The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates. […] Read More
HiddenGh0st Malware Attacking MS-SQL & MySQL Servers
Gh0st RAT is a remote-control malware created by China's C. Rufus Security Team. Its source code is publicly available, which is why it is popular with Chinese-speaking threat actors and why many variants exist.
ASEC (AhnLab Security Emergency Response Center) has identified a Gh0st RAT variant that bundles the open-source Hidden rootkit to conceal the malware's presence and obstruct its removal on compromised MS-SQL servers.
The variant, named HiddenGh0st, adds QQ Messenger data-theft capabilities; it has been in circulation since 2022 and most likely targets Chinese users.
According to ASEC, HiddenGh0st is actively being deployed against poorly managed MS-SQL and MySQL servers, typically ones exposed to the internet with weak administrator credentials.
Hackers Attacking MS-SQL & MySQL Servers
HiddenGh0st is distributed as a packed binary: the packer decrypts the actual PE file and executes it in memory, which helps it evade file-based detection. The unpacked PE carries a 0x848-byte block of configuration data.
Besides this, it covers the following things:-
C&C URL
Installation method
Path
File name
Rootkit activation
Some options are disabled in the analyzed sample; the downloader thread's URL, for example, would fetch additional malware from an external server if it were enabled.
Another option, when enabled, fetches the infected system's public IP address from http[:]//www[.]taobao[.]com/help/getip[.]php and sends it to the C&C server.
When the configuration selects 'Service' mode, HiddenGh0st stores the installation time as the 'MarkTime' value under HKLM\SYSTEM\Select, registers itself as a service, and launches that service with the '-auto' argument.
MarkTime value (Source – ASEC)
The configuration also specifies a dummy-data size: the sample appends 0x00800000 bytes (8 MiB) of dummy data to the installed copy, presumably to push the file past the size limits of file scanners. The original file is then deleted, and HiddenGh0st is relaunched as a service with the '-acsi' argument.
When the configuration selects 'Startup Folder' mode, the installation time is likewise stored in 'MarkTime' under HKLM\SYSTEM\Select, after which HiddenGh0st copies itself using the DefineDosDeviceA() API.
It creates a DOS device symbolic link named '\\.\agmkis2', appends the dummy data, runs the copied malware, and deletes the original file.
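The persistence steps above leave three host artifacts an incident responder can check for: an executable padded with a large block of dummy data, a 'MarkTime' value under HKLM\SYSTEM\Select, and a DOS device named 'agmkis2'. The script below is an added example of such a check; it is not ASEC's code or the malware's. It assumes (the report does not say) that the dummy padding is a run of one repeated byte value, and it assumes the registry value and device names are used exactly as reported. The file checks run anywhere; the registry and DOS-device checks only do anything on Windows.

```python
r"""Host checks for the HiddenGh0st persistence artifacts reported by ASEC.

Added example, not ASEC's or the malware author's code. Assumptions not
stated in the report: the appended dummy data is a run of a single
repeated byte, and the names below are used verbatim by the sample.
"""
import ctypes
import sys

DUMMY_PADDING_SIZE = 0x00800000      # 8 MiB, the dummy-data size ASEC reports
DOS_DEVICE_NAME = "agmkis2"          # DefineDosDeviceA() link name from the report
MARKTIME_KEY = r"SYSTEM\Select"      # HKLM subkey that receives the MarkTime value


def trailing_fill_length(data: bytes) -> int:
    """Length of the run of identical bytes that terminates `data`."""
    if not data:
        return 0
    fill = data[-1:]
    return len(data) - len(data.rstrip(fill))


def looks_padded(data: bytes, threshold: int = DUMMY_PADDING_SIZE) -> bool:
    """True for a PE image (MZ header) that ends in >= threshold bytes of one value.

    The 8 MiB threshold is the reported size; lower it to hunt for variants
    that use a different dummy-data size."""
    return data[:2] == b"MZ" and trailing_fill_length(data) >= threshold


def scan_file(path: str, threshold: int = DUMMY_PADDING_SIZE) -> bool:
    with open(path, "rb") as fh:
        return looks_padded(fh.read(), threshold)


def dos_device_target(name: str = DOS_DEVICE_NAME):
    """Resolve a DOS device name with kernel32!QueryDosDeviceW (Windows only).

    Returns the device's target path, or None when the device does not exist
    or when not running on Windows."""
    if sys.platform != "win32":
        return None
    buf = ctypes.create_unicode_buffer(4096)
    chars = ctypes.windll.kernel32.QueryDosDeviceW(name, buf, len(buf))
    return buf.value if chars else None


def marktime_value():
    """Read HKLM\SYSTEM\Select\MarkTime (Windows only); None if absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MARKTIME_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "MarkTime")
            return value
    except OSError:          # key or value missing
        return None


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {'PADDED' if scan_file(path) else 'ok'}")
    print("HKLM\\SYSTEM\\Select\\MarkTime:", marktime_value())
    print(f"\\\\.\\{DOS_DEVICE_NAME} ->", dos_device_target())
```

A legitimate HKLM\SYSTEM\Select key normally holds only the Current, Default, Failed and LastKnownGood values, so any 'MarkTime' value there is worth investigating; a large trailing run of one byte value is a useful triage signal but not proof on its own, since installers and resource-heavy binaries can also have large overlays.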
The data HiddenGh0st collects from the infected host and sends to the C&C server includes:
0x66
Windows version information
CPU speed
Number of CPUs
Public IP address
Private IP address
Host name of the infected system
Number of webcams
Internet connection delay time
Network interface speed
Memory capacity
Local disk capacity
“Default” string (decrypted from the configuration data) or the “5750b8de793d50a8f9eaa777adbf58d4” value of the BITS registry
System boot time
“1.0” (version)
List of installed security products
Wow64 availability
Malware installation time (MarkTime)
Logged in QQ Messenger number
Whether 3 minutes has passed since the last key input
Internet connection status (MODEM, LAN, PROXY)
Security product information is gathered by scanning running process names for the following keywords:
"360tray.exe", "360sd.exe", "kxetray.exe", "KSafeTray.exe", "QQPCRTP.exe", "HipsTray.exe", "BaiduSd.exe", "baiduSafeTray.exe", "KvMonXP.exe", "RavMonD.exe", "QUHLPSVC.EXE", "QuickHeal", "mssecess.exe", "cfp.exe", "SPIDer.exe", "DR.WEB", "acs.exe", "Outpost", "V3Svc.exe", "AYAgent.aye", "avgwdsvc.exe", "AVG", "f-secure.exe", "F-Secure", "avp.exe", "Mcshield.exe", "NOD32", "knsdtray.exe", "TMBMSRV.exe", "avcenter.exe", "ashDisp.exe", "rtvscan.exe", "remupd.exe", "vsserv.exe", "BitDefender", "PSafeSysTray.exe", "ad-watch.exe", "K7TSecurity.exe", "UnThreat.exe", "UnThreat"
HiddenGh0st extends original Gh0st RAT features, including version info “1.0” and identifier “Default” from config data. Activated keylogger saves data as “6gkIBfkS+qY=.key” in %SystemDirectory%.
Beyond the standard Gh0st RAT remote-control features, the C&C server can instruct HiddenGh0st to:-
Install Mimikatz
Extract account credentials and send them to the C&C server
Because HiddenGh0st reaches MS-SQL and MySQL servers through brute-force and dictionary attacks on exposed database accounts, administrators should use strong, unique passwords for those accounts and rotate them regularly, keep the database software and the operating system patched, and place the servers behind a firewall so they are not reachable from the internet. This both blocks new intrusions and keeps an existing infection from being re-established.
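Brute-force attempts against MS-SQL are visible in the SQL Server ERRORLOG as 'Login failed for user' lines that name the client IP, so a quick way to spot the activity this article warns about is to count failures per client in a short window. The script below is an added example of that detection, not part of ASEC's report; the log excerpt is constructed to match the ERRORLOG line format (the IP addresses are documentation ranges), and the threshold and window are arbitrary tuning values.

```python
"""Detect password-guessing bursts in SQL Server ERRORLOG output.

Added example, not part of the ASEC report. SAMPLE_ERRORLOG is constructed
for illustration; adjust THRESHOLD and WINDOW for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ERRORLOG line: "<timestamp> Logon  Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]\s]+)\]"
)

THRESHOLD = 5                    # failures from one client ...
WINDOW = timedelta(minutes=1)    # ... within this window = brute force

# Constructed sample: one client hammering 'sa' and 'admin', one benign typo.
SAMPLE_ERRORLOG = """\
2024-09-02 10:15:30.01 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-02 10:15:30.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-09-02 10:15:31.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-09-02 10:15:32.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-09-02 10:15:34.10 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2024-09-02 10:15:35.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-09-02 10:15:36.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-09-02 10:20:01.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-02 10:21:05.33 spid51      Starting up database 'tempdb'.
"""


def parse_failed_logins(lines):
    """Return sorted (timestamp, user, client) tuples for every failed login."""
    events = []
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    events.sort()
    return events


def _max_in_window(timestamps, window):
    """Largest number of (sorted) timestamps that fall inside one window."""
    best = start = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Map client IP -> summary for clients whose failure rate exceeds the threshold."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failed_logins(lines):
        by_client[client].append((ts, user))
    hits = {}
    for client, attempts in by_client.items():
        burst = _max_in_window([ts for ts, _ in attempts], window)
        if burst >= threshold:
            hits[client] = {
                "attempts": burst,
                "users": sorted({user for _, user in attempts}),
                "first": attempts[0][0],
                "last": attempts[-1][0],
            }
    return hits


if __name__ == "__main__":
    for client, info in find_brute_force(SAMPLE_ERRORLOG.splitlines()).items():
        print(f"{client}: {info['attempts']} failures within {WINDOW}, "
              f"users tried: {info['users']}")
```

The same sliding-window logic applies to a MySQL error log, where the equivalent evidence is 'Access denied for user' lines; only the regular expression needs to change. Offending client addresses are candidates for firewall blocking, and repeated hits against 'sa' in particular are a sign the account should be disabled or renamed.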
MD5
69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)
C&C
leifenghackyuankong.e3.luyouxia[.]net:14688
The post HiddenGh0st Malware Attacking MS-SQL & MySQL Servers appeared first on Cyber Security News.
Cyber Security News
JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident
JumpCloud, a provider of cloud-based identity and access management solutions, has swiftly reacted to an ongoing cybersecurity incident that impacted some of its clients.
As part of its damage control efforts, JumpCloud has reset the application programming interface (API) keys of all customers affected by this event, aiming to protect their valuable data.
The company has informed the concerned Read More
The Hacker News
New Android Banking Trojan BingoMod Steals Money, Wipes Devices
Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware.
Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the Read More