Security News
A Chinese state-backed hacking crew named Taidoor is deploying a custom remote access trojan against Western organisations, according to US authorities. Taidoor is said by the Americans to be sponsored by the Chinese government, with their aim being "To maintain a presence on victim networks and to further network exploitation".
Attackers use the ongoing coronavirus pandemic as a lure, as well as malicious Excel documents, to convince victims to execute the RAT. Researchers with Microsoft's security intelligence team said this week that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far - a trend that researchers said they've seen steadily increase over the past month. The emails are titled "WHO COVID-19 SITUATION REPORT" and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S. The attached malicious Excel 4.0 document opens with a security warning and shows a graph of supposed coronavirus cases in the U.S. If a victim enables the macro, it downloads and executes the NetSupport Manager RAT.
North Korea-linked hacking group Lazarus has been leveraging a Mac variant of the Dacls Remote Access Trojan, Malwarebytes reports. Last year, security researchers identified at least two macOS-targeting malware families used by Lazarus in attacks, and a new one appears to have been added to their arsenal: a Mac variant of the Linux-based Dacls RAT. Initially identified by security researchers with Qihoo 360 NetLab in December 2019, the Dacls backdoor targeted both Windows and Linux systems.
A new variant of the NetWire remote access trojan is hitching a ride on IRS-themed phishing ploys targeting taxpayers in hopes of snatching victims' credentials and tax information. The NetWire variant's payload has also been given a facelift, with improved keylogger and credential-collecting features.
ReversingLabs has analyzed clues from attacks by the Kwampirs remote access trojan to help software companies defend their organizations against this malware. In addition to attacks against supply chain software providers, the FBI said the same malware was also used in attacks against healthcare, energy, and financial companies.
A Pakistani-linked threat actor, APT36, has been using a decoy health advisory that taps into global panic around the coronavirus pandemic to spread the Crimson RAT. The functionalities of the Crimson RAT include stealing credentials from victims' browsers, capturing screenshots, collecting anti-virus software information, and listing the running processes, drives and directories from victim machines. Once victims click on the attached malicious document and enable macros, the Crimson RAT is dropped.
If a recipient opens the document via Microsoft Office Outlook, a prompt appears asking the user to "Enable content" to open the document - clicking "Yes" executes the macros. This contains another PowerShell script that is responsible for installing the NetSupport Manager RAT onto the victim's machine.
Attacks recently identified to target a key organization in the European energy sector have employed a remote access Trojan previously associated with Iran-linked threat actors, Recorded Future reports. The researchers were able to identify a PupyRAT command and control server that communicated with a mail server for a European energy sector organization between November 2019 and at least January 5, 2020.
The defendant, Scott Crowley, said in a court hearing that he used Imminent Monitor to hack the victims' computer and phone webcams so he could spy on them and film them in various compromising positions, including undressing and having sex. The prosecutor on the case said that in examining Crowley's computer, officers discovered three folders named after each of his victims; these contained images and videos of the women undressing, and in some cases having sex.
A new Python-based remote access Trojan (RAT) has been used in campaigns targeting a wide range of industries, BlackBerry Cylance revealed this week.