Microsoft has released Sysmon 15, converting it into a protected process and adding the new ‘FileExecutableDetected’ option to log when executable files are created. […] Read More
BleepingComputer
Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients
Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack.
The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a "dark pattern."
"The fact that Google Authenticator syncs to Read More
The Hacker News | #1 Trusted Cybersecurity News Site
Hackers Use Steganography Methods To Hide Malware In PNG File
Threat actors use steganography to hide malicious payloads inside benign-looking files such as images or documents.
Because the payload is concealed in ordinary content, it can pass security controls undetected, and the same technique can carry covert command-and-control traffic or exfiltrated data.
Together these properties make the resulting attacks harder to detect and more sophisticated.
Cybersecurity analysts at Morphisec Threat Labs recently found that threat actors are actively using steganography to hide malware in PNG files.
Multiple attack indicators point to the threat actor UAC-0184 delivering the Remcos RAT to a Ukrainian entity in Finland, and the IDAT loader is central to this campaign.
The actor targets Ukraine-based entities and aims to extend to affiliated organizations; Morphisec identifies a specific focus on Ukrainian entities in Finland.
The IDAT loader attack uses steganography to hide malicious code in images or videos. Techniques such as embedding code in the least significant bits of pixel data obfuscate the payload so that it evades detection.
Even when the image is visibly distorted, the obfuscation is enough to bypass defenses, and the extracted malware is then executed in memory.
Understanding the role of steganography is therefore essential for defending against such tactics.
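As an added example (not code from the article, from Morphisec, or from the IDAT loader), the least-significant-bit technique the paragraph names, applied to a raw RGB pixel buffer: each payload bit overwrites the low bit of one carrier byte, so no byte changes by more than 1 and the picture looks unchanged. The carrier and payload are constructed inline, and the 4-byte length prefix is a convention of this example only.

```python
"""LSB steganography on a raw RGB pixel buffer.

Added illustration of the technique named in the text; it is not
Morphisec's analysis code or the IDAT loader's own routine.  Every payload
bit replaces the least significant bit of one carrier byte, so each byte
changes by at most 1 and the picture is visually unchanged.  The 4-byte
little-endian length prefix is a convention of this example only.
"""
import struct


def lsb_embed(carrier: bytes, payload: bytes) -> bytes:
    """Hide a length-prefixed payload in the LSBs of the carrier bytes."""
    data = struct.pack("<I", len(payload)) + payload
    if len(data) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    i = 0
    for byte in data:
        for shift in range(7, -1, -1):          # MSB of each payload byte first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_lsb_bytes(carrier: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at carrier[start]."""
    out = bytearray()
    i = start
    for _ in range(count):
        value = 0
        for _ in range(8):
            value = (value << 1) | (carrier[i] & 1)
            i += 1
        out.append(value)
    return bytes(out)


def lsb_extract(carrier: bytes) -> bytes:
    """Recover the payload written by lsb_embed (length prefix first)."""
    if len(carrier) < 32:
        raise ValueError("carrier too small to hold a length prefix")
    (length,) = struct.unpack("<I", _read_lsb_bytes(carrier, 0, 4))
    if 32 + length * 8 > len(carrier):
        raise ValueError("length prefix exceeds carrier size")
    return _read_lsb_bytes(carrier, 32, length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed carrier (64x64 RGB = 12288 bytes) and a constructed payload.
    carrier = bytes((i * 37) % 256 for i in range(64 * 64 * 3))
    payload = b"MZ\x90\x00constructed fake payload, not real malware"
    stego = lsb_embed(carrier, payload)
    print("recovered:", lsb_extract(stego))
    print("max byte delta:", max_byte_delta(carrier, stego))
```

The delta check is the point: a pixel value moving by at most 1 is invisible to a viewer and to any scanner that only inspects file headers, which is why an extractor needs some agreed convention (here a length prefix; in the loader described below, an embedded marker value) to know where the hidden data starts and ends.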
Remcos is a commercial RAT that lets attackers control infected computers, steal data, and monitor user activity.
ANY.RUN's weekly figures list Remcos as the most commonly uploaded malware family among submitted samples (phishing samples aside).
Top 10 last week’s threats by uploads
#Phishing 1493 (1220)
#Remcos 256 (130)
#Agenttesla 169 (153)
#Njrat 96 (78)
#Xworm 93 (80)
#Asyncrat 86 (157)
#Quasar 60 (58)
#Redline 53 (64)
#Dcrat 44 (39)
#Pikabot 35 (26)
Track them all at … pic.twitter.com/yeHqKAPGQK
— ANY.RUN (@anyrun_app) February 26, 2024
Morphisec had already flagged Remcos as a threat, having detected it delivered through GuLoader and the Babadeda crypter.
It has prevented numerous attacks, including a notable one in early January 2024, where early detection aided containment and response.
A CERT-UA alert validated the threat days later, and Morphisec's research identified shared artifacts and variations in subsequent attacks, which showed its proactive stance.
The phishing email, posing as an IDF consultant, uses a recruitment lure referencing the 3rd Separate Assault Brigade and the IDF.
The IDAT loader delivers the Remcos RAT; the key stages of the attack are summarized in Morphisec's payload delivery flow chart, which is not reproduced here.
IDAT is an advanced loader that has also been seen deploying DanaBot, SystemBC, and RedLine Stealer; it has a modular architecture with distinctive features.
Its evasion techniques include dynamic loading, HTTP connectivity tests, and direct syscalls. The infection unfolds in stages involving module tables and instrumentation shellcode.
The loader embeds its modules within the executable and chooses injection or direct execution based on file type and configuration flags.
In addition, the code connects to and downloads from 'hxxps://aveclagare[.]org/wp-content/plugins/wpstream/public/js/youtube.min.js' using the distinctive user-agent 'racon', both for payload delivery and for connectivity checks.
IDAT's modular operation uses steganography with a PNG to extract the payload; the embedded value 0xEA79A5C6 marks the starting point of the hidden data.
The primary goal is to load 'PLA.dll' and employ 'Module Stomping' to inject the next-stage code, evading security solutions.
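An added triage script for a suspect PNG, not the loader's or Morphisec's code: it walks the chunk table and verifies each CRC, reports any bytes appended after IEND, and searches for the 0xEA79A5C6 marker the article names. The article does not say how the loader encodes or locates that marker, so searching both byte orders is an assumption of this example; the sample PNG and the appended blob are constructed inline.

```python
"""Triage a PNG for signs of an embedded payload.

Added example, not the IDAT loader's or Morphisec's code.  It checks what a
responder would look at first on a suspect image: chunk structure and CRCs,
bytes appended after IEND, and occurrences of the 0xEA79A5C6 marker the
article names.  The article does not say how the loader encodes that marker,
so both byte orders are searched (an assumption of this example).
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = 0xEA79A5C6  # value the article gives as the payload start marker


def parse_chunks(png: bytes):
    """Walk the chunk table; return (chunk list, offset of first byte after IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    chunks = []
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_field = png[pos + 8 + length:pos + 12 + length]
        entry = {"type": ctype.decode("latin-1"), "offset": pos, "length": length}
        if len(data) < length or len(crc_field) < 4:
            entry.update(crc_ok=False, truncated=True)
            chunks.append(entry)
            return chunks, len(png)
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        entry.update(crc_ok=struct.unpack(">I", crc_field)[0] == expected, truncated=False)
        chunks.append(entry)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def find_marker(buf: bytes, marker: int = MARKER):
    """Offsets at which the marker appears as a big- or little-endian byte string."""
    hits = []
    for fmt, order in ((">I", "big"), ("<I", "little")):
        needle = struct.pack(fmt, marker)
        start = 0
        while True:
            i = buf.find(needle, start)
            if i < 0:
                break
            hits.append((i, order))
            start = i + 1
    return sorted(hits)


def triage(png: bytes):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    chunks, end = parse_chunks(png)
    findings = []
    for c in chunks:
        if c["truncated"]:
            findings.append(f"truncated {c['type']} chunk at offset {c['offset']}")
        elif not c["crc_ok"]:
            findings.append(f"bad CRC on {c['type']} chunk at offset {c['offset']}")
    if chunks and chunks[-1]["type"] != "IEND":
        findings.append("no IEND chunk")
    if end < len(png):
        findings.append(f"{len(png) - end} bytes appended after IEND")
    for off, order in find_marker(png):
        findings.append(f"marker 0x{MARKER:08X} ({order}-endian) at offset {off}")
    return findings


def build_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal valid 8-bit RGB PNG, used only to construct the sample below."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def constructed_samples():
    """A clean constructed PNG and a copy with the marker plus a blob appended after IEND."""
    rgb = bytes((i * 7) % 256 for i in range(4 * 4 * 3))
    clean = build_png(4, 4, rgb)
    tampered = clean + struct.pack("<I", MARKER) + b"constructed fake payload"
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = constructed_samples()
    print("clean:", triage(clean) or "no findings")
    print("tampered:", triage(tampered))
```

Run it against a directory of images pulled from a suspect host and any hit on the appended-data or marker checks is a candidate for deeper analysis; a bad CRC alone is also worth a look, since a loader that rewrites pixel data without recomputing the chunk CRC leaves exactly that trace.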
IoCs
The post Hackers Use Steganography Methods To Hide Malware In PNG File appeared first on Cyber Security News.
Read More
Cyber Security News
Cyber and Critical Infrastructure
Frank Cilluffo, Director of the McCrary Institute, joins Ann on this week’s episode of Afternoon Cyber Tea. Frank is the Director for Cyber and Critical Infrastructure Security at Auburn University, which fuses theory with practice and policy with technology to protect and advance U.S. interests in national and economic security. Before joining Auburn, Frank served in senior roles at George Washington University, where he founded and led the Center for Cyber and Homeland Security. Ann and Frank discuss his role at Auburn, the National Cybersecurity Strategy released earlier this year, and what type of work needs to happen between the private and public sectors to make progress on the National Strategy. Read More
The CyberWire