CyberSecurity news

FlagThis - #kaspersky

@securityonline.info - 7d
A global attack campaign named StaryDobry has been discovered, utilizing trojanized game installers to deploy the XMRig cryptocurrency miner on compromised Windows systems. Attackers uploaded poisoned installers for popular games such as BeamNG.drive, Garry's Mod, and Dyson Sphere Program to torrent sites, luring users into downloading them. Once executed, these installers initiate a complex infection chain, ultimately leading to the installation of the XMRig miner. The campaign, detected by Kaspersky on December 31, 2024, lasted for a month and has primarily targeted individual users and businesses.

Researchers have identified that the attack chain employs several evasion techniques, including anti-debugging checks and geolocation verification. The malware gathers a fingerprint of the machine, decrypts an executable, and modifies the Windows Shell Extension Thumbnail Handler functionality. The campaign focused on gaming PCs with 8+ core CPUs to maximize mining efficiency. While the perpetrators remain unknown, the presence of Russian-language strings suggests the involvement of Russian-speaking actors. The most affected countries included Russia, Brazil, Germany, Belarus, and Kazakhstan.

References:
  • securityonline.info: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
  • The Hacker News: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack
  • www.scworld.com: Global XMRig attack campaign involves trojanized game installers
  • Talkback Resources: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack [net] [sys] [mal]
  • Talkback Resources: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign [net] [mal]
  • Talkback Resources: StaryDobry campaign targets gamers with XMRig miner [mal]
  • gbhackers.com: A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of popular games.
  • BleepingComputer: A large-scale malware campaign dubbed StaryDobry has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • securityonline.info: Cybercriminals launched a mass infection campaign, dubbed StaryDobry, leveraging the holiday season’s increased torrent traffic.

do son@securityonline.info - 51d
A sophisticated cyberespionage campaign employing the EAGERBEE backdoor is targeting Internet Service Providers (ISPs) and government entities in the Middle East. This malware uses a novel service injector to embed itself into running services, and previously undocumented plugins to perform malicious activities like file manipulation, remote access, and process exploration. The attackers leverage a DLL hijacking vulnerability for initial access, deploying a backdoor injector and payload using the SessionEnv service. Once active, EAGERBEE gathers system information and communicates with a command-and-control server via encrypted protocols.

The EAGERBEE backdoor employs a plugin orchestrator that injects itself into memory, collecting system data and receiving commands to manage various plugins. These plugins include a File Manager, which can enumerate, manipulate, and execute files; a Process Manager, which controls system processes; a Remote Access Manager for data exfiltration and remote control; and a Service Manager for controlling system services. Analysis also suggests potential links between EAGERBEE and the CoughingDown threat group, but attribution remains uncertain. This campaign shows an evolution in the malware frameworks used in sophisticated and targeted cyberattacks.

References:
  • malware.news: EAGERBEE, with updated and novel components, targets the Middle East
  • ciso2ciso.com: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
  • Kaspersky: Kaspersky reports that an in-memory backdoor called EAGERBEE is being deployed at ISPs and governmental entities in the Middle East.
  • securityaffairs.com: Eagerbee backdoor targets govt entities and ISPs in the Middle East
  • securityonline.info: EAGERBEE: Advanced Backdoor Targets Middle Eastern ISPs and Government Entities
  • Pyrzout: EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets – Source: www.darkreading.com
  • ciso2ciso.com: EAGERBEE, with updated and novel components, targets the Middle East – Source: securelist.com
  • The Hacker News: New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities
  • gbhackers.com: EAGERBEE Malware Updated Its Arsenal With Payloads & Command Shells
  • securelist.com: EAGERBEE, with updated and novel components, targets the Middle East
  • ciso2ciso.com: EAGERBEE Malware Detection: New Backdoor Variant Targets Internet Service Providers and State Bodies in the Middle East

CISO2CISO Editor 2@ciso2ciso.com - 64d
The Iranian nation-state hacking group, known as Charming Kitten, has been observed deploying a new variant of their BellaCiao malware, called BellaCPP. This new version is written in C++, marking a shift from the original .NET-based BellaCiao. The discovery was made by Kaspersky during an investigation of a compromised machine in Asia, which was found to be infected with both BellaCiao and BellaCPP. This suggests the group is evolving its tactics and potentially enhancing the malware's evasion capabilities.

The BellaCPP malware is a DLL file named "adhapl.dll", and it retains functionality similar to its predecessor, including the ability to load another DLL ("D3D12_1core.dll") to create an SSH tunnel. A key difference is the absence of the web shell feature that the original BellaCiao used for uploading, downloading, and command execution. According to Kaspersky, BellaCPP is essentially a C++ port of BellaCiao without the web shell, using domains previously associated with the hacking group.

References:
  • ciso2ciso.com: Iran’s Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware – Source:thehackernews.com
  • The Hacker News: Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware
  • Pyrzout: Iran’s Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware – Source: thehackernews.com
  • securityaffairs.com: BellaCPP, Charming Kitten’s BellaCiao variant written in C++
  • ciso2ciso.com: BellaCPP, Charming Kitten’s BellaCiao variant written in C++ – Source: securityaffairs.com
  • Pyrzout: BellaCPP, Charming Kitten’s BellaCiao variant written in C++ – Source: securityaffairs.com
  • www.scworld.com: Novel BellaCiao malware variant launched by Charming Kitten
  • Security Risk Advisors: 🚩 BellaCPP Variant Emerges as C++ Rewrite of BellaCiao Malware Used by Charming Kitten

CISO2CISO Editor 2@ciso2ciso.com - 65d
The Lazarus Group, a hacking collective with ties to North Korea, is intensifying its cyber operations against the nuclear industry, employing sophisticated new malware and tactics. Recent attacks have targeted employees within 'nuclear-related' organizations using trojanized Virtual Network Computing (VNC) utilities disguised as job assessment tests. The disguised archives, delivered as ISO and ZIP files, carried a modified AmazonVNC.exe combined with legitimate UltraVNC components. This method lets the group establish a layered infection chain that helps it evade detection.

These intrusions use complex infection chains and modular malware built from a variety of components, such as downloaders, loaders and backdoors. The malware includes 'CookieTime', which can download payloads, and 'CookiePlus', disguised as a Notepad++ plugin, which uses advanced decryption techniques to fetch further plugins. The group's motivation behind the attacks is believed to be both financial gain and espionage. The ongoing attacks highlight the evolving threat posed by state-sponsored actors targeting sensitive industries and organizations.

References:
  • cyberinsider.com: North Korean Hackers ‘Lazarus’ Target Nuclear Orgs with New Malware
  • osint10x.com: North Korean hackers spotted using new tools on employees of 'nuclear-related' org
  • CyberInsider: The notorious Lazarus Group has evolved its infection tactics, employing both updated and novel malware like ‘CookiePlus' to infiltrate targets in defense, aerospace, cryptocurrency, and nuclear industries.
  • Osint10x: North Korean hackers spotted using new tools on employees of 'nuclear-related' org
  • ciso2ciso.com: Lazarus APT targeted employees at an unnamed nuclear-related organization
  • securityaffairs.com: Lazarus APT targeted employees at an unnamed nuclear-related organization
  • www.cybersecurity-insiders.com: Lazarus launches malware on Nuclear power org and Kaspersky Telegram Phishing scams
  • ciso2ciso.com: Lazarus Group Targets Nuclear Industry with CookiePlus Malware – Source:hackread.com
  • Pyrzout: Lazarus Group Targets Nuclear Industry with CookiePlus Malware – Source: hackread.com

Field Effect@Blog - 2d
The Australian government has banned Kaspersky Lab products and web services from all government systems, citing an "unacceptable security risk" stemming from potential foreign interference, espionage, and sabotage. Effective April 1, 2025, government entities must remove the software, reflecting concerns about Kaspersky's data collection practices and possible exposure to foreign government influence. The ban follows a threat and risk analysis that concluded the software posed a significant threat to Australian Government networks and data.

The directive also encourages critical infrastructure providers and personal users to reconsider their use of Kaspersky products due to the identified security risks. While the directive does not explicitly name the foreign government, Kaspersky Lab is a Russian cybersecurity company, raising concerns about ties to the Russian government. Similar bans have been implemented in other countries, including the United States, which banned Kaspersky products from federal systems in 2017. Exemptions to the ban may be considered for legitimate business reasons related to national security, subject to appropriate mitigations.

References:
  • BleepingComputer: The Australian government has banned all Kaspersky Lab products and web services from its systems and devices following an analysis that claims the company poses a significant security risk to the country.
  • securityaffairs.com: Australia bans Kaspersky software over national security concerns, citing risks of foreign interference, espionage, and sabotage of government networks.
  • Talkback Resources: The Australian Government has banned Kaspersky Lab products and web services from all government systems and devices due to security concerns related to potential foreign interference and espionage, effective April 1, 2025.
  • Talkback Resources: Australia Bans Kaspersky Software Over National Security and Espionage Concerns [app]
  • Blog: FieldEffect reports on the Australian government banning Kaspersky software.