There is a new phishing spam campaign making headlines in the cybersecurity world that delivers malware onto compromised machines. The malware is initiated by a phishing attack and delivered by “Matanbuchus,” specially designed to deliver DLL payloads, launch malicious PowerShell commands, and persist via additional task schedules. The attack is highly sophisticated and makes the use of malicious MSI installer files leading to an Adobe Acrobat installer running a beacon for Cobalt Strike in the background.
The following sections delve deeper into how the latest malware attack takes place.
Phishing is one of the most formidable threats in the cyber world today. Even though various news, reports, and anti-phishing campaigns attempt to spread awareness and knowledge, people still fall victim to novel phishing methods. This article seeks to summarize key statistics observed so far in 2022 by various cybersecurity organizations and present them in a useful and comprehensive manner. It is also a warning for all organizations and individuals for the rest of the year. Continue reading “Phishing Trends in 2022 So Far, And What You Can Learn From Them” »
As the conflict between Russia and Ukraine escalates, the potential of utilizing more lethal weapons, which was previously merely a fear, may now take on a new form. The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about a huge distribution campaign based on the concept of a “chemical attack.” Receiving an email like this in Ukraine’s invasion-affected regions is sure to generate widespread panic. Jester Stealer, a malicious file capable of large-scale data theft, is back on the hunt.
What the Warning is About and How it Works
Recently, via its official website, CERT-UA (Center of Excellence for Applied Research and Training) issued a warning about the upcoming wave of cyberattacks on Ukrainians that shall distribute Jester Stealer.
It says, “The hackers obtain the stolen data over Telegram using statically established proxy addresses (e.g., within TOR),” and “They also employ anti-analysis methods (anti-VM/debug/sandbox).” The virus does not have a persistence mechanism and is removed as soon as its activity is accomplished.
Details as Issued by CERT-UA
The Ukrainian government’s unit for reacting to computer emergencies, CERT-UA, discovered the widespread circulation of emails with the subject “chemical attack” and a link to an XLS document containing a macro.
When you open the document and activate the macro, it will download and launch the EXE file, infecting your computer with the dangerous malware JesterStealer.
Another Phishing Campaign
CERT-UA has linked the Jester Stealer campaign with another phishing campaign their system identified as the work of Russian state actors linked to APT28 (aka Fancy Bear aka Strontium).
These emails, titled “Кіберaтака” (cyber-attack in Ukrainian), are disguised as a security alert from CERT-UA. They contain a RAR file titled “UkrScanner.rar” attached to them, and when opened, the files deploy a malware called CredoMap_v2.
Sources Through Which Jester Stealer Can Attack Your System
The files are obtained from compromised web pages, according to the CERT-UA.
JesterStealer extracts authentication and other information from Internet browsers, MAIL/FTP/VPN clients, crypto wallets, password managers, messengers, game programs, and other applications.
The stolen information is then sent back to the attackers via Telegram. When the malicious action is finished, the virus deletes itself.
In What Manner Does it Infiltrate Systems?
The Jester Stealer is a Net-based malware that generally infects target computers via phishing emails masquerading as a txt, jar, ps1, bat, png, doc, Xls, pdf, mp3, mp4, or ppt file attachment.
Threat actors may also use random distribution routes, such as pirated material and hacking tools marketed on YouTube.
What is Jester Stealer?
Jester Stealer is an Information Stealer who takes your sensitive information, including login passwords, cookies, credit card information, etc., and passes it to a Threat Actor (TA). TAs collect and use stolen data by uploading it to a remote server, which in turn is sold on dark web markets or used in future attacks. Jester Stealer is a new threat that surfaced on cybercrime forums in July 2021. It has been upgraded seven times since then, with each version offering new features.
In addition to the Stealer’s anti-sandbox and anti-VM capabilities also allow data exfiltration through various platforms, including browsers, VPN clients, password managers, chat messengers, email clients, and crypto-wallets. Data is exfiltrated via TOR as logs to Telegram Bot.
Its unique characteristics
Jester Stealer has the following features:
The AES-CBC-256 algorithm is used to encrypt the connection.
Tor servers may be found around the network.
All logs are sent to your Telegram bot.
Swift log collecting in memory with no data written to the disc.
For lifetime access, Jester Stealer can be purchased for $99 a month or $249.
What is at Stake?
Since it encrypts connections with AES-CBC-256, integrates Tor network servers, redirects logs to Telegram bots, and bundles stolen material in memory before exfiltration, its attack vector is vast:
Passwords, credit cards, cookies, autofill information, browsing histories, and bookmarks/favorites for more than 20 web browsers.
Password managers such as KeePass, NordPass, LastPass, BitWarden, 1Password, RoboForm, and others.
Software for gaming: Steam sessions, Twitch streams, and OBS profiles with broadcast keys.
Thunderbird, Outlook, and FoxMail as potential email clients.
Apps for instant messaging: Telegram, Discord, WhatsApp, Signal, and Pidgin
The most popular digital wallets include Electrum, Exodus, Guarda, Atomic, Coinomi, Jaxx, Wasabi, Zcash, etc.
Guidelines to Safeguard Your Information Systems
Avoid Unreliable Websites: Keeping info-stealing infections to a minimum can be done by not downloading executable files from untrustworthy websites or torrent swarms.
Use official news sources: Stick to official news sources for breaking news in impacted areas. A true warning on the President’s website, or comparable message from official sources on Twitter, is more likely to be trusted than random emails.
Up-to-date Anti-Virus: It is always best to avoid downloading and executing files that arrive in unsolicited emails and check downloaded files on an up-to-date anti-virus program.
Avoid persuading emails that ask to download macros: Attackers frequently use deceptive messages, e.g., asking you to cancel an order or read a legal document. They will somehow make you download a document and then attempt to convince you to let macros execute. No reputable and legitimate organization will ask you to open an Excel file to cancel an order, and also, you don’t need macros to read a Word page.
Upgrading Overall Security: Develop a security attitude among your staff. Enable multi-factor authentication, ensuring strong passwords, and remember that phishing is still the most common attack vector, even for sophisticated adversaries.
The conflict between Ukraine and Russia is not the only reason for the cyberattack warning; phishing attempts have taken over the digital world. There is no hard and fast rule for protecting oneself against such cyber assaults; the only golden rule is to follow the fundamental cyber protection principles to avoid financial and reputational damages to your business.
Phishing has been one of the most widespread cyber threats and a significant challenge for security solutions for almost three decades. According to this phishing report, in 2021, 35% of all data breaches included scams trying to rob users of their sensitive information and login credentials. Over the past year, phishing attacks have increased by 29% globally. The menace of phishing poses a threat to organizations worldwide. Continue reading “Evolving Phishing Attack Trends: A Nightmare for Security Solutions” »
Cybercrimes have escalated significantly in the past couple of years owing to the mass adoption of online services. Threat actors have exhibited their affinity towards social media profiles and emails, targeting innocent people to scam them out of their finances and private data using phishing to sell on the dark web, to be spread and used in impersonation scams. As per recent reports, social media is the most recent category that cybercrime groups are exploiting for malicious purposes. Continue reading “Social Media Impersonation in Phishing: 2022’s Latest Wave of Cybercrime” »
Researchers at Armorblox found a malicious campaign that targeted WhatsApp users. The attackers have reached over 27,660 email addresses through targeted phishing attacks appearing to be from WhatsApp. When receiving attachments over email, you might be tricked by the threat actor into downloading other forms of malicious software. The following sections discuss more details about the latest phishing scheme. Continue reading “Voice Phishing: Surfacing of a New Cyber Threat on Whatsapp” »
Recently, according to a Google report, Russian and Belarusian cybercriminals have attacked Ukrainian citizens, using the ongoing conflict as an opportunity to benefit from it. The recent Russia-Ukraine war has become an opportunity for cyberattackers. CSIS reported that in February of 2022, the Ukrainian Ministries, Education, and Infrastructures were attacked. This led to a massive loss for the Ukrainian government. Grasping the understanding of the Ukrainian system gave the cybercriminals a clear understanding of how to proceed with their activities.
The rising threat of cyberattacks and data breaches, in particular, can cripple any organization, especially a small business. SMBs and SMEs are the top targets for threat actors owing to their lack of proper cybersecurity defenses and risk mitigation practices.
SMBs and SMEs need to understand the risks of data breaches and take proactive measures to ensure the security of their enterprise if they wish to maintain a strong market position. They need to evolve their cybersecurity practices with time to grow well for the future.
Phishing remains the top method that cybercriminals use to target individuals and employees worldwide to lure them in and lead them to fake applications, websites, and payment portals to steal information and hard-earned money.
VadeSecure’s latest report highlights how financial services is the most impersonated sector today, along with Facebook and Microsoft taking the crown for the most impersonated brands by phishing criminals. It is imperative to understand the rising threat of phishing, the latest phishing scams, and how you can ensure your organization’s protection against phishing.
Cybercriminals have always been actively looking for methods to breach security and acquire information that can be used as leverage over the victims. Due to the recent transition in the job market where individuals are always on the lookout for new and better opportunities, attackers have found a new method to exploit the vulnerabilities of jobseekers. The recent LinkedIn phishing attacks have proven how unguarded LinkedIn users are to such attacks.
The RLO technique is a simple technique that disguises malicious files making them seem like simple text files. When downloaded by the user, these files could damage their device or could be used to acquire sensitive information. Although this technique became outdated, recently, attackers started using it again as people lowered their guard against cyber attacks.
The most significant hazards to investors in 2022, according to NASAA (North American Securities Administrators Association), are cryptocurrency and digital asset-related frauds. Investors should be aware of the current cryptocurrency phishing scams getting more attention worldwide.
According to the FTC’s research, threat actors exploit popular social media platforms like Instagram and Facebook as a playground for pulling investment-related scams. Due to their popularity and excellent profits, crypto assets and stablecoins make appealing targets, making cryptocurrency one of the most vulnerable marketplaces for investors globally.