The all in one place for non-profit security aid.
Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what’s needed to offer the promised functionality. […] Read More
BleepingComputer
Remcos Everywhere! Attacking From a Weaponized Zip File
[[{“value”:”
Cybersecurity circles are abuzz with the latest campaign involving the notorious Remote Control System (RAT), Remcos.
This sophisticated malware has been making headlines for its widespread and targeted attacks, particularly in Eastern Europe.
The recent surge in activities has seen Romania, Moldova, and neighboring countries falling victim to a cleverly disguised threat, masquerading as a benign communication from a Romanian industrial equipment supplier.
The attackers have adopted a cunning approach to infiltrate companies’ defenses, leveraging social engineering tactics that exploit human psychology.
Companies in the targeted region have been receiving emails with “Comandă nouă” (New Order), seemingly originating from a legitimate supplier specializing in machine tools.
Document
Integrate ANY.RUN in your company for Effective Malware Analysis
Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers
Malware analysis can be fast and simple. Just let us show you the way to:
Interact with malware safely
Set up virtual machine in Linux and all Windows OS versions
Work in a team
Get detailed reports with maximum data
If you want to test all these features now with completely free access to the sandbox:
These emails contain a ZIP archive named “Noua lista de comenzi.zip” (New Order List.zip). Upon opening, it reveals a malicious executable file masquerading as a command list, “Noua lista de comenzi.exe” (New Order List.exe).
This file, once executed, unleashes the Remcos RAT onto the unsuspecting victim’s system.
The deployment of Remcos RAT is not to be taken lightly. This malware grants attackers remote access to compromised systems, paving the way for many nefarious activities, as reported by Broadcom.
The implications for affected companies are dire, encompassing data theft, system compromise, operational disruption, espionage, and significant reputational damage.
Furthermore, the legal and compliance ramifications can not be overstated, potentially leading to severe financial penalties and loss of business.
In the face of this escalating threat, Symantec has stepped up to offer robust protection against Remcos RAT. Symantec’s email security products have comprehensive coverage designed to thwart email-based attacks.
The company’s adaptive, file-based, machine learning-based, and network-based defenses are meticulously engineered to detect and neutralize threats like Remcos.
Symantec uses key identifiers to protect against this RAT, including ACM.Ps-RgPst!g1, Trojan.Gen.MBT, Trojan.Gen.NPE, and Heur.AdvML.B!100, along with monitoring for lousy reputation application activity.
The emergence of Remcos RAT in a weaponized ZIP file, exploiting social engineering tactics, underscores the evolving landscape of cyber threats.
Companies, particularly those in the targeted regions, must remain vigilant and adopt a proactive stance toward cybersecurity.
Leveraging advanced security solutions like those offered by Symantec, alongside fostering a culture of security awareness among employees, can significantly mitigate the risk posed by such sophisticated attacks.
The battle against cyber threats like Remcos RAT is ongoing and requires a concerted effort from organizations, cybersecurity vendors, and individuals.
By staying informed and prepared, we can collectively thwart cyber adversaries’ ambitions and safeguard our digital domains.
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter
The post Remcos Everywhere! Attacking From a Weaponized Zip File appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
Bondnet Using High-Performance Bots For C2 Server
Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently.
These bots can work quickly, flood systems, steal information, and conduct and orchestrate sophisticated cyber operations largely autonomously.
Cybersecurity researchers at ASEC recently discovered that Bondnet has used high-performance bots for C2 servers.
Bondnet, a threat actor deploying backdoors and cryptocurrency miners since 2017, was still finding new approaches.
The ASEC researchers noted that Bondnet configures reverse RDP environments on fast stolen systems using them as C2 servers.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot
It meant modifying an open-source, fast reverse proxy (FRP) tool embedding the threat actor’s proxy server information.
This included setting up an FRP-based reverse RDP environment, whereby Bondnet ran various programs onto the targets, like the Cloudflare tunneling client, for remote access, ensuring that they remained vigilant about keeping hold of compromised valuables.
Cloudflare tunneling client is one of the attempts Bondnet threat actors used to connect a service on the compromised target with their C2 domain after registering a C2 domain on Cloudflare.
One of the applications executed was HFS, which provided a file server service on TCP port 4000. The software’s architecture resembled this threat actor’s Command and Control infrastructure.
The HFS Golang program encountered environmental issues, which made it impossible to observe how the system could have been changed into a command-and-control one.
However, strong evidence indicates that Bondnet wished to exploit high-speed compromised systems as part of their C2 infrastructure via this tunneling means.
Bondnet, a threat actor, linked compromised targets with the Cloudflare tunneling client and HFS program to associate system services with the Cloudflare-hosted C2 domain.
They might have intended to convert high-performance bots into their C2 infrastructure via reverse RDP connections.
No data exfiltration or lateral movement was detected, although similarities between the HFS program UI and the actor’s C2 suggested its expected use.
During analysis of this system, it turned out that the HFS program did not work properly.
Some months later, the actors’ C2 UI changed, with new malicious files appearing and those that were deleted previously being restored, suggesting that they may have used another compromised bot using different tooling after facing issues while turning the initial target into a C2 node.
MD5s
D6B2FEEA1F03314B21B7BB1EF2294B72(smss.exe)
2513EB59C3DB32A2D5EFBEDE6136A75D(mf)
E919EDC79708666CD3822F469F1C3714(hotfixl.exe)
432BF16E0663A07E4BD4C4EAD68D8D3D(main.exe)
9B7BE5271731CFFC51EBDF9E419FA7C3(dss.exe)
7F31636F9B74AB93A268F5A473066053(BulletsPassView64.exe)
D28F0CFAE377553FCB85918C29F4889B(VNCPassView.exe)
6121393A37C3178E7C82D1906EA16FD4(PstPassword.exe)
0753CAB27F143E009012053208B7F63E(netpass64.exe)
782DD6152AB52361EBA2BAFD67771FA0(mailpv.exe)
8CAFDBB0A919A1DE8E0E9E38F8AA19BD(PCHunter32.exe)
00FA7F88C54E4A7ABF4863734A8F2017(fast.exe)
AD3D95371C1A8465AC73A3BC2817D083(kit.bat)
15069DA45E5358578105F729EC1C2D0B(zmass_2.bat)
28C2B019082763C7A90EF63BFD2F833A(dss.bat)
5410539E34FB934133D6C689072BA49D(mimikatz.exe)
59FEB67C537C71B256ADD4F3CBCB701C(ntuser.cpl)
0FC84B8B2BD57E1CF90D8D972A147503(httpd.exe)
057D5C5E6B3F3D366E72195B0954283B(check.exe)
35EE8D4E45716871CB31A80555C3D33E(UpSql.exe)
1F7DF25F6090F182534DDEF93F27073D(svchost.exe)
DC8A0D509E84B92FBF7E794FBBE6625B(svchost.com)
76B916F3EEB80D44915D8C01200D0A94(RouterPassView.exe)
44BD492DFB54107EBFE063FCBFBDDFF5(rdpv.exe)
E0DB0BF8929CCAAF6C085431BE676C45(mass.dll)
DF218168BF83D26386DFD4ECE7AEF2D0(mspass.exe)
35861F4EA9A8ECB6C357BDB91B7DF804(pspv.exe)
URLs And C2s
223.223.188[.]19
185.141.26[.]116/stats.php
185.141.26[.]116/hotfixl.ico
185.141.26[.]116/winupdate.css
84.46.22[.]158:7000
46.59.214[.]14:7000
46.59.210[.]69:7000
47.99.155[.]111
d.mymst[.]top
m.mymst[.]top
frp.mymst007[.]top
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
The post Bondnet Using High-Performance Bots For C2 Server appeared first on Cyber Security News.
Discord adds Security Key support for all users to enhance security
Discord has made security key multi-factor authentication (MFA) available for all accounts on the platform, bringing significant security and anti-phishing benefits to its 500+ million registered users. […] Read More
BleepingComputer