Security News

A recently discovered Mobile Remote Access Trojan can take control of the infected Android devices and exfiltrate a trove of user data, Check Point security researchers warn. Dubbed Rogue, the Trojan is the work of Triangulum and HeXaGoN Dev, known Android malware authors that have been selling their malicious products on underground markets for several years.

"The email, with the subject"GOOD LOAN OFFER!!," at first glance, looks like a usual investment scam," Lopera said in the report about the find. "No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive file called"TRUMP SEX SCANDAL VIDEO.jar.

Reseachers are raising the alarm for a newly identified operation leveraging a new Remote Access Tool written in Golang to steal crypto-currency from unsuspecting users. Discovered last month, the campaign is believed to have been active since January 2020, consisting of a fully-fledged marketing campaign, custom applications related to crypto-currency, fake social media accounts, websites, and the new RAT, which Intezer calls ElectroRAT. Widely undetected, the Golang backdoor is written from scratch and is designed to target Windows, Linux, and macOS. To lure crypto-currency users into downloading Trojanized apps, the threat actor behind the campaign promoted the tools on crypto-currency and blockchain forums, as well as on social media platforms.

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research. The SystemBC RAT has since expanded the breadth of its toolset with new characteristics that allow it to use a Tor connection to encrypt and conceal the destination of C2 communications, thus providing attackers with a persistent backdoor to launch other attacks.

The new 'Abaddon' remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware. In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies the Discord client to have it steal credentials and other information.

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities-which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. Two of the four flaws can be exploited to gain remote code execution on target systems by sending specially crafted chat messages in group conversations or specific individuals.

An adversary known for targeting the fintech sector at least since 2018 has switched up its tactics to include a new Python-based remote access Trojan that can steal passwords, documents, browser cookies, email credentials, and other sensitive information. In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT," which possesses abilities to gather information, take screenshots, capture keystrokes data, open an SSH shell and deploy new tools.

The malware's emergence dovetails with a change in the chain of infection and an expansion of infrastructure for the APT. According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools such as LaZagne. The latest series of campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing emails, which use the Know Your Customer regulations as a lure.

A previously undocumented malware family called KryptoCibule is mounting a three-pronged cryptocurrency-related attack, while also deploying remote-access trojan functionality to establish backdoors to its victims. Looking at timestamps in the various versions of KryptoCibule that ESET has identified, the malware dates from December 2018, researchers said.

A Chinese state-backed hacking crew named Taidoor is deploying a custom remote access trojan against Western organisations, according to US authorities. Taidoor is said by the Americans to be sponsored by the Chinese government, with their aim being "To maintain a presence on victim networks and to further network exploitation".