Tag Archive for: Variant

‘Purple Fox’ Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks



The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software.

“Users’ machines are targeted via trojanized software packages masquerading as legitimate application installers,” Trend Micro researchers said in a report published on March 25, 2022. “The installers are actively distributed online to trick users and increase the overall botnet infrastructure.”


The findings follow prior research from Minerva Labs that shed light on a similar modus operandi of leveraging fraudulent Telegram applications to distribute the backdoor. Other disguised software installers include WhatsApp, Adobe Flash Player, and Google Chrome.

These packages act as a first-stage loader, triggering an infection sequence that leads to the deployment of a second-stage payload from a remote server and culminating in the execution of a binary that inherits its features from FatalRAT.


FatalRAT is a C++-based implant designed to run commands and exfiltrate sensitive information back to a remote server, with the malware authors incrementally updating the backdoor with new functionality.

“The RAT is responsible for loading and executing the auxiliary modules based on checks performed on the victim systems,” the researchers said. “Changes can happen if specific [antivirus] agents are running or if registry keys are found. The auxiliary modules are intended as support for the group’s specific objectives.”


Furthermore, Purple Fox's rootkit module supports five different commands, including copying and deleting files from the kernel as well as evading antivirus engines by intercepting calls sent to the file system.


The findings also follow recent disclosures from cybersecurity firm Avast, which detailed a new campaign that involved the Purple Fox exploitation framework acting as a deployment channel for another botnet called DirtyMoe.

“Operators of the Purple Fox botnet are still active and consistently updating their arsenal with new malware, while also upgrading the malware variants they have,” the researchers said….


New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin



A new version of the MyloBot malware has been observed deploying malicious payloads that are used to send sextortion emails demanding that victims pay $2,732 in digital currency.

MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems.

Chief among its methods to evade detection and stay under the radar are a delay of 14 days before accessing its command-and-control servers and the ability to execute malicious binaries directly from memory.


MyloBot also leverages a technique called process hollowing, wherein the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses. This is achieved by unmapping the memory allocated to the live process and replacing it with the arbitrary code to be executed, in this case a decoded resource file.

“The second stage executable then creates a new folder under C:\ProgramData,” Minerva Labs researcher Natalie Zargarov said in a report. “It looks for svchost.exe under a system directory and executes it in suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”


APC injection, similar to process hollowing, is also a process injection technique that enables the insertion of malicious code into an existing victim process via the asynchronous procedure call (APC) queue.


The next phase of the infection involves establishing persistence on the compromised host, using the foothold as a stepping stone to establish communications with a remote server to fetch and execute a payload that, in turn, decodes and runs the final-stage malware.

This malware is designed to abuse the endpoint to send extortion messages alluding to the recipients’ online behaviors, such as visiting porn sites, and threatening to leak a video that was allegedly recorded by breaking into their computers’ webcam.

Minerva Labs’ analysis of the malware also reveals its ability to download additional files, suggesting that the threat actor left behind a backdoor for carrying out further…


Fears of new omicron Covid variant prompt Israel to ban entry to foreigners


Israel will on Sunday become the first country to ban the entry of all foreigners as the world races to understand and contain the new worrying variant of Covid-19 that emerged in southern Africa. The government also promised to use controversial phone-tracking technology to track and locate cases of the new omicron variant.

While no cases of the new variant have been detected in the United States, the nation’s leading infectious disease expert, Dr. Anthony Fauci, told NBC News that mutations displayed by omicron indicate that it may be highly transmissible and able to escape the body’s immune response, including the protection rendered by antibodies induced by the vaccines.

“You don’t want to frighten the American public but when something occurs that you need to take seriously, you take it seriously and you do whatever you can to mitigate against that,” Fauci said. 

Travelers wearing protective face masks arrive at the Ben Gurion Airport near Tel Aviv on Sunday. (Ariel Schalit / AP)

“If ever there was a reason for unvaccinated people to get vaccinated, and for those who have been vaccinated, when your time comes up, to go and get a booster shot,” he added.

The U.S. has restricted travel from South Africa and seven neighboring countries, effective Monday. 

But experts, including Fauci, have told NBC News the variant could already be in the U.S.

“It’s already here,” NBC News’ medical contributor Dr Kavita Patel said. “We know from previous variants that by the time we pick it up in Africa and the European Union, it’s already likely.”

While there is still little understanding about omicron and how virulent it can be, a South African doctor who treated early cases of the variant told the BBC Sunday that countries could be “panicking unnecessarily” and the symptoms she had seen were “extremely mild.”

Dr Angelique Coetzee said she had first encountered the variant in patients who had fatigue, aches and pains, but no cough or change in sense of smell or taste, the BBC said. But she acknowledged that understanding of the variant was still developing.

Dr Angelique Coetzee, chair of the South African Medical Association, said she had first encountered the variant in patients…


COVID-19 themed malware and credential theft campaigns make a resurgence as Delta variant spreads


Proofpoint finds COVID-19 themed email threats make a resurgence as the Delta variant spreads.

Since late June 2021, Proofpoint has observed high volumes of COVID-19 themed threats distributing malware and credential theft campaigns, including a Microsoft credential theft campaign targeting thousands of organisations globally. Proofpoint researchers also identified an increase in business email compromise, with threat actors posing as human resource professionals to gain an individual’s trust.  

The new attacks follow a lull in COVID-19-themed threat campaigns through the Spring and early Summer of 2021. Now, multiple types of high-volume threats have pivoted back to using COVID-19 social engineering themes as global concern about the Delta variant rises. 

Proofpoint has been tracking ongoing threats using COVID-19 and related coronavirus themes since the beginning of the pandemic. TA452, known to distribute Emotet, first began using COVID-19 in email threats in January 2020. Although the virus has remained an ongoing theme, researchers have observed a significant increase in messages leveraging COVID-19 in recent months. 

Since late June 2021, Proofpoint has observed a high volume of COVID-19 themed campaigns distributing RustyBuer, Formbook, and Ave Maria malware, in addition to multiple corporate phishing attempts to steal Microsoft and O365 credentials. The researchers also found an increase in business email compromise threats using COVID-19 themes during this timeframe.

“The increase in COVID-19 themes in our data aligns with public interest in the highly contagious COVID-19 Delta variant,” says Proofpoint.

“According to global Google Trend data, worldwide searches for “Delta variant” first peaked the last week in June 2021 and have continued through August 2021 so far. The increase in COVID-19 related threats is global. We observed tens of thousands of messages intended for customers in various industries worldwide.” 

Open-source data also supports a greater threat actor adoption of COVID-19 themes. South Korea, for example, recently raised its cyber threat warning level in response to an increase of threats related to its COVID-19 relief programs. 

Threat actors…
