Masslogger comeback – a new and powerful variant steals Outlook and Chrome credentials

The MassLogger malware has come back in a new variant that is much more powerful than the old spyware that has attacked the Windows platform for years. Brand new and better? Yes. We are dealing with a Trojan horse that tries to steal usernames and passwords from Microsoft Outlook, the Thunderbird email client, and the password managers built into Google Chrome, Mozilla Firefox, Microsoft Edge and other browsers. Have you received a suspicious-looking email? Better not to open it. Want to find out more about MassLogger? Check the article below for more information.

Masslogger, cred-stealing trojan harvests logins from Chrome, Outlook and more

Cisco Talos researchers warn that the Masslogger Trojan is being used in attacks designed to steal Microsoft Outlook, Google Chrome, and instant messenger account credentials. The operators have been linked to the use of AgentTesla, Formbook, and AsyncRAT.

Delivered through phishing emails, the latest variant of the Masslogger trojan arrives in a multi-volume RAR archive with the .r00 extension that contains a file in the .chm (compiled HTML help) format, said Switchzilla’s security research arm.

Opening the “help” file deploys the malware onto the target system.
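A mail-gateway triage check for the delivery chain described above, as an added example that is not code from Cisco Talos or from this article. It flags attachments by content and name (RAR data under a volume extension such as .r00, and compiled HTML help files); the rule names, file names and sample bytes are constructed for illustration.

```python
import re

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x
CHM_MAGIC = b"ITSF"                       # Compiled HTML Help header
OLD_VOLUME_EXT = re.compile(r"\.r\d{2}$")  # .r00, .r01, ... old-style volume names


def sniff(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name."""
    if data.startswith(RAR_MAGICS):
        return "rar"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the rule names that fired; an empty list means no rule matched."""
    name, kind, hits = filename.lower(), sniff(data), []
    if OLD_VOLUME_EXT.search(name):
        hits.append("rar-volume-extension")
    if kind == "rar" and not name.endswith(".rar"):
        hits.append("rar-content-under-other-extension")
    if kind == "chm" or name.endswith(".chm"):
        hits.append("compiled-html-help")
    # Heuristic: member names are readable in a RAR whose headers are not encrypted.
    if kind == "rar" and b".chm" in data.lower():
        hits.append("chm-member-in-rar")
    return hits


# Constructed samples: real magic bytes followed by filler, not real archives.
SAMPLES = {
    "invoice.r00": RAR_MAGICS[0] + b"\x00" * 16 + b"Invoice.CHM" + b"\x00" * 8,
    "manual.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 16,
    "photos.rar": RAR_MAGICS[1] + b"\x00" * 16 + b"beach.jpg",
    "report.pdf": b"%PDF-1.7\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:12} {triage_attachment(fname, blob) or 'no rule matched'}")
```

The member-name rule is a byte search, so it can fire on compressed data by coincidence; treat a hit as a reason to unpack and inspect, not as a verdict.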

Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.”

Apps vulnerable to these dastardly cred-stealing doings include Discord, Microsoft Outlook, Mozilla Thunderbird, Firefox and Chromium-based browsers. The malware also tries to exclude itself from Windows Defender scans.

The second stage of the infection is a PowerShell script, a common technique, that loads the main Masslogger loader from compromised legitimate hosts as a .jpg file. From there the loader is deployed and executed.

Talos said the malicious folk behind Masslogger were mostly targeting southern and eastern European countries.

Source: 1 | 2

Windows and Linux servers targeted by new WatchDog botnet for almost… two years

Cryptocurrency-mining malware, called WatchDog, has been running under the radar for more than two years – in what researchers call one of the largest and longest-lasting Monero cryptojacking attacks to date. It is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations. 

The attack is still in operation and due to the size and scope of the infrastructure, it will be difficult to fully contain. Attackers have hijacked at least 476 Windows and Linux devices, in order to abuse their system resources for mining Monero cryptocurrency. However, researchers estimated the size of the botnet to be around 500 to 1,000 infected systems.

Right now, the attackers behind this campaign are sticking to cryptojacking. But it is “highly likely” they could find identity and access management (IAM) data on previously-compromised cloud systems, due to the root and administrative access that’s acquired during the malware implantation. This could open the door for future – and more dangerous – attacks. On infected servers, WatchDog usually runs with admin privileges and could perform a credentials scan & dump without any difficulty, if its creators ever wished to.

The point of entry for their attacks has been outdated enterprise apps. According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 said the botnet operators used 33 different exploits to target 32 vulnerabilities in software such as:

Drupal, Elasticsearch, Apache Hadoop, Redis, Spring Data Commons, SQL Server, ThinkPHP, Oracle WebLogic, CCTV.

Profits were estimated at 209 Monero coins, currently valued at around $32,000, but the real figure is believed to be much higher since researchers only managed to analyze a few binaries, and the WatchDog gang is thought to have used many more Monero addresses to collect their illegal crypto-mining funds.

How can you protect your system? Let us say it again and again – keep systems and apps up to date to prevent attacks using exploits for old vulnerabilities.

Source: 1 | 2

Barcode Scanner: a popular Android app has become malware… overnight

Earlier this month, cybersecurity firm Malwarebytes explored how a trusted, useful barcode and QR code scanner app on Google Play became malware after a few malicious updates.

Innocent software until proven guilty?

The app gathered quite a large community – with over 10 million installs – over the years. But in recent months, users began to complain that their mobile devices were suddenly full of unwanted adverts. Barcode Scanner was fingered as the culprit, and the source of the nuisance was tracked as Android/Trojan.HiddenAds.AdQR. The researchers tracked malicious updates during which aggressive advert pushing was implemented in the app’s code. The app’s analytics code was also modified and updates were heavily obfuscated.

The owner – Lavabird Ltd. – was likely to blame. However, further investigation showed that there was a third party involved – literally, a buyer, later the app’s new owner.

What really happened?

For a start, a clever social engineering feat in which malware developers purchased an already popular app and exploited it. This way, they were able to take an app with 10 million installs and turn it into malware. Even if only a fraction of those installs update the app, that is a lot of infections. And because they could modify the app’s code before the full purchase and transfer – during the test access to the app’s Google Play console, granted to verify the software’s key and password prior to purchase – they were able to test whether their malware went undetected by Google Play on another company’s account.

Neat.

Source

It’s official! SolarWinds hackers stole some Microsoft Azure, Exchange and Intune source code

In January we reported that SolarWinds attackers were able to view some of Microsoft’s source code. At that time Microsoft had not found evidence of access to production services or customer data. But it did find something – an internal account had been used to view source code in a number of code repositories.

Just a few days ago Microsoft released the final update on its investigation and determined that the hackers could only access a few files for most repositories. However, for some repos, including ones for Azure, Intune, and Exchange, the attackers could download component source code.

The downloaded code covered small subsets of Azure (subsets of service, security, identity), Intune and Exchange components.

The investigation confirmed earlier assumptions that the accessed code did not contain any credentials – which is good news.

Not just your every-day attack

Microsoft’s analysis of the SolarWinds supply chain attack revealed that the code used by the threat actors was the work of a thousand developers. It is possible that we are dealing with the largest and most sophisticated attack the world has ever seen. This discovery is disconcerting and could give us an idea of the complexity of the attack and of the effort spent by the threat actors.

Source: 1 | 2

Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Egregor ransomware criminals allegedly busted in Ukraine (Naked Security)
2. A new Bluetooth overlay skimmer blocks chip-based transactions (Dark Reading)
3. Microsoft will alert Office 365 admins of Forms phishing attempts (Bleeping Computer)
4. 270 addresses are responsible for 55% of all cryptocurrency money laundering (ZDNet)
5. Tracker pixels in emails are now an ‘endemic’ privacy concern (ZDNet)
6. Malvertiser abused WebKit zero-day to redirect iOS & macOS users to shady sites (ZDNet)
7. First Malware Designed for Apple M1 Chip Discovered in the Wild (The Hacker News)
8. Kia Faces $20M DoppelPaymer Ransomware Attack (Dark Reading)
9. Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping (The Hacker News)
10. Hackers steal credit card data abusing Google’s Apps Script (Security Affairs)