malware

github-abused-to-distribute-payloads-on-behalf-of-malware-as-a-service

GitHub abused to distribute payloads on behalf of malware-as-a-service

Biz & IT, GitHub, malware, Security / /

Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets.

The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop. GitHub removed the three accounts that hosted the malicious payloads shortly after being notified by Talos.

“In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass Web filtering that is not configured to block the GitHub domain,” Talos researchers Chris Neal and Craig Jackson wrote Thursday. “While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic.”

Emmenhtal, meet Amadey

The campaign, which Talos said had been ongoing since February, used a previously known malware loader tracked under names including Emmenhtal and PeakLight. Researchers from security firm Palo Alto Networks and Ukraine’s major state cyber agency SSSCIP had already documented the use of Emmenhtal in a separate campaign that embedded the loader into malicious emails to distribute malware to Ukrainian entities. Talos found the same Emmenhtal variant in the MaaS operation, only this time the loader was distributed through GitHub.

The campaign using GitHub was different from one targeting Ukrainian entities in another key way. Whereas the final payload in the one targeting the Ukrainian entities was a malicious backdoor known as SmokeLoader, the GitHub one installed Amadey, a separate malware platform known. Amadey was first seen in 2018 and was initially used to assemble botnets. Talos said the primary function of Amadey is to collect system information from infected devices and download a set of secondary payloads that are customized to their individual characteristics, based on the specific purpose in different campaigns.

GitHub abused to distribute payloads on behalf of malware-as-a-service Read More »

hackers-exploit-a-blind-spot-by-hiding-malware-inside-dns-records

Hackers exploit a blind spot by hiding malware inside DNS records

Biz & IT, DNS, domain name system, malware, Security / /

Hackers are stashing malware in a place that’s largely out of the reach of most defenses—inside domain name system (DNS) records that map domain names to their corresponding numerical IP addresses.

The practice allows malicious scripts and early-stage malware to fetch binary files without having to download them from suspicious sites or attach them to emails, where they frequently get quarantined by antivirus software. That’s because traffic for DNS lookups often goes largely unmonitored by many security tools. Whereas web and email traffic is often closely scrutinized, DNS traffic largely represents a blind spot for such defenses.

A strange and enchanting place

Researchers from DomainTools on Tuesday said they recently spotted the trick being used to host a malicious binary for Joke Screenmate, a strain of nuisance malware that interferes with normal and safe functions of a computer. The file was converted from binary format into hexadecimal, an encoding scheme that uses the digits 0 through 9 and the letters A through F to represent binary values in a compact combination of characters.

The hexadecimal representation was then broken up into hundreds of chunks. Each chunk was stashed inside the DNS record of a different subdomain of the domain whitetreecollective[.]com. Specifically, the chunks were placed inside the TXT record, a portion of a DNS record capable of storing any arbitrary text. TXT records are often used to prove ownership of a site when setting up services like Google Workspace.

An attacker who managed to get a toehold into a protected network could then retrieve each chunk using an innocuous-looking series of DNS requests, reassembling them, and then converting them back into binary format. The technique allows the malware to be retrieved through traffic that can be hard to closely monitor. As encrypted forms of IP lookups—known as DOH (DNS over HTTPS) and DOT (DNS over TLS)—gain adoption, the difficulty will likely grow.

Hackers exploit a blind spot by hiding malware inside DNS records Read More »

destructive-malware-available-in-npm-repo-went-unnoticed-for-2-years

Destructive malware available in NPM repo went unnoticed for 2 years

Biz & IT, code repositories, malware, npm, Security / /

Some of the payloads were limited to detonate only on specific dates in 2023, but in some cases a phase that was scheduled to begin in July of that year was given no termination date. Pandya said that means the threat remains persistent, although in an email he also wrote: “Since all activation dates have passed (June 2023–August 2024), any developer following normal package usage today would immediately trigger destructive payloads including system shutdowns, file deletion, and JavaScript prototype corruption.”

Interestingly, the NPM user who submitted the malicious packages, using the registration email address 1634389031@qq[.]com, also uploaded working packages with no malicious functions found in them. The approach of submitting both harmful and useful packages helped create a “facade of legitimacy” that increased the chances the malicious packages would go unnoticed, Pandya said. Questions emailed to that address received no response.

The malicious packages targeted users of some of the largest ecosystems for JavaScript developers, including React, Vue, and Vite. The specific packages were:

Anyone who installed any of these packages should carefully inspect their systems to make sure they’re no longer running. These packages perfectly mimic legitimate development tools, so it may be easy for them to have remained undetected.

Destructive malware available in NPM repo went unnoticed for 2 years Read More »

hundreds-of-e-commerce-sites-hacked-in-supply-chain-attack

Hundreds of e-commerce sites hacked in supply-chain attack

backdoors, Biz & IT, magento, malware, Security, supply chain attack / /

Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday.

The infections are the result of a supply-chain attack that compromised at least three software providers with malware that remained dormant for six years and became active only in the last few weeks. At least 500 e-commerce sites that rely on the backdoored software were infected, and it’s possible that the true number is double that, researchers from security firm Sansec said.

Among the compromised customers was a $40 billion multinational company, which Sansec didn’t name. In an email Monday, a Sansec representative said that “global remediation [on the infected customers] remains limited.”

Code execution on visitors’ machines

The supply chain attack poses a significant risk to the thousands or millions of people visiting the infected sites, because it allows attackers to execute code of their choice on ecommerce site servers. From there, the servers run info-stealing code on visitor machines.

“Since the backdoor allows uploading and executing arbitrary PHP code, the attackers have full remote code execution (RCE) and can do essentially anything they want,” the representative wrote. “In nearly all Adobe Commerce/Magento breaches we observe, the backdoor is then used to inject skimming software that runs in the user’s browser and steals payment information (Magecart).”

The three software suppliers identified by Sansec were Tigren, Magesolution (MGS), and Meetanshi. All three supply software that’s based on Magento, an open source e-commerce platform used by thousands of online stores. A software version sold by a fourth provider named Weltpixel has been infected with similar code on some of its customers’ stores, but Sansec so far has been unable to confirm whether it was the stores or Weltpixel that were hacked. Adobe has owned Megento since 2018.

Hundreds of e-commerce sites hacked in supply-chain attack Read More »

new-android-spyware-is-targeting-russian-military-personnel-on-the-front-lines

New Android spyware is targeting Russian military personnel on the front lines

android, Biz & IT, malware, Policy, russia, Security, spyware, Ukraine / /

Russian military personnel are being targeted with recently discovered Android malware that steals their contacts and tracks their location.

The malware is hidden inside a modified app for Alpine Quest mapping software, which is used by, among others, hunters, athletes, and Russian personnel stationed in the war zone in Ukraine. The app displays various topographical maps for use online and offline. The trojanized Alpine Quest app is being pushed on a dedicated Telegram channel and in unofficial Android app repositories. The chief selling point of the trojanized app is that it provides a free version of Alpine Quest Pro, which is usually available only to paying users.

Looks like the real thing

The malicious module is named Android.Spy.1292.origin. In a blog post, researchers at Russia-based security firm Dr.Web wrote:

Because Android.Spy.1292.origin is embedded into a copy of the genuine app, it looks and operates as the original, which allows it to stay undetected and execute malicious tasks for longer periods of time.

Each time it is launched, the trojan collects and sends the following data to the C&C server:

  • the user’s mobile phone number and their accounts;
  • contacts from the phonebook;
  • the current date;
  • the current geolocation;
  • information about the files stored on the device;
  • the app’s version.

If there are files of interest to the threat actors, they can update the app with a module that steals them. The threat actors behind Android.Spy.1292.origin are particularly interested in confidential documents sent over Telegram and WhatsApp. They also show interest in the file locLog, the location log created by Alpine Quest. The modular design of the app makes it possible for it to receive additional updates that expand its capabilities even further.

New Android spyware is targeting Russian military personnel on the front lines Read More »

android-apps-laced-with-north-korean-spyware-found-in-google-play

Android apps laced with North Korean spyware found in Google Play

android, Biz & IT, Google, google play, malware, North Korea, Security, spyware / /

Researchers have discovered multiple Android apps, some that were available in Google Play after passing the company’s security vetting, that surreptitiously uploaded sensitive user information to spies working for the North Korean government.

Samples of the malware—named KoSpy by Lookout, the security firm that discovered it—masquerade as utility apps for managing files, app or OS updates, and device security. Behind the interfaces, the apps can collect a variety of information including SMS messages, call logs, location, files, nearby audio, and screenshots and send them to servers controlled by North Korean intelligence personnel. The apps target English language and Korean language speakers and have been available in at least two Android app marketplaces, including Google Play.

Think twice before installing

The surveillanceware masquerades as the following five different apps:

  • 휴대폰 관리자 (Phone Manager)
  • File Manager
  • 스마트 관리자 (Smart Manager)
  • 카카오 보안 (Kakao Security) and
  • Software Update Utility

Besides Play, the apps have also been available in the third-party Apkpure market. The following image shows how one such app appeared in Play.

Credit: Lookout

The image shows that the developer email address was mlyqwl@gmail[.]com and the privacy policy page for the app was located at https://goldensnakeblog.blogspot[.]com/2023/02/privacy-policy.html.

“I value your trust in providing us your Personal Information, thus we are striving to use commercially acceptable means of protecting it,” the page states. “But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and I cannot guarantee its absolute security.”

The page, which remained available at the time this post went live on Ars, has no reports of malice on Virus Total. By contrast, IP addresses hosting the command-and-control servers have previously hosted at least three domains that have been known since at least 2019 to host infrastructure used in North Korean spy operations.

Android apps laced with North Korean spyware found in Google Play Read More »

nearly-1-million-windows-devices-targeted-in-advanced-“malvertising”-spree

Nearly 1 million Windows devices targeted in advanced “malvertising” spree

Biz & IT, maltertising, malware, microsoft, Security / /

A broad overview of the four stages. Credit: Microsoft

The campaign targeted “nearly” 1 million devices belonging both to individuals and a wide range of organizations and industries. The indiscriminate approach indicates the campaign was opportunistic, meaning it attempted to ensnare anyone, rather than targeting certain individuals, organizations, or industries. GitHub was the platform primarily used to host the malicious payload stages, but Discord and Dropbox were also used.

The malware located resources on the infected computer and sent them to the attacker’s c2 server. The exfiltrated data included the following browser files, which can store login cookies, passwords, browsing histories, and other sensitive data.

  • AppDataRoamingMozillaFirefoxProfiles.default-releasecookies.sqlite
  • AppDataRoamingMozillaFirefoxProfiles.default-releaseformhistory.sqlite
  • AppDataRoamingMozillaFirefoxProfiles.default-releasekey4.db
  • AppDataRoamingMozillaFirefoxProfiles.default-releaselogins.json
  • AppDataLocalGoogleChromeUser DataDefaultWeb Data
  • AppDataLocalGoogleChromeUser DataDefaultLogin Data
  • AppDataLocalMicrosoftEdgeUser DataDefaultLogin Data

Files stored on Microsoft’s OneDrive cloud service were also targeted. The malware also checked for the presence of cryptocurrency wallets including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, “indicating potential financial data theft,” Microsoft said.

Microsoft said it suspects the sites hosting the malicious ads were streaming platforms providing unauthorized content. Two of the domains are movies7[.]net and 0123movie[.]art.

Microsoft Defender now detects the files used in the attack, and it’s likely other malware defense apps do the same. Anyone who thinks they may have been targeted can check indicators of compromise at the end of the Microsoft post. The post includes steps users can take to prevent falling prey to similar malvertising campaigns.

Nearly 1 million Windows devices targeted in advanced “malvertising” spree Read More »

microsoft-warns-that-the-powerful-xcsset-macos-malware-is-back-with-new-tricks

Microsoft warns that the powerful XCSSET macOS malware is back with new tricks

Apple, Biz & IT, macOS, malware, Security, Xcode, xcsset / /

“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” Microsoft wrote. XCSSET contains multiple modules for collecting and exfiltrating sensitive data from infected devices.

Microsoft Defender for Endpoint on Mac now detects the new XCSSET variant, and it’s likely other malware detection engines will soon, if not already. Unfortunately, Microsoft didn’t release file hashes or other indicators of compromise that people can use to determine if they have been targeted. A Microsoft spokesperson said these indicators will be released in a future blog post.

To avoid falling prey to new variants, Microsoft said developers should inspect all Xcode projects downloaded or cloned from repositories. The sharing of these projects is routine among developers. XCSSET exploits the trust developers have by spreading through malicious projects created by the attackers.

Microsoft warns that the powerful XCSSET macOS malware is back with new tricks Read More »

found-in-the-wild:-the-world’s-first-unkillable-uefi-bootkit-for-linux

Found in the wild: The world’s first unkillable UEFI bootkit for Linux

Biz & IT, bootkit, malware, Security, uefi / /

Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines.

Researchers at security firm ESET said Wednesday that Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

The ASCII logo that Bootkitty is capable of rendering. Credit: ESET

Be prepared

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines.

“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.”

A rootkit is a piece of malware that runs in the deepest regions of the operating system it infects. It leverages this strategic position to hide information about its presence from the operating system itself. A bootkit, meanwhile, is malware that infects the boot-up process in much the same way. Bootkits for the UEFI—short for Unified Extensible Firmware Interface—lurk in the chip-resident firmware that runs each time a machine boots. These sorts of bootkits can persist indefinitely, providing a stealthy means for backdooring the operating system even before it has fully loaded and enabled security defenses such as antivirus software.

The bar for installing a bootkit is high. An attacker first must gain administrative control of the targeted machine, either through physical access while it’s unlocked or somehow exploiting a critical vulnerability in the OS. Under those circumstances, attackers already have the ability to install OS-resident malware. Bootkits, however, are much more powerful since they (1) run before the OS does and (2) are, at least practically speaking, undetectable and unremovable.

Found in the wild: The world’s first unkillable UEFI bootkit for Linux Read More »

hundreds-of-code-libraries-posted-to-npm-try-to-install-malware-on-dev-machines

Hundreds of code libraries posted to NPM try to install malware on dev machines

code libraries, malware, Security, typosquatting / /

The IP address returned by a package Phylum analyzed was: hxxp://193.233.201[.]21: 3001.

While the method was likely intended to conceal the source of second-stage infections, it ironically had the effect of leaving a trail of previous addresses the attackers had used in the past. The researchers explained:

An interesting thing about storing this data on the Ethereum blockchain is that Ethereum stores an immutable history of all values it has ever seen. Thus, we can see every IP address this threat actor has ever used.

On 2024-09-23 00: 55: 23Z it was hxxp://localhost: 3001

From 2024-09-24 06: 18: 11Z it was hxxp://45.125.67[.]172: 1228

From 2024-10-21 05: 01: 35Z it was hxxp://45.125.67[.]172: 1337

From 2024-10-22 14: 54: 23Z it was hxxp://193.233[.]201.21: 3001

From 2024-10-26 17: 44: 23Z it is hxxp://194.53.54[.]188: 3001

When installed, the malicious packages come in the form of a packed Vercel package. The payload runs in memory, sets itself to load with each reboot, and connects to the IP address from the ethereum contract. It then “performs a handful of requests to fetch additional Javascript files and then posts system information back to the same requesting server,” the Phylum researchers wrote. “This information includes information about the GPU, CPU, the amount of memory on the machine, username, and OS version.”

Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package was inadvertently misspelled. Typosquatting has long been a tactic for luring people to malicious websites. Over the past five years, typosquatting has been embraced to trick developers into downloading malicious code libraries.

Developers should always double-check names before running downloaded packages. The Phylum blog post provides names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.

Hundreds of code libraries posted to NPM try to install malware on dev machines Read More »

android-trojan-that-intercepts-voice-calls-to-banks-just-got-more-stealthy

Android Trojan that intercepts voice calls to banks just got more stealthy

android, bank fraud, Biz & IT, malware, Security, trojans / /

Much of the new obfuscation is the result of hiding malicious code in a dynamically decrypted and loaded .dex file of the apps. As a result, Zimperium initially believed the malicious apps they were analyzing were part of a previously unknown malware family. Then the researchers dumped the .dex file from an infected device’s memory and performed static analysis on it.

“As we delved deeper, a pattern emerged,” Ortega wrote. “The services, receivers, and activities closely resembled those from an older malware variant with the package name com.secure.assistant.” That package allowed the researchers to link it to the FakeCall Trojan.

Many of the new features don’t appear to be fully implemented yet. Besides the obfuscation, other new capabilities include:

Bluetooth Receiver

This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.

Screen Receiver

Similar to the Bluetooth receiver, this component only monitors the screen’s state (on/off) without revealing any malicious activity in the source code.

Accessibility Service

The malware incorporates a new service inherited from the Android Accessibility Service, granting it significant control over the user interface and the ability to capture information displayed on the screen. The decompiled code shows methods such as onAccessibilityEvent() and onCreate() implemented in native code, obscuring their specific malicious intent.

While the provided code snippet focuses on the service’s lifecycle methods implemented in native code, earlier versions of the malware give us clues about possible functionality:

  • Monitoring Dialer Activity: The service appears to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself.
  • Automatic Permission Granting: The service seems capable of detecting permission prompts from the com.google.android.permissioncontroller (system permission manager) and com.android.systemui (system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant permissions for the malware, bypassing user consent.
  • Remote Control: The malware enables remote attackers to take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.

Phone Listener Service

This service acts as a conduit between the malware and its Command and Control (C2) server, allowing the attacker to issue commands and execute actions on the infected device. Like its predecessor, the new variant provides attackers with a comprehensive set of capabilities (see the table below). Some functionalities have been moved to native code, while others are new additions, further enhancing the malware’s ability to compromise devices.

The Kaspersky post from 2022 said that the only language supported by FakeCall was Korean and that the Trojan appeared to target several specific banks in South Korea. Last year, researchers from security firm ThreatFabric said the Trojan had begun supporting English, Japanese, and Chinese, although there were no indications people speaking those languages were actually targeted.

Android Trojan that intercepts voice calls to banks just got more stealthy Read More »

north-korean-hackers-use-newly-discovered-linux-malware-to-raid-atms

North Korean hackers use newly discovered Linux malware to raid ATMs

banks, Biz & IT, hiddencobra, Linux, malware, North Korea, Security / /

Credit: haxrob

Credit: haxrob

The malware resides in the userspace portion of the interbank switch connecting the issuing domain and the acquiring domain. When a compromised card is used to make a fraudulent translation, FASTCash tampers with the messages the switch receives from issuers before relaying it back to the merchant bank. As a result, issuer messages denying the transaction are changed to approvals.

The following diagram illustrates how FASTCash works:

Credit: haxrob

Credit: haxrob

The switches chosen for targeting run misconfigured implementations of ISO 8583, a messaging standard for financial transactions. The misconfigurations prevent message authentication mechanisms, such as those used by field 64 as defined in the specification, from working. As a result, the tampered messages created by FASTCash aren’t detected as fraudulent.

“FASTCash malware targets systems that ISO8583 messages at a specific intermediate host where security mechanisms that ensure the integrity of the messages are missing, and hence can be tampered,” haxrob wrote. “If the messages were integrity protected, a field such as DE64 would likely include a MAC (message authentication code). As the standard does not define the algorithm, the MAC algorithm is implementation specific.”

The researcher went on to explain:

FASTCash malware modifies transaction messages in a point in the network where tampering will not cause upstream or downstream systems to reject the message. A feasible position of interception would be where the ATM/PoS messages are converted from one format to another (For example, the interface between a proprietary protocol and some other form of an ISO8583 message) or when some other modification to the message is done by a process running in the switch.

CISA said that BeagleBoyz—one of the names the North Korean hackers are tracked under—is a subset of HiddenCobra, an umbrella group backed by the government of that country. Since 2015, BeagleBoyz has attempted to steal nearly $2 billion. The malicious group, CISA said, has also “manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions.”

The haxrob report provides cryptographic hashes for tracking the two samples of the newly discovered Linux version and hashes for several newly discovered samples of FASTCash for Windows.

North Korean hackers use newly discovered Linux malware to raid ATMs Read More »