HeadCrab Attacks Servers with Advanced Malware

authentication, Hackers, HeadCrab, malware, Ophtek, Redis Servers, runtime monitoring, security scans, , , , , , ,
19
Mar 2024

A new strain of malware, which contains several different attack methods and is considered a severe threat, has been discovered and named HeadCrab.

The attack focuses its efforts on Redis servers, an open source, in-memory data structure store. In simpler terms, Redis acts as a database, cache, and message broker application which can store data, cookies, and authentication tokens. This means it contains confidential and personal data, which is a currency valued highly by threat actors. Redis is incredibly popular and used by many high-level clients, some of whom include Amazon, Adobe, OpenAI, and Airbnb. Therefore, it’s likely you and your team will visit websites using Redis servers, and you need to stay safe.

Unpacking the HeadCrab Attack

Redis servers appear to have been targeted by HeadCrab due to the fact they’re often exposed to the internet, without any solid authentication in place to protect them. This makes them highly vulnerable and puts any data stored on them at high risk. Using advanced coding techniques, the threat actor starts by taking control of a Redis server. This allows them to then download HeadCrab onto the infected server. This, as the command logs reveal, is a complex process, and one which leaves no stone unturned, highlighting the advanced skills of the threat actor.

With HeadCrab now active on the Redis server, it can get to work. Security researchers, who have reverse engineered HeadCrab, have discovered eight custom commands contained within its module. These allow HeadCrab to set up encrypted communication channels, reconfigure Redis servers, run exclusively in memory to avoid detection, and even run its own blog detailing its current activities and news.

Staying Safe from HeadCrab

Currently, HeadCrab has been detected in over 1200 servers and represents a serious threat. It doesn’t launch its attack using files, instead relying on advanced hacking techniques, so it’s a difficult threat to combat. However, by staying vigilant, your organization can stay safe against the threat of HeadCrab and similar attacks. The best ways to achieve this are:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Spica: New Malware Launched by Russian Hackers

backdoor malware, ColdRiver, cybersecurity, Ophtek, Phishing, Proton-decryptor.exe, Russian Hackers, Spica, , , , , , , ,
12
Mar 2024

Russian hackers are using a fake PDF decryption tool to trick innocent PC users into downloading Spica, a new strain of malware.

Discovered by Google’s Threat Analysis Group (TAG), Spica is a backdoor malware which has not been identified previously. It’s believed that the malware is the result of ColdRiver, a Russian hacking team with a proven track record in deploying malware. The attack, as with so many contemporary threats, is delivered by email and relies on malicious PDF files. Now, with close to 350 billion emails sent per day in 2023, it’s clear that email is hugely popular. And it’s estimated there are 2.5 trillion PDF files currently in circulation. Therefore, the chances of your business running into a similar attack is high.

The Threat of Spica

The Spica attack begins when the threat actors send a series of PDF files to their targets. Using phishing email techniques, they attempt to trick the targets into believing that these have been sent by legitimate contacts. These files appear encrypted and, if the target bites, they will email back to say they can’t open the files. This is where the threat actors are able to launch their payload.

By sending a malicious link back to the target, the threat actors can trick them into downloading what they claim is a decryption tool. However, this executable tool – going under the name of Proton-decryptor.exe – is far from helpful. Instead, it will provide backdoor access to the target’s PC. With this access in place, the malware can communicate with a control-and-command server to receive further instructions.

And Spica comes loaded with a wide range of weaponry. As well as being capable of launching internal shell commands on the infected PC, it’s also programmed to steal browser cookies, send and receive files, and create a persistent presence on the machine. Google believes that there are multiple variants of Spica, and the current targets of the malware seem to be high ranking officials in non-governmental organizations and former members of NATO governments.

Shielding Yourself from the Threat of Spica

While your organization may not be listed high on ColdRiver’s target list, the attack methods are familiar and could easily be launched against you at some point in the future. Therefore, it’s in your best interests to integrate the following advice into your cybersecurity measures:

  • Check for spelling/grammar errors: phishing emails are prone to poor grammar and spelling, especially when they originate from non-English speakers. Accordingly, poorly composed emails should be scrutinized closely. Also, watch out for generic and unusual greetings such as “Dear customer” as these may indicate that the email is part of a mass-campaign against unknown targets.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

The Dangers of Malware on GitHub

GitHub, malicious code, malware, Open Source Malware, Ophtek, , , ,
05
Mar 2024

GitHub is a wildly popular website for developers to create, share, and store their code, but it’s also being increasingly used to spread malware.

Launched in 2008, GitHub quickly became the number one destination for developers. Packed full of features – such as hosting open source code, bug tracking tools, and software requests – GitHub is the perfect one-stop shop for developers looking to collaborate and enhance their software. However, where there’s code, there’s also potential for malware to rear its ugly head. And, in the last few years, GitHub has been exploited by numerous threat actors.

How does GitHub Work?

GitHub is an online repository where developers can come together to pool resources and knowledge to improve their software builds. It may not be something that most of your staff are likely to log on to, but your IT team are likely to use it to manage projects they’re working on. The objective of GitHub is to create a community of friendly developers, but the open membership policy means this doesn’t always go to plan.

Why is GitHub Dangerous?

Threat actors can easily sign up for membership within a matter of minutes, and then they can begin uploading their malicious code under the pretense of being an innocent software project. Quite often, threat actors will sign up with a username previously used by another developer, this is to trick other developers into thinking this is a reputable account. The GitHub community will believe that any repositories uploaded to this account are safe, and they will download them without thinking. And this is when malware can be unknowingly unleashed on unsuspecting networks.

Threat actors are also using GitHub to host command and control servers, which allow attackers to create communication channels into infected devices. Usually, this would be indicated by an unusual domain address in your network traffic. But with GitHub’s credentials being used, this would look less suspicious, especially if you team access GitHub. It’s also convenient, for the threat actors, to use a public service where launching a command control server is much easier than building an infrastructure from scratch.

Finally, GitHub is being used as a storage space for malware, as demonstrated in this fake proof-of-concept software attack. This particular attack allowed the threat actors to exploit a known vulnerability within the Linux operating system, which is commonly used by developers working on GitHub. These attacks can even catch out the security experts, so they underline just how dangerous GitHub can be if you’re not vigilant.

How Can You Work Safely with GitHub?

Threat actors are essentially turning certain parts of GitHub into a malicious website, so it’s crucial you know how to manage this threat. The most effective step you can take is to block access to GitHub on your organization’s network. Your staff are highly unlikely to need to access GitHub anyway, so this makes sense. However, some of your IT staff, and any developers you employ, may still require access to complete their job.

GitHub, of course, isn’t the only legitimate website to be harboring malware. Huge sites such as Dropbox and Google Drive are all capable of delivering malware to unsuspecting members. Therefore, you should only ever download from trusted sources.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Bandook Malware Strikes Back 

anti-malware tools, Bandook Malware, network activity, Ophtek, Phishing Email, Remote Access Trojan, , , , ,
27
Feb 2024

A new variant of the Bandook malware has been discovered which targets Windows PCs, so it’s crucial you know how to deal with it. 

From its earliest detection in 2007, Bandook has been a capable strain of malware. Being a remote access trojan, Bandook’s main objective has always been to take control of infected PCs. However, following a period of inactivity, the malware has recently started a new campaign aimed at a wide range of industries in different locations. And once Bandook takes control of a compromised PC, it can not only launch further malware attacks, but also steal whatever it wants from the PC. 

What is the Bandook Malware Attack? 

Bandook’s latest campaign starts with a phishing email, one which uses an infected PDF file. Within this file, there is a link which directs users towards a .7z file – a compressed, archive file. Prompted to enter a password – which is detailed in the original PDF file – to access the .7z archive, the victim will unwittingly activate the malware. Once Bandook is active, it will take advantage of the Msinfo32 application – typically used to collate system data – and edits the Window Registry to remain active on the infected PC. 

With Bandook fully established on the victim’s PC, Bandook opens a communication channel with a remote command-and-control server. This allows Bandook to receive further instructions from the threat actors behind the attack. From here, Bandook is able to establish additional malware payloads on the PC, and give full control of the PC over to the remote threat actors. This means that the hackers can steal data, kill active processes on the PC, execute applications, and even uninstall the Bandook malware to cover their tracks if necessary. 

How Do You Stay Safe from Bandook? 

As with many contemporary threats, Bandook relies on a momentary lapse of judgement from the recipient of their initial email. The impact of a single phishing email can lead to devastating results, so it’s essential your staff understand all the telltale signs of a phishing email. With this information at their fingertips, they’re significantly less likely to unleash malware across your IT infrastructure. 

But what else can you do? After all, no organization is 100% secure, and it’s likely your defenses will be breached at some point in the future. Well, you can make sure that you identify a breach and minimize its impact by practicing the following: 

  • Use anti-malware tools: security suites such as AVG and McAfee represent fantastic tools for protecting your IT infrastructure. As well as carrying out deep scans across your systems for malware, they also feature tools to block malicious websites and can scan files before they’re downloaded to verify their safety. 
     
  • Monitor network activity: one of the surest signs of a systems breach is, as featured in the Bandook attack, unusual network activity. Therefore, you should regularly monitor your network activity to identify unusual patterns e.g. prolonged communication with unknown destinations along with downloads from unidentified sources. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

DarkGate and NetSupport Malware is Surging 

anti-malware tools, BattleRoyal, DarkGate, install updates, malicious websites, malware, NetSupport, Ophtek, Phishing Email, Windows SmartScreen, , , , , , , , ,
13
Feb 2024

A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further. 

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems. 

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them. 

BattleRoyal’s Malware Campaign 

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users. 

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence. 

How to Stay Safe from BattleRoyal 

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections: 

  • Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails
     
  • Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date. 
     
  • Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More
1 3 4 5 6 7 30