A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations.
Cloud security company Permiso's P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil).
“The group displays a preference for Graphical
Related Posts
Hackers Use Fake Update Page Mimicking Victim’s Browser to Deliver NetSupport RAT
Threat actors are delivering the NetSupport RAT through a new campaign, dubbed FakeSG, that could rival SocGholish.
This campaign utilizes hacked WordPress websites to display a custom landing page mimicking the victim’s browser to deliver payloads to compromise victims.
According to Malwarebytes Labs, campaigns of this type have been active since 2019, and FakeSG is a newcomer to the arsenal.
One of those campaigns, called “FakeUpdates” (also known as “SocGholish”), compromised websites to trick visitors into running a fake browser update.
Fake Update Page Mimicking Victim’s Browser
SocGholish is a well-known operation that has compromised a large number of victims, delivering spyware to them after installing tools such as Cobalt Strike and Mimikatz.
The threat actors first take control of websites, mostly WordPress sites, and inject a code snippet that displays the fake update templates.
FakeSG has different browser templates depending on which browser the victim is running.
The themed “updates” look very professional and are more up-to-date than their SocGholish counterparts.
The threat actors load source code from several domains, such as google-analytiks[.]com and updateadobeflash[.]website, which impersonate Google and Adobe respectively.
That source file contains all the graphics, fonts, and text used to render the fake browser update page so that it looks legitimate.
SocGholish has just switched to utilizing self-contained Base64 encoded images, but previously it relied on external web queries to retrieve media files.
This campaign follows different ways to install the RAT malware on the compromised device. One of the techniques used is URL shortcuts.
It uses a decoy installer, Install%20Updater%20(V104.25.151)-stable.URL, an Internet shortcut downloaded from another compromised WordPress site.
This shortcut downloads the file launcher-up.hta from a remote server using WebDAV, an extension of the HTTP protocol.
This heavily encrypted script launches PowerShell to download the actual malware, the NetSupport RAT.
Once the NetSupport RAT is installed, it connects to its command-and-control (C2) server to exfiltrate information.
The post Hackers Use Fake Update Page Mimicking Victim’s Browser to Deliver NetSupport RAT appeared first on Cyber Security News.
Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks
Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.
Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in
The Hacker News | #1 Trusted Cybersecurity News Site
Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam
A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S.
Joseph James O’Connor (aka PlugwalkJoe), 24, received the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021.
The infamous Twitter breach allowed the