Tag Archive for: windows

ZenRAT Malware Targets Windows Users Via Fake Bitwarden Password Manager Installation Package

/in


Windows operating systems are the target of new malware dubbed ZenRAT by U.S.-based cybersecurity company Proofpoint. The attackers built a website that impersonates the popular Bitwarden password manager; if accessed via Windows, the fake site delivers the ZenRAT malware disguised as Bitwarden software. It’s currently unknown if the malware is used by threat actors for cyberespionage or for financial fraud.

We’ll delve into the technical details and share more information from Proofpoint researchers, as well as provide tips on mitigating this ZenRAT malware threat.

Jump to:

What is ZenRAT malware, and what happens when it’s executed?

ZenRAT is malware developed in .NET. It was previously unreported and specifically targets Microsoft Windows operating systems. Once executed, the ZenRAT malware queries the system to gather information:

  • CPU and GPU names.
  • Operating system version.
  • RAM capabilities.
  • IP address and gateway IP address.
  • Installed software including antivirus.

The data is sent as a ZIP archive file to its command and control server, along with stolen browser data and credentials. The ZIP file contains two files named InstalledApps.txt and SysInfo.txt. Proofpoint told TechRepublic that they ” … observed ZenRAT stealing data from both Chrome and Firefox” and believe “It’s reasonable to assume that it would have support for most Chromium-based browsers.”

The malware executes several checks when running. For starters, it checks that it doesn’t operate from Belarus, Kyrgyzstan, Kazakhstan, Moldova, Russia or Ukraine.

Then, the malware ensures it doesn’t already run on the system by checking for a specific mutex and that the hard drive isn’t less than 95GB in size, which might indicate a sandbox system to the malware. It also checks for known virtualization products’ process names to verify it isn’t running in a virtualized environment.

Once the checks have been passed, the malware sends a ping command to be sure it’s connected to the internet, and checks if there is an update for the malware.

In addition, the malware has the ability to send its log files to the C2 server in clear text, probably for debugging…

Source…

New Agent Tesla Variant Uses Excel Exploit to Infect Windows PC

/in


The new Agent Tesla variant exploits CVE-2017-11882/CVE-2018-0802 vulnerability to execute the malware. 

Key Findings

  • A new variant of the Agent Tesla malware family is being used in a phishing campaign.
  • The malware can steal credentials, keylogging data, and active screenshots from the victim’s device.
  • The malware is spread through a malicious MS Excel attachment in phishing emails.
  • The malware exploits an old security vulnerability (CVE-2017-11882/CVE-2018-0802) to infect Windows devices.
  • The malware ensures persistence even when the device is restarted or the malware process is killed.

New Agent Tesla Variant Detected in Malicious Phishing Campaign

FortiGuard Labs threat researchers have detected a new variant of the notorious Agent Tesla malware family used in a phishing campaign. Report author Xiaopeng Zhang revealed that the malware can steal “credentials, keylogging data, and active screenshots” from the victim’s device. Stolen data is transferred to the malware operator through email or SMTP protocol. The malware mainly infects Windows devices.

For your information, Agent Tesla malware is also offered as a Malware-as-a-Service tool. The malware variants use a data stealer and .NET-based RAT (remote access trojan) for initial access.

How Phishers Trap Users?

This is a phishing campaign, so initial access is gained through a phishing email designed to trick users into downloading the malware. The email is a Purchase Order notification that asks the recipient to confirm their order from an industrial equipment supplier.

The email contains a malicious MS Excel attachment titled Order 45232429.xls. This document is in OLE format and contains crafted equation data that exploits an old security RCE vulnerability tracked as CVE-2017-11882/CVE-2018-0802 instead of using a VBS macro.

This vulnerability causes memory corruption in the EQNEDT32.EXE process and allows arbitrary code execution through ProcessHollowing method, in which a hacker replaces the executable file’s code with malicious code.

A shellcode download/execute the Agent Tesla file (dasHost.exe) from this link “hxxp://2395.128.195/3355/chromium.exe” onto the targeted…

Source…

LockBit ransomware gang steals data related to security of UK military bases, due to unpatched Windows 7 PC • Graham Cluley

/in


LockBit ransomware gang steals data related to security of UK military bases

An attack by the notorious LockBit ransomware gang stole 10 GB of data from a company that provides high-security fencing for military bases.

Zaun says that on 5-6 August a “sophisticated cyber attack” saw hackers exploit an obsolete Windows 7 PC to gain access to the company’s servers, and exfiltrate data which has since been published on the dark web.

According to the firm, classified documents are not believed to have been included in the haul:

“LockBit will have potentially gained access to some historic emails, orders, drawings and project files, we do not believe that any classified documents were stored on the system or have been compromised. We are in contact with relevant agencies and will keep these updated as more information becomes available. This is an ongoing investigation and as such subject to further updates.”

In what appears to be an attempt to reduce concern about the security breach, Zaun says that its perimeter fencing is hardly top secret:

“Zaun is a manufacturer of fencing systems and not a Government approved security contractor. As a manufacturer of perimeter fencing, any member of the public can walk up to our fencing that has been installed at these sites and look at it.”

Well, maybe that’s the case. But I would still be alarmed if there was sensitive information contained in the emails and other documents that were stolen. For instance, the contact details of personnel at military sites, or the specifics of a most sensitive area’s physical security.

I get the feeling that Zaun may know what it is doing when it comes to physical security, but may be lagging a little behind when it comes to digital security. Mainstream support for Windows 7 ended back in 2015.

Even if your organisation had managed to get itself on the list for extended Windows 7 security updates, the very last time you were able to receive them was until January 2023.

Zaun says it has contacted the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) about the data breach.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the…

Source…

Watch out for this new malicious ransomware disguised as Windows updates

/in


Is that really a Windows update you are about to click on? Or ransomware in disguise? As first documented by Fortinet FortiGuard Labs and followed up by Trend Micro, new ransomware is currently on the rise and disguising itself as fake Windows updates and Word installers as part of a malvertising campaign. Also, multiple variants of this ransomware have been discovered.

Here’s what we know so far and what you can do to protect yourself.

CLICK TO GET KURT’S FREE CYBERGUY NEWSLETTER WITH SECURITY ALERTS, QUICK TIPS, TECH REVIEWS AND EASY HOW-TO’S TO MAKE YOU SMARTER

The ransomware, which is called Big Head, infects devices and encrypts the device’s files by displaying a fake Windows update alert on the victim’s computer. Three encrypted executable files are deployed in the attack – one for propagating the malware, one for facilitating communications via Telegram, and one for encrypting the files and displaying the fake Windows update.

If a person clicks on this fake Windows update alert, Big Head will begin its attack by deleting backups, checking the virtualized environment, disabling the computer’s Task Manager to prevent the user from deleting it, and more.

Trend Micro flow chart

The ransomware, which is called Big Head, infects devices and encrypts the device’s files by displaying a fake Windows update alert on the victim’s computer.

There have also been variants discovered of the Big Head ransomware that are capable of stealing web browser history, directory lists, running processes, product keys and network information. Most of the samples of this ransomware have been submitted from the U.S., France, Turkey and Spain.

READ ON THE FOX NEWS APP

RUSSIAN RANSOMWARE ATTACK SOFTWARE TARGETS APPLE MAC AND MACBOOK

Ransomware criminals will try to get you to pay money to them to get your files back. However, paying the ransom does not guarantee that you will regain access to anything a criminal takes from you and will only permit them to do it more.

Your best bet is to prevent an attacker from gaining access to your files altogether so that you don’t have to try to fight to get them back. Here are some of my tips for avoiding having your files stolen in a ransomware attack.

If you receive an…

Source…