A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further. 

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems. 

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them. 

BattleRoyal’s Malware Campaign 

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users. 

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites and files. However, BattleRoyal was able to work around this by using a specially crafted URL which, due to the vulnerability in SmartScreen, led users to a malicious website without SmartScreen's protection intervening. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence. 

How to Stay Safe from BattleRoyal 

Microsoft has since released a security patch for the CVE-2023-36025 vulnerability, and installing it remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to follow these security best practices to prevent any infections: 

  • Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails. 

  • Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before a patch was available, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, and activating automatic updates is the best way to guarantee that your defenses are fully up to date. 

  • Use security software: reputable security software is one of the simplest, yet most effective, ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Malware and flies share one thing in common: they’re pesky. However, while flies help the ecosystem, the Striped Fly malware is nothing but trouble. 

Striped Fly has recently hit the headlines, but Kaspersky has revealed it has found evidence of its malicious activity dating back to 2017. Unfortunately, no one had been aware of its true identity until now. This means Striped Fly has enjoyed a five-year campaign during which not a single security researcher knew of its existence. And Kaspersky estimates that this invisibility has allowed it to infect over one million Windows and Linux hosts. 

In 2017, Striped Fly was mistakenly labelled as a cryptocurrency miner, falling under the Monero trojan family. Subsequent findings, however, have revealed that Striped Fly is much more sophisticated. 

What is Striped Fly?

Striped Fly’s exact mechanism is not fully understood at present, but researchers believe they know how it operates. It’s suspected that the threat actors used an EternalBlue SMBv1 exploit to gain a foothold on internet-facing PCs. After discovering evidence of Striped Fly within the WININIT.exe application – used to help load subsystems within Windows – Kaspersky determined that it then downloads further files. 

These files typically come from online software repositories such as GitHub and Bitbucket, and are used to build the final Striped Fly payload. Cleverly, Striped Fly comes with Tor network capabilities to encrypt its communications. Tor is an overlay network that routes traffic through relays and encrypts it in transit, and this is part of the reason why Striped Fly remained hidden for so long. 

The main talking point about Striped Fly is its sophistication and wide range of functions. Striped Fly is capable of harvesting login credentials, taking unauthorized screenshots of infected devices, stealing Wi-Fi network configuration details, transferring files to remote sources, and recording microphone output. Clearly, it poses a significant threat to all PC users. 

Swatting Striped Fly Away 

Striped Fly’s half-decade-long campaign has proved to be highly successful. Accordingly, your organization needs to be on its guard against Striped Fly and any similar threats. Kaspersky hasn’t revealed a specific fix for Striped Fly but, as ever, vigilance and good security practices are key. So, make sure the following is part of your established cybersecurity strategy: 


Read More


State-sponsored hacking remains a serious problem for PC users around the world, and the latest headline grabber – with links to North Korea – is EarlyRAT. 

A remote access trojan (RAT) is nothing new in the world of cybercrime, with the earliest examples believed to have been released in the late 1980s. However, their impact has grown significantly over the last 30 years, and this means they need to be taken seriously. There’s a culture of evolution in the world of hacking and, as a result, each new generation of RATs tends to be more capable than the last. And that’s why the emergence of EarlyRAT has got so many IT professionals concerned. 

What is a Remote Access Trojan? 

You may not be familiar with the ins and outs of a RAT, so we’re going to take a second to explain what they are and why they are so dangerous. A RAT is a malicious software program designed to provide unauthorized remote access and control over a targeted PC. They tend to be disguised as genuine files – this is why RATs are often distributed through phishing emails – but are nothing short of digital chaos. 

Once installed, a RAT allows attackers to gain control of the victim’s computer, and this is all carried out remotely. This allows the threat actors to steal sensitive information, monitor user activity, execute commands, and even activate the webcam or microphone to carry out surveillance. All of these dangers put the victim at risk of data theft and further cyber-attacks. 

How Does EarlyRAT Work? 

EarlyRAT was first detected by security experts at Kaspersky, who were analyzing a hacking campaign from 2022. The attack was made possible by a flaw discovered in Log4j, a Java library used to log error messages generated by applications. This vulnerability was exploited by the Andariel hacking group, a team believed to be sponsored by North Korea. Once the Log4j flaw had been exploited, Andariel was able to download malware onto the victims’ PCs. 

Part of this initial attack also included a phishing campaign, and it was here that EarlyRAT was first detected. Phishing documents, once activated, would download EarlyRAT from servers well known for having connections to threat actors. EarlyRAT’s first objective was to start logging system information and, after this, it would begin downloading additional malware, affecting the productivity of infected machines and stealing user credentials. 

Keeping Safe from EarlyRAT 

It’s important that you protect your IT infrastructure and your data, so staying one step ahead of threats like EarlyRAT is vital. To achieve this, make sure you always practice the following: 

  • Identify malicious websites: a large number of RATs are hosted on malicious websites, so it’s important that you know how to spot one of these. With this knowledge, you will be able not only to identify a malicious website, but also to recognize that a link is malicious before you even click it. 


Read More


It’s always important to be cautious online, but it’s easy for people to fall victim to malware. Even security experts can fall for the tricks of hackers. 

Yes, even skilled and highly experienced security researchers can find themselves on the receiving end of malware. The most recent piece of evidence for this phenomenon is an attack which is as brazen as it is powerful. It revolves around a piece of bait left by threat actors on GitHub, an online repository for developers to store and share their code. And it was a piece of code, disguised as a highly tempting piece of software for a security expert, which left many of these professionals embarrassed. 

How Were the Experts Fooled? 

The GitHub attack involved a piece of software being made available which claimed to be a proof-of-concept (POC). Typically, a POC is a demonstration that a software project or technique works, and is used to determine how feasible the project is and its potential for long-term success. For a security researcher, a POC that demonstrates a vulnerability is a useful way to test whether systems are exposed to it, and this is why POCs are frequently downloaded and analyzed. 

However, this specific ‘POC’ proved to be little more than malware in disguise. Hidden within the fake POC was a malware downloader, which fetched further malware and set off a chain of malicious events. Once the malware was downloaded, it began by executing a script on the Linux system to automate specific commands. This allowed the threat actors to start stealing data by scraping the entire directory of the infected PC and automatically uploading it to a remote location. 

The fake POC also allowed the threat actors to gain full access to any of the infected systems. This was achieved by adding their own SSH (Secure Shell, a protocol for operating network services securely) public key to the authorized_keys file on the infected system, which lets anyone holding the matching private key log in. All of this was made possible for the threat actors by a vulnerability – known as CVE-2023-35829 – discovered in the Linux operating system, an OS widely used by software developers. 
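One defender-side check for the persistence mechanism just described, as an added example that is not part of the original post: an audit of an authorized_keys file that computes each key's SHA256 fingerprint (the same value `ssh-keygen -lf` prints) and flags any key not on an approved list. The sample file, the key blobs and the approved list are constructed for the example, and the function names (`parse_line`, `audit`, `fingerprint`) are chosen here.

```python
"""Audit an authorized_keys file for keys that are not on an approved list.

Added example: the attack above persisted by appending the attacker's public
key to authorized_keys. A defender can compute each key's SHA256 fingerprint
(as `ssh-keygen -lf` does) and flag any fingerprint that is not approved.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Key types accepted here; sshd(8) documents the line layout used below:
# [options] key-type base64-blob [comment]
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


@dataclass
class AuthorizedKey:
    options: str
    key_type: str
    fingerprint: str
    comment: str
    line_no: int


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in ssh-keygen's notation: base64 digest, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(raw_blob: bytes) -> str:
    """First length-prefixed string of a public key blob is its key type."""
    (n,) = struct.unpack(">I", raw_blob[:4])
    return raw_blob[4:4 + n].decode()


def split_options(line: str) -> Tuple[str, str]:
    """Split a leading options field from the rest; options may contain quoted spaces."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_line(line: str, line_no: int) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line; None for blank/comment lines, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"line {line_no}: unrecognised entry")
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # A blob whose embedded type disagrees with the declared type is malformed.
    if blob_key_type(base64.b64decode(blob, validate=True)) != key_type:
        raise ValueError(f"line {line_no}: key type mismatch")
    return AuthorizedKey(options, key_type, fingerprint(blob), comment, line_no)


def audit(text: str, approved: Set[str]) -> List[AuthorizedKey]:
    """Return every entry whose fingerprint is not in the approved set."""
    return [
        entry
        for n, raw in enumerate(text.splitlines(), 1)
        if (entry := parse_line(raw, n)) is not None and entry.fingerprint not in approved
    ]


def make_ed25519_blob(seed: bytes) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 blob (not a real key)."""
    pub = hashlib.sha256(seed).digest()  # 32 arbitrary bytes in place of a public point
    kt = b"ssh-ed25519"
    return base64.b64encode(
        struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(pub)) + pub
    ).decode()


# Constructed sample file: two approved entries (one with options) and one dropped key.
ADMIN_BLOB = make_ed25519_blob(b"admin-laptop")
ATTACKER_BLOB = make_ed25519_blob(b"dropped-by-fake-poc")
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {ADMIN_BLOB} alice@admin-laptop
command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {ADMIN_BLOB} backup-job
ssh-ed25519 {ATTACKER_BLOB} root@localhost
"""
APPROVED = {fingerprint(ADMIN_BLOB)}


def demo() -> List[Tuple[int, str, str]]:
    """(line number, fingerprint, comment) for each unexpected key in the sample."""
    return [(k.line_no, k.fingerprint, k.comment) for k in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED)]


if __name__ == "__main__":
    for line_no, fp, comment in demo():
        print(f"line {line_no}: unexpected key {fp} ({comment!r})")
```

Run against a real host by reading each user's authorized_keys file (and any file named by sshd's AuthorizedKeysFile setting) and seeding the approved set from the fingerprints your key inventory already knows; a malformed line raises rather than being skipped, because an entry sshd cannot parse is itself worth a look.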

Avoid the Mistakes of the Experts 

You may be thinking that, if a security expert can fall victim to malware, what hope do you have in the face of targeted attacks? However, as we know, nobody is 100% immune from the efforts of threat actors, and this includes security researchers. As ever, vigilance is key to maintaining the security of your IT infrastructure: 

  • Be wary of malicious websites: while GitHub is far from malicious, some of the people using it are. This means you should always do some research on what you’re downloading and who you’re downloading it from. So, for example, try searching for the username of whoever is offering you a download, and see whether the results look trustworthy or otherwise. Alternatively, ask an IT professional to take a look and assess the risk – unlike the researchers caught out by the GitHub attack, they can usually spot malware from a mile away. 


Read More


Microsoft Teams has experienced a surge in popularity among businesses since the pandemic, and this makes it a highly prized target for hackers. 

Businesses find Microsoft Teams a powerful tool as it allows employees to work remotely, communicate and be productive. And it’s all through one app. This is why it’s a fantastic business solution and used by 280 million people. Naturally, the size of this audience is going to turn a threat actor’s head. Where there are high numbers of users, there’s an opportunity for malware to be successful. And that’s why the discovery of a vulnerability in Teams has caused so much concern. 

The Vulnerability Lying Within Microsoft Teams 

One of the main uses of Teams is as a communication tool, and this means that the potential for spreading malware via file transfers and linked hard drives is high. But this newly discovered vulnerability is very different. Therefore, it’s important you understand the threat it poses. 

Now, Microsoft Teams allows you to communicate with a wide range of people within your organization. It also allows you to communicate with external parties, such as subcontractors, clients and facility management teams. Usually, these external users are unable to send files to other organizations through Teams. And this is a good thing, as it lowers the risk of malware being sent between businesses. 

However, the security protocols which are in place to stop unauthorized file sending can, it turns out, be bypassed. Once this vulnerability is exploited, a threat actor can start sending malware directly to the Teams inbox of staff within that business. Often, threat actors increase the chances of their attack succeeding by setting up email addresses similar to that of their target. All it takes is for one employee to open the malware and it can start to spread. 

While the incoming message will still be tagged as “External”, the busy nature of many employees’ days means that it’s likely this message will be ignored. Also, this method of attack is relatively new. Users are well drilled in the telltale signs of a phishing email, but a Teams instant message is very different. Accordingly, the risk of falling victim to this attack is concerning. 

Staying Safe on Microsoft Teams 

Curiously, Microsoft has advised that this vulnerability doesn’t, at present, warrant fixing. No doubt, at some point, it will be patched, but for now you should remain cautious. To help strengthen your defenses, make sure you practice the following: 

  • Always update: there’s never an excuse for not carrying out software updates once they are available. It’s the quickest and simplest way to plug weak points in your cyber defenses, so, if they are not already in place, setting up automatic updates should be your priority. 
  • Reduce your availability: it’s possible to limit your communication through Teams to specific domains only. Again, this reduces your risk by ensuring that your staff can only communicate with trusted sources and not threat actors operating from similar, yet malicious domains. 


Read More