16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks
A set of 16 high-severity security flaws has been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.
The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-
Researchers Unveil The Attackers Behind The Agent Tesla Campaign
Check Point Research has exposed a recent wave of cyberattacks utilizing the infamous Agent Tesla malware. This campaign targeted organizations in the United States and Australia.
First appearing in 2014, Agent Tesla masquerades as legitimate software but acts as a silent thief in the background.
It functions as a keylogger, recording every keystroke made on an infected device.
This allows attackers to steal sensitive information like usernames, passwords, and financial data, potentially leading to devastating consequences.
The attack, initiated in November 2023, relied heavily on phishing emails. These deceptive emails, often crafted with social engineering tactics, are designed to trick recipients into clicking malicious links or attachments.
In this case, the emails likely appeared to be legitimate purchase orders or delivery notifications, increasing the chance of someone clicking.
Check Point Research identified two key players in this operation: Bignosa, the main threat actor, and Gods, a possible collaborator.
Bignosa appears to be part of a larger group targeting organizations globally. Evidence suggests they possess vast email databases focusing on businesses, educational institutions, and even individuals in both the US and Australia.
Additionally, they maintain a network of servers used for remote access and launching phishing campaigns.
Attack Breakdown
Activity of the “Bignosa” threat actor shown on the timeline
Bignosa set up servers, installed email software like RoundCube, and uploaded malicious payloads protected with a custom tool called “Cassandra Protector.”
This tool disguises the initial code and converts the malware into seemingly harmless ISO files. Bignosa utilized stolen email credentials to send out phishing emails with disguised Agent Tesla attachments.
The emails mimicked legitimate business communications, likely leveraging content from online resources.
Upon clicking the attachment, the Agent Tesla malware downloaded and executed, silently stealing sensitive information from the infected device.
This information was then relayed back to the attacker’s servers. Following the initial attack on Australian organizations on November 7th, a second wave targeted both the US and Australia on November 30th.
The tactics remained consistent, highlighting the effectiveness of phishing emails for Bignosa.
Both campaigns employed Cassandra Protector, a commercially available tool that allows attackers to obfuscate malware and bypass security measures.
Bignosa leveraged Cassandra Protector’s functionalities like anti-virus evasion and creating ISO files to mask the true nature of the malware.
Bignosa, a cybercriminal likely from Kenya, appears to be a seasoned attacker. He uses the alias Nosakhare and has been conducting phishing campaigns for a while.
Evidence suggests he uses Agent Tesla and other malware (Quasar, Warzone, PureCrypter) and relies on tools like Grammarly and SuperMailer for his malicious activities.
Bignosa collaborates with Gods, another attacker who may operate under multiple aliases (Gods & Kmarshal).
Gods transitioned from phishing to malware campaigns around June 2023 and appears to be more technically skilled, even helping Bignosa clean Agent Tesla infections.
While the investigation couldn’t fully identify Gods, it revealed interesting clues. He potentially studied at a Turkish university, doesn’t speak Turkish fluently, and uses ChatGPT to translate spam messages.
Additionally, a YouTube channel (“8 Letter Tech”) linked to Gods’ email address provides tutorials on setting up email servers, potentially used for his malicious campaigns.
Bignosa & Gods Jabber conversations
The investigation uncovers their collaboration through shared resources and communication.
For example, a VDS server paid for by Bignosa was later administered by Gods. Social media analysis further strengthens the connection between Bignosa and Gods.
The investigation identified connections between accounts associated with both individuals, including a web design business potentially run by Gods (using the alias Kingsley Fredrick).
The investigation also revealed Gods’ continued malicious activity. He launched phishing campaigns in December 2023 and January 2024, highlighting the ongoing threat posed by this group.
Cybersecurity firm executive pleads guilty to hacking hospitals
The former chief operating officer of a cybersecurity company has pleaded guilty to hacking two hospitals, part of the Gwinnett Medical Center (GMC), in June 2021 to boost his company’s business. […]
SmokeLoader – A Modular Malware With Range Of Capabilities
Attackers use malware for a range of illicit purposes, including data theft, disrupting systems, espionage, and extortion for financial gain.
Malware is also used by nation-state actors for cyber warfare and intelligence gathering.
SmokeLoader is a versatile and modular malware initially functioning as a downloader. It has evolved into a sophisticated framework with information-stealing capabilities.
Over the years it has undergone significant development. Zscaler ThreatLabz, whose analysis supported Operation Endgame in 2024 (an operation that disinfected tens of thousands of infections), has documented SmokeLoader’s versions extensively.
SmokeLoader – A Modular Malware
Starting from 2011, the earliest SmokeLoader samples without any version numbers were quite simple but laid down a base for C2 client communication.
These “prehistoric” variants injected two shellcodes into svchost.exe processes: one handled the “getload” or “getgrab” commands used to query the C2 server, and the other registered the bot with the C2 server using HTTP GET requests.
Over time the malware has used a range of injection techniques, from shared sections to APC queue injection.
Although simple in nature, these initial steps set a foundation for the subsequent development of SmokeLoader into modular and advanced threats.
A timeline of SmokeLoader’s evolution (Source – Zscaler)
The SmokeLoader 2012 panel leaked source code showed that it supported different commands, including “getgrab” for retrieving a module used to steal information and “getshell” for implementing a remote shell.
Hash-based API resolution, string encryption, and other techniques were added to hinder analysis.
By 2014, significant changes had been implemented in the SmokeLoader program, such as a multi-stage loading process, an updated bot ID generation algorithm, a separate encrypted C2 list, and a new stager component.
In subsequent versions, the information-stealing functionality was separated into standalone plugins, each with multiple capabilities.
This shows that SmokeLoader was never static; it kept developing more sophisticated evasions and expanding its feature set.
In the 2014 version of SmokeLoader, the stager component contains the function that decrypts and decompresses the main module.
It also executes a few anti-analysis checks and injects the malware into svchost.exe via APC queue code injection.
The essential obfuscation techniques applied include non-polymorphic decryption loops and string encryption.
It was modified to allow persistence, updated its bot ID generation algorithm, kept strings in plain text, implemented environment checks against analysis tools, and introduced a copy-protection mechanism based on CRC32 values.
The network protocol was changed so encrypted commands and arguments could be sent via HTTP POST requests.
This marks one of the significant evolutionary advancements made by SmokeLoader.