data harvest Archives

Microsoft Defender Caught Out by Fake Gaming Malware

cryptocurrency, cryptojacking, data harvest, Defender, malware, Malwarebytes, Ophtek, Orbit Unitcryptocurrency, cryptojacking, data harvest, Defender, malware, Malwarebytes, Ophtek, Orbit UnitOphtek, LLC

Dec 2024

Microsoft Defender is an app whose objective is to defend against malware, but what happens when malware outsmarts it?

We’ve all heard the headlines about the volatile world of NFTs, but a new development is that they’re being used to help spread malware. In a particularly extreme case, one PC user thought they were downloading an NFT game, but the only thing which got played was the victim’s Google account. As a result of the Google account being hijacked, the victim ended up losing over $24,000 in cryptocurrency.

This incident, as with many other scams, relied on a momentary lapse of judgement, so we’re going to put it under the spotlight to see what we can learn.

How Did an NFT Game Carry Out a Robbery?

The attack started when the victim received a message from a stranger over Telegram, an encrypted messaging service which prides itself on the anonymity it provides users. The message urged the victim to download a blockchain game called Orbit Unit. Deciding that the message was harmless and the recommendation worthy of investigation, the victim downloaded Orbit Unit and installed it.

Unfortunately, the download was fake and riddled with malware. Once activated, the malware went on to install a malicious Chrome extension. Housed within the Chrome browser, the extension was titled Google Keep Chrome Extension, in an attempt to mimic the genuine Google note keeping app. The malicious app certainly fulfilled its promise of taking notes but did so in a way which compromised the victim’s data. All data entered into Chrome, be it login credentials, cookies, or browser history, was harvested by the malware.

For the victim, it was particularly frustrating as they had Malwarebytes on their PC and it failed to detect the malware. This has been attributed to the victim most likely having the free version of Malwarebytes, where real-time protection isn’t activated. What they did have, though, was Microsoft Defender, an app which promises to help “individuals and families protect their personal data and devices.” In this instance, Microsoft Defender failed spectacularly.

The threat actor behind the malware was able to access the victims Google passwords through Chrome and gain access to their cryptocurrency wallets. It was from here that they were able to steal $24,000 worth of cryptocurrency.

Staying Safe When Malware Protection Fails

You and your employees may not deal in cryptocurrency, but this cyberattack demonstrates the importance of being able to identify a potential attack and protect your data. Therefore, make sure you practice these best security practices:

Don’t Click Suspicious Links: Any links you receive via email, websites, or mobile devices should always be scrutinized closely before clicking. If they originate from an unknown sender or use unusual language with a sense of urgency to click, you need to get them verified by an IT professional in order to prevent downloading malware.
Use Real Time Protection Software: Installing anti-malware software should always be a priority, but you need to make sure you’re using one with real-time protection tools. This ensures that malware is identified and stopped in its tracks before it can activate its malicious payload.
Don’t Use Autologin on Chrome: Sure, it saves you a few minutes over the course of a week, but the autologin feature on Chrome also sets you up to fail. This tool stores login tokens in your browser and means you don’t have to use your password to access sites each time. However, if a threat actor gains access to them – as they did in the attack on LinusTechTips – they can gain access to all of your accounts. Learn how to turn autologin off in this guide.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Hackers Use Microsoft Platform to Launch Malware Attacks

data harvest, Hackers, malware, MSBuild, Ophtek, redline stealerdata harvest, hackers, malware, MSBuild, Redline StealerOphtek, LLC

Jun 2021

Hackers are innovative and industrious individuals, a description which is best demonstrated by their recent leverage of MSBuild to deliver malware.

The Microsoft Build Engine (MSBuild) is an open-source platform which allows software developers to test and compile their source codes. Operational since 2003, the platform has proved to be highly popular with developers and, accordingly, supports a large number of users. And it’s this popularity which has made it so attractive to hackers. By targeting these source codes at a development stage, the hackers are able to piggyback their malicious software into genuine software.

While your organization may not be involved in software development, there’s always the risk that you could end up working with software which is pre-loaded with malware. Therefore, we’re going to take a look at this MSBuild hack.

How are Hackers Infecting MSBuild?

Project files housed within MSBuild can be integrated within executable files which allow the hackers to launch their malicious payloads. But, as ever, hackers have been keen to remain stealthy; the infected payload does not run as a file. Instead, the malicious code is loaded into the PCs memory and it is here that the attack is launched. So far, it has been established that at least three forms of malware have been injected into systems via this approach. Redline Stealer, Remcos and QuasarRAT are the most recognisable forms of malware and have the potential to cause great damage.

Redline Stealer is primarily used as a data harvester and, as such, is mostly employed to steal login credentials and sensitive data. Remote access and surveillance, meanwhile, is the heartbeat of Remcos and allows hackers to hijack PCs remotely. Finally, QuasarRAT is another remote access tool and one which grants hackers full control of infected PCs. Naturally, these three malware variants are the last things you want on your system. And, given that they run filelessly and in the memory of a PC, it’s a threat which is difficult to tackle.

Protecting Yourself Against Memory Based Malware

Malware which operates from within the memory of your PC is difficult to tackle, but not impossible. Start by making sure you carry out these best security practices:

Monitor Network Activity: Regardless of whether a malware attack is file-based or fileless, there will be noticeable changes in your network activity. Any unusual spikes in data transfer or transmissions to unusual destinations should be investigated immediately.

Ensure PCs are Updated and Patched: Many fileless attacks take advantage of hardware and software vulnerabilities. Therefore, it’s critical that all updates are implemented as soon as they are available. This strategy ensures that, even if your PCs memory is breached, the chance of this malware taking hold is minimized.

Disable Macros where Possible: Macros are useful pieces of code that can save users time by carrying out automated procedures instantly. But they can also be manipulated by hackers to carry out malicious procedures. And that’s why many IT departments choose to disable these within organizations except where trusted macros have been tested and verified.

Unfortunately, not all antivirus software can detect fileless malware such as that involved with the MSBuild hack. Conventional, file-based malware leaves behind digital footprints which are easy to detect, but this is not the case with fileless variants. In order to fully protect yourself, check with vendors whether their software has the capability to combat fileless malware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Tag Archives: data harvest