Hacker group hides malware in images to target Ukrainian organizations


A group of attackers targeting Ukraine-affiliated organizations has been delivering malicious payloads hidden within the pixels of image files. Known as steganography, it is just one of many advanced techniques the group uses to evade detection as part of a malware loader known as IDAT.

Tracked as UAC-0184 by several security firms, as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine’s 3rd Separate Assault Brigade and the Israeli Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.

“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography approach in delivering malicious payloads after the initial compromise.

Staged malware injection ends with Remcos trojan

The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.

“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”

The infection happens in stages, with the first stage making a call to a remote URL to access a .js (JavaScript) file. The code in this file tells the executable where to look for an…

WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams


Aug 19, 2023 | THN | Malvertising / Website Security

Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that’s engineered to conduct tech support scams.

The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve next-stage JavaScript that redirects users to a browser locker (aka browlock).

This redirection mechanism, in turn, makes use of steganographic tricks to conceal the JavaScript code within a PNG image that’s served only when the validation phase is successful. Should a user be detected as a bot or not interesting traffic, a decoy PNG file without the malicious code is used.

WoofLocker is also known as 404Browlock due to the fact that visiting the browlock URL directly without the appropriate redirection or one-time session token results in a 404 error page.

The cybersecurity firm’s latest analysis shows that the campaign is still ongoing.

“The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts,” Jérôme Segura, director of threat intelligence at Malwarebytes, said.

“It is just as difficult to reproduce and study the redirection mechanism now as it was then, especially in light of new fingerprinting checks” to detect the presence of virtual machines, certain browser extensions, and security tools.

A majority of the sites loading WoofLocker are adult websites, with the infrastructure using hosting providers in Bulgaria and Ukraine that give the threat actors stronger protection against takedowns.

The primary goal of browser lockers is to get targeted victims to call for assistance with (non-existent) computer problems, so that the scammers can gain remote control of the computer and draft an invoice recommending that affected individuals pay for a security solution to address the problem.

“This is handled by third-parties via fraudulent call centers,” Segura noted back in 2020. “The threat actor behind the traffic redirection and browlock will get paid for each successful…

Chinese malware hides in App Store apps for macOS


A Chinese publisher has managed to slip past Apple’s vetting, and Apple has accepted malicious applications onto the App Store for macOS.

Apple builds much of its messaging around the security of the App Store, its application store, using it to justify an ecosystem more closed than Android or Windows. But even Apple is not infallible and can overlook threats. This is according to a report by Alex Kleber, a cybersecurity researcher, who identified several malicious Chinese apps on the macOS App Store.

The investigation uncovered seven different Apple developer accounts, all actually belonging to a single China-based publisher. Applications from this publisher contain hidden malware that can receive commands from a server. The malicious code can therefore be activated only after the application in question has been published on the App Store, which lets it evade Apple’s review.

Investigation report about the abuse of the Mac App store

Using this technique, the developer can even change the interface of the application entirely. The app validated by Apple therefore bears no resemblance to the app that is ultimately downloaded and installed by users. To make them harder to trace, all communication goes through domains fronted by services such as Cloudflare and GoDaddy, which lets the publisher hide its hosting provider.

One of the applications is a PDF reader that has been downloaded countless times from the App Store for macOS in the United States, making it one of the most installed apps. The app requires a paid subscription, yet it offers the same features as any regular free PDF reader, or does not work at all.

To make the app appear legitimate and encourage users to download it, its listing is flooded with fake positive reviews, which bury the genuine reviews denouncing it. Since the report’s release, Apple has responded by removing many fake reviews of these apps. Some of them are no longer available in the App Store altogether.

Tiny Open Hardware Linux SBC Hides In Plain Sight


There was a time, not quite so long ago, when a computer was a beige box that sat on your desk. Before that, computers were big enough to double as desks, and even farther back, they took up a whole room. Today? Well today it’s complicated. Single-board computers (SBCs) like the Raspberry Pi put a full desktop experience in the palm of your hand, for a price that would have been unfathomable before the smartphone revolution increased demand for high-performance ARM chips.

But compared to the tiny open hardware Linux SBC that lives inside the WiFiWart, even the Raspberry Pi looks massive. Developed by [Walker] as a penetration testing tool, the custom computer is housed in an enclosure designed to make it look like a traditional (if a bit large) USB phone charger. In fact, it doesn’t just look like a USB charger, it actually is one. The internal power supply is not only capable of converting AC into the various DC voltages required to run the miniature Linux box, but also features a USB port where you can plug in your phone to charge it.

For the infosec folks in the audience, the applications for the WiFiWart are obvious. Just plug this thing in somewhere inconspicuous, and you’ve got a foot in the door. The dual WiFi interfaces mean you can connect to a target network on one card and use the second to spin up a fake access point or exfiltrate data. Plus with a quad-core Cortex-A7 ARM processor running at 1.2 GHz and a healthy 1 GB of DDR3, you’ll have enough power to run many security tools locally.

But of course, nothing keeps you from using the WiFiWart for non-security purposes. That’s what has us particularly excited, as you can never have enough open hardware Linux boards. Especially ones this tiny. Removed from its wall charger disguise, the brains of the WiFiWart could be used for all kinds of projects. Plus, not only is the final design open source, but [Walker] made sure to only use free and open source tools to create it. Keeping his entire workflow open means it will be easier for the community to utilize and improve upon his initial design, which in the end, is the whole idea behind the open hardware movement and efforts such as the Hackaday…
