Tag Archive for: Deliver

Beware of encrypted PDFs as the latest trick to deliver malware to you

/in


Russian-backed hackers are using malware disguised as a PDF encryption tool to steal your information. According to the Threat Analysis Group report, COLDRIVER will send victims encrypted PDFs. When the unsuspecting victim replies saying they can’t see the PDF, the group will send a download link that poses as an encryption tool. But it’s really malware.

According to Threat Analysis Group (TAG), which is a specialized team within Google that focuses on identifying and countering various security threats, COLDRIVER primarily deals with phishing attacks. So this new malware-based attack is relatively new territory for the group.

 

COLDRIVER’s backdoor malware attack

The attack itself is pretty simple. As previously mentioned, attackers will send an encrypted PDF and then a malware-loaded “encryption tool” once the victims respond. That “encryption tool” will even display a fake PDF document to really sell the ruse. However, it’s really backdooring a piece of malware called Spica into your device.

Spica will steal cookies from Google Chrome, FireFox, Edge and Opera in order to get your information. Google says it’s been in play since September 2023. However, there are instances of COLDRIVER dating back to 2022.

Google says it’s added all domains, websites and files involved in the attacks to its Safe Browsing service. The company has also notified targeted users that they were at risk of an attack.

MORE: HOW CRYPTO IMPOSTERS ARE USING CALENDLY TO INFECT MACS WITH MALWARE 

 

How to protect yourself

1) Don’t download bootleg software: It’s not worth the risk to download bootleg software. It exposes your device to potential security threats, such as viruses and spyware.  If someone emails you a link for a download, make sure it’s from a reputable source and scan it. Downloading software from reputable app stores is definitely the way to go to protect your devices.

2) Don’t click on suspicious links or files: If you encounter a link that looks suspicious, misspelled, or unfamiliar, avoid clicking on it. Instead, consider going directly to the company’s website by manually typing in the web address or searching for it in a trusted search engine….

Source…

Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

/in


Dec 22, 2023NewsroomSocial Engineering / Malware Analysis

Nim-Based Malware

A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.

“Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers’ unfamiliarity can hamper their investigation,” Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said.

Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it.

This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti.

The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when opened, urges the recipient to enable macros to activate the deployment of the Nim malware. The email sender disguises themselves as a Nepali government official.

Once launched, the implant is responsible for enumerating running processes to determine the existence of known analysis tools on the infected host and promptly terminate itself should it find one.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust – Webinar for Security Professionals

Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.

Join Now

Otherwise, the backdoor establishes connections with a remote server that mimics a government domain from Nepal, including the National Information Technology Center (NITC) and awaits further instructions. The command-and-control (C2) servers are no longer accessible –

  • mail[.]mofa[.]govnp[.]org
  • nitc[.]govnp[.]org
  • mx1[.]nepal[.]govnp[.]org
  • dns[.]govnp[.]org

“Nim is a statically typed compiled programming language,” the researchers said. “Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different…

Source…

Konni Group Use Weaponized Word Documents Deliver RAT Malware

/in


In the ever-evolving cybersecurity domain, the resurgence of NetSupport RAT, a Remote Access Trojan (RAT), has raised concerns among security professionals. 

This sophisticated malware, initially developed as a legitimate remote administration tool, has been repurposed by malicious actors to infiltrate systems and establish remote control.

NetSupport Manager, the software upon which NetSupport RAT is based, originated as a genuine remote technical support tool three decades ago. 

It provided capabilities for file transfers, support chat, inventory management, and remote access. 

While its initial purpose was legitimate, threat actors have exploited its functionalities for malicious purposes.

Document

Free Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

In collaboration with the Threat Analysis Unit, the Carbon Black Managed Detection & Response (MDR) team has witnessed a significant increase in NetSupport RAT infections in recent weeks. 

This surge primarily affects Education, Government, and Business Services organizations.

Delivery Mechanisms and Actor Landscape

The distribution of NetSupport RAT involves a variety of tactics, including fraudulent updates, drive-by downloads, exploitation of malware loaders like GhostPulse, and phishing campaigns. 

Unlike some malware exclusively utilized by specific threat actors, NetSupport RAT has been employed by a range of malicious entities, from novice hackers to sophisticated adversaries.

Recent NetSupport RAT attacks typically involve tricking victims into downloading fake browser updates from compromised websites. 

The initial infection process may vary depending on the specific threat actor’s methodology.

One observed infection scenario involves a victim downloading a fake browser update from a compromised website. 

This update hosts a PHP script that displays a seemingly authentic update prompt. 

Upon…

Source…

Threat Actors Use Abnormal Certificates to Deliver Info-stealing Malware

/in


Threat Actors Use Abnormal Certificates to Deliver Info-stealing Malware

Malicious certificates can be highly dangerous as they can be used to deceive users into trusting malicious websites or software.

This can lead to various security threats, including:-

  • Data breaches
  • Malware infections
  • Phishing attacks
  • Compromise user privacy
  • Compromise system integrity

Cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) recently identified that threat actors are exploiting abnormal certificates to deliver info-stealing malware.

Document

FREE Demo

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware


Technical Analysis

Malicious code mimics certificates with randomly entered info, causing unusually long Subject and Issuer Names.

Certificate info remains hidden in Windows, which is only detectable with specific tools. So, the incorrect certificate and its information are useless for signature verification.

The signature uses non-English languages and special characters and shows little variation for over two months, suggesting a specific intention.

Signature information
Signature information (Source – ASEC)

The distributed sample is a URL-encoded malicious script that fails to download and execute Powershell commands, remaining inactive in the infection process.

Two distinct malware types with this distinctive appearance are distributed. And here below, we have mentioned them:

  • LummaC2: LummaC2 is the most adaptable malware in this distribution. Originally, it had self-contained malicious actions, but now it downloads configs from C2 and can install other malware like Amadey and Clipbanker.
  • RecordBreaker: RecoreBreaker, aka Raccoon Stealer V2, spreads through YouTube and other malware. It employs a unique User-Agent value like ‘GeekingToTheMoon’ when connecting to C2, but its functionality remains largely unchanged.

Both malware types excel in information theft, potentially exposing sensitive user data like browser…

Source…