New Browser-in-the-Browser (BitB) Phishing Attacks
  • Advisory

In this attack, a hacker uses JavaScript to display a pop-up window that is itself a phishing sham, tricking you into entering your account information; it is difficult to tell whether the window is real. The novel method abuses the third-party single sign-on (SSO) options embedded on websites that open a pop-up window for authentication, such as "Sign in with Google," Facebook, Apple, or Microsoft. The normal behaviour when signing in through these options is a pop-up window that completes the authentication process; the BitB attack replicates this entire process with a mix of HTML and CSS to construct an entirely fabricated browser window. The fabricated pop-up mimics a browser window inside the browser and spoofs a legitimate domain in its address bar, allowing for convincing phishing attacks. Furthermore, the BitB attack defeats the habit of hovering over a URL to judge whether it is legitimate: if JavaScript is enabled, that safeguard is ineffective, since the attacker controls what the fake window displays. The BitB technique therefore undermines both the assumption that the "https" designation marks a trusted site and the hover-over security check. Potential victims must first be redirected to a phishing domain that can display the fake authentication window in order to harvest credentials; once on the attacker's website, however, the user feels at ease entering credentials on what appears to be a legitimate site (because the displayed URL says so).

Hackers Using Fake Windows 11 Upgrade to Install Malware & Steal Information
  • Advisory

The malicious website used in the campaign is https://windows11-upgrade11[.]com.

According to CloudSEK, the threat actors behind this campaign are using a new malware named “Inno Stealer”, so called because of its use of the Inno Setup Windows installer. The loader file (Delphi-based) is the “Windows 11 setup” executable contained in the ISO; when launched, it dumps a temporary file named is-PN131.tmp and creates another .TMP file into which the loader writes 3,078 KB of data. The loader spawns a new process with the CreateProcess Windows API, establishes persistence, and plants four files.

Two of the four dropped files are Windows Command Scripts to disable Registry security, add Defender exceptions, uninstall security products, and delete the shadow volume.

The third file is a command-execution utility that runs with the highest system privileges, and the fourth is a VBA script required to run dfl.cmd.

At the second stage of the infection, a file with the .SCR extension is dropped into the C:\Users\\AppData\Roaming\Windows11InstallationAssistant directory of the compromised system.

That file is the agent that unpacks the info-stealer payload and executes it by spawning a new process named “Windows11InstallationAssistant.scr”, the same name as its own.
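As an added example (not from the advisory or from CloudSEK), the following Python flags the second-stage behaviour described above in process-creation telemetry: a .SCR image under the Windows11InstallationAssistant directory in AppData\Roaming, and a parent process of the same name. The `pid= ppid= image=` line format, the sample events and the user name `alice` are constructed for the demonstration, not taken from real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicators from the advisory: the second-stage .SCR is dropped under
# %APPDATA%\Windows11InstallationAssistant and spawns a child with its own name.
STAGE2_DIR = "\\appdata\\roaming\\windows11installationassistant\\"

# Constructed, simplified event format (assumption; not a real Sysmon/EDR schema).
LINE_RE = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+image=(.+?)\s*$")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one 'pid= ppid= image=' line; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(int(m.group(1)), int(m.group(2)), m.group(3))


def find_stage2_hits(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process matching the stage-2 indicators."""
    events = [e for e in map(parse_event, lines) if e is not None]
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        img = e.image.lower()
        if STAGE2_DIR not in img or not img.endswith(".scr"):
            continue
        reason = "scr_in_stage2_dir"
        parent = by_pid.get(e.ppid)
        # Advisory: the agent spawns a new process with the same name as itself.
        if parent is not None and parent.image.lower() == img:
            reason += "+self_spawn"
        hits.append((e.pid, reason))
    return hits


# Constructed sample events (not real telemetry); 'alice' is a made-up user.
SAMPLE_EVENTS = [
    r"pid=4120 ppid=812 image=C:\Windows\explorer.exe",
    r"pid=5208 ppid=4120 image=C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr",
    r"pid=5316 ppid=5208 image=C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr",
    r"pid=5400 ppid=4120 image=C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\readme.txt",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for pid, reason in find_stage2_hits(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```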

FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide
  • Advisory

BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.

Joker Trojan-Infected Android Apps Reappear on Google Play Store
  • Advisory

Bad actors download legitimate apps from the Play Store, modify them by embedding the trojan, and then upload the app back to the Play Store under a new name. The malicious payload is only activated once the app goes live on the Play Store, which lets the apps slip through Google’s strict evaluation process. Once installed, these apps request permissions that, once granted, give the apps access to critical functions such as text messages and notifications.

Government-Targeted Attacks Trigger State of Emergency in Costa Rica Due to Sustained Cyberattacks
  • Advisory

Conti is a ransomware-as-a-service (RaaS) that is thought to be controlled by a cybercrime group based in Russia. The group is known for targeting organizations where attacks could be lethal, such as hospitals, emergency number dispatch carriers, emergency medical services, and law enforcement. The group gains initial access by stealing Remote Desktop Protocol (RDP) credentials and sending phishing emails with malicious attachments. Conti also scans networks for valuable targets automatically, encrypting every file it finds and infecting all Windows operating systems. Conti behaves similarly to most ransomware, but it has been designed to be more efficient and evasive, as is the case with many modern extortion gangs. The Conti ransomware group, according to the FBI, has been responsible for hundreds of ransomware incidents over the last two years.

In this latest attack, the affected Costa Rican government agencies include the Ministry of Finance; the Ministry of Labor and Social Security; the Ministry of Science, Innovation, Technology and Telecommunications; the National Meteorological Institute; the Social Development and Family Allowances Fund; and the Interuniversity Headquarters of Alajuela, among others. However, the entire scope of the damage is not known.

Warning on a New Wave of Attacks Distributing Jester Malware
  • Advisory

The mass email campaign includes a link to a macro-laced Microsoft Excel file that, when opened, infects the computer with Jester Stealer. The attack requires the potential victim to open the link in the email, which redirects to a macro-enabled Microsoft Excel document, and then to enable the harmful macros; the document then infects them with Jester Stealer, which can exfiltrate login credentials, credit card data, and other sensitive information. Using statically configured proxy addresses, the hackers retrieve the stolen data via Telegram (e.g., over TOR). The malware also employs anti-analysis methods (anti-VM/debug/sandbox). Because it has no persistence mechanism, it deletes itself as soon as its operation is finished. In the new campaign, Jester Stealer steals data via HTTP: stolen authentication data is sent in HTTP POST requests to a web resource deployed on the Pipedream platform.
