48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems
A new set of 48 malicious npm packages has been discovered in the npm repository with the capability to deploy a reverse shell on compromised systems.
"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
All the counterfeit packages have been published by
SysJoker Malware Attacking Windows, Linux and Mac Users Abusing OneDrive
SysJoker malware, a multi-platform backdoor with several variants for Windows, Linux, and Mac, has been observed being used by a Hamas-affiliated APT to target Israel. This malware was first identified by Intezer in 2021 and was recently used in targeted attacks.
Checkpoint researchers disclosed the malware’s growth, variations in the intricacy of its execution flow, and most recent switch to the Rust language and the recent infrastructure it uses.
Furthermore, the threat actor switched from using Google Drive to OneDrive to keep dynamic C2 (command and control server) URLs.
This allows them to maintain an advantage over various reputation-based services. This behavior is constant throughout the various SysJoker versions.
Rust version of SysJoker
At certain points during its execution, the malware sleeps for unpredictable intervals, which the researchers say is likely an anti-analysis or anti-sandbox technique.
SysJoker uses OneDrive to reach a URL to obtain the C2 server address. Attackers can simply modify the C2 address by using OneDrive, which gives them an advantage over other reputation-based services.
“The malware collects information about the infected system, including the Windows version, username, MAC address, and various other data,” Checkpoint said in a report shared with Cyber Security News.
Command Request and Response
It is worth noting that in earlier SysJoker activity, the malware was also capable of downloading and running remote files from an archive, as well as executing operator-dictated commands. The Rust version lacks this capability.
Windows SysJoker Variants
Researchers have found two more SysJoker samples that had previously not been made public. Possibly due to the malware’s public discovery and examination, both of these samples have a marginally higher level of complexity than the Rust version.
A multi-stage execution flow comprising a downloader, an installer, and a separate payload DLL is present in one of these samples, which differs from the others.
This campaign takes advantage of dynamically configured infrastructure. The malware first establishes a connection with a OneDrive address and then decrypts the JSON containing the C2 address.
The C2 address is base64-encoded and XOR-encrypted with a hardcoded key. This threat actor frequently uses cloud storage services.
Metadata of OneDrive file containing the encrypted C2 server
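The retrieval flow described above (fetch a JSON document from a cloud-storage URL, pull out a field, base64-decode it, XOR it with a hardcoded key) is the kind of thing an analyst writing a configuration extractor has to reproduce. The following is an added example, not code from the Check Point report or from SysJoker itself: the JSON field name, the XOR key and the sample C2 URL are all constructed placeholders, since the article does not publish them. It also shows the failure mode a wrong key produces, so the extractor rejects garbage instead of reporting a bogus indicator.

```python
import base64
import json
from typing import Optional

# Constructed placeholder key. The real SysJoker key is not given in the article;
# an analyst would substitute the value recovered from the sample.
XOR_KEY = b"example-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    if not key:
        raise ValueError("XOR key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2(url: str, key: bytes = XOR_KEY) -> str:
    """Build the encoded form. Used here only to construct sample input."""
    return base64.b64encode(xor_bytes(url.encode("utf-8"), key)).decode("ascii")


def try_decode_c2(blob: str, key: bytes = XOR_KEY) -> Optional[str]:
    """base64-decode then XOR-decrypt a field; return None if the result
    is not a plausible C2 URL (wrong key, wrong field, corrupted data)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    plain = xor_bytes(raw, key)
    try:
        text = plain.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Sanity check so a wrong key does not yield a bogus indicator.
    if not text.startswith(("http://", "https://")):
        return None
    return text


def extract_c2(config_json: str, key: bytes = XOR_KEY, field: str = "c2") -> str:
    """Parse the JSON document fetched from the cloud-storage URL and
    recover the C2 address stored in `field` (field name is an assumption)."""
    doc = json.loads(config_json)
    if field not in doc:
        raise KeyError(f"config has no {field!r} field")
    url = try_decode_c2(doc[field], key)
    if url is None:
        raise ValueError("field did not decode to a URL; check the key")
    return url


# Constructed sample: a reserved .invalid domain so it can never resolve.
SAMPLE_URL = "https://c2.example.invalid/api"
SAMPLE_CONFIG = json.dumps({"c2": encode_c2(SAMPLE_URL), "version": 1})

if __name__ == "__main__":
    print("encoded config:", SAMPLE_CONFIG)
    print("recovered C2:", extract_c2(SAMPLE_CONFIG))
    print("wrong key ->", try_decode_c2(encode_c2(SAMPLE_URL), b"wrong"))
```

In practice the decoded URL is what goes into detection content; because the operators can rotate it by editing the file on OneDrive, the more durable indicators are the hardcoded key, the storage URL that is fetched, and the host-side behaviour (randomised sleeps, system fingerprinting) rather than any single C2 address.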
According to researchers, the malware's initial versions were written in C++. Since there is no simple way to translate that code to Rust, the new variant indicates a thorough rebuild, one that may serve as a foundation for future modifications and enhancements.
A Gigantic New ICBM Will Take US Nuclear Missiles Out of the Cold War-Era but Add 21st-Century Risks
New “Sentinel” nuclear missiles will need to be well protected from cyberattacks, while its technology will have to cope with frigid winter temperatures where the silos are located.
The Journey of ‘Cyber for Builders’ with Ross Haleliuk.
The author of the viral cyber bestseller Cyber for Builders joins us today! If you ever wanted to write a book, but couldn't overcome time constraints, procrastination, or even resources, then this episode is tailor-made just for you. Meet Ross Haleliuk, Best Selling Author of Cyber for Builders, Head of Product at LimaCharlie, and Angel/Syndicate Co-Lead plus Blogger at Venture in Security. Ross started to write Cyber for Builders during the weekend and in his free time, inspired by a big gap he noticed in cybersecurity business advice. His story on today's episode and the book itself aren't just a reflection of the challenges of starting a cybersecurity business, but also how writing can fill gaps and share crucial insights with others.