Ophtek Archives

WarmCookie Malware Serves Up Fake Browser Updates

backdoor malware, compromised websites, fake updates, Ophtek, pop-up prompts, WarmCookiebackdoor malware, compromised websites, fake updates, Ophtek, pop-up prompts, WarmCookieOphtek, LLC

Oct 2024

Cybercriminals are using fake browser updates to spread the WarmCookie backdoor malware in a new campaign targeting users in France.

Browsers are a crucial component of modern business IT and are used almost continuously throughout the day. Whether its placing orders for stock, updating customer portals, or researching your competitors, your employees will be utilizing apps such as Chrome, Edge, and Firefox. And it’s this essential nature of browsers which makes them the perfect target for threat actors. WarmCookie was first detected in 2023, when fake OneDrive attachments were used to deploy its payload, and has recently resurfaced in France. Backdoor attacks have the potential to cause major damage to your IT infrastructures and data security, so it’s vital that you’re aware of how these attacks work.

The Basics of the WarmCookie Attack

The WarmCookie malware campaign targets its victims by concealing itself as fake browser or application updates. When a user visits a compromised website, they’re advised to download what, for all intents and purposes, looks like an update for popular browsers such as Chrome or essential Browser tools like Java. Some of the websites involved in the WarmCookie attack appear to be compromised websites, yet some seem manufactured to promote the downloading of browser updates.

Regardless of the type of website involved, instead of downloading a genuine update, the user will only be able to download the WarmCookie malware. Once this malware is activated, it opens a backdoor into the user’s system, this allows the attackers to carry out a wide range of malicious activities. Primarily, WarmCookie seeks to steal sensitive information such as login credentials, but it also focuses on executing remote commands and downloading further strains of malware onto the infected system.

So far, the campaign appears to have limited its activities to targeting PC users in France. WarmCookie is also renowned for being stealthy and evasive, which enables it to remain undetected on systems for long periods. This allows the attackers to access compromised systems at their own pace, increasing the risk of more severe damage. Therefore, due to this silent and persistent operation, WarmCookie should be classified as a highly dangerous piece of malware.

Avoid the Dangers of Malicious Downloads

Thankfully, you don’t have to become one of WarmCookie’s victims as it’s relatively simple to avoid. With a little education, you can equip yourself and your staff with the best practices to deflect any malicious download threats:

Only Download from Official Sources: it’s paramount that you stick to downloading software, updates, and files from official websites with a direct link from the software’s developer. Third-party or unofficial websites may appear appealing and simple, but they’re often hosting pirated or infected files which could easily contain malware.
Be Wary of Pop-up Update Prompts: pop-up messages are part and parcel of life online in the 21st century, but it’s important that you analyze their content before taking any actions. While they may claim to be linking to a legitimate update, it could very easily be a slice of malware which is on offer. Therefore, always double check by visiting the developer’s website to confirm this update is genuine.
Verify File Integrity: to verify how trustworthy a file is, you can always check its digital signature or file hash to ensure its authenticity. A genuine and valid signature will indicate that the file hasn’t been tampered with by third parties. And file-checking tools – such as VirusTotal – can help you avoid installing infected or manipulated versions of file updates.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A new malware attack has been discovered which uses the SnipBot malware to dig deep into the victim’s network and harvest data.

SnipBot is a variant of the RomCom malware, which has previously been used for data harvesting and financially motivated attacks such as the Cuba ransomware attack. SnipBot’s malicious campaign has been widespread, with victims identified in multiple industries including legal, agriculture, and IT sectors. SnipBot performs what is referred to as a pivot, a process by which malware moves between compromised systems on the same network to access as many workstations as possible. This maximizes the amount of data SnipBot can steal and marks it out as a major threat.

SnipBot Unleashed

With 3.4 billion phishing emails sent daily, it’s clear that phishing attacks are incredibly popular with threat actors. And this is the exact approach adopted by SnipBot.

The SnipBot malware attack starts with phishing emails which trick recipients into downloading fake files disguised as legitimate PDFs. When the victim clicks on a link contained within the PDF, a malicious downloader is activated. As these downloaders are signed using real security certificates, they avoid detection by security software.

The malware can then inject itself into core system processes such as explorer.exe, and it can maintain this presence even after a reboot. Once inside the victim’s system, SnipBot sets about collecting sensitive data from popular folders, like Documents and OneDrive. This harvested data is then sent back to the attacker via a remote server.

Palo Alto Networks researchers, who discovered the SnipBot campaign, are unsure as to the true objectives of SnipBot. At present, there appears to be no financial motive present in the attack, so it has been labelled purely as an espionage threat.

How Can You Stay Safe from SnipBot?

Luckily, phishing attacks such as SnipBot can be easily managed. By following these best practices, you’ll not only prevent malware being executed, but also avoid it in the first place:

Verify the Sender: it’s paramount that you always check and double check the sender’s email address, especially when the email is laced with a sense of urgency to perform an action. Phishing emails will often use addresses which look genuine but contain slight errors e.g. admin@0phtek.com where the letter O has been replaced with a zero. If you’re unsure, you can always Google the company to find their official website and verify the domain used.
Don’t Click on Suspicious Links: instead of clicking on suspicious links, the safest option to take is to hover over any links to preview the URL. Embedded links can easily be faked to appear genuine, but contain a link to a different, malicious website. Again, you can Google websites directly to navigate your way to any sections referenced in the email. This prevents you from accessing a malicious website loaded full of malware.
Contact the Sender: legitimate businesses and clients will never request sensitive information – such as login credentials – over emails, so these requests should always ring alarm bells. If you do receive such a request, the best option to take is contact the sender via telephone to confirm whether the email is genuine.
Use Spam Filters: one of the best ways to stop phishing emails reaching your inbox is to activate your emails spam filters. These use vast databases to identify potential threats and redirect them to your spam folder. You can also use your spam filters to block repeat offenders, enhancing the safety of your inbox.

For more ways to secure and optimize your business technology, contact your local IT profe ssionals.

Italian PC users have become the target of SambaSpy, a new strain of malware which appears to originate from Brazil and employs phishing emails.

First detected by Kaspersky in May 2024, SambaSpy currently only seems to have targeted PC users in Italy. This is unusual as threat actors tend to focus their attacks on a more global range to maximize potential victims. However, it’s being speculated that SambaSpy may be using Italy as a test run before going global. Regardless of its future plans, SambaSpy utilizes a multifunctional attack, and can log keystrokes, harvest data, take screenshots, download files, and take control of process management on infected PCs.

With its strong range of weaponry, SambaSpy represents a significant threat to PC users and needs investigating further.

Say Ciao to SambaSpy

The SambaSpy attack originates within a phishing email, one which contains either an embedded link or an HTML attachment. Once the HTML attachment has been activated, one of either a malware dropper or downloader is executed from a ZIP archive. The malware dropper will load the main payload of SambaSpy from the same ZIP archive whereas the downloader will retrieve it from a remote server. The dropper is used to retrieve the malware payload from a remote location. The embedded link route sends users on a convoluted journey to a malicious site hosting the downloader or dropper.

Once SambaSpy is fully activated, it has the potential to launch all of the attack threats previously mentioned. Therefore, it’s capable of compromising every single activity taking place on your PC. SambaSpy is also clever enough to load plugins when an infected PC starts up, this allows it to shape and change its activities as required. Also of note is that SambaSpy will actively seek out web browsers in order to steal data, putting login credentials and financial information at risk of being harvested.

The attack is believed to have originated from a Brazilian threat actor as one of the malicious webpages involved features JavaScript code with Brazilian Portuguese comments. A number of recent banking trojans – including BBTok and Mekotio – have recently targeted Latin American users with phishing scams, so there may be a connection between these and SambaSpy.

Navigating the Threat of SambaSpy

While SambaSpy has only been detected in Italy, this could change very quickly as the malware becomes more powerful and widespread. Therefore, to safeguard your PCs against this and other similar threats, you need to keep your team up to date with these best practices:

Always Scrutinize the Sender: if you don’t recognize the sender of an email, then this should immediately be cause for concern when attachments or embedded links are included. Also, many threat actors will fake genuine email addresses, but use slightly different spellings e.g. support@m1crosoft.com in order to lull you into a false sense of security. Additionally, if an email claims to be from a large company but is using a generic email address such as BankofAmerica@gmail.com, this is also likely to be a phishing email.
Identify Red Flags: phishing emails will often contain urgent language designed to provoke you into making an immediate response. These call-to-actions are often along the lines of “your account has been compromised” or “this update must be downloaded to secure your PC” to instill a sense of fear. Additionally, phishing emails often have numerous grammatical errors and poor spelling, so make sure you’re aware of these telltale signs.

For more ways to secure and optimize your business technology, contact your loc al IT professionals.

There’s nothing worse that a new and innovative malware approach, but that’s exactly what Google users have been exposed to.

This latest attack takes advantage of Google’s kiosk mode. For those of you not familiar with kiosk mode, here’s a quick breakdown: it’s a Chrome browser mode which limits devices to use only one specific app or function, perfect for public or business use. It protects devices by locking access to the rest of the device away. Typically, they can be seen in staff sign-in devices or on devices which provide access to in-person catalogues. And hackers are now exploiting kiosk mode to launch data harvesting malware.

Understanding the Google Kiosk Attack

OALABS security researchers have revealed how the attack unfolds, so we’re going to walk you through the nefarious activity and processes. Initially starting with the execution of, in the majority of cases, the Amadey malware, the attack starts with Amadey scanning the device for available browsers. Once it finds, for example, Chrome, Amadey will launch the browser in kiosk mode and direct it to a legitimate, yet compromised URL.

Cleverly, Amadey ensures that both the F11 and Escape keys are disabled, making it difficult for victims to close kiosk mode down in an instant. It’s also particularly tricky, for users, as kiosk mode tends to run in full-screen mode, meaning typical browser features such as navigation buttons and toolbars are absent. Users, therefore, are severely restricted in what actions they can take while locked in kiosk mode.

The URL, which launches in kiosk mode, is a genuine ‘change password’ page for Google credentials. However, in the background, Amadey has launched StealC, an information stealer which will then harvest the inputted credentials and forward them to the hackers. The attack is a frustrating one, and one where the hackers hope this frustration will lead to victims entering their login credentials in sheer desperation.

How Do You Escape Kiosk Mode and Stay Safe?

If you find yourself stuck in kiosk mode, there’s a risk that you could be under attack. Luckily, there are a number of measures you can take to nullify the threat:

Use Hotkey Combos: while the F11 and Escape keys may be disabled, other hotkey combos can be used to escape kiosk mode. By trying ‘Alt + F4’, ‘Alt + Tab’, and ‘Ctrl + Alt + Delete’, you may be able to break out of kiosk mode and return to your desktop. Additionally, you can hold down ‘Win Key + R’ to open Windows command prompt where you can type ‘cmd’ and then close down Chrome by typing the following command ‘taskkill /IM chrome.exe /F.’

Perform a Hard Reset: Drastic times often call for drastic measures, so that’s why a hard reset may be your best option here. Simply hold down the power button on your device, usually for five seconds, until it shuts down. You will lose any unsaved work, but it does buy you some breathing time to rescue your device.

Run an Anti-Virus in Safe Mode: Once you’ve escaped kiosk mode, it’s important to remove the initial threat from your device. You can do this by restarting your PC and entering Safe Mode – usually by pressing F8 during the bootup process – and then running anti-virus software such as AVG or Malwarebytes.

For more ways to secure and optimize your business technology, contact your local IT professio nals.

Macros make our lives easier when it comes to repetitive tasks on PCs, but they’re also a potential route for malware to take advantage of.

The most up to date version of MS Office prevents macros from running automatically, and this is because macros have long been identified as a major malware risk. However, older versions of MS Office still run macros automatically, and this puts the PC running it at risk of being compromised. Legacy software, such as outdated versions of MS Office, comes with a number of risks and drawbacks, but budgetary constraints mean many businesses are unable to update.

Malicious MS Office Macro Clusters

A macro is a mini program which is designed to be executed within a Microsoft application and complete a routine task. So, for example, rather than taking 17 clicks through the Microsoft Word menu to execute a mail merge, you can use a single click of a macro to automate this process. Problems arise, however, when a macro is used to complete a damaging process, such as downloading or executing malware. And this is exactly what Cisco Talos has found within a cluster of malicious macros.

Several documents have been discovered which contain malware-infected macros, and they all have the potential to download malware such as PhantomCore, Havoc and Brute Ratel. Of note is that all of the macros detected so far appear to have been designed with the MacroPack framework, typically used for creating ‘red team exercises’ to simulate cybersecurity threats. Cisco Talos also discovered that the macros contained several lines of harmless code, this was most likely to lull users into a false sense of security.

Cisco Talos has been unable to point the finger of blame at any specific threat actor. It’s also possible that these macros were originally designed as a part of a legitimate cybersecurity exercise. Regardless of the origins of these macros, the fact remains that they have the potential to expose older versions of MS office to dangerous strains of malware.

Protect Your Systems from Malicious Macros

The dangers of malicious macros require you to remain vigilant about their threat. Clearly, with this specific threat, the simplest way to protect your IT systems is to upgrade to the latest version of MS Office. This will enable you to block the automatic running of macros and buy you some thinking time when you encounter a potentially malicious macro. As well as this measure, you should also ensure you’re following these best practices:

Always Verify Email Attachments: a common delivery method for malicious macros is through attachments included with phishing emails. This is why it’s crucial that you avoid opening macros in documents which have been received from unknown sources. As with all emails, it’s paramount that you verify the sender before interacting with any attachments.
Install All Security Updates: almost all software is regularly updated with security patches to prevent newly discovered vulnerabilities from being exploited. Macros are often used to facilitate the exploitation of software vulnerabilities, so it pays to be conscientious and install any security updates as soon as they’re available.
Use Anti-Malware Software: security suites, such as AVG, perform regular, automated scans of your PCs to identify any potential malware infections. In particular, many of these security suites target malicious macros, so they make a useful addition to your arsenal when targeting the threat of macros.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

1 2 3 … 57 Next »

WarmCookie Malware Serves Up Fake Browser Updates

SnipBot Malware Used to Steal Data from Victims

SambaSpy Targets Italian PC Users with Phishing Emails

Kiosk Mode Exploited to Steal Google Credentials

Malicious Macros Target Old Versions of MS Office

Category Archives: Ophtek