malware Archives

Microsoft Defender Caught Out by Fake Gaming Malware

cryptocurrency, cryptojacking, data harvest, Defender, malware, Malwarebytes, Ophtek, Orbit Unitcryptocurrency, cryptojacking, data harvest, Defender, malware, Malwarebytes, Ophtek, Orbit UnitOphtek, LLC

Dec 2024

Microsoft Defender is an app whose objective is to defend against malware, but what happens when malware outsmarts it?

We’ve all heard the headlines about the volatile world of NFTs, but a new development is that they’re being used to help spread malware. In a particularly extreme case, one PC user thought they were downloading an NFT game, but the only thing which got played was the victim’s Google account. As a result of the Google account being hijacked, the victim ended up losing over $24,000 in cryptocurrency.

This incident, as with many other scams, relied on a momentary lapse of judgement, so we’re going to put it under the spotlight to see what we can learn.

How Did an NFT Game Carry Out a Robbery?

The attack started when the victim received a message from a stranger over Telegram, an encrypted messaging service which prides itself on the anonymity it provides users. The message urged the victim to download a blockchain game called Orbit Unit. Deciding that the message was harmless and the recommendation worthy of investigation, the victim downloaded Orbit Unit and installed it.

Unfortunately, the download was fake and riddled with malware. Once activated, the malware went on to install a malicious Chrome extension. Housed within the Chrome browser, the extension was titled Google Keep Chrome Extension, in an attempt to mimic the genuine Google note keeping app. The malicious app certainly fulfilled its promise of taking notes but did so in a way which compromised the victim’s data. All data entered into Chrome, be it login credentials, cookies, or browser history, was harvested by the malware.

For the victim, it was particularly frustrating as they had Malwarebytes on their PC and it failed to detect the malware. This has been attributed to the victim most likely having the free version of Malwarebytes, where real-time protection isn’t activated. What they did have, though, was Microsoft Defender, an app which promises to help “individuals and families protect their personal data and devices.” In this instance, Microsoft Defender failed spectacularly.

The threat actor behind the malware was able to access the victims Google passwords through Chrome and gain access to their cryptocurrency wallets. It was from here that they were able to steal $24,000 worth of cryptocurrency.

Staying Safe When Malware Protection Fails

You and your employees may not deal in cryptocurrency, but this cyberattack demonstrates the importance of being able to identify a potential attack and protect your data. Therefore, make sure you practice these best security practices:

Don’t Click Suspicious Links: Any links you receive via email, websites, or mobile devices should always be scrutinized closely before clicking. If they originate from an unknown sender or use unusual language with a sense of urgency to click, you need to get them verified by an IT professional in order to prevent downloading malware.
Use Real Time Protection Software: Installing anti-malware software should always be a priority, but you need to make sure you’re using one with real-time protection tools. This ensures that malware is identified and stopped in its tracks before it can activate its malicious payload.
Don’t Use Autologin on Chrome: Sure, it saves you a few minutes over the course of a week, but the autologin feature on Chrome also sets you up to fail. This tool stores login tokens in your browser and means you don’t have to use your password to access sites each time. However, if a threat actor gains access to them – as they did in the attack on LinusTechTips – they can gain access to all of your accounts. Learn how to turn autologin off in this guide.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Infostealer malware is frequently referenced as the go-to weapon for threat actors, but what is it? And how do you protect your IT systems from it?

You only have to take a quick look over the Ophtek blog to understand the popularity of infostealers in modern hacking. From fake Zoom sites through to SnipBot and SambaSpy, threat actors are determined to get their hands on your sensitive data. Infostealers, therefore, present an everyday threat to PC users and it’s crucial you understand their methods and impact.

Luckily, Ophtek has your back, and we’re going to take a deep dive into infostealers to equip you with the knowledge you need to stay safe.

What is an Infostealer?

The main objective of all infostealer malware is to harvest confidential data from a compromised system. With this stolen data, threat actors have the opportunity to conduct numerous crimes such as identity theft or financial damage. This makes infostealer malware such a serious threat, especially in the age of big data, where organizations hold huge amounts of data on their IT systems. As with most modern malware, infostealer has strong stealth capabilities, allowing it to operate in the background without being detected and strengthening its impact.

The Danger Behind Infostealers

Infostealers can be individual malware threats or part of a more extensive suite of malware applications. Whatever their method, infostealers tend to focus on stealing the following data:

System login credentials
Social media and email passwords
Bank details
Personal details

All of these data categories have the potential for serious damage e.g. hacking someone’s personal emails and reading confidential information or clearing someone’s bank account out. From a business perspective, infostealers also have the potential to gain access to secure areas of your IT infrastructure and compromise the operations of your business. All of this data is taken directly from your servers and then discreetly transmitted to a remote server set up by the threat actors.

How Do Infostealers Strike?

Threat actors have developed numerous strategies to launch successful infostealer attacks with the two most common methods being:

Phishing Emails: 3.4 billion phishing emails are sent every day, so it’s fair to say they’re an incredibly popular route for malware. These highly deceptive emails will contain either malicious links or attachments which, when activated, expose the recipient to malware downloads.
Malicious Sites: As seen in our article on fake Zoom sites, threat actors regularly set up malicious websites in order to lure visitors into downloading either fake updates or complete applications. However, these downloads are never genuine and only contain malware such as infostealers.

Protecting Your Systems Against Infostealers

Despite the threat of infostealers, it’s relatively easy to stay safe and protect your systems from them. All you need to do is follow these best practices:

Be Wary of Suspicious Emails: Any emails which ring even the slightest alarm bell should be closely scrutinized. If something about the wording doesn’t sound quite right, or there’s a sense of urgency to commit to an action, the chances are that this could be a phishing email. In these instances, don’t click anything and, instead, contact an IT professional to review the content.
Always Update Your Software: One of the easiest ways for threat actors to deploy infostealers on your system is through software vulnerabilities. No piece of software is perfect, and they often contain weak spots which can be exploited. However, as these vulnerabilities are picked up by the developers, security patches are issued to remedy these weak spots. Accordingly, installing these updates should be a major priority.
Install Security Software: There are numerous security packages available such as AVG and Kaspersky which monitor your systems in real time and can block malware threats instantly. This automatic defense enables you to stay safe from infostealers and keeps your networks healthy and productive.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

The headlines generated by cybersecurity attacks always focus on the damage caused by hackers, but who exactly are the hackers and why do they hack?

Financial losses associated with cybercrime hit a mighty $12.5 billion in 2023, so it’s clear to see that hackers have a major impact on society. And yet we know so little about them. Characterized as shady, hidden figures, hackers rely on this mysterious air to create panic and fear when they strike. Technically savvy, they pose a major threat to computer systems all over the world, and they often get away with it through a mixture of ingenuity and bravado.

To help you understand their motives better, we’re going to pull back the digital curtain and show you who these hackers are and what drives them to attack IT infrastructures.

The Main Types of Hackers

There are many different types of hackers, with different methods of operation and varying skillsets. The main variants you’re likely to encounter are:

Black Hat Hackers: Perhaps the most infamous type of hacker, black hat hackers are regularly discussed on the Ophtek blog due to their love of breaking into IT systems. Their main activities involve launching malware, compromising software vulnerabilities, and setting up phishing campaigns.
White Hat Hackers: In contrast to their black hat counterparts, white hat hackers are a force for good. Typically, they work in conjunction with organizations to identify weak spots in their IT security e.g. demonstrating where software vulnerabilities are present or highlighting the use of default passwords on routers.
Hacktivists: These hackers aren’t out to commit cybercrime in the same way as a black hat hacker, but hacktivists operate on the wrong side of the law in order to bring about social or political change. A good example of this can be found in the 2022 attacks launched against Russian websites by the hacking group Anonymous, an attack designed in response to the Russian war on Ukraine.

What are the Motivations Behind Hacking?

Every hack will have a motive behind it and it’s important to understand these motives in order to better protect our computer systems. The main driving forces behind cyberattacks include:

Financial Gain: As with all crime, money acts as a significant motivating factor. Stolen credentials, for example, can be sold on the dark web for large amounts of cash. Likewise, the rise of Malware-as-a-Service has proved highly lucrative for hackers and been responsible for some devastating attacks.
Challenging Themselves: Hackers love the prestige of a successful hack, and this hit of dopamine is enough to encourage them to set about launching increasingly audacious attacks. This not only challenges them and provides a firm motivation, but it also encourages them to hone their skills and make their attacks harder to defend against.
Personal Grievances: Often, the main motivation behind a hack is simply a slice of old-fashioned revenge. An ex-employee, perhaps terminated unfairly in their eyes, may seek revenge by exploiting their knowledge of an organization’s IT system. This insider knowledge may offer them the opportunity to strike back and hurt the organization.

Final Thoughts

Hackers, with their varying objectives and motivations, are a complex set of individuals and groups. While some may be a force for good, just as many have taken up their craft to inflict damage and benefit financially from their digital chaos. Whatever their circumstances, one thing remains clear: it’s crucial to strengthen your IT systems against all threats all the time.

For more ways to secure and optimize your business technology, contact your local IT p rofessionals.

Hackers have designed fake Google Meet error pages to distribute info-stealing malware which can compromise all the data on a network.

It feels as though malicious websites are springing up on a daily basis, and with 12.8 million websites infected with malware, this is a fair assumption to make. The latest attack under the Ophtek spotlight centers around Google Meet, a videoconferencing service hosted online by Google. The threat uses fake connectivity errors to lure victims into inadvertently launching the malware on their own system. And with Google Meet having over 300 million active users every month, the chance of this campaign tripping people up is exceptionally high.

The Danger of Fake Google Meet Pages

Google Meet attack appears to be part of a wider hacking campaign known as ClickFix, which has also been identified using similar fake websites impersonating Google Chrome and Facebook. In all these cases, the objective of the campaign is to install info stealers onto infected PCs. Malware used in these attacks include DarkGate and Lumma Stealer.

Fake error messages are displayed in the web browsers of victims to indicate a connectivity issue with a Google Meet call. However, there is no Google Meet call taking place, it’s simply a ruse to deceive victims into following through on a malicious call-to-action. These ‘errors’ recommend copying a ‘fix’ and then running it in Windows PowerShell, an app commonly used to automate processes on a Microsoft system.

Unfortunately, rather than fixing the ‘error’ with Google Meet, the execution of this code within PowerShell simply downloads and installs the malware. Once installed, malware such as DarkGate and Lumma Stealer has the potential to search out sensitive data on your network, establish remote network connections, and transmit stolen data out of your network.

Victims are redirected to these malicious websites via phishing emails, which claim to contain instructions for joining important virtual meetings and webinars. The URLs used within the emails appear like genuine Google Meet links but take advantage of slight differences in the address to deceive recipients.

Protecting Yourself from Fake Google Meet Malware

The best way to stay safe in the face of the fake Google Meet pages (and similar attacks) is by being proactive and educating your staff on the threats of malicious websites. Accordingly, following these best practices gives you the best chance of securing your IT infrastructure:

Double Check URLs: malicious websites often mimic genuine ones to catch people off guard. Therefore, always verify any URL for anything unusual such as misspelled words or lengthened and unusual domain endings, before clicking them. This will minimize your risk of falling victim to phishing and malware attacks.
Use Browser Security Features: many browsers, such as Google Chrome, come with built-in security features which can block sites known to be harmful or detect suspicious downloads. If you have these protections enabled, and this is easily done through your browser settings, you can rest assured you’re putting a strong security measure in place.
Install Antivirus and Firewall Software: one of the simplest way to protect yourself is by installing antivirus and firewall software, which is often available for free in the form of AVG and Kaspersky. This software can not only detect malware, but also block it before it reaches your system, so it can be considered a very strong form of defense.

For more ways to secure and optimize your business technology, contact your local IT profes sionals.

A new malware attack has been discovered which uses the SnipBot malware to dig deep into the victim’s network and harvest data.

SnipBot is a variant of the RomCom malware, which has previously been used for data harvesting and financially motivated attacks such as the Cuba ransomware attack. SnipBot’s malicious campaign has been widespread, with victims identified in multiple industries including legal, agriculture, and IT sectors. SnipBot performs what is referred to as a pivot, a process by which malware moves between compromised systems on the same network to access as many workstations as possible. This maximizes the amount of data SnipBot can steal and marks it out as a major threat.

SnipBot Unleashed

With 3.4 billion phishing emails sent daily, it’s clear that phishing attacks are incredibly popular with threat actors. And this is the exact approach adopted by SnipBot.

The SnipBot malware attack starts with phishing emails which trick recipients into downloading fake files disguised as legitimate PDFs. When the victim clicks on a link contained within the PDF, a malicious downloader is activated. As these downloaders are signed using real security certificates, they avoid detection by security software.

The malware can then inject itself into core system processes such as explorer.exe, and it can maintain this presence even after a reboot. Once inside the victim’s system, SnipBot sets about collecting sensitive data from popular folders, like Documents and OneDrive. This harvested data is then sent back to the attacker via a remote server.

Palo Alto Networks researchers, who discovered the SnipBot campaign, are unsure as to the true objectives of SnipBot. At present, there appears to be no financial motive present in the attack, so it has been labelled purely as an espionage threat.

How Can You Stay Safe from SnipBot?

Luckily, phishing attacks such as SnipBot can be easily managed. By following these best practices, you’ll not only prevent malware being executed, but also avoid it in the first place:

Verify the Sender: it’s paramount that you always check and double check the sender’s email address, especially when the email is laced with a sense of urgency to perform an action. Phishing emails will often use addresses which look genuine but contain slight errors e.g. admin@0phtek.com where the letter O has been replaced with a zero. If you’re unsure, you can always Google the company to find their official website and verify the domain used.
Don’t Click on Suspicious Links: instead of clicking on suspicious links, the safest option to take is to hover over any links to preview the URL. Embedded links can easily be faked to appear genuine, but contain a link to a different, malicious website. Again, you can Google websites directly to navigate your way to any sections referenced in the email. This prevents you from accessing a malicious website loaded full of malware.
Contact the Sender: legitimate businesses and clients will never request sensitive information – such as login credentials – over emails, so these requests should always ring alarm bells. If you do receive such a request, the best option to take is contact the sender via telephone to confirm whether the email is genuine.
Use Spam Filters: one of the best ways to stop phishing emails reaching your inbox is to activate your emails spam filters. These use vast databases to identify potential threats and redirect them to your spam folder. You can also use your spam filters to block repeat offenders, enhancing the safety of your inbox.

For more ways to secure and optimize your business technology, contact your local IT profe ssionals.

1 2 3 … 30 Next »

Microsoft Defender Caught Out by Fake Gaming Malware

Infostealers: What They Are and How to Stay Protected

Hackers Unmasked: Who Are They and What Motivates Them?

Fake Google Meet Pages Used to Spread Malware

SnipBot Malware Used to Steal Data from Victims

Tag Archives: malware