Security News

Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks
2022-02-01 02:28

An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten, while also calling out the backdoor's evasive PowerShell execution.

Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks
2022-01-26 20:35

A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. "The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely," ESET researchers said.

DazzleSpy: macOS backdoor delivered through watering hole attacks
2022-01-26 11:26

In late 2021, a never-before-seen macOS backdoor was delivered to pro-democracy individuals in Hong Kong via fake and compromised sites by exploiting vulnerabilities in WebKit, the browser engine powering Safari, and XNU, the macOS and iOS kernel. On Tuesday, ESET researchers shared their knowledge about the attacks and the results of their analysis of the final malicious payload: a macOS backdoor with many capabilities, including collecting and exfiltrating system information, executing files, starting a remote screen session, dumping the contents of the victims' iCloud Keychain, and more.

Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes
2022-01-21 23:39

In yet another instance of software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts of no fewer than 360,000 active website installations.

Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor
2022-01-14 22:13

An Iranian state-sponsored actor has been observed scanning for and attempting to abuse the Log4Shell flaw in publicly exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed "CharmPower" for follow-on post-exploitation. Log4Shell, aka CVE-2021-44228, is a critical security vulnerability in the popular Log4j logging library that, if successfully exploited, could lead to remote execution of arbitrary code on compromised systems.

OceanLotus hackers turn to web archive files to deploy backdoors
2022-01-12 15:20

The OceanLotus group of state-sponsored hackers is now using the web archive file format to deploy backdoors to compromised systems. A report from Netskope Threat Labs shared with Bleeping Computer in advance notes that OceanLotus' campaign using web archive files is still active, even though its targeting scope is narrow and its command and control server has been disrupted.

A new multi-platform backdoor is leveraged by an advanced threat actor
2022-01-12 13:14

A novel multi-platform backdoor dubbed SysJoker has been successfully evading security solutions since mid-2021. "In the Linux and macOS versions, it masquerades as a system update. In the Windows version, it masquerades as Intel drivers. The update names are somewhat generic: In the macOS version, the file is relocated and named 'updateMacOs' and in the Linux version it is named 'updateSystem'," Avigayil Mechtinger, security researcher at Intezer, has shared with Help Net Security.

State hackers use new PowerShell backdoor in Log4j attacks
2022-01-11 23:17

Hackers believed to be part of the Iranian APT35 state-backed group have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor. As part of their research, the analysts also spotted something new in the form of a PowerShell modular backdoor named 'CharmPower'.

New SysJoker backdoor targets Windows, macOS, and Linux
2022-01-11 15:04

A new multi-platform backdoor malware named 'SysJoker' has emerged in the wild, targeting Windows, Linux, and macOS with the ability to evade detection on all three operating systems. The discovery of the new malware comes from researchers at Intezer who first saw signs of its activity in December 2021 after investigating an attack on a Linux-based web server.