Blog - Page 4 of 116

SmokeLoader Trojan Used to Deliver Phobos Ransomware

anti-malware tools, offline backups, Ophtek, Phobos ransomware, SmokeLoader, social engineering, Trojansanti-malware tools, offline backups, Ophtek, Phobos ransomware, SmokeLoader, social engineering, TrojansOphtek, LLC

Jan 2024

Be aware, your files are under threat from a new variant of the Phobos ransomware. And it’s being distributed by threat actors using the SmokeLoader trojan.

The Phobos ransomware was first detected in 2017 and, since then, has gone on to be used in numerous cyber-attacks. This new variant, however, is slightly different and more sophisticated than previous incarnations. The threat actors behind the new variant are believed to be the same team behind the 8Base ransomware syndicate, a powerful cybercrime operation.

As you know, any form of ransomware is dangerous, but one which is as clever and cunning as Phobos requires special attention. Luckily, Ophtek are here to provide you with all the advice you need.

The SmokeLoader Campaign

The SmokeLoader trojan is typically used to deliver the 8Base team’s variant of Phobos. A trojan is employed as the launchpad as Phobos, on its own, does not have the capability to breach a PC’s defenses. SmokeLoader operates by disguising itself within spam email campaigns and relies on social engineering techniques to unleash its malicious payload. Once SmokeLoader has been activated, it begins loading the Phobos ransomware.

And Phobos presents a very persistent and effective threat. It starts by identifying target files and automatically ends any processes which are accessing the files. From here, Phobos’ next step is to disable the PC’s system recovery tool, which ensures the victim is unable to roll back their PC to a pre-infection stage. Finally, before encrypting any files, Phobos makes a point of deleting any backups and shadow copies. Rest assured that Phobos doesn’t want to give you any chance of retrieving your files without paying a ransom.

What’s notable about this strain of Phobos is its encryption speed. Instead of fully encrypting all files, it only focuses on completing this on files under 1.5MB in size. Anything over this file size is only partially encrypted. Phobos alerts its victims to its encryption activities by issuing a ransom note on the infected system. This ransom note explains that the only way to decrypt the files is by making a payment in Bitcoin. And this payment is dependent on how quickly contact is made.

Staying Safe from SmokeLoader and Phobos

The financial damages arising from ransomware continue to rise and rise, so it’s crucial that you keep one step ahead of these attacks. The best way to stay safe is by following these best practices:

Understand social engineering: the Phobos attack, and many other ransomware attacks, are only able to initiate themselves due to victims falling for social engineering scams. Therefore, it’s vital your staff understand what social engineering is and how to combat it. For example, if an email sounds too good to be true, it probably is. And the best thing to do with a suspicious email is to take a deep breath and think long and hard before clicking any links.

Always keep offline backups: if all your files are encrypted then you’re going to have a hard time retrieving them without paying a costly ransom. And, remember, Phobos actively seeks out backups and shadow copies you may have stored on your network. However, if you regularly backup to an offline source, such as an isolated network or drive, you have the opportunity to minimize your file loss.

Use anti-malware tools: one of the best ways to add an extra layer of protection to your PCs is by ensuring that anti-malware tools are installed. These tools are discreet, mostly running in the background, and can identify malware before they launch their attacks. This allows you to quarantine and delete threats such as SmokeLoader before they can take over your system.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Sustainable Practices for a Greener IT Environment

cloud computing, dark data, green IT, Ophtek, outsourcing, sustainable IT, turn off pc, working remotelycloud computing, dark data, green IT, Ophtek, outsourcing, remote work, sustainable ITOphtek, LLC

Jan 2024

Modern businesses are constantly looking to reduce their carbon footprint. One of the best ways to achieve this is with a greener IT environment.

When it comes to the environment, digital data comes at a cost. Therefore, it’s important for businesses to evaluate their practices in order to reduce their impact on the environment. This is known as Green IT, a study and practice of the ways in which IT usage can be more environmentally friendly and sustainable. However, for many organizations, their adoption of eco-friendly practices tends to be focused on manufacturing and service elements.

How Do You Develop Sustainable IT Practices?

If you want to reduce the carbon footprint of your IT operations, you should start making changes in these areas:

Cloud computing: one of the best ways to reduce your impact on the environment is by embracing the cloud. Due to superior hardware setups, cloud data centers use less energy than traditional in-house data solutions. And the savings are seriously impressive. It’s estimated that cloud computing can improve energy efficiency by up to 93% and, in the process, release 98% fewer greenhouse gases.
Dark data: all businesses carry and store huge amounts of data, but does it all need to be kept? Data which is stored, but not required is referred to as dark data. Therefore, if you’re using cloud data centers, which are responsible for 2.5% of carbon dioxide emissions, to store dark data, you’re putting an unnecessary strain on the environment. The solution here is to evaluate your data governance policies and develop strategies for disposing of dark data.
Turn your PCs off: many employees fail to shut their PCs down at the end of the day. This is the result of wanting to get home and, of course, saving time the next day when they’re logging on. However, leaving a PC running overnight not only produces carbon emissions but also shortens the lifespan of the device. This means that you are more likely to have to replace the machine, contributing towards environmental damage. Accordingly, your employees need to be educated on the importance of shutting their PC down.
Outsourcing: if your business experiences a surge in demand, you don’t have to buy additional equipment to cope with the increased workload. Instead, you can outsource this workload, such as to a call center, to manage the demand. After all, this surge in activity may be short lived, and outsourcing represents a sustainable and more affordable option. Remember, anything which reduces the sale of new hardware will only have a positive effect
on the environment.
Remote working: advances in IT technology mean that any employee with a high-speed internet connection can seamlessly connect with your IT infrastructure from home. This means a reduction in not just emissions from travel, but also a number of energy saving costs in your office. As a result, allowing employees to work from home will easily enhance your green credentials and reduce your carbon footprint.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Facebook Ads Used to Deliver NodeStealer Malware

block social media, Facebook Ads, malware, NodeStealer, Ophtek, Phishing, Suspicious linksFacebook Ads, links, malware, NodeStealer, Ophtek, phishing, social mediaOphtek, LLC

Dec 2023

Threat actors have turned to Facebook ads to unleash NodeStealer on unsuspecting victims, and they’re using scantily clad women to achieve this.

Facebook is no stranger to finding its ad network compromised to spread malware, but what’s interesting about this latest campaign is that it primarily targets males. At the core of this attack is NodeStealer, a strain of malware which has been active for several months. However, NodeStealer has changed. At the start of its existence, it was designed in JavaScript, but it’s now being coded with the Python programming language.

NodeStealer is part of a wider campaign, believed to have its origins in Vietnam, to steal sensitive data, and it’s more than worthy of your attention.

How Does NodeStealer Target its Victims?

Using marketing strategies almost as old as time, the threat actors behind NodeStealer have used the provocative lure of female flesh to entice their victims. Taking advantage of the massive reach of Facebook’s ad network, these threat actors have created adverts which contain revealing photos of young women. The objective of these adverts is to encourage people to click on them, a process which will download an archive of malicious files.

One of these files is called Photo Album.exe but, far from containing any photos, it simply downloads a further executable file which unleashes NodeStealer. With NodeStealer running rampant on an infected system, it will begin harvesting login credentials and, in particular, it will attempt to take control of Facebook business accounts. With further business accounts compromised, NodeStealer can launch even more malicious ad campaigns and spread itself further.

Stay Safe from the Threat of NodeStealer

NodeStealer is a classic example of malware deceiving its victims to achieve its goal. And it’s not surprising to hear that the 18 – 65 male demographic have made up the majority of its victims. Regardless of the bait, however, NodeStealer provides us with a number of interesting lessons to learn. The most important takeaways should be:

Block social media sites: the NodeStealer campaign is the perfect example of why corporate networks should block social media sites. Yes, certain businesses will need to access these sites for marketing reasons, but general access should be shut down to employees.
Educate on phishing techniques: the threat actors behind NodeStealer have used typical phishing techniques to convince unsuspecting users that they should click on their ads. And this is where you need to educate your employees. Demonstrate how if it sounds too good to be true, then it almost always is. Make this not just part of your IT inductions, but also as regular refreshers to keep employees on their guard.
Always double check links: the malicious links contained in adverts will usually direct people to a different destination than promised. This means it’s crucial you understand the importance of checking links before clicking them. The simplest way to do this is by hovering your mouse cursor over links to reveal their true destination. And, always remember, if in doubt about a link (or advert), check with an IT expert before clicking it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Striped Fly Malware Infected 1 Million Hosts in 5 Years

install updates, malware, network security, Ophtek, screen attachments, secure firewall, Striped Flymalware, Ophtek, phishing, security, Striped Fly, updatesOphtek, LLC

Dec 2023

Malware and flies share one thing in common: they’re pesky. However, while flies help the ecosystem, the Striped Fly malware is nothing but trouble.

Striped Fly has recently hit the headlines, but Kaspersky has revealed they’ve found evidence of its malicious activity dating back to 2017. Unfortunately, no one had been aware of its true identity until now. This means Striped Fly has enjoyed a five-year campaign where not even a single security researcher knew of its existence. And Kaspersky estimate that this invisibility has allowed it to infect over one million Windows and Linux hosts.

In 2017, Striped Fly was mistakenly labelled as a cryptocurrency miner, falling under the Monero trojan family. Subsequent findings, however, have revealed that Striped Fly is much more sophisticated.

What is Striped Fly?

Striped Fly’s exact mechanism is not fully understood at present, but researchers believe they know how it operates. It’s suspected that the threat actors exploited an EternalBlue SMBv1 exploit to gain a foothold in internet facing PCs. After discovering evidence of Striped Fly within the WININIT.exe application – used to help load subsystems within Windows – Kaspersky determined that it then downloads further files.

These files typically come from online software depositories such as GitHub and BitBucket. These are used to build the final Striped Fly payload. Cleverly, Striped Fly comes with Tor network capabilities to encrypt its communications. Tor, of course, is an internet router service used to encrypt data transferred over its network. And this is part of the reason why Striped Fly remained hidden for so long.

The main talking point about Striped Fly is its sophistication and wide range of functions. Striped Fly is capable of harvesting login credentials, taking unauthorized screenshots of infected devices, stealing Wi-Fi network configuration details, transferring files to remote sources, and recording microphone output. Clearly, it poses a significant threat to all PC users.

Swatting Striped Fly Away

Striped Fly’s half-decade long campaign has proved to be highly successful. Accordingly, your organization needs to be on its guard against Striped Fly and any similar threats. Kaspersky hasn’t revealed a specific fix for Striped Fly but, as ever, vigilance and good security practices are key. So, make sure the following is part of your established cybersecurity strategy:

Install all updates: Kaspersky believe that Striped Fly was able to launch its initial attack thanks to a vulnerability it exploited. Therefore, installing all updates needs to be a priority for your organization. If there’s a hole in your defenses, you need to plug it. And a vulnerability represents a huge hole.
Screen all attachments: all email attachments should be screened as part of a vital defense process in protecting businesses against malware. Attachments can often contain a malicious payload such as phishing scams, cryptocurrency or trojans. Accordingly, employees should always know what to question before clicking an email attachment.
Use network security tools: installing firewalls and ensuring that your Wi-Fi networks are secured is a sure-fire way to protect yourself against the threat of malware. Striped Fly, after all, sought out Wi-Fi details and transmitted stolen files across compromised networks. With a secure firewall in place, this will reduce the likelihood of malware being able to operate effectively.

For more ways to secure and optimize your business technology, contact your local IT professionals.

LinkedIn Used to Spread DarkGate Malware

authenticator app, Corsair, DarkGate, Linkedin, malware, malware-as-a-service, Ophtekauthenticator app, Corsair, DarkGate, Linkedin, malware, malware-as-a-service, OphtekOphtek, LLC

Dec 2023

The threat of malware strikes the business world again, and this time it’s using LinkedIn to trick users into downloading the DarkGate malware.

LinkedIn is designed to help professionals connect with each other and build professional relationships. It’s proven to be wildly popular, with 950 million members currently registered on the platform.

But where there are huge numbers of users, there will also be large amounts of data. And this data is like catnip to threat actors. This is why fake LinkedIn posts have started appearing on the platform. These posts, as well as a campaign of direct messages, are far from informative for the users of LinkedIn. Instead, they are being used to trick LinkedIn users, primarily those who hold positions within the social media niche, to download malware.

Unveiling the Essentials of DarkGate on LinkedIn

Security experts have been aware of DarkGate since 2017, but it was considered a low-level threat due to its limited activity in the digital wild. However, this changed in June 2023, when its creator began selling it as Malware-as-a-Service package. Since then, a campaign using DarkGate has been launched by threat actors, believed to be working in Vietnam, which targets LinkedIn users.

Mostly, these users have consisted of social media managers operating in the US, the UK, and India. Using LinkedIn posts, or sending direct messages to targets, the threat actors propose that a job offer at Corsair is on the table. LinkedIn is a highly popular recruitment tool, so there’s nothing out of the ordinary with these initial contacts. However, the targets are encouraged into downloading malicious documents, such as a Word document containing a job description and a text file discussing salary details.

Within these documents are malicious links. Once clicked, these links lead to a series of scripts being launched which are used to build DarkGate. The malware’s first move is to start uninstalling security tools located on the infected system. DarkGate’s next step is to begin harvesting data from the compromised system. In particular, DarkGate appears to be targeting login credentials for Facebook business accounts, hence the focus on social media managers.

Protecting Your Credentials from DarkGate

If you’re a social media manager and regularly log on to LinkedIn, the advice is simple: stay away from any links relating to job offers for Corsair. Unfortunately, the threat actors are likely to change the details of their attack now that it’s started generating headlines. Nonetheless, you can still do the following to protect your credentials:

Never click unsolicited links: it’s important to be vigilant against unsolicited links, especially when they’re found in unsolicited direct messages. If you do receive direct messages, or even emails, containing unsolicited links, it’s best to delete them and block the sender.
Install all updates: clicking a malicious link can help threat actors exploit vulnerabilities within your PC, so you need to minimize the number of vulnerabilities which are present. The best way to achieve this is by always installing updates when prompted or making sure that automatic updates are activated.

Use an authenticator app: both LinkedIn and Facebook allow you to use an authenticator app to provide a further layer of security to your credentials. Most commonly, the sites in question will require you, after entering your login credentials, to enter a unique code generated by the app. This means that, if your login credentials are compromised, they will be next to useless to threat actors.

For more ways to secure and optimize your business technology, contact your local IT professionals.

« Previous 1 2 3 4 5 6 … 116 Next »