CyberSecurity news
FlagThis - #infostealer
|
Amar Ćemanović@CyberInsider
//
Microsoft is warning of a large-scale malvertising campaign that has impacted nearly one million devices worldwide, starting in early December 2024. The attack originates from illegal streaming websites using embedded malvertising redirectors. These redirectors lead users to GitHub, Discord, and Dropbox where initial access payloads are hosted. The primary goal of this campaign, tracked under the name Storm-0408, is to steal sensitive information from both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.
The attackers used a multi-stage approach, with GitHub serving as the primary platform for delivering the initial malware. This malware then deploys additional malicious files and scripts designed to collect system information and exfiltrate documents and data. Microsoft has since taken down the malicious repositories with the collaboration of the GitHub security team. The attack also employs a sophisticated redirection chain, with the initial redirector embedded within an iframe element on the illegal streaming websites. Recommended read:
References :
Deeba Ahmed@hackread.com
//
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.
Researchers have found that the malware's core functionalities are written entirely in C# and stored as binary large objects, evading detection methods that typically analyze DEX files or native libraries. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools. Recommended read:
References :
Andres Ramos@Arctic Wolf
//
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.
This tactic is also utilized with fake captchas which resemble legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard. The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques, including API hooking. This allows the malware to hide files and registry entries, making detection difficult. Recommended read:
References :
@The DefendOps Diaries
//
Valve has recently removed the video game "Sniper: Phantom's Resolution" from Steam after users discovered that its free demo contained infostealer malware. This marks the second instance in recent months where Steam has been exploited to distribute malicious software, raising concerns about the platform's security measures. The incident came to light when users on Reddit analyzed the demo and reported their findings.
The malware in "Sniper: Phantom's Resolution" follows a similar incident from last month involving a game called "PirateFi," which also turned out to be a malware plant designed to steal player passwords. These incidents emphasize the need for Steam to enhance its vetting process for game demos. Users are advised to exercise caution when downloading and installing content from the platform, ensuring they have up-to-date antivirus software and are vigilant about potential threats. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Cybersecurity researchers have uncovered a large-scale phishing campaign distributing the Lumma Stealer malware. Attackers are using fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to redirect victims to malicious websites. These malicious actors are employing SEO tactics to trick users into downloading the PDFs through search engine results, ultimately leading to the deployment of the information-stealing malware. The Lumma stealer is designed to steal sensitive information stored in browsers and cryptocurrency wallets.
Netskope Threat Labs identified 260 unique domains hosting 5,000 phishing PDF files, affecting over 1,150 organizations and 7,000 users. The attacks primarily target users in North America, Asia, and Southern Europe, impacting the technology, financial services, and manufacturing sectors. Besides Webflow, attackers are also utilizing GoDaddy, Strikingly, Wix, and Fastly to host the fake PDFs. Some PDF files were uploaded to legitimate online libraries like PDFCOFFEE and Internet Archive to further propagate the malware. Recommended read:
References :
@cyberalerts.io
//
The Splunk Threat Research Team has revealed a widespread cyber campaign specifically targeting Internet Service Provider (ISP) infrastructure providers on the West Coast of the United States and in China. Over 4,000 ISP-related IP addresses were explicitly targeted. This mass exploitation campaign involves the deployment of information stealers and crypto miners on compromised systems.
The attack leverages brute-force tactics to exploit weak credentials, gaining initial access to the targeted networks. Once inside, the attackers deploy cryptomining and info-stealing malware. This campaign is believed to have originated from Eastern Europe, highlighting the global nature of cyber threats and the importance of robust security measures for critical infrastructure providers. Recommended read:
References :
@www.infosecurity-magazine.com
//
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”
These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat. Recommended read:
References :
SC Staff@scmagazine.com
//
The FakeUpdate malware campaigns are becoming increasingly complex with the emergence of new cybercrime groups, TA2726 and TA2727, now involved in pushing a new macOS infostealer called FrigidStealer. This malware is being distributed through web inject campaigns, where users are tricked into downloading fake browser updates. Proofpoint researchers have identified FrigidStealer as a new threat targeting Mac users.
This campaign also uses Windows and Android payloads, suggesting a broad targeting strategy. The malicious JavaScript used to display the fake browser update messages is being adopted by an increasing number of threat actors, making tracking and analysis more challenging. Proofpoint identified two new cybercriminal threat actors, TA2726 and TA2727, operating components of web inject campaigns. Recommended read:
References :
Amar Ćemanović@CyberInsider
//
Have I Been Pwned (HIBP) has recently integrated a massive dataset of 23 billion rows of stolen credentials from the ALIEN TXTBASE stealer logs. This integration has exposed 284 million unique email addresses that were compromised through infostealer malware. The data, which includes 244 million previously unseen passwords, was originally shared on the Telegram channel ALIEN TXTBASE. HIBP users who are signed up to be notified when their emails appear in a database dump will receive a notification email. All users can also check manually via the service’s website.
This staggering collection of information is a result of likely millions of people's computers being infected by one or more data-stealing malware strains. This addition of stolen credentials highlights the scale of unstoppable infostealer malware. HIBP has also added 244 million new compromised passwords to Pwned Passwords. Recommended read:
References :
Aman Mishra@gbhackers.com
//
References:
gbhackers.com
, www.bleepingcomputer.com
,
Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.
Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures. Recommended read:
References :
Swagta Nath@www.the420.in
//
The cybercriminal group EncryptHub, also known as LARVA-208, has successfully breached 618 organizations globally since June 2024. The group utilizes sophisticated social engineering techniques, including spear-phishing, to steal credentials and deploy ransomware on corporate networks. The attacks are designed to compromise systems and steal sensitive information, showcasing a high level of sophistication and a clear focus on targeting businesses worldwide.
LARVA-208's methods involve impersonating IT personnel and deceiving employees into divulging VPN credentials or installing remote management software. They have also been observed registering domain names mimicking popular VPN services to enhance the credibility of their phishing campaigns. After gaining access, the group deploys custom-developed PowerShell scripts to install information-stealing malware and ransomware, encrypting files on compromised systems and demanding cryptocurrency payments via ransom notes left on the victim device. Recommended read:
References :
@securityonline.info
//
A new malware campaign is underway, distributing the Lumma Stealer information stealer via weaponized PDF documents. This campaign specifically targets educational institutions, exploiting compromised infrastructure to deliver malicious LNK files disguised as legitimate PDFs. These files, when executed, initiate a multi-stage infection process designed to steal sensitive data, including passwords, browser information, and cryptocurrency wallet details.
The attackers lure users into downloading these malicious files by disguising them as innocuous documents, such as school fee structures. Once executed, the LNK files trigger PowerShell commands that download and run obfuscated JavaScript code, ultimately deploying the Lumma Stealer payload. The malware employs advanced evasion techniques, including obfuscated JavaScript and encrypted payloads, to avoid detection. This campaign highlights the urgent need for robust cybersecurity measures within educational institutions and other sectors. Lumma Stealer targets various industries beyond education, including finance, healthcare, technology, and media. The use of compromised educational infrastructure as a distribution channel underscores the vulnerabilities in organizational cybersecurity frameworks. Recommended read:
References :
@www.malwarebytes.com
//
References:
malware.news
, www.infostealers.com
,
Lumma, an advanced information stealer, has become a dominant force in the cybercrime landscape throughout 2024. Marketed as Malware-as-a-Service (MaaS), it is readily available on Russian-speaking forums and Telegram channels. This malware targets Windows systems, aiming to exfiltrate credentials, cryptocurrency wallet data, browser information, and two-factor authentication details. Lumma employs sophisticated methods such as binary morphing and server-side data decryption to avoid detection. It operates on a subscription basis, with tiered plans offering features such as customizable log management, data filtering, and advanced stealth capabilities, making it accessible to both novice and experienced cybercriminals.
Lumma’s capabilities are extensive and include data exfiltration, regular updates, and the ability to collect detailed data logs, as well as the capability to download additional malware to compromised systems. It has been observed in multiple campaigns that use techniques like phishing, malvertising, and fake software updates. These campaigns have targeted a diverse range of sectors including manufacturing, transportation, and individuals such as gamers, users of cracked software, and cryptocurrency enthusiasts. The developers of Lumma have implemented policies to avoid targeting Russia, further demonstrating the malware's reach beyond Russian-speaking regions. Recommended read:
References :
|