Security News

Researchers Detail OriginLogger RAT — Successor to Agent Tesla Malware
2022-09-14 08:51

Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan known as Agent Tesla. A .NET-based keylogger and remote access trojan, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain.

Cyberspies drop new infostealer malware on govt networks in Asia
2022-09-13 10:00

According to a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. Symantec presents an example of an attack that unfolded in April 2022 to showcase how the espionage group compromises its government targets.

New Linux Cryptomining Malware
2022-09-12 14:41

The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "Mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that's just 370 bytes.

The rise of Linux malware: 9 tips for securing the OSS
2022-09-09 15:25

Linux is the most secure operating system on the market; for years, that has been one of the open source platform's best selling points. If I had to guess, I'd say that the rise of malicious software targeting Linux deployments will become staggering over the next decade.

Lampion malware returns in phishing attacks abusing WeTransfer
2022-09-09 14:00

The Lampion malware is being distributed in greater volumes lately, with threat actors abusing WeTransfer as part of their phishing campaigns. In a new campaign observed by email security firm Cofense, Lampion operators are sending phishing emails from compromised company accounts urging users to download a "Proof of Payment" document from WeTransfer.

Bumblebee malware adds post-exploitation tool for stealthy infections
2022-09-08 20:51

A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. As Bumblebee is an evolved loader with advanced anti-analysis and anti-detection features, it was assumed that it would replace other loaders, such as BazarLoader, in initial compromise attacks followed by ransomware deployment.

The top apps for malware downloads
2022-09-08 04:00

In July 2022, one third of all malware downloads came from cloud apps. The overwhelming majority of the downloads were trojans, a type of malware that is disguised as legitimate software.

New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices
2022-09-07 12:38

A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.

Cybercriminals target games popular with kids to distribute malware
2022-09-07 12:34

With 3 billion players globally, the $200 billion gaming market is an increasingly ripe target for cybercriminals - with the perennially popular Minecraft one of the most targeted lures. Using statistics gathered by the Kaspersky Security Network, which processes anonymized threat data shared voluntarily by customers, the security vendor examined the most widespread malware strains that were found to have an association with the biggest games on PC and mobile.

North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns
2022-09-07 12:10

The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT. The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News. Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financially motivated and espionage-driven cyber activities undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectives.