Cyberattckers can easily exploit a command-injection bug in the popular device, but Belkin has no plans to address the security vulnerability.
Related Posts
Power Management Product Flaws Can Expose Data Centers to Damaging Attacks, Spying
Power Management Product Flaws Can Expose Data Centers to Damaging Attacks, Spying
Vulnerabilities in CyberPower and Dataprobe power management products could be exploited in data center attacks, including to cause damage and for spying.
The post Power Management Product Flaws Can Expose Data Centers to Damaging Attacks, Spying appeared first on SecurityWeek.
SecurityWeek RSS Feed
Ransomware Group Starts Leaking Data Allegedly Stolen From Change Healthcare
Ransomware Group Starts Leaking Data Allegedly Stolen From Change Healthcare
[[{“value”:”
The RansomHub group has started leaking information allegedly stolen from Change Healthcare in February 2024.
The post Ransomware Group Starts Leaking Data Allegedly Stolen From Change Healthcare appeared first on SecurityWeek.
“}]] Read More
SecurityWeek RSS Feed
.webp)
HijackLoader Using Weaponized PNG Files To Deliver Multiple Malware
HijackLoader Using Weaponized PNG Files To Deliver Multiple Malware
[[{“value”:”
HijackLoader, a modular malware loader observed in 2023, is evolving with new evasion techniques, as it is a variant using a PNG image to deliver next-stage malware like Amadey and Racoon Stealer.
The variant includes new modules (modCreateProcess, modUAC) for process creation, UAC bypass, and anti-hooking (Heaven’s Gate).
It also uses dynamic API resolution and blacklisting to evade detection, while researchers created a Python script to extract configuration and modules from HijackLoader samples.
Document
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
It’s first stage dynamically resolves APIs by traversing the PEB and parsing the PE header by utilizing the SDBM hashing algorithm to find WinHTTP APIs and check for internet connectivity using a specific URL.
The loader then uses a simple addition to decrypt the embedded shellcode, and it then receives authorization to run before running.
SDBM hashing algorithm
HijackLoader, a malware loader, uses blocklists to identify antivirus software and delay its execution. It then employs two methods for second-stage loading.
The first checks for a pre-defined value embedded in the malware and compares it with a calculated value.
If they match, an embedded PNG containing encrypted modules is used. Otherwise, the research said a downloaded PNG is used, and the malware searches for the PNG’s IDAT and magic headers to locate the modules.
An embedded PNG image containing the encrypted modules used by HijackLoader in a PNG viewer.
Encrypted blobs within the PNG are decrypted using a key and decompressed with LZNT1. Finally, a specified DLL is loaded, and a module named “ti” is located and injected for execution.
The decompiled output for the injection of the second stage.
The second stage injects the main payload using multiple modules for increased stealth, which include functionalities like UAC bypass, Windows Defender exclusion, and process hollowing.
The first module, ti, dynamically resolves APIs and checks for a specific mutex, then copies itself to the appropriate location if needed and employs Heaven’s Gate to bypass user-mode hooks.
After that, it injects the main instrumentation module into a designated process (e.g., cmd.exe) using process hollowing, then decrypts and executes the final payload.
HijackLoader using Heaven’s Gate to execute a x64 direct syscall.
Researchers at Zscaler analyzed HijackLoader samples to identify distributed malware. Amadey, a Trojan capable of data collection and further malware loading, was the most prevalent at 52.9%.
Other distributed malware families included the information stealers Lumma Stealer, Racoon Stealer v2, and Meta Stealer, which targeted various data like passwords, crypto wallets, and browser information. Remcos, a Remote Access Trojan, enabled backdoor access.
A pie chart showing the different malware families distributed by HijackLoader.
Rhadamanthys is another information stealer targeting a broader range of data, including wallets, emails, and messaging apps.
It not only delivers a number of threats, such as Amadey, Lumma Stealer, and Remcos RAT, but it also decrypts and extracts information from a PNG image in order to load its second stage, which is the Ti module.
The post HijackLoader Using Weaponized PNG Files To Deliver Multiple Malware appeared first on Cyber Security News.
“}]] Read More
Cyber Security News