Tag Archive for: Variant

New AdLoad malware variant slips through Apple’s XProtect defenses

/in


New AdLoad malware variant slips through Apple's XProtect defenses

A new AdLoad malware variant is slipping through Apple’s YARA signature-based XProtect built-in antivirus tech to infect Macs as part of multiple campaigns tracked by American cybersecurity firm SentinelOne.

AdLoad is a widespread trojan targeting the macOS platform since at least since late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs), 

This malware can also harvest system information that later gets sent to remote servers controlled by its operators.

Increasingly active since July

These massive scale and ongoing attacks have started as early as November 2020, according to SentinelOne threat researcher Phil Stokes, with an increase in activity beginning with July and the beginning of August.

Once it infects a Mac, AdLoad will install a Man-in-The-Middle (MiTM) web proxy to hijack search engine results and inject advertisements into web pages for monetary gain.

It will also gain persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, user cronjobs that run every two and a half hours.

While monitoring this campaign, the researcher observed more than 220 samples, 150 of them unique and undetected by Apple’s built-in antivirus even though XProtect now comes with roughly a dozen AdLoad signatures.

Many of the samples detected by SentinelOne are also signed with valid Apple-issued Developer ID certificates, while others are also notarized to run under default Gatekeeper settings.

XProtect AdLoad signatures
XProtect AdLoad signatures (SentinelOne)

“At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules,” Stokes concluded.

“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”

Hard to ignore threat

To put things into perspective, Shlayer, another common macOS malware strain that has also been able to bypass XProtect…

Source…

New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild

/in


Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy Mirai variants on compromised systems.

“Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” Palo Alto Networks’ Unit 42 Threat Intelligence Team said in a write-up.

The rash of vulnerabilities being exploited include:

  • VisualDoor — a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
  • CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
  • CVE-2021-27561 and CVE-2021-27562 – Two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
  • CVE-2021-22502 – an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
  • CVE-2019-19356 – a Netis WF2419 wireless router RCE exploit, and
  • CVE-2020-26919 – a Netgear ProSAFE Plus RCE vulnerability

Also included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with MooBot.

The attacks are said to have been detected over a month-long period starting from February 16 to as recent as March 13.

Regardless of the flaws used to achieve successful exploitation, the attack chain involves the use of wget utility to download a shell script from the malware infrastructure that’s then used to fetch Mirai binaries, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.

Besides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.

“The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,” the researcher said.

New ZHtrap Botnet…

Source…

New Grelos skimmer variant reveals overlap in Magecart group activities, malware infrastructure

/in


A new variant of a skimmer has revealed the increasingly muddy waters associated with tracking groups involved in Magecart-style attacks. 

On Wednesday, researchers from RiskIQ described how a new Grelos skimmer has shown there is “increased overlaps” in Magecart infrastructure and groups, with this malware — alongside other forms of skimmer — now being hosted on domain infrastructure used by multiple groups, or connected via WHOIS records, known phishing campaigns, and the deployment of other malware, creating crossovers that can be difficult to separate. 

See also: Magecart group uses homoglyph attacks to fool you into visiting malicious websites

Magecart is an umbrella term used to describe information stealing campaigns and threat actors that specialize in the theft of payment card data from e-commerce websites. 

Several years ago, well-known brands including British Airways and Ticketmaster became the first major victims of this form of attack, and since then, countless websites have fallen prey to the same technique. 

The new variant of the Grelos skimmer, malware that has been around since at least 2015 and associated with Magecart groups 1 and 2, is similar to a separate strain described by researcher @AffableKraut in July. This variant is a WebSocket-based skimmer that uses base64 obfuscation to hide its activities. 

“We believe this skimmer is not directly related to Group 1-2’s activity from 2015-16, but instead a rehash of some of their code,” RiskIQ says. “This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over.”

CNET: Trump fires top cybersecurity official for debunking election fraud claims

Following a Magecart attack on Boom! Mobile, RiskIQ examined links established by Malwarebytes and this attack, in which the Fullz House group loaded malicious JavaScript on the mobile network provider to scrape customer data.

The domains used in this cyberattack led the team to a cookie and associated skimmer websites, including facebookapimanager[.]com and googleapimanager[.]com.

However, instead of finding the Fullz House…

Source…