Tag Archive for: Strikes

FritzFrog Botnet Strikes Back Exploiting Log4Shell Vulnerability


A new variant of the sophisticated botnet “FritzFrog” has emerged, leveraging the Log4Shell vulnerability for propagation. Despite more than two years passing since the Log4j flaw was discovered, attackers continue to exploit it effectively due to many organizations neglecting to patch their systems. Notably, the botnet appears to target seemingly secure sections of internal networks where patches may be lacking.

Understanding FritzFrog Botnet

Initially identified by Guardicore (now part of Akamai) in August 2020, FritzFrog operates as a peer-to-peer (P2P) botnet, primarily targeting internet-facing servers with weak SSH credentials. The Log4Shell vulnerability (CVE-2021-44228), which gained widespread attention due to its critical nature, is now being exploited by FritzFrog as a secondary infection vector. Unlike its previous strategies that focused on targeting internet-facing servers, this variant takes aim at internal hosts within compromised networks. This shift underscores the importance of comprehensive patch management practices, as even seemingly less vulnerable internal systems can become prime targets for exploitation.

One of the noteworthy enhancements of this variant is that it identifies vulnerable targets within the network by analyzing system logs on compromised hosts. This means that even when internet-facing applications have been patched, a breach of any other endpoint can still expose unpatched internal systems to exploitation and let the malware spread further. Additionally, the malware now exploits the PwnKit vulnerability (CVE-2021-4034) for local privilege escalation, further enhancing its persistence and reach.

Moreover, FritzFrog employs evasion tactics to avoid detection, including minimizing its footprint by avoiding file drops to disk whenever possible. By using shared memory locations and executing memory-resident payloads, it maintains a stealthy presence that complicates detection and mitigation efforts.

Conclusion

Akamai, a leading web infrastructure and security company, has dubbed this latest activity Frog4Shell, highlighting the convergence of FritzFrog’s capabilities with the…

NoaBot: Another Mirai Botnet Strikes at Linux Devices


Akamai’s team of security experts has discovered a new cryptomining campaign, dubbed NoaBot, leveraging the SSH protocol to spread its malware.

Mirai is a self-propagating worm that can turn consumer devices running Linux on ARC processors into remotely controlled bots. For over seven years now, it’s been used to launch Distributed Denial of Service (DDoS) attacks and, of course, to spread cryptominer malware. That’s where the money is, after all.

Now, Akamai security researchers have discovered a new Mirai variation, NoaBot, that deploys a modified version of the XMRig cryptominer.

What makes this latest version interesting is that instead of relying on Telnet to spread its malware, it uses SSH. It does this by initiating a connection, sending a simple “hi” message, and then terminating the connection. This quick scanning strategy helps it keep a low profile.

It also comes with all the usual Mirai nastiness, such as a scanner module and an attacker module, hiding its process name, etc. NoaBot also seeks to install itself as a crontab entry so that it will run even after an infected device is rebooted. Once in place, it will also try to spread itself to other vulnerable systems.

In addition, it uses an obfuscated configuration and a custom mining pool to disguise itself from investigators. This approach effectively conceals the wallet address, complicating efforts to track the campaign’s profitability.

Interestingly, unlike Mirai, which is usually compiled with GCC, NoaBot is compiled against uClibc. This appears to change how antivirus engines detect the malware: while other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures show as an SSH scanner or a generic trojan. The malware also comes statically compiled and stripped of any symbols, making reverse engineering it harder.
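The “hi”-then-disconnect probe described above leaves a recognisable trace on the receiving side. The following detection sketch is an added example, not code from the Akamai report: it assumes that a client which sends the literal string “hi” instead of an SSH version banner makes OpenSSH log a “Bad protocol version identification 'hi'” line (the exact wording varies by sshd version), and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the article). The placeholder
# fingerprint on the "Accepted publickey" line is deliberately not a real key hash.
SAMPLE_SSHD_LOG = """\
Jan 10 08:01:12 host sshd[2201]: Bad protocol version identification 'hi' from 203.0.113.7 port 51522
Jan 10 08:01:13 host sshd[2202]: Bad protocol version identification 'hi' from 203.0.113.7 port 51530
Jan 10 08:01:15 host sshd[2203]: Accepted publickey for deploy from 198.51.100.5 port 40012 ssh2: ED25519 SHA256:placeholder
Jan 10 08:01:20 host sshd[2204]: Bad protocol version identification 'hi' from 203.0.113.7 port 51541
Jan 10 08:02:01 host sshd[2205]: Did not receive identification string from 192.0.2.44 port 33001
Jan 10 08:02:30 host sshd[2206]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.99 port 4444
"""

# Assumed OpenSSH message format for a client that sent a non-"SSH-" first line.
BAD_IDENT_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<ident>[^']*)' "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def count_bad_identifications(log_text):
    """Return {(src_ip, ident): count} for every rejected identification string."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = BAD_IDENT_RE.search(line)
        if m:
            counts[(m.group("src"), m.group("ident"))] += 1
    return dict(counts)


def find_hi_probes(log_text, threshold=3):
    """Return {src_ip: count} for sources that sent the literal 'hi' banner
    at least `threshold` times, i.e. repeated NoaBot-style SSH probing."""
    hits = {}
    for (src, ident), n in count_bad_identifications(log_text).items():
        if ident == "hi" and n >= threshold:
            hits[src] = n
    return hits


if __name__ == "__main__":
    for src, n in find_hi_probes(SAMPLE_SSHD_LOG).items():
        print(f"{src}: {n} 'hi' probes, consistent with NoaBot-style SSH scanning")
```

The threshold keeps a single stray client from raising an alert; tune it to the host's normal rate of malformed SSH connections.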

The P2PInfect Connection

Oddly, there seems to be a link between NoaBot and the P2PInfect worm. This is a peer-to-peer, self-replicating worm written in Rust that targets Redis servers. What’s the point of this? Good question. I wish we had a good answer.

The Akamai security researchers speculate, “The threat actors seem quite tech-savvy, so it could…

When Predatory Sparrow Strikes: Israel-Iran Shadow War Awakens – National Security & Cyber – Haaretz


Gozi strikes again, targeting banks, cryptocurrency and more


In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest.

Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms, recognizing the lucrative nature of these sectors.

The history of Gozi

In 2006, a Russian developer named Nikita Kurmin created the first version of Gozi CRM. While developing the malware, Kurmin borrowed code from another spyware called Ursnif, also known as Snifula, developed by Alexey Ivanov around 2000. As a result, Gozi v1.0 featured a formgrabber module and was often classified as Ursnif/Snifula due to the shared codebase. With these capabilities, Gozi CRM quickly gained attention in the cybercriminal community.

In September 2010, a significant event occurred that would shape the future of Gozi. The source code of a specific Gozi CRM dynamic link library (DLL) version was leaked, exposing its inner workings to the wider world. This leak had far-reaching consequences, as it enabled the creation of new malware strains that leveraged Gozi’s codebase.

In June 2023, Mihai Ionut Paunescu, a Romanian hacker, was sentenced to three years in U.S. federal prison for his role in running a “bulletproof hosting” service called PowerHost[.]ro. This service aided cybercriminals in distributing various malware strains, including Gozi Virus, Zeus Trojan, SpyEye Trojan and BlackEnergy malware.

New Gozi campaigns aim high

Cryptocurrency companies are an attractive target, and the latest iteration of Gozi has brought new elements to its modus operandi. Notably, it is now spreading across Asia, broadening its reach beyond its previous target regions.

A key weapon in Gozi’s arsenal is the use of web injects. These…
