Alerts

A malicious Chrome and Edge browser extension delivers a powerful backdoor that steals information from the browser and monitors the victim’s activities.

A downloader delivers a malware payload containing the Revisit remote administration tool along with a backdoor extension used to hijack the infected system.

The two payloads are apparently distributed by a group of malware authors called Moldova, who deliver this backdoor and RAT via malicious attachments in spam emails.

Abusing legitimate remote access tools is not a new method: the TeamSpy malware, for example, abused TeamViewer to take over affected systems remotely.

But attackers are still abusing legitimate Windows tools and open source tools such as Chrome WebDriver and Microsoft WebDriver.


How Does This Backdoor Work?

The malware uses various social engineering techniques in an email carrying an attachment: a document with an embedded malicious macro that is heavily obfuscated.

Once executed, the malicious dropper runs a JavaScript file packed in a ZIP archive that contains two kinds of payloads: one based on Java and another based on NodeJS.

The NodeJS payload is packed in a ZIP archive containing several files. Once the user enables the macro, it executes node.exe install.js, an installation script that checks for administrator rights and the user's group memberships.

It then calls install.vbs to escalate privileges and add new firewall rules allowing traffic for the remote access tool it will install.

According to the researchers, “It establishes persistence by adding shortcut (LNK) files in the Startup folder. install_do.js will also install a browser extension to the system’s browser extension directory and create a timestamp.dat file.”

The NodeJS payload then runs the remote access tool: it kills the currently open web browser via taskkill /IM <filename> and executes the Revisit 0.63 application, a legitimate, signed remote access tool.

Later, the stolen documents are uploaded by the remote access tool to the command-and-control (C&C) server. The attackers can then see the machine ID and password, allowing them to connect to the victim’s machine remotely and gain full control over it.


Browser Extension Backdoor

Once the NodeJS and Java modules detect that Chrome or Edge is open, they kill the original browser, start a new instance and load the malicious extension in the new process.

It then disables security checks and proceeds to load the malicious extension. The researchers found this malicious extension in Chrome but confirmed that it is also compatible with Edge.

“This compatibility was a feature introduced by Microsoft last year to help developers port their Chrome extensions to Edge. Selenium is also used to load the extension into Edge.”

The loaded malicious extension is designed as a backdoor: it keeps collecting the webpages and URLs the user opens and sends them to the attacker via the C&C server.

The extension can also sniff certain actions, including clicking buttons, selecting items from a drop-down list, and typing any value into a form inside the webpage, the researchers said.
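As an added defender-side example (not code from the original article or from the researchers), the Python below turns the behaviours described above into heuristics over process-creation events: node.exe running install.js, install.vbs being launched, a new firewall rule, taskkill against the browser, and a WebDriver-launched browser loading an unpacked extension. The log format, the exact command shapes and the sample lines are assumptions constructed for the example, not the campaign's real artefacts.

```python
"""Heuristics for the infection chain described above, applied to process-creation
events. Added example: the log format, rule shapes and sample lines are constructed."""
import re

def _name(path: str) -> str:
    """Lower-case file name of an image path such as C:\\Windows\\System32\\netsh.exe."""
    return path.lower().rsplit("\\", 1)[-1]

# One rule per behaviour the article names; e is a dict with ParentImage/Image/CommandLine.
RULES = [
    ("node_install_script",
     lambda e: _name(e["Image"]) == "node.exe" and "install.js" in e["CommandLine"].lower()),
    ("vbs_privilege_helper",
     lambda e: _name(e["Image"]) in ("wscript.exe", "cscript.exe")
     and "install.vbs" in e["CommandLine"].lower()),
    ("firewall_rule_added",
     lambda e: _name(e["Image"]) == "netsh.exe"
     and re.search(r"advfirewall\s+firewall\s+add\s+rule", e["CommandLine"], re.I)),
    ("browser_killed_by_taskkill",
     lambda e: _name(e["Image"]) == "taskkill.exe"
     and re.search(r"/IM\s+(chrome|msedge|MicrosoftEdge)", e["CommandLine"], re.I)),
    ("webdriver_loads_unpacked_extension",
     lambda e: _name(e["ParentImage"]) in ("chromedriver.exe", "microsoftwebdriver.exe")
     and "--load-extension=" in e["CommandLine"].lower()),
]

def parse_line(line: str) -> dict:
    """Parse 'ParentImage=..|Image=..|CommandLine=..' (constructed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def scan(lines):
    """Return [(rule_name, command_line)] for every matching event, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        hits += [(name, ev["CommandLine"]) for name, pred in RULES if pred(ev)]
    return hits

SAMPLE_LOG = [  # constructed, not real telemetry; the benign first line must not match
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Users\\u\\AppData\\Local\\Temp\\node.exe|CommandLine=node.exe install.js",
    "ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\node.exe|Image=C:\\Windows\\System32\\wscript.exe|CommandLine=wscript.exe install.vbs",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\netsh.exe|CommandLine=netsh advfirewall firewall add rule name=rat dir=in action=allow",
    "ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\node.exe|Image=C:\\Windows\\System32\\taskkill.exe|CommandLine=taskkill /F /IM chrome.exe",
    "ParentImage=C:\\Temp\\chromedriver.exe|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|CommandLine=chrome.exe --load-extension=C:\\Temp\\ext",
]

if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_LOG):
        print(f"{name}: {cmd}")
```

Each rule alone is noisy on a developer workstation; the value is in seeing several of them fire from the same user session within a short window.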



Recently, researchers unveiled a DNS hijacking campaign that was found to spread banking Trojan malware to Android smartphone users, mostly in Asia, and which has now extended its reach to iOS and PC users.

The Roaming Mantis malware now targets iOS devices for phishing attacks. A publication in April gave details about the Roaming Mantis malware, which performs targeted operations to hijack Android devices. Information security experts said that the malware is evolving and that its objective is to capture confidential data of the infected user.

“The landing pages and apk files now support 27 languages covering Europe and the Middle East, and malicious actors added an option for phishing to iOS devices and cryptography capabilities for PCs,” says the publication.

It can now perform various functions, namely cryptocurrency mining and phishing of iOS devices, and it is also capable of targeting Android devices to steal information. A researcher said the company had also analysed the previous Roaming Mantis campaign, with the findings detailed in his blog.

It has expanded to 27 different languages, including English, Hindi, Russian, Chinese and Hebrew. Initially, the malware was distributed in only five languages, but the range has now been widened using an automatic translator, information security experts commented.

Experts explain that it was designed to be distributed through DNS hijacking. For now, this malware is most active in Asian countries such as Bangladesh, India, Japan and South Korea, although there are reports of it targeting devices in the Middle East and Europe.

According to information security experts, Roaming Mantis works by redirecting victims to a malicious web page through DNS hijacking; the page then distributes a fake Facebook or Chrome application (‘facebook.apk’ or ‘chrome.apk’). This application contains an Android Trojan-Banker and must be installed manually by the victim. The professionals also noted that the comments are written in simplified Chinese.

To target iOS devices, a page mimicking Apple’s official website and claiming to be ‘security.app.com’ is distributed. On entering the page, the user is asked to provide a user ID, password, CVV, card expiry date and card number. This site supports 25 languages.

The information security researchers say that Roaming Mantis is able to steal private and confidential data from Apple and Android mobile phones, and that cryptocurrency mining is done by including a script in the HTML source code served by the malware, which runs every time the browser is opened.

A Coinhive JavaScript miner runs to exploit the device’s CPU and mine the Monero cryptocurrency. The professionals also commented that Roaming Mantis’s cryptocurrency mining is quite subtle, since most users may not realize that their device’s resources are being used.

So far, more than 150 successful attacks have been observed, but this could represent only a small fraction of the overall picture, since DNS hijacking is quite difficult to identify.


url: http://www.securitynewspaper.com/2018/05/23/roaming-mantis-malware-evolve-preys-pc-android-ios-users/

Websites running the Drupal content management system have now become the target of cyber attackers who are not only hacking into the systems but also executing commands to carry out crypto mining on the sly.


This cryptojacking scheme is run by a malicious script dubbed “Kitty.” The cyberattacks have just come to light, and if you run Drupal, check your installation thoroughly so that you are not at risk.


DRUPALGEDDON 2.0 BEHIND THE MALWARE ATTACKS

Cybersecurity experts who have studied these Kitty malware attacks on Drupal sites are of the opinion that a vulnerability known as Drupalgeddon 2.0 is the cause of the attacks being reported. The vulnerability allows remote code execution and is used by the hackers to plant the malware.

It is also pointed out that versions 7.x and 8.x of the content management system (CMS) are the most vulnerable in this respect.

The remote code execution exploit can inflict severe damage on the target system, including cryptocurrency mining, data theft and scanning of the files on the system. Even worse, it can instruct the malware to carry out cryptocurrency mining on other connected computers as well by sending a special script.

FILE EXTENSION MEOW.JS VERY DANGEROUS

The script is named meow.js and it enters Drupal websites through the file index.php, which is invariably found in the Drupal CMS. Once the hacker is able to modify this file, the meow.js mining script is injected, and by scanning the site's files the attacker adds its JavaScript files as well to the list that serves the miner.

The sadistic part is that the Kitty malware leaves a note saying it’s just a “harmless cute little kitty,” urging users to refrain from deleting the script. The word “meow” appears twice: at the beginning of this message and again at the end.
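Both the Roaming Mantis story above (a Coinhive miner included in the page's HTML source) and this Kitty story (meow.js injected into index.php and the site's other JavaScript files) come down to a miner loader injected into served web content. As an added example, not code from either write-up, the Python below scans a set of files for those indicators; the sample files are constructed, the Coinhive loader URL and CoinHive.Anonymous API are the public Coinhive ones, and the kitty note wording is used as a pattern as quoted above.

```python
"""Scan served HTML/JS for injected in-browser miner loaders. Added example: the
indicator set is assembled from the two write-ups (Coinhive loader in page HTML,
meow.js appended to index.php and other JS files); the sample files are constructed."""
import re

MINER_PATTERNS = {
    # Roaming Mantis: Coinhive miner script included in the page's HTML source
    "coinhive_loader": re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js", re.I),
    "coinhive_start": re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(", re.I),
    # Kitty: a <script> tag pulling meow.js, and the note the script carries
    "kitty_meow_js": re.compile(r"<script[^>]+src=[\"'][^\"']*meow\.js", re.I),
    "kitty_note": re.compile(r"harmless cute little kitty", re.I),
}

def find_miner_indicators(text: str) -> list:
    """Return the sorted indicator names found in one HTML or JS document."""
    return sorted(name for name, rx in MINER_PATTERNS.items() if rx.search(text))

def scan_site(files: dict) -> dict:
    """files maps path -> content; returns {path: [indicators]} for flagged files only."""
    report = {}
    for path, content in files.items():
        hits = find_miner_indicators(content)
        if hits:
            report[path] = hits
    return report

SAMPLE_SITE = {  # constructed stand-in for a web root, not real site content
    "index.php": "<?php echo 'Drupal'; ?>\n<html><body>Hello</body>"
                 "<script src='/sites/default/files/meow.js'></script></html>",
    "landing.html": "<html><script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                    "<script>var m = new CoinHive.Anonymous('SITEKEY'); m.start();</script></html>",
    "clean.html": "<html><body><p>Nothing injected here.</p></body></html>",
    "meow.js": "// meow\n// this is a harmless cute little kitty, please do not remove it\n// meow\n",
}

if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_SITE).items():
        print(f"{path}: {', '.join(hits)}")
```

Run the scan against the files as the web server serves them, not only the files on disk, since a miner can also be injected at request time by a compromised PHP entry point.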

APPEARS AN ORGANIZED ATTACKER

Researchers studying these malware programs and their effects are of the opinion that the Kitty malware is quite an evolved tool that is being constantly upgraded by whoever is behind it. They have detected newer versions of the mining script that do the job very well.

This gives the impression that the people behind the Kitty malware must be organized and have a sound technical backing.

DRUPAL MAY HAVE TO REVIEW ITS MODULES

The Drupal project will have to revisit its code and add safety features so that such vulnerabilities are not exploited by malicious actors.

It is the bane of modern technology that hackers and cybercriminals are so often found to be ahead of the curve.

Law enforcement is normally found wanting in locating the professional threat actors and stopping their activities.

This is one of the reasons why hacking and data theft often cannot be stopped before it occurs. It is only after the damage has been done that the law enforcement agencies try to catch the culprit.

KEEP YOUR ANTI-MALWARE PROGRAM UPDATED

The current case of Drupal CMS servers being affected by the Kitty malware is ironic, since the owner would have taken precautions, yet an outside program installed with an element of trust can bring about disaster.

Whatever the situation, never compromise on the best anti-malware program for your computer, whether it is a standalone device or part of a system.

Ensure that you have an up-to-date program installed and that the periodic patches sent to you are downloaded promptly and the software version upgraded.

If you are not fully satisfied, try calling a cybersecurity expert in to conduct a thorough audit of your system from the safety viewpoint and listen to the advice the expert gives you.

The regular warnings, like being alert while clicking on email attachments, apply here as well. Just like the way you would take a closer look at a physical piece of mail delivered to you to know where it has come from and who has sent it, you also have to be cautious while opening a digital message through your email. You should only download the attachments if you fully trust the sender.

Newly discovered spyware distributed via the comments sections of YouTube videos is capable of stealing files and other confidential information from infected devices.

The malicious link is distributed via comments on YouTube videos about cheats and trainers for computer games, tools that make the games easier to play.

The cybercriminals generate a malicious link pointing to Yandex and leave comments on videos with the link using fake accounts. These malicious links are also distributed through Twitter.

The spyware, detected as Trojan.PWS.Stealer.23012, was written in Python and converted into an executable file using py2exe.

The cybercriminals also distribute this spyware via Telegram channels: they get in touch with channel administrators, invite them to write a post about a new program they have developed, and suggest testing it.


Spyware Infection Operation via YouTube Videos

Once the infection completes, it scans all disks on the infected machine searching for saved passwords and cookie files of Chromium-based browsers.

A new version of this trojan also steals information from Telegram and the FileZilla FTP client; it then archives all the collected data and stores it on Yandex.Disk.

The spyware, with some modifications, also performs other malicious activities such as stealing passwords and cookie files from Google Chrome, Opera, Yandex.Browser, Vivaldi, Kometa, Orbitum, Comodo, Amigo and Torch.

It also attempts to access the Telegram account by copying the SSFN files from the config subfolder, and it creates a copy of the images and documents stored on the Desktop.

Finally, all the information is packed and uploaded to the pCloud cloud storage, from which the attacker retrieves the stolen files later.

It steals confidential information from infected devices. All the other Trojan components are written in Go. One of them scans disks searching for folders where browsers are installed, and another one packs stolen data into archives and uploads them to the pCloud storage.

The researchers also identified the author of this spyware, who was actively spreading it under the name “Yenot Pogromist” and sells it on a popular website.

The creator of spyware also has a YouTube channel dedicated to developing malicious software and has his own GitHub page where he posts the source code of his malicious programs.

An aggressive form of malware designed to mine cryptocurrency is now crashing PCs when you try to remove it from the system. Dubbed “WinstarNssmMiner”, the malware essentially hijacks the target PC by consuming loads of processing power to mine the digital coins and attaching itself to the critical system services in Windows to prevent removal.

What’s not clear is how victims end up with this malware in the first place. Presumably, though, they are opening files in emails or through social media. Once it lands on a victim’s PC, it scans for antivirus software and will disable any solution not developed by Kaspersky, Avast, and other high-tier providers. If a high-profile antivirus solution is present, the malware doesn’t do anything while the antivirus software scans the file, avoiding detection.

After that, the malware creates two system processes called “svchost.exe,” injects malicious code into these processes, and sets their attributes to “CriticalProcess.” One svchost process then begins to mine digital currency while the second svchost process keeps an eye on the installed antivirus software. If the antivirus wakes up, they stop in their tracks to avoid detection.

That said, antivirus software doesn’t detect the new malware. But the side effect of mining digital currency is that the process eats tremendous loads of CPU horsepower, slowing down victim PCs to an annoying crawl. Device owners digging into the Task Manager will attempt to manually close the offending Service Host only to get the dreaded Blue Screen of Death. Ouch.

The cryptocurrency miner is connected to four mining pools, which are groups of miners who share their processing power and split the coin stash based on their contribution. It relies on an open-source cryptocurrency mining project called XMRig for digging up Monero coins. Given the heavy load XMRig throws onto the CPU, it’s originally designed to run on dedicated PCs, not laptops and desktops used for everyday tasks.

This isn’t the first encounter with XMRig in malware. The WaterMiner trojan appeared in a user-made mod for Grand Theft Auto V in late 2017 by an alleged Russian hacker. After installing the mod, a hidden downloader retrieves the cryptocurrency miner and hides it as a legitimate application. It then proceeds to mine digital coins, slowing down the host PC. To avoid manual termination by the device owner, it halts once the victim opens Task Manager, disappearing from the Processes list.

The distribution of cryptocurrency miners is a growing trend with hackers. Instead of leaking information on the black market for profit or hijacking PCs for ransom, many have taken to generating digital coins on target PCs. Current methods include malware distribution, fake browser extensions, infected advertisements, and special code embedded in malicious websites.

So far the hackers behind the new WinstarNssmMiner malware have only generated around $28,000 in Monero coins.

https://www.digitaltrends.com/computing/malware-digital-coin-miner-crashes-pc-if-tampered/