New attacks use Windows security bypass zero-day to drop malware


New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without showing Mark of the Web security warnings.

When files are downloaded from an untrusted remote location, such as the Internet or an email attachment, Windows adds a special attribute to the file called the Mark of the Web.

This Mark of the Web (MoTW) is an NTFS alternate data stream (named Zone.Identifier) that contains information about the file, such as the URL security zone the file originates from, its referrer, and its download URL.

When a user tries to open a file with a MoTW attribute, Windows will display a security warning asking if they are sure they want to open the file.

“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.

Windows Mark of the Web security warning
Source: BleepingComputer
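Because MoTW is just an alternate data stream, it can be read, written and audited directly. The following PowerShell is an added example written for this page, not code from BleepingComputer, Microsoft or the researchers named here; the Downloads path, the file names in the usage comments and the choice of script extensions to audit are assumptions.

```powershell
# Added example (not from the article): inspect, set and audit the Mark of the Web.
# MoTW is stored in the NTFS alternate data stream named Zone.Identifier, an
# INI-style text block: [ZoneTransfer] with ZoneId (3 = Internet), ReferrerUrl, HostUrl.

$ZoneNames = @{
    0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
    3 = 'Internet';      4 = 'Restricted Sites'
}

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    # A file with no Zone.Identifier stream carries no MoTW and opens with no warning.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{
            Path = $Path; HasMotw = $false; ZoneId = $null
            ZoneName = $null; ReferrerUrl = $null; HostUrl = $null
        }
    }

    # Parse the key=value lines of the stream.
    $fields = @{}
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    foreach ($line in ($raw -split '\r?\n')) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $zoneId   = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    $zoneName = if ($null -ne $zoneId) { $ZoneNames[$zoneId] } else { $null }

    [pscustomobject]@{
        Path        = $Path
        HasMotw     = $true
        ZoneId      = $zoneId
        ZoneName    = $zoneName
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

function Set-MotwInternetZone {
    # Writes a Zone.Identifier stream so the file is treated as an Internet download
    # (useful for reproducing the warning on a lab sample).
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$HostUrl = 'about:internet'   # assumed placeholder value
    )
    $content = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content -NoNewline
}

function Find-UnmarkedScripts {
    # Lists Windows Script Host files under $Root that either have no MoTW at all
    # or are marked below the Internet zone, i.e. files that would run without the warning.
    param(
        [string]$Root = "$env:USERPROFILE\Downloads",          # assumed location
        [string[]]$Extensions = @('*.js', '*.jse', '*.wsf', '*.vbs')  # assumed set
    )
    Get-ChildItem -Path $Root -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MotwInfo -Path $_.FullName } |
        Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 }
}

# Usage (file names are assumptions):
# Get-MotwInfo -Path "$env:USERPROFILE\Downloads\invoice.js"
# Set-MotwInternetZone -Path 'C:\lab\sample.js' -HostUrl 'https://example.test/sample.js'
# Find-UnmarkedScripts | Format-Table Path, HasMotw, ZoneName
```

Two caveats when using this in an investigation: `Unblock-File` (or the Properties dialog's Unblock checkbox) deletes the stream, so a missing stream on a user's machine does not by itself prove the file was delivered in a way that evaded MoTW; and alternate data streams exist only on NTFS, so a file that passed through a FAT/exFAT USB stick, a ZIP extractor that does not propagate the mark, or a non-NTFS share loses its MoTW along the way.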

Last month, the HP threat intelligence team reported that a phishing attack was distributing the Magniber ransomware using JavaScript files.

These JavaScript files are not the same as those used on websites but are standalone files with the ‘.JS’ extension that are executed using the Windows Script Host (wscript.exe).

After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that the threat actors were using a new Windows

VMware bug with 9.8 severity rating exploited to install witch’s brew of malware


Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.

CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that carries a severity rating of 9.8 out of a possible 10. VMware disclosed and patched the vulnerability on April 6. Within 48 hours, hackers reverse-engineered the update and developed a working exploit that they then used to compromise servers that had yet to install the fix. VMware Workspace ONE Access helps administrators configure a suite of apps employees need in their work environments.

In August, researchers at FortiGuard Labs saw a sudden spike in exploit attempts and a major shift in tactics. Whereas before the hackers installed payloads that harvested passwords and collected other data, the new surge brought something else: specifically, ransomware known as RAR1ransom, a cryptocurrency miner known as GuardMiner, and Mirai, software that corrals Linux devices into a massive botnet for use in distributed denial-of-service attacks.

FortiGuard

“Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it,” FortiGuard Labs researcher Cara Lin wrote. Attackers, she added, were using it to inject a payload and achieve remote code execution on servers running the product.

The Mirai sample Lin saw getting installed was downloaded from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64 and relied on a command and control server at “cnc[.]goodpackets[.]cc”. Besides delivering junk traffic used in DDoSes, the sample
