Malicious web redirect service infects 16,500 sites to push malware

A new traffic direction system (TDS) called Parrot is relying on servers that host 16,500 websites of universities, local governments, adult content platforms, and personal blogs.

Parrot is used in malicious campaigns to redirect potential victims matching a specific profile (location, language, operating system, browser) to online resources such as phishing and malware-dropping sites.

Threat actors running malicious campaigns buy TDS services to filter incoming traffic and send it to a final destination serving malicious content.

TDS are also legitimately used by advertisers and marketers, and some of these services were exploited in the past to facilitate malspam campaigns.

Used for RAT distribution

Parrot TDS was discovered by threat analysts at Avast, who report that it’s currently used for a campaign called FakeUpdate, which delivers remote access trojans (RATs) via fake browser update notices.

Site displaying the fake browser update warning (Avast)

The campaign appears to have started in February 2022 but signs of Parrot activity have been traced as far back as October 2021.

“One of the main things that distinguishes Parrot TDS from other TDS is how widespread it is and how many potential victims it has,” comments Avast in the report.

“The compromised websites we found appear to have nothing in common apart from servers hosting poorly secured CMS sites, like WordPress sites.”

Malicious JavaScript code seen in compromised sites (Avast)

Threat actors have planted a malicious web shell on compromised servers and copied it to various locations under similar names that follow a “parroting” pattern.

Moreover, the adversaries use a PHP backdoor script that extracts client information and forwards requests to the Parrot TDS command and control (C2) server.

In some cases, the operators use a shortcut without the PHP script, sending the request directly to the Parrot infrastructure.

Parrot’s direct and proxied forwarding (Avast)

Avast says that in March 2022 alone its services protected more than 600,000 of its clients from visiting these infected sites, indicating the massive scale of the Parrot redirection gateway.

Most of the users targeted by these…

EwDoor Malware Infects AT&T Users: How to Detect Data-Stealing Virus, Remove from Your Phone


EWDoor malware infected the networking equipment of AT&T, which protects and manages communications of the mobile carrier.

The AT&T malware affected more than 5,700 subscribers.

EWDoor Malware Affects AT&T Subscribers

Chinese cybersecurity company Qihoo 360 found that thousands of networking devices belonging to AT&T subscribers in the United States have been compromised with a newly discovered malware, per Ars Technica.

Gizmodo reported that the AT&T malware acts as a backdoor, allowing an attacker to get into networks, steal data and engage in other activities.

The attacked device is the EdgeMarc Enterprise Session Border Controller, a tool used by small and medium-sized companies to protect and manage phone calls, video conferencing and other real-time communications.

Session border controllers sit between businesses and their Internet service providers, so they have access to large amounts of bandwidth and can see sensitive personal information, making them attractive for distributed denial of service (DDoS) attacks and data gathering.

Since the AT&T malware acts as a backdoor, Qihoo 360 named it EWDoor, a play on “backdoor” that also refers to the Edgewater devices it affects.

EWDoor can also update itself, perform port scanning, manage files, launch DDoS attacks, open a reverse shell, and execute arbitrary commands.

For those unfamiliar with DDoS, Kaspersky describes it as an attack method that takes advantage of the capacity limits of internet resources.

A DDoS attack floods the targeted online resource with requests, aiming to exceed the website’s capacity to handle them and prevent it from working properly.

Qihoo 360 researchers identified the EWDoor malware after infiltrating a previously undisclosed botnet, finding that it had affected at least 5,700 AT&T subscribers in the United States.

They also claimed to have discovered more than 100,000 devices using the same TLS certificate as…

Joker malware infects 11 Play Store apps using new tricks; your Android smartphone under threat


Android malware is becoming increasingly prevalent as more and more users come online. Smartphone malware can steal user data, compromise user privacy, snoop on other apps and encrypt data. The Joker malware is an infamous example of Android malware, and it has also managed to spread undetected via the Google Play Store.

Cybersecurity researchers from Zscaler’s ThreatLabz recently discovered 11 apps on the Play Store that were infected with the Joker malware, as spotted by ZDNet; the researchers said the apps can also ‘conduct financial fraud’. Together, the apps had notched up 30,000 installs on the store. They offered productivity, communication and other utilities such as keyboards. Google has reportedly already removed these apps from the Play Store.

How they lured users: The Joker malware is notorious for aggressive ‘billing’, signing users up for premium services via SMS. The app also attempts to hide its tracks by using the ‘read notifications’ permission to conceal any sign-up messages. Unlike previous versions of the malware, the new Joker variants use a novel method of infecting the device: they download the malware “payload” through URL shorteners. That means links through services like TinyURL, bit.ly, Rebrand.ly, zws.im, 27url.cn and others are used to mask the real server names from which the malicious payload is downloaded.

Joker Malware bypasses Google security: However, what is really worrying is that the malware repeatedly manages to get back onto the Play Store, despite Google’s protection. The company uses its internal Bouncer checks for apps submitted to the Play Store, along with on-device scanning using Google Play Protect.

“Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques,” the researchers stated.

How users…