ISO Files Are Being Used To Deliver Malware

Researchers at Trustwave have observed a notable increase in the use of .ISO files to deliver malware. Attackers have relied on poisoned disk image files for years to get payloads onto their targets.

It works well against Windows targets because Windows 8 and later mount an .ISO natively when it is double-clicked, presenting its contents as a new drive letter. No extra software is needed, the attachment looks like a standard, innocuous file type, and the executable or shortcut inside appears to the user as an ordinary file on a removable drive.

In terms of scope and scale, the Trustwave researchers noted a 6 percent increase in this attack vector during 2019. That is enough to be of genuine concern, especially because .ISO attachments are often overlooked: many email gateways and antivirus products unpack ZIP archives but do not look inside disk images, so a payload wrapped in an .ISO is more likely to reach the inbox and run undetected.

In one campaign unearthed by the researchers, the attackers sent an email that appeared to come from FedEx and offered package tracking information, in an attempt to trick recipients into opening the attached file for details about an incoming package. Of course, no package existed. Opening the attached .ISO mounted it as a drive, and running the file inside installed a malicious payload on the victim’s computer.
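The practical defence is to look inside the image before anyone mounts it. The following Python is an added example, not code from Trustwave or from the campaign described above: it parses an ISO 9660 image straight from bytes (primary volume descriptor at sector 16, then the root directory) and flags entries that would execute on double-click or carry a PE header. The image it scans is constructed inline for the demo, with an assumed volume name of FEDEX_TRACKING and made-up file names; nothing here is a real sample.

```python
"""Inspect an ISO 9660 image without mounting it and flag risky payloads."""
import struct

SECTOR = 2048
# Extensions that run on double-click from a mounted image (assumed watch-list)
RISKY_EXT = {"EXE", "SCR", "COM", "LNK", "JS", "JSE", "VBS", "VBE", "WSF",
             "HTA", "BAT", "CMD", "PS1", "DLL", "JAR", "MSI"}


def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """Encode one ISO 9660 directory record (ECMA-119, section 9.1)."""
    body = bytes([0])                                              # ext. attribute length
    body += struct.pack("<I", extent) + struct.pack(">I", extent)  # both-endian LBA
    body += struct.pack("<I", size) + struct.pack(">I", size)      # both-endian size
    body += bytes(7)                                               # recording date/time
    body += bytes([flags, 0, 0])                                   # flags, unit size, gap
    body += struct.pack("<H", 1) + struct.pack(">H", 1)            # volume sequence no.
    body += bytes([len(name)]) + name
    if len(body) % 2 == 0:                                         # record length must be even
        body += b"\x00"
    return bytes([len(body) + 1]) + body


def build_sample_iso(files: dict) -> bytes:
    """Constructed test image (not a real sample): PVD at sector 16, terminator
    at 17, root directory at 18, file data from sector 19 onwards."""
    root_lba = 18
    records = _dir_record(b"\x00", root_lba, SECTOR, 2)            # "." entry
    records += _dir_record(b"\x01", root_lba, SECTOR, 2)           # ".." entry
    payload, next_lba = b"", 19
    for name, content in files.items():
        records += _dir_record(name.encode("ascii"), next_lba, len(content), 0)
        nsec = max(1, -(-len(content) // SECTOR))                  # sectors, rounded up
        payload += content.ljust(nsec * SECTOR, b"\x00")
        next_lba += nsec
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1                      # type, id, version
    pvd[40:72] = b"FEDEX_TRACKING".ljust(32)                       # volume identifier
    pvd[80:88] = struct.pack("<I", next_lba) + struct.pack(">I", next_lba)
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 2)       # root directory record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1                 # set terminator
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + records.ljust(SECTOR, b"\x00") + payload


def list_iso_entries(image: bytes) -> list:
    """Walk the root directory of an ISO 9660 image and describe each entry."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if len(pvd) < 190 or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root_lba = struct.unpack_from("<I", pvd, 158)[0]               # root record + 2
    root_len = struct.unpack_from("<I", pvd, 166)[0]               # root record + 10
    directory = image[root_lba * SECTOR:root_lba * SECTOR + root_len]
    entries, pos = [], 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                                           # zero padding to sector end
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = directory[pos:pos + rec_len]
        pos += rec_len
        extent = struct.unpack_from("<I", rec, 2)[0]
        size = struct.unpack_from("<I", rec, 10)[0]
        raw = rec[33:33 + rec[32]]
        if raw in (b"\x00", b"\x01"):                              # "." and ".."
            continue
        name = raw.decode("ascii", "replace").split(";")[0]        # drop ";1" version suffix
        head = image[extent * SECTOR:extent * SECTOR + 2]
        entries.append({"name": name, "size": size, "is_dir": bool(rec[25] & 2),
                        "pe_header": head == b"MZ"})
    return entries


def risky_entries(entries: list) -> list:
    """Names that would execute on double-click or whose content is a PE file."""
    out = []
    for e in entries:
        if e["is_dir"]:
            continue
        ext = e["name"].rsplit(".", 1)[-1].upper() if "." in e["name"] else ""
        if ext in RISKY_EXT or e["pe_header"]:
            out.append(e["name"])
    return out


if __name__ == "__main__":
    img = build_sample_iso({"TRACKING.EXE;1": b"MZ" + bytes(70),
                            "README.TXT;1": b"Your package is waiting.",
                            "LABEL.LNK;1": b"L\x00\x00\x00" + bytes(20)})
    for entry in list_iso_entries(img):
        print(entry)
    print("risky:", risky_entries(list_iso_entries(img)))
```

The parser only reads the root directory and ignores Joliet and Rock Ridge extensions, which is enough for the single-file lures described here; a gateway rule would typically quarantine any image whose listing contains an entry from the watch-list, or any PE content regardless of its extension.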

It should be noted that .ISO is not the only disk image format used this way. Trustwave also reports a modest uptick in the use of Direct Access Archive (.DAA) files. DAA is seen as somewhat less effective than .ISO for delivering malware because it is a proprietary format: Windows cannot open it natively, so specialized software such as PowerISO must already be installed on the target.

Nonetheless, if an attacker has done their reconnaissance and knows that software is installed on a target computer, a .DAA file represents another possible inroad, and one that is likely to go undetected.

Attackers are increasingly inventive, mixing old tricks with new ones to infect target systems and making it harder than ever for busy IT managers to keep their networks safe. Treat disk image attachments with the same suspicion as executables and archives, and stay alert.

New Trojan Malware Steals Passwords From Chrome

If you use Google’s Chrome web browser, there is a new threat you should be aware of. A new trojan targeting Windows machines attempts to steal the passwords stored in the Chrome browser.

Dubbed CStealer, it was discovered by MalwareHunterTeam, who found some points of interest that make this threat more notable than others in its class.

Once a machine is infected, the malware connects to a MongoDB database and uploads the stolen credentials to it at periodic intervals. The MongoDB credentials that make the connection possible are hardcoded into the binary; the goal is to give the malware’s operators a convenient central repository of stolen passwords.

Unfortunately, the same network code used for this database connection could easily be modified to reach a command and control server instead. So once a machine is infected, the operator could just as easily use the foothold to deliver other malware to the compromised machine, capable of causing whatever mayhem the attacker felt like inflicting.

The other point worth mentioning is this: potentially anyone could gain access to the password repository. Because the MongoDB credentials are hardcoded into the malware, anyone who takes the time to analyze the binary can recover them, connect to the server and retrieve whatever happens to be stored there.
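Recovering such credentials is usually a matter of string extraction rather than reverse engineering. The Python below is an added example, not code from or an analysis of the real CStealer binary: it scans a sample for MongoDB connection strings in both plain ASCII and UTF-16LE (Windows binaries frequently store text as wide strings) and splits each URI into the fields an analyst pivots on. The blob it scans is constructed for the demo, and the hostnames, account names and passwords in it are made up.

```python
"""Pull hard-coded MongoDB connection strings out of a binary sample."""
import re
from urllib.parse import urlsplit, unquote

# Printable ASCII minus quote characters, so a URI inside a string literal
# does not swallow the closing quote.
_URI_CHARS = rb"[\x21\x23-\x26\x28-\x7e]"
_ASCII_RE = re.compile(rb"mongodb(?:\+srv)?://" + _URI_CHARS + rb"+")


def _wide(text: str) -> bytes:
    """Regex for `text` as UTF-16LE: each character followed by a NUL byte."""
    return b"".join(re.escape(c.encode("ascii")) + b"\x00" for c in text)


_WIDE_RE = re.compile(_wide("mongodb") + b"(?:" + _wide("+srv") + b")?" + _wide("://")
                      + b"(?:" + _URI_CHARS + rb"\x00)+")


def _describe(uri: str) -> dict:
    """Split a MongoDB URI into the parts worth reporting."""
    parts = urlsplit(uri)
    hosts = parts.netloc.rsplit("@", 1)[-1]            # may list several host:port pairs
    redacted = uri
    if parts.password:
        redacted = uri.replace(":" + parts.password + "@", ":***@", 1)
    return {
        "uri": uri,
        "redacted": redacted,                          # safe to paste into a report
        "scheme": parts.scheme,
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "hosts": hosts.split(","),
        "database": parts.path.lstrip("/") or None,
        "has_credentials": parts.username is not None,
    }


def find_mongo_uris(blob: bytes) -> list:
    """Return every MongoDB URI embedded in `blob`, ASCII first, then UTF-16LE."""
    found = [_describe(m.group(0).decode("ascii")) for m in _ASCII_RE.finditer(blob)]
    found += [_describe(m.group(0).decode("utf-16le")) for m in _WIDE_RE.finditer(blob)]
    return found


# Constructed sample: a PE-like header, an ASCII connection string, some
# padding and a second connection string stored as UTF-16LE. Not a real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(28)
    + b"mongodb://stealer:Pa55w0rd@db.example.invalid:27017/stolen?authSource=admin\x00"
    + bytes(16)
    + "mongodb+srv://backup%40user:s3cret@cluster.example.invalid/loot".encode("utf-16le")
    + b"\x00\x00" + b"Login Data\x00"
)

if __name__ == "__main__":
    for hit in find_mongo_uris(SAMPLE_BLOB):
        print(hit["redacted"], "->", hit["username"], hit["hosts"], hit["database"])
```

The recovered host and account are useful as network indicators (block the destination, hunt for connections to it) even if nobody intends to log in; the `redacted` form exists so the secret does not end up in a ticket or a shared report.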

Given that criminals are not known for their altruism, this is almost certainly an unintended consequence of the code’s design, and it is likely to be corrected in a future build of the trojan. For now, though, if you are infected with CStealer, assume that your stored passwords are accessible to any number of attackers, and change them from a machine you trust.

As ever, awareness and vigilance are the keys to keeping these sorts of things from happening. Stay alert, and make sure your employees are aware of this latest threat.


New Malware Can Spy On You In Scary Ways

There’s a new strain of malware in the wild. It targets Android devices and is disguised as an innocuous chat app.

Researchers at Trend Micro have found it in two apps so far: Chatrious and the Apex App. Chatrious has since vanished from Google’s Play Store, but at the time this piece was written, the Apex App was still available for download.

If you have either of these, you should delete them immediately.

In both samples found so far, when a user downloads and launches the app, it quietly connects to a command and control server and then begins harvesting data from the device: contact lists, text messages, call logs and any files stored locally.

In addition, the malware can activate the device’s microphone to make audio recordings, which are sent to the command and control server, and it can take screenshots of anything displayed on the device.

The app has only been found on the Play Store so far. However, analysis of the code shows that the person or group behind it has already built in hooks that would make it capable of attacking iOS and Windows machines. The researchers believe this malware is at an early stage of development, and that what they found in the code marks the leading edge of a larger and more widespread campaign.

Beyond being a potentially devastating piece of malware in its own right, the researchers noted that this code would be perfect for highly advanced cyberespionage campaigns, given that high-ranking corporate and government employees carry a wealth of information on their phones and almost always keep them close at hand. The ability to record what is happening in the immediate vicinity of an infected device could lead to no end of trouble.

In any case, if you have either of the apps mentioned above installed on your phone, delete them immediately. Trend Micro has promised further updates about this latest malware threat as they get them.


New Cryptomining Malware Targets Windows Computers

Since October 2018, Microsoft engineers have been tracking a new strain of malware specifically designed to target Windows machines.

As malware goes, this one isn’t particularly dangerous.

It’s not designed to mass-delete files, lock your system down or flood you with pop-up ads.

Rather, its purpose is to install itself stealthily and live in the background, where it siphons off your PC’s processing power to mine cryptocurrency on behalf of the malware’s operators, giving them a fat payday and you a frustratingly slow system.

The malware, dubbed Dexphot, started off as a relatively minor threat, but the average number of infections per day grew steadily until mid-June 2019 before leveling off. At its peak, Dexphot ran on some 80,000 computers, a globe-spanning cryptomining network that rewarded the malware’s creators handsomely.

Although coin mining itself isn’t very newsworthy, what caught the attention of Microsoft’s engineers was the complexity of the code and the effort it puts into evading detection.

The team tracking the malware had this to say about it:

“Dexphot is not the type of attack that generates mainstream media attention. It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers. Yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”

The bottom line is, if several machines on your corporate network have become noticeably slow, it’s worth a deeper look to make sure they haven’t been infected with something like this: sustained CPU use by a process nobody can account for is the classic sign of a miner.

Hackers Are Imitating Government Agencies To Spread Malware

Researchers at Proofpoint have found evidence of a new threat actor who has been sending out convincing-looking emails.

The messages claim to come from several government agencies.

These include the Italian Revenue Agency, the German Federal Ministry of Finance, and the United States Postal Service.

This is all part of a malicious campaign designed to infect targeted recipients with a variety of malware.

The bulletin Proofpoint released on the matter reads, in part, as follows:

“Between October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email messages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.

These spoofs are notable for using convincing stolen branding and lookalike domains of European taxation agencies and other public-facing entities such as Internet service providers. Most recently, the actor has attacked US organizations spoofing the United States Postal Service. The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape.”

In the US, emails claiming to be from the Postal Service carry an attached Word document named “USPS_Delivery.doc.” When a recipient opens it, they see a message claiming the file has been encrypted for additional security and that, in order to view it, they must click “Enable Content.”

Naturally, clicking “Enable Content” does nothing of the sort. That button is Word’s prompt for allowing macros to run; the document is not encrypted at all, and enabling macros simply executes the embedded code, which installs whatever malware the senders have associated with that particular campaign.
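Because the lure depends on a macro, the attachment can be triaged for one before it reaches a user. The Python below is an added example, not Proofpoint’s code or the campaign’s document: it distinguishes the two Word containers (legacy .doc is an OLE2 compound file; .docx/.docm is a ZIP of XML parts) and reports the macro indicators in each, plus the common trick of a macro-enabled OOXML file renamed to .doc, which Word still opens because it sniffs the content. The documents it checks are constructed in memory for the demo; the legacy sample is only an OLE2 header plus directory-name strings, not a complete compound file, and the name “USPS_Delivery.doc” is reused purely as an illustration.

```python
"""Triage a Word attachment for VBA macros before anyone clicks "Enable Content"."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 / compound file signature
ZIP_MAGIC = b"PK\x03\x04"                                # OOXML is a ZIP container
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled"
# OLE2 directory entry names are stored as UTF-16LE; the VBA project lives under these.
OLE_VBA_NAMES = ("Macros", "VBA", "_VBA_PROJECT", "ThisDocument")


def triage(data: bytes) -> dict:
    """Identify the container and list the macro indicators found in it."""
    container, indicators = "unknown", []
    if data.startswith(OLE_MAGIC):
        container = "ole2"
        for name in OLE_VBA_NAMES:                       # heuristic, not a full CFB parse
            if name.encode("utf-16le") in data:
                indicators.append(f"OLE directory name {name!r}")
    elif data.startswith(ZIP_MAGIC):
        container = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    indicators.append("word/vbaProject.bin present")
                if "[Content_Types].xml" in names and \
                        MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    indicators.append("macroEnabled content type declared")
        except zipfile.BadZipFile:
            indicators.append("ZIP signature but unreadable archive")
    return {"container": container, "indicators": indicators, "suspicious": bool(indicators)}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension lies about the container (e.g. a .docm renamed to .doc)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    is_ole, is_zip = data.startswith(OLE_MAGIC), data.startswith(ZIP_MAGIC)
    return (ext == "doc" and is_zip) or (ext in ("docx", "docm") and is_ole)


def build_docm(with_macro: bool) -> bytes:
    """Constructed OOXML document containing only the parts this check inspects."""
    main_type = MACRO_CONTENT_TYPE if with_macro else \
        b"application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" ContentType="'
                    + main_type + b'.main+xml"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + bytes(504))  # stub VBA project
    return buf.getvalue()


def build_legacy_doc(with_macro: bool) -> bytes:
    """Constructed legacy .doc stand-in: OLE2 header sector plus, optionally, the
    directory-entry names a VBA project would introduce."""
    body = OLE_MAGIC + bytes(504)
    if with_macro:
        body += "Macros".encode("utf-16le") + "VBA".encode("utf-16le")
    return body


if __name__ == "__main__":
    for label, doc in (("clean .docx", build_docm(False)), ("macro .docm", build_docm(True)),
                       ("clean .doc", build_legacy_doc(False)), ("macro .doc", build_legacy_doc(True))):
        print(label, triage(doc), "renamed:", extension_mismatch("USPS_Delivery.doc", doc))
```

For real attachments the OLE2 branch should be backed by a proper compound-file parser (oletools’ olevba is the usual choice) since a string match can be padded around; the OOXML branch is reliable as written because a macro cannot ship in a .docx/.docm without the vbaProject.bin part.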

The identity of the threat actor is not known at this time, but this is a serious issue that you should alert all employees to immediately in order to minimize the risk to your company. Keeping macros disabled by default and quarantining macro-enabled attachments from outside the organization takes most of the teeth out of this lure.