Tag: Nasty | SpinSafe

Hackers hide a nasty secret in James Webb telescope images

August 31, 2022/in Computer Security

Space images from the James Webb telescope are being used by hackers to hide and distribute malware.

As reported by Bleeping Computer, a new malware campaign titled ‘GO#WEBBFUSCATOR’ has been uncovered, which also involves both phishing emails and malicious documents.

A depiction of a hacked computer sitting in an office full of PCs. — Getty Images

A phishing email named “Geos-Rates.docx” is initially sent to victims, who would then unknowingly download a template file if they fall for the trap.

Should the target system’s Office suite have the macros element enabled, the aforementioned file subsequently auto-executes a VBS macro. This will then allow a JPG image to be downloaded remotely, after which it is decoded into an executable format, and then finally loaded onto the machine.

If the file itself is opened with an image viewer application, the image displays the galaxy cluster SMACS 0723, captured by the recently launched James Webb telescope. That said, opening the same file with a text editor reveals how the image disguises a payload that turns into a malware-based 64-bit executable.

After it’s successfully launched, the malware allows a DNS connection to the command and control (C2) server to be set up. Hackers can then execute commands via the Windows cmd.exe tool.

To help avoid detection, the threat actors incorporated the use of XOR for the binary in order to conceal Golang (a programming language) assemblies from analysts. These assemblies also utilize case alteration so it’s not picked up by security tools.

As for Golang, Bleeping Computer highlights how it’s becoming increasingly popular for cybercriminals due to its cross-platform (Windows, Linux, and Mac) capabilities. And as evidenced above, it’s harder to detect.

Researchers from Securonix have found that domains used for the malware campaign were registered as recently as May 29, 2022. The payloads in question have yet to be flagged as malicious by antivirus scanning systems via VirusTotal.

It’s been a busy year for hackers looking to deliver malware. In addition to the regular tried and tested methods to spread malicious files and the like, they’re even delaying the launch of their dangerous codes once it’s found its way into PCs by up to a month.

Fake…

Source…

This nasty Android malware steals your passwords — and it’s still in Google Play right now

March 3, 2022/in Computer Security

Two more Android banking Trojans have turned up in the Google Play Store, report security researchers.

One malicious app was downloaded more than 50,000 times before being kicked out of Google Play last week, while the second app called QR Code & Barcode – Scanner was incredibly still in Google Play at the time of this writing and is targeting American users.

The first app, called Fast Cleaner, says it aims for “speeding up the device by removing unused clutter and removing battery optimization blocks,” according to a report last week from security firm ThreatFabric.

Fast Cleaner works as promised, but it also contains a dropper, which is malware designed to secretly install other programs on a device without the user’s knowledge. According to ThreatFabric’s analysis, Fast Cleaner’s chief payload was a new type of banking Trojan that ThreatFabric called “Xenomorph” after the hungry protagonist of the Alien movie series.

Xenomorph uses screen overlays to deceive the user into typing in usernames and passwords, collects information about infected devices and reads users’ text messages. With these powers, it can capture login credentials for bank and webmail accounts. It can also capture and hide the temporary PINs used in two-factor authentication, plus other notifications, texted to your phone.

ThreatFabric took apart Xenomorph’s code and found that it could generate convincing fake screens that looked like nearly 60 different apps made by banks in Belgium, Italy, Portugal and Spain. It also could fake (and steal credentials meant for) the Gmail, Google Play, Hotmail, Mail.com, Microsoft Outlook, PayPal and Yahoo Mail apps.

Unwelcome return

The other Android banking Trojan, TeaBot, is better known and made a return to Google Play last month after previously having been kicked out, reports Italian security firm Cleafy.

TeaBot can capture not only the login credentials for bank accounts, webmail and social media, but also snag two-factor-authentication codes meant to block bad guys from logging in with stolen passwords.

Despite Cleafy’s report, the malware is still in Google Play in the form of an app called “QR Code & Barcode – Scanner”, although there are many apps with similar…

Source…

Nasty new malware strain creeps quietly past Windows defenses

December 24, 2021/in Computer Security

Security researchers have identified a new malware campaign that leverages code signing certificates and other techniques to help it avoid detection by antivirus software.

According to a new blog post from Elastic Security, the cybersecurity firm’s researchers identified a cluster of malicious activity after reviewing its threat prevention telemetry.

The cybercriminals behind this new campaign are using valid code signing certificates to sign malware to help them remain under the radar of the security community. However, Elastic Security also discovered a new malware loader used in the campaign that it has named Blister.

Due to the use of valid code signing certificates and other measures taken to avoid detection, the cybercriminals responsible have been running this new campaign for at least three months.

Blister malware

The cybercriminals are using a code signing certificate issued by the digital identity firm Sectigo for a company called Blist LLC which is why Elastic Security gave their malware loader the name Blister. They may also be operating out of Russia as they are using Mail.Ru as their email service.

In addition to using a valid code signing certificate, the cybercriminals also relied on other techniques to remain undetected including embedding the Blister malware into a legitimate library. After being executed with elevated privileges by using the rundll32 command, the malware decodes bootstrapping code that is heavily obfuscated and stored in the resource section. From here, the code remains dormant for ten minutes to evade sandbox analysis.

Once enough time has passed, the malware starts up and begins decrypting embedded payloads that allow it to access a Windows system remotely and move laterally across a victim’s network. Blister also achieves persistence on an infected machine by storing a copy in the ProgramData folder as well as another posing as rundll32.exe. To make matters worse, the malware is added to a system’s startup location so it launches every time a machine boots.

Elastic Security has notified Sectigo to have Blister’s code signing certificate revoked though the firm has also created a Yara rule to help organization’s identify the new malware.

We’ve also…

Source…

‘Nasty stuff’: Research into Russian push-button cellphones uncovers legion of privacy and security issues

September 3, 2021/in Mobile Security

Itel, DEXP, Irbis, and F+ mobile devices put under the microscope

Many push-button phones on sale in Russia contain backdoors or trojans, a security researcher claims.

According to Russian researcher ‘ValdikSS’, some cellphones are automatically sending SMS messages or transmitting online the fact that the device has been purchased and used, among other issues.

Get the message

As outlined in a technical blog post (Russian language), some models were found to contain a built-in trojan that sends paid SMS messages to short numbers, transmitting text that is downloaded from the server. Others were said to have a backdoor that forwards incoming SMS messages to an unknown server.

ValdikSS says he discovered the issue while considering swapping the USB modems he used to receive SMS messages for phones, as these were cheaper and are capable of taking up to four SIM cards each.

“The research begun due to unexpected behavior of the phone – it sent SMS by itself,” he tells The Daily Swig.

Of the five Russian push-button phones tested, only one was said to be ‘clean’

He then tested a number of push-button models, including the Inoi 101, DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3.

And, he found, some of the phones were not only transmitting IMEI and IMSI numbers for the purposes of tracking sales, but also contained a trojan that sends SMS messages to paid short numbers, after downloading the text and number from a server via the internet.

Finally, a backdoor was found that intercepts incoming SMS messages and forwards them to the server, potentially allowing an attacker to use the phone’s number to register for services that require confirmation via SMS.

Read more of the latest mobile security news

“I was very confused when [a] DEXP SD2160 phone tried to send premium SMS to the number and with the body loaded from its server on the internet,” he says.

“The device, initially manufactured in 2019, was being sold by one of the largest electronic stores in June 2021, with lots of negative reviews in the same store’s website, and they didn’t recall it from sales.

“I’ve watched it to do all the nasty stuff in real time on my GSM…

Source…

Tag Archive for: Nasty

Get the message