News Posts matching #Malware

Return to Keyword Browsing

Reports Warn of Pirated Windows 10 ISOs Containing Dangerous Malware

According to a report published by Bleeping Computer last week and research conducted by the Doctor Web team, nefarious online organizations are distributing Windows 10 ISO files laced with extremely dangerous clipper malware variants. Microsoft ceased direct sales of licenses for its last gen operating system earlier this year, and a select bunch of folks are resorting to grabbing copies (for free) from pirate sources. The Doctor Web alert states: "(we) discovered a malicious clipper program in a number of unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan app substitutes crypto wallet addresses in the clipboard with addresses provided by attackers. As of this moment, malicious actors have managed to steal cryptocurrency in an amount equivalent to about $19,000 (USD)."

It continues: "At the end of May 2023, a customer contacted Doctor Web with their suspicion that their Windows 10 computer was infected. The analysis our specialists carried out confirmed the presence of trojan applications in the system. These were Trojan.Clipper.231 stealer malware as well as the Trojan.MulDrop22.7578 dropper and Trojan.Inject4.57873 injector, which were used to launch the clipper. Doctor Web's virus laboratory successfully localized all these threats and neutralized them." It seems that hackers are hiding cryptocurrency hijackers within Extensible Firmware Interface (EFI) partitions, thus evading detection by antivirus software(s).

Bad Week for MacOS Security: Two New Malware Threats Identified

As market share of Apple's ARM based Mac computers has increased, so too have efforts to compromise them by previously uninterested hacker groups. A recent string of malware created specifically for macOS has shown that these groups are turning their gaze toward the generally well protected Mac ecosystem. One of these new malware threats, discovered by Jamf Threat Labs and dubbed 'RustBucket,' acts as a simple third-party PDF viewer. The application itself does nothing malicious until a specific PDF is opened which includes an encoded key that triggers a connection to be made between the attacker's server and the victim's Mac, and a small malicious payload to be downloaded. The initial payload begins running system recon commands to determine the machine information, and then downloads a third stage payload which gives the attackers further access to the underlying operating system. All stages after the user opens the PDF are run silently in the background. The PDF viewer used as the catalyst for this hack does require manually overriding Apple's Gatekeeper as it carries no signature, so the obvious step to mitigate this attack is to not use third-party apps or services aside from those curated on Apple's App Store.

The second macOS malware of the week was discovered by Cyble Research and Intelligence Labs (CRIL) being offered for a paltry $1,000 USD per month on a Telegram channel, with the malware going by the name "Atomic macOS Stealer" or "AMOS." This malware has capabilities to scrape keychain passwords, system information, files from the desktop and documents folders, the macOS user password, browser auto-fills, passwords, cookies, wallets, and stored credit card info. The malware is especially adapted to go after cryptowallets with Cyble citing examples such as Electrum, Binance, Exodus, Atomic, and Coinomi. Cyble notes that they've seen the malware receiving active development to improve its capabilities and the threat actors even offering management software and web panels for keeping track of victimized machines, all with a logging system that dumps to Telegram. The current attack vector is a simple Golang.dmg file which installs the malware, so this does appear to require direct machine access. However once installed, "AMOS" does its handiwork without detection and sends a compressed file off to the attacker's server with all the information it collected.

Microsoft Fixes Windows Defender Bug After Five Years of Firefox Slowdowns

Microsoft's Window Defender engineering team has finally found the time to address a long term bug within its anti-malware software - relating to performance issues with Mozilla's Firefox web browser. User feedback stretching back to five years ago indicates extremely sluggish web surfing experiences, caused by a Windows "Anti-malware Service Executable" occupying significant chunks of CPU utilization (more than 30%). The combination of Firefox and Windows Defender running in parallel would guarantee a butting of (software) heads - up until last week's bug fix. A Microsoft issued update has reduced the "MsMpEng.exe" Defender component's CPU usage by a maximum of 75%.

Microsoft and Mozilla developers have collaborated on addressing the disharmonious relationship between Defender and Firefox. A plucky member of the latter's softwareengineering team has been very transparent about the sluggish browser experience. Yannis Juglaret has provided a string of project updates via Mozilla's Bugzilla tracking system - one of his latest entries provide details about the fix: "You may read online that Defender was making too many calls to VirtualProtect, and that global CPU usage will now go down by 75% when browsing with Firefox. This is absolutely wrong! The impact of this fix is that on all computers that rely on Microsoft Defender's Real-time Protection feature (which is enabled by default in Windows), MsMpEng.exe will consume much less CPU than before when monitoring the dynamic behavior of any program through Event Tracing for Windows (ETW). Nothing less, nothing more."

MSI Afterburner Laced with Malware Circulating in the Wild

MSI Afterburner is arguably the most popular graphics card overclocking utility, and the best place to find it is the MSI website. There are several other sites that redistribute the utility, many of them are trustworthy PC enthusiast tech publications; but some of them are not. There are some dubious websites that are using SEO techniques and ad-placements to find their way into online search results, appearing to be download mirrors for MSI Afterburner. While some of these sites are just in it for some web-traffic ad revenue, others downright spoof the MSI website (i.e. are visual clones), and host redistributables of Afterburner, only these have a more sinister motive—to infect you with malware.

Cybersecurity researchers at Cyble identified such spoof websites that are visually identical to the MSI website; which host modified versions of the Afterburner software laced with malware. This malware can infect your PC with a multitude of bad stuff, including cryptojacking (using your PC's system resources to mine cryptocurrency for the attacker); and data-theft. Cyble deconstructed the malware-laced Afterburner installer in a bid to identify its nature. Apparently it uses Monero XMR miner software to mine cryptocurrency. Apparently the attacker repackaged Afterburner into a custom installer that, in addition to installing Afterburner, fetches XMR miner from the Internet and infects Windows Explorer (explorer.exe) with a cryptojacking payload. The easiest way to avoid this is sticking to known sources such as the MSI website (www.msi.com); or known websites authorized to redistribute Afterburner. If infected, SFC (system file checker), coupled with Windows Defender or other popular antivirus software should help.

Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm

If you own an Asus 802.11ac/WiFi 5 router, you might want to make sure your firmware is up-to-date, as several models are at risk of being infected by a Russian botnet malware. The group behind the worm, which goes under the name of Cyclops Blink, is Sandworm APT, the same group that created the VPNFilter botnet a few years ago. Cyclops Blink was detected by Trend Micro and although it seems it doesn't cause any direct harm to the network behind the router it infects at this point in time, it is a persistent malware and is believed to be a first of its kind. Unlike most malware that attack routers, the Cyclops Blink worm can save itself to the flash memory in the router, so even a factory reset won't wipe it off.

That said, a firmware flash will remove it and according to a security bulletin from Asus, the company advises all of its customers to install the latest firmware. On top of this, Asus also recommends to turn off remote management, if enabled and to change the admin login credentials and make sure to use a complex password. However, the company doesn't have an update that is guaranteed to prevent the malware from infecting their products, since at this point in time, it's unclear how the Cyclops Blink worm infects routers. Prior to the Asus routers listed below getting attacked, the malware was mainly going after WatchGuard Firebox devices, which are generally only used by businesses. Based on the information provided by Trend Micro, it looks like Asus is unlikely to be the only brand of routers that will be targeted by the malware, so even if you don't own an Asus router, it would be a good idea to make sure your firmware is up to date. Another option would be to install a third party firmware, although the Merlin firmwares for Asus are also likely to be affected, based on comments by the authour of the firmware over on the Small Net Builder forums.

Malware On the Prowl Using Stolen NVIDIA Code Signing Certificates

Stolen code-signing certificates of NVIDIA scored from the recent cyber-attack, are being used to develop a new breed of malware that can appear "trustworthy" to Windows PCs. The code-signing certificates leaked to the web as part of the hacker group expired in 2014 and 2018, but Windows PCs are still able to see them as being used for signing drivers. One such malware that hit anti-virus provider VirusTotal, is a variant of the Quasar RAT (remote-access trojan), signed with NVIDIA certificates. A RAT works in the background, granting remote-access to your machine to an attacking group with read-write access, who can then do anything from stealing data or holding it to ransom by encrypting it.

SonicWall Threat Intelligence Confirms Alarming Surge in Ransomware, Malicious Cyberattacks as Threats Double in 2021

SonicWall, the publisher of the world's most quoted ransomware threat intelligence, today released the 2022 SonicWall Cyber Threat Report. The bi-annual report details a sustained meteoric rise in ransomware with 623.3 million attacks globally. Nearly all monitored threats, cyberattacks and malicious digital assaults rose in 2021 including: ransomware, encrypted threats, IoT malware and cryptojacking. "Cyberattacks become more attractive and potentially more disastrous as dependence on information technology increases," said SonicWall President and CEO Bill Conner. "Securing information in a boundless world is a near impossible and thankless job, especially as the boundaries of organizations are ever-expanding to limitless endpoints and networks."

SonicWall Capture Labs threat researchers diligently tracked the dramatic rise in ransomware, recording an astounding 318.6 million more ransomware attacks than 2020, a 105% increase. Ransomware volume has risen 232% since 2019. High-profile ransomware attacks impacted businesses, state and federal governments, schools, hospitals and even individuals. Attacks hit supply chains, causing widespread system downtime, economic loss and reputational damage. Following global trends, all industries faced large increases of ransomware volume, including government (+1,885%), healthcare (755%), education (152%) and retail (21%).

Hackers Innovate Way to Store and Execute Malware from Video Memory to Evade Anti-Malware

Cybercriminals have innovated a way to store malware code inside GPU dedicated memory (video memory), and execute code directly from there. Execution from video memory may not be new, but they've mostly been confined to the academic space, and unrefined. This would be the first time a proof-of-concept of a working tool that injects executables to video memory, surfaced on a hacker forum.

The tool relies on OpenCL 2.0, and its developers claim to have successfully tested it on Intel Gen9, AMD RDNA, NVIDIA Kepler, and NVIDIA Turing graphics architectures (i.e. UHD 620, UHD 630, Radeon RX 5700, GeForce GTX 740M, and GTX 1650). What makes this ingenious is that the malware binary is stored entirely in GPU memory address-space and is executed by the GPU, rather than the CPUs. Conventional anti-malware software are only known to scan the system memory, disks, and network traffic for malware; but not video memory. Hopefully this will change.

QNAP NAS Affected by Qlocker Ransomware, Company Advises Immediate Action to Secure Your Data

QNAP Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to recent user reports and media coverage that two types of ransomware (Qlocker and eCh0raix) are targeting QNAP NAS and encrypting users' data for ransom. QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices.

QNAP has released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack. If user data is encrypted or being encrypted, the NAS must not be shut down. Users should run a malware scan with the latest Malware Remover version immediately, and then contact QNAP Technical Support at this page.

Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

Cybersecurity research firm Eclypsium published a report titled "Screwed Drivers," chronicling a critical flaw in the design of modern device driver software from over 40 hardware manufacturers, which allows malware to gain privilege from Ring 3 to Ring 0 (unrestricted hardware access). The long list of manufacturers publishing drivers that are fully signed and approved by Microsoft under its WHQL program, includes big names such as Intel, AMD, NVIDIA, AMI, Phoenix, ASUS, Toshiba, SuperMicro, GIGABYTE, MSI, and EVGA. Many of the latter few names are motherboard manufacturers who design hardware monitoring and overclocking applications that install kernel-mode drivers into Windows for Ring-0 hardware-access.

As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks exploiting device drivers, RWEverything, LoJax (first UEFI malware), SlingShot. At the heart of these are the exploitation of the way Windows continues to work with drivers with faulty, obsolete, or expired signing certificates. Eclypsium hasn't gone into the nuts-and-bolts of each issue, but has briefly defined the three in a DEF CON presentation. The firm is working by several of the listed manufacturers on mitigations and patches, and is under embargo to put out a whitepaper. RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It works in user-space, but with a one-time installed signed RWDrv.sys kernel-mode driver, acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers with read/write MSR to bypass driver signing enforcement to install a rootkit.

Kaspersky: Most Cyber Attacks Directed at Microsoft Office in Q4 2018

Having the world's most pervasive operating system (or office suite) is sure to leave a big mark on any company when it comes to exploitation attempts from hackers. It's a simple equation: aim your efforts at a software that runs in millions (if not billions) of machines and even a light chink in the armor could be enough to cause a cascading effect through that many users.

This principle applies to almost everything: a small effect across a billion users usually provides greater returns than a large effect on one or two players. Kaspersky labs on its security report, presented at the Security Analyst Summit, reported that the favorite target for cyber attacks was Microsoft's Office suite - a 70% figure suggests an incredible attention given to Office, really. These Office-related cyber attacks don't directly relate to the suite itself; there are other, OS-integrated components that can be targeted, or simply that Office file extensions are used as clever, headache-inducing ways of disguising malware as the second greatest evil in the world - spreadsheets.

Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers

In a chilling reminder of just why system software should always be manually updated and never automatically, Vice Motherboard citing Kaspersky Labs reports that hackers have compromised the Live Update servers of ASUS, making them push malware to thousands of computers configured to fetch and install updates automatically. These include not just PC motherboards, but also pre-builts such as notebooks and desktops by ASUS. Smartphones and IoT devices by ASUS are also affected. Hackers have managed to use valid ASUS digital certificates to masquerade their malware as legitimate software updates from ASUS.

Kaspersky Labs says that as many as half a million devices have fallen prey to malware pushed to them by ASUS. The cybersecurity firm says it discovered the malware in January 2019 when implementing a new supply-chain detection technology, and informed ASUS by late-January. Kaspersky even sent a technically-sound representative to meet with ASUS in February. Kaspersky claims that ASUS has since been "largely unresponsive since then and has not notified ASUS customers about the issue." ASUS is already drowning in bad-rep from the PC enthusiast community for its Armoury Crate feature that lets motherboard BIOS push software to a Windows installation through an ACPI table dubbed "the vendor's rootkit," which ASUS enabled by default on new motherboards. Who knows what recent motherboard BIOS updates have pushed into your PC through this method.

Snail Mail Malware: Chinese Hackers Go Old School

In today's world, data breaches, phishing attacks, malware, and exploits are a daily occurrence. We are all familiar with the typical phishing emails that grace our inbox day in day out. You might even get a phone call from a fake Microsoft tech support employee, who attempts to gain access to your system. However, in our always-online world, it is a bit surprising to hear about hackers that would decide to use snail mail. In what will likely elicit a few giggles, U.S. state and local government agencies, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued an alert, in what I can only describe as an attack from the stone age; malware infested CDs.

US and UK Government Websites Infected with Crypto-mining Malware

Potentially thousands of websites operated by various government ministries, departments, and statutory agencies, of the United States and the United Kingdom, could be infected with crypto-currency mining malware. The already infamously slow government websites, often crippled with bandwidth and hosting deficiencies, not to mention webpage design that's often behind web standards, are now embedded with crypto-miners thanks to outdated accessibility software.

Most government websites implement a web-based text-to-speech software called Browsealoud. Outdated versions of the software can be surreptitiously infected with crypto-mining scripts, by exploiting a vulnerability in the way the software dials home to the text-to-speech server. The scripts slow down computers by forcing them to mine crypto-currency for unauthorized people. Browsealoud has been developed by British software company Texthelp, which is reaching out to all its customers to update to the latest version of their software. It's always handy to have mining script blocking browser extensions.

Web Cryptocurrency Mining Evolves: Now Keeps Running After Closing Browser

Well, after users think they've closed their browsers, more specifically. Researchers form anti-malware provider Malwarebytes have discovered a new form of web-based cryptocurrency mining that has a stealth-like approach to running mining code, which might cause less attentive users' machines to keep mining even after their web browsers have been closed. This is done via an utterly simple method, really: upon opening a malicious web page that has been coded to make users' machines mine cryptocurrency, the web page opens a pop-up window that is minimized behind the Windows Taskbar's clock. It's ingeniously simple - but could be surprisingly hard to detect, and could mean that the mining process will actually keep on using CPU cycles and mining crypto indefinitely until the next system reboot.

Several Critical Ukrainian Targets Hit by "Petya" Ransomware, Fear of Outbreak

After last month's WannaCry outbreak (which persisted in its effects as recently as last week), we now have a new variant of ransomware infecting PCs across Europe. The outbreak seems centered in Ukraine, where several government facilities and critical pieces of infrastructure have been shutdown due to the attacks. The Ukrainian government seemed almost defiantly optimistic, posting this decidedly awesome response to twitter during the attack.

WannaCry Strikes Again: Attack Forces Honda Factory to Shutdown

If you thought WannaCry was done, it would appear you were wrong. Honda has appeared as the latest victim of the outbreak, as late as this week. The outbreak was bad enough to stop production at its Sayama plant northeast of Tokyo. That factory can churn out nearly 1,000 vehicles a day, by the way, so this is not a small amount of money lost for the company.

The company says it discovered the malware Sunday, and by Wednesday it had managed to spread to several regions including Japan, North America, Europe, China and other locations (Sayama was the only place to experience an actual shutdown of operations, however).

Linux Raspberry Pi Devices Being Infected by Cryptocoin "Mining Malware"

If you have your Raspberry Pi setup and have never changed the default password on the standard "pi" user, it's probably time to do so. A new malware has come out that exploits the simple fact several users apparently have never changed this password. Once it installs itself, it exploits the recent rise in value on cryptocurrency (Bitcoin recently topped $3000 per BTC) to mine cryptocoins for the authors benefit. This not only uses almost 100% of your poor Raspberry Pi's limited CPU, but also makes it part of a "mining botnet" that nets the controller money, adding insult to injury. The malware also makes an anonymous proxy on your box, which needless to say is probably not a good thing.

Attacks Discovered that can Corrupt MLC-based SSD Data

It appears that although MLC NAND-based SSDs have many advantages to HDD's from a physical-reliability point of view, the old spinning rust drives might still have one advantage over SSDs: A specially crafted write operation can't corrupt your data.

That's what a new report from Carnegie Mellon University, Seagate, and ETH Zürich is showing: That MLC-based SSD Drives are vulnerable to data-corrupting attacks as simple as a specially crafted write operation.

Microsoft Adds Ability to Block Win32 Apps from Install on Windows 10

In a story headline that is sure to ruffle some reader's feathers, Microsoft has done exactly that: Added the ability to block installation of any app using the oldest remaining major API in Windows: Win32.

But hold on to your nerd-battlewagons, brave tech warrior. Microsoft is not enabling this feature by default. It is currently only in an experimental build, and per MS, it will not be on by default in any mainline build ever produced. It's simply there for "added security."

And yet, is this not a sort of admission of Win32's supposed inferiority from Microsoft? The fact that you can block this and not block the Windows Universal apps is in a way saying "here, these are safe. No, win32 is not."

Oh, and yes, if there is any question, this is an editorial in the fullest sense of the word. Enjoy.

Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit

At this year's CCC hacker congress, researchers from Positive Technologies have released information, which documents vulnerabilities in Intel's Skylake and Kaby Lake series processors' handling of USB 3.0-based debugging - which could be used to attack, corrupt, and even subvert a user's system.

This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.

Windows 10 BSOD Errors to Come with Troubleshooting QR-Codes

With its latest Preview Build (build 14316), Microsoft patched Windows 10 to make BSOD (blue-screen of death) errors more useful for system analysts and power-users. The blue-screen now puts up a QR-code to the knowledge-base page related to the error. Microsoft also set up an easy to remember URL at "windows.com/stopcode" for quick-reference to info and possible fixes to various kinds of errors.

The Register makes a valid case for how QR-codes in BSOD screens can be misused by malware developers. Malware or ransomware developers can now make their wares fake a BSOD screen with a QR-code that leads to their web-page to steal your information, or point you to download even more malware.

Intel Announces Atom x3, x5, and x7 Series

Intel Corporation CEO Brian Krzanich today announced a series of mobile platforms including the company's new low-cost system-on-chip (SoC) for phones, phablets and tablets, a global LTE solution, innovative personal computing experiences, and a range of customers for mobile device and network infrastructure offerings. With technologies that span silicon, software and security, Krzanich said Intel was one of the few companies able to deliver solutions end-to-end, for devices, the network and the cloud.

The announcements include the Intel Atom x3 processor series, Intel's first integrated communications SoC solution for the growing value and entry device markets, and the five-mode Intel XMM 7360 LTE Advanced solution, designed for performance and worldwide coverage. In addition, Krzanich highlighted joint efforts with Alcatel-Lucent, Ericsson and Huawei to address the demand for new telecommunications, cloud and data center services, improve network efficiencies, and accelerate the industry's move toward a software-defined infrastructure.

NSA Hides Spying Backdoors into Hard Drive Firmware

Russian cyber-security company Kaspersky Labs exposed a breakthrough U.S. spying program, which taps into one of the most widely proliferated PC components - hard drives. With the last 5 years seeing the number of hard drive manufacturing nations reduce from three (Korean Samsung, Japanese Hitachi and Toshiba, and American Seagate and WD) to one (American Seagate or WD), swallowing-up or partnering with Japanese and Korean businesses as US-based subsidiaries or spin-offs such as HGST, a shadow of suspicion has been cast on Seagate and WD.

According to Kaspersky, American cyber-surveillance agency, the NSA, is taking advantage of the centralization of hard-drive manufacturing to the US, by making WD and Seagate embed its spying back-doors straight into the hard-drive firmware, which lets the agency directly access raw data, agnostic of partition method (low-level format), file-system (high-level format), operating system, or even user access-level. Kaspersky says it found PCs in 30 countries with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

Synology DiskStation Manager Infected with a CryptoLocker Hack

Synology DiskStation Manager (DSM), the company's in-house NAS operating system, is vulnerable to a CryptoLocker hack, which the company is referring to as "SynoLocker." The nature of how NAS units get infected by this hack is unknown, but when it is, the malware encrypts portion of data stored on your NAS volumes, and holds it for ransom, for 0.6 BTC (US $350 as of now). It decrypts that data only upon payment of that money. There's no guarantee of your data being held for ransom again. The issue is currently localized to NAS units running non-updated versions of DSM 4.3, but Synology is investigating if the hack works on DSM 5.0 as well.

Synology is urging users to take the following steps - close all ports for external (Internet) access, and unplug your NAS from your local network; and with your NAS plugged into just one machine, update DSM to the latest version; and back-up your data. If your NAS unit is infected, disconnect it from the network, perform a hard-shutdown, and contact Synology. The issue highlights one of the many dangers of a distributed currency, in which the beneficiary of funds is difficult to trace.

Here's an emergency statement from Synology (the company is preparing a press-release):
Return to Keyword Browsing
Dec 7th, 2024 07:41 CST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts