Hackerzhome


Cybersecurity news all over the world

HACKERZHOME NEWS

February 27, 2023

Monday

Malicious VHDs for popular games are used in the ChromeLoader campaign as bait.

Security researchers have observed that the operators of the ChromeLoader adware and browser-hijacking campaign are now using VHD files with game-related names. Earlier campaigns relied on ISO files for distribution.


A member of the AhnLab Security Emergency Response Center (ASEC) found the malicious files in Google search results for popular game queries.


Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and other games are among those exploited for the distribution of adware.


The malicious files, which pose as authentic game-related downloads, are distributed through a network of malvertising websites, and they install the ChromeLoader extension.


In order to display adverts, ChromeLoader manipulates browser searches. Moreover, it captures login information and browser data and alters browser settings.


Red Canary data show that the malware became more common in May 2022. VMware disclosed new versions performing more complex network functions in September 2022.


The researchers also note that the malicious Chrome extension created and used by ChromeLoader is capable of collecting credentials saved in the browser.



Government organizations are being attacked with the PureCrypter malware, which delivers ransomware and information stealers.

A threat actor has been observed using the PureCrypter malware downloader to target government organizations and distribute a variety of information stealers and ransomware strains.

Menlo Security researchers found that the threat actor compromised a non-profit organization's server to host additional payloads used in the campaign, while using Discord to host the campaign's initial payload.

The researchers claim that the PureCrypter campaign they witnessed targeted various Asian and North American government agencies.

The attack starts with an email containing a Discord app URL that links to a PureCrypter sample inside a password-protected ZIP archive.

PureCrypter is a .NET-based malware downloader first observed in the wild in March 2021. Its owner rents it out to other cybercriminals so they can distribute other kinds of malware.

When executed, PureCrypter retrieves its next-stage payload from the compromised server of a non-profit organization, which acts as the command and control server.

The researchers found that, to minimize their footprint and reduce the risk of detection, the threat actors used leaked FTP credentials to take control of that host rather than setting up their own FTP server.


Recent attacks disguise the PlugX Trojan as a legitimate Windows debugger tool.


In an effort to evade security controls and take control of a target system, the PlugX remote access trojan has been seen disguising itself as x64dbg, an open-source Windows debugger.

This file is a legitimate open-source debugger for Windows, commonly used to examine kernel-mode and user-mode code, crash dumps, and CPU registers, according to Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria.

PlugX, also known as Korplug, is a modular post-exploitation implant known for its many features, including data exfiltration and the ability to use the infected machine for malicious purposes.

Although PlugX was first documented ten years ago, in 2012, early samples date back to February 2008, according to a Trend Micro study at the time. PlugX has since been used by cybercrime groups as well as threat actors with ties to China.

The malware uses a technique called DLL side-loading to have a digitally signed program, in this case the x64dbg debugger's x32dbg.exe, load a malicious DLL.

It is important to note that DLL side-loading attacks abuse the Windows DLL search order mechanism: a trusted application is installed and launched, and it loads and runs the malicious payload.
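To make the search-order point concrete, here is an added example (not code from the page or from Trend Micro) that models the documented default Windows DLL search order with SafeDllSearchMode enabled and shows which copy of a DLL a signed executable would resolve first. The directory listings, the application path and the DLL names are constructed; the helper `shadowed_dlls` is a hypothetical triage check that flags DLLs placed beside an executable that share a name with a DLL in System32, which is what a defender reviewing a suspicious application folder would want to see. KnownDLLs are not modelled, since Windows loads those from System32 regardless of search order.

```python
"""Model the Windows DLL search order and flag side-load candidates.

Assumptions (added example, not from the page): the search order is the
documented default with SafeDllSearchMode enabled, namely application
directory, System32, System, Windows, current directory, then PATH.
All directory listings below are constructed test data.
"""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"


def search_order(app_dir, cwd, path_dirs):
    """Directories in the order the loader consults them (SafeDllSearchMode on)."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]


def resolve_dll(dll_name, order, listings):
    """Return the full path of the first copy of dll_name found along `order`.

    `listings` maps a directory to the file names it contains (case-insensitive
    match, as on NTFS). Returns None when no directory holds the DLL.
    """
    wanted = dll_name.lower()
    for directory in order:
        for name in listings.get(directory, []):
            if name.lower() == wanted:
                return str(PureWindowsPath(directory) / name)
    return None


def shadowed_dlls(app_dir, listings, shipped=frozenset()):
    """Hypothetical triage check: DLLs in the application directory that also
    exist in System32 and are not on the application's own shipped list.

    Because the application directory is searched first, each of these would
    win over the system copy, which is exactly the situation side-loading abuses.
    """
    system_names = {name.lower() for name in listings.get(SYSTEM32, [])}
    shipped_names = {name.lower() for name in shipped}
    return sorted(
        name for name in listings.get(app_dir, [])
        if name.lower().endswith(".dll")
        and name.lower() in system_names
        and name.lower() not in shipped_names
    )


# Constructed directory listings for a signed tool and the system directory.
APP_DIR = r"C:\Tools\debugger"
LISTINGS = {
    APP_DIR: ["debugger.exe", "plugin.dll", "helper.dll"],
    SYSTEM32: ["helper.dll", "kernel32.dll", "user32.dll"],
}

if __name__ == "__main__":
    order = search_order(APP_DIR, APP_DIR, [])
    print("helper.dll resolves to:", resolve_dll("helper.dll", order, LISTINGS))
    print("kernel32.dll resolves to:", resolve_dll("kernel32.dll", order, LISTINGS))
    print("side-load candidates:", shadowed_dlls(APP_DIR, LISTINGS, {"plugin.dll"}))
```

Run stand-alone, the script shows `helper.dll` resolving to the copy beside `debugger.exe` while `kernel32.dll` still resolves to System32; the triage check lists `helper.dll` as the one file that shadows a system DLL without being part of the application's own set.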


Agent Tesla malware is delivered by a coronavirus-themed campaign.


Cybercriminals are actively taking advantage of the COVID-19 outbreak, attacking vulnerable users and businesses while the rest of the world battles the disease.

Coronavirus-themed mail spam, which is being used to spread a variety of malware, has increased during the past few weeks.

These campaigns' primary goal is to steal sensitive information by recording keystrokes, taking screenshots, and dumping browser passwords, among other methods. The observed delivery methods are:
exploitation of the Microsoft Office vulnerability CVE-2017-11882
exploitation of the Microsoft Office vulnerability CVE-2017-8570
executable archives with double extensions (ZIP, RAR, etc.)

A phishing email with the attachment “COVID-19 NEW ORDER FACE MASKS.doc.rtf” is sent to a victim.

This document is an RTF file that exploits the stack-based buffer overflow vulnerability (CVE-2017-11882) in the Microsoft Equation Editor.

After successfully exploiting this flaw, the attacker can execute arbitrary code and deliver the Agent Tesla payload.

The dropped payload then injects code into the legitimate Windows process RegAsm.exe. The code injected into RegAsm.exe handles all information-stealing tasks and sends the data to the C2 server.

Abuse of OneNote Embedded files

OneNote has received a lot of attention in recent weeks because threat actors are abusing its ability to embed files in notebooks for their phishing campaigns.

Looking at a OneNote file in a hex editor, it is immediately obvious that OneNote neither encrypts nor compresses embedded content.

That holds for a .one file, not a .onepkg. A .onepkg file contains the files exported from a OneNote notebook and works much like a ZIP archive; it can be opened with 7-Zip.

Writing a detection rule that catches every malicious embedded file would be difficult because, unlike executables, scripts usually have no "magic byte" header to match on.

The YARA rule instead matches any file containing the GUID that marks an embedded file inside a OneNote file.

The rule's condition is satisfied when the number of embedded-file GUIDs exceeds the number of GUIDs directly followed by an image header (counted as #PNG + #JPG + #JPG20001 + #JPG20002 + #BMP + #GIF), meaning at least one embedded file is something other than an image. Otherwise the file is presumed benign because it only contains pictures.
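The counting logic described above, as an added example in Python rather than YARA (this is not the page's rule or anyone else's published code). It assumes the embedded-file marker is the FileDataStoreObject header GUID documented in Microsoft's MS-ONESTORE specification and that the file data begins 36 bytes after the start of that GUID (16-byte GUID, 8-byte length, 4 unused bytes, 8 reserved bytes); both values come from the public format specification, not from the page, and are labelled as assumptions in the code. The sample OneNote-like blobs are constructed in memory so the script runs offline; the same scan can be pointed at a real .one file by reading its bytes.

```python
"""Count embedded-file objects in a OneNote (.one) byte blob and flag files
where at least one embedded object is not an image.

Assumptions (added example, not from the page): the marker GUID and the
36-byte header layout follow the MS-ONESTORE FileDataStoreObject structure
as published by Microsoft; the JPEG 2000 signature box is used for the
"JPG2000" case. The sample blobs at the bottom are constructed test data.
"""
import struct

# MS-ONESTORE FileDataStoreObject guidHeader, {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC},
# in the byte order it appears on disk (assumption taken from the spec).
FILE_DATA_STORE_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# GUID (16) + cbLength (8) + unused (4) + reserved (8) = 36 bytes before FileData.
HEADER_LEN = 36

# Image signatures the detection treats as benign, mirroring the rule's
# #PNG + #JPG + #JPG2000 + #BMP + #GIF terms.
IMAGE_MAGICS = {
    "PNG": b"\x89PNG",
    "JPG": b"\xff\xd8\xff",
    "JPG2000": b"\x00\x00\x00\x0cjP  \r\n\x87\n",  # JP2 signature box
    "BMP": b"BM",
    "GIF": b"GIF8",
}


def find_embedded_files(blob):
    """Return [(offset_of_guid, kind)] for every embedded object in `blob`.

    `kind` is the image type name, or "non-image" when the bytes right after
    the 36-byte header match none of the known image signatures.
    """
    found = []
    pos = 0
    while True:
        idx = blob.find(FILE_DATA_STORE_GUID, pos)
        if idx == -1:
            break
        data = blob[idx + HEADER_LEN: idx + HEADER_LEN + 12]
        kind = "non-image"
        for name, magic in IMAGE_MAGICS.items():
            if data.startswith(magic):
                kind = name
                break
        found.append((idx, kind))
        pos = idx + len(FILE_DATA_STORE_GUID)
    return found


def is_suspicious(blob):
    """Same condition as the YARA rule: #GUID > (#PNG + #JPG + #JPG2000 + #BMP + #GIF)."""
    found = find_embedded_files(blob)
    image_count = sum(1 for _, kind in found if kind != "non-image")
    return len(found) > image_count


def make_object(payload):
    """Build a FileDataStoreObject-shaped record for test data (constructed)."""
    return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload


# Constructed sample blobs: CLEAN embeds a PNG and a JPEG only; MALICIOUS adds
# a text stand-in for an embedded script, which has no magic header at all.
CLEAN = (
    b"\x00" * 64
    + make_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    + make_object(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
)
MALICIOUS = CLEAN + make_object(b"ECHO constructed script stand-in\r\n")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("malicious", MALICIOUS)):
        print(label, find_embedded_files(blob), "suspicious:", is_suspicious(blob))
```

The check deliberately classifies by what the embedded object is not: anything that is not a recognised picture counts against the file, which is why a script with no signature at all is still caught, and why an attacker cannot evade it simply by choosing an unusual script type. The trade-off is that any non-image attachment, including a legitimate PDF or spreadsheet, trips the same condition, so the result is a triage signal rather than a verdict.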

To avoid detection, Emotet malware is now delivered as Microsoft OneNote files.