phishing Archives

Financial Firms Targeted by JsOutProx Malware

JavaScript Malware, JsOutProx Malware, malicious code, Ophtek, Phishing Email, ScriptSafe for ChromeJavaScript, JsOutProx, malware, Ophtek, phishing, ScriptSafeOphtek, LLC

May 2024

A new phishing campaign, launched in March 2024, has been targeting financial firms all over the world with the JsOutProx banking trojan.

The JsOutProx malware campaign was first detected by Visa, with their Payment Fraud Disruption team sending out security alerts to stakeholders about the threat. So far, the targets of the attack have been based in Africa, South Asia, and the Middle East. The identity of the threat actors behind the attack are currently unknown, but it’s speculated they may be China-based or receiving support from China.

Financial malware always has the potential to cause great damage to organizations and individuals, so it’s important you understand the threat posed by JsOutProx.

The Lowdown on JsOutProx

First detected online in 2019, JsOutProx provides remote access to infected PCs by way of a JavaScript backdoor. This foothold allows threat actors to carry out numerous malicious attacks within the infected system. These include downloading further malware, data harvesting, taking screenshots, executing files, and embedding itself deep within the target. Plugins are utilized to launch these attack methods, an indicator this is a sophisticated piece of malware.

JsOutProx relies on JavaScript to carry out its attacks, and this method has been employed to deceive targets. Whereas many PC users understand the threat of a specific file type – such as a Word document or .exe file – they’re less likely to have knowledge of the threat posed by JavaScript code. Additionally, JavaScript coding is unintelligible to many anti-malware tools, so it has the potential to go undetected by software expected to keep PCs secure.

How is the JsOutProx Attack Launched?

Using phishing email techniques, JsOutProx is distributed through emails purporting to be related to MoneyGram or SWIFT payment notifications. However, far from being from genuine financial institutions, the senders behind these emails only have malicious intentions. Once recipients have fallen for the bait in the phishing emails, the JsOutProx code is activated and allows the threat actors to position themselves within the infected PC. Once installed, JsOutProx adopts a number of functionalities to enhance its position, such as changing DNS settings, editing proxy settings, and bypassing User Account Control detection.

Protect Your PCs from JsOutProx

A significant proportion of internet users have access to online banking services, and this is why JsOutProx has maximized its chances of snaring victims. Thankfully, you don’t have to fall victim to JsOutProx and compromise the security of your PC. All you have to do is make sure you practice the following:

Scrutinize all emails: an email which relates to a payment notification will always grab attention, but it’s vital you scrutinize emails which seem too good to be true. Threat actors will use persuasive and attractive arguments to convince you a suspicious link has to be clicked. However, if you take the time to analyze links in emails – do this by hovering your mouse cursor over them to reveal the true destination of the link – you can quickly minimize your chances of falling victim to malware.

Protect your browsers from scripts: many malware attacks such as JsOutProx rely on scripts to launch their attack within browsers. Therefore, it makes sense to protect your browsers from malicious scripts. Luckily, this is a relatively simple task thanks to ready-made browser plugins such as ScriptSafe for Chrome. These browser extensions protect you by blocking unwanted content and providing alerts against blacklisted sites which are malicious.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Healthcare Industry Rocked by Major Hack

ALPHV, auto updates, Backup Strategies, BlackCat, Hackers, identify phishing, Ophtek, RansomwareALPHV, backup data, BlackCat, hackers, Ophtek, phishing, ransomware, updatesOphtek, LLC

Apr 2024

Healthcare data is some of the most sensitive data in existence, but a major hack has just affected up to 15 billion records.

Change Healthcare, who provide revenue and payment services for healthcare providers and patients, has announced that its systems have been compromised by threat actors. With Change Healthcare processing around 15 billion transactions a year, this represents a major attack. And the impact has already been felt. Healthcare providers have been struggling to charge for their services, while patients have been struggling to get their prescriptions issued. It’s a nightmare scenario for all involved and underlines the effect malware can have.

How Did Change Healthcare Get Hacked?

The precise details of how Change Healthcare was hacked has not, as yet, been revealed. However, we do know it was carried out by a ransomware group which goes by the names of ALPHV or BlackCat. Naturally, their trademark attack style involves ransomware, and it’s most likely that this was utilized in the Change Healthcare attack. With ransomware typically encrypting data, this is highly damaging for any service handling healthcare data. By encrypting patient records, the hackers would be severing a crucial flow of information.

The attack came on the 21^st February 2024, and Change Healthcare took down their systems on the same day. A week later, BlackCat announced they had been behind the attack. Details of a $22 million payment to the ransomware groups have also been revealed, although Change Healthcare are yet to confirm this was made by themselves. Prescription claim submissions and payment systems have recently been reinstated by Change Healthcare, but full access to their systems is unlikely to be restored until mid-March.

Who is BlackCat?

BlackCat has been active online since 2021 and, since then, has launched a series of audacious attacks. The group was linked to the Colonial Pipeline ransomware attack in 2021, and it also took responsibility for the MGM Casino attack in 2023. Headlines such as these didn’t go unnoticed, and in December 2023, the US Department of Justice set about disrupting BlackCat’s activities. Clearly, though, the resulting Change Healthcare attack has demonstrated how BlackCat was unharmed by this resistance.

Staying Safe from Ransomware

The threat of ransomware is well known, but the Change Healthcare attack is a big deal and acts as an important reminder to stay vigilant. With this in mind, we’re going to show you the best ways to stay safe from ransomware:

Regular software updates: ransomware often takes control of IT infrastructures due to software vulnerabilities. Accordingly, you need to make sure automatic updates are activated on your operating system. This ensures your software is updated as soon as an update is available, preventing you from running a network with open doors for threat actors.
Employee training: your employees are one of your most powerful forms of defense against ransomware threats. Therefore, regular training on cybersecurity threats such as identifying phishing emails, malicious websites, and understanding how to report cybersecurity incidents is vital. With this in place, you can rest assured your network is as secure as possible.
Regular, isolated backups: you need to regularly back up critical data and ensure that backups are stored in a secure, isolated location. Automated backup solutions can help ensure consistency and reliability in the event of your data being encrypted by ransomware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Threat actors have compromised 70,000 previously legitimate websites and created a powerful network capable of distributing malware.

Named VexTrio, this network of compromised websites appears to have started in 2017, but it’s only more recently that details around its activity have emerged. As well as distributing malware, the VexTrio network also utilizes phishing pages, and allows the VexTrio hackers to harvest login credentials. The campaign is a significant one, and one which is powerful enough to cause harm to anyone who gets caught up in its operations. Therefore, it’s time to take a look at the VexTrio campaign to see what we can learn.

Understanding the VexTrio Network

The VexTrio campaign relies on a malicious traffic distribution system (TDS) to lead unsuspecting internet users to compromised websites. A TDS is, in simple terms, a web application used to analyze and filter incoming traffic and, following the analysis, redirect it to a specific page. Typically, the activities of a TDS are facilitated by malvertising activities or malicious websites. VexTrio favors using malicious websites.

Working with a number of affiliates, many of whom offer access to hijacked websites, VexTrio has managed to amass a sizeable network over the last seven years. And VexTrio are very much the middle-man in the operation. For a fee, VexTrio will feed incoming traffic through their TDS and forward innocent victims towards the websites they’re mostly likely to be interested in. It’s very similar to legitimate advertising networks, but with a vicious sting in its tale.

The malicious websites which comprise the VexTrio network contain a wide range of threats. For example, one of the affiliates, known as ClearFake, tricks users into downloading what is claimed to be a browser update, but is little more than malware. SocGholish, another well-known malware threat, is part of the VexTrio network and uses it to push unauthorized access to corporate websites.

Don’t Fall Victim to VexTrio

The threat of VexTrio is a substantial one, and organizations need to be aware of the damage it can cause. Luckily, you can protect yourself and your IT systems by implementing the following best practices:

Use an adblocker: you can minimize the risk of being lured to a malicious website by installing an adblocker on your systems. Not only will this block annoying popups, but it will also block any malvertising threats from being activated. These adblockers are usually available as browser extensions e.g. Ghostery and AdBlock for Chrome.
Disable JavaScript: attacks launched through VexTrio often rely on JavaScript to execute their malicious tasks. Accordingly, disabling JavaScript will eliminate the chances of such an attack taking place on your system. However, JavaScript is essential for many legitimate websites, so it’s recommended that you allow it to run only on trusted sites.
Install anti-malware tools: if you install an anti-malware app, such as AVG, you benefit from tools which block malicious websites. These tools are connected to databases which are constantly updated to identify and block malicious websites, such as those featured in the VexTrio network.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Russian hackers are using a fake PDF decryption tool to trick innocent PC users into downloading Spica, a new strain of malware.

Discovered by Google’s Threat Analysis Group (TAG), Spica is a backdoor malware which has not been identified previously. It’s believed that the malware is the result of ColdRiver, a Russian hacking team with a proven track record in deploying malware. The attack, as with so many contemporary threats, is delivered by email and relies on malicious PDF files. Now, with close to 350 billion emails sent per day in 2023, it’s clear that email is hugely popular. And it’s estimated there are 2.5 trillion PDF files currently in circulation. Therefore, the chances of your business running into a similar attack is high.

The Threat of Spica

The Spica attack begins when the threat actors send a series of PDF files to their targets. Using phishing email techniques, they attempt to trick the targets into believing that these have been sent by legitimate contacts. These files appear encrypted and, if the target bites, they will email back to say they can’t open the files. This is where the threat actors are able to launch their payload.

By sending a malicious link back to the target, the threat actors can trick them into downloading what they claim is a decryption tool. However, this executable tool – going under the name of Proton-decryptor.exe – is far from helpful. Instead, it will provide backdoor access to the target’s PC. With this access in place, the malware can communicate with a control-and-command server to receive further instructions.

And Spica comes loaded with a wide range of weaponry. As well as being capable of launching internal shell commands on the infected PC, it’s also programmed to steal browser cookies, send and receive files, and create a persistent presence on the machine. Google believes that there are multiple variants of Spica, and the current targets of the malware seem to be high ranking officials in non-governmental organizations and former members of NATO governments.

Shielding Yourself from the Threat of Spica

While your organization may not be listed high on ColdRiver’s target list, the attack methods are familiar and could easily be launched against you at some point in the future. Therefore, it’s in your best interests to integrate the following advice into your cybersecurity measures:

Always double check attachments: with email attachments representing one of the surest ways to transmit malware, it’s vital you remain vigilant. If you have even the slightest inkling that something seems suspicious with an email from a known contact, don’t email them back. Instead, contact them by phone to confirm the email is genuine, as it may be that their email account has been hacked.

Check for spelling/grammar errors: phishing emails are prone to poor grammar and spelling, especially when they originate from non-English speakers. Accordingly, poorly composed emails should be scrutinized closely. Also, watch out for generic and unusual greetings such as “Dear customer” as these may indicate that the email is part of a mass-campaign against unknown targets.

Use email filters: by using email filters, often included with anti-malware software such as McAfee, you can provide your organization with an extra layer of security. Connected to databases which are regularly updated, these email filters can identify malicious files before they’re downloaded to your PC.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further.

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems.

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them.

BattleRoyal’s Malware Campaign

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users.

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence.

How to Stay Safe from BattleRoyal

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections:

Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails.
Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date.
Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 3 … 11 Next »

Financial Firms Targeted by JsOutProx Malware

Healthcare Industry Rocked by Major Hack

VexTrio Uses 70,000 Hijacked Websites to Spread Malware

Spica: New Malware Launched by Russian Hackers

DarkGate and NetSupport Malware is Surging

Tag Archives: phishing