Tag: Malware

China-Linked ValleyRAT Malware Resurfaces with Advanced Data Theft Tactics

Cybersecurity researchers have discovered a new campaign using an updated strain of the malware known as ValleyRAT. Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati stated, "In the most recent version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs." QiAnXin and Proofpoint first reported on ValleyRAT in 2023, in connection with a phishing campaign aimed at Chinese-speaking users and Japanese organizations that distributed several malware families, including Purple Fox and Sainbox RAT...

Ebury Botnet Malware Compromises 400,000 Linux Servers Over Past 14 Years

A malware botnet known as Ebury is believed to have infected 400,000 Linux systems since 2009; as of late 2023, more than 100,000 of those machines remained compromised. The Slovak cybersecurity company ESET published the findings, calling it one of the most sophisticated server-side malware campaigns for financial gain. According to a detailed investigation by security researcher Marc-Etienne M. Léveillé, "Ebury actors have been pursuing monetization activities […], including the spread of spam, web traffic redirections, and credential theft." The operators also steal bitcoin through adversary-in-the-middle (AitM) attacks and steal credit card data by eavesdropping on network traffic, a technique also referred to as server-side web skimming. Ebury was first discovered more than ten years ago as a componen...

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

A newer iteration of the malware loader known as Hijack Loader has been observed using a revised set of anti-analysis techniques to evade detection. In a technical analysis, Zscaler ThreatLabz researcher Muhammad Irfan V A stated that the goal of these improvements is to make the malware stealthier so that it can evade detection for longer. The latest versions of Hijack Loader ship with modules that bypass User Account Control (UAC), add an exclusion for Windows Defender Antivirus, evade inline API hooking (which security software frequently uses to detect malicious activity), and use process hollowing. Zscaler published its first report on Hijack Loader, also known as IDAT Loader, in September 2023, describing a malware loader...

ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan

The creators of the resurrected ZLoader malware have added a feature originally found in the Zeus banking trojan, suggesting that the malware remains under active development. According to a technical analysis by Zscaler ThreatLabz researcher Santiago Vicente, the most recent version, 2.4.1.0, adds functionality that halts execution on any machine other than the one originally infected. "The leaked Zeus 2.X source code included a similar anti-analysis capability, although it was built differently." ZLoader, also known as Terdot, DELoader, or Silent Night, was taken down in early 2022 and resurfaced in September 2023, after an absence of almost two years. Updates to the malware's domain generation algorithm (DGA) and the addition of RSA encryption have mad...

Millions of Docker repos found pushing malware and phishing sites

Since early 2021, three large-scale campaigns have targeted Docker Hub users, planting malware and phishing sites in millions of repositories. JFrog security researchers found that about 20% of the 15 million repositories hosted on Docker Hub contained malicious content, ranging from spam to malware and phishing websites. The researchers linked over 2.81 million repositories to three significant malicious campaigns and found nearly 4.6 million repositories with no Docker images, which therefore could not be used with a Kubernetes cluster or a Docker engine. Each of these campaigns used different strategies to create and distribute the malicious repositories. While the "Website SEO" campaign created a few fake repositories per day and used a single user ...

CoralRaider attacks use CDN cache to push info-stealer malware

In an ongoing campaign targeting systems in the United States, the United Kingdom, Germany, and Japan, a threat actor has been staging information-stealing malware in a content delivery network cache. Researchers believe CoralRaider, a financially motivated threat actor that targets social media accounts, financial data, and credentials, is responsible for the attack. The attackers deliver the info stealers LummaC2, Rhadamanthys, and Cryptbot, which are sold on dark web forums by malware-as-a-service providers for a subscription fee. Cisco Talos assesses with moderate confidence that the campaign is a CoralRaider operation, based on tactics, techniques, and procedures (TTPs) shared with other attacks linked to the threat actor. The first at...

GitHub comments abused to push malware via Microsoft repo URLs

Threat actors are abusing a GitHub flaw, or perhaps a design choice, to distribute malware via URLs associated with a Microsoft repository, making the files appear trustworthy. Although most of the malware activity has focused on Microsoft GitHub URLs, threat actors could use this "flaw" to create very convincing lures from any public repository on GitHub. McAfee yesterday disclosed a new Lua malware loader that was distributed via what appeared to be a legitimate Microsoft GitHub repository for vcpkg, the "C++ Library Manager for Windows, Linux, and MacOS." Although the malware installers' URLs, which are displayed below, unmistakably point to the Microsoft repository, we were unable to locate any mention of the files in the project's source co...

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

Cybersecurity researchers have uncovered a new malware campaign that uses HTML smuggling and fake Google Sites pages to distribute AZORult, a commodity malware designed to steal personal data. According to a report published last week by Jan Michael Alcantara, a researcher at Netskope Threat Labs, the malicious payload is encoded in a separate JSON file hosted on an external website, which is an unconventional variant of HTML smuggling. No single threat actor or group has been identified as the source of the phishing campaign. According to the cybersecurity firm, it was a widespread operation aimed at harvesting private information to be sold on dark web forums...

Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware

Security weaknesses in Ivanti Connect Secure VPN appliances have been linked to at least two distinct suspected China-nexus cyber espionage clusters, tracked as UNC5325 and UNC3886. Mandiant revealed that UNC5325 exploited CVE-2024-21893 to deliver a diverse set of new malware, LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, while also maintaining persistent access to compromised appliances. The Google-owned threat intelligence company has assessed with moderate confidence that UNC5325 is related to UNC3886, based on source code overlaps between LITTLELAMB.WOOLTEA and PITHOOK and malware used by the latter. It's important to note that UNC3886 has a history of using VMware and Fortinet zero-d...

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

An ongoing malware campaign using the recently discovered Apple macOS backdoor dubbed RustDoor is targeting several cryptocurrency-related businesses. Bitdefender published the initial description of RustDoor last week, describing it as Rust-based malware capable of harvesting and uploading files as well as collecting information about the compromised machines. It is delivered disguised as a Visual Studio update. Although earlier research had identified at least three distinct backdoor variants, the exact initial distribution mechanism remained unknown. However, the Romanian cybersecurity company later told The Hacker News that the malware was not part of a random distribution campaign, but rather was used in a targeted attack...