Tag Archive for: distribute

North Korean Lazarus Hacking Group Leverages Supply Chain Attacks To Distribute Malware for Cyber Espionage

/in


North Korean threat actor Lazarus group has resorted to supply chain attacks similar to SolarWinds and Kaseya to compromise the regime’s targets, according to cybersecurity firm Kaspersky.

Kaspersky’s Q3 2021 APT Trends report says that “Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.”

The APT group compromised a South Korean think tank using two remote access trojan (RAT) variants BLINDINGCAN and COPPERHEDGE. The DHS Cybersecurity & Infrastructure Security Agency (CISA) had issued security alerts AR20-232A and AR20-133A over these trojans.

According to the researchers, Lazarus’ recent activity is part of a broader international campaign leveraging supply chain attacks.

Identified by US-CERT and the FBI as HIDDEN COBRA, the group was suspected to be responsible for the WannaCry ransomware and the Sony Picture Entertainment hacking that escalated tensions between the US and North Korea.

Lazarus’ supply chain attacks target atypical victims

Experts believe that Lazarus is expanding its victim base beyond that of Asian government agencies and policy think tanks.

Kaspersky researchers discovered that the hacking group had targeted a Latvian tech firm developing asset monitoring solutions, an atypical victim for Lazarus.

During the attack, the North Korean APT deployed a compromised downloader “Racket” signed with a stolen digital certificate. The hacking group had stolen the digital certificate from a US-based South Korean security company.

According to Kaspersky, the APT compromised multiple servers and uploaded several malicious scripts in the process. The group used the malicious scripts to control the trojans installed on downstream victims.

“North Korea once again figures prominently in an attack, although it doesn’t appear to be the government this time, at least not directly,” said Saryu Nayyar, CEO at Gurucul.

“Government-sponsored attacks continue to be a major issue for other governments and enterprises. Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early…

Source…

Security researcher: Criminals use Discord to distribute malware

/in


According to security researchers, the content delivery network (CDN) of the voice and text chat platform Discord is increasingly being misused by criminals to spread malware. The security company Sophos writes that four percent of their malware downloads examined came from Discord in the second quarter of this year. Users can upload and exchange files via Discord. According to Sophos, this has a number of advantages for cyber criminals.

Overall, Sophos found 14,000 malicious files on the Discord CDN and sees an upward trend. So that criminals can place their malicious software there, all they need is a chat room that anyone can set up free of charge. As soon as a file is uploaded, it lands on cdn.discordapp.com. In this Google Cloud Storage, Trojans can then be reached all over the world via a fast CDN.

Files can be called up directly

Discord uploads files to its CDN, but no longer deletes them.

(Image: screenshot)

The special thing about it: You do not need to log in to access the file. If you call up the URL of the uploaded file, the browser asks directly whether the file should be downloaded. If this URL is linked in an email, there is no warning or anything else that could distract from the download.

Even if the message with the file attachment is deleted on Discord, the file itself can still be accessed in the CDN, as heise online found out in a short test. And it gets even better: If you delete the so-called “server” (actually a created, administrative room) on Discord with all messages, channels and users, the file was still available to us in the CDN.

Free malware hosting

The problem is by no means new. According to Sophos, a lot of malicious software landed on Discords CDN last year. Discord has not changed the basic functionality, but relies on reports from users and scans itself for malicious code. However, malware cannot be easily distinguished from non-malicious software without fully analyzing its behavior.

Among the files found by Sophos were some malware families that intercept stored login data or ensure that the attacker can remotely control the affected computer. We therefore recommend that you be…

Source…

Hackers using fake streaming site to distribute BazaLoader dropper

/in


Security researchers at Proofpoint have uncovered a new phishing campaign that involves hackers luring unsuspecting Internet users into downloading the BazaLoader malware dropper by making they believe they erroneously subscribed to a movie streaming service.

The phishing campaign, first discovered in early May by Proofpoint, involved hackers setting up a fake movie-streaming website called BravoMovies and populating the site with fake movie posters and additional content to make it appear genuine to unsuspecting visitors.

The hackers then proceeded to send carefully-crafted emails to hundreds of recipients, informing them that they had subscribed to BravoMovies, that they were on a 30-day free trial, and will be charged $39.99 a month after the end of the trial period. The recipients were, however, given the option to unsubscribe by calling a customer service number. The emails themselves did not contain any malicious attachments.

Once a curious recipient of the email calls the customer service number, they are directed by the fraudsters to navigate to the Frequently Asked Questions component of the website, and follow the instructions to unsubscribe via the “Subscribtion” page, and download an Excel sheet to complete the process. According to Proofpoint, the Excel sheet contains macros that, if enabled, will download BazaLoader, a downloader written in C++ that is used to download and execute additional modules.

“BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot,” the security firm said in a blog post.

“Proofpoint has observed BazarLoader threat actors using the method of phone-based customer service representatives to direct malicious downloads since February 2021. Security researchers have dubbed this method…

Source…

Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

/in


Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.

password auditor

“The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules,” researchers from ReversingLabs said in a report published today.

Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), is a legacy feature incorporated in Microsoft Excel for backward compatibility reasons. Microsoft warns in its support document that enabling all macros can cause “potentially dangerous code” to run.

The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines.

password auditor

In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.

“Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time,” the researchers noted. “Cost of maintaining 30 year old macros should be weighed against the security risks using such outdated technology brings.”

Source...


[the_ad_group id="27628"]