Tag Archive for: infection

North Korea’s ScarCruft Deploys RokRAT Malware via LNK File Infection Chains


May 02, 2023 · Ravie Lakshmanan · Threat Intelligence

The North Korean threat actor known as ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.

“RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains,” Check Point said in a new technical report.

“This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources.”

ScarCruft, also known by the names APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver an array of custom tools.

The adversarial collective, unlike the Lazarus Group or Kimsuky, is overseen by North Korea’s Ministry of State Security (MSS), which is tasked with domestic counterespionage and overseas counterintelligence activities, per Mandiant.

The group’s primary malware of choice is RokRAT (aka DOGCALL), which has since been adapted to other platforms such as macOS (CloudMensis) and Android (RambleOn), indicating that the backdoor is being actively developed and maintained.

RokRAT and its variants are equipped to carry out a wide range of activities like credential theft, data exfiltration, screenshot capture, system information gathering, command and shellcode execution, and file and directory management.

The collected information, some of which is stored in the form of MP3 files to cover its tracks, is sent back using cloud services like Dropbox, Microsoft OneDrive, pCloud and Yandex Cloud in a bid to disguise the command-and-control (C2) communications as legitimate.

Other bespoke malware used by the group includes, but is not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and, most recently, M2RAT. It’s also known to use commodity malware such as Amadey, a downloader that can receive commands from the attacker to…

Valorant aimbot hack lures the unwary into malware infection • Graham Cluley


Just what would you do to be better at video games? Devote yourself to hundreds of hours of practice, or search the internet for cheats and hacks that might give you an unfair competitive advantage?

Cheating in online games is nothing new, and some players have no qualms about resorting to installing “aimbots” that help them by automatically aiming at their rivals, or even auto-shooting.

However, as South Korean security experts at AhnLab warn, you might be wise to resist the temptation to cheat.

According to the security researchers, malware has been distributed via the descriptions of YouTube videos related to the Valorant first-person shooter game.

The video’s description cheekily advises users to disable their anti-virus software before downloading the cheat (boy… the things people will do if they think it will improve their aim in a video game).

FREE CHEAT = <LINK>
if link dont work – Try VPN
TURN OFF ANTI VIRUS

The YouTube video’s description contains a link which points to a website containing a file called Pluto Valrant cheat.rar.

If you’re unlucky enough to be duped into downloading the .RAR archive file, and then run the enclosed executable (named Cheat Installer.exe), your computer will be infected with an information-stealing Trojan horse called RedLine.

According to the AhnLab researchers, the malware collects a wide array of information from infected Windows systems, including login credentials, Discord tokens, Steam and Telegram session files, cryptocurrency wallets, and more.

The stolen data is then sent to cybercriminals via a Discord server.

As ever, you should be highly suspicious of software of unknown provenance, and of links to downloads from YouTube videos. It should go without saying that if you’re ever advised to disable your anti-virus, steer well clear!

Many of us might need a helping hand to defeat our video game rivals, but you could end up shooting yourself in the foot.

Fake Norton Internet Security for Android



DATA443 ANNOUNCES NEW RANSOMWARE PRODUCT FOR ENDPOINTS IN RESPONSE TO ESCALATING INFECTION COSTS AND EXTORTION RISKS


Capability Removes Requirement for Physical Interaction by IT Staff, Perfect for Hospitals, Schools, Government & Manufacturing

RESEARCH TRIANGLE PARK, NC, April 01, 2021 (GLOBE NEWSWIRE) — Data443 Risk Mitigation, Inc. (“Data443®” or the “Company”) (OTCPK: ATDS), a leading data security and privacy software company, is pleased to announce that its latest privacy-centric endpoint technology – Data443 Ransomware Recovery Manager – is now available.

“The functionality of Data443 Ransomware Recovery Manager is a direct response to the escalating ransomware attacks experienced around the world on a daily basis,” said Jason Remillard, founder and CEO of Data443. “These attacks affect millions of organizations of all sizes and across all sectors – with a high number of attacks primarily targeting three sectors: financial services, healthcare and education.”

“Not only has the incident rate been increasing, the infection rates, costs, and true damages are also increasing year over year, and at an accelerated rate. It is no longer a matter of if but when a ransomware or virus attack hits a business. The Data443 Ransomware Recovery Manager solution was built for the modern enterprise with this attack landscape in mind, and its capabilities are designed to recover a workstation immediately upon infection to the last known business-operable state, without any end user or IT Administrator efforts.”

“Data security continues to be a growing concern for all stakeholders, and having a capability at hand to protect, respond and be back in full operations within minutes is a true differentiator for Data443 and our unique product stack. With the integrated power of Data Identification Manager and Data Archive Manager, we are able to ensure sensitive data is both archived and restored if there is any infection, and with virtually zero down time. Augmented with Data Classification and Data Governance capabilities within the larger Data443 product family, Ransomware Recovery Manager possesses unique capabilities unmatched in this market segment.”

“This new capability demonstrates our commitment to always deliver sophisticated and timely solutions…