Tag Archive for: Evasion

Jupyter Malware Variant Targets Browsers, Crypto-Wallets with Sophisticated Evasion Techniques


Security researchers have identified a significant uptick in attacks by a new, more sophisticated variant of the Jupyter malware, targeting popular browsers and crypto-wallets with advanced evasion techniques. This variant, also known as Yellow Cockatoo, Solarmarker, and Polazert, has been active since at least 2020 but has seen a resurgence with enhancements that make it harder to detect.

A Persistent Data-Stealing Cyber Threat

VMware’s Carbon Black team recently observed the malware leveraging PowerShell command modifications and legitimate-looking, digitally signed payloads to infect a growing number of systems. These modifications enhance Jupyter’s evasion capabilities, allowing it to backdoor machines and harvest a variety of credential information without detection. Morphisec and BlackBerry have further detailed its capabilities, including support for command and control communications and the execution of PowerShell scripts and commands, highlighting its function as a full-fledged backdoor.

Jupyter: Getting Around Malware Detection

The recent attacks have seen the Jupyter operator using valid certificates to digitally sign the malware, making it appear legitimate to malware detection tools. VMware researchers noted the malware’s use of SEO poisoning and search engine redirects as part of its attack chain, demonstrating its sophisticated credential harvesting and encrypted communication capabilities. Abe Schneider, threat analyst lead at Carbon Black, highlighted new improvements to the infostealer, including the use of an installer called InnoSetup, which serves as the first payload delivered to victim devices.

A Troubling Increase in Infostealers

Jupyter’s resurgence is part of a broader, concerning trend in the rise of infostealers, exacerbated by the shift to remote work during the COVID-19 pandemic. Organizations like Red Canary and Uptycs have reported sharp increases in infostealer distribution, with attackers leveraging the malware to gain quick, persistent, and privileged access to enterprise networks and systems. The demand for stolen data on criminal forums remains high, underscoring the ongoing threat posed…


Crypto an Unlikely Route for Russian Sanctions Evasion, Experts Say


Cyberattack ransoms and cryptocurrency mining are unlikely to generate enough revenue to replace regular business activity in sanctioned nations, digital money experts and former law-enforcement officials told a U.S. Senate hearing Thursday.

The amount of cash needed to operate a major economy far outstrips the ability of crypto markets to handle such volumes, witnesses said in testimony to the Senate’s Committee on Banking, Housing and Urban Affairs.

“You can’t flip a switch overnight and run a G-20 economy on cryptocurrency, there just isn’t enough liquidity,” said Michael Mosier, former acting director of the Financial Crimes Enforcement Network, an arm of the U.S. Treasury Department.

The hearing was held as fears grow that Russia may turn to cyberattacks and cryptocurrency to prop up its economy, which has been battered by an array of economic sanctions during its continuing invasion of Ukraine.

On March 11, ratings agency Moody’s Corp.’s Investors Service unit warned that banks, crypto platforms and intellectual property could become targets for Russian state-sponsored hackers.

“There is a growing risk that Russian government and nongovernment cyber actors will try to perpetrate cyberattacks on entities across sectors and regions as an illicit means of raising money,” Moody’s said.

At Thursday’s hearing, Sen. Elizabeth Warren (D., Mass.) said she was introducing a bill immediately that would authorize the White House and Treasury Department to sanction cryptocurrency firms that do business with already-sanctioned Russian entities. The aim is to close…


Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics


An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed.

Since first detected in 2019, a total of 84 attacks against its honeypot servers have been recorded to date, four of which transpired in 2021, according to researchers from DevSecOps and cloud security firm Aqua Security, who have been tracking the malware operation for the past three years. That said, 125 attacks have been spotted in the wild in the third quarter of 2021 alone, signaling that the attacks have not slowed down.

Initial attacks involved executing a malicious command upon running a vanilla image named “alpine:latest” that resulted in the download of a shell script named “autom.sh.”

“Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use,” the researchers said in a report shared with The Hacker News. “Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded.”

The shell script initiates the attack sequence: it creates a new user account named “akay,” elevates that account’s privileges to root, and then runs arbitrary commands on the compromised machine with the goal of mining cryptocurrency.

While early stages of the campaign in 2019 featured no special techniques to hide the mining activity, later versions show the extreme measures its developers have taken to keep it invisible to detection and inspection, chief among them being the ability to disable security mechanisms and retrieve an obfuscated mining shell script that was Base64-encoded five times to get around security tools.

Malware campaigns carried out to hijack computers to mine cryptocurrencies have been dominated by multiple threat actors such as Kinsing, which has been found scanning the internet for misconfigured Docker servers to break into the unprotected hosts and install a previously…


John McAfee arrested on US tax evasion charges

Anti-virus veteran John McAfee has been arrested in Spain on US tax evasion charges. According to the US Department of Justice, McAfee is charged with failing to file tax returns despite making millions of dollars promoting cryptocurrencies.
Graham Cluley