Security News

A cyberespionage group with ties to North Korea has resurfaced with a stealthier variant of its remote access trojan called Konni to attack political institutions located in Russia and South Korea. "The authors are constantly making code improvements," Malwarebytes researcher Roberto Santos said.

NET malware packer being used to deliver a variety of remote access trojans and infostealers has a fixed password named after Donald Trump, giving the new find its name, "DTPacker." The ProofPoint team that discovered DTPacker reported that the malware is notable because it delivers both embedded payloads, as well as those fetched from a command-and-control server.

Cyberattackers are abusing Amazon Web Services and Azure Cloud services to deliver a trio of remote access trojans, researchers warned - all aimed at hoovering up sensitive information from target users. "When the initial script is executed on the victim's machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance."

A Nottingham man was imprisoned this week for more than two years after hacking the computers and phones of dozens of victims, some of them underage, and spying on them using remote access trojans. 32-year-old Robert Davies used fake online social media profiles and Skype accounts for catfishing his victims and hacking their devices by sending links that allowed him to infect them with RATs obfuscated using crypters.

A novel remote access trojan being distributed via a Russian-language spear-phishing campaign is using unique manipulation of Windows Registry to evade most security detections, demonstrating a significant evolution in fileless malware techniques. Dubbed DarkWatchman, the RAT - discovered by researchers at Prevailion's Adversarial Counterintelligence Team - uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk.

A new stealthy JavaScript loader named RATDispenser is being used to infect devices with a variety of remote access trojans in phishing attacks. Once launched, the loader will write a VBScript file to the %TEMP% folder, which is then executed to download the malware payload. These layers of obfuscation help the malware evade detection 89% of the time, based on VirusTotal scan results.

A new malware campaign targeting Afghanistan and India is exploiting a now-patched, 20-year-old flaw affecting Microsoft Office to deploy an array of commodity remote access trojans that allow the adversary to gain complete control over the compromised endpoints. The attacks work by taking advantage of political and government-themed lure domains that host the malware payloads, with the infection chains leveraging weaponized RTF documents and PowerShell scripts that distribute malware to victims.

An ongoing malware distribution campaign targeting South Korea is disguising RATs as an adult game shared via webhards and torrents. The attackers are using easily obtainable malware such as njRAT and UDP RAT, wrap them in a package that appears like a game or other program, and then upload them on webhards.

A novel threat actor with unclear motivesis running a crimeware campaign delivering multiple Windows and Android RATs through the exploitation of CVE-2017-11882. The actor has registered multiple domains that feature political themes such as diplomatic and humanitarian efforts and uses them to deliver malware payloads to the victims.

An APT described as a "Lone wolf" is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found. Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows and AndroidRAT. They're delivering the RATs in malicious documents by exploiting CVE-2017-11882, according to a report published Tuesday by Cisco Talos.