Thursday , February 6 2025
Coding

Alert
VCURMS and STRRAT Trojans deployed via AWS and GitHub

infosecbulletin Wednesday , March 13 2024 Alert, International

FortiGuard Labs found a phishing campaign that tricks users into downloading a malicious Java downloader to spread new VCURMS and STRRAT remote access trojans.

The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub to avoid detection. They used email as its command and control throughout the attack campaign. The receiving endpoint uses Proton Mail for privacy protection. Figure 1 shows the attack chain.

CISA Adds 4 Actively Exploited Vuls to KEV Catalog

By infosecbulletin / Wednesday , February 5 2025
CISA added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, noting they are actively being exploited. The list...
Read More
CISA Adds 4 Actively Exploited Vuls to KEV Catalog

AMD Patches CPU Vulnerability

By infosecbulletin / Wednesday , February 5 2025
AMD announced patches on Monday for a microprocessor vulnerability that risks the loss of Secure Encrypted Virtualization (SEV) protection, potentially...
Read More
AMD Patches CPU Vulnerability

Hackers To Use HTTP Client Tools To Compromise Microsoft 365 Accounts

By infosecbulletin / Wednesday , February 5 2025
Hackers are using HTTP client tools for advanced account takeover attacks on Microsoft 365. Seventy-eight percent of Microsoft 365 tenants...
Read More
Hackers To Use HTTP Client Tools To Compromise Microsoft 365 Accounts

Google patches 47 Android flaws, Including Actively Exploited CVE-2024-53104

By infosecbulletin / Wednesday , February 5 2025
Google has released patches for 47 security flaws in Android, including one that is actively being exploited. CVE-2024-53104 (CVSS score: 7.8)...
Read More
Google patches 47 Android flaws, Including Actively Exploited CVE-2024-53104

CVE-2025-21415
Microsoft Patches Critical Azure AI Face Service Vulnerability

By infosecbulletin / Tuesday , February 4 2025
Microsoft has released patches for two critical security flaws in Azure AI Face Service and Microsoft Account that could allow...
Read More
CVE-2025-21415 Microsoft Patches Critical Azure AI Face Service Vulnerability

Daily Security Update Dated:4.02.2025

By infosecbulletin / Tuesday , February 4 2025
Every day a lot of cyberattack happen around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Update Dated:4.02.2025

768 Exploited CVEs in 2024, a 20% Increase from 639 in 2023

By infosecbulletin / Tuesday , February 4 2025
In 2024, 768 vulnerabilities with CVE identifiers were reported as exploited in the wild, a 20% increase from 639 in...
Read More
768 Exploited CVEs in 2024, a 20% Increase from 639 in 2023

.Gov Domains Weaponized in Phishing Surge

By infosecbulletin / Monday , February 3 2025
A recent report from Cofense Intelligence highlights a concerning trend: threat actors are increasingly misusing .gov top-level domains (TLDs) to...
Read More
.Gov Domains Weaponized in Phishing Surge

RedSentry presents
Hacked 101 Seminar Successfully Ended at UITS

By infosecbulletin / Sunday , February 2 2025
The cybersecurity seminar "RedSentry presents: Hacked 101," organized by RedSentry with the University of Information Technology and Sciences (UITS) as...
Read More
RedSentry presents Hacked 101 Seminar Successfully Ended at UITS

US scientists claim to replicate DeepSeek for $30 dubbed “TinyZero,”

By infosecbulletin / Sunday , February 2 2025
Researchers at the University of California, Berkeley, claims they’ve managed to reproduce the core technology behind DeepSeek’s at a total...
Read More
US scientists claim to replicate DeepSeek for $30 dubbed “TinyZero,”
                                                                                   Figure 1: Attack flow

Initial Access:

The email shown in Figure 2 is part of an attack campaign. It tricks staff members by pretending that a payment is being made and prompts them to click a button to confirm payment details. When the button is clicked, a harmful JAR file hosted on AWS is downloaded to the victim’s computer.

                                                                                     Figure 2: The phishing e-mail

Payment-Advice.jar:

The downloaded files look like typical phishing attachments with fake names meant to trick people into opening them. When checking the file with a JAR decompiler, many strings are hidden, and one of the class names, “DownloadAndExecuteJarFiles.class,” clearly shows the program’s intention. The program is designed to download two JAR files to a path provided by the attacker and run them.

                                                                              Figure 3: Code to download and execute Jar Files

The obfuscator uses a class called “sense loader”, as seen in Figure 4. This class selects the appropriate native loader module from the resources based on the current operating system during execution.

                                                                   Figure 4: A class employed by the obfuscator

The obfuscator‘s code is very similar to the code generated by a legitimate obfuscation tool called “Sense Shield Virbox Protector” shown in Figure 6.

                                                                                        Figure 6: Virbox Protector GUI

To read out the full report click here.

 

 

 

Check Also

Azure AI Face

CVE-2025-21415
Microsoft Patches Critical Azure AI Face Service Vulnerability

Microsoft has released patches for two critical security flaws in Azure AI Face Service and …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2025, All Rights Reserved InfoSecBulletin