This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-12T01:27:03+00:00 www.secnews.physaphae.fr The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean threat actor tracked as Kimsuky has been observed deploying a previously undocumented Golang-based malware dubbed Durian as part of highly-targeted cyber attacks aimed at South Korean cryptocurrency firms. "Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads and exfiltration of files," Kaspersky&]]> 2024-05-10T20:24:00+00:00 https://thehackernews.com/2024/05/north-korean-hackers-deploy-new-golang.html www.secnews.physaphae.fr/article.php?IdArticle=8497283 False Malware,Threat None None RiskIQ - cyber risk firms (now microsoft) ## Snapshot SocGholish (also known as FakeUpdates), a malware known for its stealth and the intricacy of its delivery mechanisms, is targeting enterprises with deceptive browser update prompts. ## Description As reported by eSentire, compromised legitimate websites serve as the infection vector, where malicious JavaScript code is injected to prompt users to download browser updates. The downloaded files contain SocGholish malware, initiating the infection process upon execution.  The script employs various techniques to avoid detection and evade analysis. First, it checks if the browser is being controlled by automation tools and terminates execution if detected. Subsequently, it scrutinizes if the browser window has undergone significant manipulation to determine if the environment is being monitored. Additionally, it inspects for specific WordPress cookies to halt further actions if the user is logged into a WordPress site. If none of these conditions apply, it establishes a mouse movement event listener, tr]]> 2024-05-10T16:50:08+00:00 https://community.riskiq.com/article/c5bf96a0 www.secnews.physaphae.fr/article.php?IdArticle=8497333 False Malware,Tool,Threat None None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Malicious Android apps masquerading as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) have been observed to steal users\' credentials from compromised devices. "This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices," the SonicWall Capture Labs threat research team said in a recent report. The]]> 2024-05-10T15:51:00+00:00 https://thehackernews.com/2024/05/malicious-android-apps-pose-as-google.html www.secnews.physaphae.fr/article.php?IdArticle=8497141 False Malware,Threat,Mobile None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Polish government institutions have been targeted as part of a large-scale malware campaign orchestrated by a Russia-linked nation-state actor called APT28. "The campaign sent emails with content intended to arouse the recipient\'s interest and persuade him to click on the link," the computer emergency response team, CERT Polska, said in a Wednesday bulletin. Clicking on the link]]> 2024-05-09T20:50:00+00:00 https://thehackernews.com/2024/05/kremlin-backed-apt28-targets-polish.html www.secnews.physaphae.fr/article.php?IdArticle=8496647 False Malware APT 28 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-09T16:44:05+00:00 https://community.riskiq.com/article/1db83f2c www.secnews.physaphae.fr/article.php?IdArticle=8496697 False Malware,Vulnerability,Threat,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot Researchers at Zscaler have published a report about the evolution of HijackLoader, a malware loader, and its new evasion tactics. ## Description HijackLoader, also known as IDAT Loader, emerged in 2023 as a malware loader equipped with versatile modules for injecting and executing code. HijackLoader has modular architecture, an attribute that sets it apart from typical loaders.  Zscaler researchers analyzed a new HijackLoader variant that features upgraded evasion techniques. These enhancements aim to aid in the malware\'s stealth, prolonging its ability to evade detection. The latest version of HijackLoader introduces modules to bypass Windows Defender Antivirus, circumvent User Account Control (UAC), evade inline API hooking commonly used by security tools, and utilize process hollowing. HijackLoader\'s delivery mechanism involves utilizing a PNG image, decrypted and parsed to load the subsequent stage of the attack. HijackLoader has been observed serving as a delivery mechinism for various malware families, including Amadey, [Lumma Stealer](https://sip.security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad), Racoon Stealer v2, and Remcos RAT. ## Detections Microsoft Defender Antivirus detects threat components as the following malware: - [Trojan:Win32/HijackLoader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/HijackLoader.AHJ!MTB&threatId=-2147058662) ## References [HijackLoader Updates](https://www.zscaler.com/blogs/security-research/hijackloader-updates). Zscaler (accessed 2024-05-09)]]> 2024-05-09T16:11:06+00:00 https://community.riskiq.com/article/8c997d7c www.secnews.physaphae.fr/article.php?IdArticle=8496698 False Malware,Tool,Threat None 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Afghanistan, Turkmenistan and Tajikistan victims experienced the highest share of banking Trojans]]> 2024-05-09T15:00:00+00:00 https://www.infosecurity-magazine.com/news/mobile-banking-malware-surges-32/ www.secnews.physaphae.fr/article.php?IdArticle=8496614 False Malware,Mobile None 3.0000000000000000 Checkpoint - Fabricant Materiel Securite Les chercheurs ont récemment identifié un pic dans les attaques AndroxGH0st, un Troie qui cible les plates-formes Windows, Mac et Linux, qui l'ont vu sauter directement à la deuxième place de la liste des logiciels malveillants.Pendant ce temps, Lockbit3 reste étroitement le premier groupe de ransomwares, malgré une réduction de sa prévalence, notre dernier indice de menace mondial pour avril 2024 SAW, les chercheurs ont révélé une augmentation significative de l'utilisation des attaques AndroxGH0st, le malware étant utilisé comme un outil pour voler des informations sensibles à l'aidebotnets.Parallèlement, Lockbit3 est resté le groupe de ransomware le plus répandu en avril, malgré une baisse de 55% de son taux de détection depuis le début [& # 8230;]

---

>Researchers recently identified a spike in Androxgh0st attacks, a Trojan that targets Windows, Mac and Linux platforms, which saw it jump straight into second place in the top malware list. Meanwhile, LockBit3 narrowly remains the top ransomware group, despite a reduction in its prevalence Our latest Global Threat Index for April 2024 saw researchers revealed a significant increase in the use of Androxgh0st attacks, with the malware being used as a tool for stealing sensitive information using botnets. Meanwhile, LockBit3 remained the most prevalent ransomware group in April, despite a 55% drop in its rate of detection since the beginning […] ]]> 2024-05-09T13:00:21+00:00 https://blog.checkpoint.com/security/april-2024s-most-wanted-malware-surge-in-androxgh0st-attacks-and-the-decline-of-lockbit3/ www.secnews.physaphae.fr/article.php?IdArticle=8496582 False Ransomware,Malware,Tool,Threat None 3.0000000000000000 Kaspersky - Kaspersky Research blog The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.]]> 2024-05-09T10:00:28+00:00 https://securelist.com/apt-trends-report-q1-2024/112473/ www.secnews.physaphae.fr/article.php?IdArticle=8496467 False Malware None 3.0000000000000000 Global Security Mag - Site de news francais rapports spéciaux

---

Latest VIPRE Security Group Email Threat Trends Research Exposes Global Phishing and Malware Threat Landscape The US, UK, Ireland, and Japan emerge as the main source of spam; manufacturing, government, and IT sectors are most victimised; Pikabot top malware family - Special Reports]]> 2024-05-09T07:50:58+00:00 https://www.globalsecuritymag.fr/latest-vipre-security-group-email-threat-trends-research-exposes-global.html www.secnews.physaphae.fr/article.php?IdArticle=8496459 False Spam,Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-09T00:49:06+00:00 https://community.riskiq.com/article/1f1ae96f www.secnews.physaphae.fr/article.php?IdArticle=8496261 False Ransomware,Malware,Tool,Threat,Prediction,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot Juniper Threat Labs has reported that attackers are actively exploiting vulnerabilities in Ivanti Pulse Secure VPN appliances.  **Read more about Microsoft\'s coverage of [CVE-2023-46805 and CVE-2024-21887 here.](https://sip.security.microsoft.com/intel-profiles/cve-2023-46805)** ## Description The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited to deliver the Mirai botnet, among other malware, posing a significant threat to network security worldwide. CVE-2023-46805 is a critical security flaw affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways. This vulnerability allows remote attackers to bypass authentication mechanisms and gain unauthorized access to restricted resources. The second vulnerability, CVE-2024-21887, is a command injection flaw found in the web components of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability allows attackers to send specially crafted requests to execute arbitrary commands on the appliance. Attackers have used these vulnerabilities to deliver Mirai payloads through shell scripts.  Organizations using Ivanti Pulse Secure appliances are urged to apply the provided patches immediately and review their security posture to protect against these and future vulnerabilities. ## Recommendations As of January 31, 2024 Ivanti has released patches via the standard download portal for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Follow the [vendor\'s guide](https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide) to upgrade to a patched version. ## References "[Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities](https://gbhackers.com/hackers-actively-exploiting/)" GBHackers. (Accessed 2024-05-08)]]> 2024-05-08T19:42:50+00:00 https://community.riskiq.com/article/2d95eb1b www.secnews.physaphae.fr/article.php?IdArticle=8496119 False Malware,Vulnerability,Threat None 3.0000000000000000 McAfee Labs - Editeur Logiciel Rédigé par Yashvi Shah et Preksha Saxena Asyncrat, également connu comme & # 8220; Trojan à accès à distance asynchrone, & # 8221;représente un malware très sophistiqué ...

---

> Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as “Asynchronous Remote Access Trojan,” represents a highly sophisticated malware... ]]> 2024-05-08T18:14:14+00:00 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats/ www.secnews.physaphae.fr/article.php?IdArticle=8496073 False Spam,Malware None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. "These enhancements aim to increase the malware\'s stealthiness, thereby remaining undetected for longer periods of time," Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report. "Hijack]]> 2024-05-08T16:28:00+00:00 https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html www.secnews.physaphae.fr/article.php?IdArticle=8495847 False Malware,Technical None 3.0000000000000000 ProofPoint - Cyber Firms 2024-05-08T06:00:27+00:00 https://www.proofpoint.com/us/blog/email-and-cloud-threats/spoofed-email-greater-impersonation-risk www.secnews.physaphae.fr/article.php?IdArticle=8495932 False Ransomware,Malware,Tool,Threat,Cloud None 3.0000000000000000 The State of Security - Magazine Américain The Rolling Stones wanted to protect their space; we, as security practitioners, need to protect ours. Data \'castles\' in the cloud are out there, and they\'re constantly under siege. By drawing inspiration from a band that embodied personal freedom, we can draw some – okay, very stretched - parallels to modern cloud security . Nonetheless, they work. And we all knew this blog was coming. And if you read the blog backward you can hear the name of the latest malware family... Maybe. "Hey, you. Get off of my cloud!" We\'re quite certain the real meaning of the Stones\' pinnacle lyric was the...]]> 2024-05-08T02:44:47+00:00 https://www.tripwire.com/state-of-security/hey-you-get-my-cloud www.secnews.physaphae.fr/article.php?IdArticle=8495759 False Malware,Cloud None 2.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Intelligence Center (ASEC) a récemment découvert les circonstances d'une souche malveillante CHM qui vole les informations utilisateur étantdistribué aux utilisateurs coréens.Le CHM distribué est un type qui a été constamment distribué dans divers formats tels que LNK, DOC et Onenote du passé.Un léger changement dans le processus d'opération a été observé dans les échantillons récents.Le flux d'exécution global est illustré à la figure 1. Le malware est un type qui utilise plusieurs scripts pour finalement envoyer ...

---

AhnLab SEcurity intelligence Center (ASEC) has recently discovered circumstances of a CHM malware strain that steals user information being distributed to Korean users. The distributed CHM is a type that has been constantly distributed in various formats such as LNK, DOC, and OneNote from the past. A slight change to the operation process was observed in the recent samples. The overall execution flow is shown in Figure 1. The malware is a type that uses multiple scripts to ultimately send... ]]> 2024-05-08T01:16:38+00:00 https://asec.ahnlab.com/en/65245/ www.secnews.physaphae.fr/article.php?IdArticle=8495602 False Malware None 3.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Intelligence Center (ASEC) a découvert des preuves d'une souche malveillante distribuée aux serveurs Web au sudLa Corée, conduisant les utilisateurs à un site de jeu illégal.Après avoir initialement infiltré un serveur Web Windows Information (IIS) des services d'information sur Internet (IIS) mal gérés en Corée, l'acteur de menace a installé la porte arrière de METERPRETRER, un outil de transfert de port et un outil de logiciel malveillant du module IIS.Ils ont ensuite utilisé ProCDump pour exfiltrater les informations d'identification du compte du serveur.Les modules IIS prennent en charge les fonctionnalités d'extension des serveurs Web tels que ...

---

AhnLab SEcurity intelligence Center (ASEC) has discovered evidence of a malware strain being distributed to web servers in South Korea, leading users to an illegal gambling site. After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and an IIS module malware tool. They then used ProcDump to exfiltrate account credentials from the server. IIS modules support expansion features of web servers such as... ]]> 2024-05-08T00:59:58+00:00 https://asec.ahnlab.com/en/65131/ www.secnews.physaphae.fr/article.php?IdArticle=8495572 False Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot JFrog Security Research has discovered three large-scale malware campaigns that targeted Docker Hub, planting millions of "imageless" repositories with malicious metadata. ## Description Docker Hub is a platform that delivers many functionalities to developers, presenting numerous opportunities for development, collaboration, and distribution of Docker images. Currently, it is the number one container platform of choice for developers worldwide. Yet, a significant concern arises when considering the content of these public repositories. The research reveals that nearly 20% of these public repositories actually hosted malicious content.  These repositories do not contain container images but instead contain metadata that is malicious. The content ranged from simple spam that promotes pirated content, to extremely malicious entities such as malware and phishing sites, uploaded by automatically generated accounts. Prior to this publication, the JFrog research team disclosed all findings to the Docker security team, including 3.2M repositories that were suspected as hosting malicious or unwanted content. The Docker security team quickly removed all of the malicious and unwanted repositories from Docker Hub ## Recommendations JFrog Security Research reccommends Users should prefer using Docker images that are marked in Docker Hub as “Trusted Content”. ## References ["JFrog Security Research Discovers Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories"](https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/#new_tab) JFrog. (Accessed 2024-05-07)]]> 2024-05-07T20:14:06+00:00 https://community.riskiq.com/article/64465418 www.secnews.physaphae.fr/article.php?IdArticle=8495482 False Spam,Malware None 3.0000000000000000 SecurityWeek - Security News Mitre a partagé plus de détails sur le hack récent, y compris les nouveaux logiciels malveillants impliqués dans l'attaque et un calendrier des activités de l'attaquant. .

---

>MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker\'s activities. ]]> 2024-05-07T07:33:53+00:00 https://www.securityweek.com/mitre-hack-china-linked-group-breached-systems-in-december-2023/ www.secnews.physaphae.fr/article.php?IdArticle=8495094 False Malware,Hack None 2.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Intelligence Center (ASEC) a confirmé la distribution continue des fichiers de raccourci (* .lnk) detailles anormales qui diffusent des logiciels malveillants de type porte-porte.Les fichiers de raccourcis récemment confirmés (* .lnk) visent les utilisateurs sud-coréens, en particulier ceux liés à la Corée du Nord.Les noms de fichiers LNK confirmés sont les suivants: les fichiers LNK confirmés contiennent une commande pour exécuter PowerShell via CMD, et leur type est similaire au type trouvé dans & # 8220; ROKRAT MALWWare distribué via des fichiers LNK (* .lnk): redeedes (redeedes (Scarcruft) & # 8221; ...

---

AhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of shortcut files (*.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea. The confirmed LNK file names are as follows: The confirmed LNK files contain a command to execute PowerShell via CMD, and their type is similar to the type found in “RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)”... ]]> 2024-05-07T00:50:55+00:00 https://asec.ahnlab.com/en/65076/ www.secnews.physaphae.fr/article.php?IdArticle=8494900 False Malware None 2.0000000000000000 HackRead - Chercher Cyber Par deeba ahmed Cuckoo Malware cible les utilisateurs de macOS, le vol de mots de passe, l'historique de navigation, les détails du portefeuille crypto & # 038;plus.Déguisé en convertisseur musical, il présente un risque de sécurité majeur.Apprenez à vous protéger de cet infosteller sophistiqué. Ceci est un article de HackRead.com Lire la publication originale: CUCKOO Mac Malware imite le convertisseur musical en mot de passe et crypto

---

>By Deeba Ahmed Cuckoo malware targets macOS users, stealing passwords, browsing history, crypto wallet details & more. Disguised as a music converter, it poses a major security risk. Learn how to protect yourself from this sophisticated infostealer. This is a post from HackRead.com Read the original post: Cuckoo Mac Malware Mimics Music Converter to Steals Passwords and Crypto]]> 2024-05-06T22:09:34+00:00 https://www.hackread.com/cuckoo-mac-malware-music-converter-passwords-crypto/ www.secnews.physaphae.fr/article.php?IdArticle=8494851 False Malware None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-06T19:54:46+00:00 https://community.riskiq.com/article/7c5aa156 www.secnews.physaphae.fr/article.php?IdArticle=8494794 False Malware,Vulnerability,Threat,Patching,Cloud APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-06T16:26:54+00:00 https://community.riskiq.com/article/157eab98 www.secnews.physaphae.fr/article.php?IdArticle=8494726 False Ransomware,Malware,Tool,Vulnerability,Threat None 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Cybersecurity researchers have discovered a new information stealer targeting Apple macOS systems that\'s designed to set up persistence on the infected hosts and act as a spyware. Dubbed Cuckoo by Kandji, the malware is a universal Mach-O binary that\'s capable of running on both Intel- and Arm-based Macs. The exact distribution vector is currently unclear, although there are]]> 2024-05-06T13:18:00+00:00 https://thehackernews.com/2024/05/new-cuckoo-persistent-macos-spyware.html www.secnews.physaphae.fr/article.php?IdArticle=8494492 False Malware None 2.0000000000000000 Kaspersky - Kaspersky Research blog In this report, we share our insights into the 2023 trends and statistics on financial threats, such as phishing, PC and mobile banking malware.]]> 2024-05-06T10:00:31+00:00 https://securelist.com/financial-threat-report-2023/112526/ www.secnews.physaphae.fr/article.php?IdArticle=8494518 False Malware,Mobile None 3.0000000000000000 ProofPoint - Cyber Firms 2024-05-06T05:52:32+00:00 https://www.proofpoint.com/us/blog/email-and-cloud-threats/email-security-now-redefined-adaptive-threat-protection-capabilities www.secnews.physaphae.fr/article.php?IdArticle=8494489 False Ransomware,Malware,Threat,Conference None 3.0000000000000000 Bleeping Computer - Magazine Américain Finland\'s Transport and Communications Agency (Traficom) has issued a warning about an ongoing Android malware campaign targeting banking accounts. [...]]]> 2024-05-05T10:19:38+00:00 https://www.bleepingcomputer.com/news/security/finland-warns-of-android-malware-attacks-breaching-bank-accounts/ www.secnews.physaphae.fr/article.php?IdArticle=8494115 False Malware,Mobile None 3.0000000000000000 IndustrialCyber - cyber risk firms for industrial Les environnements industriels sont confrontés à une menace croissante des logiciels malveillants et des attaques de ransomwares, posant des risques importants à l'infrastructure critique, à la fabrication ...

---

>Industrial environments face a growing threat from malware and ransomware attacks, posing significant risks to critical infrastructure, manufacturing... ]]> 2024-05-05T06:13:39+00:00 https://industrialcyber.co/features/growing-threat-of-malware-and-ransomware-attacks-continues-to-put-industrial-environments-at-risk/ www.secnews.physaphae.fr/article.php?IdArticle=8493927 False Ransomware,Malware,Threat,Industrial None 3.0000000000000000 SecurityWeek - Security News Vincent StruBel, qui dirige l'agence nationale de cybersécurité de France \\, a appelé le niveau des cyber-starts aux Jeux olympiques sans précédent.

---

>Vincent Strubel, who heads France\'s national cybersecurity agency, called the cyberthreats level facing the Olympic Games unprecedented. ]]> 2024-05-04T11:06:55+00:00 https://www.securityweek.com/french-cyberwarriors-ready-to-test-their-defense-against-hackers-and-malware-during-the-olympics/ www.secnews.physaphae.fr/article.php?IdArticle=8493539 False Malware None 3.0000000000000000 Bleeping Computer - Magazine Américain The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets. [...]]]> 2024-05-04T10:17:34+00:00 https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8493646 False Malware,Threat,Cloud APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot Researchers at Zscaler have published a report about the evolution of ZLoader, a modular banking trojan, and its new evasion tactics. Check out Microsoft\'s write-up on ZLoader [here](https://sip.security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789). ## Description ZLoader, also known as Terdot, DELoader, or Silent Night, is a modular Trojan derived from leaked ZeuS source code. After nearly two years of absence, ZLoader resurfaced in September 2023 with a new version incorporating changes to its obfuscation methods, domain generation algorithm (DGA), and network communication. Recently, it has reintroduced an anti-analysis mechanism reminiscent of the original ZeuS 2.x code. This feature limits ZLoader\'s binary execution to the infected system, a trait that had been abandoned by many malware strains derived from the leaked source code until this recent development. ## Detections Microsoft Defender Antivirus detects threat components as the following malware: - Trojan:Win64/ZLoader - Trojan:Win32/ZLoader ## References [ZLoader Learns Old Tricks](https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks#indicators-of-compromise--iocs-). Zscaler (accessed (2024-05-03) [ZLoader](https://sip.security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789). Microsoft (accessed 2024-05-03) # ZLZLoaderoader]]> 2024-05-03T21:17:42+00:00 https://community.riskiq.com/article/0d7c21ec www.secnews.physaphae.fr/article.php?IdArticle=8493230 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot FortiGuard Labs has identified the emergence of the "Goldoon" botnet, which targets D-Link devices by exploiting the CVE-2015-2051 vulnerability. This allows attackers to gain complete control of vulnerable systems and launch further attacks, including distributed denial-of-service (DDoS). ## Description The botnet\'s initial infiltration involves the exploitation of CVE-2015-2051 to download a file "dropper" from a specific URL, which then downloads the botnet file using an XOR key to decrypt specific strings. The "dropper" script is programmed to automatically download, execute, and clean up potentially malicious files across various Linux system architectures. After execution, the script removes the executed file and then deletes itself to erase any trace of its activity. Once executed, Goldoon establishes a persistent connection with its Command and Control (C2) server and waits for commands to launch related behaviors, including various denial-of-service attacks. The malware contains 27 different methods related to various attacks, posing a significant threat to affected organizations. These methods include ICMP Flooding, TCP Flooding, UDP Flooding, DNS Flooding, HTTP Bypass, HTTP Flooding, and Minecraft DDoS Attack. ## References "[New Goldoon Botnet Targeting D-Link Devices](https://www.fortinet.com/blog/threat-research/new-goldoon-botnet-targeting-d-link-devices)" FortiGuard Labs. (Accessed 2024-05-03)]]> 2024-05-03T20:21:03+00:00 https://community.riskiq.com/article/de08653e www.secnews.physaphae.fr/article.php?IdArticle=8493201 False Malware,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot Cybersecurity professionals at GBHackers have discovered a series of cyberattacks targeting poorly managed Microsoft SQL (MS-SQL) servers to install Mallox Ransomware on systems. **Read more about Microsoft\'s coverage for [Mallox Ransomware here.](https://sip.security.microsoft.com/intel-profiles/7fbe39c998c8a495a1652ac6f8bd34852c00f97dc61278cafc56dca1d443131e)** ## Description The threat actor group\'s modus operandi involves exploiting vulnerabilities in improperly managed MS-SQL servers. By employing brute force and dictionary attacks, the attackers gain unauthorized access, primarily targeting the SA (System Administrator) account.  Once inside, they deploy the Remcos Remote Access Tool (RAT) to take control of the infected system. Remcos RAT, initially used for system breach and control, has been repurposed by attackers for malicious activities, featuring capabilities such as keylogging, screenshot capture, and control over webcams and microphones.  Additionally, a custom-made remote screen control malware is deployed, allowing attackers to gain access to the infected system using the AnyDesk ID obtained from the command and control server. Mallox ransomware, known for targeting MS-SQL servers, was then installed to encrypt the system.  Mallox ransomware, utilizes AES-256 and SHA-256 encryption algorithms, appending a ".rmallox" extension to encrypted files. The attack patterns observed in this campaign bear a striking resemblance to ]]> 2024-05-03T20:14:15+00:00 https://community.riskiq.com/article/f5f3ecc6 www.secnews.physaphae.fr/article.php?IdArticle=8493202 False Ransomware,Malware,Tool,Vulnerability,Threat,Technical None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.]]> 2024-05-03T18:05:00+00:00 https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.html www.secnews.physaphae.fr/article.php?IdArticle=8492991 False Malware,Threat,Cloud None 3.0000000000000000 Recorded Future - FLux Recorded Future 2024-05-02T19:38:30+00:00 https://therecord.media/cuttlefish-malware-routers-turkey www.secnews.physaphae.fr/article.php?IdArticle=8492573 False Malware None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Like antivirus software, vulnerability scans rely on a database of known weaknesses. That\'s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn\'t existed in the vulnerability management space. The benefits of using multiple scanning engines Generally speaking]]> 2024-05-02T15:55:00+00:00 https://thehackernews.com/2024/05/when-is-one-vulnerability-scanner-not.html www.secnews.physaphae.fr/article.php?IdArticle=8492325 False Malware,Vulnerability None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. "This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent]]> 2024-05-02T10:34:00+00:00 https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html www.secnews.physaphae.fr/article.php?IdArticle=8492194 False Malware,Cloud None 2.0000000000000000 AhnLab - Korean Security Firm While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of theTargetCompany Ransomware Group Installation du ransomware Mallox.Le groupe Ransomware TargetCompany cible principalement les serveurs MS-SQL mal gérés pour installer le ransomware Mallox.Bien que ces attaques soient en cours depuis plusieurs années, nous allons ici décrire la corrélation entre les logiciels malveillants nouvellement identifiés et les cas d'attaque antérieurs impliquant la distribution du Coinmin Tor2Mine et des ransomwares bluesky.Semblable aux cas précédents, cette attaque a ciblé mal ...

---

While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware. Similar to previous cases, this attack targeted improperly... ]]> 2024-05-02T00:15:52+00:00 https://asec.ahnlab.com/en/64921/ www.secnews.physaphae.fr/article.php?IdArticle=8492099 False Ransomware,Malware None 2.0000000000000000 Techworm - News avertir dans un article de blog . «La seiche est en attente, reniflant passivement les paquets, n'agissant que lorsqu'il est déclenché par un ensemble de règles prédéfini.Le renifleur de paquets utilisé par la seiche a été conçu pour acquérir du matériel d'authentification, en mettant l'accent sur les services publics basés sur le cloud. » ]]> 2024-05-01T23:25:26+00:00 https://www.techworm.net/2024/05/malware-target-router-steal-password.html www.secnews.physaphae.fr/article.php?IdArticle=8491968 False Malware,Threat,Cloud,Technical APT 32 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-01T20:56:45+00:00 https://community.riskiq.com/article/e27d7355 www.secnews.physaphae.fr/article.php?IdArticle=8492041 False Ransomware,Malware,Tool,Threat None 2.0000000000000000 Techworm - News 2024-05-01T20:17:03+00:00 https://www.techworm.net/2024/05/google-bounty-rce-bugs-android-apps.html www.secnews.physaphae.fr/article.php?IdArticle=8491889 False Malware,Vulnerability,Threat,Mobile,Cloud None 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. "Wpeeper is a typical backdoor Trojan for Android]]> 2024-05-01T19:11:00+00:00 https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html www.secnews.physaphae.fr/article.php?IdArticle=8491840 False Malware,Mobile None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-01T19:01:06+00:00 https://community.riskiq.com/article/9a596ba8 www.secnews.physaphae.fr/article.php?IdArticle=8492017 False Malware,Tool,Threat,Medical,Commercial None 3.0000000000000000 Dark Reading - Informationweek Branch The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.]]> 2024-05-01T17:34:12+00:00 https://www.darkreading.com/cloud-security/cuttlefish-zero-click-malware-steals-private-cloud-data www.secnews.physaphae.fr/article.php?IdArticle=8491941 False Malware,Cloud None 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it\'s based on, indicating that it\'s being actively developed. "The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection," Zscaler ThreatLabz researcher Santiago]]> 2024-05-01T15:57:00+00:00 https://thehackernews.com/2024/05/zloader-malware-evolves-with-anti.html www.secnews.physaphae.fr/article.php?IdArticle=8491763 False Malware None 2.0000000000000000 SecurityWeek - Security News Plate-forme de logiciels malveillants semi-ruisseaux errant autour des routeurs SOHO d'entreprise capables de récolter secrètement les données d'authentification du cloud public à partir du trafic Internet.

---

>Cuttlefish malware platform roaming around enterprise SOHO routers capable of covertly harvesting public cloud authentication data from internet traffic. ]]> 2024-05-01T14:33:31+00:00 https://www.securityweek.com/cuttlefish-malware-targets-routers-harvests-cloud-authentication-data/ www.secnews.physaphae.fr/article.php?IdArticle=8491900 False Malware,Cloud None 3.0000000000000000 Bleeping Computer - Magazine Américain A new malware named \'Cuttlefish\' has been spotted infecting enterprise-grade and small office/home office (SOHO) routers to monitor data that passes through them and steal authentication information. [...]]]> 2024-05-01T09:00:00+00:00 https://www.bleepingcomputer.com/news/security/new-cuttlefish-malware-infects-routers-to-monitor-traffic-for-credentials/ www.secnews.physaphae.fr/article.php?IdArticle=8491839 False Malware None 2.0000000000000000 Bleeping Computer - Magazine Américain Latrodectus malware is now being distributed in phishing campaigns using Microsoft Azure and Cloudflare lures to appear legitimate while making it harder for email security platforms to detect the emails as malicious. [...]]]> 2024-04-30T18:08:49+00:00 https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes/ www.secnews.physaphae.fr/article.php?IdArticle=8491506 False Malware None 2.0000000000000000 Dark Reading - Informationweek Branch USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.]]> 2024-04-30T17:28:56+00:00 https://www.darkreading.com/ics-ot-security/to-damage-ot-systems-hackers-tap-usbs-old-bugs-and-malware www.secnews.physaphae.fr/article.php?IdArticle=8491396 False Malware,Industrial None 3.0000000000000000 SecurityWeek - Security News JFROG s’alarme après avoir trouvé trois campagnes de logiciels malveillants à grande échelle ciblant Docker Hub avec des référentiels sans image.

---

>JFrog raises an alarm after finding three large-scale malware campaigns targeting Docker Hub with imageless repositories. ]]> 2024-04-30T17:08:48+00:00 https://www.securityweek.com/docker-hub-users-targeted-with-imageless-malicious-repositories/ www.secnews.physaphae.fr/article.php?IdArticle=8491393 False Malware None 3.0000000000000000 Bleeping Computer - Magazine Américain Three large-scale campaigns have targeted Docker Hub users, planting millions of repositories designed to push malware and phishing sites since early 2021. [...]]]> 2024-04-30T13:32:10+00:00 https://www.bleepingcomputer.com/news/security/millions-of-docker-repos-found-pushing-malware-phishing-sites/ www.secnews.physaphae.fr/article.php?IdArticle=8491395 False Malware None 4.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine According to JFrog, approximately 25% of all repositories lack useful functionality and serve as vehicles for spam and malware]]> 2024-04-30T13:30:00+00:00 https://www.infosecurity-magazine.com/news/malicious-containers-found-docker/ www.secnews.physaphae.fr/article.php?IdArticle=8491277 False Spam,Malware None 2.0000000000000000 Bleeping Computer - Magazine Américain A new Android backdoor malware named \'Wpeeper\' has been spotted in at least two unofficial app stores mimicking the Uptodown App Store, a popular third-party app store for Android devices with over 220 million downloads. [...]]]> 2024-04-30T12:41:57+00:00 https://www.bleepingcomputer.com/news/security/new-wpeeper-android-malware-hides-behind-hacked-wordpress-sites/ www.secnews.physaphae.fr/article.php?IdArticle=8491367 False Malware,Mobile None 2.0000000000000000 GoogleSec - Firm Security Blog dbsc Cela aidera à perturber l'industrie du vol de cookies car l'exfiltration de ces cookies n'aura plus de valeur. Lorsqu'il n'est pas possible d'éviter le vol d'identification et de cookies par malware, la prochaine meilleure chose est de rendre l'attaque plus observable par antivirus, d'agents de détection de terminaux ou d'administrateurs d'entreprise avec des outils d'analyse de journaux de base. Ce blog décrit un ensemble de signaux à utiliser par les administrateurs système ou les agents de détection de point de terminaison qui devraient signaler de manière fiable tout accès aux données protégées du navigateur d'une autre application sur le système.En augmentant la probabilité d'une attaque détectée, cela modifie le calcul pour les attaquants qui pourraient avoir un fort désir de rester furtif et pourraient les amener à repenser ces types d'attaques contre nos utilisateurs. arrière-plan Les navigateurs basés sur le chrome sur Windows utilisent le DPAPI (API de protection des données) pour sécuriser les secrets locaux tels que les cookies, le mot de passe, etc.La protection DPAPI est basée sur une clé dérivée des informations d'identification de connexion de l'utilisateur et est conçue pour se protéger contre l'accès non autorisé aux secrets des autres utilisateurs du système ou lorsque le système est éteint.Étant donné que le secret DPAPI est lié à l'utilisateur connecté, il ne peut pas protéger contre les attaques de logiciels malveillants locaux - l'exécution de logiciels malveillants en tant qu'utilisateur ou à un niveau de privilège plus élevé peut simplement appeler les mêmes API que le navigateur pour obtenir le secret DPAPI. Depuis 2013, Chromium applique l'indicateur CryptProtect_Audit aux appels DPAPI pour demander qu'un journal d'audit soit généré lorsque le décryptage se produit, ainsi que le marquage des données en tant que détenue par le navigateur.Parce que tout le stockage de données crypté de Chromium \\ est soutenu par une clé sécurisée DPAPI, toute application qui souhaite décrypter ces données, y compris les logiciels malveillants, devrait toujours générer de manière fiable un journal d'événements clairement observable, qui peut être utilisé pour détecter ces typesd'attaques. Il y a trois étapes principales impliquées dans le profit de ce journal: Activer la connexion sur l'ordinateur exécutant Google Chrome, ou tout autre navigateur basé sur le chrome. Exporter les journaux des événements vers votre système backend. Créer une logique de détection pour détecter le vol. Ce blog montrera également comment la journalisation fonctionne dans la pratique en la testant contre un voleur de mot de passe Python. Étape 1: Activer la connexion sur le système Les événements DPAPI sont connectés à deux endroits du système.Premièrement, il y a le 4693 Événement qui peut être connecté au journal de sécurité.Cet événement peut être activé en activant "Audit l'activité DPAPI" et les étapes pour ce faire sont d]]> 2024-04-30T12:14:48+00:00 http://security.googleblog.com/2024/04/detecting-browser-data-theft-using.html www.secnews.physaphae.fr/article.php?IdArticle=8493535 False Malware,Tool,Threat None 2.0000000000000000 LogPoint - Blog Secu En bref :Le chargement latéral de DLL (Dynamic Link Library) est une technique permettant d'exécuter des charges virales malveillantes dans une DLL masquée en exploitant le processus d'exécution d'une application légitime.Des groupes de malware, tels que les groupes APT chinois et les malwares Darkgate, exploitent sur le terrain une vulnérabilité de chargement latéral de DLL Zero-Day [...] ]]> 2024-04-30T08:33:11+00:00 https://www.logpoint.com/fr/blog/decouvrez-le-cote-obscur-des-dll-dynamic-link-library/ www.secnews.physaphae.fr/article.php?IdArticle=8492987 False Malware,Vulnerability,Threat None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Google on Monday revealed that almost 200,000 app submissions to its Play Store for Android were either rejected or remediated to address issues with access to sensitive data such as location or SMS messages over the past year. The tech giant also said it blocked 333,000 bad accounts from the app storefront in 2023 for attempting to distribute malware or for repeated policy violations. "In 2023,]]> 2024-04-29T22:37:00+00:00 https://thehackernews.com/2024/04/google-prevented-228-million-malicious.html www.secnews.physaphae.fr/article.php?IdArticle=8490784 False Malware,Mobile None 2.0000000000000000 Techworm - News said in an analysis published on Thursday. According to ThreatFabric, Brokewell poses a significant threat to the banking industry, providing attackers with remote access to all assets available through mobile banking. The malware was discovered by the researchers while investigating a fake Google Chrome web browser “update” page, commonly used by cybercriminals to lure victims into downloading and installing malware. Looking at prior campaigns, the researchers found that Brokewell was used to target a popular “buy now, pay later” financial service and an Austrian digital authentication application. The malware is said to be in active development, with new commands added almost daily to capture every event on the device, from keystrokes and information displayed on screen to text entries and apps launched by the victim. Once downloaded, Brokewell creates an overlay screen on a targeted application to capture user credentials. It can also steal browser cookies by launching its own WebView, overriding the onPageFinished method, and dumping the session cookies after the user completes the login process. “Brokewell is equipped with “accessibility logging,” capturing every event happening on the device: touches, swipes, information displayed, text input, and applications opened. All actions are logged and sent to the command-and-control server, effectively stealing any confidential data displayed or entered on the compromised device,” the ThreatFabric researchers point out. “It\'s important to highlight that, in this case, any application is at risk of data compromise: Brokewell logs every event, posing a threat to all applications installed on the device. This piece of malware also supports a variety of “spyware” functionalities: it can collect information about the device, call history, geolocation, and record audio.” After stealing the credentials, the attackers can initiate a Device Takeover attack using remote control capabilities to perform screen streaming. It also provides the threat actor with a range of various commands that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements. ThreatFabric discovered that one of the servers used as a command and control (C2) point for Brokewell was also used to host a repository called “Brokewell Cyber Labs,” created by a threat actor called “Baron Samedit.” This repository comprised the source code for the “Brokewell Android Loader,” another tool from the same developer designed to bypass restrictions Google introduced in Android 13 and later to prevent exploitation of Accessibility Service for side-loaded apps (APKs). According to ThreatFabric, Baron Samedit has been active for at least two years, providing tools to other cybercriminals to check stolen accounts from multiple services, which could still be improved to support a malware-as-a-service operation. “We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions,” the researchers conclude. Hence, the only way to effectively identify and prevent potential fraud from malware families like the newly discovered Brokewell is to use a comprehensive]]> 2024-04-29T22:01:20+00:00 https://www.techworm.net/2024/04/android-malware-hack-bank-account-chrome-update.html www.secnews.physaphae.fr/article.php?IdArticle=8490777 False Malware,Tool,Threat,Mobile None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot The DFIR report provides a detailed account of a sophisticated intrusion that began with a phishing campaign using PrometheusTDS to distribute IcedID malware in August 2023. ## Description The IcedID malware established persistence, communicated with C2 servers, and dropped a Cobalt Strike beacon, which was used for lateral movement, data exfiltration, and ransomware deployment. The threat actor also utilized a suite of tools such as Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind. The intrusion culminated in the deployment of Dagon Locker ransomware after 29 days. The threat actors employed various techniques to obfuscate the JavaScript file and the Cobalt Strike shellcode, evade detection, maintain persistence, and perform network enumeration activities. The threat actor\'s activities included the abuse of lateral movement functionalities such as PsExec and Remote Desktop Protocol (RDP), exfiltration of files, dumping and exfiltration of Windows Security event logs, and the use of PowerShell commands executed from the Cobalt Strike beacon. Additionally, the threat actor employed multiple exfiltration techniques, including the use of Rclone and AWS CLI to exfiltrate data from the compromised infrastructure. The deployment of the Dagon Locker ransomware was facilitated through the use of a custom PowerShell script, AWScollector, and a locker module, with a specific PowerShell command run from a domain controller to deploy the ransomware to different systems. The impact of this incident resulted in all systems being affected by the Dagon Locker ransomware. ## References [https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/](https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/)]]> 2024-04-29T20:07:15+00:00 https://community.riskiq.com/article/55e96eb8 www.secnews.physaphae.fr/article.php?IdArticle=8490876 False Ransomware,Malware,Tool,Threat,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-04-29T16:05:58+00:00 https://community.riskiq.com/article/aa388c3b www.secnews.physaphae.fr/article.php?IdArticle=8490778 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Industrial None 3.0000000000000000 SecurityWeek - Security News Une analyse menée par Honeywell montre qu'une grande partie des logiciels malveillants transmis par l'USB ciblant les organisations industrielles peut toujours provoquer des perturbations.

---

>An analysis conducted by Honeywell shows that much of the USB-borne malware targeting industrial organizations can still cause OT disruption. ]]> 2024-04-29T13:00:00+00:00 https://www.securityweek.com/honeywell-usb-malware-attacks-on-industrial-orgs-becoming-more-sophisticated/ www.secnews.physaphae.fr/article.php?IdArticle=8490671 False Malware,Industrial None 3.0000000000000000 GoogleSec - Firm Security Blog 1 in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes. We have also strengthened our developer onboarding and review processes, requiring more identity information when developers first establish their Play accounts. Together with investments in our review tooling and processes, we identified bad actors and fraud rings more effectively and banned 333K bad accounts from Play for violations like confirmed malware and repeated severe policy violations. Additionally, almost 200K app submissions were rejected or remediated to ensure proper use of sensitive permissions such as background location or SMS access. To help safeguard user privacy at scale, we partnered with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over 31 SDKs impacting 790K+ apps. We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem. This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks. Protecting the Android Ecosystem Building on our success with the App Defense Alliance (ADA), we partnered with Microsoft and Meta as steering committee members in the newly restructured ADA under the Joint Development Foundation, part of the Linux Foundation family. The Alliance will support industry-wide adoption of app security best practices and guidelines, as well as countermeasures against emerging security risks. Additionally, we announced new Play Store transparency labeling to highlight VPN apps that have completed an independent security review through App Defense Alliance\'s Mobile App Security Assessment (MASA). When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the “Independent security review” badge in the Data safety section. This helps users see at-a-glance that a developer has prioritized security and privacy best practices and is committed to user safety. ]]> 2024-04-29T11:59:47+00:00 http://security.googleblog.com/2024/04/how-we-fought-bad-apps-and-bad-actors-in-2023.html www.secnews.physaphae.fr/article.php?IdArticle=8493536 False Malware,Tool,Threat,Mobile None 3.0000000000000000 HackRead - Chercher Cyber Par deeba ahmed Nouvelle alerte de logiciels malveillants Android!Brokewell vole les données, prend en charge les appareils & # 038;cible votre banque.Apprenez comment fonctionne ce malware sournois & # 038;Ce que vous pouvez faire pour vous protéger.Arrêtez Brokewell avant de vous arrêter! Ceci est un article de HackRead.com Lire le post original: Les fausses mises à jour Chrome cachent des logiciels malveillants Android Brokewell ciblant votre banque

---

>By Deeba Ahmed New Android malware alert! Brokewell steals data, takes over devices & targets your bank. Learn how this sneaky malware works & what you can do to protect yourself. Stop Brokewell before it stops you! This is a post from HackRead.com Read the original post: Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank]]> 2024-04-29T10:25:22+00:00 https://www.hackread.com/fake-chrome-updates-android-brokewell-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8490594 False Malware,Mobile None 2.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC millions of dollars due to fraud every year, according to the FTC. Online shopping is the number one avenue where this money is lost, with bad investments and illegitimate businesses falling close behind. There is an increasing amount of ways that scammers can have access to your information or social engineer you into spending money. Some examples include phishing emails, password attacks, and malware. Often, hackers will also target people whom they profile as gullible. Charity scams are unfortunately rampant, including scammers pretending to be charitable organizations like the Red Cross. These crop up when disaster strikes, and they masquerade as legitimate ways to donate. Other scammers will pretend to be individuals in need, family members, or even government organizations. Instead, the money goes to illegitimate scammers. To avoid this, you should always double-check links and, more importantly, log in to a reputable site when entering any credit card or banking information. Financial institutions are surprisingly not the most targeted, but they are still rife with sensitive info that can be vulnerable to hackers if not guarded correctly. Cybersecurity in online banking is extremely important. There can be data breaches, customer phishing scams, and even offshore banking transparency issues. Enhanced security must be in place to prevent these scams, including encryption, multi-factor authentication, threat detection, and biometrics. Why Stronger Biometrics Are Necessary Physical biometrics are the most common form of biometrics employed for financial security currently. However, bad actors have learned how to bypass these physical barriers. Printed-out photos can work for face identification, and fingerprints and palm prints can be stolen and imprinted onto soft surfaces and then used for sign-ins. Evolving threats demand cybersecurity measures that are as far advanced as possible. Behavioral biometrics takes things a step further by analyzing the behavior patterns of device users. Then, these patterns can be developed over time and set to be recognized by the device. These behaviors can be digital or in-person and include factors like: Gait; Posture; Signatures;]]> 2024-04-29T10:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/enhancing-financial-security-through-behavioral-biometrics www.secnews.physaphae.fr/article.php?IdArticle=8490698 False Malware,Threat Deloitte 2.0000000000000000 HackRead - Chercher Cyber Par deeba ahmed Méfiez-vous!Agent Tesla & # 038;Taskun malware ciblez l'éducation américaine & # 038;Gov. Cette cyberattaque vole les données & # 038;exploite les vulnérabilités.Apprenez à protéger les écoles & # 038;agences gouvernementales de cette double menace! Ceci est un article de HackRead.com Lire la publication originale: L'agent Tesla et les logiciels malveillants de Taskun ciblant l'éducation américaine et les entités gouvernementales

---

>By Deeba Ahmed Beware! Agent Tesla & Taskun Malware are targeting US Education & Gov. This cyberattack steals data & exploits vulnerabilities. Learn how to protect schools & government agencies from this double threat! This is a post from HackRead.com Read the original post: Agent Tesla and Taskun Malware Targeting US Education and Govt Entities]]> 2024-04-29T09:25:44+00:00 https://www.hackread.com/agent-tesla-taskun-malware-us-education-govt/ www.secnews.physaphae.fr/article.php?IdArticle=8490566 False Malware,Vulnerability None 2.0000000000000000 Techworm - News a dit chercheurs en sécurité den iuzvyk, tim peck et oleg kolesnikov dans un article de blog. Cependant, l'objectif de l'acteur de menace est de tromper les cibles dans le téléchargement de logiciels malveillants qui collecte les informations système et permet l'accès à distance à l'hôte. Dans la première étape, une archive zip de GitHub déguisée en une offre pour combler des positions de développeur de logiciels est envoyée à la personne interrogée (dans ce cas, le développeur) pour le téléchargement par l'intervieweur (l'attaquant).L'archive contient un package de gestion de nœuds (NPM) à l'aspect légitime contenant un répertoire Readme.md et Frontend et Backend. Une fois que le développeur exécute le package NPM malveillant, un fichier JavaScript obscurci ("iMageDetails.js") est exécuté via le processus NodeJS (Node.exe) à l'aide de commandes \\ 'curl \'.Le but malveillant du script dans la première étape est simplement de télécharger une archive supplémentaire («p.zi») à partir d'un serveur externe. À l'intérieur de l'archive se trouve la charge utile de l'étape suivante, un fichier python caché (".npl") qui fonctionne comme un rat.Selon leurs paramètres de système d'exploitation, ce fichier Python peut être caché ou non de la vue à l'utilisateur. Une fois que le rat est actif sur le système de la victime, il collecte les informations du système et du réseau à partir d'un ordinateur infecté, puis envoie ces données au serveur de commande et de contrôle (C2), y compris le type de système d'exploitation, le nom d'hôte, la version du système d'exploitationVersion, version du système d'exploitation, nom d'utilisateur de l'utilisateur connecté et un identifiant unique pour l'appareil (UUID) généré par hachage de l'adresse MAC et du nom d'utilisateur. Selon les analystes de Securonix, le rat prend en charge les capacités suivantes: Le réseautage et la création de session sont utilisés pour les connexions persistantes. Fonctions du système de fichiers pour traverser les répertoires, filtrer les fichiers en fonction des extensions et des répertoires spécifiques à exclure, et rechercher et voler des fichiers ou des données spécifiques. Exécution des commandes distantes qui permet l'exécution de commandes et de scripts de shell système, y compris la navigation sur le système de fichiers et l'exécution des commandes de shell. Exfiltration des données FTP directes à partir de divers répertoires d'utilisateurs comme les documents et les téléchargements. La journalisation du presse-papiers et des clés comprend des capacités pour surveiller et exfiltrater le contenu du presse-papiers et les touches. "En ce qui concerne les attaques qui proviennent de l'ingénierie sociale, il est essentiel de m]]> 2024-04-28T22:30:11+00:00 https://www.techworm.net/2024/04/developers-with-fake-job-offer-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8490198 False Malware,Threat None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked]]> 2024-04-27T10:42:00+00:00 https://thehackernews.com/2024/04/bogus-npm-packages-used-to-trick.html www.secnews.physaphae.fr/article.php?IdArticle=8489428 False Malware,Threat None 2.0000000000000000 HackRead - Chercher Cyber Par deeba ahmed Les pirates époussetent les vieux trucs!Une attaque récente a exploité des vulnérabilités dans les systèmes qui s'exécutent sur Microsoft Office pour livrer des logiciels malveillants de grève de cobalt.Apprenez à vous protéger! Ceci est un article de HackRead.com Lire la publication originale: 7 ans à Microsoft Office exploité pour laisser tomber Cobalt Strike

---

>By Deeba Ahmed Hackers are dusting off old tricks! A recent attack exploited vulnerabilities in systems running outdates Microsoft Office to deliver Cobalt Strike malware. Learn how to protect yourself! This is a post from HackRead.com Read the original post: 7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike]]> 2024-04-26T19:53:53+00:00 https://www.hackread.com/microsoft-office-0-day-exploited-cobalt-strike/ www.secnews.physaphae.fr/article.php?IdArticle=8489219 False Malware,Vulnerability None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-04-26T19:12:08+00:00 https://community.riskiq.com/article/2641df15 www.secnews.physaphae.fr/article.php?IdArticle=8489234 False Ransomware,Spam,Malware,Tool,Threat,Industrial,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) #### Targeted Geolocations - Central Asia - East Asia - North America - Northern Europe - South America - South Asia - Southeast Asia - Southern Europe - Western Europe - Eastern Europe - Central America and the Caribbean ## Snapshot Researchers at Securonix have discovered an ongoing attack campaign using phishing emails to deliver a malware called SSLoad.  The campaign, named FROZEN#SHADOW, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. ## Description According to Securonix, FROZEN#SHADOW victim organizations appear to be targeted randomly, but are concentrated in Europe, Asia, and the Americas. The attack methodology involves the distribution of phishing emails that contain links leading to the retrieval of a JavaScript file that initiates the infection process. Subsequently, the MSI installer connects to an attacker-controlled domain to fetch and execute the SSLoad malware payload, followed by beaconing to a command-and-control (C2) server along with system information. The initial reconnaissance phase sets the stage for the deployment of Cobalt Strike, a legitimate adversary simulation software, which is then leveraged to download and install ScreenConnect. This enables the threat actors to remotely commandeer the compromised host and achieve extensive persistence in the target environment. ## References [https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/](https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/) [https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html](https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html)]]> 2024-04-26T17:25:03+00:00 https://community.riskiq.com/article/e39d9bb3 www.secnews.physaphae.fr/article.php?IdArticle=8489190 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-04-26T17:23:14+00:00 https://community.riskiq.com/article/ff848e92 www.secnews.physaphae.fr/article.php?IdArticle=8489191 False Ransomware,Malware,Tool,Threat None 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Fake browser updates are being used to push a previously undocumented Android malware called Brokewell. "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday. The malware is said to be in active development,]]> 2024-04-26T16:12:00+00:00 https://thehackernews.com/2024/04/new-brokewell-android-malware-spread.html www.secnews.physaphae.fr/article.php?IdArticle=8489006 False Malware,Mobile None 2.0000000000000000 SecurityWeek - Security News Plus de 90 000 IPS uniques sont toujours infectés par une variante de vers Plugx qui se propage via des disques flash infectés.

---

>More than 90,000 unique IPs are still infected with a PlugX worm variant that spreads via infected flash drives. ]]> 2024-04-26T13:41:29+00:00 https://www.securityweek.com/self-spreading-plugx-usb-drive-malware-plagues-over-90k-ip-addresses/ www.secnews.physaphae.fr/article.php?IdArticle=8489109 False Malware None 3.0000000000000000 Recorded Future - FLux Recorded Future 2024-04-26T11:44:56+00:00 https://therecord.media/plugx-malware-infections-more-than-170-countries www.secnews.physaphae.fr/article.php?IdArticle=8489033 False Malware None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server," Avast security researcher Luigino]]> 2024-04-25T22:17:00+00:00 https://thehackernews.com/2024/04/north-koreas-lazarus-group-deploys-new.html www.secnews.physaphae.fr/article.php?IdArticle=8488646 False Malware,Threat APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot ThreatFabric analysts have discovered a new mobile malware family called "Brokewell" that poses a significant threat to the banking industry. The malware is equipped with both data-stealing and remote-control capabilities, allowing attackers to gain remote access to all assets available through mobile banking. ## Description Brokewell uses overlay attacks to capture user credentials and can steal cookies by launching its own WebView. The malware also supports a variety of "spyware" functionalities, including collecting information about the device, call history, geolocation, and recording audio. After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities, giving them full control over the infected device. The malware is in active development, with new commands added almost daily.  ThreatFabric analysts discovered a fake browser update page designed to install an Android application that was used to distribute the malware. The malware is believed to be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions. ## References [https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware](https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware) [https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/](https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/)]]> 2024-04-25T18:53:33+00:00 https://community.riskiq.com/article/99a5deee www.secnews.physaphae.fr/article.php?IdArticle=8488684 False Malware,Threat,Mobile None 2.0000000000000000 Bleeping Computer - Magazine Américain Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses. [...]]]> 2024-04-25T15:20:30+00:00 https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-malware-server-with-25-million-unique-ips/ www.secnews.physaphae.fr/article.php?IdArticle=8488691 False Malware None 3.0000000000000000 Securonix - Siem The rise of AI-powered attacks presents a significant challenge. Adversaries are wielding machine learning to automate tasks, craft hyper-realistic phishing lures, and develop self-propagating malware. Traditional security, reliant on manual analysis and signature-based detection, is simply outmatched. Read More.]]> 2024-04-25T12:58:17+00:00 https://www.securonix.com/blog/ai-reinforced-the-engine-powering-the-securonix-cyberops-revolution/ www.secnews.physaphae.fr/article.php?IdArticle=8488639 False Malware None 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributing it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "]]> 2024-04-25T11:20:00+00:00 https://thehackernews.com/2024/04/state-sponsored-hackers-exploit-two.html www.secnews.physaphae.fr/article.php?IdArticle=8488387 False Malware,Vulnerability,Threat None 3.0000000000000000 Bleeping Computer - Magazine Américain Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches. [...]]]> 2024-04-25T06:00:00+00:00 https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/ www.secnews.physaphae.fr/article.php?IdArticle=8488547 False Malware,Mobile None 2.0000000000000000 The Register - Site journalistique Anglais Don\'t get too comfortable: \'Line Dancer\' malware may be targeting other vendors, too A previously unknown and "sophisticated" nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes - and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.…]]> 2024-04-24T23:11:06+00:00 https://go.theregister.com/feed/www.theregister.com/2024/04/24/spies_cisco_firewall/ www.secnews.physaphae.fr/article.php?IdArticle=8488259 False Malware None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot Cisco Talos reports on the ArcaneDoor campaign, attributed to the state-sponsored actor UAT4356 (Tracked by Microsoft as Storm-1849), targets perimeter network devices from multiple vendors, particularly Cisco Adaptive Security Appliances (ASA).  Microsoft tracks this actor as Storm-1849, [read more about them here.](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5) #]]> 2024-04-24T19:34:05+00:00 https://community.riskiq.com/article/a0cf0328 www.secnews.physaphae.fr/article.php?IdArticle=8488184 False Malware,Tool,Vulnerability,Threat None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Cybersecurity researchers have discovered an ongoing attack campaign that\'s leveraging phishing emails to deliver malware called SSLoad. The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. "SSLoad is designed to stealthily infiltrate systems, gather sensitive]]> 2024-04-24T19:06:00+00:00 https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html www.secnews.physaphae.fr/article.php?IdArticle=8488010 False Malware None 3.0000000000000000 SecurityWeek - Security News Cisco avertit que les pirates de pays nationaux exploitent au moins deux vulnérabilités de zéro jour dans ses plates-formes de pare-feu ASA pour planter des logiciels malveillants sur les télécommunications et les réseaux du secteur de l'énergie.

---

>Cisco warns that nation state-backed hackers are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks. ]]> 2024-04-24T17:25:24+00:00 https://www.securityweek.com/cisco-raises-alarm-for-arcanedoor-zero-days-hitting-asa-firewall-platforms/ www.secnews.physaphae.fr/article.php?IdArticle=8488146 False Malware,Vulnerability,Threat None 3.0000000000000000 SecurityWeek - Security News Un acteur de menace lié à la Corée du Nord a détourné le mécanisme de mise à jour de l'antivirus ESCAN pour déployer des délais et des mineurs de crypto-monnaie.

---

>A North Korea-linked threat actor hijacked the update mechanism of eScan antivirus to deploy backdoors and cryptocurrency miners. ]]> 2024-04-24T14:44:17+00:00 https://www.securityweek.com/north-korean-hackers-hijack-antivirus-updates-for-malware-delivery/ www.secnews.physaphae.fr/article.php?IdArticle=8488071 False Malware,Threat None 2.0000000000000000 Security Intelligence - Site de news Américain Les chercheurs ont créé un nouveau type de logiciel malveillant, jamais vu auparavant, ils appellent le & # 8220; Morris II & # 8221;Worm, qui utilise des services d'IA populaires pour se propager, infecter de nouveaux systèmes et voler des données. & # 160; Le nom fait référence au ver d'ordinateur Morris qui a fait des ravages sur Internet en 1988. Le ver démontre les dangers potentiels des menaces de sécurité de l'IA et[& # 8230;]

---

>Researchers have created a new, never-seen-before kind of malware they call the “Morris II” worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988. The worm demonstrates the potential dangers of AI security threats and […] ]]> 2024-04-24T13:00:00+00:00 https://securityintelligence.com/articles/malicious-ai-worm-targeting-generative-ai/ www.secnews.physaphae.fr/article.php?IdArticle=8488002 False Malware None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed ]]> 2024-04-24T12:32:00+00:00 https://thehackernews.com/2024/04/escan-antivirus-update-mechanism.html www.secnews.physaphae.fr/article.php?IdArticle=8487847 False Malware,Threat None 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A new ongoing malware campaign has been observed distributing three different stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as CoralRaider, a suspected Vietnamese-origin]]> 2024-04-24T10:20:00+00:00 https://thehackernews.com/2024/04/coralraider-malware-campaign-exploits.html www.secnews.physaphae.fr/article.php?IdArticle=8487798 False Malware,Threat None 3.0000000000000000 Securonix - Siem The Securonix Threat Research team (STR) observed an interesting attack campaign dubbed FROZEN#SHADOW which leveraged SSLoad malware and Cobalt Strike implants resulting in the attackers being able to pivot and take over the entire network domain. Read more.]]> 2024-04-24T08:45:12+00:00 https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/ www.secnews.physaphae.fr/article.php?IdArticle=8487996 False Malware,Threat None 3.0000000000000000 AhnLab - Korean Security Firm Ahnlab Security Intelligence Center (ASEC) a découvert une souche d'infosteller fabriquée avec un électron.Electron est un cadre qui permet de développer des applications à l'aide de JavaScript, HTML et CSS.Discord et Microsoft Vscode sont des exemples majeurs d'applications faites avec un électron.Les applications faites avec des électrons sont emballées et généralement distribuées au format d'installation du système d'installation scriptable Nullsoft (NSIS).L'acteur de menace de ce cas d'attaque a appliqué ce format d'installation au malware.[1] CAS # 1 Lorsque l'on exécute le malware, l'électron ...

---

AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron. Electron is a framework that allows one to develop apps using JavaScript, HTML, and CSS. Discord and Microsoft VSCode are major examples of applications made with Electron. Apps made with Electron are packaged and usually distributed in Nullsoft Scriptable Install System (NSIS) installer format. The threat actor in this attack case applied this installer format to the malware. [1] Case #1 When one runs the malware, the Electron... ]]> 2024-04-24T00:09:33+00:00 https://asec.ahnlab.com/en/64445/ www.secnews.physaphae.fr/article.php?IdArticle=8487701 False Malware,Threat None 2.0000000000000000 TrendMicro - Security Firm Blog In this blog entry, we discuss Trend Micro\'s contributions to an Interpol-coordinated operation to help Brazilian and Spanish law enforcement agencies analyze malware samples of the Grandoreiro banking trojan.]]> 2024-04-24T00:00:00+00:00 https://www.trendmicro.com/en_us/research/24/d/trend-micro-collaborated-with-interpol-in-cracking-down-grandore.html www.secnews.physaphae.fr/article.php?IdArticle=8487839 False Malware,Legislation,Prediction None 3.0000000000000000 Techworm - News son avis . Microsoft a observé APT28 en utilisant GooseEgg dans le cadre des activités post-compromis contre diverses cibles, y compris les organisations gouvernementales, non gouvernementales, de l'éducation et des transports en Ukraine, en Europe occidentale et en Amérique du Nord. Bien que Gooseegg soit une application de lanceur simple, il peut engendrer d'autres applications sur la ligne de commande avec des autorisations élevées. Cela permet aux acteurs de menace de prendre en charge les activités malveillantes telles que l'exécution du code distant, l'installation d'une porte dérobée et le déplacement latéralement à travers des réseaux compromis. Les gouvernements américains et britanniques ont lié Forest Blizzard à l'unité 26165 de la Fédération de Russie \'s Military Intelligence Agency, la principale Direction du renseignement de l'état-major général des Forces armées de la Fédération de Russie (GRU). «Microsoft a observé qu'après avoir obtenu l'accès à un appareil cible, Forest Blizzard utilise GooseEgg pour élever les privilèges dans l'environnement.GooseEgg est généralement déployé avec un script de lot, que nous avons observé en utilisant le nom execute.bat et doit.bat .Ce script de lot écrit le fichier servtask.bat, qui contient des commandes pour enregistrer / compresser les ruches de registre.Le script de lot invoque l'exécutable de GooseEgg apparié et configure la persistance en tant que tâche planifiée conçue pour exécuter servtask.bat », lit le Advisory publié par Microsoft lundi. Les chercheurs de Microsoft ont noté qu'un fichier DLL malveillant intégré généralement, qui comprend l'expression « wayzgoose»; par exemple, wayzgoose23.dll , est une application de lanceur utilisée par la menaceLes acteurs doivent lancer d'autres charges utiles avec des autorisations au niveau du système et installer une porte dérobée, se déplacer latéralement dans le réseau de la victime et exécuter à distance le code sur les systèmes violés. Comme mentionné précédemment, la société a corrigé le défaut de sécurité des spouleurs imprimés en 2022. Il a également corrigé les vulnérabilités imprimées précédemment exploitées en 2021. «Les clients qui n'ont pas encore mis en œuvre ces correctifs sont invités à le faire dès que possible pour la sécurité de leur organisation», a déclaré Microsoft dans son avis. De plus, la société recommande également de dé]]> 2024-04-23T22:47:49+00:00 https://www.techworm.net/2024/04/russia-apt28-hackers-exploit-windows-flaw.html www.secnews.physaphae.fr/article.php?IdArticle=8487554 False Malware,Tool,Vulnerability,Threat APT 28 3.0000000000000000 Dark Reading - Informationweek Branch An utterly innocuous feature in popular Git CDNs allows anyone to conceal malware behind brand names, without those brands being any the wiser.]]> 2024-04-23T19:33:37+00:00 https://www.darkreading.com/threat-intelligence/hackers-create-legit-phishing-links-with-ghost-github-gitlab-comments www.secnews.physaphae.fr/article.php?IdArticle=8487585 False Malware None 3.0000000000000000 Netskope - etskope est une société de logiciels américaine fournissant une plate-forme de sécurité informatique Netskope Threat Labs publie un article de blog de résumé mensuel des principales menaces que nous suivons sur la plate-forme NetSkope.Cet article vise à fournir une intelligence stratégique et exploitable sur les menaces actives contre les utilisateurs d'entreprise du monde entier.Le résumé OneDrive et SharePoint étaient en haut de la liste des principales applications cloud utilisées pour les téléchargements de logiciels malveillants.Les attaquants continuent [& # 8230;]

---

>Netskope Threat Labs publishes a monthly summary blog post of the top threats we track on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide. Summary OneDrive and SharePoint were on the top of the list of top cloud apps used for malware downloads. Attackers continue […] ]]> 2024-04-23T18:32:40+00:00 https://www.netskope.com/blog/netskope-threat-labs-stats-for-march-2024 www.secnews.physaphae.fr/article.php?IdArticle=8487560 False Malware,Threat,Cloud None 3.0000000000000000 Bleeping Computer - Magazine Américain A threat actor has been using a content delivery network cache to store information-stealing malware in an ongoing campaign targeting systems U.S., the U.K., Germany, and Japan. [...]]]> 2024-04-23T17:27:54+00:00 https://www.bleepingcomputer.com/news/security/coralraider-attacks-use-cdn-cache-to-push-info-stealer-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8487636 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) #### Targeted Geolocations - Ukraine - Estonia - Eastern Europe ## Snapshot WithSecure has published research about a backdoor called "Kapeka," tracked by Microsoft as "KnuckleTouch," used in attacks in Eastern Europe since mid-2022. Kapeka functions as a versatile backdoor, providing both initial toolkit capabilities and long-term access to victims. Its sophistication suggests involvement by an APT group. WithSecure links Kapeka to Sandworm, tracked by Microsoft as Seashell Blizzard, a notorious Russian nation-state threat group associated with the GRU known for destructive attacks in Ukraine. **Microsoft tracks Sandworm as Seashell Blizzard.** [Read more about Seashell Blizzard here.](https://sip.security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb) **Microsoft tracks Kapeka as KnuckleTouch. **[Read more about Knuckletouch here.](https://sip.security.microsoft.com/intel-profiles/cdbe72d9f5f1ee3b3f8cd4e78a4a07f76addafdcc656aa2234a8051e8415d282) ## Description Kapeka overlaps with GreyEnergy and Prestige ransomware attacks, all attributed to Sandworm. WithSecure assesses it\'s likely that Kapeka is a recent addition to Sandworm\'s arsenal. The malware\'s dropper installs the backdoor, collecting machine and user information for the threat actor. However, the method of Kapeka\'s distribution remains unknown. Kapeka\'s emergence coincides with the Russia-Ukraine conflict, suggesting targeted attacks across Central and Eastern Europe since 2022. It may have been involved in the deployment of Prestige ransomware in late 2022. Kapeka is speculated to succeed GreyEnergy in Sandworm\'s toolkit, possibly replacing BlackEnergy. ## References [https://labs.withsecure.com/publications/kapeka](https://labs.withsecure.com/publications/kapeka)]]> 2024-04-23T16:31:06+00:00 https://community.riskiq.com/article/364efa92 www.secnews.physaphae.fr/article.php?IdArticle=8487526 False Ransomware,Malware,Threat None 3.0000000000000000 HackRead - Chercher Cyber Par deeba ahmed Les pirates exploitent les commentaires de GitHub pour répandre les logiciels malveillants déguisés en téléchargements de logiciels Microsoft incitant les utilisateurs à télécharger des logiciels malveillants. Ceci est un article de HackRead.com Lire le post original: Les commentaires GitHub ont maltraité pour répandre les logiciels malveillants dans de faux référentiels Microsoft

---

>By Deeba Ahmed Hackers are exploiting GitHub comments to spread malware disguised as Microsoft software downloads tricking users into downloading malware. This is a post from HackRead.com Read the original post: GitHub Comments Abused to Spread Malware in Fake Microsoft Repositories]]> 2024-04-23T13:24:36+00:00 https://www.hackread.com/github-comment-malware-fake-microsoft-repositories/ www.secnews.physaphae.fr/article.php?IdArticle=8487415 False Malware None 3.0000000000000000 GoogleSec - Firm Security Blog The Reporting API is an emerging web standard that provides a generic reporting mechanism for issues occurring on the browsers visiting your production website. The reports you receive detail issues such as security violations or soon-to-be-deprecated APIs, from users\' browsers from all over the world. Collecting reports is often as simple as specifying an endpoint URL in the HTTP header; the browser will automatically start forwarding reports covering the issues you are interested in to those endpoints. However, processing and analyzing these reports is not that simple. For example, you may receive a massive number of reports on your endpoint, and it is possible that not all of them will be helpful in identifying the underlying problem. In such circumstances, distilling and fixing issues can be quite a challenge. In this blog post, we\'ll share how the Google security team uses the Reporting API to detect potential issues and identify the actual problems causing them. We\'ll also introduce an open source solution, so you can easily replicate Google\'s approach to processing reports and acting on them. How does the Reporting API work? Some errors only occur in production, on users\' browsers to which you have no access. You won\'t see these errors locally or during development because there could be unexpected conditions real users, real networks, and real devices are in. With the Reporting API, you directly leverage the browser to monitor these errors: the browser catches these errors for you, generates an error report, and sends this report to an endpoint you\'ve specified. How reports are generated and sent. Errors you can monitor with the Reporting API include: Security violations: Content-Security-Policy (CSP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) Deprecated and soon-to-be-deprecated API calls Browser interventions Permissions policy And more For a full list of error types you can monitor, see use cases and report types. The Reporting API is activated and configured using HTTP response headers: you need to declare the endpoint(s) you want the browser to send reports to, and which error types you want to monitor. The browser then sends reports to your endpoint in POST requests whose payload is a list of reports. Example setup:#]]> 2024-04-23T13:15:47+00:00 http://security.googleblog.com/2024/04/uncovering-potential-threats-to-your.html www.secnews.physaphae.fr/article.php?IdArticle=8493538 False Malware,Tool,Vulnerability,Mobile,Cloud None 3.0000000000000000 SecurityWeek - Security News Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations. ]]> 2024-04-23T12:50:57+00:00 https://www.securityweek.com/russian-cyberspies-deliver-gooseegg-malware-to-government-organizations/ www.secnews.physaphae.fr/article.php?IdArticle=8487450 False Malware,Tool APT 28 3.0000000000000000 Bleeping Computer - Magazine Américain North Korean hackers have been exploiting the updating mechanism of the eScan antivirus to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware. [...]]]> 2024-04-23T10:56:24+00:00 https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8487448 False Malware None 3.0000000000000000