Tag Archive for: files

Hackers Hiding Keylogger, RAT Malware in SVG Image Files


Critical Infrastructure Security, Cybercrime, Endpoint Security

New Campaign Evades Security Tools to Deliver Agent Tesla Keylogger and XWorm RAT

Threat actors are hiding malware in SVG image files to evade detection and deliver ransomware, download a banking Trojan and distribute malware.

Cofense Intelligence researchers in January observed a two-month campaign that used SVG files to deliver Agent Tesla Keylogger and XWorm RAT malware. The researchers advise security teams to remind users to watch for unexpected downloads upon opening an SVG file, the telltale sign of a compromise.

The Scalable Vector Graphics (SVG) file format describes images with mathematical equations rather than pixels, which lets them be scaled without loss of quality and makes them suitable for diverse design applications.

AutoSmuggle, an open-source tool released in May 2022, enables threat actors to embed malicious files within SVG or HTML content, bypassing security measures such as secure email gateways and increasing the chances of successful malware delivery.

The use of SVG files for malware delivery was first observed in 2015, but researchers said hackers have refined their tactics to bypass security measures and successfully distribute harmful payloads. SVG files distributed Ursnif malware in 2017 and were used to smuggle .zip archives…

Source…

MrB Ransomware (.mrB Files) – Analysis & File Decryption – Gridinsoft Blog


MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for appending a complex extension to encrypted files that ends in “.mrB”. This ransomware primarily attacks small corporations and asks a ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this ransomware sample.

What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for adding a long extension to every file it encrypts; the extension consists of the victim ID, the contact email and the extension itself. In the end, an encrypted file name looks like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB

Files encrypted by mrB ransomware

MrB ransomware encrypts a wide range of file formats, from images and documents to files of some specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file and also drops a readme text file. The latter appears in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

MrB ransomware note

Contents of the readme text file:


Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. Imperfections in early Dharma samples were used to build a decryptor, but those flaws have since been fixed, so it is not effective nowadays. Options you can find online, like “professional hackers” or file recovery services, will at best act as an intermediary between you and the hackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when ransomware servers are seized. It may sound unlikely, but there were 4 such decryptors released in the first months of 2024. Be patient, do not lose hope, and you will get the files back.

File recovery options

For now, your best…

Source…

Data protection in 2023 was all about resilience – Blocks and Files


Recovering from data loss and ransomware are the gifts that keep on giving … for data protection suppliers, that is.

Compared to a year ago, there is now more data to protect and more threats against it, making favorable market conditions for the suppliers. The data protection world in 2023 was dominated by dealing with cyber resilience, extending backup’s remit to cover SaaS applications, and seeking new archive technologies to fix tape’s flaws.

Virtually every backup supplier has now added security features to protect against ransomware and other malware attacks on data. Cyber resilience is the name of the backup game, and resilience is starting to look like an over-used word. For example:

  • Veeam describes itself as the home of radical resilience. 
  • Cohesity says: “Protection is one thing. Resilience is everything.”
  • Commvault claims it “gives you an unfair advantage to ensure resilience in the face of ransomware and other advanced threats in today’s hybrid world – and tomorrow’s.”
  • Druva says it is “the industry’s leading SaaS platform for data resiliency, and the only vendor to ensure data protection across the most common data risks backed by a $10 million guarantee.”
  • Rubrik greets its website visitors with this message: “Rubrik Security Cloud delivers complete cyber resilience.”
  • Veritas tells its site visitors: “We have a reputation for reliability at scale, which delivers the resilience our customers need against the disruptions threatened by cyberattacks, like ransomware.”

To keep protected data resilient, suppliers typically offer immutable backups and backup health checks that, for example, guarantee known-good files. Focus has extended from ransomware attack prevention to ransomware attack recovery, with some suppliers guaranteeing that such recovery is dependable.

No magic anti-malware silver-bullet technology was announced in 2023 by any supplier – because there isn’t one.

SaaS app protection

Technology additions were sought by SaaS app protectors, spearheaded by HYCU. It realized that many SaaS applications stored customer data that was not protected by the provider or by data…

Source…

Babuk Ransomware Decryptor Updated to Recover Files Infected


Hackers use ransomware to encrypt victims’ files and render them inaccessible until a ransom is paid. This forces the victims to pay a ransom to regain access to compromised systems and data.

This tactic yields financial gains for the threat actors, and ransomware attacks can be conducted at scale, targeting individuals, businesses, and organizations alike.

The Babuk ransomware decryptor has recently received an update from Avast cybersecurity researchers, Cisco Talos, and the Dutch Police to allow for the recovery of files infected with the most recent ransomware variant.

Technical Analysis

Babuk ransomware initially emerged in early 2021, and it is known for the following key things:

  • Targeting Windows systems
  • Encrypting files
  • Demanding ransom payments in exchange for decryption keys

Besides this, Babuk ransomware has gained immense attention for its evolving tactics and the sophistication of its attacks.

Since Babuk’s emergence, the Avast security company has blocked over 5,600 targeted attacks, the majority of which targeted individuals and organizations in the following nations:

  • Brazil
  • Czech Republic
  • India
  • The United States
  • Germany

Babuk attacks blocked by Avast since 2021 (Source – Avast)

The recently updated Avast Babuk decryption tool can restore the files the Tortilla Babuk variant has encrypted.

Babuk ransomware source code was released in September 2021 in the form of a ZIP file on a Russian hacking forum, which included the following 14 victim-specific private keys:

The cybersecurity analysts said that creating the decryptor was easy because the encryption scheme remained unchanged from their analysis two years earlier; the sample the researchers analyzed was named “tortilla.exe”.

The Babuk encryptor is likely made from leaked sources and uses a single key…

Source…