Tag: Phishing | SpinSafe

Hackers are loading SVG files with multi-stage malware in new phishing attack

April 9, 2024/in Computer Security

A sophisticated new phishing attack was spotted in the wild, leveraging a wide variety of tools to bypass antivirus protections and ultimately deliver different Remote Access Trojan (RAT) malware.

According to cybersecurity researchers at Fortinet, an unidentified threat actor was seen sending phishing emails, stating a shipment has been delivered, and attaching an invoice. This attachment, however, is a Scalable Vector Graphics (SVG) file which, when run, triggers the infection sequence.

The SVG file drops a ZIP archive created with BatCloak – a tool designed to help malware bypass antivirus protection. This archive unpacks a ScrubCrypt batch file, which is another antivirus-evading tool which, in turn, sets up persistence, and bypasses AMSI and ETW protections to deliver the Venom RAT.

Rat infestation

While ScrubCrypt was first seen last year, and linked to the 8220 Gang threat actor, Fortinet does not mention if the same group was behind this campaign as well.

Venom RAT is described as a fork of Quasar RAT, and a powerful remote access trojan allowing threat actors full system takeover, sensitive data exfiltration, and more.

“While Venom RAT’s primary program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities,” the researchers said in the report. “This includes Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.

“This [Remcos RAT] plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs,’ ScrubCrypt, and Guloader PowerShell,” they added.

Besides Venom RAT, the researchers observed the malware dropping Remcos RAT, XWorm, NanoCore RAT, and a stealer that grabs information from cryptocurrency wallets such as Atomic Wallet, Electrum, Exodus, Jaxx Liberty, and others. Information from Foxmail and Telegram were also being exfiltrated to a remote server, they concluded.

The best way to protect against these attacks is to be extra careful when receiving emails with links, attachments, or similar…

Source…

New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice

March 27, 2024/in Computer Security

Mar 27, 2024NewsroomVulnerability / Cybercrime

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla.

Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment.

The archive (“Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”) conceals a malicious loader that activates the procedure to deploy Agent Tesla on the compromised host.

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods,” security researcher Bernard Bautista said in a Tuesday analysis.

“The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic.”

The tactic of embedding malware within seemingly benign files is a tactic that has been repeatedly employed by threat actors to trick unsuspecting victims into triggering the infection sequence.

The loader used in the attack is written in .NET, with Trustwave discovering two distinct variants that each make use of a different decryption routine to access its configuration and ultimately retrieve the XOR-encoded Agent Tesla payload from a remote server.

In an effort to evade detection, the loader is also designed to bypass the Windows Antimalware Scan Interface (AMSI), which offers the ability for security software to scan files, memory, and other data for threats.

It achieves this by “patching the AmsiScanBuffer function to evade malware scanning of in-memory content,” Bautista explained.

The last phase involves decoding and executing Agent Tesla in memory, allowing the threat actors to stealthily exfiltrate sensitive data via SMTP using a compromised email account associated with a legitimate security system supplier in Turkey (“merve@temikan[.]com[.]tr”).

The approach, Trustwave said, not only does not raise any red flags, but also affords a layer of anonymity that makes it harder to trace the attack back to the adversary, not to mention save…

Source…

Google Chrome to get real-time phishing protection

March 15, 2024/in Computer Security

Google will bring real-time malware protection and phishing protection to all Chrome users in an update later this month.

The update from Google is expected later this month and will come with an opt-in for enhanced browsing protection mode.

Currently the safe browsing standard uses a local list against which sites, downloads, and extensions are checked. This list is downloaded every 30 to 60 minutes from Google’s servers. However, with the update Google plans to switch to real-time checks against ist server-side list to keep up with malicious websites that surface and disappear in under 10 minutes.

This improved time is expected to block 25% more phishing attempts, Google shared in a blog post.

(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)

The new capability will also be rolling out to Android later this month. Google says the feature uses encryption and other privacy enhancing techniques ensuring user privacy.

Source…

India Braces Against Phishing, Ransomware Surge and Alert Fatigue, Urging Swift Adoption of AI, and Automation for Security Operations

March 12, 2024/in Internet Security

Fortinet^®, the global cybersecurity leader driving the convergence of networking and security, has revealed the outcomes of a new survey conducted by IDC on the state of Security Operations (SecOps) in the Asia-Pacific region. The survey, commissioned by Fortinet, provides valuable insights into the current SecOps landscape, emphasizing the role of Artificial Intelligence (AI) and automation. It explores various aspects, including prevalent security practices, attack frequency and impact, detection and response times, alert fatigue, the status, and impact of automation in SecOps workflows, and challenges related to skill development within the SecOps domain. Key findings from India include:

Current Security Challenges: Threats and Team Readiness

Most Common Cyber Threats: Phishing and Insider threats are the most predominant cyber threat in India, with Approximately 50% of organizations ranking them as their top concerns. The top five threats include phishing, insider threats, ransomware, unpatched vulnerabilities, and identity theft.

Ransomware Surge: Ransomware incidents have doubled across India, with 70% of organizations reporting at least a 2X increase in 2023, compared to 2022. Phishing and malware are the primary attack vectors. Other significant vectors include social engineering attacks, insider threats, and zero-day exploits.

Insider Threats and Remote Work: 88% of the respondents feel that Remote work has led to an increase in insider threat incidents. Insufficient training, lack of employee care, and inadequate communication contribute to this surge, emphasizing the need to address human factors in cybersecurity.

Resourcing IT Security Teams: Only 44% of businesses have dedicated IT resources for security teams. This augments the challenges faced by organizations in strengthening their security measures.

Impact of Emerging Technologies: Hybrid work, AI, and IT/OT system convergence pose significant challenges. Cloud technology adoption emerges as a primary challenge, impacting organizational vulnerability to cyber threats.

SecOps SOS: Struggles with Alert Fatigue and Threat Containment

Threat Containment and Preparedness: Approximately one out of three…

Source…

Tag Archive for: Phishing