Malware Archives | Vednam
https://vednam.com/tag/malware/
Latest News on Cyber Security, Hacking and Tech

How does AuKill malware work?
https://vednam.com/how-does-aukill-malware-work/
Sat, 29 Apr 2023 06:34:06 +0000

AuKill Malware Actively Used to Disable EDR in Ongoing Attacks

The cybersecurity landscape is constantly evolving, and attackers are always finding new ways to breach security systems. Recently, a new malware called AuKill has been discovered, which is actively being used to disable Endpoint Detection and Response (EDR) systems in ongoing attacks.

EDR is a crucial security tool used by many organizations to detect and respond to cyber threats in real-time. It monitors endpoints like computers and mobile devices for any suspicious activity and alerts security teams if it detects anything unusual. However, AuKill malware is specifically designed to evade EDR systems, making it a significant threat to organizations.

How does AuKill malware work?

AuKill malware is typically delivered through a phishing email, a fake software update, or a malicious website. Once it infects a system, it immediately starts to disable EDR systems by killing their processes and deleting their files. This allows the attackers to carry out their activities without being detected by the EDR system.

AuKill malware is also designed to avoid detection by traditional antivirus software. It uses several techniques, including encryption and code obfuscation, to evade detection and bypass security measures.

What can organizations do to protect themselves?

The best way for organizations to protect themselves from AuKill malware is to implement a multi-layered security approach. This includes:

1. User education: Educate employees on how to identify phishing emails, fake software updates, and malicious websites. Conduct regular security awareness training sessions to keep employees informed about the latest threats.

2. Endpoint protection: Implement endpoint protection software that can detect and block malware, including AuKill. This software should be regularly updated to ensure that it can detect the latest threats.

3. Network segmentation: Segment your network to prevent the spread of malware in case of a breach. This can help contain the damage and limit the impact of the attack.

4. Incident response plan: Develop an incident response plan to guide your organization’s response to a cyber attack. This plan should include procedures for isolating infected systems, restoring data, and communicating with stakeholders.

Conclusion

AuKill malware is a serious threat to organizations that use EDR systems. It is highly effective at evading detection and disabling security measures, allowing attackers to carry out their activities undetected. By implementing a multi-layered security approach that includes user education, endpoint protection, network segmentation, and an incident response plan, organizations can better protect themselves from this and other cyber threats.

Chinese bank: Malware Embedded Tax Software are Forcefully Installed
https://vednam.com/chinese-bank-malware-tax-software/
Fri, 26 Jun 2020 13:36:13 +0000

This Advanced Persistent Threat (APT) campaign is aimed at stealing sensitive information from corporations operating in China.

The GoldenSpy malware was observed by Trustwave SpiderLabs during a threat hunting operation conducted on behalf of its UK-based technology client.

GoldenSpy Malware Hidden in Tax Software

Trustwave observed that, in April 2020, the GoldenSpy backdoor was found embedded in the Aisino Intelligent Tax software suite.

The tax software suite is mandatory for all corporations operating in China; businesses install it to enable payment of local taxes.

The Intelligent Tax software is expected to handle tax operations, but in the background, two hours after download, it executes a file called svminstaller.exe, which downloads two further executables called svm.exe and svmm.exe.


The files are downloaded from the URL download.ningzhidata.com. Svm.exe (GoldenSpy) is responsible for gathering information and sending the data to www.ningzhidata[.]com via port 9006.

svm and svmm are installed as auto-start services and execute with system-level privileges; if the process is killed, it restarts automatically.

At this point we are unable to determine how widespread this software is. We currently know of one targeted technology/software vendor and a similar incident at a major financial institution, but, as the report says, the issue could be leveraged against countless companies operating and paying taxes in China, or it may be targeted at only a select few organizations with access to vital information.

Corporations that have installed the tax software are at high risk, and their privacy is also affected, because the backdoor into their network can be used by a threat actor to compromise the network, leading to a data breach in which companies may lose sensitive information.

NETWORK COMMUNICATIONS

GoldenSpy (svm.exe) communicates with ningzhidata[.]com to send data and receive commands. The researchers observed that "Domains and subdomains have resolved to a number of IP addresses. However, based on their certificates, most are part of a cloud CDN and appear to only host downloads."

[Image: network patterns]

The following ports are used for communications:

  • Ports 9005 and 9006: used for svm.exe network traffic
  • Port 9002: used for the update service, which requests the link to download the svm.exe malware
  • Port 8090: not observed directly in our analysis, but there are indicators on public scan sites that svm is downloaded from this port in some circumstances
  • Port 33666: used by the Golden Tax software during installation

Trustwave SpiderLabs published this complete report.
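As an added example (not from the article or from Trustwave), the following Python script shows how a defender could match the indicators listed above against outbound connection logs. The log line format, the sample lines and the IP addresses are constructed for this illustration; only the domain, the ports and the executable names come from the article. A domain or process-name match is treated as high confidence, while a bare port match is reported as low confidence, since ports such as 8090 are used by plenty of legitimate software.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the Trustwave findings summarised in the article.
GOLDENSPY_DOMAIN = "ningzhidata.com"
GOLDENSPY_PORTS = {9002, 9005, 9006, 8090, 33666}
GOLDENSPY_PROCESSES = {"svminstaller.exe", "svm.exe", "svmm.exe"}

# Constructed sample egress log (hypothetical "src -> dst:port host= proc=" format,
# with documentation-range IP addresses; not real traffic).
SAMPLE_LOG = """\
2020-06-20T10:01:02Z 10.0.0.15 -> 203.0.113.8:9006 host=www.ningzhidata.com proc=svm.exe
2020-06-20T10:01:05Z 10.0.0.15 -> 203.0.113.9:443 host=download.ningzhidata.com proc=svminstaller.exe
2020-06-20T10:02:11Z 10.0.0.22 -> 198.51.100.4:443 host=update.example.com proc=chrome.exe
2020-06-20T10:03:30Z 10.0.0.31 -> 203.0.113.20:9002 host=- proc=svmm.exe
2020-06-20T10:04:00Z 10.0.0.40 -> 198.51.100.7:8090 host=- proc=java.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"host=(?P<host>\S+) proc=(?P<proc>\S+)$"
)


def matches_domain(host: str) -> bool:
    """True for the indicator domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == GOLDENSPY_DOMAIN or host.endswith("." + GOLDENSPY_DOMAIN)


def scan_line(line: str) -> Optional[List[str]]:
    """Return the list of indicator categories a log line matches
    (in the fixed order domain, port, process), or None if the line
    does not parse so the caller can count unparseable input."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    reasons: List[str] = []
    if matches_domain(m["host"]):
        reasons.append("domain")
    if int(m["port"]) in GOLDENSPY_PORTS:
        reasons.append("port")
    if m["proc"].lower() in GOLDENSPY_PROCESSES:
        reasons.append("process")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan every non-empty line and report hits with a confidence level."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = scan_line(line)
        if not reasons:
            continue
        strong = "domain" in reasons or "process" in reasons
        hits.append({
            "line": number,
            "reasons": reasons,
            "confidence": "high" if strong else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

In practice the port-only hits are what you would review manually or correlate with a process-name source (an EDR process log, or the Windows service list for svm/svmm), while domain and process hits are worth an immediate isolation of the host.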

What is Computer Worm? How does it work ?
https://vednam.com/what-is-computer-worm-how-does-it-work/
Mon, 22 Jun 2020 14:02:54 +0000

What is a Computer Worm?

A computer worm is a member of the malware family that spreads copies of itself from computer to computer. Worms can activate and carry out their tasks without any human interaction and do not need to attach themselves to any software program in order to cause damage.

How does it work?

Worms can be transmitted through software vulnerabilities, and some worms arrive as attachments in spam emails or instant messages. When the file is opened, it may contain a link to a malicious website or automatically download the worm. After that, the installation process starts and the worm works silently on the machine without the user's knowledge.

Worms can modify and delete files and even inject additional malicious software onto a computer. Sometimes a computer worm's only purpose is to make copies of itself over and over, which consumes hard drive space or bandwidth and overloads a shared network. Some worms can steal data and install a backdoor, allowing hackers to gain control of the entire system.

Famous Computer Worm

Around July 2010, the first computer worm used as a cyber weapon was discovered by security researchers after a long string of incidents in Iran.

The worm is named "Stuxnet". It attracted the interest of high-profile specialists around the world. Analysis showed that the worm was designed to attack an Iranian power plant with the ultimate goal of sabotaging nuclear weapon production. But in the end it failed, and the vulnerabilities it used were found.

How do you know if there is a computer worm on your system?

If you suspect that your system is infected by a computer worm, run a scan immediately with an anti-virus. If the scan does not help and the result is negative, follow the steps below:

  1. Keep an eye on your hard drive space: a worm can consume the free space on your computer.
  2. Look for missing files: a computer worm can delete and replace files on a computer.
  3. Monitor performance and speed: watch for lagging and crashing, or processing that feels slow.
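The first two checks above can be automated with a file-integrity baseline: hash every file once, then compare later snapshots to find files that vanished or were silently replaced. The Python script below is an added example, not part of the article; it builds a small constructed directory tree, takes a baseline, simulates the symptoms the article lists, and reports the differences, with a free-space check alongside.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_file():
                result[path.relative_to(root).as_posix()] = hash_file(path)
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that vanished, files whose contents changed, and files that appeared."""
    return {
        "missing": sorted(set(before) - set(after)),
        "replaced": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
        "new": sorted(set(after) - set(before)),
    }


def low_disk_space(path: str, min_free_ratio: float = 0.10) -> bool:
    """True when less than min_free_ratio of the volume holding path is free."""
    usage = shutil.disk_usage(path)
    return usage.free / usage.total < min_free_ratio


def demo() -> Dict[str, List[str]]:
    """Build a constructed directory, baseline it, then simulate the symptoms the
    article lists: a deleted file, a replaced file and an unexpected new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original program bytes")
        (root / "readme.txt").write_text("documentation")
        baseline = snapshot(root)

        (root / "readme.txt").unlink()                                  # deleted
        (root / "bin" / "app.exe").write_bytes(b"overwritten program")  # replaced
        (root / "bin" / "dropper.exe").write_bytes(b"unexpected file")  # new
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
    print("low disk space:", low_disk_space("."))
```

For real use the baseline would be stored off-host (a worm that replaces files can just as easily replace a baseline kept next to them) and the scan scheduled against system and application directories rather than a temporary folder.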

 

Cryptocurrency Miners : Affect European Airport Workstation by 50%
https://vednam.com/cryptocurrency-miners-affect-european-airport-workstation-by-50/
Tue, 16 Jun 2020 18:16:43 +0000

This article is about cryptocurrency miners that infected about 50% of the workstations at a European international airport.

The malware affected the airport's entire system.

Suspected Malware

According to researchers, the malware was discovered while installing Endpoint Detection and Response (EDR). EDR is an advanced behavioral detection and threat hunting platform that helps detect such issues.

When EDR was rolled out at the international airport in Europe, the researchers identified an interesting crypto-mining infection: cryptocurrency mining software was installed on more than 50% of the airport's workstations, as the media reported.

The malware was detected and associated with the Anti-CoinMiner campaign reported by Zscaler in 2018. Based on its behavior of spawning multiple processes over a short time frame, the malware was presumed to be a bitcoin miner.

The initial infection path is not traceable right now, nor how the malware got onto the workstations, even though all workstations at the airport run an industry-standard AV solution, which also did not detect the malicious activity.

The threat actor used reflective DLL loading, a typical evasion tactic that can mask the loading or installation of the malware files. The malware had been in use for months before the installation of EDR.

According to the media, since the malware happened to be a cryptocurrency miner, the business impact was relatively minor and limited to performance degradation, which can lead to reduced quality of service and service interruptions, and to an increase in power consumption throughout the airport.

Modifications by the attackers

The malware took the highest privileges possible, giving it priority over any application for the workstation's resources. The threat actors modified the malware's techniques so that it would be more challenging to identify on an infected computer.

Takeaway

The best way to protect the systems is for the company to run AV together with EDR for the prevention and detection of malware, rather than using AV alone.

If you have any suggestions for this Cryptocurrency Miners article, let me know in the comment section. Thank you.

AWS S3 Buckets again Exploit by the Hackers
https://vednam.com/aws-s3-buckets-again-exploit-by-the-hackers/
Sat, 13 Jun 2020 05:09:03 +0000

Many times I have written about AWS S3, and each time the same exploitation happens with the service. Threat actors are continuously leveraging misconfigured AWS S3 data storage buckets to slip malicious code into websites in order to steal credit card details and conduct malvertising campaigns.

The Whole Scenario

  1. In May, researchers from the cybersecurity firm RiskIQ discovered three compromised websites owned by Endeavor Business Media hosting JavaScript skimming code, the classic method embraced by Magecart, an association of several hacker groups that target online shopping cart systems.
  2. The three affected websites host content and chat forums related to emergency services provided by police officers, firefighters, and security professionals.
  3. In virtual credit card skimming attacks, also called formjacking, the Magecart operator secretly inserts JavaScript code into a compromised website, usually on payment pages, to steal customers' card details, which are later transferred to a remote hacker-controlled server.

Misconfigured S3 Buckets

  1. In July 2019, Magecart conducted a similar campaign that exploited insecure AWS S3 buckets to feed virtual credit card skimmers to 17,000 domains.
  2. Starting in April 2019, a malicious script named "jqueryapi1oad" was employed in a malvertising operation that has impacted 277 unique hosts so far. The threat actors behind the code used misconfigured S3 buckets.
  3. Among the affected sites was futbolred[.]com, a Colombian soccer news site in the top 30,000 of the global Alexa ranking, which had misconfigured AWS S3 storage buckets.
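The misconfiguration these campaigns depend on is a bucket that anyone on the internet can write to, so that a script already served from the bucket can be overwritten with a skimmer. As an added example (not from the article, RiskIQ or AWS), the Python below checks a bucket policy document and a bucket ACL for that condition, showing a permissive policy beside a hardened one. The policies, grants and the account ID 123456789012 are constructed placeholders; the checks use only the standard policy and ACL shapes, so the same functions can be pointed at the output of the real `get_bucket_policy` and `get_bucket_acl` calls.

```python
import json
from typing import Any, Dict, Iterable, List

# Actions that let a caller add or change objects in the bucket, which is what a
# skimmer injection needs. Wildcards are included because "s3:*" covers them all.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}

# ACL grantee URIs that mean "everyone" or "every AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True when the Principal is "*" or {"AWS": "*"} in any of its forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_write_statements(policy_json: str) -> List[str]:
    """Return the Sids (or positional labels) of unconditioned Allow statements
    that grant write actions to an anonymous principal."""
    policy = json.loads(policy_json)
    offenders: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition narrows the grant; such statements deserve a manual look
            # rather than an automatic verdict, so they are skipped here.
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & WRITE_ACTIONS:
            offenders.append(stmt.get("Sid", f"Statement[{index}]"))
    return offenders


def acl_allows_public_write(grants: Iterable[Dict[str, Any]]) -> bool:
    """Check ACL grants (the shape returned by get_bucket_acl) for WRITE or
    FULL_CONTROL given to the AllUsers or AuthenticatedUsers groups."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            if grant.get("Permission") in {"WRITE", "FULL_CONTROL"}:
                return True
    return False


# Constructed sample inputs (placeholder bucket name and account ID, not real).
PUBLIC_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "DeployRoleWrites", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})

PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]
PRIVATE_ACL_GRANTS = PUBLIC_ACL_GRANTS[:1]


if __name__ == "__main__":
    print("public-write statements:", find_public_write_statements(PUBLIC_WRITE_POLICY))
    print("hardened policy:", find_public_write_statements(HARDENED_POLICY))
    print("ACL public write:", acl_allows_public_write(PUBLIC_ACL_GRANTS))
```

Public reads are left alone because a bucket that serves site assets is meant to be readable; what the hardened policy removes is the anonymous write path, restricting it to a single deployment role. Enabling S3 Block Public Access on the account closes the same hole at a higher level, but a policy and ACL audit like this one is still how you find buckets that were already exposed.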

Credit card skimming

  1. A company named NutriBullet suffered a Magecart attack in February 2020. A week later, RiskIQ discovered a JavaScript skimmer placed on the NutriBullet website; the skimmer was inserted on the payment pages. Magecart targeted a resource, the jQuery JavaScript library.
  2. In March 2020, researchers from Malwarebytes spotted a credit card skimmer embedded in the website of Tupperware, a food storage company. The Magecart attackers exploited vulnerabilities in the website to insert a malicious module that siphoned the credit card details shoppers entered into payment forms to complete transactions.

Needless to Say

Malicious actors have been exploiting misconfigured AWS S3 buckets to insert their code into multiple websites for quite some time now.

If you have any suggestions for this, you can drop a comment below.

Popular Cyber Security APIs for 2020 | What are benefits ?
https://vednam.com/popular-cyber-security-apis-for-2020/
Sun, 07 Jun 2020 07:14:45 +0000

The latest technology has changed the world and the thought process of every individual, and for good reason. The most used programming interface is the Application Programming Interface (API), a standard method of improving and integrating applications that enables data sharing through online services.

API services have changed the way the digital world works: APIs helped bring digital coin payments and wallets to e-commerce websites and social networks. APIs are the best way to do almost anything. There are two teams of APIs, the red team and the blue team, that are responsible for hardening security in the cybersecurity market.

Here are the best API services available in the cybersecurity market in 2020.

Google Safe Browsing API

Safe Browsing is Google's highly respected cybersecurity program, which helps protect users from accessing phishing domains, dangerous sites, and web pages infected with malware/viruses.

By using the Safe Browsing API, pages can be tested automatically against the Safe Browsing database, which allows detecting the type of threat affecting the web page. This feature is useful for detecting and warning users before they move to a dangerous website, which can prevent the sharing of infected links within their own company.

Features you get:

  • Proactive scanning and monitoring
  • The ability to check other sites' URLs in the Quttera database
  • Hosted and run in the cloud
  • Full in-depth scan results
  • REST API integration returning XML, JSON and YAML based responses
  • Runs multithreaded for faster scan speed
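As an added example of the "test pages against the database and warn the user" workflow (not code from the article or from Google), the Python below builds a request body in the shape of the Safe Browsing Lookup API v4 `threatMatches:find` call, parses the `matches` list the API returns, and turns it into an allow/block verdict a mail or chat gateway could act on before a user follows a link. The sample URLs and the sample response are constructed; the response reflects the documented response shape, not a real verdict, and `send_lookup` is the only part that touches the network, so it is not exercised here. The API key and client name are placeholders.

```python
import json
import urllib.request
from typing import Dict, List

# Endpoint and request shape of the Safe Browsing Lookup API (v4).
LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = [
    "MALWARE",
    "SOCIAL_ENGINEERING",
    "UNWANTED_SOFTWARE",
    "POTENTIALLY_HARMFUL_APPLICATION",
]


def build_lookup_request(urls: List[str], client_id: str = "example-link-checker",
                         client_version: str = "1.0") -> Dict:
    """Build the JSON body for POST {LOOKUP_ENDPOINT}?key=API_KEY."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def send_lookup(urls: List[str], api_key: str) -> str:
    """Submit the request and return the raw JSON response text (network call,
    API key is a placeholder supplied by the caller)."""
    body = json.dumps(build_lookup_request(urls)).encode("utf-8")
    req = urllib.request.Request(
        f"{LOOKUP_ENDPOINT}?key={api_key}", data=body,
        headers={"Content-Type": "application/json"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_lookup_response(response_json: str) -> Dict[str, List[str]]:
    """Map each flagged URL to the sorted list of threat types reported for it.
    An empty JSON object means none of the submitted URLs matched."""
    data = json.loads(response_json)
    verdicts: Dict[str, set] = {}
    for match in data.get("matches", []):
        url = match["threat"]["url"]
        verdicts.setdefault(url, set()).add(match["threatType"])
    return {url: sorted(types) for url, types in verdicts.items()}


def triage(urls: List[str], response_json: str) -> Dict[str, str]:
    """'block' for flagged URLs, 'allow' for the rest, keyed by the submitted URL."""
    flagged = parse_lookup_response(response_json)
    return {u: ("block" if u in flagged else "allow") for u in urls}


# Constructed sample: two links from an internal message and a response of the
# shape the Lookup API returns (made up for this example, not a real verdict).
SAMPLE_URLS = ["https://example.com/report.pdf", "http://malware.example.invalid/update.exe"]
SAMPLE_RESPONSE = json.dumps({
    "matches": [
        {"threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threatEntryType": "URL",
         "threat": {"url": "http://malware.example.invalid/update.exe"},
         "cacheDuration": "300s"},
        {"threatType": "UNWANTED_SOFTWARE", "platformType": "ANY_PLATFORM",
         "threatEntryType": "URL",
         "threat": {"url": "http://malware.example.invalid/update.exe"},
         "cacheDuration": "300s"},
    ]
})


if __name__ == "__main__":
    print(json.dumps(build_lookup_request(SAMPLE_URLS), indent=2))
    print(triage(SAMPLE_URLS, SAMPLE_RESPONSE))
```

The `cacheDuration` field in each match tells you how long the verdict may be reused without another lookup; a gateway that caches verdicts for that window avoids re-querying the same link every time it is forwarded.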

GreyNoise API

The mind behind GreyNoise, Andrew Morris, was interviewed a few days back to discuss the whole insight. Security researchers as well as private and public entities use GreyNoise to analyze security-related data from the internet. The system, developed by Andrew himself, has the capability to collect and analyze data from several scanners, including Shodan.io, by placing its own network sensors in several data centers around the world.

Cloudflare API

When we talk about Cloudflare, the company has done a tremendous job and influences the cybersecurity sector; a list of cybersecurity APIs would be incomplete without it. When you use Cloudflare in front of your server, it basically acts as a proxy-based service that allows you to improve your company's site performance and protect it from cyber attackers.

It provides security for domains, DNS and SSL encryption, VPN, and a successful anti-DDoS solution, concentrating on powerful high-end DNS and web application firewalls (WAF).

Features of Cloudflare APIs:

  • SSL management
  • Adjust the account security level
  • WAF rule configuration
  • Tweak anti-DDoS settings
  • DNS firewall management
  • Manage user accounts, roles, members, and subscribers
  • Set up custom filters

AlienVault API

This company is the most relied-on threat intelligence firm used by security researchers. Its API service provides direct access from their OTX to all critical threat intelligence. You can use all the features available in the online application.

The AlienVault OTX API is part of the AlienVault project and allows you to find threats in your environment, with threat indicators updated regularly.

Features of AlienVault APIs:

  • Over 19 million threat indicator entries
  • DirectConnect SDKs (Python, Java, Go)
  • Support for DirectConnect agents
  • Support for old-fashioned HTTP API requests, such as using curl
  • Thousands of live API usage examples

Nworm : New TrickBot malware updates
https://vednam.com/nworm-new-trickbot-malware-updates/
Tue, 02 Jun 2020 12:04:55 +0000

Cyber attackers using the TrickBot malware have updated it with a new propagation module named "Nworm". People in the cyber field know the TrickBot malware and are familiar with its impact. As sources say, this time it is a new propagation module.

After hearing about the new propagation module you might wonder what is new in it. This malware has the same functionality as general malware in that it steals sensitive information, provides backdoor access, and is later used by several cyber attacker groups to disseminate other malware.

TrickBot was first discovered in 2016 according to circulating news, but it may have appeared earlier without the security systems of the machines detecting it well. The program basically runs in the background and starts by accessing data and monitoring current activities.

[Image: Nworm : New TrickBot malware updates (Source: Gbhacker)]

Once this malware enters your machine, it gradually starts downloading various modules to perform different malicious tasks, first on the machine and then across the entire network.

How do TrickBot modules spread?

The TrickBot module is specially developed to steal sensitive data and then perform different malicious infections. It is totally different from other malware in how it spreads and in the activities it performs in the background, because it uses a different binary to perform each particular task.

The first thing TrickBot does is save a malicious Windows executable file on the hard drive, known as the "TrickBot Loader".

Let's take the example of Windows 7 and 10, because lots of users are familiar with them.

On Windows 7, users can see the artifacts associated with the modules saved on disk, but on Windows 10, the TrickBot modules can only be found in system memory.

You may have heard of some of the ransomware cases last year; as sources say, the TrickBot and ransomware operators have joined hands and work together to compromise the network so that the ransomware can complete its work.

The research also mentioned: "The artifacts which we discuss in the Windows 7 point are encrypted binaries, and later during the operation the encrypted TrickBot gets decrypted and operates wholly in memory as TrickBot."

Which modules does TrickBot use?

  • Tab module
  • Mworm module
  • Mshare module

The chart below shows how the SMB vulnerabilities in the domain controller are exploited; it shows the flow and spread of the TrickBot modules.

[Image: Nworm : New TrickBot malware updates (Source: Gbhacker)]

Finally, "mworm" is no longer used and everyone is using "nworm". The worm module activates the infection and spreads in the memory of the domain controller, which is more complex and remains undetectable because it executes in the background without any issue.

[Image: Nworm : New TrickBot malware updates (Source: Gbhacker)]

In 2020, TrickBot introduced the new "Nworm" propagation module and stopped using the "Mworm" module in the same environment.

A most important point about the new module: "Nworm" does not appear unless the TrickBot infection is in an AD environment with a DC, just like "Mworm".

If you have any suggestions, let me know in the comment box. Thank you!!

Middle East Government hits by Chapher APT with latest Cyber-Espionage Attack
https://vednam.com/middle-east-government-hits-by-chapher-apt-with-latest-cyber-espionage-attack/
Wed, 27 May 2020 09:05:02 +0000

Before you read the whole article, here is what you need to know:

What is Chafer APT?

A few days back, cyber experts found traces of new cybercrime campaigns by the group known as the Chafer advanced persistent threat (APT) group. This group has been active since 2014 and has carried out many Middle East cyber attacks. Its most recent record is from 2018, and the last, in 2019, targeted many Saudi and Kuwaiti organizations.

The Whole Uncovered Story of the Attack:

According to cyber experts, this group has been active since 2014, but recently it has targeted Middle East countries like Saudi Arabia and Kuwait. The last attacks, in 2018 and 2019, targeted several unnamed organizations based in Kuwait and Saudi Arabia. The campaigns used a bevy of custom-built tools as well as "living off the land" tactics.

"Living off the land" tools are features of the target environment that are abused by the cyber attacker to achieve persistence.

According to Bitdefender's analysis, "Researchers have found threats conducted by this actor in the Middle East region back in 2018." The campaigns relied on several tools, including "living off the land" tools, which makes attribution difficult, along with different hacking tools and a custom-built backdoor. The attackers' victims were in the air transport and government sectors in the Middle East; the whole account of the attack is based on proper analysis.

The researchers worked to find out how many companies were affected in each country. They also say the data is more than expected and more than what the analysis report shows.

[Image: Middle East Government hits by Chapher APT with latest Cyber-Espionage Attack (Source: Bitdefender)]

Let's look at the campaign strategies:

The particular way of working behind the cyberattacks against companies in Kuwait and Saudi Arabia follows the same track, as the researchers say. According to the source, the cyberattacks on the victims from Kuwait were more sophisticated, as the cybercriminals were able to move within the network. The researchers believe that the attackers infected the victims by sending documents with embedded shellcode, potentially sent via spear-phishing emails.

The attackers managed to create a user account on the victim's machine and performed several malicious actions inside the network using that account. This was unusual behavior for an account, and the researchers believe the attackers basically planned to make them believe the activity was legitimate; their plan was to engage the defenders at that point.

Once the attackers had access inside the company's servers, they installed a backdoor (imjpuexa.exe) that acted like a service on that machine but was basically a backdoor for the attacker. The attackers also carried out several activities like network scanning and credential gathering, which helped them move inside the network. The attackers used a tool named CrackMapExec.exe; this tool is multifunctional, performing network scanning, credential dumping, account discovery, and code injection.

They also used a custom tool like PLINK (known as wehsvc.exe). PLINK is a command-line connection tool mostly used for automated operations. This tool was modified to preserve its original functionality while adding some key features, such as the ability to uninstall any service and to run as a Windows service.

The researchers said that the attack on victims in Saudi Arabia was not as elaborate, because the attackers did not manage to exploit the victims or did not get information of interest.

According to the research team, "we believe initial compromise was achieved through social engineering and a RAT was loaded and executed twice in different name forms (Drivers.exe and driver_x64.exe)." The researchers said the user was tricked into running these applications.

[Image: Middle East Government hits by Chapher APT with latest Cyber-Espionage Attack (Source: Bitdefender)]

How is the RAT involved in the attacks?

The RAT program is written in Python and converted into a standalone executable. It is similar to other RAT tools that security researchers have documented previously, but this time it has been customized for the particular attack. It is not common for cyber attackers to create and modify a tool according to the victim's or user's needs; it requires a whole analysis of that particular victim. They may change the way the RAT communicates with the C2 server and add other features that were not necessary.

Different RAT components were used in different processes. The first component (snmp.exe) works as a backdoor, and the second (imjpuexa.exe) was seen in the targeted attacks in Kuwait.

As the source says the cyber attacker used “living off the land “ tools in both campaigns.

WolfRAT Malware affects Android Apps target Messenger Apps
https://vednam.com/wolfrat-malwae-affacts-android-apps-target-mesanger-apps/
Sun, 24 May 2020 12:05:00 +0000
Android users are a constant target for attackers. A new malware, WolfRAT, has surfaced online that targets the messenger apps on your Android phone, including Facebook, Messenger, and WhatsApp.

Android Messenger Apps are targeted by WolfRAT Malware

The Cisco Talos Intelligence team found this Android malware in the wild. It specifically targets messenger apps on Android phones. The most popular messaging apps in use today are Facebook, Messenger, WhatsApp, and Line.

According to the details the researchers shared on their blog, this malware is loosely based on the leaked DenDroid malware. From time to time the malware appears to have gone through improvement stages to better target users; the code has been improved repeatedly, but old code blocks and classes are still present inside the Android package.

How?

First, the malware targets messaging and chat apps on Android. Data is stolen by taking screenshots of the chats whenever those apps are open; like most new Android malware, it abuses the Android Accessibility suite to access the data. The screenshots are then uploaded to the malware's C2 server.

The malware reaches devices through fake, malicious updates pushed to the targeted devices, using tricks that mimic a Google service to get the malware installed on the victim's machine.

If that fails, what next?

The malware starts its main service if all requested permissions and device-admin privileges are granted. If not, it launches an ACTION_APPLICATION_SETTING intent as a plan B to obtain the permissions from the user.

Which country is affected right now?

According to the researchers and news reports, it is currently active in Thailand. The researchers believe WolfRAT is still active, although the organization had declared it inactive.

At present, the malware is actively targeting Android users in Thailand. The threat actors have released open-source platforms for their code and packages. After tracing the roots of this malware, we consider that it has large-scale data-stealing capabilities and will be a significant threat in the future.

ESET Website under DDoS attack by Malicious Android App
https://vednam.com/eset-website-under-ddos-attack-by-malicious-android-app/
Sun, 24 May 2020 04:57:54 +0000
For the last few months, the Android Play Store has been in the news because of various malicious apps. This time no user was harmed, but the website of the security firm ESET was the target of a DDoS attack.

DDoS attack on ESET

According to sources, ESET researcher Lukas revealed details about an Android app that was used to target the ESET website with DDoS attacks.

The app appeared as "Updates for Android", which looked like a new update. "The main thing is that it was linked with the website i-updater.com, which was really fascinating. It seems that it is not harmful and that may have caused thousands of downloads."

According to ESET's analysis, the malicious app has a built-in ability to load and execute malicious JavaScript on the target device. This behaviour may not yet have been present when the app appeared online in late 2019; hence it evaded the Google Play Store's security checks.

What it really did

As a result, it turned the devices of all its users into a "botnet". Interestingly, it displayed ads on the devices, which helped hide the app icon, and in the background the app started downloading malicious JavaScript from the attacker's server to run on users' devices.

However, the ability to execute JavaScript is what the attackers used to wage the DDoS attack.

"The DDoS attack starts with the compromised machines receiving a command to load the vulnerable script that specifies the targeted domain. When the script is loaded, the machine starts making requests to the targeted domain."

This went on until the requests reached the ESET website, at which point the ESET team detected the source behind the attack.

Taking Down the App

After finding the threat, the ESET team got in touch with Google, which eventually removed the app from the Play Store. The researchers also checked the website i-updater.com, which remained up because it was not malicious by itself. When the team checked the website, it appeared as a blank page. The site had been fully cleaned and no traces of the threat or malicious script were found.

The conclusion drawn afterwards is that the attacker may have gone underground to rebuild the site in a new form.
