Cyber Security Weekly Recap (06-12 March)

Cyber Security Weekly Recap 06 12.03 1024x632

The BATLOADER malware uses Google advertisements to spread additional malware.

A malware downloader named BATLOADER has been seen misusing Google Ads to spread additional malware such as Vidar Stealer and Ursnif.

The cybersecurity firm eSentire claims that companies like Adobe, OpenAPI’s ChatGPT, Spotify, Tableau, and Zoom are just some of the targets that are being spoofed by the malicious ads.

BATLOADER is a loader that is used to spread other types of malware, like information stealers, banking malware, Cobalt Strike, and even ransomware. What is specific about this loader is that it uses software impersonation techniques in order to achieve its malicious goals.

The people behind BATLOADER make fake websites that store Windows installation files disguised as real products. When someone looking for the software clicks on a fake ad on Google’s search results page, the infection process begins.

Analysis of BATLOADER samples by eSentire has found new features that make it easier for the malware to get into corporate networks.The apps that BATLOADER tries to impersonate vary, but most of them are quite popular on corporate networks and, as such, provide more fruitful entry points for monetization through fraud or hands-on-keyboard invasions.

An updated version of the Prometei Botnet has infected over 10,000 systems around the world.

Since November 2022, the updated version of a botnet called Prometei has been running on tens of thousands of computers around the world.The bulk of reported victims are from Brazil, Indonesia, and Turkey, indicating that the infections are both globally random and opportunistic.

Prometei was found for the first time in 2016. It is a modular botnet with many different parts and many ways to spread, including taking advantage of ProxyLogon vulnerabilities in Microsoft Exchange Server.Furthermore, it is noteworthy that Russia was not directly targeted, which suggests that the threat actors behind the operation are headquartered in Russia.

According to a study by Cisco Talos, the newest version of Prometei (named v3) enhances its current functionality to bypass forensic analysis and establishes access to target PCs. Financial gain is the driving force behind the cross-platform botnet, which uses its compromised machines for things like bitcoin mining and credential harvesting.

Spyware aimed against unpatched SonicWall SMA devices is being spread by China-linked hackers.

SonicWall Secure Mobile Access (SMA) devices without the latest security patches have been the focus of a hacking effort that may have originated in China. According to a technical analysis published by cybersecurity firm Mandiant, the malware may collect user passwords, allow shell access, and persist through firmware updates. The incident response and threat intelligence organization owned by Google is keeping tabs on the hacking campaign under the codename UNC4540.

The malicious software is designed to give the attacker administrative access to SonicWall devices; it consists of a set of bash scripts and a single ELF file recognized as a TinyShell backdoor. Further details reveal that credential theft appears to be the overarching goal of the bespoke toolkit, since the malware allows the attackers to steal cryptographically hashed credentials from all logged-in users.

While the attack’s original point of entry remains a mystery, it is believed that the malware was likely placed on the devices as early as 2021 by exploiting well-documented security holes.

In relation to the disclosure, new security features, such as File Integrity Monitoring (FIM) and anomalous process detection, have been introduced in SonicWall version 10.2.1.7.

PlugX Malware is being disseminated by flaws in remote desktop software.

According to a report from AhnLab’s Security Emergency Response Center (ASEC), malicious actors are exploiting flaws in remote desktop clients like Sunlogin and AweSun to install malicious software on compromised machines.

The selection of malware includes the post-exploitation framework Sliver, the bitcoin miner XMRig, the Gh0st RAT, and the Paradise ransomware with the most recent addition to this set being PlugX.

From what has been revealed, it seems that Chinese threat actors have made considerable use of the modular malware, and new functionalities are constantly being added to make system control and data theft easier.

The attacks that are observed indicate that, after the vulnerabilities are exploited, the attackers then use a PowerShell command to download an executable and a DLL file from a remote server. In order to load the DLL file and execute the PlugX payload in memory, the executable masquerades as a genuine HTTP Server Service from cybersecurity firm ESET.

A report published by Security Joes in September 2022 reveals that, PlugX operators rely on a wide range of trusted binaries that are susceptible to DLL Side-Loading. This includes a large number of anti-virus executables.

New HiatusRAT malware secretly spies on victims using business-grade routers.

A never-before-seen strain of malware that specifically targets business-grade routers has been secretly spying on victims in South America, Europe, and North America. It is suspected that the malware has been operational since at least July 2022 as part of the stealthy campaign known as Hiatus.

According to Lumen Black Lotus Laboratories, the campaign has been found to deploy a remote access Trojan known as HiatusRAT and a modified version of tcpdump that allows packet capture on the target device. The company’s report reveals that once a targeted system is infected with HiatusRAT, the threat actor can remotely interact with the system and use prebuilt features to turn the hacked computer into a covert proxy. Using the packet-capture binary, the attacker can keep tabs on the router’s email and file-transfer activity.

It is thought that the goal of the attack campaign is to spy on targets and set up a secret proxy network, since the devices that are being attacked are high-bandwidth routers that can handle hundreds of VPN connections at once.

Researchers share the opinion that that the fact that Hiatus exists indicates that hackers are still looking for new ways to break into routers. This highlights the need for securing the router ecosystem, periodically monitoring and rebooting them, applying any available updates, and replacing any routers that have reached the end of their useful lives.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment