Tag Archive for: Malware

Hackers are loading SVG files with multi-stage malware in new phishing attack

/in


A sophisticated new phishing attack was spotted in the wild, leveraging a wide variety of tools to bypass antivirus protections and ultimately deliver different Remote Access Trojan (RAT) malware.

According to cybersecurity researchers at Fortinet, an unidentified threat actor was seen sending phishing emails, stating a shipment has been delivered, and attaching an invoice. This attachment, however, is a Scalable Vector Graphics (SVG) file which, when run, triggers the infection sequence. 

Source…

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

/in


Apr 09, 2024NewsroomBotnet / Vulnerability

D-Link NAS Devices

Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.

Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter,” security researcher who goes by the name netsecfish said in late March 2024.

Cybersecurity

Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.

The issues affect the following models –

  • DNS-320L
  • DNS-325
  • DNS-327L, and
  • DNS-340L

Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.

D-Link NAS Devices

In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.

Cybersecurity

The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.

With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.

“Some scanning attacks originate from benign networks likely driven by malware on infected machines,”…

Source…

Vedalia APT Group Exploits Oversized LNK Files to Malware

/in


The Vedalia Advanced Persistent Threat (APT) group, also known by its alias Konni, has been distributing malware using an innovative technique involving oversized LNK files.

This method marks an evolution in the group’s operational tactics, aiming to bypass conventional security measures and compromise targeted systems.

Broadcom recently published a blog post stating that the Vedalia APT group has utilized huge LNK files in their latest malware campaign.

Document

Run Free ThreatScan on Your Mailbox

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Key Highlights of the Campaign

  • Innovative Delivery Mechanism: The Vedalia APT group has ingeniously utilized LNK files with double extensions, effectively masking the malicious .lnk extension.
  • This tactic deceives users into believing the files are harmless, increasing the likelihood of execution.
  • Obscuration through Whitespace: A notable characteristic of these LNK files is the excessive use of whitespace.
  • This technique is designed to hide the malicious command lines embedded within, making detection by security software and analysts more challenging.
  • Bypassing Security Defenses: The embedded command line script within the LNK files is crafted to search for and execute PowerShell commands.
  • This approach is specifically chosen to evade detection mechanisms. It leverages PowerShell’s legitimate system functions to locate and deploy the embedded malicious files and payload.

File-based

  • CL.Downloader!gen20
  • Scr.Mallnk!gen13
  • Trojan.Gen.NPE
  • WS.Malware.1

Implications and Recommendations

The Vedalia APT group’s adoption of oversized LNK files for malware delivery underscores the evolving landscape of cyber threats.

Organizations and individuals are advised to remain vigilant, update their security solutions, and educate users about the risks of opening files from unknown sources.

This campaign by the Vedalia APT group serves as a reminder of the continuous innovation among cyber adversaries.

By staying informed and proactive, organizations…

Source…

Sophisticated Latrodectus Malware Linked to 2017 Strain

/in


Cybercrime
,
Fraud Management & Cybercrime
,
Governance & Risk Management

New Malware With Ties to IcedID Loader Evades Detection, Gains Persistence

Prajeet Nair (@prajeetspeaks) •
April 5, 2024    

Sophisticated Latrodectus Malware Linked to 2017 Strain
Image: Shutterstock

Security researchers are warning about a relatively new malware called Latrodectus, believed to be an evolutionary successor to the IcedID loader. It has been detected in malicious email campaigns since November 2023, and recent enhancements make it harder to detect and mitigate.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

Proofpoint’s Threat Research team, in partnership with Team Cymru S2 Threat Research, spotted nearly a dozen campaigns delivering Latrodectus beginning in February 2024. The malware, used by initial access brokers, downloads payloads and executes arbitrary commands.

While initial analysis suggested Latrodectus is a new variant of IcedID, subsequent research found that it is a new malware most likely named Latrodectus because of a string identified in the code. Latrodectus employs infrastructure used in historic IcedID operations, indicating potential ties to the same threat actors. IcedID, first discovered in 2017, has been described as a banking Trojan and remote access Trojan.

Researchers discovered insights into the activities of threat actors TA577 and TA578 – the primary distributors of Latrodectus that illustrate the evolving tactics threat actors have used over time.

TA577, previously…

Source…