Tag Archive for: Sophisticated

Jupyter Malware Variant Targets Browsers, Crypto-Wallets with Sophisticated Evasion Techniques


Security researchers have identified a significant uptick in attacks by a new, more sophisticated variant of the Jupyter malware, which targets popular browsers and crypto-wallets and uses advanced evasion techniques. The malware, also tracked as Yellow Cockatoo, Solarmarker and Polazert, has been active since at least 2020 but has resurfaced with enhancements that make it harder to detect.

A Persistent Data-Stealing Cyber Threat

VMware’s Carbon Black team recently observed the malware using modified PowerShell commands and legitimate-looking, digitally signed payloads to infect a growing number of systems. These modifications improve Jupyter’s evasion, allowing it to backdoor machines and harvest a range of credentials while avoiding detection. Morphisec and BlackBerry have further detailed its capabilities, including command-and-control communications and the execution of PowerShell scripts and commands, which make it a full-fledged backdoor rather than a pure infostealer.

Jupyter: Getting Around Malware Detection

In the recent attacks the Jupyter operator has used valid code-signing certificates to sign the malware, so it appears legitimate to detection tools that treat a valid signature as a trust decision. The caveat for defenders is that a valid signature only proves the signer held the private key; it says nothing about whether the code is benign, so signer identity, not signature status alone, should drive any allowlisting. VMware researchers also noted the malware’s use of SEO poisoning and search-engine redirects in its attack chain, alongside credential harvesting and encrypted command-and-control traffic. Abe Schneider, threat analyst lead at Carbon Black, highlighted new improvements to the infostealer, including its delivery through Inno Setup, a legitimate Windows installer framework, which serves as the first payload dropped on victim devices.

A Troubling Increase in Infostealers

Jupyter’s resurgence is part of a broader, concerning trend in the rise of infostealers, exacerbated by the shift to remote work during the COVID-19 pandemic. Organizations like Red Canary and Uptycs have reported sharp increases in infostealer distribution, with attackers leveraging the malware to gain quick, persistent, and privileged access to enterprise networks and systems. The demand for stolen data on criminal forums remains high, underscoring the ongoing threat posed…

Source…

Sophisticated KV-botnet linked to Volt Typhoon – SC Media

Source…

Researchers Reveal “Most Sophisticated” iMessage Exploit Targeting iPhones


The 37th Chaos Communication Congress (37C3) recently took place in Hamburg, Germany. There, Kaspersky researchers Boris Larin, Leonid Bezvershenko and Georgy Kucherin presented “Operation Triangulation”, a chain of zero-day vulnerabilities in iPhones exploited through iMessage. The talk was the first public walkthrough of the complete exploit chain and the methods used at each stage.

Beware! Researchers Found iMessage Exploit

Reports describe the attack as starting with a seemingly harmless iMessage attachment that needs no interaction from the recipient. The attachment exploits CVE-2023-41990, a vulnerability in the handling of an undocumented TrueType font instruction, and sets off the rest of the chain without any visible sign to the user. The exploit relies on return- and jump-oriented programming and a multi-stage JavaScript exploit to gain deep access to the device.

For readers unfamiliar with the term, a “zero-day” vulnerability is a flaw that is unknown to the software’s maker, in this case Apple, at the time attackers exploit it, so no patch or vendor guidance exists yet. The name refers to the maker having had zero days to fix the problem before it was used.

The researchers also described how the JavaScript stage abuses a JavaScriptCore debugging feature to manipulate memory, then uses an integer overflow vulnerability (CVE-2023-32434) in the kernel’s memory-mapping system calls to obtain read/write access to the device’s entire physical memory from user level. A final step writes to undocumented hardware memory-mapped I/O (MMIO) registers (CVE-2023-38606) to bypass the Page Protection Layer (PPL), the mechanism meant to prevent exactly this kind of kernel memory modification.
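The bug class named above, a size check that wraps in fixed-width arithmetic, is worth seeing concretely. The following is an added example written for this page; it is not code from the Kaspersky presentation or from Apple’s kernel, and it does not reproduce CVE-2023-32434. It emulates 64-bit unsigned arithmetic in Python to show why `offset + length <= size` is unsafe and how the check is written so that nothing can wrap. All function and parameter names are this example’s own.

```python
"""Integer overflow in a range check, emulated with 64-bit wraparound.

Added example for this page; not code from Kaspersky or Apple, and not a
reproduction of CVE-2023-32434. It shows the generic bug class: a bounds
check of the form `offset + length <= region_size` computed in unsigned
64-bit arithmetic, where an oversized `length` wraps the sum to a small
value and the check wrongly passes. Names here are hypothetical.
"""

MASK64 = (1 << 64) - 1


def u64(x: int) -> int:
    """Reduce to unsigned 64-bit, as C or kernel arithmetic would."""
    return x & MASK64


def check_naive(offset: int, length: int, region_size: int) -> bool:
    """Vulnerable check: the sum wraps at 2**64, so a huge `length` passes."""
    return u64(offset + length) <= region_size


def check_safe(offset: int, length: int, region_size: int) -> bool:
    """Hardened check: compare `length` against the space that is left.
    `region_size - offset` is only computed once `offset` is known to be
    inside the region, so no operand can wrap."""
    if offset > region_size:
        return False
    return length <= region_size - offset


def overflowing_length(offset: int, wanted_end: int) -> int:
    """Attacker-side arithmetic: a `length` chosen so that `offset + length`
    wraps to `wanted_end`, a small in-range value, modulo 2**64."""
    return u64(wanted_end - offset)


def true_end(offset: int, length: int) -> int:
    """Unwrapped end of the requested range: what the caller would really
    be allowed to touch if the naive check granted the request."""
    return offset + length


def demo(region_size: int = 0x10000, offset: int = 0x1000) -> dict:
    """Run both checks on a legitimate request and on an overflowing one.
    Constructed values: a 64 KiB region and a request starting at 4 KiB."""
    legit = 0x800
    evil = overflowing_length(offset, wanted_end=0x800)
    return {
        "legit_naive": check_naive(offset, legit, region_size),
        "legit_safe": check_safe(offset, legit, region_size),
        "evil_naive": check_naive(offset, evil, region_size),  # True: the bug
        "evil_safe": check_safe(offset, evil, region_size),    # False
        "evil_true_end": true_end(offset, evil),  # far beyond region_size
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{name}: {value}")
```

The point of `check_safe` is not the extra `if`; it is that the subtraction is performed on operands already known to be ordered, so the comparison can never be satisfied by wraparound. A mapping primitive that accepts `evil` under the naive check hands user space a range whose real end is beyond the region, which is the kind of read/write primitive the article describes.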

Apple patched these vulnerabilities in iOS and iPadOS 16.6, and in 15.7.8 for older devices. The presentation also covered the exploit’s support for both older and newer iPhone models, including a Pointer Authentication Code (PAC) bypass for recent models. The chain’s reliance on undocumented hardware memory-mapped I/O (MMIO) registers, which are not used by the device’s own firmware, is a further measure of its sophistication.

PTA…

Source…

Russian hackers targeted US intel officers in ‘sophisticated spear phishing campaign,’ DOJ says


Hackers acting on behalf of the Russian government targeted U.S. intelligence officers in a “sophisticated spear phishing campaign” designed to influence elections in the United Kingdom, the Justice Department (DOJ) alleged Thursday.

The operation successfully hacked into computer networks in the U.S., the U.K., Ukraine and other NATO member countries and “stole information used in foreign malign influence operations designed to influence the U.K.’s 2019 elections,” the DOJ said.

The DOJ unsealed a federal indictment Thursday against two individuals connected to the plot, after a federal grand jury in San Francisco returned an indictment Tuesday.

The two individuals charged are Ruslan Aleksandrovich Peretyatko, an officer in Russia’s Federal Security Service (FSB), the DOJ claimed, and Andrey Stanislavovich Korinets. They are each charged with one count of conspiracy to commit an offense against the United States and one count of conspiracy to commit wire fraud.

Along with other unindicted co-conspirators, the defendants were part of the so-called “Callisto Group,” the DOJ said.

The indictment alleges that the hacking campaign took place between at least October 2016 and October 2022 and targeted current and former employees of the U.S. Intelligence Community, Department of Defense, Department of State, defense contractors, and Department of Energy facilities.

The spear phishing campaign was often carried out by sending “sophisticated looking emails” that tricked the targets into entering their log-in credentials, giving the hackers access to the victims’ email accounts whenever they wanted it, the DOJ said.

Some of the emails were sent from “spoofed” accounts designed to look like other personal and work-related emails the victims would receive, the DOJ said. Sometimes, the emails claimed the users had violated terms of service on an account and had to log in via a provided link. When the users thought they were signing into their accounts, they were actually providing the account credentials to hackers, the DOJ said.
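The lure described above (a spoofed sender, a terms-of-service violation, a login link) leaves several machine-checkable traces in the message itself. The following is an added example written for this page, not code from the DOJ, the indictment, or any vendor: a small triage function that parses a raw email with Python’s standard library and reports the indicators a mail-security analyst would look for first. The indicator names, the lure phrase list, and both sample messages are constructed for this example; the registrable-domain logic is deliberately crude (last two labels) where a real tool would consult the public suffix list.

```python
"""Heuristic triage of a credential-phishing email.

Added example for this page; not code from the DOJ or any vendor. Checks a raw
RFC 5322 message for: Reply-To domain differing from From, failed sender
authentication recorded by the receiving MTA, account-suspension lure
language, a link whose visible text names one site while its href points to
another, and a login lure whose link is off the sender's domain.
"""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase list; a production rule set would be far larger.
LURE_PHRASES = ("violated", "terms of service", "suspended",
                "verify your account", "sign in", "log in")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url_or_text: str) -> str:
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _registrable(host: str) -> str:
    # Crude: last two labels. Real code should use the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw: str) -> list:
    """Return a sorted list of indicator names found in the raw message."""
    msg = email.message_from_string(raw)
    found = set()
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    if reply_addr and _domain(reply_addr) != from_dom:
        found.add("reply-to-domain-mismatch")
    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        found.add("sender-auth-failed")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    lure = sum(1 for p in LURE_PHRASES if p in text) >= 2
    if lure:
        found.add("lure-language")
    collector = _LinkCollector()
    collector.parse_as = None
    collector.feed(body)
    for href, visible in collector.links:
        href_reg = _registrable(_host(href))
        if "." in visible and " " not in visible:
            if _registrable(_host(visible)) != href_reg:
                found.add("link-text-domain-mismatch")
        if lure and href_reg != _registrable(from_dom):
            found.add("login-link-offdomain")
    return sorted(found)


# Constructed sample messages (all domains are example/reserved names).
SAMPLE_PHISH = """From: "Mail Account Security" <no-reply@examplemail-support.com>
Reply-To: recovery@example-recover.net
To: analyst@example.org
Subject: Action required: terms of service violation
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examplemail-support.com
Content-Type: text/html; charset=us-ascii

<html><body><p>Your account has violated our terms of service and will be
suspended unless you sign in within 24 hours:
<a href="http://login.examplemail-support.net/auth">https://mail.example.org/login</a></p></body></html>
"""

SAMPLE_BENIGN = """From: "Example Mail" <no-reply@example.org>
To: analyst@example.org
Subject: Your statement is ready
Authentication-Results: mx.example.org; spf=pass; dkim=pass
Content-Type: text/html; charset=us-ascii

<html><body><p>Your monthly statement is ready:
<a href="https://mail.example.org/statements">https://mail.example.org/statements</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish :", phishing_indicators(SAMPLE_PHISH))
    print("benign:", phishing_indicators(SAMPLE_BENIGN))
```

None of these indicators is conclusive on its own (legitimate newsletters use third-party link domains, and SPF fails on forwarded mail), which is why the function returns the set of indicators rather than a verdict; the decision belongs in a policy layer that weighs them together with sender and URL reputation.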

U.S. officials pointed to the indictments as evidence that Russia still is trying to target democratic elections, and they pledged to…

Source…