Tag Archive for: spread

North Korean hackers exploited Internet Explorer zero-day to spread malware


North Korean state-sponsored hackers exploited a zero-day vulnerability in Internet Explorer to target South Korean users with malware, according to Google’s Threat Analysis Group (TAG).

Google researchers first discovered the zero-day flaw on October 31, when multiple individuals uploaded a malicious Microsoft Office document to the company’s VirusTotal service. The documents purported to be government reports on the Itaewon tragedy, a crowd crush that occurred during Halloween festivities in the Itaewon neighborhood of Seoul, in which at least 158 people were killed and 196 others were injured.

“This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident,” Google TAG’s Clement Lecigne and Benoit Stevens said on Wednesday.

The malicious documents were designed to exploit a zero-day vulnerability in Internet Explorer’s JScript engine, tracked as CVE-2022-41128 with a CVSS severity rating of 8.8. Once opened, the document downloaded a rich text file (RTF) remote template, which in turn rendered remote HTML using the Internet Explorer engine, and would then deliver a payload that the researchers were unable to recover. Although Internet Explorer was officially retired in June and replaced by Microsoft Edge, Office still uses the IE engine to render that HTML and execute the JavaScript that enables the attack.

“This technique has been widely used to distribute IE exploits via Office files since 2017,” Lecigne and Stevens said. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser.”

The researchers added that Google reported the vulnerability to Microsoft on October 31, and that it was fixed a week later as part of Microsoft’s November 2022 Patch Tuesday security updates.

Google has attributed the activity to a North Korean-backed hacking group known as APT37, which has been active since at least 2012 and has been previously observed exploiting zero-day flaws to target South Korean users, North Korean defectors, policymakers, journalists and human rights activists. Cybersecurity company FireEye previously said it assessed with “high confidence” that APT37 activity is carried out on behalf of the North…


SharkBot Trojan Spread Via Android File Manager Apps


Cybercrime, Cybercrime as-a-service, Fraud Management & Cybercrime

Now-Removed Apps Have 10K Downloads, Target Victims in the UK, Italy


The operators behind the SharkBot banking Trojan have been targeting Google Play users by masquerading as Android file manager apps; the apps have since been removed but had accumulated tens of thousands of installations.


Cybersecurity firm Bitdefender says it found applications on the Google Play store disguised as file managers that act “as droppers for SharkBot bankers shortly after installation, depending on the user’s location.”

“The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware,” Bitdefender researchers say.

The apps uncovered by Bitdefender are disguised as file managers and request permission to install external packages, which they use to download and install the malware.

“As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect,” researchers say.

The apps have now been removed from Google Play, but researchers warn that they are still available on various third-party stores across the web, so they remain a current threat.

Users primarily from…


Antivirus used to spread malware, White House ransomware summit


Threat group rides antivirus software to install malware

Researchers at Kaspersky discovered the China-based threat group Cicada targeting Japanese organizations. The group used a spear-phishing email to prompt the victim to install the legitimate K7Security Suite; the package also included a malicious DLL that the legitimate software sideloads, installing the group’s custom LODEINFO backdoor. Because Cicada uses a legitimate security application to sideload the DLL, other security products may not detect it. Targeted organizations include media groups, diplomatic agencies and public-sector organizations, indicating the group intends to use the backdoor for cyberespionage.

(Bleeping Computer)

White House organizes ransomware summit

The White House hosted its second International Counter Ransomware Summit starting on October 31, bringing together three dozen nations as well as private-sector companies. The summit focused on making systems more resilient to attacks overall and on disrupting threat actors while they are still in the planning stages. Private companies attending included Microsoft, Mandiant, CrowdStrike and Palo Alto Networks. The Biden administration cited the recent ransomware attack on the Los Angeles school district as a factor in deciding to call the summit now.

(AP)

Ed tech company exposed user data

The Federal Trade Commission filed a complaint against the ed tech company Chegg, alleging “careless” security practices that compromised personal data. According to the filing, these practices date back to 2017. In 2018, sensitive information on about 40 million customers was exposed after a former contractor accessed a third-party database. The data included names, emails, passwords, sexual orientation and parents’ income. Since then, this dataset has appeared for sale online. The company also reportedly exposed employee information, including Social Security numbers. The complaint chided Chegg for not requiring multi-factor authentication, storing personal data in plain text, lacking any written security policy until 2021, and using “outdated and weak” encryption.

(Engadget)

Twitter exploring paid verification

According to documents seen by and sources…


Hackers Use NullMixer and SEO to Spread Malware More Efficiently


Security researchers from Kaspersky have spotted a new series of campaigns focusing on the malware tool they named NullMixer.

According to an advisory published by the firm earlier today, NullMixer spreads malware via malicious websites that are easily found through popular search engines, including Google.

“These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper,” reads the advisory.

The researchers further explained that when users attempt to download software from one of these sites, they are redirected several times and eventually land on a page with download instructions and a password-protected archive containing the malware, presented as the desired software tool.

When a user extracts and executes NullMixer, however, it drops several malware files onto the compromised machine.

“These malware families may include backdoors, bankers, credential stealers and so on,” Kaspersky wrote. “For example, the following families are among those dropped by NullMixer: SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie, ColdStealer.”

At the time of writing, the researchers said that in 2022 alone they had blocked attempts to infect more than 47,778 victims worldwide, located mainly in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.

Kaspersky also said it is currently unable to attribute NullMixer to any specific group or threat actor.

More generally, the cybersecurity company warned individuals against trying to save money by using unlicensed software.

“A single file downloaded from an unreliable source can lead to a large-scale infection of a computer system,” the company wrote.

Several of the malware families dropped by NullMixer are classified by the company and the wider security community as Trojan-Downloaders, which themselves fetch further payloads. This means infections may not be limited to the malware families described in the report.

“Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a…
