Hackerzhome


Cybersecurity news all over the world

HACKERZHOME NEWS

Tuesday, March 7, 2023

Malware dropped via old Windows 'Fake Folders' UAC bypass.

A new phishing campaign is targeting businesses in Eastern European countries with the Remcos RAT malware, with the help of an old Windows User Account Control bypass found more than two years ago.

The technique stands out because it uses fake trusted folders to get past Windows User Account Control; it has been known since 2020 but still works today.


The phishing campaign emails are often disguised as invoices, tender material, and other financial documents and are sent from top-level domains that correspond to the recipient’s jurisdiction.


Apart from what is needed to draw the recipient’s attention to the attachment, a tar.lz archive containing the DBatLoader program, the emails contain little text.

Choosing such an unusual file type lowers the odds that victims will manage to open the attachment, but it also helps the archive slip past antivirus software and email security controls.


To deceive the victim into opening it, the malware loader’s first stage payload impersonates a Microsoft Office, LibreOffice, or PDF document using double extensions and program icons.


A second-stage payload is downloaded from a public cloud service, such as Microsoft OneDrive or Google Drive, after the malware loader has been launched.
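The two attachment tricks described above (an unusual archive container such as .tar.lz, and a document-looking double extension that actually ends in an executable type) can both be caught by a filename heuristic at the mail gateway. The following is an added example written for this article, not code from the campaign write-up or from any vendor; the extension lists, the `triage_attachment`/`triage_message` function names and the sample filenames are constructed for illustration.

```python
"""Attachment triage heuristic for a mail gateway or SOAR playbook.
Added example, not code from the campaign write-up: it flags unusual
archive containers (e.g. .tar.lz) and document-looking double
extensions that really end in an executable type. The lists below are
constructed starting points, not an authoritative blocklist."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: containers rarely seen in legitimate business mail.
UNUSUAL_CONTAINERS = (".tar.lz", ".lz", ".lzh", ".arj", ".ace", ".iso", ".img")
# Constructed: what a lure pretends to be, and what it really runs as.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "odt", "ods", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "wsf", "msi", "lnk", "hta"}


@dataclass
class Finding:
    filename: str
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def triage_attachment(filename: str) -> Finding:
    """Return a Finding listing every heuristic the filename trips."""
    finding = Finding(filename)
    name = filename.strip().lower()

    if name.endswith(UNUSUAL_CONTAINERS):
        finding.reasons.append("unusual archive container")

    # Split on dots and strip spaces so "invoice.pdf   .exe" is still caught.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) >= 3:
        inner, outer = parts[-2], parts[-1]
        if inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS:
            finding.reasons.append(
                f"double extension: looks like .{inner}, runs as .{outer}")
    elif len(parts) == 2 and parts[-1] in EXECUTABLE_EXTS:
        finding.reasons.append(f"bare executable attachment (.{parts[-1]})")

    return finding


def triage_message(attachments: List[str],
                   archive_members: Optional[Dict[str, List[str]]] = None
                   ) -> Dict[str, List[str]]:
    """Triage a message's attachments and, when the gateway has already
    unpacked an archive, the files inside it. Returns only flagged names,
    with archive members written as "<archive>!<member>"."""
    archive_members = archive_members or {}
    flagged: Dict[str, List[str]] = {}
    for name in attachments:
        f = triage_attachment(name)
        if f.flagged:
            flagged[name] = f.reasons
        for member in archive_members.get(name, []):
            m = triage_attachment(member)
            if m.flagged:
                flagged[f"{name}!{member}"] = m.reasons
    return flagged


if __name__ == "__main__":
    # Constructed sample modelled on the campaign: a .tar.lz lure that
    # unpacks to a "PDF" carrying a hidden .exe extension.
    result = triage_message(
        ["Invoice_0307.tar.lz", "terms.docx"],
        {"Invoice_0307.tar.lz": ["Invoice_0307.pdf.exe"]},
    )
    for name, reasons in result.items():
        print(name, "->", "; ".join(reasons))
```

The icon spoofing the article mentions cannot be judged from the filename alone, so this check is a first-pass filter to route a message to sandboxing or quarantine rather than a verdict on its own.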


Critical Microsoft Word RCE flaw proof-of-concept released

Over the weekend, a proof-of-concept was released for the significant Microsoft Word vulnerability CVE-2023-21716, which permits remote code execution.

The vulnerability carries a severity rating of 9.8 out of 10; Microsoft fixed it in the February Patch Tuesday security releases together with a few remedies.

The high severity score reflects how simple the attack is: exploiting it requires neither privileges nor user interaction.

Microsoft warns that merely rendering a malicious RTF document in the Preview Pane, without the user opening it, is enough to begin the compromise.

The researcher describes a heap corruption problem that occurs “when dealing with a font table (*fonttbl*) containing an excessive number of fonts (*f###*)” in Microsoft Word’s RTF parser.

The proof-of-concept (PoC) developed by the researcher demonstrates the heap corruption problem but refrains from running the Windows Calculator program to demonstrate code execution.
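Because the trigger the researcher describes is a font table with an excessive number of `\fN` entries, a defender can pre-filter inbound RTF files by counting those entries before the document ever reaches the Preview Pane. The block below is an added example written for this article; it is not the researcher's proof-of-concept and does not reproduce the corruption. The brace-balancing group extractor, the `build_rtf` sample generator and the threshold of 100 fonts are constructed assumptions for illustration.

```python
"""Heuristic pre-filter for RTF attachments. Added example, not the
researcher's PoC: it locates the {\fonttbl ...} group, counts the \fN
font entries inside it, and flags files above a threshold. The
threshold (100) is a constructed assumption; tune it to your mail."""
import re

# Matches a font-entry control word such as \f0 or \f137 (digits only, so
# \fonttbl, \fnil, \fswiss and \fcharset0 do not match).
FONT_ENTRY = re.compile(rb"\\f(\d+)")


def extract_group(data: bytes, control: bytes) -> bytes:
    """Return the bytes of the {<control> ...} group with balanced braces.
    A backslash skips the following byte so escaped \{ and \} are ignored."""
    start = data.find(b"{" + control)
    if start < 0:
        return b""
    depth = 0
    i = start
    while i < len(data):
        c = data[i]
        if c == 0x5C:          # backslash: skip the next byte
            i += 2
            continue
        if c == 0x7B:          # '{'
            depth += 1
        elif c == 0x7D:        # '}'
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]        # unterminated group: return what we have


def count_fonttbl_entries(data: bytes) -> int:
    """Number of \fN entries declared inside the font table."""
    return len(FONT_ENTRY.findall(extract_group(data, b"\\fonttbl")))


def is_suspicious_rtf(data: bytes, threshold: int = 100) -> bool:
    """True for RTF input whose font table exceeds the threshold."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return False
    return count_fonttbl_entries(data) > threshold


def build_rtf(n_fonts: int) -> bytes:
    """Constructed sample document declaring n_fonts fonts (test input)."""
    fonts = "".join(f"{{\\f{i}\\fnil Font{i};}}" for i in range(n_fonts))
    return f"{{\\rtf1\\ansi{{\\fonttbl{fonts}}}\\f0 Hello\\par}}".encode()


# Constructed benign document with two fonts.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fswiss Arial;}"
              b"{\\f1\\froman Times New Roman;}}\\f0 Hello\\par}")


if __name__ == "__main__":
    print("benign fonts:", count_fonttbl_entries(BENIGN_RTF),
          "suspicious:", is_suspicious_rtf(BENIGN_RTF))
    bulky = build_rtf(150)
    print("bulky fonts:", count_fonttbl_entries(bulky),
          "suspicious:", is_suspicious_rtf(bulky))
```

Quarantining on this count alone is crude, since it says nothing about the rest of the file; the point is that it is cheap enough to run on every inbound RTF and to pair with disabling the Preview Pane for RTF until the patch is deployed.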



Android App from Shein Caught Sending Clipboard Info to External Services


An error in an earlier version of Shein’s Android app might occasionally collect and send the contents of the clipboard to a remote server.

According to the Microsoft 365 Defender Research Team, the issue was found in the app’s 7.9.2 update, released on December 16, 2021; it has been fixed since May 2022.

Chinese online fast fashion store Shein, formerly known as ZZKKO, is based in Singapore. The program has been downloaded over 100 million times as of version 9.0.0.

The team also noted that when the app was opened after any content had been copied to the device’s clipboard, an HTTP POST request containing the copied data was automatically sent to the server “api-service[.]shein[.]com.”

In order to reduce these privacy issues, Google has added new features to Android in recent years, such as toast alerts that appear whenever an app accesses the clipboard and a restriction that prevents apps from accessing the data unless they are actively operating in the foreground.


A blockchain sandbox game was compromised to send emails with links to malware.

The developer is informing the game’s community that a security incident led to some players receiving fake emails pretending to be from the blockchain game The Sandbox and attempting to infect them with malware.

The Sandbox is an open-world multiplayer game powered by blockchain that has over 350,000 active monthly users and gives them the ability to create, own, and make money from interactive content like virtual places, things, and experiences.

The game’s metaverse provides players with a variety of ways to make money, including producing pixel art NFTs that can be sold on OpenSea or The Sandbox NFT Marketplace or earning the game’s native “SAND” currency, which can be traded on Binance and Coinbase.

An employee of The Sandbox was hacked on February 26th, according to the security incident report, giving the attacker access to many business email addresses.

With this access, the attacker then sent emails to victims that seemed to be from The Sandbox and contained links to malware that was kept on another website.

Business routers are infected with new malware for data theft and spying.

The DrayTek Vigor router models 2960 and 3900 are being targeted by the ongoing “Hiatus” hacking campaign, which aims to steal data from victims and set up a covert proxy network.

Small to medium-sized businesses employ DrayTek Vigor devices, which are business-class VPN routers, to connect remotely to corporate networks.

Three elements make up the current hacking campaign, which began in July 2022 and is still active today: a malicious bash script, the malware “HiatusRAT,” and the legitimate “tcpdump,” which is used to record network traffic passing through the router.

The campaign’s name comes from the HiatusRAT component, which is the most intriguing element.

The tool turns the device into a SOCKS5 proxy, relays traffic to command and control servers, runs commands on the compromised device, and downloads further payloads.

Lumen’s Black Lotus Laboratories, which discovered the campaign, has seen at least 100 businesses infected with HiatusRAT, mostly in Europe, North America, and South America.

How the threat actors initially break into the DrayTek routers remains unknown to the researchers at this time. Once they have access to a device, they download HiatusRAT and the legitimate tcpdump program to the router with a bash script.
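Since the article's key observable is a router that starts answering SOCKS5 handshakes, a network defender can watch for exactly that: a flow whose first client bytes parse as an RFC 1928 greeting and whose destination is one of the organisation's edge routers. The block below is an added example written for this article, not Lumen's detection logic or anything from the campaign; the `find_router_socks_flows` helper, the flow tuple layout and all addresses and ports are constructed for illustration.

```python
"""Passive detector for SOCKS5 handshakes terminating on edge routers.
Added example, not Lumen's detection logic: a legitimate VPN router has
no reason to speak SOCKS5, so a flow that opens with a valid RFC 1928
greeting and lands on a router address is worth an alert. The flow
tuples, addresses and ports below are constructed."""
import ipaddress
import struct
from typing import Iterable, List, Optional, Tuple

CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
AUTH_NAMES = {0: "no-auth", 2: "username/password"}


def parse_socks5_greeting(payload: bytes) -> Optional[List[str]]:
    """RFC 1928 client greeting: VER(0x05) NMETHODS METHODS[NMETHODS].
    Returns the offered auth methods, or None if this is not a greeting."""
    if len(payload) < 2 or payload[0] != 0x05:
        return None
    n = payload[1]
    if len(payload) != 2 + n:
        return None
    return [AUTH_NAMES.get(m, f"method-{m}") for m in payload[2:]]


def parse_socks5_request(payload: bytes) -> Optional[dict]:
    """RFC 1928 request: VER CMD RSV ATYP DST.ADDR DST.PORT.
    Decodes IPv4, domain-name and IPv6 destinations; None if malformed."""
    if len(payload) < 4 or payload[0] != 0x05 or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if atyp == 0x01 and len(payload) == 10:
        host, port_off = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == 0x03 and len(payload) >= 5 and len(payload) == 7 + payload[4]:
        host = payload[5:5 + payload[4]].decode("ascii", "replace")
        port_off = 5 + payload[4]
    elif atyp == 0x04 and len(payload) == 22:
        host, port_off = str(ipaddress.IPv6Address(payload[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", payload[port_off:port_off + 2])[0]
    return {"cmd": CMD_NAMES.get(cmd, f"cmd-{cmd}"), "host": host, "port": port}


Flow = Tuple[str, str, int, bytes]   # (src_ip, dst_ip, dst_port, first client payload)


def find_router_socks_flows(flows: Iterable[Flow], router_ips: Iterable[str]) -> List[dict]:
    """Return an alert for every flow that speaks SOCKS5 to a router address."""
    routers = {ipaddress.ip_address(r) for r in router_ips}
    alerts = []
    for src, dst, dport, payload in flows:
        if ipaddress.ip_address(dst) not in routers:
            continue
        methods = parse_socks5_greeting(payload)
        if methods is None:
            continue
        alerts.append({"src": src, "router": dst, "port": dport,
                       "auth_methods": methods})
    return alerts


if __name__ == "__main__":
    # Constructed flows: a SOCKS5 greeting to the router, a plain HTTP
    # request to the router, and a SOCKS5 greeting to a non-router host.
    FLOWS = [
        ("203.0.113.7", "192.0.2.1", 1080, b"\x05\x01\x00"),
        ("203.0.113.9", "192.0.2.1", 80, b"GET / HTTP/1.1\r\n"),
        ("203.0.113.7", "198.51.100.5", 1080, b"\x05\x01\x00"),
    ]
    for alert in find_router_socks_flows(FLOWS, ["192.0.2.1"]):
        print(alert)
    # A constructed CONNECT request, as the proxy would see it next.
    print(parse_socks5_request(b"\x05\x01\x00\x01\xc0\xa8\x01\x0a\x01\xbb"))
```

Feeding this from a flow collector that retains the first few payload bytes is enough; it does not need full capture, which matters on devices where tcpdump itself is one of the attacker's tools.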
