A new phishing campaign, launched in March 2024, has been targeting financial firms all over the world with the JsOutProx banking trojan.

The JsOutProx malware campaign was first detected by Visa, with their Payment Fraud Disruption team sending out security alerts to stakeholders about the threat. So far, the targets of the attack have been based in Africa, South Asia, and the Middle East. The identity of the threat actors behind the attack is currently unknown, but it’s speculated they may be China-based or receiving support from China.

Financial malware always has the potential to cause great damage to organizations and individuals, so it’s important you understand the threat posed by JsOutProx.

The Lowdown on JsOutProx

First detected online in 2019, JsOutProx provides remote access to infected PCs by way of a JavaScript backdoor. This foothold allows threat actors to carry out numerous malicious attacks within the infected system. These include downloading further malware, data harvesting, taking screenshots, executing files, and embedding itself deep within the target. Plugins are utilized to launch these attack methods, an indicator this is a sophisticated piece of malware.

JsOutProx relies on JavaScript to carry out its attacks, and this method has been employed to deceive targets. Whereas many PC users understand the threat of a specific file type – such as a Word document or .exe file – they’re less likely to have knowledge of the threat posed by JavaScript code. Additionally, JavaScript code is unintelligible to many anti-malware tools, so it has the potential to go undetected by software expected to keep PCs secure.

How is the JsOutProx Attack Launched?

Using phishing email techniques, JsOutProx is distributed through emails purporting to be related to MoneyGram or SWIFT payment notifications. However, far from being from genuine financial institutions, the senders behind these emails only have malicious intentions. Once recipients have fallen for the bait in the phishing emails, the JsOutProx code is activated and allows the threat actors to position themselves within the infected PC. Once installed, JsOutProx adopts a number of functionalities to enhance its position, such as changing DNS settings, editing proxy settings, and bypassing User Account Control detection.

Protect Your PCs from JsOutProx

A significant proportion of internet users have access to online banking services, and this is why JsOutProx has maximized its chances of snaring victims. Thankfully, you don’t have to fall victim to JsOutProx and compromise the security of your PC. All you have to do is make sure you practice the following:

  • Protect your browsers from scripts: many malware attacks such as JsOutProx rely on scripts to launch their attack within browsers. Therefore, it makes sense to protect your browsers from malicious scripts. Luckily, this is a relatively simple task thanks to ready-made browser plugins such as ScriptSafe for Chrome. These browser extensions protect you by blocking unwanted content and providing alerts against blacklisted sites which are malicious.

For more ways to secure and optimize your business technology, contact your local IT professionals.



In a highly embarrassing incident for Acemagic, a Chinese PC manufacturer, a number of its products have been shipped with numerous vulnerabilities.

When setting up a brand-new PC out of the box, you would expect it to be highly secure and as protected against current threats as it could be. However, this isn’t always the case. PCs are complex pieces of machinery, packed full of processes, apps and coding to provide the full PC experience. And all of this leaves room for mistakes. Acemagic has learned this the hard way, as have their customers, who have now found their brand-new PCs are vulnerable to countless malware threats.

It’s a nightmare scenario for all involved, so we’re going to look at what’s happened.

The Dangers of Tinkering with Windows Source Code

In a bid to improve the performance of their PCs, Acemagic’s software developers decided to adjust Microsoft’s source code for Windows. This involved altering network settings, but inadvertently resulted in the process of digital signature verification being skipped. Digital signatures are used to verify the authenticity of data passing through PCs, so, without these in place, applications are at risk of being compromised with malware. Acemagic’s aim was to reduce boot times for its customers, but it resulted in the PCs becoming infected with malware.

From bootup, security researchers have been able to discover malware such as Bladabindi and Redline on Acemagic PCs. Both these strains of malware are designated as info stealers, so they have the potential to steal login credentials, financial data, and also download further malware. Additionally, Redline is capable of stealing cryptocurrency.

Acemagic has announced that the software adjustments were stopped on November 18th 2023, but this still leaves a large number of compromised PCs in use by unsuspecting users. Going forwards, Acemagic has pledged to put more focus on digital certificates, a move they claim will be able to stop unauthorized modifications in the future. But the damage to Acemagic’s reputation has been done, and it’s not been helped by the fact that Acemagic has been unable to pinpoint exactly when the malware was downloaded onto their machines.

Staying Safe with New PCs

A new PC should be as safe as you can get, but the Acemagic fiasco has demonstrated how they can be just as dangerous as a PC which is several years old. Therefore, it’s crucial you take precautions when setting up a new PC:

  • Set it up offline: to protect your existing network, it’s a good idea to fully set up your PC before connecting it to your network. Not only does this ensure the PC is correctly configured to join your network, but it also allows you to secure the device and limit the spread of any pre-installed malware.
  • Scan for malware: one of the first things you should do with a new PC is scan it for malware. As we’ve seen with Acemagic, even brand-new PCs can be compromised with malware, so it makes sense to eliminate this threat before it can become active on your network. Running a quick scan with apps such as AVG or McAfee will identify any threats and quickly remove them.



Threat actors have compromised 70,000 previously legitimate websites and created a powerful network capable of distributing malware.

Named VexTrio, this network of compromised websites appears to have started in 2017, but it’s only more recently that details around its activity have emerged. As well as distributing malware, the VexTrio network also utilizes phishing pages, and allows the VexTrio hackers to harvest login credentials. The campaign is a significant one, and one which is powerful enough to cause harm to anyone who gets caught up in its operations. Therefore, it’s time to take a look at the VexTrio campaign to see what we can learn.

Understanding the VexTrio Network

The VexTrio campaign relies on a malicious traffic distribution system (TDS) to lead unsuspecting internet users to compromised websites. A TDS is, in simple terms, a web application used to analyze and filter incoming traffic and, following the analysis, redirect it to a specific page. Typically, the activities of a TDS are facilitated by malvertising activities or malicious websites. VexTrio favors using malicious websites.

Working with a number of affiliates, many of whom offer access to hijacked websites, VexTrio has managed to amass a sizeable network over the last seven years. And VexTrio are very much the middle-man in the operation. For a fee, VexTrio will feed incoming traffic through their TDS and forward innocent victims towards the websites they’re most likely to be interested in. It’s very similar to legitimate advertising networks, but with a vicious sting in its tail.

The malicious websites which comprise the VexTrio network contain a wide range of threats. For example, one of the affiliates, known as ClearFake, tricks users into downloading what is claimed to be a browser update, but is little more than malware. SocGholish, another well-known malware threat, is part of the VexTrio network and uses it to push unauthorized access to corporate websites.

Don’t Fall Victim to VexTrio

The threat of VexTrio is a substantial one, and organizations need to be aware of the damage it can cause. Luckily, you can protect yourself and your IT systems by implementing the following best practices:



A new strain of malware, which contains several different attack methods and is considered a severe threat, has been discovered and named HeadCrab.

The attack focuses its efforts on Redis servers, an open source, in-memory data structure store. In simpler terms, Redis acts as a database, cache, and message broker application which can store data, cookies, and authentication tokens. This means it contains confidential and personal data, which is a currency valued highly by threat actors. Redis is incredibly popular and used by many high-level clients, some of whom include Amazon, Adobe, OpenAI, and Airbnb. Therefore, it’s likely you and your team will visit websites using Redis servers, and you need to stay safe.

Unpacking the HeadCrab Attack

Redis servers appear to have been targeted by HeadCrab due to the fact they’re often exposed to the internet, without any solid authentication in place to protect them. This makes them highly vulnerable and puts any data stored on them at high risk. Using advanced coding techniques, the threat actor starts by taking control of a Redis server. This allows them to then download HeadCrab onto the infected server. This, as the command logs reveal, is a complex process, and one which leaves no stone unturned, highlighting the advanced skills of the threat actor.

With HeadCrab now active on the Redis server, it can get to work. Security researchers, who have reverse engineered HeadCrab, have discovered eight custom commands contained within its module. These allow HeadCrab to set up encrypted communication channels, reconfigure Redis servers, run exclusively in memory to avoid detection, and even run its own blog detailing its current activities and news.
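The exposure described above (a Redis server reachable from the internet with no authentication) can be checked for in a server's configuration file. The following is an added example, not part of the original article: `bind`, `protected-mode` and `requirepass` are Redis's own configuration directives, while the function names, finding labels and sample configurations are constructed for illustration.

```python
# Added example: audit a redis.conf for the exposure described above.
import ipaddress

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\n# requirepass is not set\n"
HARDENED_CONF = ('bind 127.0.0.1 -::1\nprotected-mode yes\n'
                 'requirepass "constructed-long-random-secret"\n')

def parse_conf(text):
    """Return {directive: [args]}; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = [p.strip('"') for p in parts[1:]]
    return conf

def is_loopback(addr):
    addr = addr.lstrip("-")  # leading "-" = skip the address if unavailable
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or a hostname: not provably loopback

def audit(text):
    """Return a list of findings for one redis.conf body."""
    conf = parse_conf(text)
    binds = conf.get("bind")  # no bind line: Redis listens on all interfaces
    exposed = not binds or not all(is_loopback(a) for a in binds)
    has_password = bool((conf.get("requirepass") or [""])[0])
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    findings = []
    if exposed:
        findings.append("listens-beyond-loopback")
    if not has_password:
        findings.append("no-requirepass")
    if not protected:
        findings.append("protected-mode-off")
    if exposed and not has_password and not protected:
        findings.append("CRITICAL: reachable without authentication")
    return findings

if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(body))
```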

Staying Safe from HeadCrab

Currently, HeadCrab has been detected in over 1200 servers and represents a serious threat. It doesn’t launch its attack using files, instead relying on advanced hacking techniques, so it’s a difficult threat to combat. However, by staying vigilant, your organization can stay safe against the threat of HeadCrab and similar attacks. The best ways to achieve this are:



Russian hackers are using a fake PDF decryption tool to trick innocent PC users into downloading Spica, a new strain of malware.

Discovered by Google’s Threat Analysis Group (TAG), Spica is a backdoor malware which has not been identified previously. It’s believed that the malware is the work of ColdRiver, a Russian hacking team with a proven track record in deploying malware. The attack, as with so many contemporary threats, is delivered by email and relies on malicious PDF files. Now, with close to 350 billion emails sent per day in 2023, it’s clear that email is hugely popular. And it’s estimated there are 2.5 trillion PDF files currently in circulation. Therefore, the chances of your business running into a similar attack are high.

The Threat of Spica

The Spica attack begins when the threat actors send a series of PDF files to their targets. Using phishing email techniques, they attempt to trick the targets into believing that these have been sent by legitimate contacts. These files appear encrypted and, if the target bites, they will email back to say they can’t open the files. This is where the threat actors are able to launch their payload.

By sending a malicious link back to the target, the threat actors can trick them into downloading what they claim is a decryption tool. However, this executable tool – going under the name of Proton-decryptor.exe – is far from helpful. Instead, it will provide backdoor access to the target’s PC. With this access in place, the malware can communicate with a command-and-control server to receive further instructions.

And Spica comes loaded with a wide range of weaponry. As well as being capable of launching internal shell commands on the infected PC, it’s also programmed to steal browser cookies, send and receive files, and create a persistent presence on the machine. Google believes that there are multiple variants of Spica, and the current targets of the malware seem to be high ranking officials in non-governmental organizations and former members of NATO governments.

Shielding Yourself from the Threat of Spica

While your organization may not be listed high on ColdRiver’s target list, the attack methods are familiar and could easily be launched against you at some point in the future. Therefore, it’s in your best interests to integrate the following advice into your cybersecurity measures:

  • Check for spelling/grammar errors: phishing emails are prone to poor grammar and spelling, especially when they originate from non-English speakers. Accordingly, poorly composed emails should be scrutinized closely. Also, watch out for generic and unusual greetings such as “Dear customer” as these may indicate that the email is part of a mass-campaign against unknown targets.
