Turkorat-poisoned packages sat in the npm development library for months, researchers say.
Related Posts
![8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhociuCYxWJVK6nf2SILAGdbtvM9K2THWlEF6EJdHOfnQbhJl7EcfWWkSrJ-kF56ajSgsGA3Z2A0WpXGtV536IhXZ_0H7lZ4-oSPy4rl1U3rbmQuPUVPD2CnpCUVofvVxX3_ozsbGi2Nm7-yOYuTCVlh4cS_nx_WwK18xDu-UAutDEqsfOPlsWIU2ctI9VJ/s72-c/ransomware.jpg)
8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader
The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks.
The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals.
“Most of the group’s Phobos variants are distributed by SmokeLoader, a backdoor trojan,” security researcher Guilherme Venere said in an
The Hacker News | #1 Trusted Cybersecurity News Site
![U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign Agents](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLgyq8_P4lY6rLujpWTsjgHO51_lD7x_iSjl5ihFisCNXs8WkPHBW8dKJa50cVsAHO_-fXG4gUnBfAJdU3SQjYKkjRO8EFqvMZ56MLPlRTuY5k0EIy1OjAtjHVyXn94v3YXT_IOUI5-G3uh3jaXHrQMj8OQBsHH4e8fc7O72QPQZz9MXZ8Rb2-0_37lL3X/s72-c/korean-hackers.jpg)
U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign Agents
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion.
The agents, the Treasury said, helped in "revenue generation and missile-related technology procurement that support the DPRK’s
![Hackers Use Fake Update Page Mimicking Victim’s Browser to Deliver NetSupport RAT](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi88rav19mruPhtc_tOtXiTWden-iw_5LEBOcdU8uBACN9W4oJMCNjRvrHOQblQEPYzOs8oVU-uCRXzFljF2RiBztdR2y0nM9fjOG7krvUHjTF4Z518gkOagvLJJC8k2wuEeqWynOxFK2wjNNNlCMTr5L9BpLNM0m6-eIdMVpBFBz0UkQjG_-ZZPt-nzNeP/w618-h640/Fake%20Updates1.png)
Hackers Use Fake Update Page Mimicking Victim’s Browser to Deliver NetSupport RAT
Threat actors are delivering NetSupport RAT through a new campaign called FakeSG, which could rival SocGholish.
The campaign uses compromised WordPress websites to display a custom landing page that mimics the victim’s browser and delivers the payload.
According to Malwarebytes Labs, campaigns of this type have been active since 2019, and FakeSG is a newcomer to the arsenal.
One of those campaigns, called “FakeUpdates” (also known as “SocGholish”), injects code into hacked websites to trick visitors into running a fake browser update.
Fake Update Page Mimicking Victim’s Browser
SocGholish is a well-established campaign that has compromised a large number of victims, deploying malware on their systems along with tools such as Cobalt Strike and Mimikatz.
Initially, the threat actors take control of the compromised websites, mostly targeting WordPress, and inject a code snippet that displays the fake update templates.
FakeSG serves a different template depending on which browser the victim is running.
The themed “updates” look very professional and are more up-to-date than their SocGholish counterparts.
The threat actors load resources from domains such as google-analytiks[.]com and updateadobeflash[.]website, which impersonate Google and Adobe, respectively.
That source file contains all the graphics, fonts, and text used to render the fake browser update page so that it looks legitimate.
SocGholish has only recently switched to self-contained Base64-encoded images; previously it relied on external web requests to retrieve media files.
The campaign uses several methods to install the RAT on the compromised device. One of them is URL shortcuts.
It uses a decoy installer (Install%20Updater%20(V104.25.151)-stable.URL), an Internet shortcut downloaded from another compromised WordPress site.
This shortcut downloads the file launcher-up.hta from a remote server using WebDAV, the distributed-authoring extension to the HTTP protocol.
This heavily obfuscated script launches PowerShell to download the actual malware, NetSupport RAT.
Once NetSupport RAT is installed, it connects to the C2 server to exfiltrate information.
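The infection chain above starts with an Internet shortcut (.URL) whose target is a remote WebDAV path to an .hta file. The following triage helper is an added example written for this page, not code from the article or from Malwarebytes; it parses the [InternetShortcut] INI format and flags targets that point at remote script files or use the WebDAV UNC syntax (\\host@80\... or \\host@SSL@443\...). The hostnames and the list of risky extensions are assumptions constructed for the example and should be tuned to your environment.

```python
import configparser
import re
from urllib.parse import unquote, urlparse

# Extensions that are commonly abused as a first-stage dropper.
# Assumption: this list is illustrative, not exhaustive.
RISKY_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1",
                    ".exe", ".scr", ".bat", ".cmd"}

# WebDAV UNC form handled by the Windows mini-redirector:
#   \\host@80\share\...   or   \\host@SSL@443\share\...
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@(?:SSL@)?\d+\\", re.IGNORECASE)


def parse_internet_shortcut(text):
    """Return the URL= target of an [InternetShortcut] file, or None if the
    text is not a parsable shortcut (e.g. missing section header)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # Option names are case-insensitive in configparser; section names are not.
    return cp.get("InternetShortcut", "URL", fallback=None)


def _target_extension(raw):
    """Extract the lowercase file extension of the shortcut target, for both
    UNC paths and URLs. Returns '' when there is no extension."""
    path = raw if raw.startswith("\\\\") else urlparse(raw).path
    name = unquote(path).replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_shortcut(text):
    """Classify one .URL file's contents. Returns a dict with the target,
    a verdict ('not-a-shortcut', 'benign', 'suspicious') and the reasons."""
    target = parse_internet_shortcut(text)
    if target is None:
        return {"target": None, "verdict": "not-a-shortcut", "reasons": []}

    raw = target.strip()
    reasons = []
    if WEBDAV_UNC.match(raw):
        reasons.append("unc-webdav-path")
    if raw.startswith("\\\\") or urlparse(raw).scheme.lower() == "file":
        reasons.append("remote-file-access")
    ext = _target_extension(raw)
    if ext in RISKY_EXTENSIONS:
        reasons.append("script-target:" + ext)

    verdict = "suspicious" if reasons else "benign"
    return {"target": raw, "verdict": verdict, "reasons": reasons}


# Constructed sample inputs (not real indicators): a shortcut shaped like the
# decoy described above, and a harmless shortcut to a web page.
SUSPICIOUS_SHORTCUT = """[InternetShortcut]
URL=\\\\webdav.example.invalid@80\\share\\launcher-up.hta
IconIndex=0
"""

BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://www.example.com/docs/index.html
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_SHORTCUT, BENIGN_SHORTCUT, "not a shortcut"):
        print(triage_shortcut(sample))
```

Run it over .URL files harvested from mail attachments or download directories; any hit on `unc-webdav-path` combined with a `script-target` reason is worth blocking at the proxy and alerting on, since a legitimate browser-update shortcut has no reason to reach an .hta over WebDAV.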
The post Hackers Use Fake Update Page Mimicking Victim’s Browser to Deliver NetSupport RAT appeared first on Cyber Security News.