The all in one place for non-profit security aid.
Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal.
"Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source," blockchain analytics firm Chainalysis said in Read More
The Hacker News | #1 Trusted Cybersecurity News Site
MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks
An unknown threat actor is exploiting known security flaws in Microsoft Exchange Server to deploy a keylogger malware in attacks targeting entities in Africa and the Middle East.
Russian cybersecurity firm Positive Technologies said it identified over 30 victims spanning government agencies, banks, IT companies, and educational institutions. The first-ever compromise dates back to 2021.
“This Read More
New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking
[[{“value”:”Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions.
The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper”}]] Read More
The Hacker News | #1 Trusted Cybersecurity News Site
Hackers Lures Drone Manual to Deliver Notorious MerlinAgent malware
Securonix Threat Research has found a significant attack called STARK#VORTEX, which appears to come from a group known as UAC-0154.
This campaign specifically targets Ukraine’s military, leveraging a cunning tactic involving drone-related lures.
Drones have played a pivotal role in Ukraine’s military operations, making them an attractive theme for malicious actors.
The attackers behind UAC-0154 initially used military-themed documents sent via email to Ukrainian targets on @ukr.net.
However, their tactics have evolved, and they have now turned to delivering the MerlinAgent malware using a novel approach.
Document
FREE Demo
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Lure File – The deceptive file is disguised as a Microsoft Help file, commonly known as a .chm file. Specifically, it was titled “Інфо про навчання по БПЛА для військових.v2.2.chm,” which translates to “information about UAV training for the military.”
When the user opens this document, it triggers a malicious JavaScript code embedded within it.
Obfuscated PowerShell – The JavaScript code within the .chm file communicates with a remote Command and Control (C2) server to download an obfuscated binary payload.
Payload Activation – This payload, once decoded, becomes a beacon payload for the MerlinAgent malware, establishing communication with the C2 server and granting full control to the attackers.
The attack chain may seem straightforward, but the threat actors employed complex tactics and obfuscation methods to avoid detection at each stage.
Initial Code Execution – Microsoft Help files, despite being an older format, can still be executed on modern Windows systems.
In this case, the .chm file launched the PowerShell process, bypassing antivirus and EDR detections.
Help File and JavaScript Execution – These files acted as containers, and their contents were analyzed, revealing obfuscated JavaScript code that executed another obfuscated PowerShell script.
PowerShell Execution – The PowerShell code involved multiple layers of obfuscation, including Base64 encoding, GZIP compression, and character substitutions. It downloaded the payload from a specific URL, deobfuscated it, and saved it locally.
Binary File Analysis – The downloaded binary, roughly 5MB in size, turned out to be a 64-bit executable associated with the MerlinAgent framework, an open-source command and control (C2) framework available on GitHub.
This framework offers various capabilities, including encrypted C2 communication, remote command shells, module support, and more.
C2 and Infrastructure – The attackers established encrypted communication with C2 servers over port 443, making detection more challenging.
This highly targeted attack campaign focused on the Ukrainian military. The use of files and documents that could easily bypass defenses and the attackers’ clever framing underscores the need for vigilance.
Securonix recommends several mitigations, including avoiding downloading files from untrusted sources, monitoring specific directories for suspicious activities, and deploying enhanced logging solutions for improved detection coverage.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.
The post Hackers Lures Drone Manual to Deliver Notorious MerlinAgent malware appeared first on Cyber Security News.
Cyber Security News