Security News

RomCom malware spread via Google Ads for ChatGPT, GIMP, more
2023-05-30 19:01

A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers. The first documented use of RomCom was reported in August 2022 by Palo Alto Networks, attributing the attacks to a Cuba ransomware affiliate they named 'Tropical Scorpius'.

QBot malware abuses Windows WordPad EXE to infect devices
2023-05-27 15:12

The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software. Windows applications will prioritize DLLs in the same folder as the executable, loading them before all others.

New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
2023-05-26 06:38

Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. "The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 devices, such as remote terminal units, that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said.

Spotted: Suspected Russian malware designed to disrupt Euro, Asia energy grids
2023-05-25 21:07

Malware designed to disrupt electric power grids was likely developed by a Russian contractor, according to Mandiant's threat intel team that discovered the malicious software and dubbed it CosmicEnergy. The team say it's likely a contractor created the malware as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.

S3 Ep136: Navigating a manic malware maelstrom
2023-05-25 19:50

If you are not aware that the Caller ID number that shows up on your phone is nothing more than a hint, that anybody can put in anything, and that anybody with your worst interests at heart who wants to stalk you can, for a modest monthly outlay, buy into a service that will help them do it automatically. If you don't know that that's the case, you're probably going to have your guard way, way down when that call comes through and says, "I'm calling from the bank. You can see that from the number. Oh dear, there's been fraud on your account", and then the caller talks you into doing a whole load of things that you wouldn't listen to for a moment otherwise.

New Russian-linked CosmicEnergy malware targets industrial systems
2023-05-25 15:27

Mandiant security researchers have discovered a new malware called CosmicEnergy designed to disrupt industrial systems and linked to Russian cybersecurity outfit Rostelecom-Solar. CosmicEnergy was discovered after a sample was uploaded to the VirusTotal malware analysis platform in December 2021 by someone with a Russian IP address.

This legit Android app turned into mic-snooping malware – and Google missed it
2023-05-24 23:58

Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code. Potentially tens of thousands of people downloaded the software before ESET researchers found the hidden malware and alerted Google, which pulled the app from its online store.

New PowerExchange malware backdoors Microsoft Exchange servers
2023-05-24 19:17

A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers. Notably, the malware communicates with its command-and-control server via emails sent using the Exchange Web Services API, sending stolen info and receiving base64-encoded commands through text attachments to emails with the "Update Microsoft Edge" subject.

Data Stealing Malware Discovered in Popular Android Screen Recorder App
2023-05-24 10:33

Google has removed a screen recording app named "iRecorder - Screen Recorder" from the Play Store after it was found to have sneaked in information-stealing capabilities nearly a year after it was first published as an innocuous app. The app, which accrued over 50,000 installations, was first uploaded on September 19, 2021.

Legion Malware Upgraded to Target SSH Servers and AWS Credentials
2023-05-24 10:00

An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services credentials associated with DynamoDB and CloudWatch. "This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir said in a report shared with The Hacker News.