CyberSecurity news
FlagThis - #backdoor
|
Veronika Telychko@SOC Prime Blog
//
Mocha Manakin, a threat actor named by Red Canary, is employing a sophisticated "paste-and-run" technique to compromise systems. This method involves tricking users into executing malicious scripts via PowerShell, leading to the deployment of a custom NodeJS backdoor known as NodeInitRAT. Red Canary's report highlights that this backdoor could potentially lead to ransomware attacks. SocPrime has also released information regarding the detection of Mocha Manakin attacks, emphasizing the backdoor's capabilities.
Red Canary notes the adversary leverages ClickFix technique to deliver NodeJS-based backdoor named NodeInitRAT. Hunting for suspicious events related to PowerShell spawning node.exe can be an effective detection method. Security analysts can monitor process creation events where powershell.exe is the parent process and node.exe is the child process to identify potentially malicious activity associated with the NodeInitRAT backdoor. Soc Prime offers Sigma rules to detect Mocha Manakin paste-and-run attacks spreading the NodeInitRAT backdoor. It's crucial to detect this threat as early as possible, as researchers note overlaps with Interlock ransomware. These rules can aid in identifying suspicious behavior and mitigating the risk of further compromise, including data exfiltration and ransomware deployment. Recommended read:
References :
securebulletin.com@Secure Bulletin
//
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.
The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness. Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A new botnet campaign, dubbed AyySSHush, is targeting ASUS routers, compromising over 9,000 devices globally. The attackers are exploiting a known command injection vulnerability, CVE-2023-39780, along with other authentication bypass techniques to gain unauthorized access. Models such as RT-AC3100, RT-AC3200, and RT-AX55 are among those being targeted, with attackers seeking to establish a persistent presence within the compromised routers. GreyNoise researchers, who uncovered the campaign, emphasize the stealthy tactics employed, which include disabling router logging and avoiding the installation of malware, making detection difficult.
Attackers initially gain access to ASUS routers through brute-force login attempts and the exploitation of authentication bypass flaws, including techniques that have not yet been assigned CVEs. Once inside, they leverage the CVE-2023-39780 command injection vulnerability to execute system commands and modify router settings. These commands enable SSH access on a custom port, typically TCP/53282, and insert an attacker-controlled public key for remote access. This allows the attackers to maintain a persistent backdoor into the compromised routers, even after firmware upgrades and reboots. As a result of this sophisticated campaign, compromised ASUS routers require a factory reset to fully remove the persistent SSH backdoor. Standard firmware updates are insufficient, as the attackers abuse legitimate router configuration features stored in non-volatile memory (NVRAM). GreyNoise recommends users rotate all authentication tokens, including passwords and SSH keys, and perform a factory reset to clear the affected devices' NVRAM. Users can also use runZero's service inventory to locate potentially impacted assets by querying for SSH protocol on port 53282, or scan for the attacker’s public key using the SSHamble tool. Recommended read:
References :
Daryna Olyniychuk@SOC Prime Blog
//
References:
securityaffairs.com
Attackers are actively exploiting vulnerabilities in popular content management systems (CMS) like WordPress and Craft CMS to gain unauthorized access to web servers. These attacks highlight the critical need for website administrators to stay vigilant and promptly apply security patches. A significant phishing campaign has been identified targeting WordPress WooCommerce users, where victims are tricked into downloading a fake security patch that actually installs a backdoor on their sites, allowing attackers persistent access.
Craft CMS is also facing active exploitation of a critical vulnerability, CVE-2025-32432, which allows for Remote Code Execution (RCE). This flaw is particularly dangerous as it is being chained with another vulnerability, CVE-2024-58136 in the Yii framework, to facilitate zero-day attacks. These chained exploits enable attackers to breach servers and steal sensitive data. Researchers are urging Craft CMS users to update to patched versions immediately to mitigate the risk. An investigation into a compromised server revealed that attackers used CVE-2025-32432 to download a PHP-based file manager, which then enabled them to upload further malicious PHP files. The investigation involved analyzing access logs from the web server and Craft CMS logs, including web logs and phperrors.log, to identify the attacker's actions. The attack leverages Craft CMS's asset management system, exploiting a flaw in how the system handles asset IDs and image transformations. Recommended read:
References :
@securityonline.info
//
A new malware campaign is targeting WordPress websites by using a plugin disguised as a security tool. The malicious plugin, often named 'WP-antymalwary-bot.php', provides attackers with administrator access to compromised sites, all while remaining hidden from the WordPress admin dashboard. The Wordfence Threat Intelligence team discovered this threat in late January 2025 during a site cleanup, revealing the plugin's ability to maintain access, execute remote code, and inject malicious JavaScript. Other names associated with the plugin include addons.php, wpconsole.php, and wp-performance-booster.php, underscoring the campaign's wide reach and adaptability.
The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin exploits the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if removed, ensuring the malware's persistence on the compromised site. Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A large-scale phishing campaign is actively targeting WordPress WooCommerce users, employing deceptive tactics to compromise their websites. Cybercriminals are sending out fake security alerts, urging recipients to download a "critical patch." Unsuspecting users who fall for the scam and download the so-called patch are actually installing a malicious plugin that creates a hidden administrator account and gives attackers backdoor access to their WordPress sites. This campaign highlights the evolving sophistication of cyber threats against e-commerce platforms.
The phishing emails are designed to mimic official WooCommerce communications and often warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To further deceive users, the attackers employ homograph attacks, using domain names that closely resemble the legitimate WooCommerce website but contain subtle character differences such as 'woocommėrce[.]com'. The fake patch, once installed, allows attackers to inject malicious code, redirect site visitors, or even encrypt server resources for extortion. Cybersecurity researchers advise WooCommerce users to be extremely cautious when receiving security alerts and to verify the authenticity of any patches directly through official WooCommerce channels. Users should also scan their instances for suspicious plugins or administrator accounts and ensure all software is up to date. The ultimate goal of the attackers is to gain remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme. Recommended read:
References :
Anna Ribeiro@Industrial Cyber
//
Trend Micro researchers have uncovered a novel controller linked to the BPFDoor backdoor, enabling stealthy reverse shell attacks on Linux servers across Asia and the Middle East. This previously unseen controller is attributed to the Red Menshen advanced persistent threat (APT) group, tracked by Trend Micro as Earth Bluecrow. The attacks, observed in the telecommunications, finance, and retail sectors, have been documented in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. This discovery highlights the ongoing cyberespionage activities leveraging sophisticated and evasive techniques to compromise Linux systems.
The controller's primary function is to open a reverse shell on compromised systems, which allows attackers to move laterally within the network, control additional systems, and access sensitive data. BPFDoor uses the packet filtering features of Berkeley Packet Filtering (BPF) to inspect network packets, using "magic sequences" to activate the backdoor. This method allows BPFDoor to evade traditional security measures, making it a perfect tool for long-term espionage, as casual security sweeps won’t detect anything unusual. The malware can also change process names and does not listen to any port, further masking its presence. Trend Micro's investigation indicates that BPFDoor has been active since at least 2021, with consistent campaigns targeting Linux servers across multiple industries. The attackers are known to hide malware in non-standard paths, such as /tmp/zabbix_agent.log or /bin/vmtoolsdsrv. Defenders are advised to monitor for TCP packets starting with 0x5293, followed by IP:port and password and UDP/ICMP packets. While static indicators are unreliable due to customizable magic packets and varying passwords, proactive network monitoring and analysis of BPF code are crucial for protecting organizations against BPF-powered threats. Recommended read:
References :
@www.bleepingcomputer.com
//
Over 16,000 Fortinet devices have been compromised due to a novel symlink backdoor, allowing attackers to maintain read-only access to sensitive files. This was reported by The Shadowserver Foundation. The attackers are exploiting known vulnerabilities in FortiGate devices, specifically targeting the SSL-VPN language file directory. By creating a symbolic link between the user filesystem and the root filesystem, attackers can bypass security measures and access critical files even after patches are applied.
Researchers observed that threat actors are leveraging a new method to exploit previously patched vulnerabilities in Fortinet's FortiOS, specifically targeting FortiGate VPN appliances. The original flaw, CVE-2023-27997, had a fix issued, but threat actors can still gain access by manipulating symbolic links during the device's boot process. This enables threat actors with prior access to maintain control over the device, even after firmware updates. The issue stems from how FortiOS handles file permissions and symlinks when restarting, allowing malicious files to persist and re-enable vulnerabilities that were supposedly fixed. Fortinet has responded by releasing several updates and new security measures to block further attacks. These measures include launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to detect and remove the symbolic link automatically. Multiple updates have been issued across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Organizations are urged to upgrade to the latest secure versions to mitigate the risk. Recommended read:
References :
do son@securityonline.info
//
A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims into fake job interviews. These interviews are designed to trick candidates into opening malicious documents or clicking on compromised links, ultimately leading to malware infection and potential data theft.
The malware, dubbed "ClickFix" or sometimes distributed through the GolangGhost backdoor, grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia warns that this campaign reflects a new Lazarus strategy targeting cryptocurrency industry employees, even those with limited technical expertise, making them less likely to detect malicious activity during the interview process. Professionals are advised to verify recruiter identities, avoid downloading files from unknown sources, and utilize endpoint protection to mitigate risks. Recommended read:
References :
do son@securityonline.info
//
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.
The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign designed to deploy the Remcos Remote Access Trojan (RAT). This ongoing cyber campaign, uncovered by Cisco Talos, utilizes malicious LNK files disguised as Microsoft Office documents within ZIP archives. The filenames of these files often reference troop movements and other sensitive geopolitical themes related to the conflict in Ukraine, demonstrating a deliberate attempt to exploit the current situation to lure victims.
The attack chain begins with the execution of a PowerShell downloader embedded within the LNK file. This downloader then contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload that contains the Remcos backdoor. The downloaded payload employs DLL sideloading techniques to execute the backdoor. Cisco Talos assesses that the threat actor, Gamaredon, is affiliated with Russia's Federal Security Service (FSB) and known for targeting Ukrainian organizations for espionage and data theft since at least 2013. Recommended read:
References :
|