malware Archives - Page 4 of 19

HeadCrab Attacks Servers with Advanced Malware

authentication, Hackers, HeadCrab, malware, Ophtek, Redis Servers, runtime monitoring, security scansauthentication, hackers, HeadCrab, malware, Ophtek, Redis Servers, runtime monitoring, security scansOphtek, LLC

Mar 2024

A new strain of malware, which contains several different attack methods and is considered a severe threat, has been discovered and named HeadCrab.

The attack focuses its efforts on Redis servers, an open source, in-memory data structure store. In simpler terms, Redis acts as a database, cache, and message broker application which can store data, cookies, and authentication tokens. This means it contains confidential and personal data, which is a currency valued highly by threat actors. Redis is incredibly popular and used by many high-level clients, some of whom include Amazon, Adobe, OpenAI, and Airbnb. Therefore, it’s likely you and your team will visit websites using Redis servers, and you need to stay safe.

Unpacking the HeadCrab Attack

Redis servers appear to have been targeted by HeadCrab due to the fact they’re often exposed to the internet, without any solid authentication in place to protect them. This makes them highly vulnerable and puts any data stored on them at high risk. Using advanced coding techniques, the threat actor starts by taking control of a Redis server. This allows them to then download HeadCrab onto the infected server. This, as the command logs reveal, is a complex process, and one which leaves no stone unturned, highlighting the advanced skills of the threat actor.

With HeadCrab now active on the Redis server, it can get to work. Security researchers, who have reverse engineered HeadCrab, have discovered eight custom commands contained within its module. These allow HeadCrab to set up encrypted communication channels, reconfigure Redis servers, run exclusively in memory to avoid detection, and even run its own blog detailing its current activities and news.

Staying Safe from HeadCrab

Currently, HeadCrab has been detected in over 1200 servers and represents a serious threat. It doesn’t launch its attack using files, instead relying on advanced hacking techniques, so it’s a difficult threat to combat. However, by staying vigilant, your organization can stay safe against the threat of HeadCrab and similar attacks. The best ways to achieve this are:

Run security scans: using scanning tools contained within software, such as AVG and McAfee, gives your organization the opportunity to discover and nullify malware threats. These scans can be automated and provide you with real-time updates of the scan results. Many of these applications are available in freeware versions, with paid subscriptions allowing you to access more powerful security options.
Use authentication: you may not operate Redis servers, but the HeadCrab attack serves as a cautionary tale for failing to install strict authentication protocols on your servers. This extra layer of security ensures that only those users who are known to your organization can directly access your servers. This minimizes the chances of rogue commands being received by your IT infrastructure by threat actors.
Employ runtime monitoring: it’s important to use runtime monitoring to constantly analyze your IT system’s behavior and performance. This gives you real-time visibility into the operations of your infrastructure, and you can use these metrics to identify suspicious behaviors – such as data packets being sent to unknown addresses – and take actions.

For more ways to secure and optimize your business technology, contact your local IT professionals.

The Dangers of Malware on GitHub

GitHub, malicious code, malware, Open Source Malware, OphtekGitHub, malicious code, malware, open source malware, OphtekOphtek, LLC

Mar 2024

GitHub is a wildly popular website for developers to create, share, and store their code, but it’s also being increasingly used to spread malware.

Launched in 2008, GitHub quickly became the number one destination for developers. Packed full of features – such as hosting open source code, bug tracking tools, and software requests – GitHub is the perfect one-stop shop for developers looking to collaborate and enhance their software. However, where there’s code, there’s also potential for malware to rear its ugly head. And, in the last few years, GitHub has been exploited by numerous threat actors.

How does GitHub Work?

GitHub is an online repository where developers can come together to pool resources and knowledge to improve their software builds. It may not be something that most of your staff are likely to log on to, but your IT team are likely to use it to manage projects they’re working on. The objective of GitHub is to create a community of friendly developers, but the open membership policy means this doesn’t always go to plan.

Why is GitHub Dangerous?

Threat actors can easily sign up for membership within a matter of minutes, and then they can begin uploading their malicious code under the pretense of being an innocent software project. Quite often, threat actors will sign up with a username previously used by another developer, this is to trick other developers into thinking this is a reputable account. The GitHub community will believe that any repositories uploaded to this account are safe, and they will download them without thinking. And this is when malware can be unknowingly unleashed on unsuspecting networks.

Threat actors are also using GitHub to host command and control servers, which allow attackers to create communication channels into infected devices. Usually, this would be indicated by an unusual domain address in your network traffic. But with GitHub’s credentials being used, this would look less suspicious, especially if you team access GitHub. It’s also convenient, for the threat actors, to use a public service where launching a command control server is much easier than building an infrastructure from scratch.

Finally, GitHub is being used as a storage space for malware, as demonstrated in this fake proof-of-concept software attack. This particular attack allowed the threat actors to exploit a known vulnerability within the Linux operating system, which is commonly used by developers working on GitHub. These attacks can even catch out the security experts, so they underline just how dangerous GitHub can be if you’re not vigilant.

How Can You Work Safely with GitHub?

Threat actors are essentially turning certain parts of GitHub into a malicious website, so it’s crucial you know how to manage this threat. The most effective step you can take is to block access to GitHub on your organization’s network. Your staff are highly unlikely to need to access GitHub anyway, so this makes sense. However, some of your IT staff, and any developers you employ, may still require access to complete their job.

GitHub, of course, isn’t the only legitimate website to be harboring malware. Huge sites such as Dropbox and Google Drive are all capable of delivering malware to unsuspecting members. Therefore, you should only ever download from trusted sources.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further.

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems.

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them.

BattleRoyal’s Malware Campaign

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users.

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence.

How to Stay Safe from BattleRoyal

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections:

Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails.
Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date.
Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Agent Raccoon Malware Strikes Targets Across the Globe

Agent Raccoon, backdoor attack, malware, network traffic, Ophtek, Phishing Email, trusted updatesAgent Raccoon, backdoor attack, malware, network traffic, Ophtek, phishing, trusted updatesOphtek, LLC

Jan 2024

A new strain of malware called Agent Raccoon has been discovered, and it appears to have been launched by nation-state threat actors.

A wide range of different organizations – based in sectors such as education, government, non-profit, and telecommunications – have fallen victim to Agent Raccoon. And these organizations aren’t based purely in the US, with attacks also discovered in African and the Middle East. Clearly, Agent Raccoon is an ambitious piece of malware and, given the nation-state approach of the attack, it’s one to be on your guard against.

How Does Agent Raccoon Work?

Although the exact identity of the threat actors behind Agent Raccoon remains unknown, security researchers have been able to detail how the malware works. Disguised as either a Microsoft OneDrive Update or Google Update, Agent Raccoon tricks unwitting victims into downloading an executing it. Once initiated, Agent Raccoon launches its backdoor attack. Using Domain Name Service protocols, Agent Raccoon can communicate directly with the command-and-control server set up by its creators.

Primarily, Agent Raccoon focuses its malicious attention on three main areas:

Opening up remote access to the infected PC
Incoming and outgoing file transfers
Remote command execution

However, Agent Raccoon’s activities do not appear to be set in stone. Researchers have discovered numerous variants of Agent Raccoon, suggesting that the threat actors are regularly updating it.

Can Agent Raccoon Be Stopped?

Agent Raccoon isn’t the most persistent piece of malware to have been developed, but it remains a major problem for those that it infects. As ever, maintaining strict security practices is vital for protecting your IT infrastructure. Accordingly, you need to make sure that all members of your organization are fully versed in the following:

Question all emails and links: even if an email appears to have been sent by a trusted source, this can easily be faked. Therefore, all incoming emails should be scrutinized closely. This means hovering your mouse cursor over any links to reveal their true destination, double checking email addresses to confirm they are correct and not a close variation, and contacting the sender of emails to double check they are genuine.
Only accept updates from genuine sources: software updates are an important aspect of PC security but should only even be downloaded directly from the developer. Online adverts and emails suggesting that you download these from alternative sources should never be trusted. Often, the files at the heart of these downloads are nothing but malware. So, stick to legitimate downloads and rest assured that they will be safe.
Monitor network traffic: Agent Raccoon communicates with a remote server and also transmits significant amounts of data. This means that you should be monitoring your network activity for any unusual traffic. If, for example, an unknown destination regularly starts connecting with your network, it could be a sign that your network has been compromised. In these situations, connections to this destination should be terminated and fully investigated.

For more ways to secure and optimize your business technology, contact your local IT professionals

Facebook Ads Used to Deliver NodeStealer Malware

block social media, Facebook Ads, malware, NodeStealer, Ophtek, Phishing, Suspicious linksFacebook Ads, links, malware, NodeStealer, Ophtek, phishing, social mediaOphtek, LLC

Dec 2023

Threat actors have turned to Facebook ads to unleash NodeStealer on unsuspecting victims, and they’re using scantily clad women to achieve this.

Facebook is no stranger to finding its ad network compromised to spread malware, but what’s interesting about this latest campaign is that it primarily targets males. At the core of this attack is NodeStealer, a strain of malware which has been active for several months. However, NodeStealer has changed. At the start of its existence, it was designed in JavaScript, but it’s now being coded with the Python programming language.

NodeStealer is part of a wider campaign, believed to have its origins in Vietnam, to steal sensitive data, and it’s more than worthy of your attention.

How Does NodeStealer Target its Victims?

Using marketing strategies almost as old as time, the threat actors behind NodeStealer have used the provocative lure of female flesh to entice their victims. Taking advantage of the massive reach of Facebook’s ad network, these threat actors have created adverts which contain revealing photos of young women. The objective of these adverts is to encourage people to click on them, a process which will download an archive of malicious files.

One of these files is called Photo Album.exe but, far from containing any photos, it simply downloads a further executable file which unleashes NodeStealer. With NodeStealer running rampant on an infected system, it will begin harvesting login credentials and, in particular, it will attempt to take control of Facebook business accounts. With further business accounts compromised, NodeStealer can launch even more malicious ad campaigns and spread itself further.

Stay Safe from the Threat of NodeStealer

NodeStealer is a classic example of malware deceiving its victims to achieve its goal. And it’s not surprising to hear that the 18 – 65 male demographic have made up the majority of its victims. Regardless of the bait, however, NodeStealer provides us with a number of interesting lessons to learn. The most important takeaways should be:

Block social media sites: the NodeStealer campaign is the perfect example of why corporate networks should block social media sites. Yes, certain businesses will need to access these sites for marketing reasons, but general access should be shut down to employees.
Educate on phishing techniques: the threat actors behind NodeStealer have used typical phishing techniques to convince unsuspecting users that they should click on their ads. And this is where you need to educate your employees. Demonstrate how if it sounds too good to be true, then it almost always is. Make this not just part of your IT inductions, but also as regular refreshers to keep employees on their guard.
Always double check links: the malicious links contained in adverts will usually direct people to a different destination than promised. This means it’s crucial you understand the importance of checking links before clicking them. The simplest way to do this is by hovering your mouse cursor over links to reveal their true destination. And, always remember, if in doubt about a link (or advert), check with an IT expert before clicking it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

« Previous 1 2 3 4 5 6 … 19 Next »

Category Archives: malware