Hackers Weaponize PDF Files to Deliver Multiple Ransomware Variants
PDF files are widely used and widely trusted, which makes them an attractive carrier for malware: a PDF can embed malicious scripts or links.
Because users handle PDFs every day and expect them to be harmless documents, they tend to open a booby-trapped PDF without any suspicion.
Cybersecurity analysts at AhnLab Security Emergency Response Center (ASEC) have discovered that hackers are actively using PDF files as a delivery method for various ransomware variants.
The hackers distributed weaponized PDF files that contained malicious URLs.
Hackers Weaponize PDF Files
The PDFs contain buttons that act as links. The page shown to the user prompts them to click, and clicking the red buttons opens the malicious URL.
Malicious PDF (Source – ASEC)
Here below, we have mentioned the URL:-
hxxps://fancli[.]com/21czb7
The link redirects to a page with a blue download button. The download is a password-protected archive (so the payload cannot be inspected by a simple content scan at the download boundary); after it completes, the user is redirected to a page that reveals the password.
Redirected page (Source – ASEC)
Here below, we have mentioned the redirected URL:-
The page then instructs the user to extract the archive with the password ‘1234.’ Extracting ‘Setup.7z’ yields the executable “File.exe.”
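The PDF-to-URL stage of this chain can be triaged without ever rendering the document. The following Python script is an added example for this article, not ASEC's tooling: it pulls URI, Launch and JavaScript actions out of a PDF's raw object syntax and defangs the URLs in the same hxxp / [.] notation used above. The PDF bytes it runs over are constructed for the demo, and the script only sees objects that are stored uncompressed (not inside object streams or Flate-encoded streams); for those, decompress with a real PDF library first.

```python
"""Triage a PDF for clickable and auto-run actions (URI, Launch, JavaScript).

Added example for this article, not ASEC's tooling. It scans the raw object
syntax, so it only sees objects stored uncompressed (not inside /ObjStm or
Flate-encoded streams); decompress those with a PDF library first. The
document in CONSTRUCTED_PDF is made up for the demo.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PdfAction:
    kind: str     # "URI", "Launch" or "JavaScript"
    target: str   # URL, file to launch, or script body
    obj_num: int  # PDF object number holding the action


# "N G obj ... endobj" blocks; action dictionaries live inside them.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# /S names the action subtype inside a PDF action dictionary.
SUBTYPE_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript)\b")
# Which key carries the payload for each subtype.
VALUE_KEY = {"URI": rb"/URI", "Launch": rb"/F", "JavaScript": rb"/JS"}
# A PDF literal string "( ... )" allowing backslash escapes inside.
LITERAL = rb"\s*\(((?:\\.|[^\\)])*)\)"
URL_RE = re.compile(rb"https?://[^\s\"'<>()\\]+")

# Constructed sample: a link annotation whose button opens the lure URL, an
# OpenAction that runs JavaScript, and a Launch action pointing at an archive.
CONSTRUCTED_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 650]
   /A << /S /URI /URI (https://fancli.com/21czb7) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL\\("https://fancli.com/21czb7", true\\);) >> endobj
6 0 obj << /S /Launch /F (..\\\\..\\\\Setup.7z) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def unescape(raw: bytes) -> str:
    r"""Decode PDF literal-string escapes: \( \) \\ \n \r \t \b \f and octal \ddd."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:                      # not a backslash: copy through
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break                          # trailing backslash: drop it
        e = raw[i]
        if e in b"01234567":               # up to three octal digits
            j = i
            while j < len(raw) and j - i < 3 and raw[j] in b"01234567":
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
            continue
        out.append({0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}.get(e, e))
        i += 1
    return out.decode("latin-1")


def defang(url: str) -> str:
    """Render a URL in the hxxp / [.] notation used in the article."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def extract_actions(data: bytes) -> list[PdfAction]:
    """List every URI/Launch/JavaScript action found in uncompressed objects."""
    actions = []
    for obj in OBJ_RE.finditer(data):
        num, body = int(obj.group(1)), obj.group(3)
        for sub in SUBTYPE_RE.finditer(body):
            kind = sub.group(1).decode()
            key_re = re.compile(VALUE_KEY[kind] + LITERAL, re.S)
            # Prefer the value after the subtype; dictionary keys may come in any order.
            val = key_re.search(body, sub.end()) or key_re.search(body)
            target = unescape(val.group(1)) if val else "<indirect or non-literal value>"
            actions.append(PdfAction(kind, target, num))
    return actions


def external_urls(data: bytes) -> list[str]:
    """Every http(s) URL anywhere in the raw bytes, defanged, in first-seen order."""
    seen = []
    for m in URL_RE.finditer(data):
        u = defang(m.group(0).decode("latin-1"))
        if u not in seen:
            seen.append(u)
    return seen


if __name__ == "__main__":
    for a in extract_actions(CONSTRUCTED_PDF):
        shown = defang(a.target) if a.kind == "URI" else a.target
        print(f"obj {a.obj_num}: {a.kind:<10} -> {shown}")
    print("URLs:", ", ".join(external_urls(CONSTRUCTED_PDF)))
```

A Launch action or an OpenAction that runs JavaScript is worth escalating on its own; a bare URI action like the one in this campaign is only as suspicious as its destination, so the defanged URL list is what goes into the lookup against proxy logs and reputation feeds.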
When File.exe is run as administrator, it modifies the registry, steals the browser's saved login credentials, and collects the host's IP address and location data. It then downloads further malware into the following locations:-
C:\Users\%USERNAME%\Pictures
C:\Users\%USERNAME%\Pictures\Minor Policy
Here below, we have mentioned the contents of the downloaded malware:-
Several of the downloaded files had the hidden and system attributes set, so they do not appear in a default Explorer view. The chain therefore runs from a PDF carrying a malicious URL to the download and execution of several distinct malware types.
Malware distribution (Source – ASEC)
The file “bus50.exe,” downloaded from the location below, is a self-extracting (SFX) executable wrapping a CAB file. Running it extracts further malicious files into an ‘IXP000.TMP’ folder, the temporary extraction directory used by IExpress-built packages:-
hxxp://109.107.182[.]2/race/bus50.exe
The SFX files are nested: each one extracts the next into a fresh directory, so the unpacked content grows at every stage. In total the chain comprises:-
6 SFX files
7 additional malware samples
Execution flow (Source – ASEC)
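The drop locations, file attributes and SFX extraction folder described above are cheap to hunt for in endpoint file-event telemetry, and the bus50.exe download is a plain-HTTP fetch of an executable from a bare IPv4 host, which proxy logs can flag too. The Python rules below are an added example for this article, not ASEC's detection logic; the file events and URLs they run over are constructed, and the executable-extension lists and the desktop.ini/thumbs.db exclusion are my assumptions.

```python
"""Hunt for the post-download indicators described above: executables staged
under %USERPROFILE%\\Pictures, hidden+system attributes on dropped files,
IExpress SFX extraction folders (IXPnnn.TMP), and payload downloads from
bare-IP plain-HTTP hosts.

Added example for this article, not ASEC's detection logic. The events below
are constructed; the extension lists and the exclusion list are assumptions.
"""
import re
from dataclasses import dataclass

# Windows file attribute bits (winnt.h).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Files Windows itself marks hidden+system inside user folders (assumed list).
BENIGN_HIDDEN_SYSTEM = {"desktop.ini", "thumbs.db"}

# Executable types under <drive>:\Users\<user>\Pictures\... (assumed list).
STAGED_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\pictures\\.*\.(?:exe|dll|scr|bat|cmd|ps1|vbs|js)$", re.I)
# IExpress-built self-extractors unpack to %TEMP%\IXP000.TMP, IXP001.TMP, ...
IEXPRESS_TMP = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)
# Payload fetched over plain HTTP from a literal IPv4 host, like the bus50.exe URL.
BARE_IP_PAYLOAD = re.compile(
    r"^http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/.*\.(?:exe|dll|7z|zip|rar|cab)$", re.I)


@dataclass(frozen=True)
class FileEvent:
    path: str
    attributes: int = 0  # FILE_ATTRIBUTE_* bitmask as reported by the file system


def check_file(ev: FileEvent) -> list[str]:
    """Return the rules this file-creation event trips (empty if none)."""
    reasons = []
    name = ev.path.rsplit("\\", 1)[-1].lower()
    if STAGED_EXE.search(ev.path):
        reasons.append("executable staged under the user's Pictures folder")
    if IEXPRESS_TMP.search(ev.path):
        reasons.append("written inside an IExpress SFX extraction folder (IXPnnn.TMP)")
    if (ev.attributes & HIDDEN_SYSTEM) == HIDDEN_SYSTEM and name not in BENIGN_HIDDEN_SYSTEM:
        reasons.append("hidden+system attributes set on a user-created file")
    return reasons


def check_download(url: str) -> list[str]:
    """Return the rules this download URL trips (empty if none)."""
    if BARE_IP_PAYLOAD.match(url):
        return ["payload fetched over plain HTTP from a bare IPv4 host"]
    return []


def hunt(files, urls) -> dict[str, list[str]]:
    """Map every flagged subject (path or URL) to the reasons it was flagged."""
    findings = {}
    for ev in files:
        reasons = check_file(ev)
        if reasons:
            findings[ev.path] = reasons
    for url in urls:
        reasons = check_download(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample telemetry, not real logs: a benign photo, Explorer's own
# desktop.ini, the staged dropper, an SFX extraction, and two downloads.
SAMPLE_FILES = [
    FileEvent(r"C:\Users\alice\Pictures\holiday.jpg", 0x20),
    FileEvent(r"C:\Users\alice\Pictures\desktop.ini", HIDDEN_SYSTEM),
    FileEvent(r"C:\Users\alice\Pictures\Minor Policy\bus50.exe", HIDDEN_SYSTEM),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\File.exe", 0x20),
]
SAMPLE_URLS = [
    "http://109.107.182.2/race/bus50.exe",
    "https://downloads.example.com/setup.exe",
]

if __name__ == "__main__":
    for subject, reasons in hunt(SAMPLE_FILES, SAMPLE_URLS).items():
        print(subject)
        for r in reasons:
            print("   -", r)
```

The hidden+system rule needs the exclusion list because Explorer writes desktop.ini with exactly those attributes; without it the rule fires on every customised folder. The IXPnnn.TMP rule is a strong signal only when the parent process is not a known installer, so in a real deployment join it to process-creation telemetry before alerting.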
Researchers recommend not downloading cracks or other pirated software at all, and exercising strong caution before executing any file obtained that way.