Tag Archive for: infects

Windows-based ransomware now infects Linux devices as well


A ransomware variant commonly known for encrypting Windows systems has recently been found targeting Linux devices as well.

According to a report by SentinelLabs, Linux versions of the ransomware strain IceFire have recently compromised the networks of several media and entertainment sector organizations worldwide. The operators gain access by exploiting a deserialization vulnerability in the IBM Aspera Faspex file-sharing software. Once inside the victim’s system, they deploy the IceFire ransomware, which encrypts data and appends the ‘.ifire’ extension to the affected files. Finally, the ransomware deletes itself to cover its tracks.

Interestingly, IceFire doesn’t encrypt every file on Linux. It deliberately skips certain paths so that critical parts of the system remain operational, avoiding damage that would leave the machine unusable.

Once the ransomware completes data encryption, it will drop a ransom note which asks the victim to contact the malware’s operators within five days. If they fail to do so, the note claims that the victim’s data will be publicly posted online.

IceFire is just one of many ransomware variants that have started targeting Linux systems. “While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal,” SentinelLabs’ blog stated. Some of these variants include Conti, LockBit, Hive, and HelloKitty, among others.


RIG Exploit Kit Now Infects Victims’ PCs With Dridex Instead of Raccoon Stealer



The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022.

The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in the Russo-Ukrainian war in March 2022.

The Rig Exploit Kit is notable for its abuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing trojan that’s advertised and sold on underground forums as a malware-as-a-service (MaaS) for $200 a month.


That said, the Raccoon Stealer actors are already working on a second version that’s expected to be “rewritten from scratch and optimized.” But the void left by the malware’s exit is being filled by other information stealers such as RedLine Stealer and Vidar.

Dridex (aka Bugat and Cridex), for its part, has the capability to download additional payloads, infiltrate browsers to steal customer login information entered on banking websites, capture screenshots, and log keystrokes, among others, through different modules that allow its functionality to be extended at will.


In April 2022, Bitdefender discovered another Rig Exploit Kit campaign distributing the RedLine Stealer trojan by exploiting an Internet Explorer flaw patched by Microsoft last year (CVE-2021-26411).


That’s not all. Last May, a separate campaign exploited two scripting engine vulnerabilities in unpatched Internet Explorer browsers (CVE-2019-0752 and CVE-2018-8174) to deliver a malware called WastedLoader, so named for its similarities to WastedLocker but lacking the ransomware component.

“This once again demonstrates that threat actors are agile and quick to adapt to change,” the cybersecurity firm said. “By design, Rig Exploit Kit allows for rapid substitution of payloads in case of detection or compromise, which helps cyber criminal groups recover from disruption or environmental changes.”


Fake Pixelmon NFT site infects you with password-stealing malware



A fake Pixelmon NFT site entices fans with free tokens and collectibles while infecting them with malware that steals their cryptocurrency wallets.

Pixelmon is a popular NFT project whose roadmap includes creating an online metaverse game where you can collect, train, and battle other players using Pixelmon pets.

With close to 200,000 Twitter followers and over 25,000 Discord members, the project has garnered a lot of interest.

Impersonating the Pixelmon project

To take advantage of this interest, threat actors have copied the legitimate pixelmon.club website and created a fake version at pixelmon[.]pw to distribute malware.

This site is almost a replica of the legitimate site, but instead of offering a demo of the project’s game, the malicious site offers executables that install password-stealing malware on a device.

[Figure: Fake Pixelmon website (source: BleepingComputer)]

The site offers a file called Installer.zip containing an executable that appears to be corrupt and does not infect users with any malware.

However, MalwareHunterTeam, who first discovered this malicious site, found other malicious files distributed by the site that allowed us to see what malware it was spreading.

One of the files distributed by this malicious site is setup.zip, which contains the setup.lnk file. Setup.lnk is a Windows shortcut that will execute a PowerShell command to download a system32.hta file from pixelmon[.]pw.

[Figure: Setup.lnk contents (source: BleepingComputer)]

When BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is not as commonly used as it was in the past. This was confirmed by security researcher Fumik0_, who has previously analyzed this malware family.

When executed, the threat actor’s Vidar sample connects to a Telegram channel and retrieves the IP address of the malware’s command-and-control (C2) server.

[Figure: Telegram channel containing the C2 IP address (source: BleepingComputer)]

The malware will then retrieve a configuration command from the C2 and download further modules to be used to steal data from the infected device.

The Vidar malware can steal passwords from browsers and applications and search a computer for…


Emotet malware infects users again after fixing broken installer



The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from becoming infected when they opened malicious email attachments.

Emotet is a malware infection distributed through spam campaigns with malicious attachments. If a user opens the attachment, malicious macros or scripts will download the Emotet DLL and load it into memory.

Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

Buggy attachments broke the Emotet campaign

Last Friday, the Emotet malware distributors launched a new email campaign that included password-protected ZIP file attachments containing Windows LNK (shortcut) files pretending to be Word documents.

[Figure: Current Emotet phishing email example (source: Cofense)]

When a user double-clicked on the shortcut, it would execute a command that searches the shortcut file for a particular string that contains Visual Basic Script code, appends the found code to a new VBS file, and executes that VBS file, as shown below.

[Figure: Emotet shortcut commands from Friday’s campaign (source: BleepingComputer)]

However, this command contained a bug as it used a static shortcut name of ‘Password2.doc.lnk,’ even though the actual name of the attached shortcut file is different, like ‘INVOICE 2022-04-22_1033, USA.doc’.

This caused the command to fail, as the Password2.doc.lnk file did not exist, and thus the VBS file was not created, as explained by the Emotet research group Cryptolaemus.

Cryptolaemus researcher Joseph Roosen told BleepingComputer that Emotet shut down the new email campaign at approximately 00:00 UTC on Friday after discovering that the bug was preventing users from becoming infected.

Unfortunately, Emotet fixed the bug today…
