Beware of Malicious Notepad++ Websites that Attack Developers
Threat actors target Notepad++ because it is a widely used text editor among developers and ordinary users, which offers a large pool of potential victims.
A trojanized Notepad++ build can give attackers access to sensitive data and even to the systems it is installed on.
Besides this, targeting popular software increases the likelihood that an attack succeeds and amplifies its impact.
Cybersecurity researchers at Kaspersky Lab recently discovered that threat actors are actively targeting and attacking developers via malicious Notepad++ websites.
Technical analysis
Malvertising lures victims via malicious ads atop search results, as the top results seem trustworthy.
Last year, RedLine stealer spread via Google Ads malvertising campaign using typosquatting.
Trojanized Notepad (Source – Kaspersky Lab)
A similar threat now affects the major Chinese search engines.
Threat actors are distributing modified versions of text editors, one via the ad section and the other atop the search results.
Page with fake NotePad++ (Source – Kaspersky Lab)
The malicious Notepad++ site uses an ad block.
The site has amusing inconsistencies: the URL mentions “vnote”, the title offers “Notepad–” (a Notepad++ analog), and the image shows Notepad++.
Fake VNote site (Source – Kaspersky Lab)
The downloads actually contain Notepad–. The site offers installers for Windows, Linux, and macOS, but only the macOS and Linux links are malicious.
The downloaded apps differ from the originals, and the malicious Linux and macOS versions have similar functionality.
On examining the macOS version (MD5: 00fb77b83b8ab13461ea9dd27073f54f), it was found that the DMG image contents are identical to the original 2.0.0 release, except for the NotePad– executable (MD5: 6ace1e014863eee67ab1d2d17a33d146).
Before launch, it initializes a suspicious Uplocal class that is absent from the original source code.
Researchers couldn’t analyze the downloaded file as it was unavailable.
However, the server has a subdomain, dns[.]transferusee[.]com, which is contacted by the Mach-O file DPysMac64 (MD5: 43447f4c2499b1ad258371adff4f503f); that file had previously been uploaded to VirusTotal but was undetected at the time of the investigation.
The same server hosts a mysterious updater download alongside the DPysMac64 file, suggesting that the updater leads to DPysMac64 being loaded.
DPysMacM1 is the DPysMac64 equivalent built for Apple Silicon processors.
It is a Cobalt Strike-like backdoor based on the open-source Geacon implementation written in Go; its code and functions match Geacon even though the references to Geacon have been removed.
It has normal and service launch modes and communicates with its C2 over HTTPS to dns[.]transferusee[.]com.
Threat actors named the remote command execution functionality “spaces.”
The name of the backdoor module (Source – Kaspersky Lab)
While it is uncertain what vnote[.]info distributed earlier, both sites have been found to distribute the same applications.
Interestingly, the modified NotePad– executable had “About” text linking to vnotepad[.]com, another copy of vnote[.]info served with an invalid certificate issued for vnote[.]info, which confirms the connection between the two cases.
The certificate used by the site vnotepad[.]com (Source – Kaspersky Lab)
There is a high probability that the modified VNote editors, like NotePad–, aim to deliver the next infection stage. The identical changes in the Linux and macOS apps suggest a possible Linux backdoor mirroring the macOS one.
IoCs
IoCs (Source – Kaspersky Lab)
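The report's indicators can be turned into a simple defender-side sweep. The following is an added example, not code from the original post or from Kaspersky: it hashes files under a directory against the three MD5s quoted above and scans resolver log lines for the distribution and C2 domains (the sample log is constructed, and the path names and log format are assumptions).

```python
import hashlib
import os
import re
import tempfile
# Indicators quoted in the Kaspersky write-up: MD5s of the trojanized macOS artifacts plus the domains.
IOC_MD5 = {
    "00fb77b83b8ab13461ea9dd27073f54f": "trojanized NotePad-- 2.0.0 DMG (macOS)",
    "6ace1e014863eee67ab1d2d17a33d146": "modified NotePad-- executable (macOS)",
    "43447f4c2499b1ad258371adff4f503f": "DPysMac64 Geacon-based backdoor (Mach-O)",
}
IOC_DOMAINS = {"dns.transferusee.com", "vnote.info", "vnotepad.com"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def sweep_files(root):
    """Map path -> IoC description for every file under root whose MD5 is listed."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            desc = IOC_MD5.get(md5_of_file(path))
            if desc:
                hits[path] = desc
    return hits

def scan_dns_log(lines):
    """Return (line_no, domain) for lines naming an IoC domain or a subdomain of one."""
    found = []
    for no, line in enumerate(lines, 1):
        for dom in DOMAIN_RE.findall(line):
            dom = dom.lower()
            if any(dom == ioc or dom.endswith("." + ioc) for ioc in IOC_DOMAINS):
                found.append((no, dom))
    return found

# Constructed sample resolver log, not taken from the report.
SAMPLE_DNS_LOG = [
    "2024-02-01T10:00:01 client=10.0.0.12 qtype=A name=update.notepad-plus-plus.org",
    "2024-02-01T10:00:05 client=10.0.0.12 qtype=A name=dns.transferusee.com",
    "2024-02-01T10:00:09 client=10.0.0.34 qtype=A name=vnotepad.com",
]

def demo_sweep():
    """Hash a benign placeholder file (no hit) and scan the sample log (two hits)."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "NotePad--"), "wb") as f:
        f.write(b"benign placeholder, not the real binary")
    return sweep_files(tmp), scan_dns_log(SAMPLE_DNS_LOG)
```

Point sweep_files at the Downloads folder and the mounted DMG, and feed scan_dns_log the resolver or proxy logs for the hosts in question; a domain hit should be treated as a lead for the file sweep, since the DPysMac64 loader was undetected on VirusTotal at the time.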
The post Beware of Malicious Notepad++ Websites that Attack Developers appeared first on Cyber Security News.
Webwyrm Malware Affects More Than 100,000 Users in 50 Countries
Threat actors are evolving their Tactics, Techniques, and Procedures (TTPs) at an alarming rate.
With technological advancements and increased awareness of cybersecurity measures, they continually adapt to exploit vulnerabilities and enhance their attack success rates.
Webwyrm, a worldwide scam impersonating more than 1000 companies, has affected over 100,000 victims in more than 50 countries, with potential losses exceeding $100 million; researchers compare it to the ‘Blue Whale Challenge.’
The scam’s scale and sophisticated TTPs indicate a skilled and persistent threat group with strong OpSec. CloudSEK shared its findings with global law enforcement to take down the infrastructure and notify the impersonated organizations.
Webwyrm Malware Attack
Victim complaints reveal losses of over $200,000 for a single impersonated company, and in addition the researchers uncovered:
1000 impersonated organizations
6000 fake domains spanning 12 Autonomous Systems
With losses averaging $100,000 per impersonated company and numerous victims, the scam’s potential collective impact could exceed $100 million, affecting over 100,000 people, highlighting its substantial threat.
Webwyrm scammers target victims on social media, especially WhatsApp, possibly focusing on job seekers by referencing recruitment portals.
They lure victims with fake job offers, requiring cryptocurrency deposits on platforms like KUCOIN or SHAKEPAY for supposed security or returns.
Victims, once onboard, create organization-related accounts and receive 100 USDT. They perform combo tasks initially, earning well, but later get stuck in a loop, depleting their bank accounts in hopeless attempts to complete tasks.
When victims get in touch with the referrer or the developers, the scammers demand that they complete their daily tasks, threatening to freeze their accounts while offering a 24-hour extension.
Once victims are locked out, they are added to a discussion where others brag about their successes in order to lend the scam authenticity.
Campaign Enablers
The campaign enablers identified are:
Understanding Victim Susceptibility Factors
Initial Gains and Trust-Building Withdrawal
Eluding Detection through Infrastructure Rotation
Precise Regional Targeting
Strategic Victim Engagement
Mobile-Centric Design and Cryptocurrency Transactions
Keyword Selection
Researchers conducted a thorough investigation to identify the corporate sources affected by impersonation, demonstrating Webwyrm’s global reach and varied impact locations.
Geographic origins (Source – CloudSEK)
Targeted Industries
The targeted industries are:
IT Services
Software Development
Mobile App Development
User Experience
Digital Marketing
Web Development
SEO
E-Commerce
Countermeasures
The recommended countermeasures are:
Tracing Scammer Origins through Job Portals
Collaborative Action
Rapid Response Teams
Domain Blacklisting
Seize Assets
Educational Campaigns
The post Webwyrm Malware Affects More Than 100,000 Users in 50 Countries appeared first on Cyber Security News.