A new malware campaign, targeting finance and insurance sectors, is using infected GitHub repositories to distribute the Remcos remote access trojan (RAT).

GitHub is an online platform which allows software developers to store and share code online. It’s like an online hard drive, but one which is specifically dedicated to coding projects. It’s main use is to foster collaboration between developers and track changes in their code as it evolves. However, as it’s a trusted source, it makes it the perfect target for hackers. On this occasion, the threat actors haven’t been starting malicious repositories. Instead, they’ve been taking advantage of the comments section in legitimate repositories.

The Dangers of GitHub Comments

The GitHub attack in question appears to be targeting genuine open-source repositories, with those affected including HMRC, Inland Revenue, and UsTaxes. These are well-known and trusted repositories. Users wouldn’t expect to be infected by malware visiting these, whereas lesser known and newer repositories pose more of an obvious risk. So, how are the threat actors compromising these accounts? Well, they’re uploading malware files into the comments section.

Although the comment is deleted, the link to file stays in place. Phishing emails are then used to redirect users to the infected link on GitHub. Again, as GitHub is a genuine, trusted platform, these phishing emails are not detected as being suspicious. This puts the recipient at risk of unknowingly downloading and executing the Remcos RAT. This RAT allows threat actors to remotely take control of an infected PC. From here, they can steal your data, execute further commands on your system, and monitor all your activity. This makes the attack highly dangerous and follows in the footsteps of numerous GitHub attacks in the last year.

Staying Safe from Malicious Comments

Your employees may not have anything to do with software development, but the Remcos RAT relies on phishing techniques which could easily deceive them. Therefore, you need to ensure your employees stay safe from this innovative threat. The best way to achieve this is by following these best practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A new variant of the Bandook malware has been discovered which targets Windows PCs, so it’s crucial you know how to deal with it. 

From its earliest detection in 2007, Bandook has been a capable strain of malware. Being a remote access trojan, Bandook’s main objective has always been to take control of infected PCs. However, following a period of inactivity, the malware has recently started a new campaign aimed at a wide range of industries in different locations. And once Bandook takes control of a compromised PC, it can not only launch further malware attacks, but also steal whatever it wants from the PC. 

What is the Bandook Malware Attack? 

Bandook’s latest campaign starts with a phishing email, one which uses an infected PDF file. Within this file, there is a link which directs users towards a .7z file – a compressed, archive file. Prompted to enter a password – which is detailed in the original PDF file – to access the .7z archive, the victim will unwittingly activate the malware. Once Bandook is active, it will take advantage of the Msinfo32 application – typically used to collate system data – and edits the Window Registry to remain active on the infected PC. 

With Bandook fully established on the victim’s PC, Bandook opens a communication channel with a remote command-and-control server. This allows Bandook to receive further instructions from the threat actors behind the attack. From here, Bandook is able to establish additional malware payloads on the PC, and give full control of the PC over to the remote threat actors. This means that the hackers can steal data, kill active processes on the PC, execute applications, and even uninstall the Bandook malware to cover their tracks if necessary. 

How Do You Stay Safe from Bandook? 

As with many contemporary threats, Bandook relies on a momentary lapse of judgement from the recipient of their initial email. The impact of a single phishing email can lead to devastating results, so it’s essential your staff understand all the telltale signs of a phishing email. With this information at their fingertips, they’re significantly less likely to unleash malware across your IT infrastructure. 

But what else can you do? After all, no organization is 100% secure, and it’s likely your defenses will be breached at some point in the future. Well, you can make sure that you identify a breach and minimize its impact by practicing the following: 

  • Use anti-malware tools: security suites such as AVG and McAfee represent fantastic tools for protecting your IT infrastructure. As well as carrying out deep scans across your systems for malware, they also feature tools to block malicious websites and can scan files before they’re downloaded to verify their safety. 
     
  • Monitor network activity: one of the surest signs of a systems breach is, as featured in the Bandook attack, unusual network activity. Therefore, you should regularly monitor your network activity to identify unusual patterns e.g. prolonged communication with unknown destinations along with downloads from unidentified sources. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Webmail remains a crucial way in which you can keep on top of your digital communication, but what happens when people start spying on it?

While AOL email addresses are far from a popular choice in 2021, there are still significant numbers in use. Gmail, however, is much more in demand, with an estimated 1.8 billion users. So, it doesn’t take a genius to see why these platforms would turn a hacker’s head. Protecting such huge amounts of data, therefore, should be paramount. Unfortunately, both AOL and Gmail have fallen short in this respect due to a malicious browser extension. And the main impact of this is that their users have found their webmail accounts compromised.

With such significant data passing through webmail accounts, it’s important that you understand any relevant threats. This slice of malware – dubbed SHARPEXT – is the perfect example of one you need to be on your guard against, so let’s take a look at it.

How Does SHARPEXT Peer Over Your Shoulder?

The infected browser extensions are believed to target three specific browsers: Chrome, Edge and Naver Whale (a South Korean browser). Judging by the evidence on offer, security researchers have determined that SHARPEXT is the work of a North Korean cybercrime group known as SharpTongue. Once the malicious browser extension is activated, it works in a novel way. Whereas similar strains of malware focus on harvesting login credentials, SHARPEXT browses its victims mail and extracts individual emails from the inbox.

You may be wondering how the SHARPEXT extension finds its way into your browser, after all, who would knowingly install a sophisticated piece of spyware on their PC? Well, as ever, it’s down to a stealthy approach by the threat actors. After sending the victim an infected document, SharpTongue use social engineering techniques to convince the recipient to open it; this installs the spyware in the background, where it remains unseen by antivirus software.

How Do You Avoid the Threat of SHARPEXT?

No one wants their email compromised and, for an organization, this can be particularly troubling due to the data at risk. And SHARPEXT is unlikely to be the last attack which uses similar techniques. Therefore, it’s vital that you know how to protect yourself and your PC against it:

  • Understand the threat of phishing emails: it’s important that your staff know how to identify a phishing email; these are one of the most common methods employed by hackers to compromise PCs. A phishing attack can be activated in seconds and, in a worst-case scenario, turn over complete control of a PC or network to a hacker.
  • Block any SHARPEXT identifiers: the coding used within SHARPEXT is innovative as it uses coding unfamiliar to security tools. Thankfully, security experts Volexity have compiled a list of identifying code which IT professionals can use to identify extensions running SHARPEXT.
  • Restrict the Installation of Extensions: in a work-based setting, there’s little reason for your employees to be installing browser extensions onto their PCs. Accordingly, it makes sense for your organization to restrict who can install extensions. If a specific extension is required, then an employee should submit a request to their IT team.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More