Microsoft is working to address a known issue affecting Outlook for Microsoft 365 customers, causing slow starts and freezes as if Offline Outlook Data Files (OST) are being synced right after launch. […] Read More
BleepingComputer
Loda Malware Attack Windows To Control RDP, Spread Malware, And Log User Inputs
Threat actors have been actively employing Loda, a remote access trojan (RAT) written in AutoIt, an accessible scripting language for automating tasks on Windows.
The malware may deliver various harmful payloads in addition to keylogging, taking pictures, and stealing passwords and other sensitive information.
The most frequent attack method used to infect victims’ systems with Loda is phishing email campaigns, which have been used since 2016.
The Kasablanka group, an advanced persistent threat (APT) from Morocco that has frequently released new versions of the malware, appears to have been the original developer of Loda.
Other threat actors also use the malware, such as YoroTrooper, which has used a Loda variant to attack numerous organizations globally, with its most recent attacks starting in 2023.
Targeting mostly hospitality companies in Europe and North America, TA558 is another APT that uses Loda in its harmful operations.
Utilize Remote Desktop Protocol (RDP) to access the infected machine.
Data and file theft.
Run more malicious software that has been uploaded to the system.
Keep track of user keystrokes and mouse clicks.
Listen to the microphone.
Take screenshots and webcam pictures.
Use a chat window to communicate with the victim.
Run a WMI query to list every antivirus program installed on the host machine.
According to the ANY.RUN report shared with Cyber Security News, threat actors use phishing email campaigns to spread Loda onto victims’ computers. Typically, such emails include attachments in various forms, such as PDFs, executables, and Microsoft Office documents, all of which carry the malware.
Loda analyzed in ANY.RUN.
Loda RAT employs string obfuscation on most of its variables, making it challenging for security researchers to analyze its code.
Loda RAT initializes the variables appropriately and deobfuscates the strings during runtime. Another method that Loda RAT uses is function name randomization, which involves giving functions in the code random names.
Loda replicates itself within the temporary files folder of the targeted machine, then runs the copy to avoid detection. Additionally, Loda RAT creates a scheduled job to launch immediately as soon as the machine boots up.
Following the execution, the malware sends critical system information to its C&C server, including the IP address, operating system version, and architecture.
Analyzing any suspicious attachment or URL in a free interactive malware sandbox like ANY.RUN can instantly provide you with a conclusive verdict.
Loda RAT also has an Android version. It is a tracking tool that can locate victims and record the audio of conversations the user takes part in. In addition, it can spy on SMS messages and even place calls without the user’s awareness.
Loda first dumps executables into the %appdata%, Startup, and Temp directories. After that, it launches a service using schtasks to gain persistence, runs a Visual Basic script, and connects to the C&C server.
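A defender-side check, added here and not part of the original article, that flags the persistence pattern just described: a schtasks task whose action points at a binary staged in %appdata%, Startup or Temp, and a script host running a VBScript from one of those locations. It runs over constructed Sysmon-style process-creation events; the field names, paths and task names are assumptions, not indicators from the report.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\u\AppData\Local\Temp\svc.exe" /sc onlogon'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\run.vbs"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Acme\backup.exe" /sc daily'},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

# /tr <action> as written by schtasks: either a quoted path or a single token.
TR_FLAG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# User-writable staging directories the article names: %appdata% (AppData\Roaming),
# the Startup folder (under AppData\...\Startup) and Temp (AppData\Local\Temp, Windows\Temp).
STAGING = re.compile(r"\\(AppData|Temp|Startup)\\", re.IGNORECASE)


def task_action(cmdline):
    """Return the program a `schtasks /create` command registers, or None."""
    if "/create" not in cmdline.lower():
        return None
    m = TR_FLAG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def classify(event):
    """Return a reason string if the event matches the persistence pattern, else None."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("\\schtasks.exe"):
        action = task_action(cmd)
        if action and STAGING.search(action):
            return "scheduled task launches a binary from a user-writable staging directory"
    if image.endswith(("\\wscript.exe", "\\cscript.exe")):
        if re.search(r"\.vbs\b", cmd, re.IGNORECASE) and STAGING.search(cmd):
            return "script host runs a VBScript from a user-writable staging directory"
    return None


def detect(events):
    """Return (index, reason) for every event that matches."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Legitimate software also registers tasks and runs scripts, so treat a hit as a triage lead to correlate with the parent process and any outbound connection that follows, not as a verdict on its own.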
A sample of Loda RAT executed in the ANY.RUN interactive sandbox exposes the malware’s malicious activities and IOCs.
Several criminal groups employ Loda RAT. For instance, to disseminate Loda and Revenge RAT in 2019, TA558 used PowerPoint attachments loaded with macros. In contrast, in 2022, the group shifted to container formats (such as RAR) and broadened their payload choices to include AsyncRAT.
Similarly, the Kasablanka APT launched a multi-stage attack in 2022 that targeted government institutions and used .iso email attachments for distributing the Loda and WarZone RAT malware.
Many criminal actors use the configuration design and accessibility of this malware to launch attacks on companies and governmental institutions worldwide.
Therefore, the simplest way to prevent Loda from unintentionally installing on your system is to avoid opening spam emails and exercise caution when opening suspicious URLs and files.
We recommend the ANY.RUN sandbox, which is free to use without limit, to get nearly instant reports on any file or link, gain an in-depth look at their activities, and discover the latest samples in the service’s database.
The post Loda Malware Attack Windows To Control RDP, Spread Malware, And Log User Inputs appeared first on Cyber Security News.
Cyber Security News
Windows Zero-days & Firefox Vulnerability Exploited by RomCom Hackers Group
Russian-aligned hacking group RomCom has been discovered exploiting two critical zero-day vulnerabilities affecting Mozilla Firefox and Windows systems in a sophisticated cyber-espionage campaign.
The vulnerabilities allowed attackers to execute malicious code on victims’ computers without any user interaction.
The first vulnerability, identified as CVE-2024-9680 with a critical CVSS score of 9.8, affected Mozilla products, including Firefox, Thunderbird, and Tor Browser. When combined with a Windows vulnerability (CVE-2024-49039, CVSS 8.8), attackers could execute arbitrary code with user-level privileges.
ESET researchers discovered the exploit on October 8th, 2024, prompting Mozilla to respond immediately and release patches within 24 hours. Microsoft subsequently patched the Windows vulnerability on November 12th through update KB5046612.
The attack chain began when victims visited compromised websites that redirected them to servers hosting the exploit.
The group used deceptive domain names mimicking legitimate websites, adding prefixes or suffixes like “redir” or “red” to appear authentic. Once successful, the exploit chain delivered RomCom’s signature backdoor, which was capable of executing commands and downloading additional malicious modules.
Between October 10th and November 4th, 2024, the campaign primarily targeted victims in Europe and North America, with affected numbers ranging from single digits to 250 per country. RomCom’s activities in 2024 have shown a dual focus on both cybercrime and espionage operations, targeting various sectors, including:
The Firefox vulnerability stemmed from a use-after-free bug in the animation timeline feature, while the Windows vulnerability exploited an undocumented RPC endpoint in the Task Scheduler service. The combination of these vulnerabilities allowed attackers to bypass Firefox’s sandbox restrictions and elevate privileges on targeted systems.
This marks RomCom’s second major zero-day exploitation in recent months, following their abuse of CVE-2023-36884 via Microsoft Word in June 2023. The group, also known as Storm-0978, Tropical Scorpius, or UNC2596, has demonstrated increasing sophistication in its attack methods.
The vulnerabilities have been patched in the following versions:
Users are strongly advised to update their systems and browsers to the latest versions to protect against these vulnerabilities.
The post Windows Zero-days & Firefox Vulnerability Exploited by RomCom Hackers Group appeared first on Cyber Security News.
New Banshee Stealer Targets 100+ Browser Extensions on Apple macOS Systems
Cybersecurity researchers have uncovered new stealer malware that’s designed to specifically target Apple macOS systems.
Dubbed Banshee Stealer, it’s offered for sale in the cybercrime underground for a steep price of $3,000 a month and works across both x86_64 and ARM64 architectures.
“Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser Read More