Tag Archive for: Stealthy

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks


Dec 15, 2023 | Newsroom | Botnet / Advanced Persistent Threat

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” the company said.


The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots that are part of JDY engage in broader scanning using less sophisticated techniques, the KV component, featuring largely outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.

It’s suspected that Volt Typhoon is at least one user of the KV-botnet and that the botnet forms a subset of the group’s operational infrastructure, as evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor’s tactics, said it “tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism used to breach the devices is currently unknown. It’s followed by the first-stage malware…

Source…

A Stealthy Multi-Platform Malware Leveraging NKN for DDoS Attacks


A recently discovered multi-platform malware named ‘NKAbuse,’ written in Go, has raised concerns as it marks the first instance of malware exploiting NKN (New Kind of Network) technology for data exchange. This approach poses a stealthy threat, using NKN, a decentralized peer-to-peer network protocol built on blockchain technology, to conduct distributed denial of service (DDoS) attacks. This article explores the details of NKAbuse, its modus operandi, and the challenges it poses to cybersecurity.


The NKN Technology Landscape:

NKN, a decentralized peer-to-peer network protocol, operates by leveraging blockchain technology to efficiently manage resources and establish a secure and transparent model for network operations. With the primary goal of optimizing data transmission speed and latency across the network, NKN achieves this by calculating efficient data packet travel paths. Individuals can participate in the NKN network by running nodes, contributing to its robustness, decentralization, and capacity to handle high volumes of data.

NKAbuse: Targeting Linux Systems in Specific Regions:

Kaspersky reports the discovery of NKAbuse, a novel malware that primarily targets Linux desktops, with notable infection instances identified in Mexico, Colombia, and Vietnam. The malware exploits an old Apache Struts flaw (CVE-2017-5638) to compromise Linux systems, demonstrating its adaptability by supporting multiple architectures, including MIPS, ARM, and 386.


NKN Exploitation for DDoS Attacks:

NKAbuse stands out by abusing NKN to launch DDoS attacks, characterized by their difficulty to trace and likelihood of evading detection by conventional security tools. The malware utilizes the NKN public blockchain protocol to execute flooding attacks and establish a backdoor within Linux systems. Its communication with the bot master through NKN allows it to send and receive data, while the ability to maintain multiple concurrent channels adds resilience to its communication line.


Versatile Capabilities: A Unique Threat in the DDoS Botnet Space:

Beyond its DDoS capabilities, NKAbuse functions as a remote access trojan (RAT) on compromised…

Source…

Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware


Aug 24, 2023 | THN | Cyber Attack / Hacking


The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT.

Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis published today.

What’s more, a closer examination of the adversary’s recycled attack infrastructure in its cyber assaults on enterprises has led to the discovery of a new threat dubbed CollectionRAT.

The fact that the Lazarus Group continues to rely on the same tradecraft despite those components being well-documented over the years underscores the threat actor’s confidence in their operations, Talos pointed out.

QuiteRAT is said to be a successor to MagicRAT, itself a follow-up to TigerRAT, while CollectionRAT appears to share overlaps with EarlyRAT (aka Jupiter), an implant written in PureBasic with capabilities to run commands on the endpoint.


“QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller,” security researchers Asheer Malhotra, Vitor Ventura, and Jungsoo An said. “Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.”

The use of the Qt framework is seen as an intentional effort on the part of the adversary to make analysis a lot more challenging as it “increases the complexity of the malware’s code.”

The activity, detected in early 2023, involved the exploitation of CVE-2022-47966, a mere five days after a proof-of-concept (PoC) for the flaw emerged online, to directly deploy the QuiteRAT binary from a malicious URL.


“QuiteRAT is clearly an evolution of MagicRAT,” the researchers said. “While MagicRAT is a bigger, bulkier malware family averaging around 18 MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5 MB in size.”

Another crucial difference between the two is the lack of a built-in persistence mechanism in QuiteRAT, necessitating that a command be issued from the server…

Source…

Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers


Feb 02, 2023 | Ravie Lakshmanan | Database Security / Cryptocurrency


At least 1,200 Redis database servers worldwide have been corralled into a botnet using an “elusive and severe threat” dubbed HeadCrab since early September 2021.

“This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers,” Aqua security researcher Asaf Eitani said in a Wednesday report.

A significant concentration of infections has been recorded in China, Malaysia, India, Germany, the U.K., and the U.S. to date. The origins of the threat actor are presently unknown.

The findings come two months after the cloud security firm shed light on a Go-based malware codenamed Redigo that has been found compromising Redis servers.

The attack is designed to target Redis servers that are exposed to the internet, followed by issuing a SLAVEOF command from another Redis server that’s already under the adversary’s control.


In doing so, the rogue “master” server initiates a synchronization of the newly hacked server to download the malicious payload, which contains the sophisticated HeadCrab malware.

“The attacker seems to mainly target Redis servers and has a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware,” Eitani noted.


While the ultimate goal of using the memory-resident malware is to hijack system resources for cryptocurrency mining, it also offers numerous other options that allow the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

What’s more, a follow-on analysis of the Redigo malware has revealed it to be weaponizing the same master-slave technique for proliferation, and not the Lua sandbox escape flaw (CVE-2022-0543) as previously disclosed.

Users are recommended to refrain from exposing Redis servers directly to the internet, disable the “SLAVEOF” feature in their environments if not in use, and configure the servers to only accept connections from trusted hosts.
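The three recommendations above can be checked mechanically against a server’s configuration file. The following is an added example, not code from the Aqua report or from the Redis project: it parses a redis.conf and flags the settings those recommendations target. It assumes the common practice of disabling SLAVEOF (and its REPLICAOF alias) through the rename-command directive, and both configuration fragments are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed redis.conf fragments (not taken from any real incident): one exposed, one hardened.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass change-me-in-production
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to the argument strings it appears with."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        args = parts[1] if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(args)
    return directives

def audit(text: str) -> List[str]:
    """Return findings against the advice: no direct internet exposure,
    replication (SLAVEOF/REPLICAOF) disabled, connections only from trusted hosts."""
    d = parse_conf(text)
    findings: List[str] = []
    binds = " ".join(d.get("bind", [])).split()
    # No bind line, or a wildcard address, means the server listens on every interface.
    if not binds or any(a.lstrip("-") in ("0.0.0.0", "::", "*", "::*") for a in binds):
        findings.append("bind: listens on all interfaces (exposed beyond trusted hosts)")
    if d.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    if not d.get("requirepass"):
        findings.append("requirepass: missing, so no authentication is required")
    # A command renamed to "" is disabled; both the old and new replication names must be covered.
    disabled = {re.split(r"\s+", a)[0].upper() for a in d.get("rename-command", []) if a.endswith('""')}
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append("SLAVEOF/REPLICAOF still enabled: a rogue master could push a payload via replication")
    return findings
```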

Eitani said “HeadCrab will persist in using cutting-edge techniques to penetrate servers, either through…

Source…