Tag Archive for: Word

A sneaky new steganography malware is exploiting Microsoft Word — hundreds of firms around the world hit by attack


Hackers have been observed using steganography to target hundreds of organizations in Latin America with infostealers, remote access trojans (RATs), and more.

The campaign, dubbed SteganoAmor, was discovered by researchers from Positive Technologies.

Source…

Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware


Dec 22, 2023 | Newsroom | Social Engineering / Malware Analysis


A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.

“Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers’ unfamiliarity can hamper their investigation,” Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said.

Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it.

This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti.

The attack chain documented by Netskope begins with a phishing email carrying a Word document attachment. When opened, the document urges the recipient to enable macros, which triggers deployment of the Nim malware. The sender poses as a Nepali government official.

Once launched, the implant enumerates running processes to check for known analysis tools on the infected host and terminates itself if it finds one.


Otherwise, the backdoor connects to a remote server whose domain mimics Nepali government domains, including that of the National Information Technology Center (NITC), and awaits further instructions. The command-and-control (C2) servers, which are no longer accessible, were:

  • mail[.]mofa[.]govnp[.]org
  • nitc[.]govnp[.]org
  • mx1[.]nepal[.]govnp[.]org
  • dns[.]govnp[.]org
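Two checks a defender would run against the artifacts in this chain: whether a Word attachment actually carries a VBA project (the "enable macros" lure only works if one is present), and whether a reported C2 host is a lookalike of a real `.gov.np` domain rather than a genuine one. The following is an added example written for this page, not Netskope's code. The minimal OOXML container it builds is constructed for the demo, and the `govnp`/`gov`-label heuristic in `looks_like_gov_np` is an assumption drawn from the four hostnames listed above, not a general typosquat detector.

```python
"""Triage helpers for a macro-lure Word attachment and a defanged C2 list (added example)."""
import io
import zipfile

# The legitimate second-level suffix the listed C2 hosts imitate.
LEGIT_GOV_SUFFIX = ["gov", "np"]

# Defanged indicators exactly as published in the report above.
C2_IOCS = [
    "mail[.]mofa[.]govnp[.]org",
    "nitc[.]govnp[.]org",
    "mx1[.]nepal[.]govnp[.]org",
    "dns[.]govnp[.]org",
]


def has_vba_project(doc_bytes: bytes) -> bool:
    """Return True if an OOXML Word file (.docx/.docm) contains a VBA project.

    OOXML files are zip containers; macros live in word/vbaProject.bin.
    Renaming a .docm to .docx does not remove that part, so inspect the
    archive rather than trusting the extension.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        # Not OOXML at all (legacy .doc is an OLE2 compound file, not handled here).
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # OLE2 magic bytes followed by padding stand in for a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in threat reports ([.] and hxxp)."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def looks_like_gov_np(host: str) -> bool:
    """Flag a host that imitates *.gov.np without actually being under gov.np.

    Heuristic (assumption for this example): a host is a lookalike if it is not
    under gov.np but contains a label 'govnp' (the pattern in the C2 list above)
    or a bare 'gov' label inside some other registrable domain.
    """
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == LEGIT_GOV_SUFFIX:
        return False  # genuinely under gov.np
    return "govnp" in labels or "gov" in labels


def triage_c2_list(iocs):
    """Map each refanged host to whether it is a gov.np lookalike."""
    return {refang(i): looks_like_gov_np(refang(i)) for i in iocs}


if __name__ == "__main__":
    print("macro doc flagged:", has_vba_project(build_sample_docx(True)))
    print("clean doc flagged:", has_vba_project(build_sample_docx(False)))
    for host, flagged in triage_c2_list(C2_IOCS).items():
        print(f"{host:28} lookalike={flagged}")
```

For production use, replace the label heuristic with a check against the Public Suffix List plus an allowlist of the agency's real domains; the point here is that every host in the report resolves under `govnp.org`, a registrable domain unrelated to Nepal's `gov.np` hierarchy.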

“Nim is a statically typed compiled programming language,” the researchers said. “Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different…

Source…

Konni Group Uses Weaponized Word Documents to Deliver RAT Malware


The resurgence of NetSupport RAT, a remote access trojan (RAT), has raised concerns among security professionals.

This sophisticated malware, initially developed as a legitimate remote administration tool, has been repurposed by malicious actors to infiltrate systems and establish remote control.

NetSupport Manager, the software upon which NetSupport RAT is based, originated as a genuine remote technical support tool three decades ago. 

It provided capabilities for file transfers, support chat, inventory management, and remote access. 

While its initial purpose was legitimate, threat actors have exploited its functionalities for malicious purposes.


In collaboration with the Threat Analysis Unit, the Carbon Black Managed Detection & Response (MDR) team has witnessed a significant increase in NetSupport RAT infections in recent weeks. 

This surge primarily affects Education, Government, and Business Services organizations.

Delivery Mechanisms and Actor Landscape

The distribution of NetSupport RAT involves a variety of tactics, including fraudulent updates, drive-by downloads, exploitation of malware loaders like GhostPulse, and phishing campaigns. 

Unlike some malware exclusively utilized by specific threat actors, NetSupport RAT has been employed by a range of malicious entities, from novice hackers to sophisticated adversaries.

Recent NetSupport RAT attacks typically involve tricking victims into downloading fake browser updates from compromised websites. 

The initial infection process may vary depending on the specific threat actor’s methodology.

One observed infection scenario involves a victim downloading a fake browser update from a compromised website.

The compromised site serves a PHP script that renders a seemingly authentic update prompt.

Upon…

Source…

Despite word of ‘radical malware attack,’ it took hours to shut down Suffolk’s computer network


The email sent at 11:18 a.m. on Sept. 8 from a top computer manager at the Suffolk County Clerk’s Office to the Bellone administration’s technology commissioner was as blunt as it was chilling.

“We are currently experiencing a radical malware attack and we shut down all outside access to the systems until such time as we are safe,” said the email, which was obtained by Newsday.

Yet more than four hours elapsed before the rest of the county's computer networks, encompassing nearly 600 servers from Hauppauge to Riverhead, were cut off from the outside world, starting the clock on the county's broader response to one of the most devastating ransomware attacks ever suffered by a U.S. municipality of any size.

A series of emails obtained by Newsday from the day of the attack and the day prior show that awareness of the attack had been slowly dawning on technology staff and officials in the 24 hours preceding the shutdown. Among those was the actual ransomware message, first circulated at 10:53 a.m. on Sept. 8, 25 minutes before the clerk’s office shut down.

WHAT TO KNOW

  • More than four hours passed between the time Suffolk County was warned of a “radical malware attack” and most of the county’s computer networks were shut down.
  • Emails obtained by Newsday show that awareness of the attack had been slowly dawning on technology staff and officials in the 24 hours preceding the shutdown.
  • The cyberattack on Suffolk could be one of the most expensive attacks in U.S. history on municipal governments.

Whether the four-hour lag in shutting down all county computer networks caused a sizable loss of data is open for debate. One tech expert called it "significant," but said that considerably more data could have been taken in the days and weeks before the BlackCat/ALPHV message was first noted in the 10:53 a.m. email. Suffolk Comptroller John M. Kennedy Jr. said it likely made the difference between the clerk's unscathed backup data and the impacts that continue to ripple through Bellone administration operations.

The emails obtained by Newsday provide a limited look inside the attack at the time it was happening, chiefly…

Source…