The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a medium-severity flaw affecting Samsung devices.
The issue, tracked as CVE-2023-21492 (CVSS score: 4.4), impacts select Samsung devices running Android versions 11, 12, and 13.
The South Korean electronics giant described the issue as an information disclosure flaw that could be exploited by a
Related Posts
Fake FlipperZero sites promise free devices after completing offer
A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites.
BleepingComputer
New Meterpreter Backdoor Hides Malicious Codes Within the Image
ANY.RUN sandbox has analyzed a new strain of Meterpreter backdoor malware that leverages sophisticated steganography techniques to conceal its malicious payload within an image file.
The malware, dubbed “Meterpreter Backdoor,” is designed to evade detection by hiding its code in the first two rows of a seemingly innocuous image, using only the green and blue color channels from the RGB color space.
The attack begins with a .NET executable file containing a PowerShell script that downloads a PNG image from a remote command-and-control (C2) server. Although the image appears to be a picturesque landscape, it harbors a sinister secret.
The malware builds a byte array from the pixel values using the System.Drawing library, packing the low four bits of two channel values into one byte; for example, ((149 & 15) * 16) | (83 & 15) = 83.
This formula recovers the hidden code from the green and blue values of the image's first two rows.
Once the byte array is obtained, the malware decodes it into ASCII characters, revealing a User-Agent string and the IP address of the C2 server to which the malware will attempt to connect.
This connection allows the attacker to issue commands and potentially gain unauthorized access to the compromised system.
The decoded information is then converted into a script that the malware executes, enabling it to establish a persistent backdoor on the infected machine.
This backdoor can be used for various malicious activities, such as data exfiltration, remote code execution, or further spreading of the malware within the network.
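The extraction step described above can be turned into a small triage helper for analysts. The following Python script is an added example, not ANY.RUN's analysis code or the loader itself: it reads the low nibbles of the green and blue channels in the first two rows, rebuilds the byte stream with the combining formula quoted in the article, and flags the result when it decodes to printable ASCII (a landscape's colour noise does not). The article does not say which channel carries the high nibble, so the blue-high/green-low order is an assumption exposed as a parameter, the pixel grid, the UA string and the RFC 5737 documentation address 192.0.2.10 are constructed test data, and `rows_from_image` is a hypothetical adapter for a Pillow image.

```python
"""Triage helper for nibble-packed image steganography (added example).

The article states that the hidden bytes live in the low four bits of the
green and blue channels of the first two pixel rows and that two channel
values combine as ((149 & 15) * 16) | (83 & 15) = 83.  It does not say which
channel holds the high nibble, so that is an ASSUMPTION here (blue high,
green low), exposed as a parameter.  Pixels are plain (R, G, B) tuples so the
script runs offline without Pillow.
"""
import re

NIBBLE_MASK = 0x0F
ROWS_USED = 2          # the loader only reads the first two pixel rows
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def combine(hi: int, lo: int) -> int:
    """The article's formula: the low nibble of `hi` becomes the high nibble."""
    return ((hi & NIBBLE_MASK) << 4) | (lo & NIBBLE_MASK)


def extract_bytes(pixels, high_channel="B", rows=ROWS_USED) -> bytes:
    """Rebuild the hidden byte stream from the first `rows` rows of an RGB grid."""
    out = bytearray()
    for row in pixels[:rows]:
        for _r, g, b in row:
            hi, lo = (b, g) if high_channel == "B" else (g, b)
            out.append(combine(hi, lo))
    return bytes(out)


def printable_ratio(blob: bytes) -> float:
    """Share of bytes that are printable ASCII (plus tab/LF/CR).  Random low
    nibbles give roughly 0.4; a hidden script or UA string gives about 1.0."""
    if not blob:
        return 0.0
    ok = sum(1 for c in blob if 0x20 <= c < 0x7F or c in (9, 10, 13))
    return ok / len(blob)


def triage(pixels, high_channel="B", threshold=0.9) -> dict:
    """Decode the candidate payload and flag it when it looks like text.
    Also returns any IPv4 literals as candidate C2 addresses."""
    blob = extract_bytes(pixels, high_channel)
    ratio = printable_ratio(blob)
    text = blob.decode("ascii", errors="replace") if ratio >= threshold else ""
    return {
        "printable_ratio": ratio,
        "suspicious": ratio >= threshold and len(blob) >= 8,
        "text": text.strip(),
        "c2_candidates": IPV4.findall(text),
    }


def rows_from_image(img):
    """Hypothetical adapter for a Pillow image already converted with
    .convert("RGB"); Pillow is not imported so the module stays dependency-free."""
    width, height = img.size
    return [[img.getpixel((x, y)) for x in range(width)]
            for y in range(min(height, ROWS_USED))]


def build_fixture(data: bytes, cover=(0x6A, 0x95, 0x53)):
    """CONSTRUCTED test input, not taken from the real sample: a grid two rows
    high whose G/B low nibbles carry `data` on top of a flat cover colour."""
    width = len(data) // ROWS_USED
    rows = []
    for y in range(ROWS_USED):
        row = []
        for x in range(width):
            byte = data[y * width + x]
            r, g, b = cover
            b = (b & 0xF0) | (byte >> 4)           # blue keeps the high nibble
            g = (g & 0xF0) | (byte & NIBBLE_MASK)  # green keeps the low nibble
            row.append((r, g, b))
        rows.append(row)
    return rows


# Constructed payload: a fake UA string and an RFC 5737 documentation address.
HIDDEN = b"UA=Mozilla/5 192.0.2.10 "
# Constructed "clean" rows: low nibbles that decode to control characters.
NOISE = bytes(range(24))

if __name__ == "__main__":
    print(triage(build_fixture(HIDDEN)))   # flagged, C2 candidate found
    print(triage(build_fixture(NOISE)))    # not flagged
```

The printable-ratio threshold is a heuristic: a script or UA string is almost entirely printable, while innocuous image noise lands near 0.4, so the two are easy to separate on a full two-row extraction. If the decoded text comes out as garbage on a real sample, flip `high_channel` to `"G"` before concluding the image is clean.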
Here, you can find how the malware executes in the Windows Sandbox
Steganography: A Potent Weapon for Malware Delivery
Steganography, the practice of concealing information within seemingly innocuous data, has become an increasingly popular technique among cybercriminals.
Attackers can bypass traditional security measures and deliver their payloads undetected by hiding malicious code within images, audio files, or other multimedia content.
The Meterpreter Backdoor campaign highlights the sophistication and adaptability of modern malware authors. By leveraging steganography, they can effectively cloak their malicious activities, making it more challenging for security professionals to identify and mitigate threats.
“This campaign underscores the importance of adopting a multi-layered security approach that combines traditional signature-based detection with advanced techniques like behavioral analysis and machine learning,” said a cybersecurity expert. “Staying ahead of these ever-evolving threats requires constant vigilance and a proactive approach to cybersecurity.”
As the threat landscape evolves, organizations and individuals must remain vigilant and prioritize cybersecurity best practices, such as keeping software up-to-date, implementing robust access controls, and educating users on identifying and reporting suspicious activities.
The post New Meterpreter Backdoor Hides Malicious Codes Within the Image appeared first on Cyber Security News.
MultiRDP Malware Let Multiple Attackers Connect Via RDP At Same Time
Threat actors use Remote Desktop Protocol (RDP) to gain unauthorized access to computers and networks, fully control systems, extract sensitive data, and implant malware, among other things.
Cybersecurity researchers at ASEC recently discovered that MultiRDP malware lets multiple attackers connect with RDP by patching memory.
AhnLab Security Intelligence Center (ASEC) is responding to SmallTiger Malware attacks against South Korean businesses, including defense contractors, automobile part manufacturers, and semiconductor companies.
MultiRDP Malware
The attacks were initially discovered in November 2023 and appeared to be related to the Kimsuky group but differed in that they utilized software updaters for lateral movement and installed Andariel’s DurianBeacon backdoor.
They resumed in February 2024, replacing the final payload with the SmallTiger downloader.
Despite the use of known malware strains, these ongoing campaigns employing SmallTiger for malware distribution reveal how threat actors have changed their tactics toward South Korean industries.
In November 2023, researchers observed the Kimsuky and Andariel groups using the MultiRDP malware to allow multiple concurrent RDP connections, together with the Metasploit Meterpreter backdoor.
To move laterally, the threat actor dropped a service known as “mozillasvcone” through software updater programs, which loaded an encrypted DLL.
This DLL decrypted and executed further files directly in memory, deploying an updated version of the DurianBeacon RAT previously attributed to Andariel.
This multistage infection chain, which pairs new delivery mechanisms with familiar malware families, shows how the threat actors' techniques continue to evolve.
The updated DurianBeacon RAT is written in Go, communicates over SSL, and was spread internally after initial access; it adds lateral-movement, self-deletion, and SOCKS proxy features.
Since February 2024, the same threat actor has exploited a vulnerability in various software to deliver a downloader identified as SmallTiger, which fetches the next payload and loads it in memory.
Credential theft was also attributed to the use of Mimikatz and ProcDump.
On April 8, 2024, a SmallTiger variant different from the earlier ones downloaded JavaScript from the C2, wrote the resulting payload into an NTFS alternate data stream, and executed it from there.
Notably, SmallTiger was distributed via GitHub in May 2024.
Although the threat actor kept relying on known malware such as DurianBeacon and SmallTiger, it changed the delivery mechanisms and added new features, underscoring the need for continuous threat monitoring and updated defenses.
ASEC confirmed attacks on South Korean companies distributing SmallTiger in November 2023.
One should be cautious of unknown email attachments and downloaded executables as they may contain SmallTiger.
Companies should improve their security monitoring and implement vulnerability patches. To avoid infection with malware, users should ensure they install the latest operating system, browser, and V3 patches.
The post MultiRDP Malware Let Multiple Attackers Connect Via RDP At Same Time appeared first on Cyber Security News.