US nuclear weapons contractor hit by REvil Group / SolarMarker malware / Minecraft modpacks

Welcome to the Xopero Security Center! It’s a strange, strange world we live in… There is a new malware primary designed to block victims from entering torrent sites and other services with pirated content. And it doesn’t look like some sophisticated anti-piracy operation – generally, specialists have no idea what is going on. Victims should prepare themselves for some future scam or 2nd attack. This news open today’s review but what else our team prepared for you? REvil Group is getting more active again – this time the ransomware has hit US nuclear weapons contractor. There is also a new SolarMarker campaign that uses SEO poisoning to infect targets with a remote access trojan. The last news reports malicious Minecraft modpacks that hit Google Play Store. Ready for more details? Then check the text below.

This strange malware blocks you from visiting pirate websites

Researchers from Sophos have admitted they’re baffled by a new piece of malware primarily designed to… prevent victims from visiting software piracy sites. It’s said to be one of the strangest cases seen in a while… 

It’s hidden in pirated copies of various software, including security products, and distributed on game chat service Discord and through Bittorent. Once double-clicked, it works by flashing up a bogus error message on the victim’s screen while executing.

The malware apparently blocks infected users from visiting a large number of piracy sites by modifying the HOSTS file on their systems.

The malware also downloads and executes a second payload, an executable named “ProcessHacker.jpg.”

The malware developer’s end game is still a mystery. Any ideas about what is going on? “On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely compiled anti-piracy vigilante operation. However, the attacker’s vast potential target audience — from gamers to business professionals — combined with the curious mix of dated and new tools, techniques, and procedures (TTPs) and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky” – said Andrew Brandt, Sophos researcher. 

The malware seems too good to be true so “victims” should be prepared for some risks or potential disruption. We hope we don’t have to remind you to avoid downloading pirated software and have all robust security solutions in place.


US nuclear weapons contractor hit by REvil ransomware 

US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.

Last week, the REvil ransomware operation listed companies whose data they were auctioning off to the highest bidder. One of the listed companies is Sol Oriens, where REvil claims to have stolen business data and employees’ data, including salary information and social security numbers.

As proof that they stole data during the attack, REvil published images of a hiring overview document, payroll documents, and a wages report. 

Sols Oriens confirmed a cyberattack in May 2021 that affected their network. During the investigation, they determined that an unauthorized individual acquired certain documents from their systems.

According to the company states they have no indication that this incident involves client classified or critical security-related information. The company is committed to notifying individuals and entities whose information is involved. 

This attack shows that ransomware gangs have no limits and compunctions. We don’t even want to imagine what would happen if secret information about nuclear technology and know-how ended up in the hands of cybercriminals.


SEO poisoning is used to backdoor targets with SolarMarker malware

A newly observed series of attacks use SEO poisoning to infect targets with a remote access trojan (RAT). is capable of stealing the victims’ sensitive info and backdooring their systems. The malware delivered in this campaign is SolarMarker, a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.

The interesting part – SolarMarker is designed to provide its masters with a backdoor to compromised systems and steal credentials from web browsers. The data harvested from infected systems is exfiltrated to the command-and-control server (located somewhere in Russia). It will also gain persistence by adding itself to the Startup folder and modifying shortcuts on the victims’ desktop.

Malicious docs stuffed with SEO keywords

In April, we reported the first SolarMarker attack wave. Then eSentire researchers observed threat actors behind the malware flooding search results with over 100,000 web pages claiming to provide free office forms. In more recent attacks spotted by Microsoft, the attackers have switched to keyword-stuffed documents hosted on AWS and Strikingly, and are now targeting other sectors, including finance and education.

Attackers use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware. Cybercriminals padded these documents with >10 pages of keywords on a wide range of topics, from ‘insurance form’ and ‘acceptance of contract’ to ‘how to join in SQL’ and ‘math answers’. Once the victims find one of the maliciously crafted PDFs and open them, they are prompted to download another PDF or DOC document containing the information they are looking for. But instead of gaining access to the info, they are redirected through multiple websites using .site, .tk, and .ga TLDs to a cloned Google Drive web page where they are served the last payload, the SolarMaker malware.


Minecraft modpacks with a nasty malware package has hit Google Play Store

Are you a Minecraft player? Then you must exercise caution and do some research before installing the game’s add-ons, apps, plug-ins, and mods.

Minecraft is a top-rated game with followers spread worldwide. No wonder then it continues to attract cybercriminals over and over again. This time, researchers have found that malicious apps being distributed in the guise of Minecraft mods and a file recovery utility available in Google Play are concealing adware.

The adware nature…

Adware can make your game unusable, as well as the handheld device you are using to play the game inoperable. In addition, it will start showing unnecessary advertisements. This new version opens the browser after every few seconds and displays a full-screen ad, eventually rendering the device disabled. The app is also able to expose victims to various new threats.

Always look at the reputation and reviews of an app before downloading it. In fact, in this case, most such apps are said to have 1-star reviews – a classic red flag for people to recognize a fraud. And if you installed any app that looks suspicious or has been charging you some extra subscriptions, it is important to cancel the subscription first through Google Play Store before uninstalling the app.


Do you have thirst for knowledge? There are ten more cybersecurity stories below

1. Apple issues urgent patches for 2 zero-day flaws exploited in the wild (The Hacker News)
2. Microsoft experts disrupted a large-scale BEC campaign (Security Affairs)
3. Cyber analytics database exposed 5 Billion records online (Dark Reading)
4. Google confirms sixth zero-day Chrome attack in 2021 (Security Week)
5. Alibaba suffers billion-item data leak of usernames and mobile numbers (The Register)
6. IKEA fined $1.2m for spying on employees (Infosecurity Magazine)
7. Black Kingdom ransomware (Secure List)
8. Hackers could access photos, videos without unlocking your phone (HackRead)
9. An international joint operation resulted in the arrest of Clop ransomware members (Security Affairs)
10. Microsoft will release future PowerShell updates via Windows Update (Bleeping Computer)