ZIP archives Archives

Winsage

March 8, 2025

Lumma Stealer Launch “Click Fix” Style Attack via Fake Google Meet & Windows Update Sites

Recent investigations from Palo Alto have revealed the use of "click fix" campaigns for distributing Lumma Stealer malware, which exploit user interaction by embedding malicious scripts into the copy-paste buffer. Victims are tricked into executing harmful commands through seemingly benign instructions on malicious web pages. Key tactics include: - Domain Impersonation: Registering domains that resemble legitimate services (e.g., windows-update[.]site). - Abuse of Trusted Platforms: Hosting malicious pages on reputable platforms like Google Sites. - PowerShell Script Delivery: Using data binaries that execute as PowerShell scripts. - DLL Side-Loading: Distributing zip archives with decoy files alongside legitimate executables for side-loading Lumma Stealer DLLs. Examples of malicious activity include: 1. Fake Google Meet Page: A fraudulent page instructs users to execute a PowerShell command that downloads a script from tlgrm-redirect[.]icu, leading to the download of Lumma Stealer files from plsverif[.]cfd/1.zip and executing a DLL file (DuiLib_u.dll) through side-loading. 2. Fake Windows Update Site: The site windows-update[.]site prompts users to run a PowerShell command that downloads a file from overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4, which functions as a PowerShell script. Malicious traffic patterns include HTTP POST requests to tlgrmverif[.]cyou/log.php and downloads from plsverif[.]cfd and overcoatpassably[.]shop. Active command-and-control (C2) domains for Lumma Stealer are: - web-security3[.]com - techspherxe[.]top Inactive C2 domains include: - hardswarehub[.]today - earthsymphzony[.]today Key files associated with these campaigns are: - A PowerShell script from tlgrm-redirect[.]icu/1.txt (SHA256: 909ed8a135…). - A zip archive from plsverif[.]cfd/1.zip (SHA256: 0608775a345…). - A side-loaded DLL (DuiLib_u.dll, SHA256: b3e8b610ef…). Indicators of compromise include active domains like windows-update[.]site and sites[.]google[.]com/view/get-access-now-test/verify-your-account, and associated domains such as authentication-safeguard[.]com, plsverif[.]cfd, and tlgrmverif[.]cyou.

Winsage

February 18, 2025

Windows 11 24H2’s latest bug turns a simple file move into a total nightmare, and you could be its next victim

Moving program files from .ZIP files in Windows 11 can cause File Explorer to freeze. Users can restart File Explorer via Task Manager to resolve the issue temporarily. Microsoft has not acknowledged this bug, and it is recommended to avoid using drag-and-drop for moving files to prevent the freeze.

Tech Optimizer

December 5, 2024

Hackers bypass antivirus using corrupted files

Researchers at ANY.RUN have identified a zero-day attack campaign operational since at least August 2024, which employs corrupted files to bypass security measures. Attackers use corrupted files, often disguised as ZIP archives or DOCX documents, to exploit vulnerabilities in file-handling processes, allowing them to evade antivirus software, sandbox environments, and email spam filters. These files execute malicious code when opened, despite their damaged appearance. Conventional antivirus solutions struggle to scan these files effectively, static analysis tools fail to process them, and advanced email filters cannot intercept them. ANY.RUN’s interactive sandbox can dynamically analyze these corrupted files in real-time, identifying malicious activity that traditional security tools miss. The attack process involves delivering a corrupted file via email, leading to detection failure by security tools, execution through built-in recovery mechanisms in applications, and identification of malicious behavior by the sandbox. This highlights the need for advanced threat detection techniques to maintain robust cybersecurity.

Winsage

September 26, 2024

Alert on illegal movie download: This new virus can ‘destroy’ your Windows PC/laptop – Times of India

A sophisticated malware known as Peaklight targets individuals who visit illegal movie download sites, specifically designed to infiltrate Windows computers and deploy information stealers and loaders. Peaklight operates solely within a computer's memory, leaving no trace on the hard drive, making detection difficult. It uses a PowerShell-based downloader to retrieve additional malware, such as Lumma Stealer, Hijack Loader, and CryptBot. Cybercriminals distribute Peaklight through deceptive movie downloads, hiding harmful Windows shortcut files within ZIP folders. When opened, these files connect to a content delivery network (CDN) to execute malicious JavaScript code, which activates the Peaklight downloader and retrieves further threats from a remote server.

Tech Optimizer

September 26, 2024

Illegal movie downloads could be hiding dangerous new malware

Illegal movie sites pose a significant risk to internet users due to the potential for malware infections. A report from Mandiant has identified a new malware called Peaklight, which targets individuals downloading pirated content. Peaklight operates solely in a computer's memory, leaving no trace on the hard drive, making it difficult for traditional antivirus programs to detect. The malware is activated when users download a Windows shortcut file (LNK) disguised as a movie download, which connects to a content delivery network (CDN) to execute harmful JavaScript code and a PowerShell script known as PEAKLIGHT. This script communicates with a remote server to download additional malicious software. Mandiant researchers note that Peaklight is part of a multi-stage execution chain that checks for ZIP archives in specific file paths before downloading more harmful content. To protect against malware, users are advised to avoid pirated content, keep their operating systems and software updated, use strong antivirus software, be cautious of suspicious links and files, utilize strong passwords and two-factor authentication, and be wary of compressed files.

Winsage

September 21, 2024

New Microsoft Windows Warning—You Must Never Do This On Your PC

A global cyber attack is targeting Windows users, particularly those on Windows 10, as they approach a period without security updates. The campaign involves fraudulent CAPTCHA popups designed to distribute Lumma Stealer malware. Users are tricked into clicking buttons that prompt them to paste a PowerShell script, which then executes a malicious EXE file. McAfee researchers have issued an alert about these deceptive tactics, which target individuals downloading pirated games and software developers through phishing emails. The ClickFix infection chain exploits common user behaviors, leading to the installation of malware. Users are advised to be cautious and avoid executing commands from within CAPTCHAs. As Windows 10 support ends in October 2024, users may need to consider upgrading to Windows 11 for continued security.

Winsage

September 17, 2024

New Microsoft Windows Deadline—You Have 3 Weeks To Update Your PC

Microsoft has revealed a security vulnerability, CVE-2024-43461, related to the MSHTML Platform in Windows, which allows attackers to spoof web pages. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog and set an update deadline of October 7 for Windows PCs. This vulnerability has been exploited alongside CVE-2024-38112, which was reported in July. Check Point noted that attackers have been using Windows Internet Shortcut files to exploit this vulnerability, even on the latest Windows versions. Microsoft recommends that users apply both Security Only updates and Internet Explorer Cumulative updates for comprehensive protection. The exploitation of these vulnerabilities has been linked to the advanced persistent threat group Void Banshee, which uses tactics like luring victims with malicious files. CISA emphasizes the importance of applying mitigations or discontinuing the use of affected products, urging users to update their systems or power them down to avoid vulnerabilities.

AppWizard

July 17, 2024

Google’s Files Apps Will Soon Let You Create ZIP Archives – Talk Android

Google Files now allows users to create ZIP archives directly from their smartphones, in addition to being able to extract them.

Winsage

July 17, 2024

Void Banshee Group Used ‘Windows Relic’ IE in Phishing Campaign

The ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which allowed attackers to run and execute files and websites through the disabled IE process by exploiting MSHTML. The vulnerability was used in a spearfishing campaign by the operators behind Void Banshee, targeting victims in North America, Europe, and Southeast Asia. The campaign distributed malicious files disguised as PDFs through cloud sharing websites, Discord servers, and online libraries. The malware used in the campaign, Atlantida stealer, targets sensitive information from various applications and can collect system information and geolocation data. The exploitation tactic is similar to another MSHTML vulnerability, CVE-2021-40444, and both have been patched by Microsoft. Unsupported Windows relics like Internet Explorer are an overlooked attack surface that can still be exploited by threat actors. Organizations should keep their software updated to protect themselves from security vulnerabilities.