Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX
A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems.
Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at least December 2022.
"The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) […]
The Hacker News
Microsoft 365 users hit by random product deactivation errors
Microsoft is investigating a known issue randomly triggering “Product Deactivated” errors for customers using Microsoft 365 Office apps. […]
Microsoft Seizes 240 Domains Used By Phishing-as-a-Service (PhaaS) Platform
The Digital Crimes Unit (DCU) of Microsoft has taken down 240 fraudulent websites that were utilized by the Egyptian phishing-as-a-service operation “ONNX.”
Abanoub Nady, also known online as “MRxC0DER,” created and marketed “do it yourself” phish kits under the false identity of “ONNX”.
These kits were purchased by a large number of cybercriminals and online threat actors, who then utilized them in extensive phishing campaigns to bypass security measures and access Microsoft user accounts.
The financial services industry has been aggressively targeted due to the sensitive data and transactions it handles. In some cases, the victims of a successful phish may suffer terrible real-world consequences.
Significant sums of money, including life savings, may be lost as a result, and once stolen, they may be extremely difficult to get back.
Overview Of The Fraudulent ONNX Operation
Microsoft has been monitoring activity connected to Abanoub Nady’s operation since as early as 2017. Besides using the ONNX trademark fraudulently, Nady also operated under the names “Caffeine” and, more recently, “FUHRER,” as observed by DCU.
The phish kits are built specifically for coordinated phishing campaigns and are designed to send email at high volume.
The fraudulent ONNX operation sells its kits on a subscription model, with Basic, Professional, and Enterprise tiers offering varying levels of access and support.
Enterprise customers can also buy an “Unlimited VIP Support” add-on: effectively continuous technical support, with detailed instructions on how to use the phishing kits successfully to commit cybercrime.
After purchasing a kit, cybercriminals can use the supplied templates and the fraudulent ONNX technical infrastructure to carry out their own phishing attacks.
They can expand and scale their phishing operations by connecting domains they buy elsewhere to the fraudulent ONNX technical infrastructure.
According to this year’s Microsoft Digital Defense Report, the fraudulent ONNX operations were one of the top five phish kit providers by email volume in the first half of 2024.
They are a part of the larger “Phishing-as-a-Service” (PhaaS) industry. Abanoub Nady and his companions used branded storefronts, such as the fake “ONNX Store,” to market and sell their illegal offerings, just like e-commerce companies do.
By taking action against this well-known service and disrupting the illegal cybercriminal supply chain, DCU is safeguarding consumers against a range of downstream threats, such as financial fraud, data theft, and ransomware.
According to Microsoft’s Digital Defense Report for this year, the company has seen a 146% increase in adversary-in-the-middle (AiTM) phishing threats alone.
FINRA, the non-profit self-regulatory body that regulates U.S. broker-dealers, recently released a public Cyber Alert warning members of an increase in AiTM attacks driven by the fraudulent ONNX scheme.
In this warning, FINRA outlined new methods that hackers are using to get around cybersecurity safeguards, such as QR code phishing, or “quishing.”
Quishing embeds a QR code in the message; when the user scans it, they are taken to a malicious impersonation domain, usually a fake sign-in page that asks them to enter credentials.
Microsoft analysts noticed a sharp rise in phishing attempts employing QR codes starting around September 2023, reaching almost a quarter of all email phishing.
“Our goal in all cases is to protect customers by severing bad actors from the infrastructure required to operate and to deter future cybercriminal behavior by significantly raising the barriers of entry and the cost of doing business,” said Steven Masada, Assistant General Counsel, Microsoft’s Digital Crimes Unit.
“We are joined by co-plaintiff LF (Linux Foundation) Projects, LLC, the trademark owner of the actual registered ‘ONNX’ name and logo.”
He added that rather than watching helplessly while bad actors unlawfully use their names and trademarks to give their attacks more validity, the two are working together to take proactive steps to defend internet users everywhere.
Companies and individuals must remain knowledgeable and cautious as cybercriminals continue to develop their tactics.
By understanding the strategies hackers use and putting strong security measures in place, we can all help create a safer online environment.

Infostealer Malware Bypassing Chrome’s Cookie Protection to Steal Data
Multiple infostealer malware families have developed new techniques to circumvent Google Chrome’s Application-Bound Encryption security feature, which was introduced in July 2024 to protect stored cookies and user data.
Application-Bound Encryption shipped in July 2024 with Chrome version 127 to strengthen the protection of stored cookies on Windows systems.
It was designed to address weaknesses of the previous protection scheme, which relied on the Windows Data Protection API (DPAPI). Malware developers, however, have adapted quickly, building new bypass techniques to keep stealing sensitive user data.
Elastic Security Labs observed that several notorious malware families, including STEALC/VIDAR, METASTEALER, PHEMEDRONE, XENOSTEALER, and LUMMA, have implemented sophisticated bypass methods to continue stealing sensitive browser data.
These malware variants are using various techniques such as remote debugging, memory reading of Chrome processes, and system token manipulation.
Prominent Stealers Bypassing Cookie Protection
STEALC/VIDAR has integrated components from the offensive security tool ChromeKatz, allowing it to scan and terminate Chrome processes before extracting unencrypted cookie values from the browser’s memory.
METASTEALER employs a different approach by impersonating the SYSTEM token and leveraging Chrome’s elevation service through COM interfaces to decrypt protected data. Despite claims of working without administrator privileges, testing has revealed that elevated access is required.
PHEMEDRONE utilizes Chrome’s remote debugging capabilities, establishing connections through the browser’s DevTools Protocol to extract cookies. The malware operates stealthily by positioning Chrome windows off-screen to avoid detection.
The emergence of these bypass techniques represents a significant challenge to browser security. While Google’s Application-Bound Encryption has successfully forced malware authors to adopt more sophisticated and more detectable methods, it hasn’t completely stopped the threat, the report notes.
Security experts recommend monitoring for several suspicious behaviors:
Unusual processes accessing browser cookies
Multiple Chrome process terminations followed by elevation service activation
Browser debugging from unexpected parent processes
Unsigned executables running from Chrome application folders
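As an added illustration (not code from the Elastic report or this article) of turning three of those indicators into detection logic, the Python sketch below scans constructed process start/stop events for Chrome launched with the DevTools remote-debugging switch by an unexpected parent, a burst of chrome.exe terminations followed by the elevation service starting, and unsigned binaries running from the Chrome application folder. The parent-process allow list, the Chrome install path, the elevation service binary name, the thresholds and the sample events are all assumptions.

```python
import re
from collections import deque

# Assumed environment values (constructed for this example, not from the report)
EXPECTED_CHROME_PARENTS = {"explorer.exe", "chrome.exe"}       # normal launchers of chrome.exe
CHROME_DIR = r"c:\program files\google\chrome\application"     # Chrome install folder, lower-case
KILL_THRESHOLD = 3      # chrome.exe terminations that count as a "burst"
WINDOW_SECONDS = 30     # the burst must precede the elevation service start by at most this long

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def detect(events):
    """Scan process start/stop events (dicts: t, kind, image, parent, cmdline, signed)
    and return (rule, t) findings in time order."""
    findings, recent_kills = [], deque()   # recent_kills: times of chrome.exe exits
    for e in sorted(events, key=lambda e: e["t"]):
        name, parent = basename(e["image"]), basename(e["parent"])
        if e["kind"] == "stop":
            if name == "chrome.exe":
                recent_kills.append(e["t"])
            continue
        while recent_kills and e["t"] - recent_kills[0] > WINDOW_SECONDS:
            recent_kills.popleft()          # forget exits outside the window
        # Rule 1: Chrome started with the DevTools remote-debugging switch by an unusual parent
        if (name == "chrome.exe" and "--remote-debugging-port" in e["cmdline"].lower()
                and parent not in EXPECTED_CHROME_PARENTS):
            findings.append(("chrome_remote_debugging_unexpected_parent", e["t"]))
        # Rule 2: unsigned executable running from the Chrome application folder
        if e["image"].lower().startswith(CHROME_DIR) and not e["signed"]:
            findings.append(("unsigned_binary_in_chrome_dir", e["t"]))
        # Rule 3: burst of chrome.exe exits followed by the elevation service starting
        if name == "elevation_service.exe" and len(recent_kills) >= KILL_THRESHOLD:
            findings.append(("chrome_kills_then_elevation_service", e["t"]))
    return findings

def ev(t, kind, image, parent="", cmdline="", signed=True):
    return {"t": t, "kind": kind, "image": image, "parent": parent, "cmdline": cmdline, "signed": signed}

# Constructed sample telemetry (not real logs); t is seconds from an arbitrary origin
SAMPLE = [
    ev(3, "start", CHROME_DIR + r"\chrome.exe", r"C:\Windows\explorer.exe", "chrome.exe"),   # benign
    ev(5, "start", CHROME_DIR + r"\chrome.exe", r"C:\Users\u\Downloads\update.exe",
       "chrome.exe --remote-debugging-port=9222"),
    ev(10, "stop", CHROME_DIR + r"\chrome.exe"), ev(11, "stop", CHROME_DIR + r"\chrome.exe"),
    ev(12, "stop", CHROME_DIR + r"\chrome.exe"),
    ev(13, "start", CHROME_DIR + r"\130.0.0.0\elevation_service.exe", r"C:\Windows\System32\services.exe"),
    ev(14, "start", CHROME_DIR + r"\helper.exe", r"C:\Windows\explorer.exe", signed=False),
]
```

Running `detect(SAMPLE)` flags the remote-debugging launch, the kill burst before the elevation service start, and the unsigned helper, while the benign launch at t=3 produces nothing.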
The security community is actively tracking these developments. Researchers note that while these new techniques may be successful, they generate more detectable patterns that security tools can identify.
Organizations are advised to maintain robust endpoint monitoring and security instrumentation to detect these evolving threats.
The ongoing battle between security measures and malware developers highlights the need for continuous innovation in browser security.
While Google’s protection mechanisms have raised the bar for attackers, the rapid adaptation of malware families demonstrates the persistent nature of this security challenge.