Cybersecurity Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/cybersecurity/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Hack Leaks 6 TB of User Data
https://gridinsoft.com/blogs/unitedhealth-hack-6tb-data-leak/
Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Group, one of the largest providers of health insurance and health care services in the United States, suffered a cyberattack followed by a data breach. The company admitted that the personal data of millions of patients was “stolen” in the attack. This incident is already being called one of the largest in healthcare history. The total volume of data that the hackers managed to leak is estimated at 6 terabytes.

UnitedHealth Hacked, Department Leaks Huge Amounts of Data

In February 2024, UnitedHealth Group experienced a massive cyberattack that compromised the data security of Change Healthcare. This division of the corporation processes medical claims and payments. As a result, systems responsible for processing prescriptions, medical claims and electronic payments were affected. This caused major problems for healthcare providers, pharmacies and payment systems across the country.

Application on the company’s website

UnitedHealth Group responded quickly to the incident. They announced their intention to work with law enforcement to investigate the attack and to strengthen security measures to protect patient data. The company also began notifying affected customers and offered them free credit history monitoring and fraud protection services as compensation.

On Wednesday, UnitedHealth Group announced that it had made significant progress in restoring the core systems hit in the attack. The attack caused an outage during the company’s response and impacted more than 100 Change Healthcare IT products and services.

Government Response

The size of UnitedHealth and its importance for the national healthcare industry could not leave the government silent. The U.S. Department of Health and Human Services has opened an investigation into the incident for a possible violation of the Health Information Protection and Accountability Act (HIPAA). The investigation aims to determine whether a breach of patient protection occurred and whether the relevant legal requirements for confidentiality of information were met.

U.S. Department of State Announces Reward

BlackCat/ALPHV Claims Responsibility

The ALPHV/BlackCat ransomware gang claimed responsibility for this attack earlier this year. The hackers announced that they were able to steal 6 terabytes of “highly selective data” regarding Change Healthcare customers. This information covers a wide range of data relating to Tricare, Medicare, CVS Caremark, MetLife and other large organizations, which highlights the potential scale of the damage.

ALPHV/BlackCat reveals details of attack on UnitedHealth

According to their story, UnitedHealth Group paid a $22 million ransom for a decryption key and a promise not to distribute the stolen data. This is a forced measure: the company pays a huge sum to regain access to its own data and to prevent further dissemination of the stolen information. However, it remains an open question whether BlackCat actually received the full ransom amount as claimed, and what assurance there is that the data will not be distributed or used in the future.

At the end of 2023, BlackCat’s infrastructure was seized in a coordinated law enforcement action, which severely disrupted the group’s operations for a period. Yet, as you can see, BlackCat continued operating in defiance of law enforcement efforts. The disruption definitely slowed them down, but did not stop the operation entirely.

What did stop them, though, was an exit scam that the group’s admins pulled in early March 2024. The hackers defrauded their partners, quitting the business with all the money of their affiliates. The UnitedHealth subdivision in question appears to be one of their last targets, at least under this name. I expect them to resurface in one form or another.

Microsoft SharePoint Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/microsoft-sharepoint-vulnerability-exploited/
Mon, 01 Apr 2024 13:05:11 +0000

In late March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the exploitation of a flaw in Microsoft SharePoint. The flaw was detected back in September 2023, but evidence of active exploitation surfaced only recently. Fortunately, Microsoft offers updates that fix it.

Remote code execution vulnerability

A vulnerability designated CVE-2023-24955 (CVSS: 7.2) has been discovered in the popular Microsoft SharePoint product. Affected versions include SharePoint Enterprise Server 2013, SharePoint Server 2016 and SharePoint Server 2019. The flaw is a code injection vulnerability: it involves replacing a specific file (/BusinessDataMetadataCatalog/BDCMetadata.bdcm) on the server, which leads to the injected code being compiled into an assembly that SharePoint then executes. This effectively grants the attacker the ability to execute arbitrary code on the server.

The vulnerability was originally identified by a group of security researchers who then reported their findings to Microsoft. Its specific characteristic is that it exploits a flaw in the mechanism for handling specially crafted web requests. This means that for a successful attack, an attacker only needs to send a specially crafted request to a SharePoint server. Moreover, it does not require the attacker to have credentials or prior access to the victim’s network.

SharePoint application authentication module

Remote code execution flaws are traditionally considered the most severe ones. They effectively allow attackers to execute the code they need on several systems across the environment. Such flaws can serve both as entry points and as an instrument for lateral movement. And considering the popularity of Microsoft solutions, it is expected that this vulnerability will be used along with other ones within the Microsoft ecosystem.

Official Microsoft Patches and Updates

Interestingly enough, the vulnerability was fixed before it was uncovered by the researchers: the fix appeared within the course of Patch Tuesday in May 2023. Despite that, after the public disclosure the company published security advisories and provided updates for all supported versions of the product, urging users to apply the patches immediately to protect their systems. Official patches are available through Microsoft’s standard update channels and on the official support site. Though, this should have been done way earlier, considering the high CVSS score of the flaw.

At the same time, other vulnerabilities are rarely patched before public disclosure. Protecting against them requires strong security solutions, particularly ones that can detect potential exploitation. EDR/XDR and programs of this grade will not only protect against vulnerability exploitation, but also give you the ability to orchestrate the response to minimize the damage.

ShadowRay Vulnerability Threatens AI Workloads, No Patch Available
https://gridinsoft.com/blogs/shadowray-vulnerability-uncovered/
Thu, 28 Mar 2024 18:19:00 +0000

A recent review of vulnerabilities in the Ray framework uncovered an unpatched flaw, dubbed ShadowRay. It appears that hundreds of machine learning clusters have already been compromised, leading to the leak of ML assets. Researchers trace the first attack that used this vulnerability to September 2023, meaning that the vulnerability has already been in circulation for over half a year.

ShadowRay Vulnerability Allows for RCE

Ray, one of the most popular open source AI frameworks, contains a severe vulnerability, with hundreds of exploitation cases known at the moment. The research by Oligo Security uncovers the peculiar story of CVE-2023-48022: it was originally detected together with four others back in December 2023. While Anyscale, the developer, managed to fix the rest pretty quickly, this one became a subject of discussion. The devs stated that it is intended behavior and not a bug, refusing to fix the issue.

ShadowRay vulnerability exploitation scheme

CVE-2023-48022, coined ShadowRay, is a remote code execution flaw that stems from the lack of authorization in the Jobs API. The API in fact allows anyone who can reach the dashboard to create jobs for the cluster. Among the possible jobs is code execution, a function users need quite often in the typical workflow. This in fact was the point of controversy when another research team discovered the flaw in 2023. Anyscale insists that security around the framework and all its assets should be established by the users.

Remote code execution vulnerabilities are among the most severe out there, as they in fact allow for simultaneous code execution on several machines. In this specific case, it is not workstations that are in danger, but ML clusters, with all the computing power and data they hold.

How Critical is This Flaw?

As I said, the Ray framework is among the most popular ones for handling AI workloads. Among its users are loud names like Amazon, Netflix, Uber, Spotify, LinkedIn and OpenAI, though there are hundreds and thousands of smaller companies. Their GitHub repository boasts over 30k stars, meaning that the total user count definitely exceeds this number. So yes, the attack surface is pretty significant.

Much worse things surface when we think about what exactly is compromised. Compared to workstations, corporate networks and servers, machine learning clusters are completely different. They are powerhouse systems, with hardware oriented toward ML workloads and related data, like access tokens, credentials to the connected apps, and so on. Numerous systems that keep such info are interconnected using the Ray framework. So successful exploitation of ShadowRay effectively means access to all of this.

Ray dashboard with all the cluster’s data. Source: Oligo

Although the hardware, more specifically the GPUs, is oriented toward AI workloads, it is still usable for other tasks. In particular, upon accessing the ML cluster, attackers can deploy coin miner malware that fills their purses at the expense of the victim company. But what is more concerning here is the possibility of a dataset leak. Quite a few companies train their AI models using their own unique developments, or a selection of carefully picked data. Leaking corporate secrets may be critical for large companies, and fatal for smaller ones.

ShadowRay Vulnerability Exploited in the Wild

The most unfortunate part about the ShadowRay flaw is that it is already exploited in real-world attacks. Moreover, hackers most likely exploited it well before its discovery. The original research says the first exploitation cases happened back in September 2023. However, they did not stop: there were also attacks that happened less than a month ago, in late February 2024.

Among the visible consequences of the attack were malicious coin miners that exploited the powerful hardware of the hacked clusters. Hackers particularly deployed the XMRig, NBMiner and Zephyr malicious miners. All of them were running in living-off-the-land fashion, without files on disk, meaning that static analysis was practically useless against this malware.

Less obvious, but potentially more critical, was the leak of data kept on the clusters. I am talking not only about the datasets, but also workflow-related information, like passwords, credentials, access tokens, and even access to cloud environments. From this point of view, this is rather similar to compromising a server that handles the workflow of a software development team.

ShadowRay Fixes Are Not Available

As I’ve mentioned above, Anyscale does not agree that the absent authentication in the Jobs API is a vulnerability. They believe that the user should take care of the security of the Ray framework. And I somewhat agree with this, with only one caveat: the need for a visible warning about such a “feature” during the setup. When it comes to the scale of OpenAI or Netflix, such shortcomings are unacceptable.

At the moment, the best mitigation is to filter access to the dashboard. A properly configured firewall will fit well for this purpose. Experts also recommend setting up authentication for the Ray Dashboard port (8265), effectively fixing the vulnerability.

Use advanced security solutions that are able to detect in-memory threats as well as malware on the disk. In almost all attack cases, adversaries did not leave any files on the disk, performing the attack in LOTL form. EDR/XDR solutions may look costly, but recovering from a compromise of all the company’s assets costs more, both in monetary and reputational terms.
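
The access-filtering mitigation described above, as an added example that is not code from Oligo’s research or the Ray project: a Python audit of which addresses the dashboard port is bound to, parsed from a constructed imitation of ss -ltn output, plus a generator for the nftables rule that limits the port to trusted IPv4 networks. The port number 8265 comes from the text; the sample socket listing and the allow-list networks are assumptions.

```python
"""Audit the Ray Dashboard port exposure and build an nftables allow-list.

Added example, not code from the ShadowRay research or from Ray itself.
SAMPLE_SS_OUTPUT is a constructed imitation of `ss -ltn` output; the
nftables snippet handles IPv4 source networks only.
"""
import ipaddress
from typing import Dict, List, Tuple

RAY_DASHBOARD_PORT = 8265  # Ray Dashboard default named in the article

# Constructed sample (not a real capture): the dashboard listens on every
# IPv4 and IPv6 interface, while a Redis-style port stays on loopback.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:8265         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     [::]:8265            [::]:*
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line of ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 is printed bracketed: [::]:8265
        if addr == "*":
            addr = "0.0.0.0"  # older ss prints * for the IPv4 wildcard
        listeners.append((addr, int(port)))
    return listeners


def audit_ray_dashboard(ss_output: str, port: int = RAY_DASHBOARD_PORT) -> Dict[str, List[str]]:
    """Classify dashboard binds: loopback is fine, anything else is exposed.

    A wildcard bind (0.0.0.0 or ::) or a bind to a routable address means the
    unauthenticated Jobs API behind the dashboard is reachable from the network.
    """
    result: Dict[str, List[str]] = {"exposed": [], "loopback": []}
    for addr, p in parse_listeners(ss_output):
        if p != port:
            continue
        ip = ipaddress.ip_address(addr)
        result["loopback" if ip.is_loopback else "exposed"].append(addr)
    return result


def nft_rules_for_dashboard(allowed_cidrs: List[str], port: int = RAY_DASHBOARD_PORT) -> str:
    """Build an nftables input chain that accepts the dashboard port only from
    the host itself and the given IPv4 networks, and drops it from anywhere else.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    if any(n.version != 4 for n in nets):
        raise ValueError("this generator handles IPv4 allow-lists only")
    lines = [
        "table inet ray_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        '    iifname "lo" accept',
    ]
    if nets:
        lines.append("    tcp dport %d ip saddr { %s } accept"
                     % (port, ", ".join(str(n) for n in nets)))
    lines += ["    tcp dport %d drop" % port, "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_ray_dashboard(SAMPLE_SS_OUTPUT))
    print(nft_rules_for_dashboard(["10.0.0.0/8", "192.168.1.0/24"]))
```

Authentication on the port is still needed once the allow-list is in place; the rule only shrinks who can reach the unauthenticated API.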

STRRAT and Vcurms Malware Abuse GitHub for Spreading
https://gridinsoft.com/blogs/strrat-and-vcurms-abuse-github/
Fri, 22 Mar 2024 12:04:00 +0000

A new phishing campaign has recently been discovered that uses GitHub to deliver the Remote Access Trojans (RATs) STRRAT and Vcurms via a malicious Java downloader. ANY.RUN specialists have detected the active spread of these malicious programs and warn users about the potential threat.

Short About STRRAT and Vcurms

STRRAT is a Java-based RAT, notorious for its ability to steal information. It is primarily used to gather credentials from browsers and email clients, log keystrokes, and provide backdoor access to infected systems. Like other remote access trojans, STRRAT relies on the stealthiness of its operations and on detection evasion.

Phishing email with a pop-up notification regarding launching the JAR file

Vcurms is another Java-based RAT, but with distinct operational tactics. It communicates with its command-and-control server via a Proton Mail email address and executes commands received through specific email subject lines. This malware carries infostealer functionality, capable of extracting data from various applications like Discord and Steam. Aside from this, it can grab credentials, cookies, and autofill data from multiple web browsers. It shares similarities with another malware known as Rude Stealer.

Attack Overview

ANY.RUN researchers say the attack begins with a phishing email convincing recipients to click a button to verify payment information. This action leads to the download of a malicious JAR file masquerading as a payment receipt. The downloaded file then launches two additional JAR files that activate the Vcurms and STRRAT trojans.

Infection chain of malware

Both malware samples try to remain stealthy, using detection and analysis evasion techniques. Researchers found them using these specific tricks:

  • Using legitimate services and tools – attackers use legitimate cloud platforms such as AWS and GitHub to store or distribute malware. Such a trick also complicates the filtering of network requests of malicious origin.
  • Code obfuscation – the source code of a program is converted into a form that is difficult to read. This is used to hide malicious functions from antivirus scanners and analysts. (By the way, the first JAR file received via email is obfuscated and downloads malware using a PowerShell command.)
  • Packing – malicious code is compressed or “packed” together with some type of unpacking mechanism. This makes it difficult to analyze the code without executing the malware.

This is not the first time malware actors abuse GitHub or other developer platforms. Unfortunately, there are not a lot of options to mitigate this proactively: it is easy to disguise the code and make it look innocent. GitLab administrators reacted to user complaints and removed the malicious repository, but this does not guarantee that there won’t be a comeback.

Sandbox attack analysis

The phishing campaign begins by spreading the initial loader via phishing emails. The goal of these emails is to convince the user to download and run a malicious JAR file. This file acts as the primary loader that initiates a series of malicious actions on the infected machine.

Primary Loader

Once launched, the primary loader downloads a secondary malicious file from the aforementioned repository on GitHub. The file is launched with a command that invokes the Java runtime on the JAR:

"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Persistence and disguise

Then the malware creates a copy of itself in the AppData\Roaming directory and registers a task in the Windows Task Scheduler to automatically restart every 30 minutes. Interestingly enough, the malware tries to mimic the Skype application, judging by the name of the task it creates. This ensures the persistence of the malware on the system.

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Collecting information about the system

Next, the malware gathers information about the system, including a list of disks and the presence of installed security products, using the following commands:

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

One of the malware programs, in this case Vcurms, uses a PowerShell command to dump the passwords kept in the Windows PasswordVault rather than in a third-party tool. Obviously, it gathers data from browsers too, but in a different manner: by accessing their data files directly.

powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"

I assume this command is related to Vcurms as STRRAT does not exhibit password stealing functionality.
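
Detection logic for the process chain just described, as an added example that is not part of the ANY.RUN analysis or the original post. The events are constructed process-creation records modelled on the commands shown above (the JAR file names and the benign decoy entries are assumptions), and the rules key on behaviour rather than on file names or hashes, so a renamed JAR still trips them.

```python
"""Behaviour-based detection for the STRRAT/Vcurms infection chain.

Added example, not ANY.RUN's or the blog's code. Each event is a
(parent_image, command_line) pair standing in for process-creation
telemetry; SAMPLE_EVENTS is constructed, with JAR names and decoys assumed.
"""
import re
from typing import Dict, List, Tuple

Event = Tuple[str, str]  # (parent image path, full command line)

SAMPLE_EVENTS: List[Event] = [
    # 1. emailed "receipt" JAR launched from the user's Temp directory
    ("C:\\Windows\\explorer.exe",
     '"C:\\Program Files\\Java\\jre1.8.0_271\\bin\\javaw.exe" -jar '
     '"C:\\Users\\admin\\AppData\\Local\\Temp\\receipt.jar"'),
    # 2. persistence: a task named like Skype re-launching a JAR from Roaming
    ("C:\\Program Files\\Java\\jre1.8.0_271\\bin\\javaw.exe",
     'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr '
     '"C:\\Users\\admin\\AppData\\Roaming\\receipt.jar"'),
    # 3. WMI enumeration of installed antivirus products
    ("C:\\Program Files\\Java\\jre1.8.0_271\\bin\\javaw.exe",
     'cmd.exe /c "wmic /node:localhost /namespace:\'\\\\root\\securitycenter2\' '
     'path antivirusproduct get displayname /format:list"'),
    # 4. PowerShell pulling every secret out of the PasswordVault
    ("C:\\Program Files\\Java\\jre1.8.0_271\\bin\\javaw.exe",
     'powershell.exe "[void][Windows.Security.Credentials.PasswordVault,'
     'Windows.Security.Credentials,ContentType=WindowsRuntime] '
     '$vault = New-Object Windows.Security.Credentials.PasswordVault '
     '$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"'),
    # Benign decoys: a JAR from Program Files and a genuine Skype updater task
    ("C:\\Windows\\explorer.exe",
     '"C:\\Program Files\\Java\\jre1.8.0_271\\bin\\javaw.exe" -jar '
     '"C:\\Program Files\\MyApp\\app.jar"'),
    ("C:\\Windows\\System32\\svchost.exe",
     'schtasks /create /sc daily /tn "Skype Update" /tr '
     '"C:\\Program Files\\Skype\\Update.exe"'),
]

# Directories an unprivileged user can write to; the emailed loader runs here.
USER_WRITABLE = r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public)\\"

RULES: Dict[str, re.Pattern] = {
    # javaw.exe -jar <anything>.jar located under Temp, Roaming or Public
    "jar_from_user_writable_dir": re.compile(
        r"javaw?\.exe\"?\s+-jar\s+\"?[^\"]*" + USER_WRITABLE + r"[^\"]*\.jar", re.I),
    # schtasks persistence whose action re-launches a JAR from AppData\Roaming
    "schtasks_jar_in_roaming": re.compile(
        r"schtasks\s+/create\b.*?/tr\s+\"?[^\"]*\\AppData\\Roaming\\[^\"]*\.jar", re.I),
    # WMI query against the SecurityCenter2 namespace for AV products
    "wmic_securitycenter2_av_enum": re.compile(
        r"\bwmic\b.*?securitycenter2.*?antivirusproduct", re.I),
    # PowerShell enumerating and decrypting every PasswordVault entry
    "powershell_passwordvault_dump": re.compile(
        r"powershell(?:\.exe)?\b.*?PasswordVault.*?RetrieveAll\(\).*?RetrievePassword\(\)", re.I),
}


def scan_events(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run every rule over every command line; return (rule, parent, cmdline) hits."""
    hits = []
    for parent, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((name, parent, cmdline))
    return hits


def java_child_rule_count(events: List[Event]) -> int:
    """Number of distinct rules fired by processes spawned by a Java runtime.

    Every single step has benign look-alikes (real Skype tasks, admin AV
    inventories), so the chain signal is several different behaviours all
    hanging off one javaw.exe parent.
    """
    fired = {name for name, parent, _ in scan_events(events)
             if re.search(r"\\javaw?\.exe$", parent, re.I)}
    return len(fired)


def verdict(events: List[Event], threshold: int = 2) -> str:
    """Summarise a host's events as a chain verdict."""
    if java_child_rule_count(events) >= threshold:
        return "likely STRRAT/Vcurms chain"
    return "no chain"


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit[0], "<-", hit[2][:70])
    print(verdict(SAMPLE_EVENTS))
```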

Strengthening cybersecurity

This case shows the importance of vigilance and cooperation in cybersecurity. This phishing attack showed that even trusted platforms like GitHub can be used as a tool to spread malware. Cybersecurity experts offer the following tips to protect against such threats:

  • Firstly, always verify the sender and avoid opening attachments or clicking on links in emails that seem suspicious or unexpected. If an email asks you to confirm payment details or personal information, it is better to contact the sender directly through another channel.
  • Then, enable spam filters on your email to reduce the number of phishing and junk emails reaching your inbox.
  • Make sure your antivirus software and all systems are updated to the latest versions. Regular updates help protect against known threats and vulnerabilities.
  • Also, regularly monitor systems for suspicious activity and respond quickly to cybersecurity incidents. Use analytics and intelligent detection tools.
  • And last, back up important data regularly and store it in a safe place. This will help you recover information in the event of a successful attack.

Fortinet RCE Vulnerability Affects FortiClient EMS Servers
https://gridinsoft.com/blogs/fortinet-sql-rce-vulnerability/
Thu, 14 Mar 2024 22:59:09 +0000

Fortinet disclosed a critical vulnerability affecting FortiClient EMS products in March 2024. This vulnerability, categorized as an SQL injection, poses a significant cybersecurity threat. Above all, it has the potential to allow remote attackers to execute arbitrary commands on administrative workstations.

Fortinet SQLi Vulnerability Causes Remote Code Execution

As I mentioned, the vulnerability is classified as SQL injection, which stems from improper neutralization of special elements used in SQL commands. However, successful exploitation can lead to the execution of code embedded into a specially crafted packet. This combination of the two earns the flaw a CVSS rating of 9.8.

General chain of RCE exploitation

The discovery was made jointly by Fortinet and the UK’s National Cyber Security Centre (NCSC). Fortunately, there is currently no information on whether the vulnerability has been exploited in the wild. But given the researchers’ promise to release indicators of compromise (IoCs), a proof of concept (PoC), and a detailed blog post next week, the possibility is rather high.

CVE-2023-48788 Vulnerability Overview

The vulnerability, identified as CVE-2023-48788, is considered severe, and urgent patches have been released. Versions affected by the vulnerability include FortiClientEMS 7.2 (versions 7.2.0 through 7.2.2) and FortiClientEMS 7.0 (versions 7.0.1 through 7.0.10).

An attacker can exploit the SQL injection vulnerability (CWE-89) in FortiClientEMS to execute commands via maliciously crafted HTTP requests on the server with SYSTEM privileges. This jeopardizes the integrity of the system and could result in complete control of the vulnerable server. Of particular concern is the fact that no authentication is required to exploit the vulnerability, which definitely adds to its severity rating.

Recall that in February, Fortinet disclosed a critical remote code execution (RCE) bug (CVE-2024-21762) in the FortiOS operating system and FortiProxy secure web proxy. The company also noted it as “potentially being exploited in the wild”.

Fortinet Releases Immediate Patch

Fortinet recommends that all users immediately upgrade their systems to the latest versions to address the vulnerability. Furthermore, you should regularly check the DAS logs for suspicious requests that may indicate an attempt to exploit the vulnerability.

Version        Affected                Solution
FortiOS 7.2    7.2.0 through 7.2.2     Upgrade to 7.2.3 or above
FortiOS 7.4    7.0.1 through 7.0.10    Upgrade to 7.0.11 or above

The developers also patched several other vulnerabilities this week. These include a critical out-of-bounds write (CVE-2023-42789) and a stack-based buffer overflow (CVE-2023-42790) in the FortiOS Capture Portal and FortiProxy. They could “allow an insider attacker with access to the Capture Portal to execute random code or commands via specially crafted HTTP requests”.

Adobe Reader Infostealer Plagues Email Messages in Brazil
https://gridinsoft.com/blogs/adobe-reader-infostealer-targets-brazil/
Tue, 12 Mar 2024 19:26:13 +0000

A recent email spam campaign reportedly spreads infostealer malware under the guise of an Adobe Reader installer. Within a forged PDF document, there is a prompt to install the Adobe Reader app, which triggers malware download and installation. Considering the language of the said documents, this malicious activity mainly targets Portugal and Brazil.

Infostealer Spreads in Fake Adobe Reader Installers

The recent attack campaign detected by the ASEC Intelligence Center starts with email spam. The messages have a PDF file attached, with its contents in Portuguese. This seriously narrows down the list of countries the campaign is targeting, to Brazil and Portugal. Inside the file, there is a pop-up prompt to install Adobe Reader, which is allegedly required to open the document. A short side note: modern web browsers can handle PDFs of any complexity with ease.

Following the document’s instruction triggers the download of a file named Reader_Install_Setup.exe, which obviously mimics a legitimate installation file for the program. It even repeats the icon, which makes the fraud even harder to recognize at this stage. Running the file, which in fact is a loader, initiates the malware execution.

Fake Adobe Reader installer

However, it does not happen instantly: the malware performs a series of actions to pull off a DLL hijack and run the final payload with the maximum privileges possible. First, it spawns an executable file and drops a DLL that contains the actual payload, then runs the msdt.exe process. The latter is a genuine Windows diagnostics tool that the malware uses to call a subordinate service.

"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes
The command used to call MSDT, specifically its Bluetooth Diagnostic tool.

This service will consequently load the malicious DLL I mentioned above. The library, in turn, runs the said executable file, legitimizing the infostealer and providing it with maximum privileges.

Stealer Malware Analysis

Even though the malware used in the campaign appears to be unique and does not belong to any known malware family, its functionality can barely be called unusual. This infostealer gathers basic info about the system, sends it to the command server and then creates a directory to store the collected data. The malware adds this directory to the list of Microsoft Defender exclusions, so that Defender will not disrupt its operations. It also mimics a legitimate Chrome folder by adding a fake executable file and some of the files typical for a genuine browser folder.

A fake browser folder created by the infostealer to keep the collected data

The C2 servers used by some of the samples confirm the targeting hypothesis I mentioned above. Hxxps://thinkforce.com[.]br/ and hxxps://blamefade.com[.]br/ receive the AutoFill data from all the browsers. While this is less than what modern infostealers typically gather, it is still sensitive: browsers keep almost all of our passwords.

How to protect against infostealer malware?

Information stealers have never been an underdog of the malware world, and they remain a potent threat regardless of the circumstances. However, even though their samples may feature outstanding anti-detection tricks, they still need to get in. And this is where you can stop them most effectively.

Be careful with emails. Email spam is probably going to be the most widespread malware delivery method of this decade. Users tend to believe its content or simply ignore the related risks, which inevitably leads to malware infection. Seeing such a sketchy offer to install a long-forgotten app, or to perform an action that is not normally needed with this type of document, should raise suspicion. At the same time, the texts of such messages may be ridiculous enough to make the fraud apparent.

Use official software sources. Certain files do require specific software, but use only the official distribution of it. Going to the developer's site and downloading it there takes hardly any longer than clicking a link in an email.

Have decent anti-malware software on hand. Malware finds new ways to spread practically every day. To avoid falling victim to the trickiest sample, you need software that will not let it in. GridinSoft Anti-Malware provides real-time protection and network filtering with hourly updates, so malware does not even get to launch in the first place.

LockBit Ransomware Taken Down by NCA
https://gridinsoft.com/blogs/lockbit-ransomware-taken-down/ | Mon, 19 Feb 2024 22:07:28 +0000

The post LockBit Ransomware Taken Down by NCA appeared first on Gridinsoft Blog.
On February 19, 2024, LockBit ransomware was taken down by the UK National Crime Agency in cooperation with a number of other law enforcement agencies. The seizure banner typical for such takedowns now appears on all of LockBit's web assets. There is real hope for the release of decryption keys and even a decryptor tool.

LockBit Taken Down by NCA

On February 19, 2024, analysts noticed that the LockBit leak site on the Darknet went offline. Some time later, a banner announcing the takedown appeared. On that banner, the UK National Crime Agency states that this is the result of a successful multinational law enforcement operation called Operation Cronos. The text also invites readers to visit the page the next day, February 20, for more information.

LockBit takedown NCA banner

This is not the first time a high-end ransomware group has had its network assets taken over by law enforcement. A couple of months ago, a similar story happened to ALPHV/BlackCat, another infamous ransomware group. In their case, however, not all of the Onion sites went down, and the gang managed to regain access. That turned into a comic story, with control of the site passing back and forth like a game of hot potato.

Nonetheless, the current takedown appears to be as serious as it gets. All mirrors of their main Darknet site now show the said banner. Miracles are always possible, but in my humble opinion, their onion infrastructure is done. Either that, or the NCA will be quite embarrassed after announcing a disclosure of details at 11:30 GMT and failing to deliver.

International Law Enforcement Blocks LockBit Infrastructure

Shortly after the original news release, information from LockBit affiliates arrived. The vx-underground team shared a unique piece of information and a screenshot taken by one of the gang members upon attempting to log into the system.

Affiliate Screenshot

The text states the following:

Hello [removed]

Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there. This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation… we may be in touch with you very soon.
If you would like to contact us directly, please get in touch: [removed]

In the meantime, we would encourage you to visit the Lockbit leaksite.
Have a nice day.
Regards,
The National Crime Agency of the UK, the FBI, Europol, and the Operation Cronos Law Enforcement

Another piece of information comes from the gang's Tox chat. In a short message, they say that the PHP servers have been taken over, while the non-PHP backup servers are fine. Judging by the obscene language, not typical for LockBit representatives, the situation is rather tense, to say the least.

Tox note VXUG

LockBit Decryptor Coming Soon?

What is more exciting than the information to be published tomorrow is what will follow. A takedown like this implies that the decryption keys, along with the gang's proprietary decryptor tool, may be leaked. Perhaps not all of them will be available that easily, but access to such a large chunk of internal data is definitely the key to exposing it all.

The leak and the availability of a decryptor would be nothing short of miraculous for the victims. Sure enough, this will not delete the data the crooks have stolen from the network. But getting all the files back at no cost is far more important. And since it will work even for victims who missed the payment deadline, the question arises once again: why pay the ransom at all? It may be much more reasonable to simply wait, and it looks like more and more ransomware victims lean toward that opinion.

UPD 20.02 – LockBit Darknet Site Filled With Leaks and Announcements

At the designated time of 11:30 GMT on February 20, all of the seized LockBit sites started redirecting to what used to be their leak page. It is now filled with information gathered by law enforcement agencies. In particular, the backend structure of the cybercrime network was revealed, illustrated with screenshots of the seized servers.

LockBit site law enforcement leaks

Aside from that, law enforcement added a tempting teaser: information about the group's admin, known as LockBitSupp. "The $10m question" will be answered on February 23, 2024. Some lower-ranked staff have already been arrested in Poland and Ukraine. Well, LockBitSupp did not lie when saying the group is multinational.

Decryptor tools LockBit

Even better news is the confirmation that the decryption keys will be released, as I predicted in the original text. The keys, along with recovery tools, will be available to any victim upon contacting the NCA (for UK residents), IC3 (for the US) or the NoMoreRansom project (for everyone else).

What is LockBit Ransomware?

LockBit is one of the most successful ransomware groups currently active. Its efficient software and meticulous attack planning made it dominant over the last few years. Its ransom sums are large, its attacks are rapid and its methods are as unprincipled as you can imagine. To put it briefly: nothing short of leaders of the cybercrime industry.

LockBit ransom note
Ransom note may appear as a wallpaper on the desktop of the attacked system

It was obvious that LockBit would eventually become a target for law enforcement. They had been hit before, but in a milder form that led only to temporary downtime or an urgent switch to different software. Still, they acknowledged their mistakes and even opened an entire bug bounty program (!!) for people who could find issues in their software. This, along with the continuous modernization of their software and updates to their online infrastructure, is what gave LockBit the image of being unbreakable. And that is why the takedown set the community abuzz.

MIT Hacked, Students' Data Sold on the Darknet
https://gridinsoft.com/blogs/mit-hacked-data-on-the-darknet/ | Tue, 13 Feb 2024 15:30:33 +0000

The post MIT Hacked, Students' Data Sold on the Darknet appeared first on Gridinsoft Blog.
On February 13, 2024, a post appeared on a Darknet forum offering a large pack of data leaked from the Massachusetts Institute of Technology (MIT). The hacker under the alias "Ynnian" claims that the leak happened this year and consists mainly of students' data. No payment is asked for the database, hence the information is unlikely to be highly valuable.

MIT Hacked, Data Leaked in the Darknet

The post on the infamous BreachForums discloses a recent data leak at the university ranked #2 in the world. As the leak is exceptionally fresh, posted only two hours before this blog post was written, there is no reaction from MIT yet. There should be one, though, as such a leak raises a lot of questions.

MIT data leak Breachforums
Post with the database that is allegedly leaked from MIT

As mentioned in the introduction, the fact that it is posted "as is", accessible to everyone for free, suggests there is nothing really valuable inside. But if so, maybe the hackers got hold of something valuable enough to just give away a lean dataset? MIT is involved in various government-backed programs, including ones related to aerospace and defense, so there is definitely enough valuable material to keep an eye on.

Each row in the leaked database consists of four fields: faculty (or department), surname, the student's given name and email address. Occasionally, a "No Student" value appears instead, potentially denoting a graduate. Not much, sure, but already enough to arrange a phishing campaign, the typical way fraudsters use such data. As the total number of entries, 27,961, exceeds the number of students currently studying at MIT, there may be either duplicates or data about students from previous years.
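The duplicates-or-alumni question is something a responder can settle in minutes with the dump in hand. The snippet below is an added example, not part of the original post; it works on constructed rows in the four-field shape described (faculty or department, surname, given name, email) and assumes CSV formatting, that column order, the "No Student" marker in the first column and mit.edu as the institutional mail domain. It deduplicates by case-folded email, counts the markers, tolerates malformed rows and flags addresses outside the expected domain.

```python
"""Size up a leaked student roster: unique people, duplicates, alumni markers, odd domains."""
import csv
import io
from collections import Counter

# Constructed rows in the four-field shape the post describes. CSV formatting, the
# column order, the "No Student" marker living in the first column and the mit.edu
# domain are assumptions for this example; every name and address is invented.
SAMPLE_DUMP = """\
EECS,Doe,Jane,jdoe@mit.edu
EECS,Doe,Jane,JDoe@MIT.EDU
Physics,Roe,Richard,rroe@mit.edu
No Student,Poe,Edgar,epoe@mit.edu
Biology,Lee,Ann,alee@example.org
Biology,Lee,Ann
"""
EXPECTED_DOMAIN = "mit.edu"  # assumption: the institution's mail domain
NO_STUDENT = "no student"


def normalize_email(addr: str) -> str:
    """Case-fold and trim so 'JDoe@MIT.EDU' and 'jdoe@mit.edu' count once."""
    return addr.strip().lower()


def triage_roster(text: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Deduplicate by email and summarize what a phishing-minded attacker gained."""
    seen = {}           # normalized email -> department of first occurrence
    malformed = 0
    duplicates = 0
    no_student = 0
    foreign = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or "@" not in row[3]:
            malformed += 1          # keep going; a dump is never clean
            continue
        dept, _surname, _given, email = (c.strip() for c in row)
        key = normalize_email(email)
        if key in seen:
            duplicates += 1         # same person listed twice, e.g. in different years
            continue
        seen[key] = dept
        if dept.lower() == NO_STUDENT:
            no_student += 1
        if not key.endswith("@" + expected_domain):
            foreign.append(key)     # addresses outside the institution's own domain
    return {
        "entries": len(seen) + duplicates,
        "unique_people": len(seen),
        "duplicates": duplicates,
        "no_student_marker": no_student,
        "malformed": malformed,
        "foreign_domain": foreign,
        "by_department": Counter(seen.values()),
    }


if __name__ == "__main__":
    for key, value in triage_roster(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The difference between `entries` and `unique_people` is the number that matters when deciding whether 27,961 rows really means 27,961 affected individuals; the `no_student_marker` count gives a first estimate of how many of them are no longer enrolled.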

Should Students be Worried?

If I were in the students' shoes, I would be worried. Even though there are many other ways to obtain one's personal information, especially things like an email address and name, the source is what matters here. Being a student of a particular university is a perfect identifier for targeting further scam campaigns. And be sure they will come: a free database like this pushes the profit margin for fraudsters even higher.

In the near future, I would recommend that the students present in the database be exceptionally careful with any email messages. Even if this leak is never used for spamming, precautions will not be excessive. Email phishing is too widespread nowadays to ignore such a threat.

Warzone RAT Dismantled, Members Arrested
https://gridinsoft.com/blogs/warzone-rat-dismantled/ | Mon, 12 Feb 2024 21:39:18 +0000

The post Warzone RAT Dismantled, Members Arrested appeared first on Gridinsoft Blog.
In an international law enforcement operation, the U.S. Department of Justice continued its fight against cybercriminals by dismantling a network that sold and supported the Warzone Remote Access Trojan (RAT). This malware allowed cybercriminals to stealthily infiltrate victims' computers, resulting in data theft and other malicious activities.

Warzone RAT Masters Arrested and Charged

The US Department of Justice operation resulted in the indictment of two key figures: Daniel Meli, 27, of Zabbar, Malta, and Prince Onyeosiri Odinakachi, 31, of Nigeria. Meli was detained in Malta and faces charges of unauthorized computer damage and selling electronic interception devices. Odinakachi, arrested in Nigeria, is charged with conspiracy to commit computer intrusion offenses.

warzone web site
Seizure notice on the website www.warzone[.]ws.

These arrests are the result of international cooperation against this threat. The success of the operation was largely due to the collaborative efforts of various law enforcement agencies, including the FBI, Europol, the Economic and Financial Crimes Commission of Nigeria, and others. This coordinated approach has helped in the fight against a form of crime that is increasingly borderless.

Implications and Sentencing

The charges against Meli and Odinakachi carry penalties of up to five years in prison, three years of supervised release, and a $250,000 fine. These prosecutions send a strong message to cybercriminals and those who facilitate their activities: the international community is taking strong action to protect cyber integrity and hold criminals accountable.

James R. Drabick and Carol E. Head, Assistant U.S. Attorneys for the District of Massachusetts, obtained the seizure warrants in the Odinakachi case, and Drabick is also prosecuting Odinakachi. Meanwhile, Bethany L. Rupert and Michael Herskowitz, Assistant U.S. Attorneys for the Northern District of Georgia, are prosecuting Meli.

What is Warzone RAT?

Warzone RAT is a malicious remote access tool that allows unauthorized users to secretly access and control victims' computers. The malware has facilitated a range of illegal activities, from data theft to webcam surveillance, without the victims' knowledge or consent. In early 2024, Warzone was marketed at $37.95 per month and was sold mainly to individuals through a clearnet website.

warzone on forum
Warzone RAT on Hack Forum

The action around Warzone is most likely part of the wave of anti-spyware policy that rose in early February 2024. A number of governments across the globe, together with major security vendors, started a campaign against "legal spyware". That includes both government-backed vendors of such tools and small-time operators who market malicious programs under the guise of legitimate surveillance tools. Such people will be detained or at least banned from entering the countries that participate in the campaign. The Warzone RAT story may not be a major part of it, but it is still part of the action.

HijackLoader Malware Comes With New Evasion Methods
https://gridinsoft.com/blogs/hijackloader-malware-new-evasion-methods/ | Fri, 09 Feb 2024 19:43:38 +0000

The post HijackLoader Malware Comes With New Evasion Methods appeared first on Gridinsoft Blog.
The HijackLoader malware has added new defense evasion techniques. Threat actors increasingly use this loader to deliver payloads and tooling. Its developer combined standard process hollowing with a trigger mechanism that makes the evasion stealthier.

What is HijackLoader?

According to the researchers' report, the HijackLoader malware, also known as IDAT Loader, has recently gained advanced evasion techniques. The malware has become immensely popular as a loader with outstanding flexibility, and attackers frequently use it to deploy various payloads and tools. Its structure not only facilitates seamless integration of new functionality but also comprises a variety of dynamic anti-analysis methods.

First observed in July 2023, the malware employs several techniques to fly under the radar. Although HijackLoader is not highly advanced, it has a modular architecture, meaning it can use different modules for code injection and execution, a feature most loaders lack. The loader downloads an encrypted configuration block that varies from one sample to another, indicating that the threat actors can change or update it quickly. This adaptability makes the development of effective countermeasures challenging.

HijackLoader Enhanced Detection Evasion Techniques

HijackLoader follows a complex, multi-stage infection chain designed to obfuscate its activity. Initially, the malware uses WinHTTP APIs to check for an active internet connection before proceeding with its malicious operations. Upon successful connectivity, it downloads a second-stage configuration blob from a remote address, then decrypts and decompresses it to retrieve the essential payloads. The subsequent stages load legitimate Windows DLLs specified in the configuration blob, followed by the execution of position-independent shellcode.

Infection chain image
Infection chain. Schematics by CrowdStrike

This shellcode orchestrates the evasion activities, including injecting subsequent payloads into child processes such as cmd.exe and logagent.exe. HijackLoader uses hook bypass methods, including Heaven's Gate (switching a 32-bit process into 64-bit code so that user-mode hooks placed on the 32-bit API never see the calls), to evade user-mode hooks and security monitoring. It also uses process hollowing, replacing the memory of a legitimately started process with malicious shellcode. The malware employs interactive and transacted hollowing variants to enhance stealth; transacted hollowing backs the hollowed image with a file created inside an NTFS transaction that is then rolled back, so the payload never persists on disk. These new defense evasion capabilities make HijackLoader more resilient and harder for traditional security solutions to detect.
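The hollowing targets named above (cmd.exe and logagent.exe) are ordinary Windows binaries, so the detection angle is the context in which they start: who the parent is, where the child image really lives, and whether the child received any real command line. The script below is an added example, not code from the report, from GridinSoft or from the loader itself; it runs that logic over constructed Sysmon Event ID 1 style records (users, file names, paths and times are invented) and scores each one.

```python
"""Flag process-creation events that look like a loader hollowing a benign child."""
import re
from dataclasses import dataclass

# Hollowing targets named in the HijackLoader report. The event records below are
# constructed in a Sysmon Event ID 1 style; every user, file name, path and time
# is invented for this example.
HOLLOW_TARGETS = {"cmd.exe", "logagent.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE
)

SAMPLE_EVENTS = [
    {"UtcTime": "2024-02-09 10:02:11", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2024-02-09 10:05:40", "Image": "C:\\Windows\\SysWOW64\\logagent.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\logagent.exe",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_update.exe"},
    {"UtcTime": "2024-02-09 10:05:41", "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe",
     "ParentImage": "C:\\Users\\bob\\Downloads\\invoice_2024.exe"},
    {"UtcTime": "2024-02-09 10:07:02",
     "Image": "C:\\Users\\bob\\AppData\\Roaming\\sys\\cmd.exe",
     "CommandLine": "cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2024-02-09 10:09:15", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c \"build.bat\"",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Programs\\Git\\bin\\git.exe"},
]


@dataclass
class Alert:
    index: int
    severity: str
    reasons: list


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> tuple[str, list]:
    """Score one process-creation record; only hollowing targets are considered."""
    child = basename(event["Image"])
    reasons = []
    if child not in HOLLOW_TARGETS:
        return "none", reasons
    if not event["Image"].lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{child} running from outside the Windows system directories")
    if USER_WRITABLE_RE.search(event["ParentImage"]):
        reasons.append("parent executable lives in a user-writable directory")
    # A hollowed child is normally created with nothing but its own image as the
    # command line: the loader has no arguments to give it.
    cmd = event["CommandLine"].strip().strip('"').lower()
    if cmd in (event["Image"].lower(), child):
        reasons.append("hollowing target started with a bare command line")
    if len(reasons) >= 2:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "none", reasons


def scan(events) -> list:
    """Return one Alert per record that scored above 'none'."""
    alerts = []
    for i, ev in enumerate(events):
        severity, reasons = assess(ev)
        if severity != "none":
            alerts.append(Alert(i, severity, reasons))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[a.index]
        print(f"{a.severity.upper():6} {ev['UtcTime']} {ev['ParentImage']} -> "
              f"{ev['Image']}: {'; '.join(a.reasons)}")
```

The per-user Git install in the last record is deliberately a borderline case: a parent under AppData spawning a normal cmd.exe with real arguments only earns a medium score for review, because plenty of legitimate per-user software does exactly that. The three high scores all combine two signals, which is what keeps the rule usable on a busy fleet.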

Safety Recommendations

To protect against HijackLoader and other malware, we recommend following several cybersecurity tips:

  • Educate yourself. Stay informed about the latest malware threats. Attackers constantly seek new ways to trick users into revealing sensitive information or downloading malicious files. Teaching users about these threats and the importance of not opening suspicious attachments or clicking dubious links is crucial.
  • Keep software updated. Regularly update your operating system, applications and other software so that you run the latest versions. Malware often exploits known vulnerabilities that have already been fixed in newer releases.
  • Use anti-malware software. This is a comprehensive measure against threats. Install a reputable anti-malware solution and keep it updated. Such programs can detect and remove known malware strains, including variants of HijackLoader.
