thursday, Europol said the operation was successfully conducted with the cooperation between Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States. The United States has charged ten members of the GozNym criminal network, 5 of which were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine. However, rest of the five defendants reside in Russia and a

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices. "The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol," Trend Micro  said  in a report published Thursday. PrivateLoader, as documented by Intel 471 in February 2022, functions as a downloader responsible for downloading and installing additional malware onto the infected system, including SmokeLoader, RedLine Stealer, Vidar, Raccoon, GCleaner, and  Anubis . Featuring anti-analysis techniques, PrivateLoader is written in the C++ programming language and is said to be in active development, with the downloader malware family gaining traction among multiple threat ac

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts. Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on DarthMiner, another Mac malware that was detected in December last year. Uncovered by Palo Alto Networks' Unit 42 security research team, CookieMiner also covertly installs coin mining software onto the infected Mac machines to secretly mine for additional cryptocurrency by consuming the targeted Mac's system resources. In the case of CookieMiner, the software is apparently geared toward mining "Koto," a lesser-known, privacy-oriented cryptocurrency which is mostly used in Japan. However, the most interesting capabilities of the new Mac malware is to steal: Both Google Chro

Advanced Persistent Threat (APT) type attacks continue to emerge on a global scale. What makes these attacks deviate from the norm is often the resources required to develop and implement them: time, money, and the knowledge required to create custom pieces of malware to carry out specific, targeted attacks. Operation Lotus Blossom is one of the more recent APT attacks that has been discovered and analyzed. It is an advanced adversary campaign against the mostly government and state-sponsored entities in the Philippines, Hong Kong, Vietnam, and Indonesia. It is thought that this group carried out the attack to gain a geopolitical advantage by stealing specific information from government and military institutions in that area.  At this point, it is still too early to tell if the reach of the attack will extend to the private sector (a la Stuxnet and Duqu). How does the attack work? It was found that Operation Lotus Blossom involved a novel custom-built malware

Cybersecurity researchers today took the wraps off a sophisticated, multi-functional peer-to-peer (P2P) botnet written in Golang that has been actively targeting SSH servers since January 2020. Called " FritzFrog ," the modular, multi-threaded and file-less botnet has breached more than 500 servers to date, infecting well-known universities in the US and Europe, and a railway company, according to a report released by Guardicore Labs today. "With its decentralized infrastructure, it distributes control among all its nodes," Guardicore 's Ophir Harpaz said. "In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date." In addition to implementing a proprietary P2P protocol that's been written from scratch, the communications are done over an encrypted channel, with the malware capable of creating a backdoor on victim systems that grants continued access fo

Security researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office. Dubbed Zyklon , the fully-featured malware has resurfaced after almost two years and primarily found targeting telecommunications, insurance and financial services. Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over Tor anonymising network and allows attackers to remotely steal keylogs, sensitive data, like passwords stored in web browsers and email clients. Zyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining. Different versions of the Zyklon malware has previously been found being advertised on a popular underground marketplace for $75 (normal build) and $125 ( Tor-enabled build). According to a recently published report

Clickjacking Vulnerability in Telegram Web Client The official Telegram web-client that allows its users to access messenger account over desktop's web browser is vulnerable to clickjacking web application vulnerability. Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Telegram that could allow an attacker to change sensitive information of a Telegram user, including password and the recovery e-mail. [ Watch Video Demo ] "Telegram web client is not protecting itself from clickjacking with the typical X-Frame-Options header but uses a JS frame busting technique to prevent the website to be iframed," Mohamed says. However, by exploiting one of HTML5 Features, Mohamed was able to open the Telegram account's settings page with a sandboxed iframe to prevent redirecting to top window, which also allows him to execute cross-site request forgery (csrf) vulnerability on the web-client. " I sent [bug report] it to them [Telegram team]

Security researchers at Kaspersky Labs have uncovered a new, complex malware campaign that has been targeting customers of several Mexican banking institutions since at least 2013. Dubbed Dark Tequila , the campaign delivers an advanced keylogger malware that managed to stay under the radar for five years due to its highly targeted nature and a few evasion techniques. Dark Tequila has primarily been designed to steal victims' financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars. The list of targeted sites includes "Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services," the researchers say in a blog post . The malware gets delivered to the victims' comp

Even after many efforts made by Google last year, malicious apps always somehow manage to make their ways into Google app store. Security researchers have now discovered a new piece of malware, dubbed GhostTeam , in at least 56 applications on Google Play Store that is designed to steal Facebook login credentials and aggressively display pop-up advertisements to users. Discovered independently by two cybersecurity firms, Trend Micro and Avast , the malicious apps disguise as various utility (such as the flashlight, QR code scanner, and compass), performance-boosting (like file-transfer and cleaner), entertainment, lifestyle and video downloader apps. Like most malware apps, these Android apps themselves don't contain any malicious code, which is why they managed to end up on Google's official Play Store. Once installed, it first confirms if the device is not an emulator or a virtual environment and then accordingly downloads the malware payload, which prompts the victim to

Industrial and government organizations, including enterprises in the military-industrial complex and research laboratories, are the targets of a new malware botnet dubbed  PseudoManyscrypt  that has infected roughly 35,000 Windows computers this year alone. The name comes from its similarities to the  Manuscrypt   malware , which is part of the  Lazarus  APT group's attack toolset, Kaspersky researchers said, characterizing the operation as a "mass-scale spyware attack campaign." The Russian cybersecurity company said it first detected the series of intrusions in June 2021. At least 7.2% of all computers attacked by the malware are part of industrial control systems (ICS) used by organizations in engineering, building automation, energy, manufacturing, construction, utilities, and water management sectors that are located mainly in India, Vietnam, and Russia. Approximately a third (29.4%) of non-ICS computers are situated in Russia (10.1%), India (10%), and Brazil (9.

A new powerful rootkit-enabled spyware operation has been discovered wherein hackers are distributing multifunctional malware disguised as cracked software or trojanized app posing as legitimate software like video players, drivers and even anti-virus products. While the rootkit malware—dubbed Scranos —which was first discovered late last year, still appears to be a work in progress, it is continuously evolving, testing new components and regularly making an improvement to old components, which makes it a significant threat. Scranos features a modular design that has already gained capabilities to steal login credentials and payment accounts from various popular services, exfiltrate browsing history and cookies, get YouTube subscribers, display ads, as well as download and execute any payload. According to a 48 page in-depth report Bitdefender shared with The Hacker News prior to its release, the malware gains persistence on infected machines by installing a digitally-signed