Hackerzhome


April 18, 2023

Tuesday

The latest QBot email attacks combine malware installation with PDF and WSF.

To infect Windows devices, QBot email malware is currently delivered through phishing tactics that use PDFs and Windows Script Files (WSF).


Formerly a banking trojan, Qbot (also known as QakBot) has developed into malware that provides other threat actors with initial access to business networks. During this initial access it drops additional payloads such as Cobalt Strike, Brute Ratel, and other malware, giving those threat actors a foothold on the compromised device.


Using this access, threat actors move laterally through the network, steal data, and eventually deploy ransomware in extortion campaigns.


Since the start of this month, security researcher ProxyLife and the Cryptolaemus collective have been tracking Qbot's use of a new email distribution technique: PDF attachments that download Windows Script Files, which in turn install Qbot on victims' devices.


Currently, threat actors are spreading QBot through reply-chain phishing emails, built from stolen email exchanges, that carry links to malicious websites or files.


Reply-chain emails make the phishing message appear to be a response to an existing conversation, which lowers the recipient's suspicion.


Because the phishing emails are written in a number of different languages, this appears to be a global malware distribution effort.


FIN7 developers and ex-Conti members collaborate to spread new Domino malware.

Former Conti ransomware participants, working together with the FIN7 threat actors, are using the 'Domino' malware family to attack corporate networks.

Domino is a newer malware family made up of two components: a backdoor called "Domino Backdoor", which drops a "Domino Loader" that then injects an info-stealing DLL into the memory of another process.

Since February 2023, IBM’s Security Intelligence experts have been keeping tabs on former Conti and TrickBot members who have used the new malware in assaults.

However, a new IBM report issued on Friday attributes the actual development of the Domino malware to the FIN7 hacking group, a cybercrime organization tied to a variety of malware families as well as the BlackBasta and DarkSide ransomware operations.

The ‘Dave Loader’ malware loader, which has been linked to former TrickBot and Conti ransomware members, has been used in attacks since the fall of 2022, according to IBM experts who have been monitoring the activity.

The new Chameleon Android spyware imitates government, bank, and cryptocurrency apps.

Since the beginning of the year, the ‘Chameleon’ Android malware has been preying on victims in Australia and Poland by impersonating the CoinSpot cryptocurrency exchange, an Australian government institution, and the IKO bank.

Cybersecurity company Cyble reported that the mobile malware is being distributed through compromised websites, Discord attachments, and Bitbucket hosting services.

Chameleon includes a wide range of dangerous features, such as stealing user credentials through overlay injections, keylogging, and harvesting cookies and SMS messages from the infected device.

On launch, Chameleon performs a series of evasion checks, including anti-emulation checks and checks for whether the device is rooted and whether debugging is enabled, conditions that raise the likelihood that the app is running in an analyst's environment.

On its first connection to the C2, Chameleon likely reports the device version, model, root status, country, and precise location in order to profile the new infection.

The malware then opens the legitimate URL of the entity it is impersonating in a WebView, while loading its malicious modules in the background.

Among those modules are a cookie stealer, a keylogger, a phishing page injector, a lock screen PIN/pattern grabber, and an SMS stealer that can harvest one-time passwords and help the attackers bypass 2FA protections.


QuaDream, an Israeli spyware vendor, will close after Citizen Lab and Microsoft's exposure

Less than a week after Citizen Lab and Microsoft disclosed QuaDream’s hacking arsenal, the Israeli spyware vendor is reportedly closing its doors.
The Israeli business newspaper Calcalist reported the development, citing anonymous sources, and said that the company “hasn’t been fully active for a while” and that it “has been in a difficult situation for several months.”

The report also stated that the company’s board of directors is considering selling the company’s intellectual property.

According to Haaretz and The Jerusalem Post, QuaDream, which specializes in hacking Apple devices via "zero-click" exploits that require no action from the victim, is also alleged to have dismissed all of its staff and severely scaled back its operations.

At the same time as news of the alleged shutdown, it was revealed that the company's spyware framework, known as REIGN, had been used against journalists, political opponents, and NGO employees across North America, Central Asia, Southeast Asia, Europe, and the Middle East.

The attacks involved the use of sophisticated surveillance software that was able to covertly capture private information, such as audio, photographs, passwords, files, and locations, by exploiting an iOS bug that has since been patched.

Iranian hackers are using the remote support tool SimpleHelp to gain persistent access.

The Iranian threat actor known as MuddyWater is continuing its well-established practice of using legitimate remote administration tools to seize control of targeted systems.

Having previously used Syncro, RemoteUtilities, and ScreenConnect, the nation-state group switched to SimpleHelp in June 2022, according to a recent Group-IB report.

It is believed that MuddyWater, active at least since 2017, is a subordinate unit of Iran’s Ministry of Intelligence and Security (MOIS). Turkey, Pakistan, the United Arab Emirates, Iraq, Israel, Saudi Arabia, Jordan, the United States, Azerbaijan, and Afghanistan are a few of the main targets.

Although the gang is known to send spear-phishing emails with malicious URLs from already infiltrated corporate mailboxes, the precise distribution strategy used to drop the SimpleHelp samples is presently unknown.

Group-IB's findings were confirmed by the Slovak cybersecurity firm ESET, which earlier this January discussed MuddyWater attacks in Egypt and Saudi Arabia that exploited SimpleHelp to distribute the Ligolo reverse tunneling tool and a credential harvester codenamed MKL64.
