malware analysis Archives - CISO MAG | Cyber Security Magazine

New Chinese Malware “CopperStealer” Thieving Credentials Saved by Browsers
https://staging-cisomagcom.kinsta.cloud/new-chinese-malware-copperstealer-thieving-credentials-saved-by-browsers/
Wed, 24 Mar 2021 09:46:00 +0000

Cybersecurity researchers discovered a new malware making rounds online via fake software sites that targeted popular service providers like Facebook, Google, Instagram, Amazon, and Apple. The undocumented malware, dubbed CopperStealer, is a specially crafted credentials and cookies stealer with a downloader that installs additional malicious payloads on targeted browsers.

Possible Links to Chinese Hackers

According to an investigation by Proofpoint, CopperStealer operates similarly to the SilentFade malware, which is linked to Chinese hackers who targeted Facebook’s ad platform between late 2018 and February 2019. “Proofpoint believes CopperStealer to be a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos,” Proofpoint said.

How CopperStealer Spreads

The threat actors behind the CopperStealer campaign were found to be using compromised accounts to run malicious ads and deliver additional malware to targeted systems.

The researchers identified certain suspicious websites, advertised as KeyGen, Crack, keygenninja, piratewares, startcrack, and crackheap, which hosted CopperStealer malware samples. All these sites have advertised themselves as software crack services to evade licensing restrictions and ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run malicious exploits to install additional malware payloads.

Proofpoint’s researchers stated that CopperStealer can locate and send saved browser passwords. The browsers the malware searches for saved Facebook credentials are:

  • Chrome
  • Edge
  • Yandex
  • Opera
  • Firefox

Once running, CopperStealer sends the exfiltrated data to the C2 server via a POST request to several targeted URIs. The exfiltrated data is placed under the info key of the request and encrypted; Proofpoint describes the scheme in the C2 traffic encryption section of its report.

“In addition to the saved browser passwords, the malware uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to,” Proofpoint explained.

Malware Analysis

The CopperStealer malware uses several basic anti-analysis techniques to avoid running on researcher systems. These include:

  • IsDebuggerPresent() check
  • GetSystemDefaultLCID() == 0x804 (Chinese (Simplified, PRC), zh-CN) check
  • Window/class enumeration looking for common analysis tools:
      • TCPViewClass
      • TStdHttpAnalyzerForm
      • HTTP Debugger
      • Telerik Fiddler
      • ASExplorer
      • Charles
      • Burp Suite
  • Device enumeration looking for indicators of virtualization:
      • VMware
      • virtual
      • vbox

“While CopperStealer isn’t the most nefarious credential/account stealer in existence, it goes to show that even with basic capabilities, the overall impact can be large. Findings from this investigation point towards CopperStealer being another piece of this ever-changing ecosystem. CopperStealer’s active development and use of DGA-based C2 servers demonstrate operational maturity as well as redundancy,” Proofpoint added.

30,000 Macs Affected by “Silver Sparrow” Mystery Malware
https://staging-cisomagcom.kinsta.cloud/silver-sparrow-malware/
Mon, 22 Feb 2021 09:51:24 +0000

Apple is known for its airtight security across its product line. However, a mystery malware dubbed “Silver Sparrow” has broken this myth by infecting nearly 30,000 Macs (29,139 to be precise) in over 153 countries worldwide. Researchers are scratching their heads trying to understand this malware because it sits on the infected machines still waiting for a payload to arrive. Usually, post-compromise, a payload is dropped that then carries out malicious activities; that is not the case here.

Analyzing the Silver Sparrow Malware

Red Canary’s blog post offers an in-depth analysis of how the malware was discovered, its targets, its operation, and how it affects Apple’s latest M1 chip. For those who want facts and figures, Silver Sparrow is currently the second known malware targeting the Apple M1 silicon chip; the first was discovered a week earlier by security researcher Patrick Wardle of Objective-See.

As per Red Canary, the Silver Sparrow malware has two versions:

  1. Version 1 IOCs

     File name: updater.pkg (installer package for v1)

     MD5: 30c9bc7d40454e501c358f77449071aa

  2. Version 2 IOCs

     File name: update.pkg (installer package for v2)

     MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149

[Image: Silver Sparrow malware binaries. Image Credit: Red Canary]

As shown in the above image, one version is a binary in Mach-O format compiled for Intel x86_64 processors and the other is a Mach-O binary for the M1 chip. The researchers believe these are “bystander binaries,” as they only display messages like “Hello World!” and “You did it!” when executed. As a precautionary measure, Apple has revoked the licenses of both binaries, effective immediately.


Silver Sparrow uses Apple’s system.run command for execution and is thus difficult to detect. Researchers found that every hour the malware contacts the command-and-control (C2) server for further instructions; none have been observed so far, which keeps the malware in stealth mode. Another interesting mechanism in Silver Sparrow is its self-destruct mode: a file check that, when triggered, removes all persistence mechanisms and scripts, leaving no trail of the attack vectors behind. Researchers say the presence of such a sophisticated mechanism in this malware is also a “mystery,” because it suggests the attackers were preparing for a stealthy, persistent attack rather than a simple intrude, spread, and exfiltrate operation.

Thankfully, there is still no known indication of any damage from this malware, but the fact that Red Canary’s researchers found these strains on Macs in the wild is worrisome. Red Canary’s blog post carries the complete list of Silver Sparrow IOCs.

MicroWorld and CERT-In Collaborate to Enhance Overall Cybersecurity in India
https://staging-cisomagcom.kinsta.cloud/microworld-and-cert-in-collaborate-to-enhance-overall-cybersecurity-in-india/
Tue, 03 Nov 2020 07:33:21 +0000

Cybersecurity solutions provider MicroWorld Technologies announced that it has signed a Memorandum of Understanding (MoU) with the Indian Computer Emergency Response Team (CERT-In) and the Ministry of Electronics and Information Technology (MeitY) for a cybersecurity collaboration. MicroWorld and CERT-In will work together to mitigate evolving cyberthreats and further enhance the overall cybersecurity posture of the country.

As per the MoU, MicroWorld will facilitate cooperation in detecting the latest cyberthreats, such as malware and botnet attacks. CERT-In will also provide a platform on its “Cyber Swachhta Kendra” (Botnet Cleaning and Malware Analysis Centre) website for users to access MicroWorld’s eScan antivirus bot removal toolkit, which lets users scan their Windows-based systems for adware, spyware, and other forms of malware. The Cyber Swachhta Kendra is part of the Government of India’s Digital India initiative and is operated by CERT-In.

Sanjay Bahl, Director General, CERT-In said, “As the complexity, frequency, and sophistication of malware continues to increase impacting the end user digital devices, there is a need for appropriate tools in the hands of citizens to safeguard themselves. The eScan tool from MicroWorld will help towards the vision of making India cyber swachh and build technical capacities within the country while safeguarding citizens from malware threats.”

Govind Rammurthy, Managing Director and CEO of MicroWorld Technologies, said, “IT security is a matter of grave concern in these trying times. eScan Antivirus Toolkit will be available through CERT-In’s Cyber Swachhta Kendra platform for users across the country to utilize for free and stay secure. We aim to secure the country’s cyberspace with our futuristic and proactive technology with the aim of defending against any malignant advances that would arise from the digital universe.”
