Tag Archive for: keylogger

New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice

/in


Mar 27, 2024NewsroomVulnerability / Cybercrime

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla.

Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment.

The archive (“Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”) conceals a malicious loader that activates the procedure to deploy Agent Tesla on the compromised host.

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods,” security researcher Bernard Bautista said in a Tuesday analysis.

“The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic.”

The tactic of embedding malware within seemingly benign files is a tactic that has been repeatedly employed by threat actors to trick unsuspecting victims into triggering the infection sequence.

Cybersecurity

The loader used in the attack is written in .NET, with Trustwave discovering two distinct variants that each make use of a different decryption routine to access its configuration and ultimately retrieve the XOR-encoded Agent Tesla payload from a remote server.

In an effort to evade detection, the loader is also designed to bypass the Windows Antimalware Scan Interface (AMSI), which offers the ability for security software to scan files, memory, and other data for threats.

It achieves this by “patching the AmsiScanBuffer function to evade malware scanning of in-memory content,” Bautista explained.

The last phase involves decoding and executing Agent Tesla in memory, allowing the threat actors to stealthily exfiltrate sensitive data via SMTP using a compromised email account associated with a legitimate security system supplier in Turkey (“merve@temikan[.]com[.]tr”).

The approach, Trustwave said, not only does not raise any red flags, but also affords a layer of anonymity that makes it harder to trace the attack back to the adversary, not to mention save…

Source…

Hackers Hiding Keylogger, RAT Malware in SVG Image Files

/in


Critical Infrastructure Security
,
Cybercrime
,
Endpoint Security

New Campaign Evades Security Tools to Deliver Agent Tesla Keylogger and XWorm RAT

Prajeet Nair (@prajeetspeaks) •
March 13, 2024    

Hackers Hiding Keylogger, RAT Malware in SVG Image Files

Threat actors are hiding malware in SVG image files to evade detection and deliver ransomware, download a banking Trojan and distribute malware.

See Also: Live Webinar | Secrets Detection: Why Coverage Throughout the SDLC is Critical to Your Security Posture

Cofense Intelligence researchers in January observed a two-month campaign that used SVG files to deliver Agent Tesla Keylogger and XWorm RAT malware. The researchers advise security teams to remind users to watch for unexpected downloads upon opening an SVG file, the telltale sign of a compromise.

The Scalable Vector Graphic file format uses mathematical equations to describe images, which enables them to be scaled without loss of image quality and makes them suitable for diverse design applications.

AutoSmuggle, an open-source tool released in May 2022, enables threat actors to embed malicious files within SVG or HTML content, bypassing security measures such as secure email gateways and increasing the chances of successful malware delivery.

The use of SVG files for malware delivery was first observed in 2015, but researchers said hackers have refined their tactics to bypass security measures and successfully distribute harmful payloads. SVG files distributed Ursnif malware in 2017 and were used to smuggle .zip archives…

Source…

A Top LastPass Engineer’s Home PC Got Pwned by a Hacker’s Keylogger

/in


Photo: Maor_Winetrob (Shutterstock)

Photo: Maor_Winetrob (Shutterstock)

Beleaguered password manager LastPass has announced yet another serious security screwup and, this time, it may be the final straw for some users.

For months, the company has been periodically providing updates about a nasty data breach that occurred last August. At the time, LastPass revealed that a cybercriminal had managed to worm their way into the company’s development environment and steal some source code but claimed there was “no evidence” that any user data had been compromised as a result. Then, in December, the company made an update, revealing that, well, actually, yeah, certain user information had been compromised, but couldn’t share what, exactly, had been impacted. Several weeks later it did reveal what had been impacted: users’ vault data, which, under the right, extreme circumstances, could lead to total account compromises. And now, finally, LastPass has provided yet more details, revealing that the fallout from the breach was even worse than previously imagined. It’s probably enough to make some users run screaming for the hills.

Read more

According to a press release published Monday, the initial August data breach allowed the cybercriminal in question to hack into the home computer of one of LastPass’s most privileged employees—a senior DevOps engineer, and one of only four employees with access to decryption keys that could unlock the platform’s shared cloud environment. The hacker subsequently laced the engineer’s computer with a keylogger, which allowed them to steal their LastPass master password. Using the PW, the cybercriminal managed to break into the engineer’s password vault and, filching necessary decryption keys from the engineer’s account, proceeded to penetrate LastPass’s shared cloud environment, where they stole a whole load of important data.

The company admits that the hacker “exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

In short:…

Source…

Maintaining Access | Penetration Testing

/in