Tag Archive for: Malware

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

/in


Apr 09, 2024NewsroomBotnet / Vulnerability

D-Link NAS Devices

Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.

Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter,” security researcher who goes by the name netsecfish said in late March 2024.

Cybersecurity

Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.

The issues affect the following models –

  • DNS-320L
  • DNS-325
  • DNS-327L, and
  • DNS-340L

Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.

D-Link NAS Devices

In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.

Cybersecurity

The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.

With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.

“Some scanning attacks originate from benign networks likely driven by malware on infected machines,”…

Source…

Vedalia APT Group Exploits Oversized LNK Files to Malware

/in


The Vedalia Advanced Persistent Threat (APT) group, also known by its alias Konni, has been distributing malware using an innovative technique involving oversized LNK files.

This method marks an evolution in the group’s operational tactics, aiming to bypass conventional security measures and compromise targeted systems.

Broadcom recently published a blog post stating that the Vedalia APT group has utilized huge LNK files in their latest malware campaign.

Document

Run Free ThreatScan on Your Mailbox

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Key Highlights of the Campaign

  • Innovative Delivery Mechanism: The Vedalia APT group has ingeniously utilized LNK files with double extensions, effectively masking the malicious .lnk extension.
  • This tactic deceives users into believing the files are harmless, increasing the likelihood of execution.
  • Obscuration through Whitespace: A notable characteristic of these LNK files is the excessive use of whitespace.
  • This technique is designed to hide the malicious command lines embedded within, making detection by security software and analysts more challenging.
  • Bypassing Security Defenses: The embedded command line script within the LNK files is crafted to search for and execute PowerShell commands.
  • This approach is specifically chosen to evade detection mechanisms. It leverages PowerShell’s legitimate system functions to locate and deploy the embedded malicious files and payload.

File-based

  • CL.Downloader!gen20
  • Scr.Mallnk!gen13
  • Trojan.Gen.NPE
  • WS.Malware.1

Implications and Recommendations

The Vedalia APT group’s adoption of oversized LNK files for malware delivery underscores the evolving landscape of cyber threats.

Organizations and individuals are advised to remain vigilant, update their security solutions, and educate users about the risks of opening files from unknown sources.

This campaign by the Vedalia APT group serves as a reminder of the continuous innovation among cyber adversaries.

By staying informed and proactive, organizations…

Source…

Sophisticated Latrodectus Malware Linked to 2017 Strain

/in


Cybercrime
,
Fraud Management & Cybercrime
,
Governance & Risk Management

New Malware With Ties to IcedID Loader Evades Detection, Gains Persistence

Prajeet Nair (@prajeetspeaks) •
April 5, 2024    

Sophisticated Latrodectus Malware Linked to 2017 Strain
Image: Shutterstock

Security researchers are warning about a relatively new malware called Latrodectus, believed to be an evolutionary successor to the IcedID loader. It has been detected in malicious email campaigns since November 2023, and recent enhancements make it harder to detect and mitigate.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

Proofpoint’s Threat Research team, in partnership with Team Cymru S2 Threat Research, spotted nearly a dozen campaigns delivering Latrodectus beginning in February 2024. The malware, used by initial access brokers, downloads payloads and executes arbitrary commands.

While initial analysis suggested Latrodectus is a new variant of IcedID, subsequent research found that it is a new malware most likely named Latrodectus because of a string identified in the code. Latrodectus employs infrastructure used in historic IcedID operations, indicating potential ties to the same threat actors. IcedID, first discovered in 2017, has been described as a banking Trojan and remote access Trojan.

Researchers discovered insights into the activities of threat actors TA577 and TA578 – the primary distributors of Latrodectus that illustrate the evolving tactics threat actors have used over time.

TA577, previously…

Source…

Attention Android users: A malware posing as McAfee security app can steal your sensitive data

/in


New Delhi,UPDATED: Apr 4, 2024 19:00 IST

Security researchers have found that a trojan malware has been posing as the McAfee security app. The malware only affects Android users, and aims to steal personal data like passwords, credit card details, photos, videos, and other sensitive information. This was first reported by Bleeping Computer.

The trojan malware is reportedly a more powerful version of the Vultur malware. Vultur was among the earliest Android banking malware to incorporate screen recording abilities and include functions like keylogging and interacting with a victim’s device screen. Its primary focus was to target banking apps for keylogging and remote control. The discovery of Vultur was initially made by ThreatFabric in late March 2021.

The malware is being circulated via Google Play Store. Apparently, the malware was first distributed on the Android app store in 2022 and has since been active on the platform.

How does the malware work?

The malware pretty much looks like a promotion message for the MacAfee security app, and it is quite easy to fall for. Usually, an Android user will receive an SMS that will claim to have found an unauthorised transaction in your bank account, urging them to call a provided number for assistance.

When you call that number, users will get connected to the scammers, who will send a follow-up SMS with a link to download a malicious version of the McAfee Security app containing the Brunhilda malware dropper.

By installing this fake app, it will gain access to your device’s ‘Accessibility Services’, which will eventually connect it to the malware’s main server. And once that happens, the attackers can access any information on your device remotely.

How to stay safe from such malware?

To ensure you are safe from such malware, never download any app from random links sent to you. Don’t even download apps off browsers. Only download official apps through the Google Play Store. It is also good to always check reviews and ratings of an app before you download it, which can give you a good sense of the authenticity of the app. Also, always pay attention to the developer details of every app before you download it.

Published By:

Nandini…

Source…