Dridex Malware Deploying Entropy Ransomware on Hacked Computers

Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a different name.

“The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text,” cybersecurity firm Sophos said in a report shared with The Hacker News.

The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency. In both cases, the deployment of Entropy was preceded by infecting the target networks with Cobalt Strike Beacons and Dridex, granting the attackers remote access.

Despite consistency in some aspects of the twin attacks, they also varied significantly with regards to the initial access vector used to worm their way inside the networks, the length of time spent in each of the environments, and the malware employed to launch the final phase of the invasion.

The attack on the media organization used the ProxyShell exploit to strike a vulnerable Exchange Server with the goal of installing a web shell that, in turn, was utilized to spread Cobalt Strike Beacons on the network. The adversary is said to have spent four months carrying out reconnaissance and data theft, ultimately paving the way for the ransomware attack in early December 2021.

The second attack on the regional government organization, on the other hand, was facilitated through a malicious email attachment containing the Dridex malware, using it to deploy additional payloads for lateral movement.

Notably, redundant exfiltration of sensitive data to more than one cloud storage provider – in the form of compressed RAR archives – transpired within 75 hours after the initial detection of a suspicious login attempt on a single machine, prior to encrypting the files on the compromised computers.

Chinese Experts Uncover Details of Equation Group’s Bvp47 Covert Hacking Tool

Researchers from China’s Pangu Lab have disclosed details of a “top-tier” backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA).

Dubbed “Bvp47” owing to numerous references to the string “Bvp” and the numerical value “0x47” used in the encryption algorithm, the backdoor was extracted from Linux systems “during an in-depth forensic investigation of a host in a key domestic department” in 2013.

The defense research group codenamed the attacks involving the deployment of Bvp47 “Operation Telescreen,” with the implant featuring an “advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design.”

Bvp47 is said to have been used on more than 287 targets in the academia, economic development, military, science, and telecom sectors located in 45 countries, mainly in China, Korea, Japan, Germany, Spain, India, and Mexico, all the while going largely undetected for over a decade.

The elusive backdoor is also equipped with a remote control function protected by an encryption algorithm; activating it requires the attacker’s private key, which the researchers said they found in the leaks published by the Shadow Brokers hacker group in 2016.

9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software

Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment.

“This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization,” SonarSource vulnerability researcher Simon Scannell said in a report.

An “all volunteer project,” the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.

The flaw, which was introduced as part of a code change pushed on November 30, 2012, is an “unusual” stored cross-site scripting vulnerability (aka persistent XSS) that allows an adversary to craft an OpenOffice document in such a manner that, when it’s previewed, it automatically executes an arbitrary JavaScript payload.

Stored XSS attacks arise when a malicious script is injected directly into a vulnerable web application’s server, such as a comment field of a website, causing the untrusted code to be retrieved and transmitted to the victim’s browser every time the stored information is requested.

“The vulnerability triggers when a targeted user views an attached OpenOffice document in the browser,” Scannell said. “As a result, an attacker can steal all emails the victim has sent and received.”

Even worse, should an administrator account be successfully compromised with a personalized, malicious email, the attacker could abuse this privileged access to take over the entire webmail server.

25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository

Another batch of 25 malicious JavaScript libraries has made its way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down.

The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.js, crypto-js, discord.js, marked, and noblox.js, DevOps security firm JFrog said, attributing the packages to “novice malware authors.”

The complete list of packages is below:

  • node-colors-sync (Discord token stealer)
  • color-self (Discord token stealer)
  • color-self-2 (Discord token stealer)
  • wafer-text (Environment variable stealer)
  • wafer-countdown (Environment variable stealer)
  • wafer-template (Environment variable stealer)
  • wafer-darla (Environment variable stealer)
  • lemaaa (Discord token stealer)
  • adv-discord-utility (Discord token stealer)
  • tools-for-discord (Discord token stealer)
  • mynewpkg (Environment variable stealer)
  • purple-bitch (Discord token stealer)
  • purple-bitchs (Discord token stealer)
  • noblox.js-addons (Discord token stealer)
  • kakakaakaaa11aa (Connectback shell)
  • markedjs (Python remote code injector)
  • crypto-standarts (Python remote code injector)
  • discord-selfbot-tools (Discord token stealer)
  • discord.js-aployscript-v11 (Discord token stealer)
  • discord.js-selfbot-aployscript (Discord token stealer)
  • discord.js-selfbot-aployed (Discord token stealer)
  • discord.js-discord-selfbot-v4 (Discord token stealer)
  • colors-beta (Discord token stealer)
  • vera.js (Discord token stealer)
  • discord-protection (Discord token stealer)

Discord tokens have emerged as lucrative means for threat actors to gain unauthorized access to accounts sans a password, enabling the operators to exploit the access to propagate malicious links via Discord channels.

Environment variables, stored as key-value pairs, are used to save information pertaining to the programming environment on the development machine, including API access tokens, authentication keys, API URLs, and account names.

Two rogue packages, named markedjs and crypto-standarts, stand out for their role as duplicate trojan packages in that they completely replicate the original functionality of well-known libraries marked and crypto-js, but feature additional malicious code to remotely inject arbitrary Python code.
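As an added example (not code from the article or from JFrog's research), the following Node.js script flags dependency names that resemble the popular packages the report names (colors, crypto-js, discord.js, marked, noblox.js). The legitimate-package list, the normalization rules, the distance threshold and the sample dependency list are all assumptions constructed for illustration.

```javascript
// Hypothetical allow-list of well-known packages the typosquats imitated.
const LEGIT = ["colors", "crypto-js", "discord.js", "marked", "noblox.js"];

// Levenshtein edit distance between two strings (classic DP table).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,                                   // deletion
        dp[i][j - 1] + 1,                                   // insertion
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1) // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Drop case, a trailing ".js" and separators so "colors-beta" -> "colorsbeta".
function normalize(name) {
  return name.toLowerCase().replace(/\.js$/, "").replace(/[-_.]/g, "");
}

// Heuristic: returns one finding per suspicious dependency name.
// False positives are possible (e.g. a real package close to "marked"),
// so treat hits as review candidates, not verdicts.
function flagTyposquats(deps, legit = LEGIT) {
  const findings = [];
  for (const dep of deps) {
    if (legit.includes(dep)) continue; // exact match: the genuine package
    const n = normalize(dep);
    for (const good of legit) {
      const g = normalize(good);
      let reason = null;
      if (n === g) reason = "same name after normalization";
      else if (n.length >= 4 && editDistance(n, g) <= 2) reason = "edit distance <= 2";
      else if (n.startsWith(g) || n.endsWith(g)) reason = "embeds legitimate name";
      if (reason) { findings.push({ name: dep, lookalike: good, reason }); break; }
    }
  }
  return findings;
}

// Constructed sample: a mix of genuine names and names from the report's list.
const SAMPLE_DEPS = ["colors", "colors-beta", "markedjs",
  "discord.js-selfbot-aployed", "noblox.js-addons", "express"];
console.log(flagTyposquats(SAMPLE_DEPS));
```

Run it against the `dependencies` keys of a package.json (or a lockfile) to surface names worth checking against the registry before installing.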

Hackers Stole $1.7 Million Worth of NFTs from Users of OpenSea Marketplace

Malicious actors took advantage of a smart contract upgrade process in the OpenSea NFT marketplace to carry out a phishing attack against 17 of its users that resulted in the theft of virtual assets worth about $1.7 million.

NFTs, short for non-fungible tokens, are digital tokens that act like certificates of authenticity for, and in some cases represent ownership of, assets that range from expensive illustrations to collectibles and physical goods.

The opportunistic social engineering scam swindled the users by copying the genuine email OpenSea had sent to notify users about the upgrade; the copycat email redirected the victims to a lookalike webpage and prompted them to sign a seemingly legitimate transaction, only to steal all their NFTs in one go.

“By signing the transaction, an atomicMatch_ request would be sent to the attacker contract,” Check Point researchers explained. “From there, the atomicMatch_ would be forwarded to the OpenSea contract,” leading to the transfer of the NFTs from the victim to the attacker.