Tag: Decoy | SpinSafe

Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

December 22, 2023/in Computer Security

Dec 22, 2023NewsroomSocial Engineering / Malware Analysis

A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.

“Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers’ unfamiliarity can hamper their investigation,” Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said.

Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it.

This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti.

The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when opened, urges the recipient to enable macros to activate the deployment of the Nim malware. The email sender disguises themselves as a Nepali government official.

Once launched, the implant is responsible for enumerating running processes to determine the existence of known analysis tools on the infected host and promptly terminate itself should it find one.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust – Webinar for Security Professionals

Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.

Join Now

Otherwise, the backdoor establishes connections with a remote server that mimics a government domain from Nepal, including the National Information Technology Center (NITC) and awaits further instructions. The command-and-control (C2) servers are no longer accessible –

mail[.]mofa[.]govnp[.]org
nitc[.]govnp[.]org
mx1[.]nepal[.]govnp[.]org
dns[.]govnp[.]org

“Nim is a statically typed compiled programming language,” the researchers said. “Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different…

Source…

Infoblox discovers rare Decoy Dog C2 exploit

May 3, 2023/in Internet Security

Domain security firm Infoblox discovered a command-and-control exploit that, while extremely rare and complex, could be a warning growl from a new, as-yet anonymous state actor.

Illustrated rat wearing sunglasses in front of a blue background — Image: andrenascimento/Adobe Stock

If you do a search for the most recent reports on Domain Name System attacks, you may have a hard time finding one since IDC’s 2021 report noting that in 2020, 87% of organizations experienced a DNS attack during 2020.

The fact that DNS isn’t front-of-mind nomenclature for many attacks that actually put DNS in the attack chain may have to do with the security alphabet soup of DNS over TLS or HTTP. As a CloudFlare report explains, TLS and HTTP encrypt plaintext DNS queries, keeping browsing secure and private.

SEE: Google’s 2FA may lack encryption, meaning unlocked doors to mobile devices

Still, Akamai’s Q3 DNS threat report noted a 40% increase in DNS attacks in that quarter last year, and 14% of all protected devices communicated with a malicious designation at least once in the third quarter last year.

Jump to:

Infoblox Threat Intelligence Group, which says it analyzes billions of DNS records and millions of domain-related records each day, has reported a new malware toolkit called Decoy Dog that uses a remote access trojan called Pupy.

Renée Burton, senior director threat intelligence at Infoblox, said Pupy is an open-source product that is very difficult to use and not well documented. Infoblox found that the Decoy Dog toolkit that uses Pupy in fewer than 3% of all networks, and that the threat actor who has control of Decoy Dog is connected to just 18 domains.

“We discovered it through our series of anomaly detectors and learned that Decoy Dog activities have been operating a data exfiltration command and control, or C2, system for over a year, starting early April 2022,” Burton said. “Nobody else knew.”

Russian hound

When Infoblox analyzed the queries in external global DNS data, the firm’s researchers found that the Decoy Dog C2 originated almost exclusively from hosts in Russia.

“One of the main dangers is nobody knows what it is,” Burton said. “That means something is compromised and someone…

Source…

World War 3: Russia And China Could Use North Korea As Decoy To Launch Attacks Against US, Expert Warns – The Inquisitr

October 22, 2017/in Internet Security

The Inquisitr

World War 3: Russia And China Could Use North Korea As Decoy To Launch Attacks Against US, Expert Warns
The Inquisitr
However, Morris, vice president of NexDefense, warned that Russia and China could be using North Korea as a decoy to cloak their attacks against the West, according to Express. He argued that Russian and Chinese hackers could be faking North Korean …

and more »

China hackers – read more

Tag Archive for: Decoy

Russian hound