Taiwan Businesses Targeted by Winos 4.0 Malware

malicious emails, National Taxation Bureau, Ophtek, Phishing, Silver Fox, Taiwan, Win 4.0, , , , , , ,
01
Apr 2025

A recent cyberattack has targeted Taiwanese companies using phishing emails which appear to be from Taiwan’s National Taxation Bureau.

In this attack, cybercriminals sent phishing emails to businesses in Taiwan, pretending to be officials from the National Taxation Bureau. These emails contained malicious attachments designed to infect victims’ computers with malware. The threat actors’ aim was to steal sensitive information and gain unauthorized access to IT infrastructures, enabling the attackers to have easy access to secure data.

How Did the Winos Attack Unfold?

The threat actors created emails which, at a quick glance, appeared official and claimed to provide a list of companies scheduled for tax inspections. The recipients were urged to download a zip file containing this list. However, contained within this ZIP file was a dangerous DLL file named lastbld2Base.dll. Once this file was activated, it set in motion a series of malicious actions – the most prominent of which was to download the Winos 4.0 malware. Winos 4.0 allowed the threat actors to take screenshots, record keystrokes, and remotely execute commands on the infected devices.

Once installed, Winos 4.0 gave the attackers deep access to the compromised systems. This access made the malware a powerful tool for carrying out espionage, especially given that the main targets appeared to be corporate businesses. These types of targets allowed the threat actors to gain access to huge amounts of personal data, rather than targeting individuals one at a time to harvest such data.

Security researchers believe that a hacking group known as Silver Fox are the perpetrators behind the attack. Silver Fox has a history of targeting Chinese-speaking users and has previously been observed using fake software installers and malicious game optimization apps to deceive victims.

Protecting Yourself from Such Attacks

This incident is further evidence that phishing campaigns are becoming more deceptive and underlining the importance of social engineering tactics for hackers. Many people glance over their emails quickly and, if they see an official and trusted government logo, the chances are that they’ll believe it’s genuine. However, it’s important that you and your employees stay safe, so make sure you practice the following:

  • Be Careful with Email Attachments: Always double check the authenticity of and email before downloading or opening email attachments, especially if they are unexpected or urge you to perform a specific action. If an email claims, for example, to be from a government agency, visit the official website to confirm its legitimacy before opening any attachments.
  • Keep Software Updated: Regularly updating your operating system and security software is crucial for protecting your PCs against known vulnerabilities. Many cyberattacks take advantage of outdated software with numerous vulnerabilities, so keeping your system up to date should be a priority at all times.
  • Educate Employees: Ensuring that your staff can recognize phishing attempts is crucial in 2025, as is carrying out safe email practices to prevent accidental exposure to malware or malicious links. Implementing cybersecurity awareness programs should be a priority for your IT inductions. Regular refresher courses should also be to help consolidate this learning.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Google Ads Used to Push Fake Google Chrome Installer

google ads, Google Chrome, malware, Ophtek, SecTopRat, security software, security_updates, , , , , ,
25
Mar 2025

Cybercriminals are exploiting Google Ads to distribute malware disguised as a genuine Google Chrome installer, tricking users into downloading the malware.

Threat actors are always innovative, and this recent attack underlines exactly why you need to be on your guard when online. Attackers have been purchasing ads which appear when PC users search for popular software downloads e.g. Google Chrome. Unfortunately, the ads which are served up lead to dangerous websites which closely resemble official download pages. This deception tricks users into downloading and installing malware.

As we spend a high proportion of our work time online, we’re going to dig deep into this attack to see what we can learn.

How Can Google Ads Compromise Your PC?

In this attack, users searching with terms such as “download Google Chrome” might find themselves confronted with a sponsored ad at the top of their search results. This ad can, at first, appear genuine, often having a URL which includes “sites.google.com” – a Google platform used to build free websites. Accordingly, users feel confident that these pages are official and trustworthy, especially when they look very similar to official download sites.

Once a user clicks the ad, they’re redirected to a malicious page which is a highly convincing imitation of the official Google Chrome download site. This page urges users to download a file named “GoogleChrome.exe” and, so far, everything appears as you would expect. With nothing unusual to suspect, users make the decision to trust the page, download the file, and then launch it.

However, once executed, the installer begins to act suspiciously. Firstly, it connects to a remote server to retrieve additional instructions. Secondly, it requests that they user grants it administrative privileges to assist in completing the download. At this point, alarm bells should start ringing, but most users still feel as though the software can be trusted. Once administrative privileges are granted, the installer executes a PowerShell command which prevents Windows Defender from scanning the malware’s location, enabling it to operate quietly in the background.

A further file is then downloaded to the BackupWin directory and, masquerading under the name of a genuine piece of software, opens up a communication channel with the threat actors’ remote server. The malware used is SecTopRAT, a Remote Access Trojan which allows the attackers to take remote control of the infected system and steal sensitive data such as capturing keystrokes, accessing files, and recording user activities.

Protecting Against the SecTopRAT Threat

Your employees are busy with their daily tasks and, therefore, it’s easy for them to have a lapse of judgement and quickly click on something they believe to be genuine. However, this can be disastrous for your IT infrastructure, so it’s crucial that your staff are mindful of the following:

  • Be Cautious of Sponsored Ads: Just because an ad is that the top of the search results, this doesn’t mean it can be trusted. This is why it’s important to always verify the authenticity of a URL before clicking it. Check for any unusual spellings or, to be fully safe, navigate directly to the official website for that software.
  • Only Download from Official Sources: The best approach is to always head straight to the developers website rather than trusting other online sources. Aside from sponsored ads, it’s critical that your team avoids downloading via links in emails or through torrent sites – both of these sources often lead to nothing but malware.
  • Keep Your Security Software Updates: One of the simplest ways to thwart attackers is to make sure your security software is up to date. This software regularly scans your system for threats, but it needs to be updated as soon as possible to detect the latest threats.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Fake Job Scam Used to Serve Up Malware

fake recruiters, Linkedin, malicious websites, Ophtek, phishing_email, update security software, verify identities, webcams, , , , ,
28
Jan 2025

Threat actors are highly innovative – one recent attack tricked victims into addressing fake webcam and microphone issues to gain system access.

We’re constantly advised to be aware of phishing emails, infected documents, and malicious websites, but what happens when threat actors take a different approach? Well, they increase their chances of breaching your defenses. This is why it’s crucial to keep up to date with developments in the world of cybersecurity. This latest attack targeted professionals on LinkedIn, but it could easily be used in other environments.

Ophtek wants to keep you secure from these types of threats, so we’re going to summarize this attack and show you how to stay safe.

The Interview from Hell

Job interviews are always stressful affairs, but at least they don’t hit you financially. However, there is an exception – the LinkedIn attack. With 1 billion members, LinkedIn is hugely popular and this makes it the perfect target for a threat actor.

Victims are approached on LinkedIn by fake recruiters who claim to be working for crypto firms such as Kraken and Gemini. On offer is the opportunity of a number of high-ranking roles at these firms, and the victims has been specially chosen to apply. Victims who take the bait and then posed a series of long-form questions relating to the crypto industry e.g. which crypto trends will have the most impact in the next 12 months.

It may, at first, seem like any other job interview, but the final question posed requires an answer filmed on video. This is where the breach begins. The threat actor will issue an error message stating that there’s an access issue for the victim’s camera and microphone. The problem is apparently caused by a cache issue but, luckily, the ‘interviewer’ has a set of instructions to fix the error. Unfortunately, following these instructions simply hands the threat actor access to the victim’s PC, where their crypto wallet is likely to be targeted.

How to Stay Safe on LinkedIn

You may have a LinkedIn account, and even if you don’t, it’s important that you know how to defend against a similar attack. The three main ways you can protect your PC are:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

What is a BYOVD Attack and How Can You Stay Safe?

BYOVD, cryptojacking, data theft, DDoS attacks, driver whitelisting, drivers, educate staff, Hacking, Ophtek, Updates, , , , , , , , ,
24
Dec 2024

One of the recent developments in hacking has been the Bring Your Own Vulnerable Driver (BYOVD) attack, but what is it and how do you defend against one?

By now, the Ophtek blog should have informed you about ransomware, trojans, and cryptojacking, but we’ve rarely mentioned the dangers of a BYOVD attack. In the past, BYOVD attacks were mostly carried out by only the most sophisticated threat actors, but they’re now becoming increasingly popular with even basic bedroom hackers. Therefore, today is the day we remedy this and provide you with a fully comprehensive look at BYOVD attacks and how you can stay safe.

The Role of Drivers within Your PC

Before we dig deep down into the mechanics of a BYOVD attack, it’s important that you understand what’s at the heart of their malicious activities: drivers. You’ve no doubt heard of drivers in passing, but it’s only the most die-hard PC user who would fully understand what they do. Their main role is as a file used to support software applications. They work by acting as a bridge between an operating system and a device e.g. between Windows and a graphics card.

Without drivers, your PC simply wouldn’t work. From your display through to your speakers and printer, there would be no way for your operating system to communicate with these devices. This makes drivers a crucial part of any PC, but it also means they’re ripe for cyberattacks.

Breaking Down a BYOVD Attack

We’re all aware of software vulnerabilities, and a BYOVD is a unique take on this method of hacking. In a BYOVD attack, threat actors will trick their victims into downloading outdated, vulnerable drivers onto their PC. This could be through phishing emails or pop-up adverts, with the main objective of getting these unsafe drivers downloaded onto a PC along with a nasty dose of malware. With these vulnerable drivers in place, threat actors can take control of the infected PC.

BYOVD attacks are dangerous for the following reasons:

  • Data Theft: With BYOVD attacks capable of bypassing your security software, they not only have easy access to all your data but can effortlessly transmit it to remote servers.
  • Install Further Malware: IT systems with vulnerabilities exploited are at risk of having further malware installed on them. So, for example, a threat actor could first gain access to your system before downloading further malware to facilitate DDoS attacks or support cryptojacking.
  • Damage Your Productivity: A BYOVD attack can quickly render your IT systems unusable due to the capabilities of drivers. By exploiting the deep access and reach drivers have, threat actors have the opportunity to disable network components, corrupt system files, and damage hardware.

You can find out more specifics of the impact of a BYOVD attack by checking out our article on the EDRKillShifter malware.

Protecting Your IT Systems from BYOVD Attacks

You may have been unfamiliar with BYOVD attacks, but you should now have a basic understanding of how they operate. The next step is to protect yourself by implementing these security practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Infostealers: What They Are and How to Stay Protected

Infostealers, malicious sites, malware, Ophtek, Phishing Email, SambaSpy, security software, SnipBot, software updates, , , , , , , ,
03
Dec 2024

Infostealer malware is frequently referenced as the go-to weapon for threat actors, but what is it? And how do you protect your IT systems from it?

You only have to take a quick look over the Ophtek blog to understand the popularity of infostealers in modern hacking. From fake Zoom sites through to SnipBot and SambaSpy, threat actors are determined to get their hands on your sensitive data. Infostealers, therefore, present an everyday threat to PC users and it’s crucial you understand their methods and impact.

Luckily, Ophtek has your back, and we’re going to take a deep dive into infostealers to equip you with the knowledge you need to stay safe.

What is an Infostealer?

The main objective of all infostealer malware is to harvest confidential data from a compromised system. With this stolen data, threat actors have the opportunity to conduct numerous crimes such as identity theft or financial damage. This makes infostealer malware such a serious threat, especially in the age of big data, where organizations hold huge amounts of data on their IT systems. As with most modern malware, infostealer has strong stealth capabilities, allowing it to operate in the background without being detected and strengthening its impact.

The Danger Behind Infostealers

Infostealers can be individual malware threats or part of a more extensive suite of malware applications. Whatever their method, infostealers tend to focus on stealing the following data:

  • System login credentials
  • Social media and email passwords
  • Bank details
  • Personal details

All of these data categories have the potential for serious damage e.g. hacking someone’s personal emails and reading confidential information or clearing someone’s bank account out. From a business perspective, infostealers also have the potential to gain access to secure areas of your IT infrastructure and compromise the operations of your business. All of this data is taken directly from your servers and then discreetly transmitted to a remote server set up by the threat actors.

How Do Infostealers Strike?

Threat actors have developed numerous strategies to launch successful infostealer attacks with the two most common methods being:

Protecting Your Systems Against Infostealers

Despite the threat of infostealers, it’s relatively easy to stay safe and protect your systems from them. All you need to do is follow these best practices:

  • Be Wary of Suspicious Emails: Any emails which ring even the slightest alarm bell should be closely scrutinized. If something about the wording doesn’t sound quite right, or there’s a sense of urgency to commit to an action, the chances are that this could be a phishing email. In these instances, don’t click anything and, instead, contact an IT professional to review the content.
  • Always Update Your Software: One of the easiest ways for threat actors to deploy infostealers on your system is through software vulnerabilities. No piece of software is perfect, and they often contain weak spots which can be exploited. However, as these vulnerabilities are picked up by the developers, security patches are issued to remedy these weak spots. Accordingly, installing these updates should be a major priority.
  • Install Security Software: There are numerous security packages available such as AVG and Kaspersky which monitor your systems in real time and can block malware threats instantly. This automatic defense enables you to stay safe from infostealers and keeps your networks healthy and productive.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 11