'Karkoff' Is the New 'DNSpionage' With Selective Targeting Strategy

The cybercriminal group behind the infamous DNSpionage malware campaign has been found running a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware.

First uncovered in November last year, the DNSpionage attacks used compromised sites and crafted malicious documents to infect victims’ computers with DNSpionage—a custom remote administration tool that uses both HTTP and DNS to communicate with the attacker-controlled command-and-control server.

According to a new report published by Cisco’s Talos threat research team, the group has adopted some new tactics, techniques and procedures to improve the efficacy of their operations, making their cyber attacks more targeted, organised and sophisticated in nature.

Unlike previous campaigns, the attackers now perform reconnaissance on their victims before infecting them with a new piece of malware, dubbed Karkoff, which lets them choose selectively which targets to infect and so remain undetected.

“We identified infrastructure overlaps in the DNSpionage and the Karkoff cases,” the researchers say.

During the reconnaissance phase, the attackers gather system information about the workstation environment, the operating system, the domain, and the list of processes running on the victims’ machines.

“The malware searches for two specific anti-virus platforms: Avira and Avast. If one of these security products is installed on the system and identified during the reconnaissance phase, a specific flag will be set, and some options from the configuration file will be ignored,” the researchers say.

Developed in .NET, Karkoff allows attackers to execute arbitrary code on compromised hosts remotely from their C&C server. Cisco Talos identified Karkoff as undocumented malware earlier this month.

What’s interesting is that the Karkoff malware generates a log file on the victims’ systems which contains a list of all commands it has executed with a timestamp.

“This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat,” the researchers explain.

“With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.”
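The timeline the researchers describe is straightforward to build once the log is recovered. The following is an added example, not code from the article or from Cisco Talos: the page does not show Karkoff’s log format, so the “ISO-8601 timestamp, then the command” layout parsed here and the sample lines are constructed assumptions. It parses what it can, leaves duplicates in place because the log is evidence, orders events chronologically and annotates each with the gap since the previous one.

```python
"""Build an execution timeline from a malware command log.

Added example, not code from the page or from Cisco Talos: the article says
Karkoff keeps a log of every command it executed together with a timestamp,
and that responders can turn it into a timeline. The page does not show the
log format, so the "<ISO-8601 timestamp> <command>" layout parsed here and
the sample lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample log: out of order, with one unparseable line and one
# repeated entry, the kind of mess a recovered artefact tends to have.
SAMPLE_LOG = """\
2019-04-22T09:14:03 whoami
2019-04-22T09:14:05 hostname
corrupted line with no timestamp
2019-04-22T09:14:09 tasklist
2019-04-22T09:13:58 systeminfo
2019-04-22T09:14:09 tasklist
"""

# Assumed line layout: timestamp, whitespace, then the rest of the line is the command.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(.+?)\s*$")


@dataclass(frozen=True)
class Entry:
    when: datetime
    command: str


def parse_log(text: str) -> List[Entry]:
    """Parse every well-formed line and skip the rest rather than abort.

    Duplicates are kept on purpose: the log is evidence, and collapsing
    repeated events would hide how often a command actually ran."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line: ignore it and keep going
        entries.append(Entry(datetime.fromisoformat(m.group(1)), m.group(2)))
    return entries


def build_timeline(entries: List[Entry]) -> List[str]:
    """Order events chronologically and annotate each with the gap since the
    previous one, which makes bursts of activity easy to spot."""
    ordered = sorted(entries, key=lambda e: e.when)  # stable: ties keep log order
    lines: List[str] = []
    prev: Optional[datetime] = None
    for e in ordered:
        gap = 0.0 if prev is None else (e.when - prev).total_seconds()
        lines.append(f"{e.when.isoformat()} (+{gap:.0f}s) {e.command}")
        prev = e.when
    return lines


def activity_window(entries: List[Entry]) -> Optional[Tuple[str, str]]:
    """Earliest and latest event as ISO strings, or None for an empty log."""
    if not entries:
        return None
    whens = [e.when for e in entries]
    return min(whens).isoformat(), max(whens).isoformat()


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for row in build_timeline(parsed):
        print(row)
    print("activity window:", activity_window(parsed))
```

The gap annotation is the part worth keeping when adapting this to a real artefact: a run of commands seconds apart points at an operator working interactively, while long silences bracket the sessions a responder will want to correlate with network and authentication logs.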

Like the last DNSpionage campaign, the recently discovered attacks also target the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).

Besides disabling macros and using reliable antivirus software, you should most importantly stay vigilant and keep yourself informed about social engineering techniques in order to reduce the risk of becoming a victim of such attacks.

Due to several public reports of DNS hijacking attacks, the U.S. Department of Homeland Security (DHS) earlier this year issued an “emergency directive” to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains.
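An audit of the kind the directive asks for amounts to comparing what resolvers currently return with what the domain owner believes the records should be. The block below is an added example and not the directive’s text or any agency’s tooling: the zone data is constructed, and in practice the observed set would be filled from live queries against several independent resolvers instead of a literal. It keys records by owner name and type, compares them as unordered sets so resolver ordering never matters, and reports both unexpected and missing records.

```python
"""Audit observed DNS records against a known-good baseline.

Added example of the kind of record audit the DHS directive mentioned above
calls for; it is not the directive's text, nor code from any agency. The
names and addresses are constructed, and a real audit would populate
OBSERVED from live queries to several independent resolvers rather than
from a literal.
"""
from typing import Dict, List, Set, Tuple

# Record sets keyed by (owner name, record type); the value is the unordered
# set of rdata strings, so the order a resolver returns records in never matters.
RecordSet = Dict[Tuple[str, str], Set[str]]

# Constructed baseline: the records the domain owner expects to exist.
BASELINE: RecordSet = {
    ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov.", "MX"): {"10 mail.example.gov."},
    ("www.example.gov.", "A"): {"192.0.2.10"},
}

# Constructed observation: one NS record replaced and an extra MX added,
# the two changes that redirect a zone's traffic and its mail.
OBSERVED: RecordSet = {
    ("example.gov.", "NS"): {"ns1.example.gov.", "ns.unknown-host.example."},
    ("example.gov.", "MX"): {"10 mail.example.gov.", "20 relay.unknown-host.example."},
    ("www.example.gov.", "A"): {"192.0.2.10"},
}


def audit(baseline: RecordSet, observed: RecordSet) -> List[str]:
    """Return one finding per record that is missing from, or unexpected in,
    the observed data. An empty list means the records match the baseline."""
    findings: List[str] = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        expected = baseline.get((name, rtype), set())
        actual = observed.get((name, rtype), set())
        if expected == actual:
            continue
        for rdata in sorted(actual - expected):
            findings.append(f"UNEXPECTED {rtype} {name} -> {rdata}")
        for rdata in sorted(expected - actual):
            findings.append(f"MISSING {rtype} {name} -> {rdata}")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED) or ["OK: records match baseline"]:
        print(finding)
```

Querying more than one resolver matters because a hijack at the registrar or authoritative server shows up everywhere, while a poisoned cache shows up on only one; comparing their answers to each other as well as to the baseline tells the two apart.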

Manufacturing giant Aebi Schmidt hit by ransomware

Aebi Schmidt, a European manufacturing giant with operations in the U.S., has been hit by a ransomware attack, TechCrunch has learned.

The Switzerland-based maker of airport maintenance and road cleaning vehicles had operations disrupted Tuesday following the malware infection, according to a source with knowledge of the incident.

Systems went down across the company’s international network, including its U.S. subsidiaries, but much of the damage was in the company’s European base. A number of systems connected to the Aebi Schmidt network across the world were left paralyzed. The source said systems necessary for manufacturing operations were inaccessible following the attack. The company’s email is also said to be affected.

It isn’t immediately known what kind of ransomware knocked the company’s systems offline.

The multinational manufacturing giant recently expanded its U.S. presence with the acquisition of M-B Companies, a maker of snow removal and cleaning machines, following earlier acquisitions of winter maintenance equipment maker Meyer Products and Swenson Products.

After several efforts to reach the company by email, phone or unsolicited LinkedIn messages, spokesperson Thomas Schiess confirmed a systems outage, specifically “e-mail system troubles,” in a Facebook message. “I can confirm that the availability of other systems was or may still be limited, our specialists are still working on resolving the issue, the cause is not yet clear,” he said, but would not comment further.

Aebi Schmidt is the latest company downed by ransomware in recent weeks.

Aluminum manufacturing giant Norsk Hydro was forced offline briefly following a ransomware attack in March. The company quickly recovered after it put in place its backup recovery process. It was a better response than drinks company Arizona Beverages, which was hit by ransomware a month later, causing its systems to shutter for a week — despite warnings from the FBI weeks earlier that the company was infected with malware lying dormant.

Russian hackers are hijacking computers at US embassies


Russian hackers have apparently launched cyberattacks against American embassies, although it might not be the kind of campaign you’re expecting. Check Point Research reports that the attackers have attempted to compromise PCs at embassies in countries like Italy, Bermuda and Kenya by tricking officials into loading malware. Most often, they emailed Excel spreadsheets with malicious macros that would hijack a computer using the popular remote access app TeamViewer.

The attackers don’t seem to be state-backed, though. They’ve also attacked government officials at “several” revenue authorities, and Check Point noted that there have been similar campaigns that targeted Russian speakers. At least one of the culprits, nicknamed EvaPiks, has been linked to a hacking forum where card theft was a subject of discussion. The intruders may be “financially motivated” based on this evidence, Check Point said.

As it is, the group is occasionally sloppy. While it planned the campaign and created false documents specific to each target, some parts of the campaign have left the attacker’s personal info exposed. If this is a state attack, it wasn’t a particularly good one. Not that this is much comfort to victims — they’ve had potentially sensitive data exposed to crooks who intend to abuse it.

Malware researcher Marcus Hutchins pleads guilty, ending his legal case

Malware researcher Marcus Hutchins has pleaded guilty to two counts of creating and selling a powerful banking malware, ending a long and protracted battle with U.S. prosecutors.

Hutchins, a British national who goes by the online handle MalwareTech, was arrested in August 2017 as he was due to fly back to the U.K. following the Def Con security conference in Las Vegas. Prosecutors charged Hutchins with his involvement with creating the Kronos banking malware, dating back to 2014. He was later freed on bail.

A plea agreement was filed on Friday with the Eastern District of Wisconsin, where the case was being heard. His trial had been set to begin later this year.

Hutchins agreed to plead guilty to distributing Kronos, a trojan that can be used to steal passwords and credentials from banking websites. In recent years, the trojan has continued to spread. He also agreed to plead guilty to a second count of conspiracy.

Hutchins faces up to 10 years in prison. Prosecutors have dropped the remaining charges.

In a brief statement on his website, Hutchins said: “I regret these actions and accept full responsibility for my mistakes.”

“Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” he said. “I will continue to devote my time to keeping people safe from malware attacks.”

His attorney Marcia Hofmann did not immediately return a request for comment.

Hutchins rose to prominence after he stopped the spread of the WannaCry ransomware attack in May 2017, months before his arrest. The attack used powerful hacking tools developed by the National Security Agency, which were later leaked, to backdoor thousands of Windows computers and install ransomware. The attack, which knocked U.K. hospitals offline and crippled major companies around the world, was later attributed to hackers backed by North Korea.

By registering a domain name found in the malware’s code, Hutchins stemmed the spread of the infection. He was hailed a hero for stopping the attack.

Both before and after his release, Hutchins earned further praise and respect from the security community for his contributions to the malware-reversing field and for publishing his findings so others could learn from them.

Justice Department spokesperson Nicole Navas declined to comment.

Security flaw in EA’s Origin client exposed gamers to hackers

Electronic Arts has fixed a vulnerability in its online gaming platform Origin after security researchers found they could trick an unsuspecting gamer into remotely running malicious code on their computer.

The bug affected Windows users with the Origin app installed. Tens of millions of gamers use the Origin app to buy, access and download games. To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.

But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any program on the victim’s computer.

“An attacker could’ve run anything they wanted,” Bee told TechCrunch.

‘Popping calc’ to demonstrate a remote code execution bug in Origin. (Image: supplied)

The researchers gave TechCrunch proof-of-concept code to test the bug for ourselves. The code allowed any app to run at the same level of privileges as the logged-in user. In this case, the researchers popped open the Windows calculator — the go-to app for hackers to show they can run code remotely on an affected computer.

Worse, a hacker could send malicious PowerShell commands; PowerShell is a tool built into Windows that attackers often use to download additional malicious components and install ransomware.

Bee said a malicious link could be sent in an email or placed on a webpage, but it could also be triggered automatically if the malicious code was combined with a cross-site scripting exploit running in the browser.

It was also possible to steal a user’s account access token using a single line of code, allowing a hacker to gain access to a user’s account without needing their password.

Origin’s macOS client wasn’t affected by the bug.

EA spokesperson John Reseburg confirmed a fix was rolled out Monday. TechCrunch confirmed the code no longer worked following the update.
