Sunday , November 24 2024
Coding

Alert
VCURMS and STRRAT Trojans deployed via AWS and GitHub

FortiGuard Labs found a phishing campaign that tricks users into downloading a malicious Java downloader to spread new VCURMS and STRRAT remote access trojans.

The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub to avoid detection. They used email as its command and control throughout the attack campaign. The receiving endpoint uses Proton Mail for privacy protection. Figure 1 shows the attack chain.

Cisco Talos
Over 60% of Emails with QR Codes are spam

Generally scanning a malicious QR code from an unknown source can be harmful. Cisco Talos research shows that many people...
Read More
Cisco Talos  Over 60% of Emails with QR Codes are spam

CERT-In Flags Multiple Critical Vulnerabilities in Zoom app

CERT-In issued a security advisory for multiple vulnerabilities in the Zoom app that could let attackers access sensitive information, escalate...
Read More
CERT-In Flags Multiple Critical Vulnerabilities in Zoom app

Daily Security Digest Dated 11/23/24

Every day a lot of cyberattack happenings around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Digest Dated 11/23/24

SafetyDetectives’ Research
Malware evades Microsoft Defender and 2FA, stealing $24K in crypto (video)

SafetyDetectives researchers found that Microsoft Defender was tricked by malware which allowed cryptocurrency theft from a user while analyzing a...
Read More
SafetyDetectives’ Research  Malware evades Microsoft Defender and 2FA, stealing $24K in crypto (video)

Over 145,000 ICS Across 175 Countries Found Exposed Online

A study by Censys found that more than 145,000 Industrial Control Systems (ICS) are exposed online in 175 countries, highlighting...
Read More
Over 145,000 ICS Across 175 Countries Found Exposed Online

World to see AI powered “human washing machines”

Osaka-based showerhead maker Science Co. is developing a new version of human washing machine based on cutting-edge technology. The company...
Read More
World to see AI powered “human washing machines”

Hacker compromised over 2000 Palo Alto Networks Firewalls

Over 2,000 Palo Alto Networks firewalls have been compromised in a widespread attack using two recently patched vulnerabilities (CVE-2024-0012 and...
Read More
Hacker compromised over 2000 Palo Alto Networks Firewalls

“Forces Penpals” exposed US and UK Military Social Network’s 1 Million Records

Renowned cybersecurity researcher Jeremiah Fowler uncovered a non-password-protected database having over 1.1 million records linked to Conduitor Limited (Forces Penpals)....
Read More
“Forces Penpals” exposed US and UK Military Social Network’s 1 Million Records

CVE-2024-51503
Trend Micro released updates for Deep Security Agent RCE

Trend Micro released a security update for Deep Security 20 Agent Manual Scan Command Injection RCE Vulnerability (CVE-2024-51503) that resolves...
Read More
CVE-2024-51503  Trend Micro released updates for Deep Security Agent RCE

Apple Releases Patch for two Actively Exploited Zero-Day

Apple released critical updates for its various products including for iOS, iPadOS, macOS, visionOS, and Safari to fix two zero-day...
Read More
Apple Releases Patch for two Actively Exploited Zero-Day
                                                                                   Figure 1: Attack flow

Initial Access:

The email shown in Figure 2 is part of an attack campaign. It tricks staff members by pretending that a payment is being made and prompts them to click a button to confirm payment details. When the button is clicked, a harmful JAR file hosted on AWS is downloaded to the victim’s computer.

                                                                                     Figure 2: The phishing e-mail

Payment-Advice.jar:

The downloaded files look like typical phishing attachments with fake names meant to trick people into opening them. When checking the file with a JAR decompiler, many strings are hidden, and one of the class names, “DownloadAndExecuteJarFiles.class,” clearly shows the program’s intention. The program is designed to download two JAR files to a path provided by the attacker and run them.

                                                                              Figure 3: Code to download and execute Jar Files

The obfuscator uses a class called “sense loader”, as seen in Figure 4. This class selects the appropriate native loader module from the resources based on the current operating system during execution.

                                                                   Figure 4: A class employed by the obfuscator

The obfuscator‘s code is very similar to the code generated by a legitimate obfuscation tool called “Sense Shield Virbox Protector” shown in Figure 6.

                                                                                        Figure 6: Virbox Protector GUI

To read out the full report click here.

 

 

 

Check Also

ICS

Over 145,000 ICS Across 175 Countries Found Exposed Online

A study by Censys found that more than 145,000 Industrial Control Systems (ICS) are exposed …

Leave a Reply

Your email address will not be published. Required fields are marked *