The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community. […] Read More
BleepingComputer
Watch Out For Malicious Python Packages That Can Hijack Your Computer
Recently, security researchers have discovered that cybercriminals are distributing harmful Python packages that are camouflaged as genuine obfuscation tools, but in reality, they contain malicious code.
These packages are being used by threat actors to spread malware and launch cyber attacks on unsuspecting victims.
Open-source tools and packages significantly simplify tasks and speed up development processes.
Code obfuscation is typically used by developers who handle sensitive and valuable code or data. Attackers therefore regard such developers as desirable targets, and they are the likely victims of this campaign.
Most malicious package downloads originate from the United States and are then followed by China, Russia, Ireland, Hong Kong, France, Croatia, and Spain.
According to Checkmarx researchers, attackers distributed several packages with the following names:
Pyobftoexe
Pyobfusfile
Pyobfexecute
Pyobfpremium
Pyobflite
Pyobfadvance
Pyobfuse
Pyobfgood
“These packages, masquerading as helpful tools for Python code obfuscation at first glance, have hidden agendas,” said Checkmarx researchers.
The attackers deliberately chose names resembling those of legitimate packages, such as “pyobf2” and “pyobfuscator,” which programmers use to obfuscate their Python code.
The most recent package of this kind, pyobfgood, was published to the Python ecosystem at the end of October 2023 and carried a destructive payload.
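As an added example (not code from the article or from Checkmarx), a small pre-install check that flags requested package names which imitate the legitimate obfuscators named above, using the names on this page as test data. The shared-prefix length and similarity threshold are assumed heuristics, chosen because the reported squats all reuse the "pyobf" stem.

```python
import difflib
import os.path
import re

# Legitimate obfuscators and the look-alike names reported in the article.
KNOWN_GOOD = ["pyobf2", "pyobfuscator"]
REPORTED_TYPOSQUATS = ["pyobftoexe", "pyobfusfile", "pyobfexecute", "pyobfpremium",
                       "pyobflite", "pyobfadvance", "pyobfuse", "pyobfgood"]
MIN_SHARED_PREFIX = 5   # assumed heuristic: "pyobf" is the stem being imitated
MIN_RATIO = 0.7         # assumed heuristic: edit-similarity threshold


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalikes(name, allow_list=KNOWN_GOOD):
    """Allow-listed names that `name` imitates; empty if it is one of them."""
    n = normalize(name)
    hits = []
    for good in allow_list:
        g = normalize(good)
        if n == g:
            return []          # exact match: the genuine package, not a squat
        ratio = difflib.SequenceMatcher(None, n, g).ratio()
        prefix = len(os.path.commonprefix([n, g]))
        if ratio >= MIN_RATIO or prefix >= MIN_SHARED_PREFIX:
            hits.append(good)
    return hits


def audit_requirements(text, allow_list=KNOWN_GOOD):
    """Scan requirements.txt content; map each suspicious name to what it imitates."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("-"):    # skip blanks and pip options
            continue
        name = re.split(r"[\s=<>!~\[;@]", line, maxsplit=1)[0]
        hits = lookalikes(name, allow_list)
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    # Constructed sample requirements file: one genuine obfuscator, one squat.
    sample = "requests==2.31.0\npyobf2\nPyobfgood>=1.0\nnumpy\n"
    print(audit_requirements(sample))   # {'Pyobfgood': ['pyobf2', 'pyobfuscator']}
```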
Upon investigation into the fetched Python code, it was discovered that the malware, labeled as “BlazeStealer,” runs a Discord bot.
Once triggered, this bot gives the attacker complete control over the target’s system, enabling them to carry out a variety of destructive operations on the victim’s device.
Those operations include:
Exfiltrate detailed host information
Steal passwords from the Chrome web browser
Set up a keylogger
Download files from the victim’s system
Capture screenshots and record both screen and audio
Render the computer inoperative by ramping up CPU usage, dropping a batch script in the startup directory to shut down the PC, or forcing a BSOD with a Python script
Encrypt files, potentially for ransom
Deactivate Windows Defender and Task Manager
Execute any command on the compromised host
The Discord bot has a specific command for controlling the computer’s camera. It accomplishes this by covertly downloading and extracting a zip file from a remote server and then launching WebCamImageSave.exe.
This enables the bot to use the webcam to covertly take a picture. After deleting the downloaded files, the generated image is returned to the Discord channel, leaving no trace of its existence.
The bot’s malicious humor is evident in its messages, which ridicule the imminent destruction of the hacked machine, such as “Your computer is going to start burning, good luck. :)” as well as “Your computer is going to die now, good luck getting it back :)”
Open-source software remains a great place to innovate, but it must be handled with caution. Developers need to stay alert and inspect packages before installing them.
The post Watch Out For Malicious Python Packages That Can Hijack Your Computer appeared first on Cyber Security News.
Cyber Security News
New FireScam Android Malware Abusing Firebase Services To Evade Detection
FireScam, an information stealer malware with spyware capabilities, is being disseminated as a fake “Telegram Premium” application. The malware spreads through a phishing website on GitHub.io that imitates the legitimate RuStore app store.
The malware uses a multi-stage infection procedure that begins with a dropper APK and then conducts comprehensive surveillance once installed.
The malware exfiltrates sensitive data, including messages, notifications, and other app data, to a Firebase Realtime Database endpoint.
FireScam secretly collects useful data by tracking device behaviors such as screen state changes, e-commerce transactions, clipboard activity, and user involvement.
It also obtains alerts from a variety of apps, including system programs, with the ability to steal sensitive information and track user activity. It uses obfuscation techniques to conceal its purpose and avoid being discovered by security tools and researchers.
FireScam masquerades as a legitimate application to deceive users into installing it; once installed, it harvests sensitive information and exfiltrates it to the Firebase C2 endpoint.
“An APK is downloaded from this phishing website, acting as a dropper that subsequently installs the FireScam malware, disguised as the ‘Telegram Premium’ application,” Cyfirma said in a report shared with Cyber Security News.
The exfiltrated data is temporarily stored in the Firebase Realtime Database at the URL “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” and is later deleted, presumably after the valuable content has been filtered out and saved to another private storage location.
The dropper requests extensive rights, including storage access, app administration, and the ability to update or remove programs without the user’s permission.
The ENFORCE_UPDATE_OWNERSHIP permission lets an application claim ownership of its own updates; this aids persistence, because other installers cannot update the app silently and must obtain the user’s consent first.
Additional permissions that FireScam requests enable access to notifications on the infected device and unrestricted background activities (exclusion from battery optimization).
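To illustrate the permission set described above, here is an added triage script (written for this page, not Cyfirma's tooling or the malware's code) that flags those permissions and a notification-listener service in a decoded AndroidManifest.xml, such as the output of apktool. The sample manifest and its package name are constructed, and the list of risky permissions is an assumption derived from the behaviours the report names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(attr):
    """Clark-notation name for an android: attribute, as ElementTree expects."""
    return f"{{{ANDROID_NS}}}{attr}"

# Manifest permissions matching the behaviours the report attributes to FireScam (assumed list).
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper)",
    "android.permission.REQUEST_DELETE_PACKAGES": "can ask to remove other apps",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "claims ownership of its own updates",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "unrestricted background activity",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage access",
}
# A service guarded by this permission receives every notification posted on the device.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def triage_manifest(manifest_xml):
    """Return (item, reason) pairs that deserve a reviewer's attention in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for up in root.iter("uses-permission"):
        name = up.get(android_attr("name"), "")
        if name in RISKY_PERMISSIONS:
            findings.append((name, RISKY_PERMISSIONS[name]))
    for svc in root.iter("service"):
        if svc.get(android_attr("permission")) == NOTIFICATION_LISTENER:
            findings.append((svc.get(android_attr("name"), "?"),
                             "notification listener: can read other apps' notifications"))
    return findings

# Constructed sample manifest (placeholder package name), shaped like the report's description.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Telegram Premium">
    <service android:name=".NotifSvc" android:exported="true"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```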
The spyware tracks and records USSD responses, uploads key events to the C2 server, and steals private information such as account balances.
Additionally, it avoids analysis and detection by using sandbox detection measures, dynamic receiver access restriction, and obfuscation techniques.
These malicious websites take advantage of user confidence by imitating legitimate platforms, like the RuStore app store, to trick people into downloading and installing fake apps, such as “Telegram Premium.”
Because consumers frequently overlook the warning indicators of phishing or malicious intent, these phishing methods have a high success rate.
Organizations must put strong cybersecurity safeguards and proactive defensive tactics in place as attacks like FireScam continue to evolve.
The post New FireScam Android Malware Abusing Firebase Services To Evade Detection appeared first on Cyber Security News.
Google rejected 2.28 million risky Android apps from Play store in 2023
Google blocked 2.28 million Android apps from being published on Google Play after finding various policy violations that could threaten users’ security. […] Read More
BleepingComputer