Tag Archive for: malicious

TheMoon Malware Rises Again with Malicious Botnet for Hire


After disappearing for several years, TheMoon has returned with a botnet army around 40,000 strong, made up of hijacked small home and office (SOHO) devices and available for hire as a proxy service for cybercriminals looking to obscure their traffic origins.

The cybercrime botnet service, called Faceless, costs less than a dollar per day, according to the researchers at Lumen Technologies’ Black Lotus Labs, who are warning about the return of TheMoon after the malware group disappeared in 2019, before reemerging back on the scene in 2023. By the beginning of 2024, TheMoon had amassed bots from across 88 countries to operate its Faceless service.

“We believe these cybercriminals [using Faceless] are using these networks to steal data and information from their victims, including the financial sector,” Mark Dehus, senior director of threat intelligence at Lumen Black Lotus Labs, said in a statement. “TheMoon malware is a serious threat not only to the owners of the compromised SOHO devices, but also the victims exploited through this anonymous proxy network.”

John Gallagher, vice president of Viakoo Labs at Viakoo, noted that the types of endpoints that TheMoon looks to bring to the dark side are somewhat sitting ducks.

“IoT devices are designed to be ‘set it and forget it,’ leading to their being favored by threat actors even if they are not end of life (they are likely to be unmanaged and not updated),” he said in an emailed statement. “This is a much bigger issue for enterprises than consumers. The operators of IoT devices are often cost centers, and there’s an incentive to not replace equipment unless it isn’t functional anymore. Enterprises offer vast fleets of IoT devices for threat actors to leverage for DDoS and other attack vectors.”


Radware: Web App, API Malicious Transactions Up 171% Due to DDoS Attacks


  • DDoS attacks per customer nearly double
  • Web DDoS attacks relentlessly continue throughout the year
  • DNS query flood vectors increase more than threefold
  • Government, business/economy, and travel websites face the most hacktivist claimed DDoS attacks worldwide

Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, released its 2024 Global Threat Analysis Report.

“The technological race between good and bad actors has never been more intense,” said Pascal Geenens, Radware’s director of threat intelligence. “With advancements like Generative AI, inexperienced threat actors are becoming more proficient and skilled attackers more emboldened. In 2024, look for attack numbers to climb and attack patterns, like the shift in Web DDoS attacks, to continue to evolve.”

Radware’s comprehensive report leverages intelligence provided by network and application attack activity sourced from Radware’s Cloud and Managed Services, Global Deception Network, and threat intelligence research team during 2023. In addition, it draws from information found on Telegram, a public messaging platform often used by cyber criminals.

Radware’s report reveals key themes about the emerging threat landscape.

DDoS Attacks Surge Unprosecuted

“With almost two years of illegal denial of service left un-prosecuted following Russia’s invasion of Ukraine and the unfettered rise of hacktivism, the threshold into a life of cyber crime has reached a new low,” said Geenens. “We have yet to see DDoS attacks used as a mainstream vehicle to settle disagreements or differences, but plenty of groundwork has been laid by proficient hacktivists.”

Between the close of 2022 and the close of 2023, DDoS attacks rose worldwide:

  • Globally, the average number of DDoS attacks per customer grew by 94%. On a regional basis, the increase in the number of DDoS attacks targeting customers varied:
    • EMEA rose 43%
    • The Americas grew 196%
    • APAC climbed 260%
  • The Americas were targeted by almost half of all global DDoS attacks. The EMEA region, accounting for 39% of the DDoS attacks, mitigated 65% of the global DDoS attack volume. The APAC region accounted for almost 12% of global DDoS attacks.

Hacktivists Attack with Unrelenting…


New Malicious PyPI Packages Use DLL Sideloading


Researchers have found that threat actors use open-source platforms and code for several purposes, such as hosting C2 infrastructure, storing stolen data, and delivering second- and third-stage downloaders or rootkits.

Two PyPI packages were discovered being used by threat actors to execute code via DLL sideloading, a technique chosen to evade security monitoring tools.

The packages were identified as NP6HelperHttptest and NP6HelperHttper.

Malicious PyPI Packages

According to the reports shared with Cyber Security News, open-source ecosystems are used by almost every developer, yet they have no reputation provider to assess the quality and reliability of the code they host.

This makes it simple for threat actors to insert malicious code into the repositories and carry out supply chain attacks.

In addition, researchers described two attack types used in software supply chain attacks: typosquatting and repojacking.

The two malicious PyPI packages were part of a typosquatting attack, as their names are nearly identical to those of legitimate NP6 packages.

Malware infection stages (Source: Reversing Labs)

Developers mostly ignore the spelling and consider the packages legitimate, proceeding to use them in development.

Once this is done, threat actors can pivot into the organization and perform malicious activities.

Malicious Script Abusing DLL Sideloading

Both malicious PyPI packages contained a setup.py script that extends the setuptools install command to download two additional files: Comserver.exe and dgdeskband64.dll.

Comserver.exe is a legitimate file signed with a valid certificate from Beijing-based Kingsoft Corp, while dgdeskband64.dll is a malicious file that downloads and runs a second-stage payload.

Setup.py file (Source: Reversing Labs)

Comserver.exe loads the library dgdeskband64.dll and invokes its exported function DllInstall.

However, the dgdeskband64.dll bundled in the package is not the legitimate library that Comserver.exe expects.

Different exports for the legit and malicious dll (Source:…


VileRAT Attacking Windows Machines via Malicious Software


A new variant of VileRAT is being distributed through fake software piracy websites to infect Windows systems on a large scale.

This Python-based VileRAT malware family is believed to be specific to the Evilnum threat group (also known as DeathStalker), which has been active since August 2023.

It is frequently observed being spread by the VileLoader loader, which is designed to run VileRAT in memory and limit on-disk artifacts.

It functions similarly to conventional remote access tools, allowing attackers to record keystrokes, run commands, and obtain information remotely. Because VileRAT is extensible and modular, actors can use the framework to implement new features.

According to public reports, Evilnum is a hacker-for-hire service with a history of attacking governments, legal offices, financial institutions, and cryptocurrency-related organizations in the Middle East, the UK, the EU, and the Americas.


New Variants of VileRAT

Researchers at Stairwell have seen new activity and VileRAT variants spread through modified, legitimate installers that also carry VileLoader.

Kaspersky reported that in the past, the infection was distributed via malicious documents and LNK files, as well as by abusing companies’ public chatbots.

New TTP in contrast with their past use of malicious documents

The new campaign relies on a malicious Nulloy media player installer that is used to deploy VileLoader. VileLoader is packaged in the Nulloy installer and launched by the NSIS install script.

This copy of VileLoader (NvStTest.exe) is a modified version of a legitimate NVIDIA 3D Vision Test Application.

“VileRAT’s core component is stored in a compressed, XORed, and base64-encoded buffer within the payload unpacked from VileLoader. The decoded output contains a JSON configuration for the implant, containing the time VileRAT was started, control servers, and the encryption key for C2 communication,” researchers explain.

Final…
