Tag Archive for: Malware

Crooks manipulate GitHub’s search results to distribute malware

/in


Crooks manipulate GitHub’s search results to distribute malware

Pierluigi Paganini
April 13, 2024

Researchers warn threat actors are manipulating GitHub search results to target developers with persistent malware.

Checkmarx researchers reported that threat actors are manipulating GitHub search results to deliver persistent malware to developers systems.

Attackers behind this campaign create malicious repositories with popular names and topics, they were observed using techniques like automated updates and fake stars to boost search rankings.

“By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log”, with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.” reads the report published by Checkmarx. “While automatic updates help, the attackers combine another technique to amplify the effectiveness of their repo making it to the top results. The attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness.”

To evade detection, threat actors concealed the malicious code in Visual Studio project files (.csproj or .vcxproj), it is automatically executed when the project is built.

GitHub malware

The researchers noticed that the payload is delivered based on the victim’s origin, and is not distributed to users in Russia.

In the recent campaign, the threat actors used a sizable, padded executable file that shares similarities with the “Keyzetsu clipper” malware.

The recent malware campaign involves a large, padded executable file that shares similarities with the “Keyzetsu clipper” malware, targeting cryptocurrency wallets.

On April 3rd, the attacker updated the code in one of their repositories, linking to a new URL that downloads a different encrypted .7z file. The archive contained an executable named feedbackAPI.exe.

Threat actors padded the executable with numerous zeros…

Source…

Van Nuys man indicted for allegedly selling ‘trojan’ malware to help others crack computers – Daily News

/in


Federal authorities on Thursday announced the arrest of a Van Nuys man who allegedly schemed to market and sell malware that gave purchasers control over computers and enabled them to access victims’ private communications, their login credentials and other personal information.

Edmond Chakhmakhchyan, 24, allegedly used the screen name “Corruption.” He was arrested Wednesday by special agents with the FBI. During his arraignment in federal court, he pleaded not guilty to charges contained in a two-count indictment and was ordered back to court on June 4. His bond was set at $70,000.

The indictment charges Chakhmakhchyan with one count of conspiracy to advertise a device as an interception device, to transmit a code to intentionally cause damage to a protected computer and to intentionally access a computer to obtain information, as well as one count of advertising a device as an interception device. Each count carries a maximum sentence of five years in federal prison.

The indictment alleges an agreement between the malware’s creator and Chakhmakhchyan in which the defendant allegedly would post ads for the Hive remote access trojan, or RAT, on the Hack Forums website, accept Bitcoin payments for licenses to use the Hive RAT and provide customer service to those who purchased the licenses.

Customers purchasing the malware would transmit Hive RAT to protected computers and gain unauthorized control over and access to those devices, allowing the RAT purchaser to close or disable programs, browse files, record keystrokes, access incoming and outgoing communications and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets, all without the victims’ knowledge or permission, according to the indictment.

Chakhmakhchyan allegedly began working with the creator of the Hive RAT, previously known as “Firebird,” about four years ago and advertised online the RAT’s many features.

Source…

CISA Launches New System for Automated Malware Analysis

/in


The Cybersecurity and Infrastructure Security Agency has unveiled Malware Next-Gen, a new platform designed to provide automated analysis of newly identified malware to support threat detection and response efforts.

Malware Next-Gen works to enable government agencies to submit malware samples and suspicious artifacts for automated analysis to inform their cyber defense initiatives, CISA said Wednesday.

“Our new automated system enables CISA’s cybersecurity threat hunting analysts to better analyze, correlate, enrich data, and share cyber threat insights with partners. It facilitates and supports rapid and effective response to evolving cyber threats, ultimately safeguarding critical systems and infrastructure,” said Eric Goldstein, executive assistant director for cybersecurity at CISA.

Since November, Malware Next-Gen has analyzed over 1,600 files from nearly 400 registered users from defense and civilian agencies and has identified and shared approximately 200 suspicious or malicious files and uniform resource locators.

The Potomac Officers Club will host the 2024 Cyber Summit on June 6 to hear from government and industry experts about the dynamic and ever-evolving role of cyber in the public sector. Register here!

Source…

An AI Chatbot May Have Helped Create This Malware Attack

/in


A hacking group has been spotted possibly using an AI program such as ChatGPT, Google’s Gemini, or Microsoft Copilot to help refine a malware attack. 

Security firm Proofpoint today published a report about the group, dubbed “TA547,” sending phishing emails to businesses in Germany. The emails are designed to deliver the Windows-based Rhadamanthys malware, which has been around for several years. But perhaps the most interesting part of the attack is that it uses a PowerShell script that contains signs it was created with an AI-based large language model (LLM).

Hackers often exploit PowerShell since it’s a powerful tool in Windows that can be abused to automate and execute tasks. In this case, the phishing email contains a password-protected ZIP file, that when opened, will run the hacker-created PowerShell script to decode and install Rhadamanthys malware on the victim’s computer. 

While investigating the attacks, Proofpoint researchers examined the PowerShell script and found “interesting characteristics not commonly observed in code used” by human hackers, the company wrote in a blog post.  

What stuck out was the presence of the pound sign #, which can be used in PowerShell to make single line comments explaining the purpose of a line of computer code

Image of the powershell script code

(Credit: Proofpoint)

“The PowerShell script included a pound sign followed by grammatically correct and hyper specific comments above each component of the script. This is a typical output of LLM-generated coding content, and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell, or copied the script from another source that had used it,” Proofpoint says.

Indeed, if you ask ChatGPT, Copilot, or Gemini to create a similar PowerShell script, they’ll respond in the same format, placing pound symbols along with an explanation. In contrast, a human hacker would probably avoid such comments, especially since their goal is to disguise their techniques.

Recommended by Our Editors

ChatGPT placing the pound symbols

(Credit: ChatGPT)

Still, Proofpoint can’t definitively say TA547 created the PowerShell script with the help of an AI chatbot. Nevertheless, the case illustrates how cybercriminals can harness…

Source…