Security News
A new stealthy JavaScript loader named RATDispenser is being used to infect devices with a variety of remote access trojans in phishing attacks. Once launched, the loader will write a VBScript file to the %TEMP% folder, which is then executed to download the malware payload. These layers of obfuscation help the malware evade detection 89% of the time, based on VirusTotal scan results.
A new malware campaign targeting Afghanistan and India is exploiting a now-patched, 20-year-old flaw affecting Microsoft Office to deploy an array of commodity remote access trojans that allow the adversary to gain complete control over the compromised endpoints. The attacks work by taking advantage of political and government-themed lure domains that host the malware payloads, with the infection chains leveraging weaponized RTF documents and PowerShell scripts that distribute malware to victims.
An ongoing malware distribution campaign targeting South Korea is disguising RATs as an adult game shared via webhards and torrents. The attackers are using easily obtainable malware such as njRAT and UDP RAT, wrap them in a package that appears like a game or other program, and then upload them on webhards.
A novel threat actor with unclear motivesis running a crimeware campaign delivering multiple Windows and Android RATs through the exploitation of CVE-2017-11882. The actor has registered multiple domains that feature political themes such as diplomatic and humanitarian efforts and uses them to deliver malware payloads to the victims.
An APT described as a "Lone wolf" is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found. Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows and AndroidRAT. They're delivering the RATs in malicious documents by exploiting CVE-2017-11882, according to a report published Tuesday by Cisco Talos.
The TA505 cybercrime group is whirring its financial rip-off machinery back up, pelting malware at a range of industries in what was initially low-volume waves that researchers saw spiral up late last month. In an analysis published on Tuesday, Proofpoint said that its researchers have been tracking renewed malware campaigns from TA505 that started out slowly at the beginning of September - with only several thousand emails per wave, distributing malicious Excel attachments - and then pumped up the volume later in the month, resulting in tens to hundreds of thousands of emails by the end of September.
It's a well-known fact that powerful malware can be bought on the dark web and used with relative ease. A new report from Cisco's Talos cybersecurity research team illustrates just how dangerous out-of-the-box remote access trojan malware can be: A campaign it has dubbed "Armor Piercer" has been attacking the Indian government since December 2020.
A phishing campaign that mostly targeted the global aviation industry may be connected to Nigeria, according to Cisco Talos. The malicious campaigns centred around phishing emails linking to "Off-the-shelf malware" being sent to people around the world - even those with a marginal interest in commercial aviation.
A never-before-documented Windows malware strain dubbed MosaicLoader is spreading worldwide, acting as a full-service malware-delivery platform that's being used to infect victims with remote-access trojans, Facebook cookie stealers and other threats. "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," researchers at Bitdefender explained, in an analysis released on Tuesday.
The malware was identified by a team of threat researchers at Trend Micro, and named BIOPASS RAT. "What makes BIOPASS RAT particularly interesting is that it can sniff its victim's screen by abusing the framework of Open Broadcaster Software Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via real-time messaging protocol," the Trend Micro team reported. The attack misuses the object storage service of Alibaba Cloud to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims."