phishing Archives

A new malware attack has been discovered which uses the SnipBot malware to dig deep into the victim’s network and harvest data.

SnipBot is a variant of the RomCom malware, which has previously been used for data harvesting and financially motivated attacks such as the Cuba ransomware attack. SnipBot’s malicious campaign has been widespread, with victims identified in multiple industries including legal, agriculture, and IT sectors. SnipBot performs what is referred to as a pivot, a process by which malware moves between compromised systems on the same network to access as many workstations as possible. This maximizes the amount of data SnipBot can steal and marks it out as a major threat.

SnipBot Unleashed

With 3.4 billion phishing emails sent daily, it’s clear that phishing attacks are incredibly popular with threat actors. And this is the exact approach adopted by SnipBot.

The SnipBot malware attack starts with phishing emails which trick recipients into downloading fake files disguised as legitimate PDFs. When the victim clicks on a link contained within the PDF, a malicious downloader is activated. As these downloaders are signed using real security certificates, they avoid detection by security software.

The malware can then inject itself into core system processes such as explorer.exe, and it can maintain this presence even after a reboot. Once inside the victim’s system, SnipBot sets about collecting sensitive data from popular folders, like Documents and OneDrive. This harvested data is then sent back to the attacker via a remote server.

Palo Alto Networks researchers, who discovered the SnipBot campaign, are unsure as to the true objectives of SnipBot. At present, there appears to be no financial motive present in the attack, so it has been labelled purely as an espionage threat.

How Can You Stay Safe from SnipBot?

Luckily, phishing attacks such as SnipBot can be easily managed. By following these best practices, you’ll not only prevent malware being executed, but also avoid it in the first place:

Verify the Sender: it’s paramount that you always check and double check the sender’s email address, especially when the email is laced with a sense of urgency to perform an action. Phishing emails will often use addresses which look genuine but contain slight errors e.g. admin@0phtek.com where the letter O has been replaced with a zero. If you’re unsure, you can always Google the company to find their official website and verify the domain used.
Don’t Click on Suspicious Links: instead of clicking on suspicious links, the safest option to take is to hover over any links to preview the URL. Embedded links can easily be faked to appear genuine, but contain a link to a different, malicious website. Again, you can Google websites directly to navigate your way to any sections referenced in the email. This prevents you from accessing a malicious website loaded full of malware.
Contact the Sender: legitimate businesses and clients will never request sensitive information – such as login credentials – over emails, so these requests should always ring alarm bells. If you do receive such a request, the best option to take is contact the sender via telephone to confirm whether the email is genuine.
Use Spam Filters: one of the best ways to stop phishing emails reaching your inbox is to activate your emails spam filters. These use vast databases to identify potential threats and redirect them to your spam folder. You can also use your spam filters to block repeat offenders, enhancing the safety of your inbox.

For more ways to secure and optimize your business technology, contact your local IT profe ssionals.

Italian PC users have become the target of SambaSpy, a new strain of malware which appears to originate from Brazil and employs phishing emails.

First detected by Kaspersky in May 2024, SambaSpy currently only seems to have targeted PC users in Italy. This is unusual as threat actors tend to focus their attacks on a more global range to maximize potential victims. However, it’s being speculated that SambaSpy may be using Italy as a test run before going global. Regardless of its future plans, SambaSpy utilizes a multifunctional attack, and can log keystrokes, harvest data, take screenshots, download files, and take control of process management on infected PCs.

With its strong range of weaponry, SambaSpy represents a significant threat to PC users and needs investigating further.

Say Ciao to SambaSpy

The SambaSpy attack originates within a phishing email, one which contains either an embedded link or an HTML attachment. Once the HTML attachment has been activated, one of either a malware dropper or downloader is executed from a ZIP archive. The malware dropper will load the main payload of SambaSpy from the same ZIP archive whereas the downloader will retrieve it from a remote server. The dropper is used to retrieve the malware payload from a remote location. The embedded link route sends users on a convoluted journey to a malicious site hosting the downloader or dropper.

Once SambaSpy is fully activated, it has the potential to launch all of the attack threats previously mentioned. Therefore, it’s capable of compromising every single activity taking place on your PC. SambaSpy is also clever enough to load plugins when an infected PC starts up, this allows it to shape and change its activities as required. Also of note is that SambaSpy will actively seek out web browsers in order to steal data, putting login credentials and financial information at risk of being harvested.

The attack is believed to have originated from a Brazilian threat actor as one of the malicious webpages involved features JavaScript code with Brazilian Portuguese comments. A number of recent banking trojans – including BBTok and Mekotio – have recently targeted Latin American users with phishing scams, so there may be a connection between these and SambaSpy.

Navigating the Threat of SambaSpy

While SambaSpy has only been detected in Italy, this could change very quickly as the malware becomes more powerful and widespread. Therefore, to safeguard your PCs against this and other similar threats, you need to keep your team up to date with these best practices:

Always Scrutinize the Sender: if you don’t recognize the sender of an email, then this should immediately be cause for concern when attachments or embedded links are included. Also, many threat actors will fake genuine email addresses, but use slightly different spellings e.g. support@m1crosoft.com in order to lull you into a false sense of security. Additionally, if an email claims to be from a large company but is using a generic email address such as BankofAmerica@gmail.com, this is also likely to be a phishing email.
Identify Red Flags: phishing emails will often contain urgent language designed to provoke you into making an immediate response. These call-to-actions are often along the lines of “your account has been compromised” or “this update must be downloaded to secure your PC” to instill a sense of fear. Additionally, phishing emails often have numerous grammatical errors and poor spelling, so make sure you’re aware of these telltale signs.

For more ways to secure and optimize your business technology, contact your loc al IT professionals.

Macros make our lives easier when it comes to repetitive tasks on PCs, but they’re also a potential route for malware to take advantage of.

The most up to date version of MS Office prevents macros from running automatically, and this is because macros have long been identified as a major malware risk. However, older versions of MS Office still run macros automatically, and this puts the PC running it at risk of being compromised. Legacy software, such as outdated versions of MS Office, comes with a number of risks and drawbacks, but budgetary constraints mean many businesses are unable to update.

Malicious MS Office Macro Clusters

A macro is a mini program which is designed to be executed within a Microsoft application and complete a routine task. So, for example, rather than taking 17 clicks through the Microsoft Word menu to execute a mail merge, you can use a single click of a macro to automate this process. Problems arise, however, when a macro is used to complete a damaging process, such as downloading or executing malware. And this is exactly what Cisco Talos has found within a cluster of malicious macros.

Several documents have been discovered which contain malware-infected macros, and they all have the potential to download malware such as PhantomCore, Havoc and Brute Ratel. Of note is that all of the macros detected so far appear to have been designed with the MacroPack framework, typically used for creating ‘red team exercises’ to simulate cybersecurity threats. Cisco Talos also discovered that the macros contained several lines of harmless code, this was most likely to lull users into a false sense of security.

Cisco Talos has been unable to point the finger of blame at any specific threat actor. It’s also possible that these macros were originally designed as a part of a legitimate cybersecurity exercise. Regardless of the origins of these macros, the fact remains that they have the potential to expose older versions of MS office to dangerous strains of malware.

Protect Your Systems from Malicious Macros

The dangers of malicious macros require you to remain vigilant about their threat. Clearly, with this specific threat, the simplest way to protect your IT systems is to upgrade to the latest version of MS Office. This will enable you to block the automatic running of macros and buy you some thinking time when you encounter a potentially malicious macro. As well as this measure, you should also ensure you’re following these best practices:

Always Verify Email Attachments: a common delivery method for malicious macros is through attachments included with phishing emails. This is why it’s crucial that you avoid opening macros in documents which have been received from unknown sources. As with all emails, it’s paramount that you verify the sender before interacting with any attachments.
Install All Security Updates: almost all software is regularly updated with security patches to prevent newly discovered vulnerabilities from being exploited. Macros are often used to facilitate the exploitation of software vulnerabilities, so it pays to be conscientious and install any security updates as soon as they’re available.
Use Anti-Malware Software: security suites, such as AVG, perform regular, automated scans of your PCs to identify any potential malware infections. In particular, many of these security suites target malicious macros, so they make a useful addition to your arsenal when targeting the threat of macros.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

A malware infection is always bad news but imagine being infected with multiple strains at once. Welcome to the new threat of malware cluster bombs.

Researchers at the cybersecurity firm KrakenLabs have revealed the dangers of a new malware technique launched by Unfurling Hemlock, a new threat actor group. Their malware cluster bombs have been verified as active in at least 10 countries, but most Unfurling Hemlock’s targets have been US-based. This attack has also been active for some time, with evidence of the earliest infections going back to February 2023.

The mere concept of malware cluster bombs is enough to worry any IT professional, so that’s why we’re going to delve a bit deeper and discuss how you can keep your IT systems safe.

Understanding Unfurling Hemlock’s Attack

This new attack starts, as with many malware attacks, through malicious emails or malware loaders. It would appear, perhaps to cover their own tracks, Unfurling Hemlock are paying other hackers to distribute their malware. The initial attack is focused around a malicious file named WEXTRACT.EXE. Within this executable is a collection of compressed cabinet files, each of which contains a strain of malware.

The final part of the attack comes when all of the malicious files have been extracted and are executed in reverse order. Each cluster bomb is believed to contain multiple strains of malware, so while the number is varied, the impact is always significant. Among these malware strains are a cocktail of different attacks, with botnets, backdoors, and info stealers all detected so far. Unfurling Hemlock’s ultimate aim, aside from causing digital chaos, is unknown, but KrakenLabs believe the threat actor may be harvesting sensitive data to sell.

The malware cluster bomb approach is innovative and effective for two reasons: the opportunities for monetization are increased and the multiple strains in use mean that persistence is enhanced. Ultimately, dropping ten strains of malware onto one device is more likely to provide opportunities for threat actors than a single strain.

Staying Safe from Malware Cluster Bombs

It’s clear that malware cluster bombs represent a serious threat to your IT infrastructure, and that’s why you need to keep your defenses secure. You can put this into action by following these best practices:

Regular Software Updates: ensure that all software, including operating systems and applications, is regularly updated and patched. Automated patch management tools can help make this easier, and Windows allows you to set automatic updates for Microsoft apps. Regular updates protect against known vulnerabilities and exploits which malicious actors often target with malicious files.
Antivirus and Anti-malware Solutions: always use reputable antivirus and anti-malware software across your network. These tools should be regularly updated to recognize and handle the latest threats. High-level security solutions will provide real-time protection, scanning, and removal of malicious files. This is conducted by regular scans and monitoring to ensure potential threats are detected and dealt with promptly.

Employee Education: carry out regular training sessions for employees to recognize phishing attempts, suspicious emails, and other potential threats. Training should include best practices for safe internet use, identifying social engineering tactics, and reporting suspicious activities. Your employees are your first line of defense, so it’s crucial you reduce the likelihood of attacks due to human error.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Polyfill Website Compromised with Malicious JavaScript

antivirus software, DNS Filtering, Malicious JavaScript, Ophtek, Polyfill, secure firewallAntivirus software, DNS filtering, malicious JavaScript, Ophtek, phishing, Polyfill, secure firewallOphtek, LLC

Jul 2024

The Polyfill.io website has been caught up in a supply chain attack, with the result that malicious JavaScript is now being supplied through the site.

Along with sites such as Bootcss and BootCDN, Polyfill has been compromised by threat actors and transformed into a malicious site. Typically, Polyfill was a treasure trove of JavaScript code which allowed the use of contemporary JavaScript functions in older browsers. The Polyfill domain was sold to a new firm at the start of 2024, and it appears the infected code was inserted into the JavaScript shortly after this. With Polyfill supplying JavaScript code to an estimated 110,000 websites, the potential for damage is high.

Understanding the Polyfill Attack

Unsuspecting web developers are downloading JavaScript code from Polyfill and incorporating it into their websites, under the understanding it will help their sites load in older browsers. However, the malicious JavaScript code now hosted on Polyfill does something very different. As JavaScript will be activated once a user loads an infected website, this means the malware is then downloaded to that user’s PC.

The main impact of this malicious JavaScript is a combination of data theft and clickjacking (where a user is tricked into clicking an element on a page). Some of the infected scripts also redirect users to malicious sites containing further malware, sports betting websites, and pornographic content. The attack has been significant, with notable victims affected including Intuit and the World Economic Forum.

The infected code has been difficult to analyze as security researchers have found it’s protected by high levels of obfuscation. By generating payloads which are specific to HTTP headers and only activating on certain devices, the malicious JavaScript has been difficult to pin down and examine. The attack has also been significant enough for Google to start banning Google Ads linking to the infected sites.

Protecting Your PCs from Polyfill

If your organization has used code from Polyfill.io in the past, it’s time to remove this code from your website. This is simplest and most effective way to minimize the threat to your visitors. Nonetheless, there’s much more you can do to stay safe from malicious websites:

Use Strong Firewall and Antivirus Solutions: you can protect against malicious websites by using comprehensive firewall and antivirus software, such as AVG and McAfee. These tools filter out harmful traffic, block access to known malicious sites, and detect suspicious activities. This combination of protection prevents malware infections and data breaches which can originate from unsafe web pages.

Employ DNS Filtering: access to malicious websites can be blocked at a network level by using DNS filtering services. By filtering out dangerous domains and websites known for malware distribution or phishing, these services provide an additional layer of security, preventing users from visiting harmful sites and protecting the integrity of your IT infrastructure.

Employee Education: training your employees to recognize phishing attempts, avoid suspicious links, and understand the importance of secure browsing habits is crucial. Regularly updated cybersecurity training programs ensure your staff can identify and avoid potential threats, reducing the risk of falling victim to malicious websites.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 3 … 12 Next »

SnipBot Malware Used to Steal Data from Victims

SambaSpy Targets Italian PC Users with Phishing Emails

Malicious Macros Target Old Versions of MS Office

Malware Cluster Bombs: A New Threat

Polyfill Website Compromised with Malicious JavaScript

Tag Archives: phishing