Hackerzhome

Tuesday, April 4, 2023

PowerShell can be executed from WinRAR SFX archives without being seen.


Attackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, which lets them install backdoors without triggering the security agent on the target system.

Self-extracting archives (SFX) are essentially executables that bundle archived data with a built-in decompression stub, the code that unpacks the data.

They are produced by compression tools such as WinRAR or 7-Zip. SFX files can be password-protected to prevent unauthorized access.

SFX files make it easier to distribute archived data to users who lack the software needed to extract the package.

According to CrowdStrike’s investigation, an adversary abused ‘utilman.exe’, configuring it to execute a password-protected SFX file that had previously been planted on the system using stolen credentials.

The password-protected SFX file that utilman.exe launches includes an empty text file that serves as a decoy.

The SFX file’s true purpose is to abuse WinRAR’s SFX setup parameters to launch PowerShell, the Windows command prompt (cmd.exe), and Task Manager with administrative rights.

Jai Minton of CrowdStrike analysed the method and found that the attacker had included several commands to be executed once the target extracted the archived text file.
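A small detection helper for the SFX technique described above, added here as an example and not code from the article or from CrowdStrike: it parses a WinRAR SFX script (the archive comment that carries the Setup=, Presetup= and Silent= directives) and flags run directives that point at PowerShell, cmd.exe or Task Manager. The directive names are WinRAR's own; the constructed sample script, the function names and the assumption that the comment is available as plain text are mine.

```python
"""Flag WinRAR SFX script directives that launch shells or admin tools.
Added example, not the article's or CrowdStrike's code. Assumes the SFX
script (the archive comment holding Setup=/Presetup=/Silent=) is plain text;
if it is stored compressed, extract it with the archiver first."""
import re
from pathlib import PureWindowsPath

# Programs the article reports the SFX file launched after dropping its decoy.
SUSPICIOUS_PROGRAMS = {"powershell.exe", "cmd.exe", "taskmgr.exe"}
RUN_DIRECTIVES = ("setup", "presetup")  # Setup runs after extraction, Presetup before
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")

# Constructed sample mirroring the reported archive: a decoy text file, then
# silent launches of PowerShell, cmd.exe and Task Manager.
SAMPLE_SFX_SCRIPT = """\
;constructed SFX comment, not the real attacker's script
Path=%TEMP%\\decoy
Silent=1
Setup=notes.txt
Setup=powershell.exe
Setup="C:\\Windows\\System32\\cmd.exe"
Setup=taskmgr.exe
"""

def program_name(command: str) -> str:
    """Lower-cased base name of the program a Setup command line runs."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, possibly containing spaces
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split(None, 1)[0] if command else ""
    return PureWindowsPath(token).name.lower()

def analyse_sfx_script(script: str) -> dict:
    """Report run directives aimed at suspicious programs and whether the
    archive hides its extraction dialogs (Silent set to a non-zero value)."""
    launches, silent = [], False
    for line in script.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:  # ';' comments and free text are not directives
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "silent":
            silent = value.strip() not in ("", "0")
        elif key in RUN_DIRECTIVES:
            name = program_name(value)
            if name in SUSPICIOUS_PROGRAMS:
                launches.append((key, name))
    return {"suspicious": bool(launches), "silent": silent, "launches": launches}
```

A hit on both `suspicious` and `silent` matches the pattern in the report: a decoy is dropped with no visible dialog while an interactive shell or admin tool is started.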


IRS-approved tax return software from eFile.com was discovered to be serving JS malware.

Many people use eFile.com, an IRS-authorized provider of e-file software services, to file their tax returns, yet it has been found to be hosting JavaScript malware.

According to security researchers, the malicious JavaScript file had been present on the eFile.com website for several weeks.

Note that this security incident only affects eFile.com and not other websites with similar names or the IRS’ e-filing infrastructure.

Several customers and researchers noticed that eFile.com was serving malware. The malicious JavaScript file in question is named ‘popper.js’.

The discovery comes just as American taxpayers are finishing their IRS tax returns ahead of the April 18th deadline.

The base64-encoded version of the highlighted code from above is presented below. The code tries to load whatever JavaScript infoamanewonliag[.]online returns:

The use of Math.random() at the end is most likely intended to defeat caching, so that a fresh copy of the malware is fetched each time eFile.com is visited, picking up any changes the threat actor makes.

The endpoint was down at the time this was written.


Zimbra bug exploited in assaults against NATO nations, CISA says


A cross-site scripting vulnerability in Zimbra Collaboration (ZCS) was exploited by Russian hackers to steal emails in attacks against NATO countries, according to a warning issued by the Cybersecurity and Infrastructure Security Agency (CISA) to federal agencies.

A Russian hacking group known as Winter Vivern (also tracked as TA473) exploited the vulnerability (CVE-2022-27926) in attacks on the webmail portals of several NATO-aligned states to gain access to the email accounts of officials, governments, military personnel, and diplomats.

The Winter Vivern operators begin by scanning for vulnerable ZCS servers with the Acunetix vulnerability scanner, then send targeted users phishing emails that impersonate well-known senders.

Each email directed recipients to an attacker-controlled server, which either exploited CVE-2022-27926 or tried to trick them into handing over their credentials.

The URLs also carry a JavaScript snippet that, when the flaw is exploited, downloads a second-stage payload to carry out a cross-site request forgery (CSRF) attack and steal Zimbra users’ login credentials and CSRF tokens.

In subsequent stages, the threat actors either maintained persistence to monitor exchanged emails over time or used the stolen credentials to retrieve sensitive information from the compromised webmail accounts.


The Capita cyberattack made its Microsoft Office 365 programs inaccessible.


A cyberattack on Friday left Capita, a British outsourced services business, unable to access its internal Microsoft Office 365 apps.

London-based Capita provides a wide range of services to customers in the government, healthcare, education, financial, and technology industries, and employs 50,000 specialists.

Its clients include well-known businesses such as O2, Vodafone, and the Royal Bank of Scotland, as well as critical infrastructure organizations in the UK including the National Health Service (NHS), the UK military, and the Department for Labour and Pensions.

On March 31 the company announced an IT problem affecting its internal systems as a result of the intrusion, but it did not provide any further information about the incident’s origin.

In a brief press release, Capita acknowledged that a cyberattack was to blame for the disruption. The incident occurred around 4 AM on Friday, and staff were still trying to log into the system three hours later.

According to the organization, its quick response allowed the security issue to be successfully isolated and contained.

Middle Eastern Cyber Attacks by the Arid Viper Hacker Gang Use Upgraded Malware

Since September 2022, attacks on Palestinian entities have been observed using updated versions of the malware toolkit developed by the threat actor known as Arid Viper.

According to Symantec, which tracks the group under the insect-themed moniker Mantis, the adversary is making considerable efforts to maintain a persistent presence on targeted networks.

The group, also known as APT-C-23 and Desert Falcon, has been linked to attacks against Palestine and the Middle East since at least 2014.

According to research released by Kaspersky in February 2015, the threat actors are thought to be native Arabic speakers based in Palestine, Egypt, and Turkey.

Earlier public reports have also linked the outfit to Hamas’ cyber warfare branch.

In April 2022, the group was observed targeting high-profile Israeli employees of sensitive defense, law enforcement, and emergency services institutions with a novel Windows backdoor known as BarbWire.
