A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks.

According to penetration tester and security researcher, who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).

While the default behaviour when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.

images from Hacker News

Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems.

Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. The ultimate objective of the campaign remains presently unknown.

“The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads,” Proofpoint researchers said in a report shared with The Hacker News.

The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union’s General Data Protection Regulation (GDPR).

Enabling the macros results in its execution, which retrieves a seemingly harmless image file hosted on a remote server but actually contains a Base64-encoded PowerShell script that’s obscured using steganography, a little-used method of concealing malicious code within an image or audio in order to circumvent detection.

images from Hacker News

Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been luring unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips.

Cybersecurity company Sophos, which has named the organized crime campaign “CryptoRom,” characterized it as a wide-ranging global scam.

“This style of cyber-fraud, known as sha zhu pan (杀猪盘) — literally ‘pig butchering plate’ — is a well-organized, syndicated scam operation that uses a combination of often romance-cantered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence,” Sophos analyst Jagadeesh Chandraiah said in a report published last week.

The campaign works by approaching potential targets through dating apps like Bumble, Tinder, Facebook Dating, and Grindr, before moving the conversation to messaging apps such as WhatsApp and urging the victims to install a cryptocurrency trading application that’s designed to mimic popular brands and lock people out of their accounts and freeze their funds.

images from Hacker News

Luxury hotels in the Chinese special administrative region of Macau were the target of a malicious spear-phishing campaign from the second half of November 2021 and through mid-January 2022.

Cybersecurity firm Trellix attributed the campaign with moderate confidence to a suspected South Korean advanced persistent threat (APT) tracked as DarkHotel, building on research previously published by Zscaler in December 2021.

Believed to be active since 2007, DarkHotel has a history of striking “senior business executives by uploading malicious code to their computers through infiltrated hotel Wi-Fi networks, as well as through spear-phishing and P2P attacks,” Zscaler researchers Sahil Antil and Sudeep Singh said. Prominent sectors targeted include law enforcement, pharmaceuticals, and automotive manufacturers.

The attack chains involved distributing email messages directed to individuals in executive roles in the hotel, such as the vice president of human resources, assistant manager, and front office manager, indicating that the intrusions were aimed at staff who were in possession of access to the hotel’s network.

In one phishing lure sent to 17 different hotels on December 7, the email purported to be from the Macau Government Tourism Office and urged the victims to open an Excel file named “信息.xls” (“information.xls”). In another case, the emails were faked to gather details about people staying in the hotels.

images from Hacker News

A financially motivated threat actor has been observed deploying a previously unknown rootkit targeting Oracle Solaris systems with the goal of compromising Automatic Teller Machine (ATM) switching networks and carrying out unauthorized cash withdrawals at different banks using fraudulent cards.

Threat intelligence and incident response firm Mandiant is tracking the cluster under the moniker UNC2891, with some of the group’s tactics, techniques, and procedures sharing overlaps with that of another cluster dubbed UNC1945.

The intrusions staged by the actor involve “a high degree of OPSEC and leverage both public and private malware, utilities, and scripts to remove evidence and hinder response efforts,” Mandiant researchers said in a new report published this week.

Even more concerningly, the attacks spanned several years in some cases, during the entirety of which the actor remained undetected by taking advantage of a rootkit called CAKETAP, whic is designed to conceal network connections, processes, and files.

Mandiant, which was able to recover memory forensic data from one of the victimized ATM switch servers, noted that one variant of the kernel rootkit came with specialized features that enabled it to intercept card and PIN verification messages and use the stolen data to perform fraudulent cash withdrawals from ATM terminals.

images from Hacker News