Vigilance Archives

Tech Optimizer

May 28, 2025

Watch out – that antivirus website could be a fake, and infecting your PC with malware

Researchers have discovered a fraudulent website, "bitdefender-download[.]com," posing as Bitdefender antivirus, which is used to distribute the VenomRAT Remote Access Trojan. The site, hosted on an Amazon S3 bucket, tricks users into downloading harmful software through an executable file named "StoreInstaller.exe," which is linked to VenomRAT and contains code from post-exploitation frameworks SilentTrinity and StormKitty stealer. VenomRAT allows cybercriminals to gain unauthorized control over Windows systems, steal sensitive information, log keystrokes, access webcams, and execute commands remotely. The primary goal of this campaign is to steal cryptocurrency by compromising credentials and crypto wallets. The investigation also found connections to other fraudulent operations impersonating banks and IT services, including the Armenian IDBank and the Royal Bank of Canada.

Tech Optimizer

May 28, 2025

M&S shoppers urged to set up security measure on ‘all accounts’

M&S shoppers are being urged to enhance their online security following a cyber attack that disrupted customer services. The retailer has acknowledged ongoing challenges, stating they cannot process online orders while stores remain open. Sensitive customer information, including phone numbers, email addresses, and order histories, was compromised in the breach. Security expert Luis Corrons from Norton recommends activating two-step verification for online accounts, being cautious about stored personal and payment information, deleting unused accounts, using strong passwords, and keeping devices and software updated to improve security. He emphasizes that cyber threats are increasingly targeting human behavior and that these security measures are essential for digital safety.

Tech Optimizer

May 26, 2025

This Stealthy Malware Takes Control of Your Computer to Steal Your Data

Skitnet is a new malware that targets personal data by stealthily infiltrating computer systems. It is used by hackers to steal sensitive information through advanced methods, including the insertion of invisible malicious code in emails and the creation of fraudulent websites. Cybersecurity experts from PRODAFT have revealed that Skitnet is often employed by ransomware groups and can remotely control infected computers using services like AnyDesk. The malware operates discreetly, monitoring user actions without detection for extended periods, making it difficult for victims to realize they are infected until after data theft occurs. To protect against such threats, security specialists recommend identifying suspicious emails, using reliable antivirus software, and enhancing account security with two-step verification and strong passwords.

Tech Optimizer

May 23, 2025

Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection

The AhnLab Security Intelligence Center (ASEC) has identified a new strain of backdoor malware that works with a Monero coin miner, utilizing the PyBitmessage library for covert P2P communications. This malware uses encryption to secure data exchanges and anonymize identities, complicating detection by security tools. It decrypts resources using XOR operations to deploy a Monero miner and a backdoor component. The Monero miner exploits the cryptocurrency's anonymity, while the backdoor, created with PowerShell, installs PyBitmessage and retrieves files from GitHub or a Russian file-sharing platform. Commands are executed as PowerShell scripts, making detection difficult. The malware may be distributed as legitimate software or cracked files. ASEC advises caution with unverified files and recommends keeping security solutions updated. Indicators of Compromise (IOCs): - MD5: 17909a3f757b4b31ab6cd91b3117ec50 - MD5: 29d43ebc516dd66f2151da9472959890 - MD5: 36235f722c0f3c71b25bcd9f98b7e7f0 - MD5: 498c89a2c40a42138da00c987cf89388 - MD5: 604b3c0c3ce5e6bd5900ceca07d587b9 - URLs: - http://krb.miner.rocks:4444/ - http://krb.sberex.com:3333/ - http://pool.karbowanec.com:3333/ - http://pool.supportxmr.com:3333/ - https://spac1.com/files/view/bitmessage-6-3-2-80507747/

Winsage

May 22, 2025

Hackers can disable Windows Defender

A new tool called Defendnot can disable Windows Defender by masquerading as another antivirus program, exploiting a limitation of the Windows operating system that prevents multiple antivirus solutions from running simultaneously. When Defendnot is installed, Windows automatically disables Defender, leaving systems vulnerable. Cybersecurity experts recommend using robust antivirus solutions like TotalAV for additional security.

Winsage

May 22, 2025

Windows Server Flaw a Shortcut to Privilege Escalation

An unpatched vulnerability in Windows Server 2025, identified by Akamai researchers, is associated with a method called "BadSuccessor." This flaw, considered "trivial" to exploit and present in the default configuration, allows for privilege escalation and potential full domain compromise. The vulnerability arises from delegated managed service accounts (dMSA), which were intended to enhance security during the migration of legacy service accounts. However, dMSAs can inherit permissions from legacy accounts, enabling attackers to simulate a migration and gain access to the permissions and encryption keys of those accounts without verification. The attack requires prior permissions within an Active Directory organizational unit, indicating a previous breach. Akamai reported the vulnerability to Microsoft on April 1, but Microsoft classified its severity as "moderate." Akamai recommends organizations restrict the creation of dMSAs to mitigate risks associated with this vulnerability.

Winsage

May 21, 2025

Windows 10’s latest update packs a nasty bug, and while your system might be safe, it’s vital you check now

Windows 10 users are experiencing issues with the May update, which has a bug affecting business laptops with Intel vPro processors. This bug can cause update installation failures and repeated automatic repair attempts. Microsoft has released an emergency fix, KB5061768, which users should apply before installing the May update. The problem stems from the termination of the lsass.exe service, leading to automatic repair failures and potential lockouts for users with Device Encryption or BitLocker. To recover, users may need to disable Intel Trusted Execution Technology (TXT) and Intel VT for Direct I/O in BIOS settings, which typically requires the BitLocker recovery key. A workaround allows users to disable Intel TXT without changing Intel VT settings. Users can access BIOS by pressing keys like F2, F10, or F12 during startup, navigate to the Intel TXT setting, disable it, and then restart their PC to install the emergency patch. It is recommended to install the emergency fix before downloading the May update. Similar bugs have occurred in previous updates for Windows 10 and 11. Windows 11 users should note that a clean install of version 24H2 automatically applies Device Encryption, which requires careful management of Microsoft account credentials for recovery keys.

AppWizard

May 20, 2025

Preventing App-Based Threats on Android Devices

By 2025, the Android platform faces increasingly sophisticated app-based threats, including ransomware, fake apps, social engineering, and remote access attacks. Cybercriminals exploit Android's open architecture, prompting the need for advanced security measures. Android's security architecture includes: 1. Google Play Protect: Scans applications before installation using real-time machine learning to detect emerging malware and deceptive tactics. 2. Application Sandboxing: Isolates apps to prevent data access between them, utilizing Linux permissions and SELinux policies. 3. App Signing and Code Integrity: Requires cryptographic signatures for apps, complicating the introduction of rogue certificates and runtime modifications. Advanced protections include Runtime Application Self-Protection (RASP) for high-security apps, which monitors behavior in real time, and secure coding practices that encourage regular code reviews, strong authentication, and data encryption. User vigilance is crucial, emphasizing responsible downloading, limiting permissions, keeping software updated, enabling two-factor authentication, and being cautious with public Wi-Fi. Google continuously updates security measures, ensuring older devices receive new protections, while collaboration with the security community aids in identifying and countering emerging threats.

Tech Optimizer

May 19, 2025

This new Defendnot trojan can get Windows to disable its own antivirus software

A researcher using the pseudonym es3n1n has created a tool called Defendnot that manipulates Windows operating systems to disable Microsoft Defender, making devices vulnerable to malware. Defendnot simulates the presence of a legitimate antivirus by using an undocumented API in the Windows Security Center, convincing Windows that a valid antivirus is installed. This development raises concerns about cybersecurity, as it undermines the effectiveness of built-in antivirus protections like Windows Defender.

AppWizard

May 14, 2025

Google Will Prevent Unknown App Downloads During Calls On Android 16

Google has introduced Advanced Protection for Android devices, aimed at enhancing security for users, especially those in public-facing roles. This feature was showcased on May 13, 2025, and will be released with Android 16 in June. Key functionalities include an Offline Device Key, Theft Detection, and Play Protect. Advanced Protection will restrict sideloading applications and downloading from third-party sources. It also blocks downloads from unknown sources during active phone calls and restricts access to banking applications during calls. Users will be unable to share screens with third-party applications while on calls. The initiative is currently being tested in various countries.