cybersecurity researchers

Winsage
April 8, 2025
Cybercriminals have released a new malware strain called Neptune RAT, which targets Windows PCs and is capable of stealing cryptocurrencies and passwords, as well as holding data for ransom. It features a crypto clipper that can swap cryptocurrency wallet addresses copied to the clipboard, a password-stealing function affecting over 270 applications, and ransomware capabilities that lock files until a ransom is paid. The malware can disable antivirus software, monitor victims' screens in real time, and has the ability to wipe a PC. It is distributed through platforms like GitHub, Telegram, and YouTube, making it difficult for cybersecurity researchers to analyze. Users are advised to be cautious with downloads, consider identity theft protection services, and practice safe browsing habits to mitigate risks.
Winsage
March 18, 2025
Microsoft's Windows Defender Application Control (WDAC) has become a target for cybersecurity researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported various outcomes from WDAC bypass submissions, including successful bypasses that lead to potential bounties, those added to the WDAC recommended block list, and submissions without recognition. Notable contributors like Jimmy Bayne and Casey Smith have made significant discoveries, while the LOLBAS Project has documented additional bypasses, including the Microsoft Teams application. The X-Force team successfully bypassed WDAC during Red Team Operations using techniques such as utilizing known LOLBINs, DLL side-loading, exploiting custom exclusion rules, and identifying new execution chains in trusted applications. Electron applications, which can execute JavaScript and interact with the operating system, present unique vulnerabilities, as demonstrated by a supply-chain attack on the MiMi chat application. In preparation for a Red Team operation, Bobby Cooke's team explored the legacy Microsoft Teams application, discovering vulnerabilities in signed Node modules that allowed them to execute shellcode without triggering WDAC restrictions. They developed a JavaScript-based C2 framework called Loki C2, designed to operate within WDAC policies and facilitate reconnaissance and payload deployment. A demonstration of Loki C2 showcased its ability to bypass strict WDAC policies by modifying resources of the legitimate Teams application, allowing undetected code execution. The ongoing development of techniques and tools by the X-Force team reflects the evolving cybersecurity landscape and the continuous adaptation required to counter emerging threats.
Tech Optimizer
February 27, 2025
Cybersecurity researchers at Trellix have identified a malware campaign utilizing a legitimate antivirus driver, specifically the Avast Anti-Rootkit driver (aswArPot.sys), to gain kernel-level access and bypass security protocols. The malware, named “kill-floor.exe,” deploys the Avast driver as a file called “ntfs.bin” and registers it as a service using the Service Control utility (sc.exe) to obtain unrestricted privileges. It monitors active processes and terminates security-related processes by communicating with the Avast driver through the DeviceIoControl API. The malware exploits kernel-mode capabilities to execute actions that dismantle system defenses. Organizations are advised to implement BYOVD protection strategies, including detection rules for vulnerable drivers. Key indicators associated with this campaign include the MD5 hashes: 40439f39f0195c9c7a3b519554afd17a (kill-floor.exe) and a179c4093d05a3e1ee73f6ff07f994aa (ntfs.bin).
AppWizard
February 25, 2025
Cybersecurity researchers discovered a predatory loan application called SpyLoan on the Google Play Store, which targeted Indian consumers and achieved around 100,000 downloads before being removed. The app presented itself as a financial management tool but required extensive permissions, accessing sensitive user information. User reviews indicated experiences of blackmail and low loan amounts. SpyLoan falsely claimed affiliation with a registered non-banking financial company and redirected users to download a separate loan application from an external site, circumventing some Google safeguards. Google confirmed the app's removal and stated that Android devices are protected against known malware through Google Play Protect.
AppWizard
February 18, 2025
Elon Musk has blocked links to the encrypted messaging app Signal on his platform, X, causing concerns about the selective application of free speech. Cybersecurity researchers reported that accessing Signal links results in a warning page, although users can still proceed. Donald Trump is advocating for leniency towards Andrew Tate, who, along with his brother, faces serious legal charges in Romania but has temporarily blocked his indictment and remains under investigation. Musk's DOGE initiative seeks access to sensitive taxpayer information from the IRS, prompting ethical and security concerns among officials. Musk has also expressed support for Trump's criticisms of CBS’s 60 Minutes, reflecting a growing alignment with Trump's narrative against mainstream media. The Associated Press is in conflict with the Trump administration over the renaming of the Gulf of Mexico to the "Gulf of America," resulting in the revocation of its access to significant areas like the Oval Office and Air Force One.
Tech Optimizer
November 29, 2024
Cybersecurity researchers Tal Peleg and Coby Abrams from Varonis have identified a significant security vulnerability in PostgreSQL, designated as CVE-2024-10979, which has a CVSS severity score of 8.8. This vulnerability affects all PostgreSQL versions prior to 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. It allows unprivileged users to manipulate environment variables within the PostgreSQL PL/Perl extension, potentially enabling arbitrary code execution. PostgreSQL's advisory states that this flaw can lead to data theft or system takeover by altering sensitive process environment variables. Users are advised to update to the fixed versions and implement restrictions on allowed extensions and user permissions to mitigate the risk.
Winsage
October 21, 2024
Ransomware groups, such as Beast ransomware, have become significant threats in cybersecurity, utilizing advanced malware to encrypt data and demand ransoms. Beast ransomware, identified by Cybereason, has been active since 2022 and can target Windows, Linux, and ESXi operating systems. Originally developed in Delphi, it now uses C and Go. The ransomware employs elliptic-curve and ChaCha20 encryption techniques, features multithreaded file encryption, process termination, and shadow copy deletion on Windows. For Linux and ESXi, it offers customizable encryption paths and VM shutdown options. It spreads through phishing emails, compromised RDP endpoints, and SMB network scans, exploiting the RstrtMgr.dll for file access manipulation. Recent enhancements include an offline builder for configuring builds across various systems. The attack sequence starts with shadow copy deletion via a WMI query, followed by efficient file encryption targeting various file formats. A ransom note is placed in each affected directory, and users can access the ransomware's GUI during encryption. Recommendations to mitigate risks include tracking affiliates, promoting multi-factor authentication, enabling anti-malware solutions, implementing anti-ransomware measures, ensuring regular system patching, and backing up files.