Spyware Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/spyware/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Tue, 16 Jan 2024 12:22:45 +0000

AzorUlt Stealer Is Back In Action, Uses Email Phishing
https://gridinsoft.com/blogs/azorult-stealer-back-in-action/
Tue, 16 Jan 2024 12:22:45 +0000

The post AzorUlt Stealer Is Back In Action, Uses Email Phishing appeared first on Gridinsoft Blog.

Cybersecurity experts have stumbled upon the eight-year-old Azorult malware. This malware steals information and collects sensitive data, and had been dormant since late 2021. But can the old dog learn new tricks?

Azorult Malware Resurfaces After 2 Years

Recent research into the cyber threat landscape has brought to light concerning news about the Azorult malware. First identified in 2016, this malware gained quite a reputation back in the day. Among its most noticeable campaigns was spreading together with STOP/Djvu ransomware. However, its activity had been declining since early 2020, with the activity curve going flat in late 2021.

Being a stealer from the mid-2010s, it originally carried functionality that suited the times. Azorult specializes in stealing sensitive information: browsing history, cookies, and login credentials. No crypto wallets, no session or 2FA tokens – those were not that valuable back then.

The key changes in the resurfaced version are more sophisticated and stealthy methods, which could make it very difficult to detect. It also uses a new infection chain and uses RAM as a springboard, deploying and executing the entire payload in memory. Researchers stumbled upon shortcut files masquerading as PDF files that eventually lead to Azorult infecting the device. As for the distribution method, experts suggest it relies on classic means such as email phishing.

Malicious shortcut file (screenshot)

What is Azorult Malware?

The Azorult malware is spyware that can steal various data types, including credentials for applications and cryptocurrencies. It is known for its capabilities in harvesting sensitive data from infected systems. Azorult can also download and execute additional payloads, increasing its threat to compromised systems.

In its latest variant, Azorult uses process injection and “Living Off the Land” (LotL) techniques to evade detection by security tools. It is primarily sold on Russian underground hacker forums, and data stolen with Azorult is also sold on Russian Dark Web marketplaces. In addition to stealing information, the malware captured data for a service that sells ready-made virtual identities. This included as much detailed data as possible about users’ online behavior: history of website visits, information about the operating system, browser, installed plugins, etc.

In particular, researchers found that 90% of all digital footprints offered on the infamous Genesis Market were associated with Azorult. However, in February 2020, Google released a Chrome update that enforced the use of AES-256 for password encryption. This affected Azorult’s ability to retrieve passwords from Chrome. As the development of AZORult had been discontinued in 2018, this release was considered the “death” of AZORult, impacting Genesis’s business as well.

Azorult Uses Email Spam and LNK Files

The reviewed sample of Azorult, as mentioned above, came as an .lnk file disguised as a PDF document through the double extension trick. A file named citibank_statement_dec_2023.lnk triggers a sequence of events that downloads and executes a JavaScript file from a remote server. The JavaScript file downloads two PowerShell scripts, one of which retrieves an executable file and starts a new thread to execute the injected code. The loader terminates if the user’s language code matches specific codes linked to Russia – the most probable region of its developers. The final payload is, obviously, the Azorult infostealer.
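The shortcut-disguised-as-PDF lure described above can be caught before a user ever double-clicks it. The following is an added example written for this post, not code from Gridinsoft or from the Azorult analysis: it checks an attachment's name for the double-extension trick and its leading bytes for the Windows Shell Link header, so a renamed shortcut is flagged whatever the name claims. The sample file names and byte strings are constructed, and the DOC_EXTS list is an assumed set of extensions a lure typically imitates.

```python
"""Spot Windows shortcut (.lnk) files disguised as documents.

Added example for this post, not code from Gridinsoft or from the Azorult
analysis. Two checks a mail gateway or download scanner can run offline:
a document-style name that really ends in .lnk (the double-extension trick),
and a file whose bytes begin with the Windows Shell Link header while its
name claims something else. Sample names and byte strings are constructed.
"""

# Shell Link header: HeaderSize 0x4C (little-endian) followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PDF_MAGIC = b"%PDF-"

# Extensions a lure typically imitates (assumed list for the demo).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def inspect_attachment(filename: str, head: bytes) -> list[str]:
    """Return the findings for one file that arrived by mail or download.

    `head` is the first bytes of the file (20 are enough for the LNK check).
    An empty list means nothing looked wrong.
    """
    findings = []
    parts = filename.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    is_lnk = head.startswith(LNK_MAGIC)

    if ext == "lnk":
        # Explorer hides the .lnk extension even when other extensions are
        # shown, so "statement.pdf.lnk" renders as "statement.pdf".
        if any(p in DOC_EXTS for p in parts[1:-1]):
            findings.append("double extension: document name ending in .lnk")
        else:
            findings.append("shortcut file received as an attachment")
    elif is_lnk:
        findings.append(f"content is a Windows shortcut but name claims .{ext or '(none)'}")

    if ext == "pdf" and not head.startswith(PDF_MAGIC):
        findings.append("name claims PDF but header is not %PDF-")
    return findings


def scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Run inspect_attachment over a name->header mapping, keeping only hits."""
    report = {}
    for name, head in files.items():
        findings = inspect_attachment(name, head)
        if findings:
            report[name] = findings
    return report


# Constructed samples: three shortcut headers under different names and one real PDF header.
SAMPLES = {
    "citibank_statement_dec_2023.lnk": LNK_MAGIC + b"\x00" * 12,
    "citibank_statement_dec_2023.pdf.lnk": LNK_MAGIC + b"\x00" * 12,
    "invoice.pdf": LNK_MAGIC + b"\x00" * 12,        # shortcut renamed to .pdf
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # genuine PDF header
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

Running it reports three of the four samples; only report.pdf, whose name and header agree, passes. Reading the header rather than trusting the name is the part that matters: the name check alone misses a shortcut that was simply renamed to .pdf.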

Azorult infection chain (diagram)

Upon execution, it generates a unique identifier for the victim and collects system information, including data from crypto wallets. Azorult terminates execution if certain conditions are met, such as the presence of a mutex or a file named “password.txt” on the Desktop. It also checks for specific machine names and usernames on the victim’s system; if any of these checks return true, the binary terminates. Azorult captures screenshots and targets multiple applications. The stolen data is compressed, encrypted, and sent to a remote server.

Safety Recommendations

Since human error is mostly to blame, the most important recommendation is to beware of phishing. To elaborate, the following points will be helpful:

  • Unsolicited Emails. Always be skeptical and cautious of emails from unknown sources, especially those that request personal information or urge you to click on a link.
  • Verify Email Sources. Before responding or clicking any links, verify the sender’s email address and ensure it’s legitimate. Don’t click on links in emails, especially if they seem suspicious or too good to be true.
  • Educate Yourself. Stay informed about phishing methods and various phishing-based scam techniques.

Spyware in Fake Telegram Apps Infected Over 10 million Users
https://gridinsoft.com/blogs/fake-telegram-apps-spyware/
Tue, 12 Sep 2023 14:12:15 +0000

It is important to exercise caution when using messenger mods. There have been reports of spyware disguised as modified versions of Telegram on the Google Play Store. This malware is designed to extract sensitive information from compromised Android devices. Despite these risks, many users still blindly trust any app verified and published on Google Play. We have repeatedly warned about the dangers of downloading apps from Google Play: it could result in inadvertently installing a Trojan, a backdoor, a malicious subscriber, or other harmful software.

Trojanized Telegram Clients Spread on Google Play

Telegram’s Play Store version is identified by the package name "org.telegram.messenger", while the APK downloaded directly from Telegram’s website uses the package name "org.telegram.messenger.web". Threat actors used malicious packages named “wab,” “wcb,” and “wob” to trick users into downloading fake Telegram apps. Despite looking like the authentic Telegram app with a localized interface, the infected versions contained an additional module that Google Play moderators missed. A few days ago, experts revealed that a malware campaign called BadBazaar was using such rogue Telegram clients to gather chat backups.

Examples of fake Telegram apps:

Security experts have recently discovered a number of malicious apps on Google Play that claim to be versions of Telegram in Uyghur, Simplified Chinese, and Traditional Chinese languages. These apps have descriptions written in their respective languages and contain images that are very similar to the official Telegram page on Google Play, making it difficult to distinguish them from the genuine app.

The developers of these fake apps promote them as a faster version of the regular client, citing a distributed network of data centers worldwide. They use this as bait to persuade users to download the mods instead of the official Telegram app.

Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside (screenshot)

How dangerous are fake Telegram apps?

Millions of users have downloaded apps that were found to have malicious features. Among other things, malicious copies have functionality to capture and transmit sensitive information such as names, user IDs, contacts, phone numbers and chat messages to a server controlled by an unknown actor. Experts who discovered this activity have codenamed it Evil Telegram. Google has since taken down these apps from its platform.

Nonetheless, the poor app moderation problem in Google Play has persisted for almost a decade. You can upload literally whatever you want – even malware – and it may be deleted only after numerous reports saying it is malicious. And there’s still no guarantee that the reports will be processed in a reasonable time; some rogue apps remain in Google Play for months. For that reason, the threat will most probably resurface later, especially considering the growing popularity of Telegram.

How to stay safe?

Here are some important tips to keep yourself safe from infected versions of popular messaging apps and other threats that target Android users:

  • As I’ve just said, Google Play isn’t completely immune to malware attacks. However, it’s still a much safer option than other sources, so always download and install apps from official stores.
  • Before installing any app, even from official stores, please take a closer look at its page and ensure it’s legitimate. Pay attention to the app’s name and developer. Cybercriminals frequently apply typosquatting or spoofing in order to spread their malware.
  • Reading negative user reviews is a good way to identify potential issues with an app. If there’s a problem with an app, someone has likely already written about it. Also try searching for reviews on the web. There are plenty of sites where you can leave your feedback without any censorship from the developer or Google. Using several independent sources will give a clearer view.

Chae$4 Malware Released, Targets Banking & Logistic Orgs
https://gridinsoft.com/blogs/chaes4-malware-update/
Thu, 07 Sep 2023 09:29:11 +0000

Cybersecurity experts have discovered a new variant of Chaes malware called “Chae$4”. This malware targets the banking and logistics industries and significant content management platforms.

New Chae$4 Malware Targets Banking and Logistic Industries

According to a report, researchers have discovered an advanced variant of Chaes malware that predominantly targets e-commerce customers in Latin America. Chae$4 is an infostealer, discovered back in early 2023. It typically steals bank data, intercepts bank payments, steals personal data, and controls infected computers. It is spread via phishing emails containing links or malicious attachments. When the user opens the link or attachment, the malicious code is downloaded to the computer and installs Chae$4.

Once installed, Chae$4 monitors the user’s browser activity, including data entered into banking forms. The malware can also intercept bank payments and redirect them to attackers. Chae$4 can also be used to steal users’ personal information such as passwords, logins, and credit card numbers. It was named “Chae$4” because it is the fourth major version of the malware and carries a debugging marker labeled Chaes in its main module. It threatens customers of well-known platforms and banks, including WhatsApp Web, MetaMask, Mercado Libre, Mercado Pago, Caixa Bank, and Itau Bank. Additionally, services such as WordPress, Magento, Drupal, and Joomla are affected.

What is Chaes Malware?

Chaes malware first appeared in mid-2020. It was built with multiple programming languages and LOLBins and was adept at stealing sensitive financial data. In November of that year, experts published the first study of Chaes malware. The following research was published in January 2022 and indicated increased Chaes activity in the fourth quarter of 2021. In addition, details of its behavior became known: the developers had significantly improved the infection chain and the communication with C2, and added new integrations.

Chaes developer’s response to researchers (screenshot)

In February 2022, the Chaes malware developers published a response to the research. The attacker was impressed with the analysis and thanked the experts for their work. In addition, he specified that thanks to the analysis, he could fix the flaws that had been discovered. However, it is unclear whether one person or a group is behind the development of Chaes, as the message switched between the first person singular and the plural. The experts labeled the attacker “Lucifer”, since the blog name and the identifier used for contacting C2 was “lucifer6”.

Chae$4 Malware Update – What’s New?

Since version 4 has been significantly revised, most of the above applies to the first three versions. In the latest version, improvements include better code architecture and modularity, as well as new layers of encryption and stealth capabilities. In addition, the move to Python has resulted in lower detection rates by traditional means.

Seven different modules were identified during the analysis. These modules can be updated independently without changing the core functionality. The malware has several modules, including one for identification and data gathering, an online module for monitoring active victims, a credential stealer and clipper module, and modules for stealing data from specific banks and browsers. It also has a module for uploading files to the C2 server. This version has re-implemented previous modules with improved functionalities and unique techniques.

How to protect yourself against Chae$4?

Chae$4 is fileless malware: it does not create any files on the victim’s computer, which makes it more difficult to detect and remove. Still, here are some tips on how to protect yourself against Chae$4:

  • Keep your software up to date. Software updates are an integral part of using any device. They include security patches that protect you from malware attacks.
  • Use a firewall. It will help prevent cyberattacks from outside. In other words, a firewall can block unauthorized access to your computer.
  • Back up your data regularly. This way, you can restore your data if infected with malware.
  • Use protective software. An anti-malware solution will be the last line of defense and protect your device if you are not vigilant. It will detect and remove malware if it has infiltrated the machine.

Decoy Dog Malware Uncovered: Next-Gen Spyware
https://gridinsoft.com/blogs/decoy-dog-spyware-rat/
Fri, 28 Jul 2023 07:41:57 +0000

A group of hackers, presumably state-sponsored, is actively developing and beginning to use a sophisticated Decoy Dog toolkit. It has likely been used for over a year in cyber intelligence operations. It utilizes the Domain Name System (DNS) to manage and control a narrowly focused and minimal number of active clients.

What is Decoy Dog Malware?

In April, researchers discovered Decoy Dog, a remote access trojan (RAT) toolkit that uses DNS domains as command and control (C2) servers for the malware. It caused abnormal DNS signatures in enterprise networks across various regions, and some communications were being sent to a controller in Russia. Researchers then discovered DNS query patterns in enterprise networks that were not linked to consumer devices. They confirmed that the queries came from network appliances in only a few customer networks. Despite the researchers’ announcement and technical analysis of this malware’s similarity to the Pupy open-source RAT, the toolkit’s operators continued their activity. At that time, it used the following domains, which experts recommended organizations block:

  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc

However, new research reveals that Decoy Dog is a significant improvement over Pupy, utilizing new domains, unique commands, and configurations that are not publicly available. Pupy is an open-source post-exploitation remote access toolkit that emerged in 2015. Its primary purpose was serving as a RAT in penetration testing simulations. The configs mentioned as unavailable were hidden until 2019 and relate to the way the malware resolves the C2 DNS. But even with the code, each malware run required a thorough name server setup – a complicated task better suited to network engineers.

How Decoy Dog works (diagram)

Decoy Dog Is a Better Pupy RAT

Researchers have been investigating the differences between Decoy Dog and Pupy since April. They set up their own C2 server for Pupy to analyze its DNS communication protocol, so that they could create DNS signatures to detect new controllers of this malware. Pupy and Decoy Dog both use nonces to identify sessions with clients and establish the ordering of messages, and Decoy Dog uses the same query structure as Pupy. So, researchers decoded nonce values and correlated queries to the same compromised device.

Moreover, researchers could track each controller’s activity, including the sessions’ length and the number of active clients. Unfortunately, encryption prevented researchers from seeing the specific data communicated, but they identified the types of messages sent and profiled the overall communication behavior of both clients. Decoy Dog responds to replays, which Pupy does not, and has a richer set of commands and responses. The malware also exhibits more variance in message payload length than Pupy.

From this, researchers confirmed that Decoy Dog is a major refactor of Pupy with advanced capabilities that have changed over time. It includes a domain generation algorithm and the ability for clients to execute arbitrary Java code. These features indicate sophistication and intentionality beyond many threat actors. Security vendors’ detectors still identify Decoy Dog as Pupy, possibly because reverse engineers assumed the binary samples were identical.

Today’s activity

Decoy Dog’s creators quickly adjusted their system in response to its initial disclosure. The malware has expanded its reach, with at least three different actors now using it. Thus, they ensured uninterrupted operations and retained access to previously compromised devices. Though based on the open-source RAT Pupy, researchers have identified Decoy Dog as a new and previously unknown form of malware with advanced features that allow it to persist on compromised machines. Current research shows how Decoy Dog has significantly improved over Pupy: it utilizes unique commands and configurations that are not publicly available. Threat actors use it in ongoing nation-state cyber-attacks, establishing command and control through DNS.

Decoy Dog controller domains activity after the release of Infoblox’s papers (chart)

While much about Decoy Dog remains unclear, specialists determined that the malware can only be detected through DNS threat detection algorithms. At least three threat actors have been identified using this malware based on the open-source remote access trojan called Pupy. However, significant changes to the code suggest the involvement of a sophisticated black hat. The security firm stated that Decoy Dog can respond to complex DNS requests that do not follow the typical communication structure. In addition, they specified that the Pupy code associated with Decoy Dog is a cover for the program’s actual abilities.

Threat Actors Use Decoy Dog for Precise Hacking

Based on the analysis of passive DNS traffic, analysts have difficulty determining the exact number of Decoy Dog targets and affected devices. However, the lowest and highest numbers of active concurrent connections detected by investigators on any one controller were 4 and 50, respectively. In addition, the number of compromised devices is less than a few hundred. This indicates a minimal target list, typical of a reconnaissance operation. In any case, experts suggest that well-resourced and sophisticated attackers are using the malware.

The attackers are likely targeting specific organizations with high information value. As mentioned above, there is a possibility that the victims are located in Russia. However, experts do not rule out that the attackers directed the victims’ traffic through this region as bait or to limit requests to relevant ones. Since it is quite difficult to change this system in modern networks, Decoy Dog behaves similarly to Pupy and uses the default recursive resolver to connect to DNS.

Safety recommendations

Security measures against Decoy Dog are generally similar to basic cyber security recommendations. However, there are key points to consider first. Here are some safety recommendations against this malware:

  • Keep your software up to date. Auto-update should be enabled by default because it includes security patches that can help to protect your devices from malware.
  • Use a firewall and antivirus software. A firewall can help to block unauthorized traffic from reaching your devices, and antivirus software can help to detect and remove malware.
  • Be careful on the web. Look at what websites you visit and what links you click on. Decoy Dog can be spread through malicious websites and links.
  • Use strong passwords and change them regularly. While this is a general recommendation, it is essential because strong passwords can protect your accounts from unauthorized access.
  • Be aware of the signs of malware infection. Some symptoms include the computer running slowly, pop-ups and new programs appearing that you didn’t initiate, your browser settings changing, and files disappearing.

If you think your computer may be infected with Decoy Dog, contact your IT security team immediately. They will be able to help you to remove the malware and protect your organization from further attacks.

Web safety tips

Here are some additional tips to help you stay safe while web surfing:

  • Use VPN when connecting to public Wi-Fi. This will help to protect your traffic from being intercepted by malicious actors.
  • Be careful about what information you share online. Don’t share your personal information, such as your Social Security or credit card number, with websites or individuals you don’t trust.
  • Educate yourself about malware and how to protect yourself from it. Forewarned is forearmed. There is a lot of helpful, valuable information in the public domain today to help you keep up to date with the latest developments in cybersecurity.

By following these tips, you can help to protect yourself from Decoy Dog and other malware.

Trojanized TeamViewer Installer Spreads njRAT
https://gridinsoft.com/blogs/trojanized-teamviewer-njrat/
Thu, 20 Jul 2023 14:27:16 +0000

Threat actors have reportedly started using a fake TeamViewer installer to distribute malware. Their particular favourite for the final payload is the infamous njRAT trojan – an old-timer of the scene. Through a tricky spreading scheme, hackers run a multi-stage attack.

njRAT Hides in Trojanized TeamViewer App

For some reason, people show high levels of trust towards download links they are given on various forums or other thematic communities. This is where the major share of trojanized installers is spread. Cybercriminals, or users they pay to spread it, offer this installer as a “hacked full version” of the well-known remote access tool. As it allegedly unlocks functions absent in the free version, and folks are exceptionally eager for anything free, they inevitably fall for this crack. And, as often happens, using the crack ends in some really bad things.

Files dropped during the installation; both are run once it is over (screenshot)

The installer in question looks legitimate – neither its name nor its size raises any suspicion. However, upon execution, it drops two files: the legitimate TeamViewer installer and an item called “TeamViewer Starting.exe”. The latter is the payload, specifically njRAT – an infamous remote-access trojan from 2013. The forged installer then runs the legitimate TeamViewer app to make the victim think everything is OK.

What is njRAT?

njRAT, also known under the name of Bladabindi, is an old-timer of the malware scene. It appeared almost a decade ago, while some analysts trace it even further in the past – to 2012. Such a long life is already a mark of success, and there are a couple of things going for it.

Being a classic remote access trojan, njRAT combines the functionality of a stealer with that of a backdoor. It grants its masters access to the infected system, which is already beneficial. Commanding the machine to send requests to a target server, using it as a dummy for malicious operations, rummaging through its files manually – cybercriminals are ready to pay for that. And with an extensive botnet, the operators can do nothing but count the money from leasing it to other crooks.

njRAT execution chain

That is only one side of njRAT’s dirty deeds. As said above, it can act as an infostealer, grabbing passwords and logging keystrokes. It particularly targets cryptocurrency wallets, both desktop ones and those present as browser add-ons. This appears to be a modern trend – and it would be shortsighted to ignore it. Stealers that emerged in 2018 adopted this feature along the way, and njRAT did so as well.

One more thing this malware is distinctive for is detection evasion methods. Aside from heavy obfuscation that is a must-have in modern malware, it also employs hooking itself to critical system processes. This prevents users – and some antiviruses – from stopping the process. Moreover, it seriously disguises the malware, as it hides among system processes rather than user ones in the Task Manager.

How to protect your system in such situations?

The one major thing that makes this malware spreading campaign work is users’ trust towards software recommended on third-party websites and, overall, towards software cracks. If you would not download TeamViewer from warez sites and forums, you would not face njRAT running in your system – plain and simple. Still, there are several other tips that will help you prevent infections, regardless of their source.

Use a great anti-malware program. To be sure it will protect you from the trickiest malware samples, choose one with a heuristic system. It allows for detecting threats by their behaviour, thus any obfuscations or mimicking the system processes are useless. GridinSoft Anti-Malware is one that can offer such a feature – consider trying it out.

Use licensed software. Trojanized TeamViewer is just one example of possible malware injection into the programs you get from unofficial sources. Paying for a licence is always less expensive and unpleasant than sorting out the consequences of spyware/backdoor activity. If there is no way to get the program from an official source (a common situation with abandonware) be sure to scan it with anti-malware software before launching.

Keep an eye on cybersecurity news. This is cherry-on-top advice, that does not change much, but will surely help you to know where the traps are. Malicious Google ads, fake installers, email spam campaigns that convincingly mimic legit mailings – awareness sometimes can save you better than any reactive measures.

PlugX malware attacks European diplomats
https://gridinsoft.com/blogs/plugx-malware-europe/
Thu, 06 Jul 2023 15:20:18 +0000

Over the past few months, researchers have been monitoring the activity of a Chinese threat actor using PlugX malware to target foreign and domestic policy entities and embassies in Europe. This is part of a broader trend among China-based groups increasingly focusing on European entities, particularly their foreign policy. The countries most targeted in this campaign are Central and Eastern European countries such as Slovakia, the Czech Republic, and Hungary. The key goal of these attacks is likely obtaining sensitive information about their foreign policies. The UK is the only country outside Central and Eastern Europe targeted so far.

HTML smuggling as a method to bypass network detection

The PlugX activity targets foreign policy entities in Europe, mainly Eastern Europe, by using HTML Smuggling. HTML Smuggling is a method used by hackers to conceal harmful payloads within HTML documents. The SmugX email campaign uses HTML Smuggling to download a JavaScript or a ZIP file. This creates a long infection chain that ultimately results in the victim being infected with PlugX.

(Image: Scheme of the HTML smuggling)

Adversaries have used HTML smuggling for a while. Still, it has become more common since Microsoft blocked other popular methods of sneaking malware onto systems, such as macros in Word documents, which are now blocked by default.

HTML smuggling relies on HTML5 features that work offline: the binary is stored as an immutable blob of data inside the JavaScript code and is only assembled into a file on the victim's machine, researchers note.
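As an added example (not code from the post or from the cited research), here is a heuristic scanner for the pattern just described: it flags an HTML attachment when the markers of a smuggled payload (a long base64 literal, `atob` decoding, `Blob` construction, an object URL handed to a download link) appear together, and sniffs the magic bytes of the embedded binary. The indicator weights, the threshold and both sample documents are constructed assumptions.

```python
"""Heuristic scanner for HTML-smuggled attachments.
Added example, not code from the post or the cited research. Indicator
weights, the threshold and both sample documents are constructed assumptions."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Markers of a payload assembled client-side and pushed as a download.
# (name, pattern, weight); weights are assumed, tune them on your own mail corpus.
INDICATORS = [
    ("blob_ctor", re.compile(r"new\s+Blob\s*\("), 3),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("legacy_save", re.compile(r"msSaveOrOpenBlob\s*\("), 3),
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*="), 2),
    ("auto_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("charcode_loop", re.compile(r"charCodeAt\s*\("), 1),
]
# A long base64 literal is the smuggled binary itself; 200 chars is an assumed floor.
BASE64_LITERAL = re.compile(r'''['"]([A-Za-z0-9+/]{200,}={0,2})['"]''')
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}


@dataclass
class Verdict:
    score: int = 0
    hits: List[str] = field(default_factory=list)
    payload_type: Optional[str] = None
    payload_size: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= 6  # assumed threshold: one indicator alone never trips it


def scan_html(text: str) -> Verdict:
    """Score an HTML document; a Blob built from decoded base64 and auto-downloaded is the tell."""
    v = Verdict()
    for name, rx, weight in INDICATORS:
        if rx.search(text):
            v.hits.append(name)
            v.score += weight
    m = BASE64_LITERAL.search(text)
    if m:
        v.hits.append("base64_literal")
        v.score += 3
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return v
        v.payload_size = len(raw)
        for magic, kind in MAGIC.items():  # sniff what was smuggled
            if raw.startswith(magic):
                v.payload_type = kind
                v.score += 2
                break
    return v


# Constructed samples. The "payload" is a ZIP magic followed by zero bytes.
_FAKE_B64 = base64.b64encode(b"PK\x03\x04" + bytes(200)).decode()
BENIGN_HTML = ('<html><body><p>Quarterly report</p>'
               '<a href="/files/report.pdf" download="report.pdf">Download</a></body></html>')
SMUGGLED_HTML = (
    "<html><body><script>"
    "var b64='" + _FAKE_B64 + "';var bin=atob(b64);"
    "var bytes=new Uint8Array(bin.length);"
    "for(var i=0;i<bin.length;i++){bytes[i]=bin.charCodeAt(i);}"
    "var blob=new Blob([bytes],{type:'application/octet-stream'});"
    "var a=document.createElement('a');a.href=URL.createObjectURL(blob);"
    "a.download='document.zip';a.click();"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggled", SMUGGLED_HTML)):
        v = scan_html(doc)
        print(label, v.suspicious, v.score, v.hits, v.payload_type, v.payload_size)
```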

Lure for European politicians

The lures focused primarily on European domestic and foreign policy and were mainly aimed at Eastern and Central European governmental organizations.

(Image: Origins of the SmugX submissions)

Most of the documents found had content related to diplomacy, with some specifically concerning China and human rights. Furthermore, the names of the files imply that the targets were likely government officials and diplomats.

(Image: Lure documents with diplomacy-related content)

Attack on the European government

The attackers implemented HTML smuggling to enable downloading a JavaScript or ZIP file onto a compromised system. In the case of a ZIP archive, it includes a harmful LNK file that triggers PowerShell. On the other hand, if a JavaScript file is utilized, it will download and activate an MSI file from the attackers’ server.

Once on the system, a DLL decrypts the PlugX payload. This malware can conduct several harmful activities, such as capturing screenshots, logging keystrokes, executing commands, and exfiltrating files. A legitimate executable is downloaded and hijacked during the infection process to ensure that the malware remains on the system. The malware then copies the legitimate program and the DLL into a hidden directory and adds the legitimate program to the Run registry key to maintain persistence.

Is it possible to evade PlugX infection?

Potential targets of such attacks must prioritize defense. After a significant cyber attack, resetting the organization's cyber security approach and posture is recommended. Every organization must reflect on its actions and decisions after a serious incident. This should be a lesson not only for governmental services but also for companies.

  • Regularly update the systems. It is essential to regularly update your operating systems, software, and applications with the latest security patches and updates to fix known vulnerabilities.
  • To enhance your security measures, it is necessary to revamp the cybersecurity training provided to government officials.
  • Zero Trust principles have a special role for such organizations, as adopting them can completely change the state of affairs in security.
  • Implementing strict access controls such as strong passwords, multi-factor authentication (MFA), and role-based access control is essential to prevent unauthorized access to sensitive data and systems.

To minimize the risk of attacks, companies should implement various security measures. These include adopting robust security strategies, such as the Zero Trust model, regularly updating and patching systems, providing thorough security awareness training, implementing strict access controls, segmenting networks, using advanced threat detection tools, regularly backing up data, conducting security assessments, and utilizing third-party security services. By taking these steps, companies can significantly reduce their vulnerability to attacks.

The post PlugX malware attacks European diplomats appeared first on Gridinsoft Blog.

Ducktail Infostealer Malware Targeting Facebook Business Accounts https://gridinsoft.com/blogs/ducktail-malware-analysis/ Fri, 19 May 2023 21:36:12 +0000

Researchers discovered Ducktail Malware, which targets individuals and organizations on the Facebook Business/Ads platform. The malware steals browser cookies and uses authenticated Facebook sessions to access the victim’s account. As a result, the scammers gain access to Facebook Business through the victim’s account, which has sufficient access to do so. It is a particularly interesting behavior, as most stealer malware aims at cryptocurrency-related data, or even all data types at once.

What is Ducktail Malware?

Ducktail is malware built on .NET Core that predominantly targets individuals and employees who may have access to a Facebook Business account. The Ducktail campaign is believed to have been active since 2018. However, the author became actively involved in developing and distributing malware related to the DUCKTAIL operation in the second half of 2021. The chain of evidence suggests that the attacker’s motives are driven by financial considerations and that the cybercriminal behind the campaign hails from Vietnam.

As mentioned at the outset, the primary targets of this stealer were individuals who hold senior positions in clothing, footwear, and cosmetics companies, as well as employees involved in digital marketing, digital media, and human resources. However, the author is believed to have recently updated the malware, expanding its capabilities. The new version of Ducktail is written in PHP. Now it targets users with any level of access to Facebook Business accounts.

How does it work?

The Ducktail malware is specifically designed to extract browser cookies and hijack social media sessions. In this way, the attacker obtains sensitive information from the victim's social media accounts and, through them, from the associated business accounts. The scammers then use this access to place advertisements for financial gain. We will now look at this process in more detail.

(Image: Ducktail's algorithm of actions in one picture)

Delivery

To infect a target device, attackers use time-tested social engineering. I have repeatedly mentioned that the weakest link in any defense is the human factor, so this tactic will always be relevant. First, scammers place a malicious file on popular cloud storage; they typically use Google Drive, OneDrive, Mega, MediaFire, Discord, Trello, iCloud, and Dropbox. Next, they trick the victim into downloading and opening the malicious file: hackers contact the victim via social networks and send a link to the archive. To make it look more legitimate, they pick a name like “Project Information And Salary Details At AVALON ORGANICS.zip”. As a result, the victim suspects nothing.

(Image: Archive contents: a file that is not what it claims to be)

Inside the archive there may be some thematic images (e.g., images of cosmetics if the target is a cosmetics company) and files that look like PDF or other documents. In reality, however, these are executable files disguised as documents, as can be seen by checking the file extension. These files are the actual payloads: .NET assemblies that carry both executable sections and DLLs in them.

Info Stealing

Once launched, Ducktail scans web browsers, mainly Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave Browser. The malware extracts all stored cookies as well as access tokens. It is also interested in information such as name, user ID, email address, and date of birth from the victim’s Facebook account. The malware scans registry data in HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to get each installed browser’s name, path, and icon path.

Hacking process

Ducktail uses the victim's social media session cookie and the other credentials it obtained. This allows it to interact directly with social media endpoints from the victim's computer and extract information from the victim's account. In addition, the malware checks whether two-factor authentication is enabled and, if so, tries to obtain recovery codes. It can also steal access tokens, IP addresses, and user agents, as well as data from business and advertising accounts connected to the victim's personal account. This allows attackers to hijack these accounts and add their own email addresses to gain admin and financial editor access.

Administrator rights give complete control over the Facebook Business account. Financial editor rights allow changing the credit card information and financial details of the business, such as transactions, bills, account charges, and payment methods. Because Ducktail obtains this information by sending requests from the victim's computer, it impersonates the legitimate user and their session; its activity is masked behind the victim's IP address, cookie values, and system configuration. In addition to the data obtained, the malware attempts to collect the following information from the Facebook Business page:

  • Payment initiated
  • Payment required
  • Verification Status
  • Owner ad accounts
  • Amount spent
  • Currency details
  • Account status
  • Ads Payment cycle
  • Funding source
  • Payment method [credit card, debit card, etc.]
  • Paypal Payment method [email address]
  • Owned pages

Exfiltration

Ducktail uses the Telegram messenger as its C&C channel. The Telegram.Bot client library makes it easy for the fraudsters to upload a file to a chat with a Telegram bot. Finally, the malware runs an infinite loop in the background, establishing a continuous exfiltration process.
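The following added example (not Ducktail's code and not from the post) shows what that exfiltration channel looks like in endpoint network telemetry and how to flag it: any process outside a small allowlist calling the Telegram Bot API upload methods. The CSV event format, the process allowlist, the bot ids/tokens and the log rows are constructed assumptions.

```python
"""Detect Telegram Bot API exfiltration in endpoint network telemetry.
Added example, not Ducktail's code. The CSV event format, the allowlist and
the sample rows are constructed assumptions for this example."""
import csv
import io
import re
from collections import defaultdict

# Bot API calls look like https://api.telegram.org/bot<id>:<token>/<method>.
# The desktop messenger itself talks MTProto to Telegram's data centres, so
# Bot API traffic from a workstation comes from scripts or malware, not from chat.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.I)
# Methods that push data into a chat; sendDocument is the file upload described above.
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto"}
# Internal automation known to use a Telegram bot (assumed allowlist).
ALLOWED_PROCESSES = {"alerting-agent.exe"}

# Constructed telemetry: timestamp,host,process,dest_host,url,bytes_out
SAMPLE_EVENTS = """\
2023-05-19T10:01:02Z,WS-MARKETING-07,chrome.exe,www.facebook.com,https://www.facebook.com/business/,2200
2023-05-19T10:02:14Z,WS-MARKETING-07,Salary_Details_AVALON.exe,api.telegram.org,https://api.telegram.org/bot9876543210:FAKEtokenCONSTRUCTED_abc/sendDocument,48211
2023-05-19T10:02:40Z,WS-MARKETING-07,Salary_Details_AVALON.exe,api.telegram.org,https://api.telegram.org/bot9876543210:FAKEtokenCONSTRUCTED_abc/sendDocument,51930
2023-05-19T10:03:05Z,SRV-MON-01,alerting-agent.exe,api.telegram.org,https://api.telegram.org/bot1234567890:FAKEtokenCONSTRUCTED_xyz/sendMessage,310
2023-05-19T10:04:12Z,WS-MARKETING-07,Salary_Details_AVALON.exe,api.telegram.org,https://api.telegram.org/bot9876543210:FAKEtokenCONSTRUCTED_abc/getMe,95
"""


def redact(url: str) -> str:
    """Mask the bot token so findings can be logged or shared safely."""
    return BOT_CALL.sub(
        lambda m: f"https://api.telegram.org/bot{m.group(1)}:<redacted>/{m.group(3)}", url)


def analyze(events_csv: str) -> dict:
    """Group suspicious Bot API uploads by (host, process, bot id)."""
    findings = defaultdict(
        lambda: {"calls": 0, "bytes_out": 0, "methods": set(), "first_seen": None})
    reader = csv.DictReader(
        io.StringIO(events_csv),
        fieldnames=["ts", "host", "process", "dest_host", "url", "bytes_out"])
    for row in reader:
        m = BOT_CALL.search(row["url"])
        if not m:
            continue
        bot_id, _token, method = m.groups()
        if method.lower() not in EXFIL_METHODS:
            continue  # getMe / getUpdates are channel checks, not uploads
        if row["process"].lower() in ALLOWED_PROCESSES:
            continue
        f = findings[(row["host"], row["process"], bot_id)]
        f["calls"] += 1
        f["bytes_out"] += int(row["bytes_out"])
        f["methods"].add(method)
        f["first_seen"] = f["first_seen"] or row["ts"]
    return dict(findings)


if __name__ == "__main__":
    for (host, proc, bot), f in analyze(SAMPLE_EVENTS).items():
        print(f"{host} {proc} -> bot {bot}: {f['calls']} uploads, "
              f"{f['bytes_out']} bytes out, methods {sorted(f['methods'])}, since {f['first_seen']}")
```

Repeated sendDocument calls from one unfamiliar process to one bot id, as in the sample, are the signature of the background loop the post describes.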

How to protect yourself?

Ducktail is a narrowly targeted information stealer that can cause severe financial losses and identity theft. Its authors constantly make changes and improve delivery mechanisms and approaches to stealing sensitive user information. However, the following tips can help you keep the chances of infection to a minimum:

Ducktail IoCs


The post Ducktail Infostealer Malware Targeting Facebook Business Accounts appeared first on Gridinsoft Blog.

Infostealer Malware: Top Stealers in 2024 https://gridinsoft.com/blogs/infostealer-malware-top/ Wed, 17 May 2023 13:16:29 +0000

The cybercrime world changes rapidly, expanding, collapsing and evolving both extensively and intensively. One of the most widespread malware types in the modern threat landscape, infostealer malware, appears to be entering a new stage of development. Though its major names remain the same, some new malware families with promising features have popped up. Let's have a peek at all of them and see what to expect.

Infostealer Malware Market in 2024

Infostealer malware has gained more and more popularity over the last decade. However, the biggest spike happened over the course of the last few years. The first noticeable factor is the massive popularisation of cryptocurrencies. How is that related? Well, relatively large amounts of money have always attracted the attention of hackers. Carding and banking fraud, though, are now less effective, as banks implemented strict control measures back in the early 2010s. Cryptocurrency wallets, on the other hand, have little to no such control, making them ideal targets for infostealers.

(Image: Infostealer malware stats)

Another reason that made spyware and infostealers so popular and widespread is their massive use in attacks on corporations. Even when hackers break into a network to encrypt the files and demand a ransom for their decryption, they also drop an infostealer that will exfiltrate as much valuable information as possible. Afterwards, the hackers request an additional ransom to keep this data secret. Some attacks are based exclusively on stealers, and the result of their work is either sold on the Darknet or used for business email compromise (BEC) attacks. Additionally, some ransomware groups that aim at home users started adding spyware to their attack chain a while ago.

Infostealer Malware Market Leaders

As of May 2024, there are 3 major malware families that dominate the market: RedLine, Raccoon and Vidar. None of them is new at this point, with Vidar having been active the longest. Let's have a closer look at them, starting with the youngest one.

RedLine Infostealer

RedLine infostealer appeared in 2020 and saw pretty wide use in different cyberattacks. Most of the time, however, it was aimed at single users, as its functionality fits this purpose best. Key targets for RedLine are cryptocurrency wallet data, from both desktop versions and browser plugins. Still, it can gather other data, such as FTP/VPN configurations and session tokens for apps like Discord or Steam. Having held a pretty large market share at the edge of 2023, it became much less active starting from March 2024. Yet the enormous number of new samples that popped up recently may be a sign of another campaign getting ready. The main way the RedLine developers find hackers who buy this malware is through Telegram groups and Darknet forums.

(Image: Telegram group post that advertises RedLine malware)

Raccoon Infostealer

Raccoon has key properties similar to the ones RedLine offers, but is capable of capturing a much wider selection of data. In its scope are browser autofill files, cookies and online banking credentials, on top of the ability to pluck cryptocurrency wallets. Since its emergence in early 2019, Raccoon has held dominant positions on the market, and keeps holding them even now. In summer 2022, its developers released a new version, promising faster and more reliable malware for a slightly higher price. Like RedLine, Raccoon stealer is commonly spread through ads in Telegram channels and bots; Darknet platforms are less preferred, though they are used for public communication.

(Image: Admin panel of Raccoon stealer)

Vidar Infostealer

Among the top 3 infostealer threats, Vidar is most definitely a dark horse. It is considered to be an offspring of Arkei stealer, malware that made quite a name for itself back in the early 2010s. After its launch in 2018, it never had a dominant share of the market, being at best #2. Nonetheless, its efficiency and unique design are hard to deny: Vidar offers a modular approach to data stealing and has an uncommon way of C2 communication. It also performs self-destruction after successful data exfiltration. Additionally, it is often spread in a bundle with other malware, such as STOP/Djvu ransomware. Its methods of selling to cybercriminals, however, are less unique: it uses Telegram channels dedicated to malware promotion.

Read the full Vidar stealer analysis in our Threat Encyclopedia

Newbies

It would be quite reckless to deny the importance of new malware. For sure, not all of them will make it even to the 1-year milestone, but Raccoon and Vidar once were newbies as well – and you can see where they are. Among stealer families that popped out over the last year, there are a couple you should keep in mind.

Lumma

Also known as LummaC2, this infostealer appeared in December 2022. Even a first look at this malware reveals some fairly noteworthy details. On the “pricing plans” panel, the developers mention the ability to configure the payload in a specific manner and to add network sniffer functionality. The presence of these functions depends on the price of the chosen plan: $250, $500 or $1,000. Additionally, the malware's masters offer access to the malware and panel source code, along with the right to resell them, for $20,000. Other functions, however, are available regardless of the plan. Lumma can grab browser cookies, autofill forms, data from 2FA plugins/apps, and crypto wallet credentials from both apps and browser plugins.

(Image: Pricing for different LummaC2 stealer plans, posted on a Darknet website)

Stealc

Stealc is another youngster, first mentioned on January 9, 2023, on several Darknet forums. It appears to utilise best practices from the most popular stealers, which already makes it pretty potent. Among its unusual practices are a free test and weekly releases of new features. As for other functions, the malware has the classic set of a modern infostealer: it gathers data from web browsers (cookies, autofill forms, etc.), cryptocurrency wallet extensions and even email clients and messengers. Such extended functionality, especially compared to other new malware examples, will definitely be appreciated.

How to Protect Against Infostealer Malware?

Protection against threats like infostealer is always a tough question to answer. Thing is, malware like this is forced to evolve constantly, finding new ways to be more efficient and stealthy. This makes any advice that reacts to some malware features useless in the long-term. However, there are still some things Infostealer Malware developers can’t (or don’t want to) change.

Beware of spear phishing. It may take different forms, from email messages sent from a compromised business email to social media posts from the hijacked account of a legitimate company. But even with all the sophistication, hackers can never make a cover story that survives a check. Most commonly, they attract victims with urgent events or exclusive deals. A simple source check will reveal any possible scam: if the impersonated company has nothing to do with such claims, ignore the alarming message.

Avoid using pirated software. Despite losing a significant portion of its share to the expansion of email spam, software cracks are still used for spreading malware. Torrent trackers and third-party websites are flooded with numerous offers of brand new software, and try to guess which one is infected. Using only licensed software will not only keep you on the right side of the law, but also eliminate any risk of malware injection. And, believe me, dealing with the consequences of malware activity will cost you way more than you can save on program licences.

Protect your system with proper anti-malware software. Yes, it is better to avoid muddy waters altogether, but having a security tool that will take care of problems will make your life much easier. Not every utility will fit, though, as infostealer malware has some tricks to avoid basic anti-malware software. GridinSoft Anti-Malware gives them no chance, thanks to its three-component detection system and constant updates that keep its databases relevant.

The post Infostealer Malware: Top Stealers in 2024 appeared first on Gridinsoft Blog.

RedLine Stealer Issues 100,000 Samples – What is Happening? https://gridinsoft.com/blogs/redline-stealer-100000-samples/ Mon, 15 May 2023 10:02:02 +0000

Throughout early May 2023, the GridinSoft analyst team observed anomalous activity of the RedLine stealer. It is, actually, activity different from what we are used to seeing. Over 100,000 samples of this malware appeared during the first 12 days of the month, which is too much even for more massive threats. Needless to say, for stealer malware such a massive outbreak is confusing, to say the least.

What is RedLine malware?

First, let me remind you what RedLine is. It is a classic infostealer that targets cryptocurrency wallet credentials, browser AutoFill forms, cookies, and credentials from other applications. The most common way of spreading this malware is spear phishing, which contains infected files and phishing links. Another option used by malware masters recently is malvertising through Google Search ads. The latter supposes the creation of a website that replicates the downloading page of a legit free software – like 7zip, OBS Studio or LibreOffice.

Consider reading the full analysis of RedLine Malware in our Threat Encyclopedia

Having emerged in early 2020, RedLine had moderate activity throughout its lifespan. The first noticeable activity happened only half a year after the first sample detection, meaning its developers were raising their malware from scratch. But now it has made an enormous spike, which peaked on May 7: over 39,000 samples emerged that day.

(Image: Bar graph of new RedLine stealer sample detections; the early May activity is easy to spot)

What does that mean?

Actually, almost a hundred thousand samples do not correspond to 100,000 victims. The RedLine malware toolkit offers sample recompilation, and its developers recommend compiling a fresh sample for each attack. That makes every malware unit unique, which makes it way harder to detect with classic anti-virus programs. An encrypting utility (crypter), which the malware developers also recommend using, makes it even tougher.

Sure, some of these samples are definitely used in ongoing attacks. RedLine relies on continuous operations and botnet expansion, which requires retaining high infection rates. The “background” activity of this malware is about 1,500 samples a day, meaning most of those are used in actual attacks. Meanwhile, no huge infection spikes were detected recently, at least not on the scale of the sample generation.

The most concerning hypothesis is that RedLine is getting ready for a massive attack. How this attack will be conducted remains to be guessed or seen, yet cybercriminals rarely betray their “classic” spreading ways. Email spam, especially precision-made spam, remains very effective and exceptionally cheap, so why would they reinvent the wheel?

(Image: Malicious ads in Google Search)

Another possible explanation is way less dramatic, yet it does not mean that the threat is over. Such massive sample generation may be the outcome of some tests, for example ones done to test the compiler, the crypter, or another mechanism. Neither I nor any other analyst can know for sure what exactly they are testing, but these changes may have qualitative differences. The best way to understand what that means is to keep watching; fortunately, these maneuvers do not disrupt threat intelligence in any way.

IoC RedLine Stealer

How to stay protected?

I’ve already mentioned preferred spreading ways that RedLine has used since its emergence in 2020. Protective measures should be built around counteracting these methods. And, of course, as the last line of defense, there should be anti-malware software.

Perform a diligent check of each email you receive. It may look like an overly paranoid measure for messages, but be aware that it is not about “just emails”. The number of cyberattacks on companies of all sizes carried out through email spam is terrifying, so such a threat should not be ignored. Any questionable attachment, link, or strange sender address is a red flag.

Use network monitoring tools. Both active and passive ones will fit, as RedLine does not apply complicated anti-detection methods. Still, it tries to spoof the traffic path during C2 communication, and here is where protective solutions shine. Firewalls are much cheaper and easier to set up, but lack reactive response capabilities. Meanwhile, NDR solutions trade their complexity and expense for the ability to intercept even the newest threats.

Anti-malware software, the last argument of kings. The ideal network security situation is preventing malware from making its way to a live workstation. Though idealism is sometimes synonymous with naivety. For that reason, something to back up your security is essential, whether you are a home user or connected to a corporate LAN. GridinSoft Anti-Malware is a great choice for home protection, though it will be better to seek a specialized option to protect an entire network.

The post RedLine Stealer Issues 100,000 Samples – What is Happening? appeared first on Gridinsoft Blog.

The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years https://gridinsoft.com/blogs/fsb-cyberspyware/ Wed, 10 May 2023 08:19:59 +0000

The US Federal Bureau of Investigation on Tuesday reported the disruption of a massive spying program by the Russian Federal Security Service (FSB) using cyberspyware codenamed “Snake”.

This is stated in a press release from the US Department of Justice.

Let me remind you that we also wrote about Europe's largest private hospital operator, Fresenius, being attacked with a ransomware of the same name, Snake. Don't be confused: here we are talking about a completely different malware.

(Image: Matthew J. Olsen)

US law enforcers believe that the spy tool was used by the hacker unit of the 16th FSB center, codenamed “Turla” for almost 20 years. We also reported that Fake DDoS App from Turla Targets Pro-Ukrainian Hacktivists.

“For 20 years, the FSB has relied on the Snake malware for cyber espionage against the United States and our allies – that ends today,” said Assistant Attorney General Matthew J. Olsen of the Justice Department's Homeland Security Division.

The Snake program was designed to steal confidential documents from hundreds of computer systems in at least 50 countries that belonged to the governments of NATO member countries, in particular the United States, as well as journalists and other persons of interest to the Russian Federation.

“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes. Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies,” said U.S. Attorney Breon Peace for the Eastern District of New York.

To eliminate the “Snake”, the FBI developed an operation code-named “Medusa”. Within its framework, the spy application was forced to rewrite its own code, which disabled it. A senior FBI official said the Bureau’s tool was only designed to communicate with Russian spyware.

“He speaks the Snake language and communicates using Snake’s custom protocols without accessing the victim’s private files,” the official said.

At a briefing ahead of the announcement, a US official involved in the operation called the Snake the “prime tool” of Russia’s cyber-espionage, Reuters reported. He expressed the hope that as a result of the liquidation of the program, Moscow could be “eradicated from the virtual battlefield.”

The media also reported that the FBI and NSA discovered Drovorub malware, created by Russian Intelligence services.

The post The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years appeared first on Gridinsoft Blog.
