Novel DJVU ransomware variant emerges
Novel DJVU ransomware variant emerges Attacks involving the use of cracked software have been distributing a novel version of the DJVU ransomware dubbed “Xaro” for its use of the .xaro extension for …
Tag Archive for: Variant
New Agent Tesla Variant Uses Excel Exploit to Infect Windows PC
The new Agent Tesla variant exploits CVE-2017-11882/CVE-2018-0802 vulnerability to execute the malware.
Key Findings
- A new variant of the Agent Tesla malware family is being used in a phishing campaign.
- The malware can steal credentials, keylogging data, and active screenshots from the victim’s device.
- The malware is spread through a malicious MS Excel attachment in phishing emails.
- The malware exploits an old security vulnerability (CVE-2017-11882/CVE-2018-0802) to infect Windows devices.
- The malware ensures persistence even when the device is restarted or the malware process is killed.
New Agent Tesla Variant Detected in Malicious Phishing Campaign
FortiGuard Labs threat researchers have detected a new variant of the notorious Agent Tesla malware family used in a phishing campaign. Report author Xiaopeng Zhang revealed that the malware can steal “credentials, keylogging data, and active screenshots” from the victim’s device. Stolen data is transferred to the malware operator through email or SMTP protocol. The malware mainly infects Windows devices.
For your information, Agent Tesla malware is also offered as a Malware-as-a-Service tool. The malware variants use a data stealer and .NET-based RAT (remote access trojan) for initial access.
How Phishers Trap Users?
This is a phishing campaign, so initial access is gained through a phishing email designed to trick users into downloading the malware. The email is a Purchase Order notification that asks the recipient to confirm their order from an industrial equipment supplier.
The email contains a malicious MS Excel attachment titled Order 45232429.xls. This document is in OLE format and contains crafted equation data that exploits an old security RCE vulnerability tracked as CVE-2017-11882/CVE-2018-0802 instead of using a VBS macro.
This vulnerability causes memory corruption in the EQNEDT32.EXE process and allows arbitrary code execution through ProcessHollowing method, in which a hacker replaces the executable file’s code with malicious code.
A shellcode download/execute the Agent Tesla file (dasHost.exe) from this link “hxxp://2395.128.195/3355/chromium.exe” onto the targeted…
New Python Variant of Chaes Malware Targets Banking and Logistics Industries
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes.
“It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,” Morphisec said in a new detailed technical write-up shared with The Hacker News.
Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.
A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.
Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence uncovered the malware’s use of Windows Management Instrumentation (WMI) in its infection chain to facilitate the collection of system metadata, such as BIOS, processor, disk size, and memory information.
The latest iteration of the malware, dubbed Chae$ 4 in reference to debug log messages present in the source code, packs in “significant transformations and enhancements,” including an expanded catalog of services targeted for credential theft as well as clipper functionalities.
Despite the changes in the malware architecture, the overall delivery mechanism has remained the same in attacks that were identified in January 2023.
Potential victims landing on one of the compromised websites are greeted by a pop-up message asking them to download an installer for Java Runtime or an antivirus solution, triggering the deployment of a malicious MSI file that, in turn, launches a primary orchestrator module known as ChaesCore.
The component is responsible for establishing a communication channel with the command-and-control (C2) server from where it fetches additional modules that support post-compromise activity and data theft –
- Init, which gathers extensive information about the system
- Online, which…
At least S$12 million lost in fake friend call scams since January; new variant involving Android malware
SINGAPORE: At least S$12 million (US$8.9 million) has been lost in fake friend call scams since January 2023, the police said on Wednesday (Jul 5), warning of a new variant involving malicious Android links.
At least 3,700 victims have fallen prey to such scams since the beginning of the year.
They would receive text messages or phone calls from unknown numbers – with or without the +65 prefix. Scammers would claim to be a friend or an acquaintance and ask the victims to guess their real identity.
Once a name is provided, the scammer would assume the identity of the victim’s friend and ask them to update their contact details.
“The scammers would contact the victims subsequently to ask for a loan and would claim that he or she is unable to perform a banking transaction or is experiencing financial difficulties,” said the police.
Victims would then be provided with a local bank account to transfer the money.
While there has been a “persistent trend” of such scams, the police said they have seen a new variant where scammers would send victims malicious links, asking them to help with simple tasks such as making purchases, reserving seats at a restaurant or tracking a missing phone.
“These malicious links will lead victims to either phishing sites and/or the download of an Android Package Kit (APK) file, an application created for Android’s operating system,” said the police, adding that victims would discover unauthorised transactions after keying in their banking credentials or card details.