Tag Archive for: File

North Korea’s ScarCruft Deploys RokRAT Malware via LNK File Infection Chains


May 02, 2023 | Ravie Lakshmanan | Threat Intelligence


The North Korean threat actor known as ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.

“RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains,” Check Point said in a new technical report.

“This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources.”

ScarCruft, also known by the names APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver an array of custom tools.


The adversarial collective, unlike the Lazarus Group or Kimsuky, is overseen by North Korea’s Ministry of State Security (MSS), which is tasked with domestic counterespionage and overseas counterintelligence activities, per Mandiant.

The group’s primary malware of choice is RokRAT (aka DOGCALL), which has since been adapted to other platforms such as macOS (CloudMensis) and Android (RambleOn), indicating that the backdoor is being actively developed and maintained.

RokRAT and its variants are equipped to carry out a wide range of activities like credential theft, data exfiltration, screenshot capture, system information gathering, command and shellcode execution, and file and directory management.


The collected information, some of which is stored in the form of MP3 files to cover its tracks, is sent back using cloud services like Dropbox, Microsoft OneDrive, pCloud and Yandex Cloud in a bid to disguise the command-and-control (C2) communications as legitimate.

Other bespoke malware used by the group includes, but is not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and, most recently, M2RAT. The group is also known to use commodity malware such as Amadey, a downloader that can receive commands from the attacker to…


Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity



Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files, or large volumes of files, at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists, shared inboxes, or workgroups, giving transfers a workflow similar to email.

In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

On Tuesday, researchers from security firm Rapid7 said they recently responded to an incident in which a customer was breached using the vulnerability.

“Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986,” company researchers wrote. “In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.”

According to other researchers, the vulnerability is being exploited to install ransomware. SentinelOne researchers, for instance, said recently that a ransomware group known as IceFire was exploiting CVE-2022-47986 to install a newly minted Linux version of its file-encrypting malware. Previously, the…


Azov Ransomware can modify its own code to delete every single file on a machine with a single click


A successful ransomware attack can be very damaging to a company. An organization caught unprepared may be forced to choose between paying the ransom demand and losing all of the data that was taken. The WannaCry attack, which occurred more than 5 years ago, fundamentally altered cybersecurity. It was the first global-scale, multi-vector cyberattack whose purpose was, first and foremost, to encrypt a compromised machine’s files, rendering it unusable, though reversibly. Its influence on the cyber threat landscape was outsized.

Since then, ransomware attacks have increased in number and form, and have evolved to use a variety of strategies and approaches.

The information security industry first became aware of Azov when it was discovered as a payload of the SmokeLoader botnet. This botnet is often located at fraudulent sites that provide unlicensed software and cracks.

One thing that distinguishes Azov from the many other ransomware families seen in recent years is that it modifies certain 64-bit executables in order to run its own code. The executables are modified using polymorphic code, so that the result cannot be blocked or detected by static signatures. Notably, the modification targets 64-bit executables, something the typical malware author would not have bothered with.

According to researchers at Check Point: “Because of this aggressive polymorphic infection of victim executables, there has been an increase in the number of Azov-infected files that are accessible to the public. VirusTotal receives hundreds of new Azov-related samples on a daily basis, and as of November 2022, the total number of these samples has already surpassed 17,000.”

Malware like Azov is one of a kind because it can generate its own code, which makes it simple for it to share personal information with other pieces of malware.

In addition to being able to write code, it also has the ability to produce code, which allows it to…


SharkBot Trojan Spread Via Android File Manager Apps


Cybercrime, Cybercrime as-a-service, Fraud Management & Cybercrime

Now-Removed Apps Have 10K Downloads, Target Victims in the UK, Italy


The operators behind banking Trojan SharkBot are targeting Google Play users by masquerading as now-deactivated Android file manager apps and have tens of thousands of installations so far.


Cybersecurity firm Bitdefender says it found applications on the Google Play store disguised as file managers and acting “as droppers for SharkBot bankers shortly after installation, depending on the user’s location.”

“The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware,” Bitdefender researchers say.

The apps uncovered by Bitdefender are disguised as file managers and request permission to install external packages, which is what enables the malware download.

“As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect,” researchers say.

Although the apps have now been removed from Google Play, researchers warn that they are still available in various third-party stores across the web, so they remain an active threat.

Users primarily from…
