Jochen Michels’ Post

🔍 APT Research, Year-End Reviews, and Other Cybersecurity News of the Week 👮♀️ The new Ymir ransomware family employs advanced evasion techniques and robust encryption. The attackers follow up RustyStealer infections. https://lnkd.in/gKwFdRmk 🧭 A review of financially motivated threats in 2024 and predictions for 2025. https://lnkd.in/d5cnvFYG 👀 A detailed analysis of the complex modular Windows implant by APT41. DeepData malware is an evolution of LightSpy framework. https://lnkd.in/djkNAQjq 🔍 A detailed overview of industrial cybersecurity incidents in Q2 2024. https://lnkd.in/druzcue2 🔎 Ransomware targets cloud infrastructure: TTPs of gangs Indosec, Pandora, and RansomES. https://lnkd.in/dpQejhKA ➡️ The new Python malware PXA Stealer, likely linked to CoralRaider APT, has been detected in government and educational institutions in India and Europe. Interestingly, its targeting contradicts the malware's "interests," as it collects passwords for crypto wallets & gaming services. https://lnkd.in/gebMUs6B 🍏 Analysis of the new Lazarus technique used in RustyAttr malware for macOS: code is hidden in extended attributes of the app bundle for stealth. https://lnkd.in/gh_kyuv7 🔄 Detailed technical analysis of how infostealers bypass Chrome app-bound encryption. As a reminder, Google released a new method to protect cookies from theft this year, which infostealers have overcome (at the cost of reduced stealth). https://lnkd.in/d9JvtbXh 👩💻 Domain delegation errors are being widely exploited by criminals. Misconfigured DNS allows phishing and scam sites to be hosted on reputable company domains. Researchers found 800,000 vulnerable domains, with 70,000 actually compromised. https://lnkd.in/dDgZR-QV 📥 Technical analysis of Strela stealer, primarily targeting Europe. It spreads through phishing, notably using genuine emails about sent invoices—criminals use emails they previously stole. https://lnkd.in/gQhPVBnK Malicious QR codes now in the mail: Swiss residents received paper letters, allegedly from the local meteorological agency, inviting them to install a new weather app. The link distributed the Coper banking trojan. https://lnkd.in/dUxePZ7g #news #digest #APT #cybersecurity

Crypto-stealing malware campaign infects 28,000 people Over 28,000 people from Russia, Turkey, Ukraine, and other countries in the Eurasian region were impacted by a large-scale cryptocurrency-stealing malware campaign. The malware campaign disguises itself as legitimate software promoted via YouTube videos and fraudulent GitHub repositories where victims download password-protected archives that initiate the infection. According to cybersecurity firm Dr. Web, the campaign uses pirated office-related software, game cheats and hacks, and even automated trading bots to deceive users into downloading malicious files. Stay Connected to Sidharth Sharma, CPA, CISA, CISM, CFE, CDPSE for content related to Cyber Security. #CyberSecurity #JPMC #Technology #InfoSec #DataProtection #DataPrivacy #ThreatIntelligence #CyberThreats #NetworkSecurity #CyberDefense #SecurityAwareness #ITSecurity #SecuritySolutions #CyberResilience #DigitalSecurity #SecurityBestPractices #CyberRisk #SecurityOperations 

Beware the allure of AI! Kaspersky uncovers malware campaigns that are exploiting the popularity of AI voice generators. Phishing websites lure victims with fake downloads and then steal passwords and data. This highlights the growing threat of AI-based cyberattacks. Learn how to protect yourself; #CyberSecurity #AI #Malware #Phishing

New Octo Android malware version impersonates NordVPN, Google Chrome A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise. The new variant, analyzed by ThreatFabric, features better operational stability, more advanced anti-analysis and anti-detection mechanisms, and a domain generation algorithm (DGA) system for resilient command and control (C2) communications. Ultimately, its appearance in the wild confirms that the project is alive and evolving despite the turbulence it went through recently. Stay Connected to Sidharth Sharma, CPA, CISA, CISM, CFE, CDPSE for content related to Cyber Security. #CyberSecurity #JPMC #Technology #InfoSec #DataProtection #DataPrivacy #ThreatIntelligence #CyberThreats #NetworkSecurity #CyberDefense #SecurityAwareness #ITSecurity #SecuritySolutions #CyberResilience #DigitalSecurity #SecurityBestPractices #CyberRisk #SecurityOperations 

“CISA has ordered U.S. federal agencies to secure their systems against a recently patched Windows MSHTML spoofing zero-day bug exploited by the Void Banshee APT hacking group. The vulnerability (CVE-2024-43461) was disclosed during this month's Patch Tuesday, and Microsoft initially classified it as not exploited in attacks. However, Microsoft updated the advisory on Friday to confirm that it had been exploited in attacks before being fixed. … The vulnerability enables remote attackers to execute arbitrary code on unpatched Windows systems by tricking the targets into visiting a maliciously crafted webpage or opening a malicious file.” https://gag.gl/XyqzqZ Visit our website to learn how you can protect IP, PII, and PHI against malware and ransomware by reducing and defending the number of entry points a malicious file can enter their networks. #cybersecurity #kiteworks #cyberattack #ransomware #malware #contentprotection #contentsecurity

“CISA has ordered U.S. federal agencies to secure their systems against a recently patched Windows MSHTML spoofing zero-day bug exploited by the Void Banshee APT hacking group. The vulnerability (CVE-2024-43461) was disclosed during this month's Patch Tuesday, and Microsoft initially classified it as not exploited in attacks. However, Microsoft updated the advisory on Friday to confirm that it had been exploited in attacks before being fixed. … The vulnerability enables remote attackers to execute arbitrary code on unpatched Windows systems by tricking the targets into visiting a maliciously crafted webpage or opening a malicious file.” https://gag.gl/kKlFOD Visit our website to learn how you can protect IP, PII, and PHI against malware and ransomware by reducing and defending the number of entry points a malicious file can enter their networks. #cybersecurity #kiteworks #cyberattack #ransomware #malware #contentprotection #contentsecurity

article about hacking The articles from Kaspersky[1], Malwarebytes[2], BBC News[3], and SecurityTrails[4] provide comprehensive insights into hacking. They discuss the evolution of hacking from its early days at MIT to the rise of cybercrime in the 1980s and the notoriety it gained in the 1990s. The articles highlight various hacking techniques such as social engineering, password hacking, malware infiltration, exploiting insecure networks, and gaining backdoor access. Additionally, they categorize hackers into black hat, white hat, and gray hat hackers based on their ethical stance. Furthermore, the articles from SecurityTrails[4] delve into different aspects of hacking, including trojans, cybercriminals, hacktivism, internet search engines used by security researchers, hacker movies, cybersecurity legends, and the differences between hackers and crackers. They also cover common network security threats, the impact of web cryptominers, and the top Google hacking techniques. In summary, these articles collectively provide a detailed overview of hacking, its history, motivations, techniques, and the different types of hackers. They shed light on the evolution of hacking from a curiosity-driven activity to a significant cybersecurity threat, emphasizing the importance of understanding hacking for effective prevention and cybersecurity measures. Citations: [1] What is hacking? And how to prevent it - Kaspersky https://lnkd.in/g9WAHwCd [2] Hacker | Who are Hackers? What is Hacking? - Malwarebytes https://lnkd.in/gWNW4hv6 [3] Computer hacking - BBC News https://lnkd.in/gcmd4XWC [4] Hacking Articles, Tips and Tools - SecurityTrails https://lnkd.in/gjqXci32 [5] The Dangers of Hacking and What a Hacker Can Do to Your Computer | Webroot https://lnkd.in/gYTq48x3 #snsinstutions #snsdegsinthinkers #degsinthinking

||||Lumma , C based Malware Strikes Again with Go-Based Injector|||| New malware delivery chain involving a Go-based Injector that ultimately led to the execution of Lumma Stealer, a well-known information-stealing malware. operates as a Malware-as-a-Service (MaaS) on Russian-speaking forums. Written in C, this stealer is designed to exfiltrate sensitive information from victims’ systems, including cryptocurrency wallets, 2FA browser extension data, and other critical credentials. The attack observed by eSentire begins with users unknowingly navigating to a malicious website that presents a fake CAPTCHA page. This page copies a Base64 encoded PowerShell command to the user’s clipboard and instructs the victim to execute it via the Windows Run shortcut as part of a supposed verification step. This deceptive approach is designed to trick users into executing malicious commands under the guise of legitimate activity. Once executed, the PowerShell command retrieves and runs a file named smart1.exe, which acts as a decoy but secretly executes the Go Injector payload. This injector, known as 0klevgrand.exe, is hidden within a seemingly harmless archive, smart1.zip, which contains legitimate DLL files to avoid raising suspicion. Upon execution, the Go Injector performs several key actions to execute its malicious payload. It begins by collecting initial data about the host system, such as the hostname, username, and directory locations. From there, the injector employs a three-step process to deploy Lumma Stealer:    CreateProcess: The Go Injector creates a new process, typically using BitLockerToGo.exe, in suspended mode.    WriteProcessMemory: The injector writes the Lumma Stealer module into the memory space of the suspended process.    ResumeThread: Finally, the process is resumed, but it now contains the malicious Lumma Stealer code, allowing the attacker to gain control over the victim’s system. The entire injection process is designed to bypass detection, with encrypted payloads and the use of legitimate processes helping to evade traditional endpoint security solutions. Once Lumma Stealer is executed, it targets a wide range of sensitive data on the victim’s system. The decrypted PE data shows typical Lumma Stealer behavior, including strings encoded in Base64, which it uses to communicate with its command-and-control (C2) servers. eSentire’s analysis was able to decrypt these strings, identifying several new C2 domains, allowing the team to track and investigate ongoing Lumma Stealer operations. This malware is particularly dangerous due to its focus on stealing cryptocurrency and 2FA credentials, making it a significant threat to both individual users and organizations. The financial loss potential is high, and the use of Lumma Stealer in combination with Pay-Per-Install (PPI) services suggests that cybercriminals are increasingly using scalable, automated methods to distribute this malware to as many victims as possible.

Cybercriminals are exploiting trust in browser updates to deploy malware, a new report by eSentire warns. Fake update pop-ups lead to downloads containing malicious scripts. These scripts install information stealers and RATs, granting attackers access to sensitive data and remote control of the device. https://lnkd.in/e-G-p5xw #cybersecurity #infostealer #malware #trojan Want to provide your business with professional protection but don’t know where to start? Contact DigVel!

A new version of a sneaky malware known as Lndn Posty has been discovered by cybersecurity researchers. This updated variant, named Lndn Posty 3.0, is causing a stir with its ability to adapt and avoid detection. The team at Palo Alto Networks Unit 42, who keep a close watch on cyber threats, highlighted how Lndn Posty isn't your typical malware. It's like a shape-shifter, always changing its tactics to steal valuable information, such as passwords and cryptocurrency, from unsuspecting victims. Player_Bunny, the individual behind this digital mischief, unveiled the latest version of Lndn Posty on February 11, 2024. They've made significant improvements, like making the malware more efficient and enhancing its ability to log keystrokes. This isn't the first time Lndn Posty has made headlines. It made its debut back in September 2023, when Zscaler ThreatLabz first brought it to our attention. Initially, it was offered as a subscription service for $250 a month, catering to cybercriminals looking to make a quick profit. Since then, Lndn Posty has been constantly evolving. With each update, it becomes more elusive, slipping past antivirus programs and expanding its arsenal of tricks. Version 2.0 was released shortly after its initial debut, demonstrating how quickly these threats can change. The latest version, Lndn Posty 3.0, takes things up a notch. It's not just stealing information anymore; it's also capable of launching denial-of-service attacks to overwhelm websites. And it's not just one monolithic piece of software anymore; it's been broken down into smaller, more manageable components, giving cybercriminals even more flexibility. To make matters worse, Lndn Posty isn't the only threat out there. There's also SmokeLoader, a notorious malware used by a group of cybercriminals known as UAC-006. They've been targeting government agencies and financial institutions in Ukraine for years, using SmokeLoader to infiltrate their systems. And if that wasn't enough, there's also a new entrant called GlorySprout. Developed in C++, it's a clone of another malware called Taurus Stealer, but with a few key differences. Unlike its predecessor, GlorySprout doesn't rely on external servers to carry out its malicious activities, making it even harder to track down. In a world where cyber threats are constantly evolving, staying one step ahead is more important than ever. With malware like Lndn Posty, SmokeLoader, and GlorySprout lurking in the shadows, it's up to cybersecurity experts to keep us safe from harm.