malware distribution Archives

AppWizard

March 20, 2025

Signal Messenger Exploited in Targeted Attacks on Defense Industry Employees

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned about targeted cyberattacks against employees in the defense-industrial complex and members of the Defense Forces of Ukraine, which have been ongoing since at least summer 2024 and have intensified recently. Attackers are using the Signal messenger app to distribute malicious files by compromising trusted contacts' accounts. In March 2025, CERT-UA observed that attackers were sending archived messages through Signal, which included a PDF and an executable file called DarkTortilla, designed to activate the DarkCrystal RAT (DCRAT) software. The focus of these deceptive messages has shifted to critical topics like unmanned aerial vehicles (UAVs) and electronic warfare equipment. CERT-UA has labeled this activity UAC-0200 and advises reporting any suspicious messages immediately. They have also compiled indicators related to the attacks, including specific file hashes, IP addresses, and URLs linked to the attackers' infrastructure.

Winsage

March 9, 2025

Threat Actors Leverage YouTubers to Attack Windows Systems Via SilentCryptoMiner

Security researchers have identified a malware campaign targeting YouTubers to spread SilentCryptoMiner malware disguised as tools to bypass restrictions. Over 2,000 victims in Russia have been reported, with the actual number likely higher. The malware exploits Windows Packet Divert drivers, with over 2.4 million detections in the past six months. Threat actors issue copyright strikes to compel YouTubers to promote infected files, manipulating their reputations. One YouTuber with 60,000 subscribers linked to a malicious archive that was downloaded over 40,000 times. The infection starts with an archive containing a modified script that executes a malicious executable via PowerShell. If security software removes the file, users are prompted to disable their antivirus. The malware's infection chain is multi-staged, using a Python-crafted loader to retrieve payloads from specific domains. It employs anti-VM techniques, modifies defender exclusions, and stealthily mines cryptocurrencies while pausing during certain program activities. Security experts warn against using restriction bypass tools due to their association with malware distribution.

Winsage

March 8, 2025

Lumma Stealer Launch “Click Fix” Style Attack via Fake Google Meet & Windows Update Sites

Recent investigations from Palo Alto have revealed the use of "click fix" campaigns for distributing Lumma Stealer malware, which exploit user interaction by embedding malicious scripts into the copy-paste buffer. Victims are tricked into executing harmful commands through seemingly benign instructions on malicious web pages. Key tactics include: - Domain Impersonation: Registering domains that resemble legitimate services (e.g., windows-update[.]site). - Abuse of Trusted Platforms: Hosting malicious pages on reputable platforms like Google Sites. - PowerShell Script Delivery: Using data binaries that execute as PowerShell scripts. - DLL Side-Loading: Distributing zip archives with decoy files alongside legitimate executables for side-loading Lumma Stealer DLLs. Examples of malicious activity include: 1. Fake Google Meet Page: A fraudulent page instructs users to execute a PowerShell command that downloads a script from tlgrm-redirect[.]icu, leading to the download of Lumma Stealer files from plsverif[.]cfd/1.zip and executing a DLL file (DuiLib_u.dll) through side-loading. 2. Fake Windows Update Site: The site windows-update[.]site prompts users to run a PowerShell command that downloads a file from overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4, which functions as a PowerShell script. Malicious traffic patterns include HTTP POST requests to tlgrmverif[.]cyou/log.php and downloads from plsverif[.]cfd and overcoatpassably[.]shop. Active command-and-control (C2) domains for Lumma Stealer are: - web-security3[.]com - techspherxe[.]top Inactive C2 domains include: - hardswarehub[.]today - earthsymphzony[.]today Key files associated with these campaigns are: - A PowerShell script from tlgrm-redirect[.]icu/1.txt (SHA256: 909ed8a135…). - A zip archive from plsverif[.]cfd/1.zip (SHA256: 0608775a345…). - A side-loaded DLL (DuiLib_u.dll, SHA256: b3e8b610ef…). Indicators of compromise include active domains like windows-update[.]site and sites[.]google[.]com/view/get-access-now-test/verify-your-account, and associated domains such as authentication-safeguard[.]com, plsverif[.]cfd, and tlgrmverif[.]cyou.

Tech Optimizer

March 5, 2025

Cybercriminals are distributing a miner disguised as a restriction-bypassing toolCybercriminals are distributing a miner disguised as a restriction-bypassing tool

In recent months, the use of Windows Packet Divert drivers in Russia has surged, nearly doubling between August 2023 and January 2024, primarily for tools that bypass access restrictions to foreign resources. Cybercriminals are exploiting this trend by distributing malware disguised as these tools, with some bloggers unknowingly promoting such malicious programs. An investigation revealed that a YouTube channel with 60,000 subscribers posted videos on bypassing restrictions, linking to a malicious archive that had been downloaded over 40,000 times. The malware, a variant of SilentCryptoMiner, is designed to mine cryptocurrencies while evading detection. Users are advised to ensure their devices have trusted protection, avoid obscure downloads, and be cautious of even reputable bloggers who may inadvertently share malware.

Winsage

February 12, 2025

Russian military hackers deploy malicious Windows activators in Ukraine

The Sandworm group, a Russian military cyber-espionage entity, has intensified attacks on Windows users in Ukraine by distributing trojanized Microsoft Key Management Service (KMS) activators and counterfeit Windows updates since late 2023. Threat analysts at EclecticIQ have linked these activities to Sandworm through overlapping infrastructure and consistent tactics. The attackers use a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, with evidence of Russian military involvement indicated by debug symbols from a Russian-language build environment. Seven distinct malware distribution campaigns have been cataloged, with the latest incident on January 12, 2025, involving DcRAT during data exfiltration attacks. The counterfeit KMS tool installs a deceptive activation interface while secretly loading malware and disabling Windows Defender. The malware captures sensitive information, including keystrokes and saved credentials, and transmits it to the attackers' servers. Sandworm exploits the prevalence of pirated software in Ukraine, posing a significant threat to national security and critical infrastructure. The group has been active since at least 2009 and operates under Military Unit 74455 of the GRU, focusing on disruptive attacks against Ukraine.

Tech Optimizer

February 11, 2025

Essential tips to protect your computer from malware

Malware includes various types of malicious software such as viruses, worms, Trojans, ransomware, and spyware. Email attachments and links are common methods for malware distribution, with cybercriminals often disguising malicious files as legitimate communications. Regular software updates are essential for protecting against security vulnerabilities. Pirated software frequently contains malware and poses risks to computer security. Installing antivirus and antimalware software is crucial for defense against attacks, with recommendations for programs like Windows Defender and Malwarebytes. Encrypting sensitive data can prevent unauthorized access, and maintaining cloud backups is vital for data recovery in case of ransomware attacks. Using a Virtual Private Network (VPN) is recommended when accessing the internet on public networks to protect personal information. Users should monitor their devices for suspicious activity, such as system slowdowns or unexpected pop-ups, and conduct malware scans if symptoms arise.

AppWizard

December 18, 2024

Google Play Store to remove peer-to-peer ‘app share’ functionality

Version 44.1 of the Google Play Store has removed the "Share apps" feature, which allowed users to share installed applications via Nearby Share. This feature was introduced in early 2021 and enabled app transfers without internet or mobile data usage. The change was noted by 9to5Google in the official changelog, and while Google has not commented on the removal, there are speculations about security concerns related to potential malware distribution. Users can still share apps using Files by Google or third-party file sharing applications.

Winsage

December 9, 2024

The Countdown to Windows 10 End of Life: What IT Teams Need to Know

Microsoft will discontinue support for Windows 10 on October 14, 2025. Extended Security Updates (ESUs) will be available for a maximum of three years at approximately per device. Windows 10 is currently the most targeted among older Windows operating systems, facing high-severity vulnerabilities. Organizations should conduct an asset audit, evaluate ESUs, migrate critical systems to the cloud, and establish a decommission plan for legacy systems. Morphisec offers a lightweight security solution for legacy systems, utilizing Automated Moving Target Defense (AMTD) technology to protect against advanced threats without the need for updates or internet connectivity.

AppWizard

December 6, 2024

New Android Spyware Alert—Delete All These Apps Now

Samsung is tightening security measures against apps from unofficial app stores due to a newly discovered threat from a sophisticated malware called DroidBot. Cleafy, a cybersecurity firm, describes DroidBot as an advanced Android Remote Access Trojan (RAT) that combines traditional hidden VNC and overlay functionalities with spyware capabilities, including keylogging and data exfiltration. The malware has infected 77 applications, including those from banking institutions and cryptocurrency exchanges, and is present in countries such as the UK, Italy, France, Spain, and Portugal, with potential expansion into Latin America and the United States. DroidBot operates as Malware as a Service, available for rent to various threat actors, with 17 identified affiliate groups. It disguises itself as popular applications to entice users into downloading it and exploits permissions to operate covertly, particularly using Accessibility Services. Its functionalities include intercepting SMS messages, keylogging, and creating fake login screens to capture user credentials. Users are advised to avoid installing banking apps from unofficial sources, delete any malicious applications, and ensure their devices are secure by enabling Play Protect and keeping the operating system updated. Key safety measures include using official app stores, verifying app developers, being cautious with permissions, avoiding direct download links, and checking the legitimacy of apps claiming to link to established services.

Tech Optimizer

December 3, 2024

Hackers are now using corrupted files to bypass your antivirus software — how to stay safe

Cybersecurity experts from ANY.RUN have discovered that hackers are using a new method to distribute malware on Windows PCs through phishing emails containing intentionally corrupted Microsoft Office or ZIP files. This tactic is designed to evade detection by users and antivirus software. The corrupted files complicate the identification of malicious content, as security tools fail to extract any files from them, leading to undetected malware. An example of this phishing tactic includes an email impersonating an HR department, which suggests a salary increase while concealing a malicious Word document and a QR code that may lead to a harmful domain. Users are advised to be cautious with emails from unknown senders, verify sender addresses, and ensure robust antivirus software is installed on all devices. It is also recommended to contact senders directly for verification and to avoid downloading attachments from unknown sources.