Tag Archive for: infostealing

Threat actors abuse Google Ads to distribute info-stealing malware: Report


A threat actor was found abusing Google Ads to distribute a trojanised version of the CPU-Z tool to deliver the Redline info-stealing malware.

Threat actors were found using Google Ads to redirect users to a cloned copy of the legitimate Windows news site Windows Report.

Clicking on the ad takes the victim through a redirect step that tricks Google’s anti-abuse crawlers by sending invalid visitors to an innocuous site, a report from Bleeping Computer said.

Those deemed valid to receive the payload are redirected to a lookalike of the Windows news site, hosted on a number of different domains. Users are then presented with a “Download now” button that results in them installing a malicious script that loads the malware on their devices.


This malware is a powerful stealer able to collect passwords, cookies, and browsing data from a range of web browsers and applications, as well as sensitive data from cryptocurrency wallets.

Users are advised to be careful when clicking on promoted results in Google Search and check the loaded site and the domain match before downloading any files. Users can also make use of adblockers to automatically hide such results from their search results.


Source…

Threat Actors Use Abnormal Certificates to Deliver Info-stealing Malware



Malicious certificates can be highly dangerous as they can be used to deceive users into trusting malicious websites or software.

This can lead to various security threats, including:

  • Data breaches
  • Malware infections
  • Phishing attacks
  • Compromised user privacy
  • Compromised system integrity

Cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) recently identified that threat actors are exploiting abnormal certificates to deliver info-stealing malware.



Technical Analysis

The malicious code carries certificates whose fields are filled with randomly entered information, producing unusually long Subject and Issuer names.

Windows does not display this certificate information; it can only be seen with specific tools. Because the certificate is invalid, it and its information are useless for signature verification.

The signature uses non-English languages and special characters and has shown little variation for over two months, suggesting a specific intention.

Signature information (Source – ASEC)
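As an added defender-side illustration (not code from the ASEC report), the following Python applies the two characteristics described above, over-long Subject/Issuer fields and non-English or special-character filler, to RFC 4514-style Distinguished Name strings. The sample DNs, the length threshold and the character-ratio threshold are constructed assumptions, not values from the report.

```python
import re
import unicodedata

# Constructed sample Distinguished Names (not taken from the ASEC report).
# "benign" is a typical signer; "suspicious" imitates the described pattern:
# random filler, very long fields, non-English and special characters.
SAMPLE_DNS = {
    "benign": "CN=Example Software Ltd, O=Example Software Ltd, L=Dublin, C=IE",
    "suspicious": "CN=" + "ÄÖÜ§¤ß" * 40 + ", O=" + "ИЛЯЖЮ#%" * 30 + ", C=XX",
}

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list:
    """Parse an RFC 4514-style DN string into (ATTRIBUTE, value) pairs."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",")))
    return pairs


def score_dn(dn: str, max_len: int = 128, max_ratio: float = 0.3) -> dict:
    """Return anomaly indicators for one Subject or Issuer DN.

    Assumed thresholds: any attribute value longer than max_len, or more than
    max_ratio of the value characters being non-ASCII or symbol/punctuation,
    marks the DN as suspicious.
    """
    pairs = parse_dn(dn)
    longest = max((len(v) for _, v in pairs), default=0)
    text = "".join(v for _, v in pairs)
    # Count each character once if it is non-ASCII or a symbol/punctuation.
    unusual = sum(
        1 for ch in text if ord(ch) > 127 or unicodedata.category(ch)[0] in "SP"
    )
    ratio = unusual / len(text) if text else 0.0
    return {
        "longest_value": longest,
        "unusual_ratio": round(ratio, 2),
        "suspicious": longest > max_len or ratio > max_ratio,
    }


if __name__ == "__main__":
    for label, dn in SAMPLE_DNS.items():
        print(label, score_dn(dn))
```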

The distributed sample is a URL-encoded malicious script that fails to download and execute Powershell commands, remaining inactive in the infection process.

Two distinct malware types with this distinctive appearance are distributed:

  • LummaC2: LummaC2 is the most adaptable malware in this distribution. Originally it carried self-contained malicious actions, but it now downloads configurations from its C2 and can install other malware such as Amadey and Clipbanker.
  • RecordBreaker: RecordBreaker, aka Raccoon Stealer V2, spreads through YouTube and other malware. It uses a distinctive User-Agent value such as ‘GeekingToTheMoon’ when connecting to its C2, but its functionality remains largely unchanged.

Both malware types excel in information theft, potentially exposing sensitive user data like browser…

Source…

Someone is targeting Roblox developers with info-stealing malware


An unknown party has been targeting developers of the popular online game Roblox, seeding more than a dozen open-source software packages they use with information-stealing malware called “Luna Grabber.”

The campaign, discovered by researchers at ReversingLabs, uses typo-squatting and a number of sophisticated obfuscation tactics to entice users into downloading fake versions of commonly used software on npm, a popular open source software registry. While in many cases those packages still contain the legitimate code developers are looking for, they also include a multi-stage malware attack that can deploy Luna Grabber against a victim’s web browser, their Discord application and other sources.

The malware was initially discovered as part of ReversingLabs’ “routine monitoring” of npm, which identified one such package, noblox.js-vps, that was “clearly typo-squatting” the name of a legitimate Roblox API wrapper. In a post published Tuesday, threat researcher Lucija Valentić wrote that the stolen information could potentially be leveraged in future attacks.

“The use of the Luna Grabber ‘turnkey’ open source malware [can] generate malicious executables that act as bait in phishing and supply chain attacks, gathering sensitive information from targeted developers,” wrote Valentić.

Npm is one of the largest open source software repositories in the world, but the observed impact of the campaign thus far has been muted compared with other open source campaigns: just under 1,000 users have downloaded the infostealer across more than a dozen discovered software packages. Many of the identified packages have since been removed, but ReversingLabs noted the campaign remains ongoing.

A screenshot of a since-removed malicious npm package mimicking a legitimate Roblox-related piece of code. (Image Credit: Reversing Labs)

Roblox is an online video game platform where, similar to games like Minecraft, users can build virtual worlds and levels for others to play in. Since the COVID-19 pandemic, its popularity has exploded: according to data analytics reporting firm DemandSage, the game currently boasts more than 66 million daily active users and 214 million monthly active users.

It’s not…

Source…

Info-Stealing Malware Populates ‘Cloud of Logs’ Offerings



Private Subscription Services Emerge, Together With Fresh Strains of Info Stealers

Advertisement for TitanStealer, first offered for sale in November 2022 via the Russian-language BHF and Dark2Web forums (Source: Kela)

Cybercrime watchers continue to see strong demand for fresh strains of information-stealing malware and the personal information being harvested by such info stealers.



Information stealers exfiltrate data from an infected system – aka “bot” – and batch it into “logs” containing “browser login information including passwords, cookies, credit card details, crypto wallet data and more,” threat intelligence firm Kela said in a new report.


Phishing is the main distribution method, oftentimes through links to compromised or malicious websites. One recent campaign tied to the Lumma and Aurora stealers used “typosquatted” domains – malicious domains with names resembling legitimate ones – that pretended to offer access to OpenAI and ChatGPT, cybersecurity firm Cyble reported.


After infecting systems and collecting logs, criminals often sell the stolen data via automated bot markets such as Genesis, RussianMarket and TwoEasy, via forums such as BHF and Dark2Web, and Telegram messaging app channels. While Genesis was disrupted last month via an international police operation accompanied by more than 100 arrests worldwide, the BBC reported Friday that the darknet version of Genesis appears to remain alive and well.


One sign of the maturity of marketplaces selling account takeover services or stolen digital identities is the emergence in recent years…

Source…