Bandook Malware Strikes Back 

anti-malware tools, Bandook Malware, network activity, Ophtek, Phishing Email, Remote Access Trojan, , , , ,
27
Feb 2024

A new variant of the Bandook malware has been discovered which targets Windows PCs, so it’s crucial you know how to deal with it. 

From its earliest detection in 2007, Bandook has been a capable strain of malware. Being a remote access trojan, Bandook’s main objective has always been to take control of infected PCs. However, following a period of inactivity, the malware has recently started a new campaign aimed at a wide range of industries in different locations. And once Bandook takes control of a compromised PC, it can not only launch further malware attacks, but also steal whatever it wants from the PC. 

What is the Bandook Malware Attack? 

Bandook’s latest campaign starts with a phishing email, one which uses an infected PDF file. Within this file, there is a link which directs users towards a .7z file – a compressed, archive file. Prompted to enter a password – which is detailed in the original PDF file – to access the .7z archive, the victim will unwittingly activate the malware. Once Bandook is active, it will take advantage of the Msinfo32 application – typically used to collate system data – and edits the Window Registry to remain active on the infected PC. 

With Bandook fully established on the victim’s PC, Bandook opens a communication channel with a remote command-and-control server. This allows Bandook to receive further instructions from the threat actors behind the attack. From here, Bandook is able to establish additional malware payloads on the PC, and give full control of the PC over to the remote threat actors. This means that the hackers can steal data, kill active processes on the PC, execute applications, and even uninstall the Bandook malware to cover their tracks if necessary. 

How Do You Stay Safe from Bandook? 

As with many contemporary threats, Bandook relies on a momentary lapse of judgement from the recipient of their initial email. The impact of a single phishing email can lead to devastating results, so it’s essential your staff understand all the telltale signs of a phishing email. With this information at their fingertips, they’re significantly less likely to unleash malware across your IT infrastructure. 

But what else can you do? After all, no organization is 100% secure, and it’s likely your defenses will be breached at some point in the future. Well, you can make sure that you identify a breach and minimize its impact by practicing the following: 

  • Use anti-malware tools: security suites such as AVG and McAfee represent fantastic tools for protecting your IT infrastructure. As well as carrying out deep scans across your systems for malware, they also feature tools to block malicious websites and can scan files before they’re downloaded to verify their safety. 
     
  • Monitor network activity: one of the surest signs of a systems breach is, as featured in the Bandook attack, unusual network activity. Therefore, you should regularly monitor your network activity to identify unusual patterns e.g. prolonged communication with unknown destinations along with downloads from unidentified sources. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

Google Accounts Compromised by Cookie Vulnerability 

gmail, Google, Google cookies, Hackers, Hacking, multi factor authentication, Ophtek, Suspicious links, suspicious software, , , , , , ,
20
Feb 2024

A recently discovered vulnerability appears to allow threat actors to hack into your Google account, even if you change your password. 

Given that there are 1.8 billion people actively using Gmail, it should come as no surprise that Google accounts represent a mouthwatering target for hackers. Google claims that their users are protected by world-class security and, on the whole, it is a secure system. No infrastructure, however, is 100% safe. Threat actors are industrious individuals and won’t rest until they’ve tried every avenue to compromise a system. Unfortunately, for Google and its users, this is exactly what’s happened. 

Losing Control of Google 

Google accounts are highly valuable to their owners. Packed full of apps such as Gmail and Google Drive, there’s a lot of personal data involved. A new vulnerability, attributed to a flaw in Google cookies, gives access to these accounts over to threat actors. Worst of all, this can be achieved time after time. Sure, you can try changing your password, but they will still be able to unlock your account. 

The attack starts when a user unwittingly allows malware to be installed on their PC. This malware then gets to work by searching for and identifying any Google login tokens, which are typically stored in the application’s local database. These stolen tokens can then be used to trick Google’s API interface. 

One of the main duties of a Google API is to help sync the various Google services across one account. So, for example, if you were logged into Google Drive, you wouldn’t have to log into Gmail as well. The threat actors exploit a vulnerability with Google cookies to create new cookies which can be used to gain unauthorized access to the compromised account. And this trick can be completed multiple times. Changing your password, naturally, would be the simple choice here. But even doing this still grants the hacker one more chance to access your account. 

The vulnerability in question is currently being sold by threat actors online, with at least six hacking groups advertising it. These threat actors also claim that that this vulnerability has been redesigned to tackle the efforts Google has taken to shut this exploit down. 

Keep Your Google Account Safe 

No one wants to lose their Google account, aside from the loss of personal data, there’s also the sheer inconvenience of having to create a new account and updating any services associated with your original account. Accordingly, make sure you play safe by following these best practices: 

  • Use multi-factor authentication: at present, Google hasn’t revealed whether multi-factor authentication will prevent this vulnerability from seizing control of your account. However, if you don’t have it activated, you need to make this a priority as it’s one of the simplest ways to add extra security to your account. 
  • Do not download suspicious software: the first stepping stone for the threat actors to compromise your Google account involves installing malware on your PC. This gives them a foothold to begin stealing your Google login tokens. Therefore, you need to remain vigilant as to the software you’re downloading. The most obvious question to ask here is whether the download comes from an official source. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

DarkGate and NetSupport Malware is Surging 

anti-malware tools, BattleRoyal, DarkGate, install updates, malicious websites, malware, NetSupport, Ophtek, Phishing Email, Windows SmartScreen, , , , , , , , ,
13
Feb 2024

A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further. 

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems. 

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them. 

BattleRoyal’s Malware Campaign 

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users. 

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence. 

How to Stay Safe from BattleRoyal 

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections: 

  • Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails
     
  • Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date. 
     
  • Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

InfectedSlurs Botnet Launches DDos Swarm 

DDoS swarm, factory reset, InfectedSlurs, Mirai, Ophtek, password change, update firmware, zero-day vulnerabilities, , , , , , ,
06
Feb 2024

Based upon the Mirai botnet, a new botnet has emerged onto the digital landscape in the form of InfectedSlurs, and it’s helping to fuel DDoS attacks.  

Once again, the cause of infection behind InfectedSlurs attack are a number of zero-day vulnerabilities. These vulnerabilities – now identified as CVE-2023-49897 and CVE-2023-47565 – allowed InfectedSlurs to compromise both a series of WiFi routers and a QNAP network video recorder. The potential for data loss here is huge, but InfectedSlurs also makes sure that it hijacks infected devices and integrates them into a huge DDoS swarm. 

The InfectedSlurs Attack 

It’s believed that the attack by InfectedSlurs involved vulnerabilities which should have been addressed by firmware updates released several years ago. However, many organizations appear to still be using legacy versions of the QNAP software. And this is what’s allowed them to be compromised. It’s also been revealed that InfectedSlurs has been running in the digital wild since late 2022, so it’s had close to a year to take advantage of legacy versions. 

A security patch was launched at the start of December 2023, to provide the strongest possible protection, and users were told to perform a factory reset alongside a password change. Users have also been advised to initiate a firmware update, found within the network video recorder settings, to ensure they have the latest and most secure version in place. Again, it’s been recommended that all passwords and access privileges are verified. 

However, for the older, legacy devices which are in their end-of-life phase, there will be no further firmware updates released. In these instances, users have no alternative but to replace their devices with the latest models, which will be fully patched against all known threats. 

How Can You Prevent These Attacks? 

There are two big takeaways from the InfectedSlurs attack: 

  1. Always install software updates as soon as possible 
  1. Replace legacy devices when they have reached their end-of-life phase 

Both these points are easy to implement, but the evidence of the InfectedSlurs attack proves this is not always undertaken by organizations. However, to protect the security of your IT infrastructure, it’s crucial that this is given priority. 

InfectedSlurs was also able to execute its attack for close to a year without being detected, so what else should you be looking out for? Well, the following signs may indicate that you have fallen victim to an attack: 

  • Slow performance: one of the telltale signs of being involved in a DDoS attack is a drop in performance from the infected PC. This is because all the processing power is diverted away from the PC’s day-to-day operations and dedicated to supporting the DDoS attack. Therefore, if your PCs are running slow, and you can’t pinpoint the cause to hardware issues, there’s a chance they may have become involved in a DDoS attack. 
     
  • Unusual server patterns: if your PCs have been integrated into a DDoS swarm, it’s likely this will result in abnormal spikes in traffic related to your server. This is because DDoS attacks usually involve high volumes of traffic from multiple sources at once. So, if your server logs indicate behavior such as this, it’s important you investigate immediately to identify if the cause is known. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More