Security News

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research. The SystemBC RAT has since expanded the breadth of its toolset with new characteristics that allow it to use a Tor connection to encrypt and conceal the destination of C2 communications, thus providing attackers with a persistent backdoor to launch other attacks.

The new 'Abaddon' remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware. In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies the Discord client to have it steal credentials and other information.

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities-which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. Two of the four flaws can be exploited to gain remote code execution on target systems by sending specially crafted chat messages in group conversations or specific individuals.

An adversary known for targeting the fintech sector at least since 2018 has switched up its tactics to include a new Python-based remote access Trojan that can steal passwords, documents, browser cookies, email credentials, and other sensitive information. In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT," which possesses abilities to gather information, take screenshots, capture keystrokes data, open an SSH shell and deploy new tools.

The malware's emergence dovetails with a change in the chain of infection and an expansion of infrastructure for the APT. According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools such as LaZagne. The latest series of campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing emails, which use the Know Your Customer regulations as a lure.

A previously undocumented malware family called KryptoCibule is mounting a three-pronged cryptocurrency-related attack, while also deploying remote-access trojan functionality to establish backdoors to its victims. Looking at timestamps in the various versions of KryptoCibule that ESET has identified, the malware dates from December 2018, researchers said.

A Chinese state-backed hacking crew named Taidoor is deploying a custom remote access trojan against Western organisations, according to US authorities. Taidoor is said by the Americans to be sponsored by the Chinese government, with their aim being "To maintain a presence on victim networks and to further network exploitation".

Attackers use the ongoing coronavirus pandemic as a lure, as well as malicious Excel documents, to convince victims to execute the RAT. Researchers with Microsoft's security intelligence team said this week that that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far - a trend that researchers said they've seen steadily increase over the past month. The emails are titled "WHO COVID-19 SITUATION REPORT" and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S. The attached malicious Excel 4.0 document opens with a security warning and shows a graph of supposed coronavirus cases in the U.S. If a victim enables it, the macro is downloaded and the NetSupport Manager RAT is executed.

North Korea-linked hacking group Lazarus has been leveraging a Mac variant of the Dacls Remote Access Trojan, Malwarebytes reports. Last year, security researchers identified at least two macOS-targeting malware families used by Lazarus in attacks, and a new one appears to have been added to their arsenal: a Mac variant of the Linux-based Dacls RAT. Initially identified by security researchers with Qihoo 360 NetLab in December 2019, the Dacls backdoor targeted both Windows and Linux systems.

A new variant of the the NetWire remote access trojan is hitching a ride on IRS-themed phishing ploys targeting taxpayers in hopes of snatching victims' credentials and tax information. The NetWire variant's payload has also been given a facelift, with improved keylogger and credential-collecting features.