Security News

A phishing campaign that mostly targeted the global aviation industry may be connected to Nigeria, according to Cisco Talos. The malicious campaigns centred around phishing emails linking to "Off-the-shelf malware" being sent to people around the world - even those with a marginal interest in commercial aviation.

A never-before-documented Windows malware strain dubbed MosaicLoader is spreading worldwide, acting as a full-service malware-delivery platform that's being used to infect victims with remote-access trojans, Facebook cookie stealers and other threats. "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," researchers at Bitdefender explained, in an analysis released on Tuesday.

The malware was identified by a team of threat researchers at Trend Micro, and named BIOPASS RAT. "What makes BIOPASS RAT particularly interesting is that it can sniff its victim's screen by abusing the framework of Open Broadcaster Software Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via real-time messaging protocol," the Trend Micro team reported. The attack misuses the object storage service of Alibaba Cloud to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims."

"Attached herewith is the revised circular," the malicious email reads. "Since 50 percent of the malicious emails targeted South Korea, we can speculate that threat actors were closely monitoring local news about the vaccination campaign in the country and anticipated shipment of 14 million doses of coronavirus vaccine," the spokesperson said.

An email campaign is delivering a Java-based remote access trojan that can not only steal credentials and take control of systems, but also presents as fake ransomware, Microsoft researchers have discovered. The Microsoft Security Intelligence team has outlined details of a "Massive email campaign" delivering the StrRAT malware that they observed last week and reported in a series of tweets earlier this week.

A cyberattack campaign that goes after aviation targets has been uncovered, which is spreading remote access trojan malware bent on cyber-espionage. Once installed, the RATs connect to a command-and-control server that's hosted on a dynamic hosting site to register with the attackers.

A new email-based campaign by an emerging threat actor aims to spread various remote access trojans to a very specific group of targets who use Bloomberg's industry-based services. Researchers have been tracking the email based campaign since Fajan first commenced activity in March, recovering a "Relatively low volume" of samples that make it tricky to determine "Whether the campaigns are carefully targeted or mass-spammed," according to a report posted online Wednesday.

A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap image file to drop a remote access trojan capable of stealing sensitive information. Attributing the attack to the Lazarus Group based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes said the phishing campaign started by distributing emails laced with a malicious document that it identified on April 13.

Hackers are using search-engine optimization tactics to lure business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan, used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware. Attackers use Google search redirection and drive-by-download tactics to direct unsuspecting victims to the RAT-tracked by eSentire as SolarMarker.

More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening business documents booby-trapped with a remote-access trojan that takes over victims' PCs and hands control to miscreants. Infosec outfit eSentire on Tuesday said it has noted a wave of so-called search redirection shenanigans, in which people Googling for business forms and the like are shown links to web pages published via Google Sites - a Google-hosted web service - that offer a download of whatever materials they were looking for.