malicious code Archives

Financial Firms Targeted by JsOutProx Malware

JavaScript Malware, JsOutProx Malware, malicious code, Ophtek, Phishing Email, ScriptSafe for ChromeJavaScript, JsOutProx, malware, Ophtek, phishing, ScriptSafeOphtek, LLC

May 2024

A new phishing campaign, launched in March 2024, has been targeting financial firms all over the world with the JsOutProx banking trojan.

The JsOutProx malware campaign was first detected by Visa, with their Payment Fraud Disruption team sending out security alerts to stakeholders about the threat. So far, the targets of the attack have been based in Africa, South Asia, and the Middle East. The identity of the threat actors behind the attack are currently unknown, but it’s speculated they may be China-based or receiving support from China.

Financial malware always has the potential to cause great damage to organizations and individuals, so it’s important you understand the threat posed by JsOutProx.

The Lowdown on JsOutProx

First detected online in 2019, JsOutProx provides remote access to infected PCs by way of a JavaScript backdoor. This foothold allows threat actors to carry out numerous malicious attacks within the infected system. These include downloading further malware, data harvesting, taking screenshots, executing files, and embedding itself deep within the target. Plugins are utilized to launch these attack methods, an indicator this is a sophisticated piece of malware.

JsOutProx relies on JavaScript to carry out its attacks, and this method has been employed to deceive targets. Whereas many PC users understand the threat of a specific file type – such as a Word document or .exe file – they’re less likely to have knowledge of the threat posed by JavaScript code. Additionally, JavaScript coding is unintelligible to many anti-malware tools, so it has the potential to go undetected by software expected to keep PCs secure.

How is the JsOutProx Attack Launched?

Using phishing email techniques, JsOutProx is distributed through emails purporting to be related to MoneyGram or SWIFT payment notifications. However, far from being from genuine financial institutions, the senders behind these emails only have malicious intentions. Once recipients have fallen for the bait in the phishing emails, the JsOutProx code is activated and allows the threat actors to position themselves within the infected PC. Once installed, JsOutProx adopts a number of functionalities to enhance its position, such as changing DNS settings, editing proxy settings, and bypassing User Account Control detection.

Protect Your PCs from JsOutProx

A significant proportion of internet users have access to online banking services, and this is why JsOutProx has maximized its chances of snaring victims. Thankfully, you don’t have to fall victim to JsOutProx and compromise the security of your PC. All you have to do is make sure you practice the following:

Scrutinize all emails: an email which relates to a payment notification will always grab attention, but it’s vital you scrutinize emails which seem too good to be true. Threat actors will use persuasive and attractive arguments to convince you a suspicious link has to be clicked. However, if you take the time to analyze links in emails – do this by hovering your mouse cursor over them to reveal the true destination of the link – you can quickly minimize your chances of falling victim to malware.

Protect your browsers from scripts: many malware attacks such as JsOutProx rely on scripts to launch their attack within browsers. Therefore, it makes sense to protect your browsers from malicious scripts. Luckily, this is a relatively simple task thanks to ready-made browser plugins such as ScriptSafe for Chrome. These browser extensions protect you by blocking unwanted content and providing alerts against blacklisted sites which are malicious.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

The Dangers of Malware on GitHub

GitHub, malicious code, malware, Open Source Malware, OphtekGitHub, malicious code, malware, open source malware, OphtekOphtek, LLC

Mar 2024

GitHub is a wildly popular website for developers to create, share, and store their code, but it’s also being increasingly used to spread malware.

Launched in 2008, GitHub quickly became the number one destination for developers. Packed full of features – such as hosting open source code, bug tracking tools, and software requests – GitHub is the perfect one-stop shop for developers looking to collaborate and enhance their software. However, where there’s code, there’s also potential for malware to rear its ugly head. And, in the last few years, GitHub has been exploited by numerous threat actors.

How does GitHub Work?

GitHub is an online repository where developers can come together to pool resources and knowledge to improve their software builds. It may not be something that most of your staff are likely to log on to, but your IT team are likely to use it to manage projects they’re working on. The objective of GitHub is to create a community of friendly developers, but the open membership policy means this doesn’t always go to plan.

Why is GitHub Dangerous?

Threat actors can easily sign up for membership within a matter of minutes, and then they can begin uploading their malicious code under the pretense of being an innocent software project. Quite often, threat actors will sign up with a username previously used by another developer, this is to trick other developers into thinking this is a reputable account. The GitHub community will believe that any repositories uploaded to this account are safe, and they will download them without thinking. And this is when malware can be unknowingly unleashed on unsuspecting networks.

Threat actors are also using GitHub to host command and control servers, which allow attackers to create communication channels into infected devices. Usually, this would be indicated by an unusual domain address in your network traffic. But with GitHub’s credentials being used, this would look less suspicious, especially if you team access GitHub. It’s also convenient, for the threat actors, to use a public service where launching a command control server is much easier than building an infrastructure from scratch.

Finally, GitHub is being used as a storage space for malware, as demonstrated in this fake proof-of-concept software attack. This particular attack allowed the threat actors to exploit a known vulnerability within the Linux operating system, which is commonly used by developers working on GitHub. These attacks can even catch out the security experts, so they underline just how dangerous GitHub can be if you’re not vigilant.

How Can You Work Safely with GitHub?

Threat actors are essentially turning certain parts of GitHub into a malicious website, so it’s crucial you know how to manage this threat. The most effective step you can take is to block access to GitHub on your organization’s network. Your staff are highly unlikely to need to access GitHub anyway, so this makes sense. However, some of your IT staff, and any developers you employ, may still require access to complete their job.

GitHub, of course, isn’t the only legitimate website to be harboring malware. Huge sites such as Dropbox and Google Drive are all capable of delivering malware to unsuspecting members. Therefore, you should only ever download from trusted sources.

For more ways to secure and optimize your business technology, contact your local IT professionals.

5 Forms of Hacking Which You May Not Be Familiar With

Free WiFi, Hacking, malicious code, malicious extensions, malicious links, malicious websites, Ophtekmalware, Ophtek, phishing, public wifi, ransomware, security, vulnerabilityOphtek, LLC

Jun 2022

All organizations are at risk of being hacked, and that’s why we’re familiar with the most common forms of hacking. But what about the lesser-known hacks?

With 300,000 new strains of malware being created every day, it comes as no surprise to discover that some of these are less familiar than others to PC users. And it’s this lack of familiarity which makes them so dangerous. Not only is it harder to be on your guard against them, but there’s also the small problem of not knowing how to remove them from an infected system. However, a little bit of education goes a long way. And that’s why we’re going to give you the lowdown on 5 forms of hacking which you may not be familiar with.

The Hacks You Need to Know About

Attack strategies such as phishing and ransomware are well known, so it’s time to learn about the lesser known cyberattacks you need to be prepared for:

SQL Injection Attacks: SQL is a common coding language used to design and manage databases, many of which are connected to a public facing website. Typically, these databases will hold significant amounts of secure data e.g. personal details and financial information. As a result, these are highly attractive targets for hackers. Attacks are made on these databases by injecting malicious SQL code and manipulating the server’s responses in numerous ways. This strategy allows hackers to gain access to unauthorized information and steal it.

Man in the Middle Attacks: using compromised IoT devices, or simply taking advantage of poorly secured public Wi-Fi, a Man in the Middle Attack allows threat actors to access your network connections. It’s a scenario which grants hackers the opportunity to monitor your communications and data transfers in real time. Therefore, confidential data can be stolen and traffic redirected with ease.

Brute Force Attacks: this is one of the oldest hacking strategies devised by hackers, but it doesn’t grab the headlines in the same way modern threats such as ransomware do. However, it remains an effective strategy, and one which is only getting more sophisticated. As the name suggests, brute force attacks launch a relentless campaign whereby a bot will try numerous login credential combinations until it finds the correct one to breach your security.

DNS Cache Poisoning: a DNS server takes domain names, such as ophtek.com, and translates them into an IP address which can be used to deliver data between two points. However, if a threat actor identifies a vulnerability in a DNS server, they can inject false data into its cache. This ‘poisoning’ of the DNS cache means that internet traffic will be directed away from its intended location, and this will most commonly be re-routed to a malicious website.

Fake Public Wi-Fi: hackers will go as far as setting up a fake public Wi-Fi which uses your company’s name or one that sounds similar. For example, a visitor to a Starbucks café, may detect a wireless network with a name such as “St@rbucks Free Wi-Fi” and assume it’s genuine. However, connecting to a public connection such as this opens a whole world of potential trouble. And, don’t forget, your own employees are also at risk of connecting their work devices to a fake Wi-Fi network, the result of which will expose your genuine network.

As with the most common forms of hacking, understanding the basics of good IT security is the most effective way to minimize the chances of these rarer attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Solid State Drives Targeted by Stubborn New Malware

Hackers, malicious code, Ophtek, solid state drive (SSD), Updateshackers, malicious code, Ophtek, solid state drive (SSD), updateOphtek, LLC

Jan 2022

A new strain of malware has been developed which allows threats to be delivered to an inaccessible area of a solid state drive (SSD).\

The attack in question is not currently active, but the possibility of this attack has been modeled and proved successful by a group of Korean security researchers. However, hackers are persistent and they have likely been investigating such an attack for some time – similar strategies have already been employed to hide malware on hard disk drives (HDD). And, thanks to the rapid rise of SSDs over the last decade, threats to their security are only going to become more common.Combatting threats that have stealth on their side is crucial for protecting your IT infrastructures, so you need to take this threat very seriously. Let’s take a look at why and how your SSDs are at risk.

How Does This New Attack Work?

The Korean researchers have found a specific vulnerability in the design of certain SSDs which makes hacking them that little bit easier. An SSD which employs flex capacity (a technique where storage devices adjust their space to enhance performance) is the main target of this latest threat. Such an SSD contains an area known as over-provisioning which is located in an inaccessible area of the SSD. This area takes up, depending on the current demand, between 7 – 25% of the SSD capacity. And this over-provisioning area is invisible to the PCs operating system.

Due to the invisible nature of this over-provisioning space, it cannot be reached by applications such anti-virus tools or user intervention. However, it’s possible to exploit the size of this ‘hidden’ area and enlarge it by manipulation through the SSD firmware manager. Not only does this allow a hacker to deposit malware here, but it gives them access to the over-provisioning space – where sensitive data may remain for several months. It’s this sophisticated attack method which makes it difficult to detect and even more difficult to remove.

What Should You Do If You Have an SSD?

It’s believed that the attack required to exploit the over-provisioning area is not currently active. But it remains a viable threat and it’s only a matter of time before a hacker formulates a successful strategy. The sophisticated nature of this exploit means that tackling such an attack is difficult for an average PC user to complete. Solving this vulnerability lies with the manufacturers of SSDs who need to rethink the design of their systems.

Ideally, real time monitoring of these hidden areas needs implementing, with a view to providing a ‘wipe’ option when the over-positioning capacity increases rapidly. Nonetheless, it remains good practice to install every update and patch which is released for your SSD. Software within the SSD software will regularly need updating and these could be used to strengthen the defense of your SSD. Therefore, prioritizing and automating updates remains important to protect your PCs.

For more ways to secure and optimize your business technology, contact your local IT professionals.

What are Zero-Click Attacks?

malicious code, Ophtek, Pegasus spyware, Software Security Patches, zero-click attacksmalicious code, Ophtek, pegasus spyware, Software security patches, zero-click attacksOphtek, LLC

Dec 2021

One of the less mentioned security threats for PCs is the zero-click attack. Nonetheless, zero-click attacks are one of the most dangerous threats we face.

Traditional cyber security measures tend to focus on PC users following best practices to protect their PC. And, overall, it’s an effective approach. Understanding the importance, for example, of verifying a link in an email before clicking is crucial. But there’s only so much that individuals can do to protect themselves. If hackers can remove this ‘human’ factor from gaining access to a PC then they should, in theory, be home free. And, with a zero-click attack in their toolbox, hackers can quickly exploit even the most vigilant PC users.

How Does a Zero-Click Attack Work?

The most common technique employed in carrying out a zero-click attack is:

A hacker codes a section of malicious data which is then sent to a victim over a wireless connection; the intended target can be either hardware or software. This chunk of data is used to activate a vulnerability in the target. The hacker is then free to gain unauthorized access to the affected device/application. And, using a series of predefined actions, further damage can then be caused e.g. downloading further malware and stealing data.

As you can see from the above description, at no point does the victim have any involvement. It’s this element of the strategy which makes it most troubling for PC users. The technique involved could, for example, involve a message being sent over Skype, a message which is not even opened by the recipient. Yet, the fact that it has been received on a PC means that it can unleash a malicious payload. Perhaps the most famous example of a zero-click attack is the Pegasus spyware hack which allowed hackers to gain access to users’ smartphones via a single WhatsApp message being received.

How Can You Combat Zero-Click Attacks?

It may seem difficult to protect yourself against the unprotectable and that’s why concern has been rapidly building around zero-click attacks. Thankfully, most zero-click attacks – such as Pegasus – have only targeted a tiny proportion of people, mostly government officials and high-ranking journalists. But this is far from a guarantee that you can’t fall victim to a zero-click attack.

As ever, key to protecting your PC and your devices is by installing security patches when they become available. Don’t put them off “until tomorrow” as it only takes a zero-click attack a few seconds to exploit a vulnerability. With your software and hardware running with optimal protection, it’s less likely to become another statistic of security failure. Encryption is also central to keeping your data safe should you find your device breached. Remember: all sensitive documents should be encrypted and backed up.

Final Thoughts

We’re used to malware and ransomware grabbing all the headlines, so that’s why many of us feel confident about battling these threats. But zero-click attacks are more enigmatic, a factor which works heavily in their favor. The discretion achieved by foregoing the need for user error positions zero-click attacks as a favorite of hackers. It may be a method of attack which doesn’t generate many column inches at present, but it’s likely to become more popular as hackers look at more innovative approaches. For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 Next »

Category Archives: malicious code