CyberSecurity news

FlagThis - #kaspersky

@The DefendOps Diaries //

Triada Trojan Preinstalled on Counterfeit Android Devices - A new version of the Triada trojan has been discovered preinstalled on thousands of counterfeit Android devices, allowing threat actors to steal data immediately after setup.
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.

Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources.

Recommended read:
References :
  • bsky.app: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • The DefendOps Diaries: Explore the threat of Triada malware in counterfeit Android devices and learn how to protect against this sophisticated cyber threat.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • www.it-daily.net: Triada Trojan discovered on counterfeit Android smartphones
  • PCMag UK security: Counterfeit Android Phones Preloaded With a Special Surprise: Malware
  • Sam Bent: Triada Malware Preloaded on Counterfeit Androids Hijacks 2,600+ Devices for Crypto Theft and Espionage
  • www.scworld.com: Updated Triada trojan compromises thousands of Android devices
  • securityaffairs.com: New Triada Trojan comes preinstalled on Android devices
  • The Hacker News: Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices
  • Cyber Security News: Trinda Malware Infects Android Devices to Manipulate Phone Numbers During Calls
  • Cyber Security News: New Triada Malware Attacking Android Devices to Replaces Phone Numbers During Calls
@securityonline.info //

Trojanized Game Installers Deploy Cryptocurrency Miner Globally - The StaryDobry campaign uses trojanized game installers to deploy XMRig cryptocurrency miner, targeting users in Russia, Brazil, Germany, Belarus, and Kazakhstan.
A global attack campaign named StaryDobry has been discovered, utilizing trojanized game installers to deploy the XMRig cryptocurrency miner on compromised Windows systems. Attackers uploaded poisoned installers for popular games such as BeamNG.drive, Garry's Mod, and Dyson Sphere Program to torrent sites, luring users into downloading them. Once executed, these installers initiate a complex infection chain, ultimately leading to the installation of the XMRig miner. The campaign, detected by Kaspersky on December 31, 2024, lasted for a month and has primarily targeted individual users and businesses.

Researchers have identified that the attack chain employs several evasion techniques, including anti-debugging checks and geolocation verification. The malware gathers a fingerprint of the machine, decrypts an executable, and modifies Windows Shell Extension Thumbnail Handler functionality. The campaign focused on gaming PCs with 8+ core CPUs to maximize mining efficiency. While the perpetrators remain unknown, the presence of Russian language strings suggests the involvement of Russian-speaking actors. The most affected countries included Russia, Brazil, Germany, Belarus, and Kazakhstan.

Recommended read:
References :
  • securityonline.info: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
  • The Hacker News: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack
  • www.scworld.com: Global XMRig attack campaign involves trojanized game installers
  • Talkback Resources: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack [net] [sys] [mal]
  • Talkback Resources: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign [net] [mal]
  • Talkback Resources: StaryDobry campaign targets gamers with XMRig miner [mal]
  • gbhackers.com: A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of popular games.
  • BleepingComputer: A large-scale malware campaign dubbed StaryDobry has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • securityonline.info: Cybercriminals launched a mass infection campaign, dubbed StaryDobry, leveraging the holiday season’s increased torrent traffic The
  • www.bleepingcomputer.com: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • Anonymous ???????? :af:: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
info@thehackernews.com (The@The Hacker News //

SideWinder APT Targets Maritime, Nuclear Sectors - The SideWinder APT group is intensifying attacks on the maritime sector and nuclear power plants across Asia, the Middle East, and Africa, using phishing tactics and exploiting old vulnerabilities.
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.

Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.

Recommended read:
References :
  • The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
  • The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
  • www.it-daily.net: SideWinder now also attacks nuclear power plants
  • securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
  • Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary
do son@securityonline.info //

EAGERBEE Backdoor Targets Middle East - The EAGERBEE backdoor is deployed in the Middle East, targeting ISPs and government entities using DLL hijacking, novel service injection, and plugins for file manipulation, remote access, and process exploration.
A sophisticated cyberespionage campaign employing the EAGERBEE backdoor is targeting Internet Service Providers (ISPs) and government entities in the Middle East. This malware uses a novel service injector to embed itself into running services, and previously undocumented plugins to perform malicious activities like file manipulation, remote access, and process exploration. The attackers leverage a DLL hijacking vulnerability for initial access, deploying a backdoor injector and payload using the SessionEnv service. Once active, EAGERBEE gathers system information and communicates with a command-and-control server via encrypted protocols.

The EAGERBEE backdoor employs a plugin orchestrator that injects itself into memory, collecting system data and receiving commands to manage various plugins. These plugins include a File Manager, which can enumerate, manipulate, and execute files; a Process Manager, which controls system processes; a Remote Access Manager for data exfiltration and remote control; and a Service Manager for controlling system services. Analysis also suggests potential links between EAGERBEE and the CoughingDown threat group, but attribution remains uncertain. This campaign shows an evolution in malware frameworks used in sophisticated and targeted cyber attacks.

Recommended read:
References :
  • malware.news: EAGERBEE, with updated and novel components, targets the Middle East
  • ciso2ciso.com: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
  • : Kaspersky : Kaspersky reports that an in-memory backdoor called EAGERBEE is being deployed at ISPs and governmental entities in the Middle East.
  • securityaffairs.com: Eagerbee backdoor targets govt entities and ISPs in the Middle East
  • securityonline.info: EAGERBEE: Advanced Backdoor Targets Middle Eastern ISPs and Government Entities
  • Pyrzout :vm:: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
  • ciso2ciso.com: EAGERBEE, with updated and novel components, targets the Middle East – Source: securelist.com
  • ciso2ciso.com: EAGERBEE, with updated and novel components, targets the Middle East – Source: securelist.com
  • securityonline.info: EAGERBEE: Advanced Backdoor Targets Middle Eastern ISPs and Government Entities
  • The Hacker News: New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities
  • gbhackers.com: EAGERBEE Malware Updated It’s Arsenal With Payloads & Command Shells
  • gbhackers.com: EAGERBEE Malware Updated It’s Arsenal With Payloads & Command Shells
  • ciso2ciso.com: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
  • securelist.com: EAGERBEE, with updated and novel components, targets the Middle East
  • ciso2ciso.com: EAGERBEE Malware Detection: New Backdoor Variant Targets Internet Service Providers and State Bodies in the Middle East
Sunny Yadav@eSecurity Planet //

SilentCryptoMiner Targets Russian Users - A large-scale cryptocurrency miner campaign is targeting Russian users with SilentCryptoMiner, disguised as a tool to bypass internet restrictions, distributed through popular YouTube channels, affecting over 2,000 users.
A large-scale cryptocurrency miner campaign is currently targeting Russian users, employing the SilentCryptoMiner malware. The malware disguises itself as a legitimate tool designed to bypass internet restrictions, enticing users to download and install it. This campaign has already affected over 2,000 Russian users, who were tricked into downloading fake VPN and DPI bypass tools.

The attackers are distributing the malware through popular YouTube channels, with some boasting over 60,000 subscribers. The malicious files are presented as safe tools, while in reality, the archive contains a Python-based loader that retrieves the miner payload. To further their deception, attackers instruct victims to disable their antivirus programs, falsely claiming they trigger false positives, further exposing their systems to persistent, hidden threats.

Recommended read:
References :
  • securityaffairs.com: Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner
  • thehackernews.com: SilentCryptoMiner infects 2,000 Russian users via fake VPN and DPI Bypass Tools
  • eSecurity Planet: SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN Tools
Field Effect@Blog //

Australia Bans Kaspersky Software Over National Security Concerns - Australia banned Kaspersky software from government networks due to national security concerns, citing risks of foreign interference, espionage, and sabotage.
The Australian government has banned Kaspersky Lab products and web services from all government systems, citing an "unacceptable security risk" stemming from potential foreign interference, espionage, and sabotage. Effective April 1, 2025, government entities must remove the software, reflecting concerns about Kaspersky's data collection practices and possible exposure to foreign government influence. The ban follows a threat and risk analysis that concluded the software posed a significant threat to Australian Government networks and data.

The directive aims to also encourage critical infrastructure providers and personal users to reconsider their use of Kaspersky products due to the identified security risks. While the directive does not explicitly name the foreign government, Kaspersky Lab is a Russian cybersecurity company, raising concerns about ties to the Russian government. Similar bans have been implemented in other countries, including the United States, which banned Kaspersky products from federal systems back in 2017. Exemptions to the ban may be considered for legitimate business reasons related to national security, subject to appropriate mitigations.

Recommended read:
References :
  • BleepingComputer: The Australian government has banned all Kaspersky Lab products and web services from its systems and devices following an analysis that claims the company poses a significant security risk to the country.
  • securityaffairs.com: Australia bans Kaspersky software over national security concerns, citing risks of foreign interference, espionage, and sabotage of government networks.
  • Talkback Resources: The Australian Government has banned Kaspersky Lab products and web services from all government systems and devices due to security concerns related to potential foreign interference and espionage, effective April 1, 2025.
  • Talkback Resources: Australia Bans Kaspersky Software Over National Security and Espionage Concerns [app]
  • Blog: FieldEffect reports on the Australian government banning Kaspersky software.

Posts

Blogs

Research Tools