A former employee of Discovery Bay Water Treatment Facility in California was indicted by a federal grand jury for intentionally attempting to cause malfunction to the facility’s safety and protection systems. […]
BleepingComputer
Notorious Mystic Stealer Attacks 40 Web Browsers & 70 Extensions to Steal Login Credentials
A brand-new information stealer named Mystic Stealer appeared in April 2023; it targets nearly 40 web browsers and more than 70 browser extensions for credential theft.
This spyware also targets Steam, Telegram, and cryptocurrency wallets. Mystic additionally implements a proprietary binary protocol encrypted with RC4.
The code is heavily obfuscated using polymorphic string obfuscation, hash-based import resolution, and runtime constant computation.
Zscaler and InQuest published a joint in-depth technical analysis of the malware. Mystic Stealer specializes in data theft and can steal a variety of different types of data.
It is intended to gather system data such as the hostname, user name, and GUID.
It also infers the likely location of the user from the locale and keyboard layout. Its core functionality extracts data from cryptocurrency wallets and web browsers.
It gathers information on cryptocurrency wallets, browser history, arbitrary files, cookies, and auto-fill data.
Mystic Stealer supports all major cryptocurrency wallets, including Bitcoin, DashCore, Exodus, and more. Mystic may also steal Steam and Telegram login information.
To decrypt or decode target credentials, the stealer does not require the integration of third-party libraries.
“Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the command & control (C2) server that handles parsing,” researchers said.
Keyboard layout
Locale
CPU information
Number of CPU processors
Screen dimensions
Computer name
Username
Running processes
System architecture
Operating system version
Cyber Security News learned that the malware targets over 70 web browser extensions for cryptocurrency theft and employs the same capabilities to target two-factor authentication (2FA) services.
The malware also acts as a loader, meaning it has the capacity to download and execute new malware payloads.
This reflects a continuing trend in which loaders enable one threat actor to promote the dissemination of affiliate malware on compromised devices.
Further, the constant values in the code are obfuscated and computed dynamically at runtime.
Mystic Stealer uses a unique binary protocol over TCP to interact with its command and control (C2) servers.
The stealer has been associated with many server-hosting IP addresses across a wide range of countries, including but not limited to France, Germany, Russia, the United States, and China.
Researchers also note that some servers are located in hosting facilities in Latvia, Bulgaria, and Russia.
Since Mystic Stealer is a new player, it is challenging to forecast its future. But it is a sophisticated threat with the ability to cause significant harm.
The post Notorious Mystic Stealer Attacks 40 Web Browsers & 70 Extensions to Steal Login Credentials appeared first on Cyber Security News.
Cyber Security News
DJvu Ransomware Mimic as Cracked Software to Compromise Computers
A recent campaign has been observed delivering DJvu ransomware through a loader that pretends to be freeware or cracked software. This ransomware has previously been reported to append a .xaro extension to the files it encrypts, and the threat actors demand a ransom for decrypting those files.
The main goals of this ransomware are data exfiltration, stealing information, and ransom demands. The campaign uses a shotgun approach, deploying the ransomware alongside a variety of other malicious files.
For the initial access vector, the threat actors distributed malicious .7z archive files from an untrusted website masquerading as a legitimate freeware distribution site. When victims download the malicious install.7z archive and extract it, it contains an install.exe file.
This file is a large binary-packed executable of about 0.7 GB. Further analysis revealed that it is PrivateLoader, a loader first observed in 2021.
If victims execute install.exe, it downloads several additional malware families: Redline Stealer (infostealer), Vidar (infostealer), Amadey (botnet), Nymaim (downloader), GCleaner (loader), XMRig (cryptominer), Fabookie (Facebook infostealer) and LummaC Stealer (MaaS platform acting as an infostealer).
In addition to this, the Xaro payload was found to be running on the compromised machine within three minutes of the install.exe execution. There were two observed flows of the execution and termination of the Xaro payload.
The first flow uses a process name consisting of a four-character alphanumeric string, such as 5r64.exe, spawns a child copy of itself and injects code into it. This child process creates a registry entry at software\microsoft\windows\currentversion\run\syshelper for persistence.
The second flow is similar to the first but applies certain measures to bypass security controls. The child process in this flow connects to the C2 server api.2ip[.]ua. It also encrypts files in the C:\Users\User directory on the compromised machine.
A complete report about this ransomware variant has been published by Cybereason, providing detailed information about the execution process, payloads used, source code, and other findings.
Type        Value                                                               Comment
SHA-256     10ef30b7c8b32a4c91d6f6fee738e39dc02233d71ecf4857bec6e70520d0f5c1    install.exe
SHA-256     83546201db335f52721ed313b9078de267eaf1c5d58168b99e35b2836bf4f0fc    Xaro payload
SHA-256     3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4    Build2.exe
SHA-256     8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0    Build3.exe
Domain      api.2ip[.]ua                                                        Xaro C2 server
Domain      colisumy[.]com                                                      Xaro C2 server
Domain      zexeq[.]com                                                         Xaro C2 server
Task Name   Azure-Update-Task                                                   Scheduled task
Task Name   Time Trigger Task                                                   Scheduled task used to rerun Xaro
Registry    software\microsoft\windows\currentversion\run\syshelper             Registry entry used by Xaro for persistence
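The indicators above and the two execution flows described earlier can be turned into a simple host-telemetry sweep. The following is an added example written for this page, not code from Cyber Security News or Cybereason; the event schema (type/sha256/query/path/name/image/parent_image) and the sample events are constructed assumptions, and the four-character image-name check is only a weak signal that is reported when the process also spawned a copy of itself.

```python
import re

# Indicators copied from the article's IoC table. Domains stay defanged in the
# source list and are refanged only for matching against DNS telemetry.
XARO_SHA256 = {
    "10ef30b7c8b32a4c91d6f6fee738e39dc02233d71ecf4857bec6e70520d0f5c1": "install.exe",
    "83546201db335f52721ed313b9078de267eaf1c5d58168b99e35b2836bf4f0fc": "Xaro payload",
    "3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4": "Build2.exe",
    "8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0": "Build3.exe",
}
XARO_C2 = {d.replace("[.]", ".") for d in ("api.2ip[.]ua", "colisumy[.]com", "zexeq[.]com")}
XARO_TASKS = {"Azure-Update-Task", "Time Trigger Task"}
XARO_RUN_VALUE = r"software\microsoft\windows\currentversion\run\syshelper"
# Weak signal from the article: a four-character alphanumeric image name (e.g. 5r64.exe);
# only flagged when the process also spawned a copy of itself, as the first flow does.
SHORT_RANDOM_EXE = re.compile(r"^[a-z0-9]{4}\.exe$", re.IGNORECASE)

def normalize_registry_path(path: str) -> str:
    """Strip an HKCU/HKEY_CURRENT_USER style hive prefix and lowercase for comparison."""
    hive, sep, rest = path.replace("/", "\\").partition("\\")
    return rest.lower() if sep and hive.upper().startswith("HK") else path.lower()

def classify(event: dict) -> list[str]:
    """Return the indicator matches for one telemetry record (constructed schema)."""
    hits, kind = [], event.get("type")
    if kind == "file" and event.get("sha256", "").lower() in XARO_SHA256:
        hits.append("known Xaro artifact: " + XARO_SHA256[event["sha256"].lower()])
    if kind == "dns" and event.get("query", "").lower().rstrip(".") in XARO_C2:
        hits.append("Xaro C2 lookup: " + event["query"])
    if kind == "registry" and normalize_registry_path(event.get("path", "")) == XARO_RUN_VALUE:
        hits.append("Xaro persistence: Run\\syshelper value written")
    if kind == "task" and event.get("name") in XARO_TASKS:
        hits.append("Xaro scheduled task: " + event["name"])
    if kind == "process":
        image, parent = event.get("image", ""), event.get("parent_image", "")
        if SHORT_RANDOM_EXE.match(image) and image.lower() == parent.lower():
            hits.append("self-spawned short random executable: " + image)
    return hits

def sweep(events: list[dict]) -> dict[int, list[str]]:
    # Map event id -> findings for every record that matched at least one indicator.
    return {e["id"]: h for e in events if (h := classify(e))}

# Constructed sample telemetry (not real logs) mirroring the two execution flows.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "sha256": "10EF30B7C8B32A4C91D6F6FEE738E39DC02233D71ECF4857BEC6E70520D0F5C1"},
    {"id": 2, "type": "process", "image": "5r64.exe", "parent_image": "5r64.exe"},
    {"id": 3, "type": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\syshelper"},
    {"id": 4, "type": "dns", "query": "api.2ip.ua."},
    {"id": 5, "type": "task", "name": "Time Trigger Task"},
]
```

Running `sweep(SAMPLE_EVENTS)` flags all five constructed events; a 5r64.exe started by explorer.exe, or a lookup of an unrelated domain, produces no finding.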
Cyber Security News
CISA shares free tools to help secure data in the cloud
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shared a factsheet providing details on free tools and guidance for securing digital assets after switching to the cloud from on-premises environments. […]
BleepingComputer