Tag Archive for: targeting

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

/in


A noticeable difference between NoaBot and Mirai is that rather than DDoS attacks, the botnet targets weak passwords connecting SSH connections to install cryptocurrency mining software.

Cybersecurity researchers at Akamai have discovered cryptomining malware called NoaBot based on the notorious Mirai botnet. The crytojacking malware NoaBot is currently targeting Linux servers and has been active since January 2023.

According to Akamai, a noticeable difference between NoaBot and Mirai is that rather than DDoS attacks (Distributed Denial of Service attacks), the malware targets weak passwords connecting SSH connections and installs cryptocurrency mining software, allowing attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth.

Here, it is important to mention that NoaBot malware has also been used to deliver P2PInfect, a separate worm discovered by Palo Alto Networks in July 2023.

NoaBot is compiled using the UClibc code library, unlike the standard Mirai library. This changes how the antivirus protections detect NoaBot, categorizing it as an SSH scanner or generic trojan. The malware is statically compiled and stripped of symbols, while strings are obfuscated instead of saved as plaintext, making it harder for reverse engineers to extract details.

The NoaBot binary runs from a randomly generated folder, making searching devices harder. The standard Mirai dictionary is replaced with a large one, and a custom-made SSH scanner is used. Post-breach capabilities include installing a new SSH-authorized key.

This botnet has grown significantly, with over 800 unique IP addresses worldwide showing signs of NoaBot infections. The worm is a customized version of Mirai, a malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices.

Interestingly, the malware includes embedded song lyrics from the “Who’s Ready for Tomorrow” song by Rat Boy and IBDY, but later samples do not have these. The botnet also adds command line arguments, such as the “noa” flag, which installs a persistence method after a reboot.

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer
Screenshot: Akamai
Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer
Screenshot: Akamai

Threat actors…

Source…

Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware

/in


Jan 06, 2024NewsroomMalware / Cyber Attack

No-Justice Wiper Malware

The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware “crashes the operating system in a way that it cannot be rebooted.”

The intrusions have been attributed to an Iranian “psychological operation group” known as Homeland Justice, which has been active since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it’s “back to destroy supporters of terrorists,” describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People’s Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign include an executable wiper and a PowerShell script that’s designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).

Cybersecurity

The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), which refers to the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer’s RAM.

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.

No-Justice Wiper Malware

The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

“Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks,” Check Point disclosed last month.

“By opportunistically targeting U.S. entities using…

Source…

Researchers Reveal “Most Sophisticated” iMessage Exploit Targeting iPhones

/in


Recently, the 37th Chaos Communication Congress took place in Hamburg, Germany. A team of cybersecurity experts, including Boris Larin from Moscow-based security firm Kaspersky, Leonid Bezvershenko, and Georgy Kucherin were part of the congress. They uncovered a series of zero-day vulnerabilities in iPhones, exploited through iMessage. This “Operation Triangulation” presentation marked the first public revelation of these susceptibilities and their exploitation methods.

Beware! Researchers Found iMessage Exploit

Reports claim that the attack, refined in its execution, starts with a seemingly harmless iMessage attachment. After that, the iMessage attachment exploits CVE-2023-41990. It is a vulnerability in an undocumented TrueType font instruction. Moreover, it also triggers a chain of events without any observable signs to the user. The exploit uses advanced techniques, including return/jump-oriented programming and a multi-staged JavaScript exploit, to achieve deep access to the device’s system.

For all those unaware, a “zero-day exploit” is similar to finding a secret way into a computer program or any system that nobody else knows about. In the case of Apple, even the people who made the program do not know about it. It is pertinent to mention here that there is no protection against it yet. The name “zero-day” means that the program makers have had zero days to resolve the problem because they just found out about it.

The researchers also disclosed how the attack exploits the JavaScriptCore debugging feature and an integer overflow vulnerability (CVE-2023-32434) to get read/write access to the entire physical memory of the machine at the user level. This strategy allows the hackers to bypass the Page Protection Layer (PPL).

It’s pertinent to mention that these exploits were patched by Apple’s iOS software updates with iOS and iPadOS 15.7.8 for older devices and 16.6. The presentation also highlighted the exploit’s ability to support older and newer iPhone models, including a Pointer Authentication Code (PAC) bypass for the latest models. The exploit’s sophistication is further evidenced by its use of hardware memory-mapped I/O (MMIO) registers.

PTA…

Source…

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks

/in


Dec 15, 2023NewsroomBotnet / Advanced Persistent Threat

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” the company said.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it’s too late. Register for our webinar today.

Join Now

The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots part of JDY engages in broader scanning using less sophisticated techniques, the KY component, featuring largely outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.

It’s suspected that Volt Typhoon is at least one user of the KV-botnet and it encompasses a subset of their operational infrastructure, which is evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor’s tactics, said it “tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism process used to breach the devices is currently unknown. It’s followed by the first-stage malware…

Source…