Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists. […]
BleepingComputer
Warning: New Adware Campaign Targets Meta Quest App Seekers
A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.
“The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes,” cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.
New Stealthy Zardoor Malware Uses Reverse Proxy Tools to Evade Detection
A new backdoor distributed by threat actors has been reported, in what is likely a stealthy espionage campaign ongoing since March 2021. The backdoor has been named “Zardoor.”
This malware is deployed with several advanced techniques that use reverse proxy tools to evade detection and maintain persistence for several years.
Additionally, the threat actor has been using living-off-the-land binaries to deploy the backdoor and establish C2 control over the compromised systems. So far only one compromised target has been identified: an Islamic non-profit organization.
It is speculated that the threat actor could be based in China, because the reverse proxy tools used feature prominently in the TTPs of threat groups originating from China.
The initial access vector of this backdoor is unknown, but the threat actor uses open-source reverse proxy tools like Fast Reverse Proxy (FRP), sSocks, and Venom, which are typically used by penetration testers.
Once the threat actor establishes connectivity with the compromised system, the threat actor uses Windows Management Instrumentation to move laterally and spread the backdoor alongside other attacker tools.
This backdoor is specifically designed to maintain persistent access to the compromised system and uses several DLL files, including “zar32.dll” and “zor32.dll”. “Zar32.dll” is the main backdoor component that communicates with the C2 server, whereas “zor32.dll” ensures that zar32.dll has been deployed with proper admin privileges.
The original dropper of this backdoor is still not found, but based on the samples collected, the dropper’s main purpose is to configure “msdtc.exe” for loading the “oci.dll” malicious payload.
To execute “zar32.dll”, msdtc.exe runs the ServiceMain() export, which loads the malicious DLL with the command rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry. At the same time, “zor32.dll” is loaded from the same exported method with the command rundll32.exe C:\WINDOWS\system32\zor32.dll MainEntry.
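The loading chain above (msdtc.exe pulling in oci.dll, rundll32.exe invoking a DLL through a “MainEntry” export, WMI used for lateral movement) is the kind of behaviour an endpoint telemetry rule can flag. The following is an added detection example, not code from the article or from Talos: it runs three heuristics over constructed Sysmon-style process-creation (event 1) and image-load (event 7) records. The event field names, the sample records, and the third rule (WmiPrvSE.exe spawning rundll32/cmd/powershell as a generic WMI lateral-movement signal) are assumptions chosen for illustration; only the zar32.dll / zor32.dll / oci.dll / msdtc.exe / MainEntry indicators come from the article.

```python
"""Detection heuristics for the Zardoor loading chain, run over constructed
Sysmon-style telemetry (added example; field names are assumptions)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 7 = image load (Sysmon IDs)
    image: str               # full path of the process image
    command_line: str = ""   # process-create events only
    parent_image: str = ""   # process-create events only
    image_loaded: str = ""   # image-load events only


# Rule 1: rundll32 calling a DLL via the "MainEntry" export, as reported for
# zar32.dll and zor32.dll. The regex tolerates "rundll32" with or without .exe
# and a space or comma between the DLL path and the export name.
RUNDLL32_MAINENTRY = re.compile(
    r"rundll32(\.exe)?\s+\S+\.dll[ ,]+MainEntry\b", re.IGNORECASE)
KNOWN_DLLS = ("zar32.dll", "zor32.dll")


def check_rundll32(ev):
    if ev.event_id != 1 or not ev.image.lower().endswith("rundll32.exe"):
        return None
    if RUNDLL32_MAINENTRY.search(ev.command_line):
        names = [d for d in KNOWN_DLLS if d in ev.command_line.lower()]
        return "rundll32 MainEntry export" + (
            f" ({', '.join(names)})" if names else "")
    return None


# Rule 2: msdtc.exe loading oci.dll, the hijack the dropper sets up.
def check_msdtc_oci(ev):
    if ev.event_id != 7 or not ev.image.lower().endswith("msdtc.exe"):
        return None
    if ev.image_loaded.lower().endswith("\\oci.dll"):
        return "msdtc.exe loaded oci.dll"
    return None


# Rule 3 (assumption, generic WMI lateral-movement heuristic): the WMI
# provider host spawning a loader or shell.
def check_wmi_parent(ev):
    if ev.event_id != 1 or not ev.parent_image.lower().endswith("wmiprvse.exe"):
        return None
    child = ev.image.lower().rsplit("\\", 1)[-1]
    if child in ("rundll32.exe", "cmd.exe", "powershell.exe"):
        return f"WmiPrvSE.exe spawned {child}"
    return None


RULES = (check_rundll32, check_msdtc_oci, check_wmi_parent)


def scan(events):
    """Return (image, reason) pairs for every rule that fires on an event."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev.image, reason))
    return hits


# Constructed sample telemetry: three malicious records and two benign ones.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry",
          r"C:\Windows\System32\msdtc.exe"),
    Event(7, r"C:\Windows\System32\msdtc.exe",
          image_loaded=r"C:\WINDOWS\system32\oci.dll"),
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\WINDOWS\system32\zor32.dll MainEntry",
          r"C:\Windows\System32\WmiPrvSE.exe"),
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe shell32.dll,Control_RunDLL",
          r"C:\Windows\explorer.exe"),
    Event(7, r"C:\Windows\System32\msdtc.exe",
          image_loaded=r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

On the constructed sample the scan raises four alerts (the third record trips both the MainEntry rule and the WMI-parent rule) and stays silent on the two benign records. Rule 2 is the most specific of the three: oci.dll is a legitimate Oracle client library, so the signal is msdtc.exe loading it at all, not the file name on its own.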
When the connection is fully established, “zar32.dll” is capable of the following C2 commands:
Encrypt and send data to C2.
Execute remotely fetched PE payload.
Search for session ID.
(Plugin exit).
Remote shellcode execution.
Delete this RAT.
Update C2 IP (IP/domain_name:port).
Do nothing.
Talos provides detailed information about the source code, techniques involved, DLL behavior, and other information.
The post New Stealthy Zardoor Malware Uses Reverse Proxy Tools to Evade Detection appeared first on Cyber Security News.
Cyber Security News
Microsoft Offers New Recovery Tool for Customers Affected by CrowdStrike Issue
Microsoft has released an updated recovery tool to assist customers affected by the recent CrowdStrike Falcon agent issue that impacted millions of Windows devices worldwide.
The new tool, available for download from the Microsoft Download Center, offers two repair options to help IT administrators expedite the recovery process for affected machines.
The recovery tool now provides two methods for repairing impacted systems:
Recover from WinPE (recommended): This option allows for quick and direct system recovery without requiring local admin privileges. However, users may need to manually enter the BitLocker recovery key if BitLocker is enabled on the device.
Recover from safe mode: This method may enable recovery on BitLocker-enabled devices without requiring the entry of BitLocker recovery keys. However, access to an account with local administrator rights on the device is required.
To use the recovery tool, IT administrators need:
A 64-bit Windows client with at least 8GB of free space
Administrative privileges on the Windows client
A USB drive with 1-32GB capacity
BitLocker recovery keys for affected devices (if applicable)
The tool creates a bootable USB drive that can be used to access and repair affected systems. Microsoft has provided detailed instructions for downloading, preparing, and using the recovery media.
Microsoft estimates that the CrowdStrike update affected approximately 8.5 million Windows devices globally, representing less than 1% of all Windows machines. Despite this relatively small percentage, the incident caused significant disruptions across various industries and critical infrastructure worldwide.
Here’s how the tool works:
Creation of Recovery Media:
IT administrators download the signed Microsoft Recovery Tool from the Microsoft Download Center.
They run the provided PowerShell script from an elevated prompt on a 64-bit Windows client with at least 8GB of free space.
The tool downloads the Windows Assessment and Deployment Kit (ADK) and creates the recovery media.
Recovery Process:
For WinPE recovery:
Boot the affected device from the USB drive.
If BitLocker is enabled, enter the recovery key.
The tool automatically runs issue-remediation scripts.
For Safe Mode recovery:
Boot the device into safe mode using the USB drive.
Run the repair.cmd script from the USB drive root.
The script performs the necessary remediation steps.
Hyper-V Virtual Machine Recovery:
The tool can generate an ISO for recovering Hyper-V VMs.
Administrators add the ISO as a DVD drive to the VM and adjust the boot order.
They then follow either the WinPE or safe mode recovery process.
In addition to releasing the recovery tool, Microsoft has:
Deployed hundreds of engineers to work directly with customers
Collaborated with cloud providers like Google Cloud Platform and Amazon Web Services
Posted manual remediation documentation and scripts
Kept customers informed through the Azure Status Dashboard
Microsoft emphasized the importance of safe deployment practices and disaster recovery mechanisms across the tech ecosystem. The company continues to work closely with CrowdStrike and other stakeholders to address the issue and prevent similar incidents in the future.
IT administrators and affected users are encouraged to download the recovery tool and follow Microsoft’s instructions to restore impacted systems. As the situation evolves, Microsoft has committed to providing ongoing updates and support to its customers.
The post Microsoft Offers New Recovery Tool for Customers Affected by CrowdStrike Issue appeared first on Cyber Security News.