NoGoolag
Hackers use fake Windows error logs to hide malicious payload

Hackers have been using fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks.

The trick is part of a longer chain with intermediary PowerShell commands that ultimately delivers a script for reconnaissance purposes.

Reading between the lines

MSP threat detection provider Huntress Labs discovered an attack scenario where a threat actor with persistence on a target machine tried to run an unusual trick to carry on with their attack routine.

The attacker had already gained access to the target system and achieved persistence. From this position, they used a file called "a.chk" that imitates a Windows error log for an application. The last column shows what seem to be hexadecimal values.

https://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-error-logs-to-hide-malicious-payload/

#trojan
Chinese bank forced western companies to install malware-laced tax software

GoldenSpy backdoor trojan found in a Chinese bank's official tax software, which the bank has been forcing western companies to install.

A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today.

The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China.

"Discussions with our client revealed that [the malware] was part of their bank's required tax software," Trustwave said today.

https://www.zdnet.com/article/chinese-bank-forced-western-companies-to-install-malware-laced-tax-software/

#china #malware #trojan
FinSpy: unseen findings

FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to 2018. Since that year, we observed a decreasing detection rate of FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader. We were unable to cluster those packages until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan.

Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time.

We decided to share some of our unseen findings about the actual state of FinSpy implants. We will cover not only the version for Windows, but also the Linux and macOS versions, since they have a lot of internal structure and code similarities.

The full details of this research, as well as future updates on FinSpy, are available to customers of the APT reporting service through our Threat Intelligence Portal.

https://securelist.com/finspy-unseen-findings/104322/


#FinSpy #FinFisher #Wingbird #surveillance #malware #trojan
#HIV #PASSPORTS ARE THE NEW GLOBALIST #TROJAN HORSE

#AIDS is the new trojan horse for digital IDs, now linked to sex and HIV status.

First they used travel bans and Covid19 fearmongering, but it didn't work to get a large enough number of the young hooked on digital IDs to balance those resisting them, so now they are using sex and the fear of AIDS to usher in their digital ID system for the next generations.

You heard it here first.

And yes, repeated boosters will compromise the immune system leading to V-AIDS (vaccine acquired immuno-deficiency syndrome) which will be misdiagnosed as HIV caused AIDS, and splices of HIV in the "vaccine" mRNA spike protein coding will make it more likely for the "vaccinated" to PCR test positive for HIV, starting the new PCR pseudoepidemic of false testing.

Robin Monotti & Cory Morningstar

t.me/robinmg

2015 gain of function research confirming HIV pseudovirus used in SARSCOV made in Wuhan https://t.me/robinmggroup/635262

Montagnier confirming HIV RNA is in the SARSCOV2 virus itself https://t.me/robinmg/15545

HIV "clamp" in C19 "vaccine" attempt they claim was paused yet was it any different to other mRNA injections?
https://t.me/robinmg/15601

Pfizer-BioNTech & HIV protein in the C19 injections
https://t.me/robinmg/15605

P.S.
For the record, the HIV virus and the AIDS disease are separate issues, as what was called AIDS was the result of the overdosing of the pharmaceutical "cure" called "AZT", which was instead a toxin, in pretty much the same way that the C19 "vaccine" and repeated "boosters" are toxins which make SARSCOV2 infection both more likely and worse in outcome.

Reference article:
"The rise and fall of AZT: It was the drug that had to work. It brought hope to people with HIV and Aids, and millions for the company that developed it. It had to work. There was nothing else. But for many who used AZT - it didn't"
https://www.independent.co.uk/arts-entertainment/the-rise-and-fall-of-azt-it-was-the-drug-that-had-to-work-it-brought-hope-to-people-with-hiv-and-aids-and-millions-for-the-company-that-developed-it-it-had-to-work-there-was-nothing-else-but-for-many-who-used-2320491.html

#id
Mystic Stealer | Zscaler – June 2023

Mystic Stealer is a fresh stealer lurking in the cyber sphere, noted for its data theft capabilities, obfuscation, and an encrypted binary protocol that enables it to stay under the radar and evade defenses.

Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications. The approach used by Mystic Stealer is similar to what was reported for Arkei Stealer.


#Malware #MysticStealer #Trojan
When Governments Attack: Nation-State Malware Exposed – 2015

Cyberwar takes place every single day, all around us. We don't see it and we're not always directly affected by it, but we share the cost of every attack. Be that through monetary loss, services we cannot use, or even with the omnipresent backdrop that something might go down somewhere, malicious cyber activities perpetrated by nation-state threat-actors are on the rise.
It makes sense, really. You see how stupendously effective "regular" malware is. How easy is it to pick up an infection from an errant spam email, or for someone to plug an infected USB stick into a computer?
It stands to reason that governments with access to vast pools of knowledge, colossal funding, and an insurmountable desire to be one step ahead of both ally and enemy would realize the value in deploying incredibly sophisticated spyware and malware variants.
Let's take a look at some of the most famous nation-state threats we're aware of.


#spyware #malware #trojan
#cyberwar
Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics - Securonix – June 2023

An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password protected zip file. Some of the victims targeted by the MULTI#STORM campaign appear to be in the US and India.

The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection chain.


#RAT #MultiStorm #Trojan #JS #Python #malware #India #US
Cyberkid1987@defcon.social - Near-Ultrasound Inaudible Trojan: Exploit smartphone speaker voice assistants with inaudible sound to perform commands

NUIT is a novel inaudible attack against voice assistants (Siri, Google Assistant, Alexa, Cortana) that can be waged remotely through the internet. NUIT appears as a sound clip in the near-ultrasound frequency range (16kHz-20kHz), thus it can be played on the victim's COTS speaker to attack the voice assistant (i) on the same device (NUIT-1); (ii) on the victim's other devices (NUIT-2).

Note that NUIT-2 is between two phones (Device 1 performs as the attacking device or the speaker; Device 2 is the victim device, whose voice assistants are the NUIT-2 attacks' target).

NUIT Attack – https://sites.google.com/view/nuitattack/home

#NUIT #Trojan
Evasive Panda leverages Monlam Festival to target Tibetans | ESET

ESET researchers discovered a #cyberespionage campaign that, since at least September 2023, has been victimizing Tibetans through a targeted watering hole, and a supply-chain compromise to deliver trojanized installers of Tibetan language translation software. The attackers aimed to deploy malicious downloaders for Windows and macOS to compromise website visitors with MgBot and a backdoor that, to the best of our knowledge, has not been publicly documented yet; we have named it #Nightdoor.

#EvasivePanda (also known as #BronzeHighland and #Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. Government entities were targeted in Southeast and East Asia, specifically China, Macao, Myanmar, The Philippines, Taiwan, Vietnam, China and Hong Kong, India, and Malaysia.

#APT #Trojan #Tibet
Playing Possum: What's the Wpeeper Backdoor Up To? | XLab_qianxin

On April 18, 2024, XLab's threat hunting system detected an ELF file with zero detections on VirusTotal being distributed through two different domains. One of the domains was marked as malicious by three security firms, while the other was recently registered and had no detections, drawing our attention. Upon analysis, we confirmed that this ELF was malware targeting Android systems, utilizing compromised WordPress sites as relay C2 servers, and we named it Wpeeper.

Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands.

Via @androidmalware
#Android #Trojan #Possum #Wpeeper
#WordPress
Arid Viper poisons Android apps with AridSpy | WeLiveSecurity

ESET researchers have identified five campaigns targeting Android users with trojanized apps. Most probably carried out by the Arid Viper APT group, these campaigns started in 2022 and three of them are still ongoing at the time of the publication of this blogpost. They deploy multistage Android spyware, which we named AridSpy, that downloads first- and second-stage payloads from its C&C server to assist it in avoiding detection.

The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app. Often these are existing applications that had been trojanized by the addition of AridSpy's malicious code.

Via @androidmalware
#Palestine #Egypt #AridSpy #Android
#Trojan #AridViper #APT