Check Point Research has uncovered a significant phishing campaign targeting more than 40 prominent Colombian companies.
The attackers behind this campaign aimed to infect victims’ systems with the notorious “Remcos” malware, known for its versatility in malicious activities.
Remcos is categorized as a Remote Access Trojan (RAT), granting attackers complete control over compromised computers. This control allows them to carry out various malicious actions, including data theft, further malware installations, and the hijacking of user accounts.
Attack’s Modus Operandi
Fraudulent Email: Attackers initiated the campaign by sending deceptive emails impersonating trusted entities such as banks or Colombian companies. These emails typically carried urgent notices, claims of unpaid debts, or enticing offers.
Email Attachment: The emails included seemingly harmless attachments, often in ZIP or RAR file formats, claiming to contain essential documents or invoices.
Hidden Commands: Within the archive files were highly obfuscated Batch (BAT) files. When executed, these BAT files ran PowerShell commands, also obfuscated, creating a multi-layered obfuscation to evade security solutions.
Loading .NET Modules: These instructions caused the victim’s computer to load two critical components necessary for the subsequent stages of the attack.
First .NET Module: Evasion and Unhooking: The first component aimed to disable and deceive the computer’s security mechanisms, removing the user-mode hooks that security products rely on so that subsequent malicious activity would go undetected.
Second .NET Module: Loading “LoadPE” and Remcos: This part dynamically loaded another component named “LoadPE” from file resources. “LoadPE” was responsible for reflective loading, allowing the Remcos malware to be loaded directly into memory without being stored on disk.
Reflective Loading with “LoadPE”: Using “LoadPE,” attackers loaded the final payload, the Remcos malware, into memory. This reflective loading technique further evaded traditional antivirus and endpoint security solutions.
The Final Payload: Remcos – Swiss Army Knife RAT: With Remcos successfully loaded into memory, the attackers gained full control over the compromised system, enabling a wide range of malicious activities, including unauthorized access, data theft, keylogging, and remote surveillance.
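A defender can look for the chain described above in process-creation telemetry: a batch file run from an archive-extraction path, PowerShell started with hidden-window and policy-bypass switches, and an encoded command that, once decoded, loads a .NET assembly from memory. The following detector is an added example, not code from Check Point Research; the log events are constructed, the field names follow a Sysmon Event ID 1 style (an assumption), and the encoded script is a stand-in for the real loader.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style; field names are
# assumptions). They illustrate the chain described above, not data from the Check Point report.
_INNER = ("$b=[Convert]::FromBase64String($env:STAGE1);[System.Reflection.Assembly]::Load($b)"
          ".GetType('Loader.LoadPE').GetMethod('Run').Invoke($null,$null)")  # stand-in loader script
def _b64ps(script): return base64.b64encode(script.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {   # BAT unpacked from a RAR attachment spawns hidden, encoded PowerShell that loads from memory
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_cmdline": r'cmd.exe /c "C:\Users\ana\AppData\Local\Temp\Rar$DIa0.123\factura_pendiente.bat"',
        "cmdline": f"powershell.exe -nop -w hidden -ep bypass -EncodedCommand {_b64ps(_INNER)}"},
    {   # benign: an encoded one-liner with no loader behaviour, started from the desktop
        "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
        "cmdline": f"powershell.exe -EncodedCommand {_b64ps('Get-Date')}"},
]
ARCHIVE_TEMP = re.compile(r"\\(?:Temp\\|Rar\$|7z[A-Z]|Downloads\\)", re.I)  # archive extraction paths
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)  # common spellings
HIDDEN_FLAGS = re.compile(r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass", re.I)
# Strings that betray in-memory .NET assembly loading of the kind the LoadPE stage performs.
REFLECTIVE = re.compile(r"Reflection\.Assembly\]::Load|FromBase64String|\.GetMethod\(|\.Invoke\(", re.I)

def decode_encoded_command(cmdline):
    # -EncodedCommand carries base64 of a UTF-16LE script; return '' when absent or undecodable
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def score_event(ev):
    # Each visible stage of the BAT -> PowerShell -> in-memory loader chain adds one reason.
    reasons = []
    if (ev["parent_image"].lower().endswith("\\cmd.exe") and re.search(r"\.bat\b", ev["parent_cmdline"], re.I)
            and ARCHIVE_TEMP.search(ev["parent_cmdline"])):
        reasons.append("batch file launched from an archive extraction / temp path")
    if HIDDEN_FLAGS.search(ev["cmdline"]):
        reasons.append("powershell started with hidden-window / policy-bypass flags")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded:
        reasons.append("encoded command present")
        if REFLECTIVE.search(decoded):
            reasons.append("decoded script loads a .NET assembly from memory")
    return len(reasons), reasons

def flag_events(events, threshold=3):
    # (parent_cmdline, reasons) for every event matching at least `threshold` chain stages
    scored = ((ev["parent_cmdline"], score_event(ev)) for ev in events)
    return [(p, reasons) for p, (n, reasons) in scored if n >= threshold]
```

Requiring several stages to line up keeps a lone encoded command (common in legitimate administration) below the alert threshold while the full attachment-to-loader chain is flagged.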
The detailed technical research by Check Point Research provides insights into the complexity of this attack’s execution, focusing on evasion techniques and deobfuscation procedures used by the malicious actors.