Tag Archive for: Steals

Hackers Hijack Websites to Inject Malware that Steals Credentials


In a concerning development for internet security, a new form of website malware known as “Angel Drainer” has been increasingly targeting Web3 and cryptocurrency assets since January 2024.

This malware is part of a broader trend of rising Web3 phishing sites and crypto drainers that significantly threaten user credentials and wallets.


Web3 Crypto Malware: Angel Drainer Overview

Angel Drainer is a crypto drainer implicated in security breaches, including a notable incident with Ledger Connect Kit in December.

It operates by injecting itself directly into compromised websites or by redirecting visitors to phishing sites that host the drainer. Once in place, it can steal and redistribute assets from compromised wallets, according to the Sucuri report.

The surge in malicious activity is alarming, with over 20,000 unique Web3 phishing sites created in 2023 alone.

As per recent reports, the Angel Drainer phishing group has illicitly acquired a sum of over $400,000 from a total of 128 cryptocurrency wallets.

The group has utilized a new and sophisticated tactic to carry out their fraudulent activities, which is a cause of concern for businesses and individuals alike.

In the first two months of 2024, at least three unrelated malware campaigns have begun using crypto drainers in website hacks.

Image: fake browser update + crypto drainer

Sucuri’s SiteCheck remote website scanner has detected the Angel Drainer variant on over 550 sites since early February, and public search data showed this injection on 432 sites at the time of writing.

The impact of these attacks is profound, with Angel Drainer found on 5,751 different unique domains over the past four weeks.

The malware leverages phishing tactics and malicious injections to exploit the Web3 ecosystem’s reliance on direct wallet interactions, endangering both website owners and the safety of user assets.

Injection Methods and Strategies

The injection methods used by these attackers are sophisticated and varied. They can…

Source…

Androxgh0st Botnet Malware Steals AWS, Microsoft Credentials


Threat actors use botnet malware to gain access to a network of compromised systems that enables them to perform several types of illicit activities.

They are drawn to botnet malware because its distributed and anonymous infrastructure makes it stealthy and sophisticated.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently discovered that hackers are actively deploying Androxgh0st botnet malware that steals AWS and Microsoft credentials.


Androxgh0st Botnet Malware

Androxgh0st malware builds a botnet to find and exploit victims in target networks. It is a Python-scripted threat that targets .env files containing sensitive data, such as credentials for AWS, Office 365, SendGrid, and Twilio.

This botnet malware, “Androxgh0st,” also misuses SMTP for scanning, exploits exposed credentials and APIs, and deploys web shells on compromised systems.

To scan for vulnerable websites, Androxgh0st uses scripts that exploit CVE-2017-9841 to run PHP code remotely via PHPUnit.

It targets the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI on websites with exposed /vendor folders, which allows threat actors to execute code.

Not only that, but this malware also enables downloading malicious files, setting up fake pages for backdoor access, and accessing databases in cyber operations.

The malware forms a botnet to scan for Laravel web applications and targets their .env files for credentials.

Threat actors issue GET/POST requests to the /.env URI, searching for usernames, passwords, and more. In debug mode, they use a POST variable (0x[]) as an identifier.

If successful, they access email, AWS credentials, and the Laravel application key. 

Besides this, by exploiting CVE-2018-15133, they encrypt PHP code to pass…

Source…

Androxgh0st Malware Botnet Steals AWS, Microsoft Credentials and More


The Federal Bureau of Investigation and Cybersecurity & Infrastructure Security Agency warned in a joint advisory about a threat actor deploying a botnet that makes use of the Androxgh0st malware. This malware is capable of collecting cloud credentials, such as those from AWS or Microsoft Azure and more, abusing the Simple Mail Transfer Protocol, and scanning for Amazon Simple Email Service parameters.

What is the Androxgh0st malware?

The Androxgh0st malware was exposed in December 2022 by Lacework, a cloud security company. The malware is written in Python and is primarily used to steal Laravel .env files, which contain secrets such as credentials for high-profile applications. For instance, organizations can integrate applications and platforms such as AWS, Microsoft Office 365, SendGrid or Twilio with the Laravel framework, with all of the applications’ secrets being stored in the .env file.

The botnet hunts for websites using the Laravel web application framework before determining if the domain’s root level .env file is exposed and contains data for accessing additional services. The data in the .env file might be usernames, passwords, tokens or other credentials.

The cybersecurity company Fortinet published telemetry on Androxgh0st, which shows more than 40,000 devices infected by the botnet (Figure A).

Figure A: Number of devices infected by Androxgh0st. Image: Fortinet

The FBI/CISA advisory states: “Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment.”

How can Androxgh0st malware exploit old vulnerabilities?

In addition, Androxgh0st can access the Laravel application key; if that key is exposed and accessible, the attackers will try to use it to encrypt PHP code that is passed to the website as a value for the XSRF-TOKEN variable. This is an attempt to exploit the CVE-2018-15133 vulnerability in some versions of the Laravel web application framework. A successful attempt allows the attacker to remotely upload files to the website. CISA added the CVE-2018-15133 Laravel…
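The two Androxgh0st write-ups above describe the same probing pattern: requests to the /.env URI and to the PHPUnit eval-stdin.php path. The following detector, added here as an illustration rather than code from either article or from the FBI/CISA advisory, parses web server access logs in combined format and flags those probes, rating a 2xx response on eval-stdin.php higher because it means the file is reachable. The log lines are constructed samples; the IP addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not real telemetry).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2024:08:01:12 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2024:08:01:13 +0000] "POST /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2024:08:01:15 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.4 - - [10/Feb/2024:08:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2024:08:02:01 +0000] "GET /css/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths the Androxgh0st write-ups describe the botnet probing for.
PROBE_PATHS = {
    "/.env": "Laravel .env credential probe",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": "PHPUnit eval-stdin.php (CVE-2017-9841) probe",
}

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_androxgh0st_probes(log_text):
    """Return (findings, hits_per_ip). Each finding carries ip, method, path, status,
    reason and severity. A 2xx on eval-stdin.php is 'high' because the PHPUnit file
    is reachable rather than merely being probed; everything else is 'medium'."""
    findings, hits_per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string when matching
        for probe, reason in PROBE_PATHS.items():
            if path == probe or path.endswith(probe):  # also catches /app/.env style nesting
                reachable = rec["status"].startswith("2")
                severity = "high" if reachable and probe.endswith("eval-stdin.php") else "medium"
                findings.append({"ip": rec["ip"], "method": rec["method"], "path": path,
                                 "status": rec["status"], "reason": reason, "severity": severity})
                hits_per_ip[rec["ip"]] += 1
                break
    return findings, hits_per_ip

if __name__ == "__main__":
    found, per_ip = find_androxgh0st_probes(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} -> {f['status']}: {f['reason']}")
    print("hits per source:", dict(per_ip))
```

Sources that hit both paths within seconds, as 203.0.113.7 does in the sample, are the scanning signature worth alerting on; a single 404 on /.env from a crawler is far less significant.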

Source…

Sneaky Chameleon Banking Malware Defeats Biometric Security On Android, Steals PINs


Security researchers first spotted the Chameleon Android malware this past spring. This pervasive banking trojan has now evolved to become something much more dangerous. Through a series of fake system dialogs, the malware attempts to use the Android system Accessibility service, which effectively gives Chameleon the keys to the kingdom, allowing it to modify security settings to steal passcodes and raid your personal data.

When Chameleon first popped up, it posed as crypto, banking, and government apps. Now, the malware uses the Zombinder service, which attaches malicious apps to legitimate ones. The user believes they’ve installed a particular app, and it appears to work normally, but the malware comes along for the ride. The creators of Zombinder claim the sidecar virus is undetectable by Google Protect security and Chameleon is using this platform to pose as Google Chrome.

The other new twist for Chameleon is the way it tries to gain deeper access to the system. Android’s Accessibility service allows trusted apps to emulate buttons, control the screen, or disable features to help disabled individuals use their phones more efficiently. However, the capabilities granted through Accessibility can also be used to compromise the device, so Google has clamped down on how devs can use these APIs. Apps can’t just flip the Accessibility switch on their own. It’s a multistep process, so the updated Chameleon malware has added an HTML pop-over that guides the user through the steps. Because the malware is hiding behind a legitimate app (in this case Chrome), the user might not know anything is amiss.

When Chameleon has Accessibility control, it will disable the biometric unlock method. As soon as the user unlocks their device with a PIN or password, the malware records it for later use. The malware can then wake up at any time and unlock the device to upload stolen personal information and login data.

Chameleon has also gained support for Android’s AlarmManager API, which gives apps the ability to wake up in the…

Source…