Tag Archive for: targeting

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

/in


Jan 27, 2024NewsroomMalware / Software Update

AllaKore RAT Malware

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

Cybersecurity

The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file that’s either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor’s links to Latin America come from the use of Mexico Starlink IPs used in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social…

Source…

Feds: Androxgh0st Botnet Is Targeting AWS, Office 365, and Azure Credentials

/in


Federal cybersecurity officials are warning server and website owners of a spike in Androxgh0st malware, which is targeting Amazon Web Services (AWS), Microsoft Office 365, SendGrip, and Twilio credentials.

The botnet has been around since late 2022 and is often used to steal credentials for use in spam or crypto-mining. According to FortiGuard Labs, the botnet has control of approximately 30,000 devices as of this week, though that’s down from 50,000 in the first week of January.

The botnet is capable of abusing the Simple Mail Transfer Protocol (SMTP) as well as application programming interfaces (APIs), according to a report from the Cybersecurity and Infrastructure Security Agency (CISA). Bleeping Computer says SendGrip and Twilio credentials can be “used by threat actors to conduct spam campaigns impersonating the breached companies.”

Recommended by Our Editors

CISA outlines how to check and see if your server is compromised and alternative monikers that you may see instead of Androxgh0st. The FBI and CISA also posted several mitigations that organizations can take to ensure that they stay safe from the botnet. They include:

  • Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.

  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it.

  • Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from ENV files and revoke them.

  • On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the ENV file for unauthorized access or use.

  • Scan the server’s file system for unrecognized PHP files.

  • Review outgoing GET requests (via cURL command) to file hosting sites.

Like What You’re Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links….

Source…

Homeland Security warns federal agencies of hackers targeting Google Chrome, Excel spreadsheets

/in


The Cybersecurity and Infrastructure Security Agency, or CISA, is issuing a new warning: your Google Chrome browser and Excel spreadsheets could be at risk of an attack. The agency identified two new exploits that could give hackers easy access to your computer.

Federal agencies have until January 23 to make sure they’re protected. Here are some ways to make sure you’re protected too.

CLICK TO GET KURT’S FREE CYBERGUY NEWSLETTER WITH SECURITY ALERTS, QUICK VIDEO TIPS, TECH REVIEWS, AND EASY HOW-TO’S TO MAKE YOU SMARTER

Homeland Security warns federal agencies of hackers targeting Google Chrome, Excel spreadsheets

Microsoft logo on keyboard (Kurt “CyberGuy” Knutsson)

Microsoft Excel’s new exploit

Hackers are targeting Microsoft Excel using a huge vulnerability in a library that reads Excel files. The bug is in a library called Spreadsheet::ParseExcel. It allows hackers to run malware remotely. Specifically, hackers can utilize a string in the library to run programs on your computer.

This exploit has popped up before. Security firm Barracuda noticed Chinese hackers using the exploit last month. They would create custom Excel attachments to exploit the bug and run any program they wanted to.

While Barracuda addressed this with a patch, they say open-source libraries could still be at risk. The company also issued a warning to anyone who uses Spreadsheet::ParseExcel, recommending they review the bug and take any necessary action.

Homeland Security warns federal agencies of hackers targeting Google Chrome, Excel spreadsheets

Google Chrome browser on laptop (Kurt “CyberGuy” Knutsson)

MORE: THE 7 SIGNS YOU’VE BEEN HACKED

Google Chrome’s bug

Google’s eighth day zero attack comes in the form of an attack on an open-source project. WebRTC allows web browsers and mobile applications to communicate in real-time. However, hackers are using it to overload your browser and either cause it to crash or give them permission to do whatever they want. This exploit doesn’t just affect Google Chrome. It also affects other open-source web browsers using WebRTC to communicate. Google issued an emergency fix just last month, but there’s more you can do to protect yourself.

Four essential tips to secure your devices and data from hackers and scammers 

To protect yourself from malicious hackers and scammers, we recommend you do the following four things.

1) Be cautious about using open-source…

Source…

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

/in


A noticeable difference between NoaBot and Mirai is that rather than DDoS attacks, the botnet targets weak passwords connecting SSH connections to install cryptocurrency mining software.

Cybersecurity researchers at Akamai have discovered cryptomining malware called NoaBot based on the notorious Mirai botnet. The crytojacking malware NoaBot is currently targeting Linux servers and has been active since January 2023.

According to Akamai, a noticeable difference between NoaBot and Mirai is that rather than DDoS attacks (Distributed Denial of Service attacks), the malware targets weak passwords connecting SSH connections and installs cryptocurrency mining software, allowing attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth.

Here, it is important to mention that NoaBot malware has also been used to deliver P2PInfect, a separate worm discovered by Palo Alto Networks in July 2023.

NoaBot is compiled using the UClibc code library, unlike the standard Mirai library. This changes how the antivirus protections detect NoaBot, categorizing it as an SSH scanner or generic trojan. The malware is statically compiled and stripped of symbols, while strings are obfuscated instead of saved as plaintext, making it harder for reverse engineers to extract details.

The NoaBot binary runs from a randomly generated folder, making searching devices harder. The standard Mirai dictionary is replaced with a large one, and a custom-made SSH scanner is used. Post-breach capabilities include installing a new SSH-authorized key.

This botnet has grown significantly, with over 800 unique IP addresses worldwide showing signs of NoaBot infections. The worm is a customized version of Mirai, a malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices.

Interestingly, the malware includes embedded song lyrics from the “Who’s Ready for Tomorrow” song by Rat Boy and IBDY, but later samples do not have these. The botnet also adds command line arguments, such as the “noa” flag, which installs a persistence method after a reboot.

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer
Screenshot: Akamai
Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer
Screenshot: Akamai

Threat actors…

Source…