PlugX Malware Found Infecting USB Drives

Ophtek, PlugX malware, USB Drives, USB Malware, , , ,
21
Mar 2023

We all use USB devices daily, but these innovative and simple devices also make the perfect environment for the PlugX malware to take hold.

USB devices are installed and ready to use within seconds of being plugged into a PC, a setup procedure which is a marked improvement on the traditional approach of installing via a CD. In fact, since the 1990s, USB connections have become ubiquitous in the hardware market. One of the most popular USB devices is the portable drive, a simple way of transferring data from one PC to another. However, USB drives have always represented a security risk and it’s this risk which PlugX is now exploiting.

How Did PlugX Get onto USB Drives?

First gaining notoriety around 15 years ago, PlugX is far from a new and mysterious strain of malware. However, it remains a viable threat when it comes to spreading malware and infecting systems.

This recent attack started with a popular Windows debugging tool called x64dbg being hijacked and manipulated by threat actors. Using the 32-bit version of x64dbg (x32dbg.exe), the threat actors execute a malicious file they have created called x32bridge.dat. Once activated, x32bridge.dat infects the resident PC and, more importantly, searchew out any USB drives connected to it. The PlugX malware is then loaded onto this USB drive.

To cover its tracks, PlugX uses a Unicode character technique to prevent the true contents and structure of the USB drive being displayed by Windows Explorer. A shortcut .LNK file is then installed in the root directory of the USB drive, which appears to be a link to the USB drive and even copys the device’s name. However, the link actually activates the PlugX malware from a hidden directory on the USB drive and allows it to search out other USB drives attached to the PC. And each time this drive is connected to a new PC, the infection process begins again.

PlugX, of course, does much more than simply spread from PC to PC without causing any damage. In fact, PlugX has the capability to launch the following attacks:

  • Keystroke logging
  • Screen captures
  • Managing processes on PCs
  • Rebooting the system
  • Remote control of the keyboard and mouse
  • Copying PDF and Word documents from the infected PC to the USB’s hidden directories

How Do You Pull the Plug on PlugX?

PlugX is currently difficult to detect due to the way in which it works, with only 11 out of 5U9 anti-malware tools currently detecting it according to Virus Total. Therefore, it’s a tough slice of malware to contend with. Nonetheless, you can minimize the risk it presents to your organization by:

  • Blocking access to USB storage drives: it’s a good idea to restrict access to USB storage drives by employees. After all, there’s little reason why they should be removing data from a company PC. Accordingly, you can block employee access to USB drives through your administration settings, effectively rendering USB ports as unusable. If an employee does need to transfer data, make this an action only privileged users can process.
  • Monitor network activity: PlugX falls under the category of being a Remote Access Trojan, so it’s likely that unusual network activity will be caused by the threat actors connecting to infected PCs. As such, any network activity which involves connections to unknown destinations should immediately be halted and investigated.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Middle East Countries Targeted by World Cup Malware

Hackers, malware, Ophtek, Phishing, World Cup, , , ,
20
Dec 2022

The World Cup has arrived and, as ever, it is creating headlines around the world, but it’s also creating numerous opportunities for hacking groups.

Fair play should be at the heart of everything taking place on the pitch during the World Cup, which is being held in Qatar, but matters off the pitch are slightly different. Threat actors thrive on a good opportunity and the popularity of the World Cup – over 3.5 billion people watched the last World Cup final in 2018 – makes it full of potential. And it’s an opportunity which hackers have taken advantage of, with a string of malware campaigns launched before the first ball is kicked.

While these attacks have, so far, mostly targeted countries in the Middle East, it’s likely these efforts will spread globally as the tournament progresses. Therefore, you need to understand the tactics that the hackers are following.

Football Phishing Attacks Hit the Middle East

Security researchers at Trellix have discovered, in the lead up to the World Cup, a significant increase in the number of phishing attacks hitting the Middle East. These phishing campaigns have been shown to be unashamedly cashing in on the interest in the World Cup, with many of the emails claiming to originate from either departments within FIFA or even from specific team managers.

The emails being delivered to unsuspecting victims are used to tempt the recipients into clicking links which, for example, promise to take them to payment pages for match tickets. However, the true destination of these links are malicious websites. As with most malicious websites, the potential for risk is very high, and the websites involved in this latest attack have been found to be housing malware such as Emotet, Qakbot, Remcos, Quad Agent and Formbook. All these malware strains have the potential to harvest data and gain remote access to infected PCs.

How To Defend Against the World Cup Malware

Whilst the malware at the heart of this campaign may not be the most dangerous ever seen, the fact remains that it is malware. And all malware should be considered a major problem for your IT infrastructure. Accordingly, protecting yourself against these phishing campaigns, and any others in the digital wild, is paramount for your cybersecurity. Therefore, make sure you adopt these tactics into your team:

  • Analyze every email: if an email sounds too good to be true, it’s likely it is. Say, for example, you receive an email from a manager of one of the World Cup teams, it’s unlikely they would be contacting you directly. Likewise, if you receive an email regarding payment for something you’ve never ordered – such as World Cup tickets – you should be equally suspicious.
  • Use an anti-malware suite: one of the best ways to protect your organization is by installing an anti-malware suite. This is a collection of tools which provides protection against malicious websites and emails by evaluating their risk level as well as monitoring network connections and installing a firewall.
  • Install all updates: you can maximize your security by ensuring that all software updates are installed and in place. Taking this crucial step will maximize the security of your IT infrastructure by protecting you against software vulnerabilities.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

VMware Exploit Allows Hackers to Deliver Malware Package

install updates, malware, Ophtek, Security, VMware Exploit, Workspace ONE, , , , ,
07
Nov 2022

The importance of installing updates has been highlighted by VMware Users who have failed to update and found themselves at the mercy of malware attacks.

VMware is a tech company which specializes in providing both cloud computing services and virtualization technology (such as remote desktop software). Founded nearly 25 years ago, VMware has proved to be highly popular with businesses of all sizes. However, this experience doesn’t mean their software is perfect. In fact, no tech company – not even the biggest ones – can claim to create products which are 100% resistant to threat actors.

And that’s why VMware’s Workspace ONE Access service, an application which allows digital apps in an organization to be accessed on any device, has been compromised. The attack has been declared a significant one, so we’re going to take you through it.

Workspace ONE Compromised

The attack, which was discovered by security experts at Fortiguard Labs, centers around a vulnerability patched by VMware back in April 2022. However, this attack is still targeting this exploit, an indicator that the uptake of VMware’s patch has been poor. As a result, the CVE-2022-22954 vulnerability has the potential to open your PC up to all manner of malware.

If the vulnerability is still present, threat actors have the opportunity to launch remote code execution attacks against an infected PC. With the help of this foothold, the hackers have been able to download a wide range of malware to PCs and their associated networks. Examples involved in this attack have included:

  • Cryptoware
  • Ransomware
  • Software which removes other cryptomining apps
  • Malware used to spread the attack even further
  • Botnets

All of these campaigns are installed and operated separately, indicating that this is a well-organized attack by the unknown threat actors. Activity for the overall campaign peaked in August 2022, but it remains active as it seeks further users of Workspace ONE who have failed to patch their software.

Protecting Yourself Against Software Exploits

The impact of falling victim to the Workspace ONE vulnerability is huge as it attacks its victims on numerous fronts. Not only is there the financial risk of ransomware, but the activity of cryptoware and ransomware is going to seriously eat into the resources of your IT infrastructure. Therefore, you need to make sure you carry out the following:

  • Install all updates: if you are a Workspace ONE user then you need to ensure it’s fully patched and up to date. And, once this is complete, it’s crucial you make sure all your software is patched.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

USB Malware is Being Delivered by Mail

BadUSB, malware, Ophtek, UPS, USB Flash Drives, USB Malware, USPS, , , , , ,
18
Oct 2022

It may sound like a backwards step, but a group of cyber criminals have decided to enlist the help of the postal service to deliver their malware.

Snail mail may feel like an archaic method of attack for cyber criminals, but it’s surprisingly effective as a series of attacks – using the BadUSB malware – have proven. We all deal with traditional mail daily, so it’s easy to take it for granted, and it’s this familiarity that the hackers are targeting. This particular attack, as the name suggests, involves a malicious USB drive. These attacks have proved successful in the past and the BadUSB campaign has the potential to cause significant damage.

How Does BadUSB Work?

Delivered through the United Parcel Service and United States Postal Service, the malicious USB drives come loaded with malware and allow a threat actor to take control of a victim’s USB port. Activating the malware is simple: all it needs is to be plugged into a USB port.

However, there needs to be a reason why a victim decides to plug the device into their PC. And the minds behind BadUSB do this by instilling a sense of urgency in the recipient. This is achieved by claiming that the USB drive contains official Covid-19 warnings or that the drive is an Amazon gift from a friend.

Once plugged into a PC, the affected USB port can be manipulated to believe that an alternate device is installed e.g. a keyboard or mouse. These fake devices can then be controlled by remote cyber criminals and used to cause untold damage. For example, a keyboard and mouse could be used to take full control of a PC and download further malware. In 2020, the BadUSB malware was involved in a series of attacks which downloaded ransomware to exploit the finances of those attacked, and this could easily happen again.

Staying Safe from Malicious USB Drives

BadUSB has the potential to cause you a serious headache, both in terms of your data and your finances. As a result, it’s crucial that you steer clear of this and similar attacks, an outcome which is possible if you do the following:

  • Be wary of USB drives: while they are not one of the ‘go to’ options for hackers, infected USB drives (and the USB killer) have the capacity to cause real damage. Therefore, if you are presented (or even find) a USB drive which doesn’t belong to your company, do not plug it in to your PC. Instead, ask an IT professional to safely analyze it.
  • Disable USB ports: there’s not a pressing need for your employees to be plugging additional devices into their PC, so it makes sense to disable access to USB ports. Sometimes, this is as simple as blocking any unused ports and, in other scenarios, you may want to restrict access to these ports through administration privileges.
  • Disable Autorun: if your employees do need access to their USB ports, then it may be worth disabling the autorun feature associated with them. This feature allows USB drives to automatically open – and activate their contents – once plugged in. However, with autorun disabled, there is a chance to view the drive’s contents before running it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Stealer Malware Hidden in Fake Zoom Sites

Cyber Security, Data Security, malware, Ophtek, stealer malware, zoom, , , , , ,
11
Oct 2022

Six malicious websites have been discovered which claim to offer downloads of Zoom, but contain nothing but the Vidar stealer malware.

The popularity of Zoom – a video meeting application – has exploded in the post-Covid landscape we find ourselves living in. No longer do people need to travel for face-to-face meetings, they can now be conveniently arranged and carried out over video. Accordingly, the demand for Zoom is huge, with around 485 million downloads completed since 2020. Due to this popularity, a gang of cybercriminals have decided to use Zoom as the bait for downloading the Vidar stealer.

As your employees are likely to consider a Zoom install safe, it’s important that we delve a little deeper and demonstrate why it may be far from safe.

Beware of Fake Zoom Sites

Vidar has been an active threat for some time now, but this latest attack is a new campaign and carries a number of unique threats. The six sites, discovered by Cyble Research, use a variety of URLs such as ‘zoom-download’ and ‘zoomus’ to appear legitimate. And, if you visit one of these sites, the visual aesthetics are remarkably similar to the official Zoom website, but this is where all similarities end.

Attempting to download the Zoom application from these malicious sites will, instead, redirect you to a GitHub file depository. From here, two files will be downloaded to your temporary folder:

  • ZOOMIN~1.exe: this is a genuine Zoom installer which is included to create a front that nothing untoward is taking place.
  • Decoder.exe: this is the malicious file which injects Vidar’s ability to steal into the Microsoft Build Engine. With this infection in place, Vidar is then able to contact remote Command and Control servers and begin transmitting data from the infected PC.

Like most stealer malware, Vidar concentrates on extracting confidential data such as login credentials, network details and whether any further vulnerabilities are present in the IT infrastructure. If vulnerabilities are detected, then it’s highly likely these will be logged and sold by criminal gangs. Protecting yourself against Vidar, therefore, is crucial.

How to Avoid Having Your Data Stolen

The mechanics of the Vidar Zoom threat are relatively common in the world of malware, so it’s likely you will run into a similar threat at some point. The best way to protect your PCs is by following these practices:

  • Always Verify Websites: Vidar’s latest attack relies on poor judgement from its intended victims, the main error coming when they assume that the malicious website is genuine. Many antivirus suites contain tools which allow search results to be rated as to their level of safety, and there is also the option for these tools to present warning screens before accessing sites deemed unsafe. If these are unavailable, and you need to download some software, reach out to your IT team instead.
  • Install Updates: Vidar is keen on logging any vulnerabilities contained within your PC, so it makes sense to limit these vulnerabilities. The best way to achieve this is by always installing updates as soon as they are available.
  • Segment Your Network: to protect your data, it makes sense to adopt network segmentation. This procedure divides your network into different segments and allows you to keep them separate. Therefore, if one segment is breached, the others will remain protected, and this allows you to limit the spread of the malware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 8 9 10 11 12 29