Tag Archive for: abused

GitHub, NPM registry abused to host SSH key-stealing malware


Malicious NPM packages designed to upload stolen SSH keys to GitHub were discovered by software threat researchers this month.

GitHub removed two packages from the NPM registry in early January — warbeast2000 and kodiak2k — both of which were designed to grab private SSH keys from machines they are installed on and store the keys on an attacker-controlled GitHub repository.

The SSH key-stealing malware tools were first discovered by researchers at ReversingLabs using the company’s Software Supply Chain Security platform. The malicious packages were found during the first week of January 2024 and removed by the GitHub-owned NPM registry shortly after they were reported.

The details of warbeast2000 and kodiak2k were first disclosed by ReversingLabs in a blog post on Jan. 23.

“Since there are instructions in the code’s comments, the [package] author’s intention is possibly to share malicious code with other malicious actors,” Lucija Valentić, a software threat researcher at ReversingLabs and author of the blog post, told SC Media. “They may also be hoping for developers and users to download and install warbeast2000 and kodiak2k.”

Software developers at risk from dangerous NPM packages

The warbeast2000 and kodiak2k packages both use a postinstall script to retrieve additional JavaScript code from an external source and execute it on a victim’s machine. At least one of the packages (warbeast2000) retrieves this second malicious script from a Pastebin address.

The payload installed and executed by warbeast2000 targets the id_rsa file located in the .ssh directory within the victim’s home directory to grab the private SSH key stored there. id_rsa is the default file name for SSH keys generated by ssh-keygen, which is standard on Unix, Linux and macOS systems as well as Git for Windows.

After reading the private SSH key, warbeast2000’s final payload copies the key, encodes it in Base64 and uploads it to a GitHub repository controlled by the attacker. Warbeast2000 has no other functions and does not appear to imitate other legitimate packages.

Kodiak2k’s payload works similarly to warbeast2000’s, but instead of going after id_rsa, it searches (home…


Microsoft Disabled App Installer Abused by Hackers


Threat actors, particularly those with financial motivations, have been observed spreading malware via the ms-appinstaller URI scheme (App Installer). As a result of this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.

“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence team said.

Threat actors have probably chosen the ms-appinstaller protocol handler as a vector because it can bypass security measures such as Microsoft Defender SmartScreen and the built-in browser warnings for downloading executable file types, both of which are intended to protect users from malware.

Microsoft Threat Intelligence has identified App Installer as a point of entry for human-operated ransomware activities by several actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.

Spoofing legitimate applications, tricking users into installing malicious MSIX packages that look like legitimate applications, and avoiding detections on the initial installation files are some of the activities that have been noticed.

Financially Motivated Threat Actors Abusing App Installer

Microsoft discovered that Storm-0569 was using search engine optimization (SEO) poisoning to spread BATLOADER by impersonating websites that offered legitimate downloads, including AnyDesk, Zoom, Tableau, and TeamViewer. 

When a user searches on Bing or Google for a legitimate software application, they could see links to malicious installers using the ms-appinstaller protocol on a landing page that mimics the landing pages of the actual software provider. A prominent social engineering technique involves spoofing and imitating…


Cyber gang abused free trials to exploit public cloud CPU resources


A South Africa-based threat actor known as Automated Libra has been observed adopting increasingly sophisticated techniques to conduct a widespread freejacking campaign against various public cloud services.

Freejacking is the act of using free or time-limited access to public cloud resources – such as introductory trial offers – to perform illicit cryptomining.

The campaign was initially dubbed PurpleUrchin by researchers at cloud and container security specialist Sysdig, which uncovered it last year while analysing some publicly shared containers and suspicious activity emanating from a Docker Hub account.

At the time, Sysdig told Computer Weekly’s sister site SearchSecurity that its research team had not been able to establish how long the campaign had been running. However, Palo Alto Networks’ Unit 42 team has since analysed over 250GB of data, including container data and system access logs, and hundreds of indicators of compromise, and is now able to shed more light on the campaign and those behind it.

Unit 42 said PurpleUrchin – which reached a peak of activity in November 2022 – was set up as long ago as 2019 and had previously been highly active during the second half of 2021.

In the campaign, the Automated Libra gang stole compute resources from several service platforms using “play-and-run” tactics – akin to a so-called “dine-and-dash” in a restaurant – where they exploited the on-offer resources until they ran out and then did not pay their bills, which in some cases were close to $200 per account.

Unit 42 found that Automated Libra was able to create and use more than 130,000 fake accounts on limited use platforms such as GitHub, Heroku and Togglebox using stolen or fake credit cards, and deployed an architecture that used standard DevOps continuous integration and delivery (CI/CD) techniques to automate the business of standing up these accounts and running them to perform cryptomining activities on a massive scale.

Among other things, they became able to bypass or resolve CAPTCHAs designed to weed out fake accounts, increase the number of accounts created – three to five per minute on GitHub at one point – and use as much CPU…


Unity: IronSource malware came from “bad actors who abused the platform”


Engine provider responds to backlash over merger, says IronSource desktop business was “spun off several years ago”

Unity has responded to criticism concerning its merger with IronSource, which has been labelled a malware provider by various developers on social media.

As discussed in today’s This Week In Business, the $4.4 billion deal has sparked complaints stemming from an incident where IronSource’s first product was classified as malware.

InstallCore was an installation program for internet-based applications launched in 2010, but within a few years it had been blocked by software such as Malwarebytes and even Microsoft’s Windows platform for installing unwanted programs.

The program was later discontinued, but developers have shared their frustration at Unity bringing a company associated with malware into the fold.

In a statement to GamesIndustry.biz, a Unity spokesperson assured that IronSource no longer delivers such a program.

“We are seeing developers talking negatively about IronSource’s involvement in malware campaigns or being behind malware spreading, referencing old articles about a historical desktop activity that was deprecated and spun off several years ago,” the company said.

“Like any large-scale desktop advertising platform, despite monitoring and enforcement, the desktop platform occasionally suffered from ‘bad actors’ who tried to abuse the platform.

“IronSource has long focused on developing products for mobile game and app developers and doesn’t operate any desktop software distribution platforms today.”

The merger was announced on Wednesday, and is expected to close in Q4 2022.
