The Extended Reach of the Extension Trojan Campaign in the DNS


The ReasonLabs Research Team uncovered a new widespread polymorphic malware campaign that forcefully installed extensions on users’ systems. The Trojan comes in various forms ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands. The Extension Trojan has reportedly already affected at least 300,000 Google Chrome and Microsoft Edge users.

How far does the reach of the Extension Trojan campaign go in the DNS? The WhoisXML API research team sought to find out by expanding a list of 22 domains identified as indicators of compromise (IoCs). Our DNS deep dive led to the discovery of:

  • 84 email-connected domains
  • 28 IP addresses, 24 of which turned out to be malicious
  • 38 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More Information about the IoCs

As per usual, we began our analysis by attempting to know more about the IoCs. We queried the 22 domains tagged as IoCs on Bulk WHOIS Lookup and found that:

  • Only 19 of them had public current WHOIS record data.
  • Namecheap, Inc. was the top registrar, accounting for 16 domain IoCs. The three remaining IoCs were split among two other registrars—Cloudflare, Inc. administered two while Danesco Trading Ltd. managed one.
  • The threat actors used domains newly registered when they were weaponized starting in 2021 around the time the trojan was first seen. Seven domain IoCs each were created in 2021 and 2024. Four were created in 2022 and one in 2023.
  • A majority of the domain IoCs, 16 to be exact, were registered in Iceland. Two were registered in Israel and one didn’t have a registrant country in its current WHOIS record.

IoC List Expansion Results

In a bid to find more artifacts possibly connected to the Extension Trojan, we queried the 20 domains identified as IoCs on WHOIS History API. That led to the discovery of 26 email addresses in their historical WHOIS records, four of which were public.

Querying the four public email addresses on Reverse WHOIS API allowed us to uncover 84 email-connected domains…

Source…

Millions of Android streaming boxes hit by damaging malware


More than a million TV streaming boxes running older versions of Android are currently infected with malware which could allow hackers to take over the devices, experts have warned.

Cybersecurity researchers from Dr.Web recently discovered 1.3 million TV streaming boxes, powered by the Android Open Source Project, infected with a piece of malware called Vo1d.

Source…

Targeted Iranian Attacks Against Iraqi Government Infrastructure


Key Findings

  • Check Point Research discovered a new set of malware called Veaty and Spearal that was used in attacks against different Iraqi entities including government networks.
  • The malware samples described in this report use a variety of techniques including a passive IIS backdoor, DNS tunneling, and C2 communication via compromised email accounts.
  • The passive IIS backdoor appears to be a newer variant of the backdoor reported by ESET as employed by the IIS Group 2 (also attributed by Symantec to GreenBug aka APT34).
  • The malware has multiple ties to previously described APT34 malware families such as Karkoff, Saitama, and IIS Group 2 operating in the same region. Those malware families are affiliated with the Iranian Ministry of Intelligence and Security (MOIS).

Introduction

Check Point Research (CPR) has been closely monitoring a campaign targeting the Iraqi government over the past few months. This campaign features a custom toolset and infrastructure for specific targets and uses a combination of techniques commonly associated with Iranian threat actors operating in the region.

The toolset used in this targeted campaign employs unique Command and Control (C2) mechanisms, including a custom DNS tunneling protocol and a tailor-made email based C2 channel. The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim’s networks.

Using such distinctive C2 mechanisms, along with other attack-related artifacts such as malicious IIS modules, suggests possible connections to APT34, an Iranian MOIS-affiliated group. The malware families and methodology employed overlap with the Karkoff, Saitama, and IIS Group 2 clusters, all of which have ties to APT34.

Initial Infection

The initial infection for the newly discovered campaign is kicked off by a series of files that use double extensions to masquerade as document attachments. Examples of the file names include Avamer.pdf.exe, Protocol.pdf.exe, and IraqiDoc.docx.rar. We also observed an infection that starts with an installer called ncms_demo.msi. All these files were uploaded to VirusTotal (VT) from Iraq in the months of March-May 2024. The…
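The double-extension lure described above is simple to flag at the mail gateway or in download logs. The following is an added defensive example, not code from Check Point Research: it reports a filename whose final extension is executable or an archive while the extension just before it is a document type, so names like Avamer.pdf.exe are caught while ncms_demo.msi and backup.tar.gz are not. The two extension sets are assumptions chosen for illustration and should be tuned to the environment.

```python
import os
from typing import Optional, Tuple

# Extensions a lure pretends to be (what the recipient expects to open). Assumed set.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}
# Extensions that execute or unpack to something executable. Assumed set.
RISKY_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "rar", "zip", "7z"}


def deceptive_double_extension(filename: str) -> Optional[Tuple[str, str]]:
    """Return (lure_ext, real_ext) when `filename` looks like name.<document>.<risky>,
    otherwise None. Matching is case-insensitive and only the last path
    component is inspected, so Windows paths can be passed straight from a log."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 3:  # needs at least name.lure.real
        return None
    real_ext, lure_ext = parts[-1], parts[-2]
    if real_ext in RISKY_EXTS and lure_ext in DOCUMENT_EXTS:
        return lure_ext, real_ext
    return None


def scan_names(names):
    """Return the subset of `names` that carry a deceptive double extension."""
    return [n for n in names if deceptive_double_extension(n) is not None]


# Constructed sample: the three lure names from the report plus benign names.
SAMPLE_NAMES = [
    "Avamer.pdf.exe",
    "Protocol.pdf.exe",
    "IraqiDoc.docx.rar",
    "ncms_demo.msi",                              # single extension, not a lure
    "backup.tar.gz",                              # archive chain, no document lure
    "report.final.pdf",                           # ends in a document type
    "C:\\Users\\x\\Downloads\\Invoice.PDF.SCR",   # full path, mixed case
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name} -> {deceptive_double_extension(name)}")
```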

Source…

Chinese hackers are switching to new malware for government attacks


Chinese state-sponsored threat actor Mustang Panda (also known as LuminousMoth, Camaro Dragon, HoneyMyte, and more), has been found launching malware campaigns against high value targets, including government agencies in Asia.

The group used a variant of the HIUPAN worm to deliver PUBLOAD malware into the networks of its targets via removable drives. The HIUPAN worm moved all its files into a hidden directory to obscure its presence, and left only one seemingly legitimate file visible (“USBConfig.exe”) to trick the user.

Source…