Threats Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed last updated Fri, 06 Sep 2024 17:14:57 +0000.

JsTimer Extension Virus – Easy Removal Instructions
https://gridinsoft.com/blogs/jstimer-extension-virus/
Published Fri, 06 Sep 2024 17:11:12 +0000

JsTimer is a malicious browser extension detected in various browsers, predominantly targeting users through dubious websites. This extension engages in peculiar behavior by blocking access to the Chrome Web Store, which, although seemingly trivial at first, raises significant concerns when paired with other similarly distributed extensions.

Malicious browser extensions are not a novel threat; however, the year 2024 marks a notable resurgence in their use as effective tools in cybercrime arsenals. JsTimer, like the Funny Tool Redirect extension, is notorious for redirecting users during web browsing sessions and potentially harvesting extensive personal information, thereby posing a severe threat to user privacy.

Exploring the JsTimer Extension Virus

JsTimer is designed for Chrome and Chromium-based browsers and is categorized as a harmful plugin. On the surface, its actions might appear benign as it merely redirects users to Google Search’s main page anytime they attempt to access the Chrome Web Store. The mechanism behind this is straightforward yet invasive: JsTimer monitors and intercepts attempts to navigate to chromewebstore.google.com. This behavior mirrors the functionalities of traditional browser hijackers, making it a subtle yet significant threat.

JsTimer Extension

Like many other malicious extensions, JsTimer exploits the “Managed by your organization” feature found in Chromium browsers. Typically, this setting is used by organizations to control browser setup and prevent users from modifying extensions and settings. However, in this scenario, cybercriminals manipulate this feature to thwart manual removal efforts by users.

Varied Effects of the JsTimer Malicious Plugin

The behavior of the JsTimer browser extension varies based on the IP address of the host computer. Under normal conditions, if the system’s IP address is from an area on the “operational” list, JsTimer engages in its primary malicious activities. Conversely, if the system is located in a “banned” region, the extension switches to a less aggressive mode.

JsTimer’s primary function is to redirect user searches from Google to alternative search engines. In its latest version, it redirects queries to findflarex.com, which then sends users on to boyu.com.tr. Findflarex.com acts as an intermediary that not only captures the initial search request but also injects additional search tokens. Boyu.com.tr, a pseudo-search engine, uses these tokens to display an overwhelming number of advertisements. This redirection and ad-loading process is integral to the monetization strategy behind the scheme.

Redirect route

Another facet of this scheme involves blocking access to the Chrome Web Store. Understandably, users frustrated by an extension that commandeers their search queries would naturally head to the Web Store to identify the offending extension, leave a critical review, and report the abuse. However, what this plugin cunningly does is redirect any attempts to visit chromewebstore.google.com back to the main Google search page. While this might seem minor initially, when combined with other malicious behaviors, it exacerbates the issues significantly.

If JsTimer detects that the system’s location is in what it deems the “wrong” region, it will restrict access to the Chrome Web Store. This tactic might go unnoticed by users who infrequently visit the store, yet it serves as a protective measure for the extension and any others that might be involved in the scheme.

Spreading Ways

Most of the time, junk extensions like JsTimer get into a browser through a fraudulent website that the user is redirected to. This often happens during interactions with questionable sites, typically ones with pirated content. On the page, the user sees an offer to install “the recommended extension” (the wording varies from case to case). The attackers count on people clicking through the pages in a rush to get to the desired content. And that is it: after a single session on such a website, a user may end up with a handful of malicious extensions.

Another common situation that leads to the “install the extension” page is active adware in the system. Aside from injecting ads into every page the user visits, it may also open additional tabs with more ads or other questionable content. And since malware actors often work with each other, it is no surprise to see adware opening a malicious extension installation page.

The entire spreading campaign of malicious extensions rests on two things: users’ haste and their lack of awareness of the potential pitfalls. Combined, these can bring in pretty much any malware, from spyware and backdoors to ransomware. Watch out and read cybersecurity news to stay aware of cybercriminals’ new tactics!

How to Remove JsTimer Extension?

It is possible to get rid of JsTimer both manually and automatically. I recommend sticking to the automated way for the reasons described above: the source malware, as well as any other junk that got into the system in the same way, will remain present even after you remove the extension. For this purpose, I recommend using GridinSoft Anti-Malware.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Manual removal method

To get rid of the JsTimer extension manually, you first need to get rid of the “Managed by your organization” lock. This trick stems from changes to the registry keys that hold the browser’s policy configuration, so removing that registry key does the job. Open Registry Editor by pressing Win+R and typing “regedit” into the window that appears. There, paste the registry address you see below:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Delete this registry key: right-click it and choose the corresponding option. From then on, nothing will block you from removing the extension through the Extensions tab. On its next start, Chrome will recreate the key, but without the malicious change.

Delete registry key

You can also find guides online that suggest changing Group Policies. I will not cover that here, as it is not possible for users of non-Pro Windows editions. That is just another reason why removal with anti-malware software is preferable.

Funny Tool Redirect Extension Virus – Easy Removal Instructions
https://gridinsoft.com/blogs/funny-tool-redirect-extension-removal/
Published Wed, 04 Sep 2024 11:59:53 +0000

Funny Tool Redirect is a malicious browser extension that you may find installed in your browser. It spreads through dodgy websites and does rather unusual mischief: blocking access to the Chrome Web Store. While not a big deal at first glance, its unwanted appearance, together with other extensions (like JsTimer) that spread the same way, makes the situation concerning.

Malicious browser extensions are far from a new type of threat. Nonetheless, 2024 seems to be the year of their comeback as a widespread and rather potent cybercrime tool. Besides the unwanted redirects they are mainly known for, such extensions may also collect a lot of user information. This makes the situation much more threatening for the user, primarily in terms of privacy.

What is a Funny Tool Redirect Extension Virus?

Funny Tool Redirect is a browser extension for Chrome and Chromium browsers that falls into the category of malicious plugins. Its visible behavior is not too threatening on the surface: all it does is redirect the user to the main page of Google Search whenever they try to open the Chrome Web Store. The way it works is simple: it tracks the URLs the browser tries to open and intercepts every single request to the chromewebstore.google.com website. This functionality is identical to what browser hijackers do.

Page of Funny Tool Redirect in the Chrome Web Store

Like all other extension viruses, Funny Tool abuses the “Managed by your organization” feature of Chromium browsers. As the name suggests, this mode normally means that a company has set the browser up and protects the extensions and other settings from user modification. In this case, however, the actors who designed the extension take advantage of the feature to prevent manual removal attempts.

Effects of a Malicious Plugin

The Funny Tool Redirect browser extension appears to behave differently depending on the IP address of the computer. It works in a simple manner: if the system is in a region from the “operational” list, it proceeds with its main behavior. However, should the extension detect an IP from any of the “banned” countries, it switches to a much less harmful mode.

The main activity of Funny Tool Redirect is redirecting the user from any Google search request to a different search engine. In its current iteration, it routes everything to findflarex.com, which in turn throws the user to boyu.com.tr. The former is an intermediary website that, aside from intercepting the original request, also injects additional search tokens. The latter is a wannabe search engine that uses those search tokens to display huge amounts of ads. All this forms the monetization model for the malicious scheme.

Redirect route

Another part of this scheme is blocking access to the Chrome Web Store. People get disgruntled with a thing that hijacks their search queries, and the obvious reaction is to find the offending extension in the Web Store, leave a bitter review, and report abuse to the administration. What the plugin does in this case is redirect any request to chromewebstore.google.com to the main Google page. This may not look like much at first glance, but in combination with the other malicious actions it creates a lot of problems.

When Funny Tool Redirect sees the “wrong” location of the system, it only blocks the user out of the Chrome Web Store. This tactic may go unnoticed if the user does not visit the store often, but it may still be useful for other malicious extensions.
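The redirect chain described in this section and in the JsTimer post above (a Google search sent to findflarex.com, then on to boyu.com.tr, plus the Chrome Web Store bounce back to the Google front page) leaves a recognizable trail in browser-history or proxy logs. The following Python script is an added example, not Gridinsoft’s code: it parses a constructed tab-separated navigation log (timestamp, source URL, destination URL) and flags the three indicators. The log format and the sample lines are assumptions; only the two domain names come from the posts.

```python
"""Flag the search-hijack / Web Store-bounce pattern in a navigation log.

Added example (not Gridinsoft's code). The log format is a constructed
tab-separated "timestamp<TAB>from-URL<TAB>to-URL" line per navigation; the
sample lines below are made up. The hosts findflarex.com and boyu.com.tr are
the ones named in the posts.
"""
from urllib.parse import urlparse

INTERMEDIARY_HOST = "findflarex.com"   # from the post: injects search tokens
AD_HOST = "boyu.com.tr"                # from the post: pseudo-search engine with ads
WEB_STORE_HOST = "chromewebstore.google.com"
GOOGLE_FRONT_HOST = "www.google.com"

# Constructed sample log: a hijacked search, the second hop, a blocked Web
# Store visit, and one benign search that must not be flagged.
SAMPLE_LOG = """\
2024-09-06T10:00:01Z\thttps://www.google.com/search?q=weather\thttps://findflarex.com/?q=weather&token=abc
2024-09-06T10:00:02Z\thttps://findflarex.com/?q=weather&token=abc\thttps://boyu.com.tr/?q=weather&t=abc
2024-09-06T10:05:10Z\thttps://www.google.com/\thttps://chromewebstore.google.com/
2024-09-06T10:05:11Z\thttps://chromewebstore.google.com/\thttps://www.google.com/
2024-09-06T10:09:00Z\thttps://www.google.com/search?q=news\thttps://news.example.org/
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def parse_log(text: str) -> list:
    """Turn the tab-separated log into a list of navigation events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split("\t")
        events.append({"ts": ts, "src": src, "dst": dst})
    return events


def find_indicators(events: list) -> list:
    """Return (timestamp, indicator, detail) triples for suspicious hops."""
    findings = []
    for ev in events:
        src_host, dst_host = host_of(ev["src"]), host_of(ev["dst"])
        src_path = urlparse(ev["src"]).path
        # 1. A Google search page that leaves Google for the intermediary host.
        if (src_host.endswith("google.com") and src_path.startswith("/search")
                and dst_host == INTERMEDIARY_HOST):
            findings.append((ev["ts"], "search-hijack", dst_host))
        # 2. The second hop of the chain: intermediary -> ad host.
        if src_host == INTERMEDIARY_HOST and dst_host == AD_HOST:
            findings.append((ev["ts"], "redirect-chain", f"{src_host} -> {dst_host}"))
        # 3. Web Store request bounced straight back to the Google front page.
        #    On its own this is a weak signal (a user can navigate that way too),
        #    so it is reported for correlation with the hijack indicators.
        if src_host == WEB_STORE_HOST and dst_host == GOOGLE_FRONT_HOST:
            findings.append((ev["ts"], "webstore-bounce", ev["dst"]))
    return findings


def full_chain_seen(findings: list) -> bool:
    """True when both hops of the search-hijack chain are present."""
    kinds = {f[1] for f in findings}
    return {"search-hijack", "redirect-chain"} <= kinds


def scan(text: str = SAMPLE_LOG):
    """Parse a log and return (findings, whether the full hijack chain was seen)."""
    findings = find_indicators(parse_log(text))
    return findings, full_chain_seen(findings)


if __name__ == "__main__":
    for ts, kind, detail in scan()[0]:
        print(ts, kind, detail)
```

The Web Store bounce is reported separately from the two search-hijack hops on purpose: by itself it can be an ordinary navigation, but together with a search-hijack hit on the same host it matches the behavior the post describes.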

Spreading Ways

Most of the time, junk extensions like Funny Tool Redirect get onto a user’s device through a fraudulent website that the user is redirected to. This often happens during interactions with questionable sites, typically ones with pirated content. On the page, the user sees an offer to install “the recommended extension” (the wording varies from case to case). The attackers count on people clicking through the pages in a rush to get to the desired content. And that is it: after a single session on such a website, a user may end up with a handful of malicious extensions.

Another common situation that leads to the “install the extension” page is active adware in the system. Aside from injecting ads into every page the user visits, it may also open additional tabs with more ads or other questionable content. And since malware actors often work with each other, it is no surprise to see adware opening a malicious extension installation page.

The entire spreading campaign of malicious extensions rests on two things: users’ haste and their lack of awareness of the potential pitfalls. Combined, these can bring in pretty much any malware, from spyware and backdoors to ransomware. Watch out and read cybersecurity news to stay aware of cybercriminals’ new tactics!

How to Remove Funny Tool Redirect Extension?

It is possible to get rid of Funny Tool Redirect both manually and automatically. I recommend sticking to the automated way for the reasons described above: the source malware, as well as any other junk that got into the system in the same way, will remain present even after you remove the extension. For this purpose, I recommend using GridinSoft Anti-Malware.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Manual removal method

To get rid of the Funny Tool Redirect extension manually, you first need to get rid of the “Managed by your organization” lock. This trick stems from changes to the registry keys that hold the browser’s policy configuration, so removing that registry key does the job. Open Registry Editor by pressing Win+R and typing “regedit” into the window that appears. There, paste the registry address you see below:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Delete this registry key: right-click it and choose the corresponding option. From then on, nothing will block you from removing the extension through the Extensions tab. On its next start, Chrome will recreate the key, but without the malicious change.

Delete registry key

You can also find guides online that suggest changing Group Policies. I will not cover that here, as it is not possible for users of non-Pro Windows editions. That is just another reason why removal with anti-malware software is preferable.

EDRKillShifter Malware: New EDR Killer Tool in Ransomware Actors’ Toolkit
https://gridinsoft.com/blogs/edrkillshifter-tool/
Published Thu, 15 Aug 2024 14:18:41 +0000

Recent research uncovers a new anti-EDR utility in the arsenal of malware actors, nicknamed EDRKillShifter. Its main known user at the moment is the RansomHub ransomware gang. However, other threat actors are likely to adopt this tool, as similar utilities are immensely popular among cybercriminals nowadays.

EDRKillShifter Used in Ransomware Attacks

The research team at Sophos did a tremendous job analyzing the new toolkit. As an element of targeted ransomware attacks, EDRKillShifter employs a lot of detection evasion techniques, since it is meant to be used among the first attack steps. It is also worth noting that the tool is written in Golang, which appears to be a new trend among malware creators. This also helps with detection evasion, thanks to the availability of obfuscation utilities for this particular language.

EDRKillShifter scheme

One of the notable users of this anti-EDR tool is the RansomHub ransomware gang. Having appeared in late February 2024, it quickly gained traction, attacking companies in Europe and the US. Today they are among the most active ransomware groups, claiming attacks on over 80 companies. Similar tools are also used by the LockBit ransomware group, namely the AuKill malware.

The execution of EDRKillShifter happens in three stages. The first one requires direct interaction from the adversaries: the operator has to type the correct password when running the malware from the command line. The further steps happen automatically: the malicious toolkit decrypts its resources and loads itself into system memory. After that, the main course of the attack kicks in.

The key trick this toolkit pulls is loading a vulnerable driver (the bring-your-own-vulnerable-driver technique, BYOVD), which does the main job of disabling EDRs. For this purpose, the cybercriminals opt for a legitimate driver that has a known vulnerability. Because that driver is validly signed and recognized as legitimate, the threat actors can do the trick under the nose of a still-working security solution. The driver lets EDRKillShifter methodically go through all the processes running in the environment, disabling the ones that match its hardcoded list.

How effective is EDRKillShifter?

Anti-EDR tools show rather high efficiency in cyberattacks, and their growing popularity among threat actors confirms this. Disabling the security tool effectively gives adversaries free rein for any further actions. EDRKillShifter itself is also rather hard to detect, due to the obfuscation and BYOVD tactics it uses. Researchers also note that the list of EDR solutions the toolkit may target is easy to expand. Since the list is hardcoded, the attackers simply add new entries or substitute older ones; it is as easy as it sounds.

Fair enough, it is not the final payload, but it is what makes the deployment of one possible. Security analysts agree that such attack vectors will expand in the future, with even more tricks and possibilities. Fortunately, BYOVD is not a new tactic, and security vendors already have ways to detect the abuse.

Darknet Infrastructure of EDR Killer Tools

One more noteworthy thing about EDRKillShifter is the infrastructure built around this and similar toolkits. Obfuscation services and loaders for malware payloads have always been a profitable Darknet business. This applies to this anti-EDR tool, too: the loader that executes the first attack stage appears to be made by a different threat actor. The obfuscation is likely done by a third-party actor as well.

From a certain point of view, this may look like an unnecessary complication and extra cost for the attack. On the other hand, having a whole set of elements made by different cybercriminals makes the attack harder to detect and trace. And that is worth much more than the fee the ransomware actors pay for all these services.

Fake Google Authenticator Abuses Google Ads, Spreads Malware
https://gridinsoft.com/blogs/fake-google-authenticator-google-ads/
Published Wed, 31 Jul 2024 19:57:57 +0000

Cybercriminals promote a fake Google Authenticator page through ads in Google Search. According to the report, they use a tricky scheme to hide the fraudulent domain and make the ad contain a genuine URL. The resulting page, which looks exactly like the original Google Authenticator one, downloads a malicious file.

Fake Google Authenticator Downloading Page Promoted on Google Ads

On July 30, 2024, analysts noticed an advertisement on Google Search that leads to a website mimicking the legitimate Google Authenticator download page. This is not the first abuse of the imperfect ad moderation in Google Ads, but this time the fraudsters dare to impersonate Google itself. The scam advertisement uses fancy tricks that make the link in the ad look genuine. Upon clicking it, however, a chain of redirects is triggered, throwing the victim onto the chromeweb-authenticators.com website.

Fake Google Authenticator download site

List of domains used in this scam

  • gg2024.info
  • gg2024.com
  • authenticcator-descktop.com
  • authentificatorgoogle.com
  • authentificator-gogle.com
  • athentificator-gogle.com
  • updater-pro.com
  • authentificatorgogle.com
  • authenticattor-googl.com
  • chromstore-authentificator.com
  • authentificcatorgoolgle.com
  • authenticator-google.com
  • authentificator-googl.com
  • authentficatorgoogle.com

The website itself tries to copy the style of the original Authenticator page. It even contains links to genuine blog posts. What is different, however, is the presence of two tempting buttons that say “Download”. The thing is, Google has never offered a desktop version of its MFA tool. And that is where the key part of the scheme happens.
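The domain list above shows how the scam relies on typosquatted and brand-stuffed names. The following Python checker is an added example, not Gridinsoft’s code: it flags a domain when its registrable label contains a close edit-distance match to the brand words “google”, “authenticator” or “chrome” while the domain is not under google.com itself. The brand words, the allowlist and the control names are assumptions; the scam domains are the ones listed in the post. Note that generic names from the list such as gg2024.info and updater-pro.com are not caught by this heuristic, so it is a triage aid to combine with other signals (ad click provenance, URL scanner verdicts), not a blocklist generator.

```python
"""Triage domain names for impersonation of Google Authenticator.

Added example (not Gridinsoft's code). The brand words, the allowlist of
genuine domains and the control names are assumptions; SCAM_DOMAINS is the
list from the post.
"""

BRANDS = ("google", "authenticator", "chrome")
GENUINE_DOMAINS = {"google.com"}  # the real owner and its subdomains are never flagged

# Domains named in the post.
SCAM_DOMAINS = [
    "gg2024.info", "gg2024.com", "authenticcator-descktop.com",
    "authentificatorgoogle.com", "authentificator-gogle.com",
    "athentificator-gogle.com", "updater-pro.com", "authentificatorgogle.com",
    "authenticattor-googl.com", "chromstore-authentificator.com",
    "authentificcatorgoolgle.com", "authenticator-google.com",
    "authentificator-googl.com", "authentficatorgoogle.com",
]
# Constructed control names that a checker must leave alone.
CONTROL_DOMAINS = ["google.com", "support.google.com", "example.com"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(label: str, brand: str, max_dist: int) -> bool:
    """True if some substring of label (about the brand's length) is within
    max_dist edits of brand. Windows from len-1 to len+2 cover both dropped
    and doubled letters ("gogle", "goolgle", "authentificator")."""
    n = len(brand)
    for width in range(n - 1, n + 3):
        for i in range(max(1, len(label) - width + 1)):
            if levenshtein(label[i:i + width], brand) <= max_dist:
                return True
    return False


def is_lookalike(domain: str) -> bool:
    """Flag a domain that is not the genuine owner but carries a near-brand token."""
    d = domain.lower().strip().rstrip(".")
    if d in GENUINE_DOMAINS or any(d.endswith("." + g) for g in GENUINE_DOMAINS):
        return False
    parts = d.split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]  # registrable label; crude for two-part public suffixes such as .com.tr
    # Tolerate roughly one edit per four brand characters (1 for google/chrome, 3 for authenticator).
    return any(fuzzy_contains(label, b, max(1, len(b) // 4)) for b in BRANDS)


def triage(domains):
    """Split a list into (flagged, not_flagged), keeping input order."""
    flagged = [d for d in domains if is_lookalike(d)]
    clean = [d for d in domains if d not in flagged]
    return flagged, clean


if __name__ == "__main__":
    flagged, clean = triage(SCAM_DOMAINS + CONTROL_DOMAINS)
    print("flagged:", flagged)
    print("not flagged (needs other signals):", clean)
```

Running it over the post’s list flags 11 of the 14 names; the three generic ones (gg2024.info, gg2024.com, updater-pro.com) pass, which is exactly why the post’s advice to check the final URL and use a URL scanner still applies.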

Google Authentication fake installer

Upon clicking either of the two “Download” buttons, the site pulls the Authenticator.exe file from a GitHub repository. This way, the hackers behind the scheme avoid early detection: GitHub is considered safe, despite having been used as malware storage in a number of attacks. An unaware victim will confirm the download and run the fake Authenticator, launching the payload.

DeerStealer Inside of a Fake Google Authenticator

The payload is a sample of a rather new stealer malware, dubbed DeerStealer. It is rumored to be a reworked variant of the XFiles infostealer, but that makes little to no difference for the user. Once Authenticator.exe is running, it launches the malicious payload via DLL hijacking. After that, DeerStealer runs entirely in system memory, leaving no traces on the disk.

%SAMPLEPATH%\5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737.exe

Next, the malware connects to one of several C2 addresses it keeps in memory and sends the collected information. Aside from the data typical for infostealers (passwords, tokens, crypto wallets, etc.), it also collects a rather extensive system fingerprint: GUID, language, network configuration and computer name.

How to protect against malware scams?

The best protection against malware is to mitigate the problem proactively, so you never get to the point where malware is somewhere in your system. This, however, may be problematic: as you can see from the text above, threat actors have a lot of tricks to mess with people. That is why your attention, along with proper security software, is key to avoiding malware infections.

Review the sites you get your software from. Even if an ad from Google says the site is legit, it may not be, as this case shows. Always check the final URL and, if you are not 100% sure, use trusted online URL scanner services. GridinSoft Online URL Scanner is a free service that provides such capabilities.

Use reliable anti-malware software with proactive protection and network security. To avoid falling for next-level scams that are indistinguishable from legitimate sites, get yourself protection that will detect such cases for you. GridinSoft Anti-Malware provides excellent protection against the most modern threats and will cover you even during casual browsing.

2024 Olympic Cyberattack Risks: What Should We Expect
https://gridinsoft.com/blogs/2024-olympic-cyberattack-risks/
Published Sat, 27 Jul 2024 08:51:29 +0000

The Olympic Games is a massive sporting event that attracts billions of people worldwide. But where there are thousands of people (fans and supporters), there are also cybercriminals. Such events have always caused a spike in the number of cyberattacks of all kinds. In this post, we will discuss exactly this: the risks of cyberattacks around the 2024 Olympics.

Cyber Threats Facing the 2024 Paris Olympics

On July 26, the Olympic Games kicked off in Paris. However, as historical data shows, this is a significant challenge not only for athletes but also for the organizers. Specifically, the cybersecurity department needs to be particularly vigilant: 450 million attempted cyberattacks happened during the previous Olympic Games in Tokyo. These days, with all the advancement in technology, experts expect even more of them.

In 2024, 4 billion cyberattacks are expected, which is nearly eight times more than in the previous year. As the CEO of ANSSI (the organization responsible for managing the cybersecurity strategy for the Olympic Games) said, “We can’t prevent all the attacks, there will not be Games without attacks but we have to limit their impacts on the Olympics”.

Photo from Olympic Games 2024

2024 Olympics Cyber Threats: Who and Why?

There are a few factors to address before turning to the actual threats: who may want to cause problems at a sporting event, and why. In these volatile times, many countries have tensions between them, and a few of them will certainly extend these disagreements to the Olympic Games.

One of the key countries interested in causing disruption and chaos during the Paris Olympics is Russia. This country, together with a handful of its tamed threat actors, has every reason to attempt to disrupt the Games. Sure enough, the reasons mostly revolve around politics: at the very least, grudges about participants supporting Ukraine in the war against Russia are enough. But rest assured, they have even more grievances to settle in such a sly way.

North Korea, a close ally of theirs, likely wants to take its bite, too. Its all-encompassing interest in gathering intelligence combines ideally with such a massive event. And since North Korean threat actors are often forced to fund themselves with foreign currency, it will be a great feast for money-related phishing attacks.

Another region, or rather a cluster of countries, whose threat actors may take a look is the Middle East. Although less numerous and more oriented towards regional conflicts and enemies, they would fancy having such a source of data.

A more politically agnostic threat comes from financially motivated actors. While this can overlap with the previous points, it is primarily unrelated to political or personal beliefs; it is just a business. Malicious actors will attempt to attack every link in the chain and every area that can potentially be monetized, which I will elaborate on further.

Who is at Risk?

In reality, cybercriminals have boundless opportunities and a vast, untapped field in this year’s Olympic Games. This year, 84 companies have become official Olympic partners. Additionally, there are those connected through third-party services, such as hotel suppliers or those offering travel and leisure services.

Besides organizations and individuals directly and indirectly related to the event, critical infrastructure and other entities are at risk. These include telecommunications, energy, healthcare, and logistics in Paris. Individuals and fans must be particularly vigilant, as there is a high risk of scams, such as ticket fraud or fraudulent voting, which we will discuss further.

Key Cybersecurity Risks for the Paris 2024 Olympics

First, let me clarify that the issues began a week before the event, due to the global outage caused by a faulty CrowdStrike update. Although not directly related to the event, this incident affected the preparations for the Games. But that is far from the last problem we will see during the event. With that said, let’s dive into the threats that we will most probably encounter in the next few weeks.

Phishing

Phishing is rightly one of the most widespread and dangerous cyber threats, and it becomes particularly effective during major events. Scammers may send messages posing as official communications, such as notifications or announcements related to the Olympics. These messages are most often sent via email but can sometimes be sent as SMS messages.

Typical example of a phishing email (fake notifications from CircleCI)

Typically, these emails and SMS messages appear to come from the International Olympic Committee (IOC) or a related government agency. Red flags include links (often shortened using URL shorteners) or attached files (documents, archives, etc.). Clicking on these links or opening these files can eventually lead to fraud, a malware attack and/or data theft. Nowadays, scammers might use various tricks, including sending messages purportedly from famous athletes or other officials. These messages might even request personal information, such as passwords or credit card details.
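The red flags listed above (a sender posing as the IOC, shortened links, document or archive attachments) can be turned into a mechanical triage check that a mail gateway or a help desk can run before anyone clicks. The following is an added example and not code from the original post; the shortener list, the table of legitimate IOC sending domains, the risky extension list and both sample messages are constructed assumptions for illustration.

```python
"""Red-flag triage for an "Olympics" email (added example, not Gridinsoft's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a short list of well-known URL shorteners; extend as needed.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Assumption: brand names a phisher might impersonate, mapped to the domains that
# organisation actually sends from. The entries here are illustrative only.
BRAND_DOMAINS = {
    "international olympic committee": {"olympics.com", "ioc.olympics.com"},
    "ioc": {"olympics.com"},
}

# Attachment types commonly used as malware carriers (macro documents, archives, scripts).
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".docm", ".xlsm", ".js", ".vbs", ".lnk"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def _domain(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage_email(raw: str) -> dict:
    """Return the red flags found in a raw RFC 822 message plus a simple count score."""
    msg = message_from_string(raw)
    flags = []

    # 1. Display name claims an organisation but the address is not one of its domains.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in legit:
            flags.append(f"display name claims '{display_name}' but sender domain is {sender_domain}")
            break

    # 2. Risky attachments and 3. shortened links in the text body.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                flags.append(f"risky attachment: {filename}")
            continue
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            for url in URL_RE.findall(body):
                if _domain(url) in SHORTENER_DOMAINS:
                    flags.append(f"shortened link: {url}")

    return {"flags": flags, "score": len(flags)}


# Constructed sample: an impersonation with a shortened link and a zip attachment.
SAMPLE_EMAIL = """\
From: "International Olympic Committee" <tickets@olympic-tickets-2024.example>
To: fan@example.net
Subject: Your Paris 2024 ticket allocation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your seats are confirmed. Download your e-ticket here: https://bit.ly/3xyzABC
--XYZ
Content-Type: application/zip
Content-Disposition: attachment; filename="ticket.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XYZ--
"""

# Constructed sample: a plain-text newsletter from the assumed legitimate domain.
CLEAN_EMAIL = """\
From: "International Olympic Committee" <news@olympics.com>
To: fan@example.net
Subject: Paris 2024 schedule update
Content-Type: text/plain; charset="utf-8"

The full schedule is at https://olympics.com/paris-2024/schedule
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage_email(raw))
```

The score is deliberately a plain count: each flag on its own is weak evidence (legitimate senders do use shorteners), but two or three together on a message that asks for action are a strong reason to verify through an official channel before clicking.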

Malware Attacks

Malware distribution is a companion risk to phishing attacks. Fraudsters use email, SMS and other communication channels for different purposes, but email attracts them the most. The reason is its flexibility: one day they spread phishing links, the next day, malware-laced files. A single hasty click may be all that separates you from having all of your online accounts compromised, your bank accounts drained, and your files encrypted.

Once again, the flexibility of email allows adversaries to exercise social engineering. Celebrity endorsements, whaling, even a friendly chat: all of these combine smoothly with malware delivery, making the attack tremendously effective.

Social Engineering

Amid the excitement surrounding the Olympic Games, scammers may try to manipulate people. For instance, con artists might pose as the IOC or a financial organization, asking people to support a particular athlete by sending a certain amount of money.

Of course, no sport is complete without betting. Scammers may impersonate betting companies, accepting bets on athletes at unbelievably good odds. Naturally, no one will win anything except the scammers.

Another common scam involves charity collections. Scammers pose as a charitable organization (or an event partner/sponsor) and ask people to contribute to a charitable cause. Considering how many wars and other disasters are happening in the world, it may be hard to distinguish the good from the bad.

As I have mentioned multiple times, the political situation in the world heavily influences events, and the previous Games in Tokyo are an example. In 2018, Russian hackers launched a computer worm called “Olympic Destroyer.” It was used in an attack on the opening ceremony of the Winter Games in Pyeongchang, disrupting WiFi at the stadium, RFID systems, and the broadcast of the opening ceremony. Although Moscow denies involvement, the US Department of Justice in 2020 charged six hackers from Russian intelligence.

Fortunately, this year’s ceremony went smoothly, but that doesn’t mean threat actors won’t try to sabotage the event. There is a high likelihood that, in an attempt to disrupt the event, malicious actors will send provocative SMS messages, such as notifications of a terrorist threat. Although not a profitable endeavor, it can cause panic and interfere with the Olympic Games. This can also dull people’s vigilance or make them distrust official messages.

How to Stay Safe

The first recommendation is to exercise extreme caution when receiving any messages, especially those related to the Olympic Games. Carefully verify the sources of information and do not open suspicious attachments or links, even if they seem convincing. If you come across a fundraiser or advertisement related to the Olympics, do your own research. Investigate it thoroughly before participating, entering your information, or sending money.

Don’t fall for fakes. Scammers may launch advertising campaigns, such as offering to download an app or follow a link to watch a live broadcast in high quality. These sites are often placeholders that request you to send an SMS to receive an up-to-date link or ask you to download an app. In any case, after sending the SMS/payment, you will not receive a link to the broadcast, and in the worst case, you will download malicious software.

Use anti-malware solutions. In the era of AI and deepfakes, it is becoming increasingly difficult to distinguish fake from real. Malicious actors can convincingly promote phishing links through ads or the aforementioned methods. Using an anti-malware solution, such as GridinSoft Anti-Malware, will prevent malware from downloading and deploying on your device. Moreover, an Internet Security module can block suspicious or dangerous sites before they attempt to download a malicious file.

What is Infostealer Malware? Top 5 Stealers in 2024 (https://gridinsoft.com/blogs/infostealer-malware-top/, published Wed, 19 Jun 2024 13:16:29 +0000)

The post What is Infostealer Malware? Top 5 Stealers in 2024 appeared first on Gridinsoft Blog.
The cybercrime world changes rapidly, expanding, collapsing, and evolving both extensively and intensively. One of the most widespread malware types in the modern threat landscape, infostealer malware, appears to be entering a new stage of development. Though its major names remain the same, some new malware families with promising features have appeared. Let’s have a peek at all of them and see what to expect.

Infostealer Malware Market in 2024

Infostealer malware has gained more and more popularity over the last decade. However, the biggest spike happened during the last few years. The first noticeable factor is the massive popularisation of cryptocurrencies. How is that related? Well, relatively large amounts of money have always attracted the attention of hackers. Carding and banking fraud, though, are now less effective, as banks implemented strict controls back in the early 2010s. Cryptocurrency wallets, on the other hand, have little to no such control, making them ideal targets for infostealers.

Infostealer Malware stats

Another reason that made spyware and infostealers so popular and widespread is their massive use in attacks on corporations. Even when hackers break into a network to encrypt the files and demand a ransom for their decryption, they also drop infostealer malware that will exfiltrate as much valuable information as possible. Afterwards, the hackers request an additional ransom to keep this data secret. Some attacks are based exclusively on stealers, and the results of their work are either sold on the Darknet or used for business email compromise (BEC) attacks. Additionally, some ransomware groups that aim at home users started adding spyware to their attack chain a while ago.

Infostealer Malware Market Leaders

As of May 2024, 3 major malware families dominate the market: RedLine, Raccoon, and Vidar. None of them is new at this point, with Vidar having been active the longest. Let’s have a closer look at them, starting with the youngest one.

RedLine Infostealer

RedLine infostealer appeared in 2020 and has seen wide use in different cyberattacks. Most of the time, however, it was aimed at individual users, as its functionality fits that purpose best. Key targets for RedLine are cryptocurrency wallet data, both from desktop versions and browser plugins. Still, it can gather other data, like FTP/VPN configurations and session tokens for apps like Discord or Steam. Having held a pretty large market share at the turn of 2024, it became much less active starting from March 2024. Yet the enormous number of new samples that have popped up recently may be a sign of another campaign in preparation. The RedLine developers find buyers for this malware through Telegram groups and Darknet forums.

Telegram group post that advertises RedLine malware

Raccoon Infostealer

Raccoon has key properties similar to those RedLine offers, but is capable of capturing a much wider selection of data. In its scope are browser autofill files, cookies, and online banking credentials, on top of the ability to pluck cryptocurrency wallets. Since its emergence in early 2019, Raccoon has held a dominant position on the market, and it keeps holding it even now. In the summer of 2022, its developers released a new version, promising faster and more reliable malware for a slightly higher price. Same as RedLine, Raccoon stealer is commonly spread through ads in Telegram channels and bots; Darknet platforms are less preferred, though they are used for public communication.

Admin panel of Raccoon stealer

Vidar Infostealer

Among the top 3 infostealer threats, Vidar is most definitely a dark horse. It is considered to be an offspring of Arkei stealer, malware that made quite a name for itself back in the early 2010s. After its launch in 2018, it never had a dominant share of the market, being at best #2. Nonetheless, its efficiency and unique design are hard to deny: Vidar offers a modular approach to data stealing and has an uncommon way of C2 communication. It also performs self-destruction after successful data exfiltration. Additionally, it is often spread in a bundle with other malware, such as STOP/Djvu ransomware. Its methods of selling to cybercriminals, however, are less unique: it uses Telegram channels dedicated to malware promotion.

Newbies

It would be quite reckless to dismiss the importance of new malware. For sure, not all of them will even make it to the 1-year milestone, but Raccoon and Vidar were once newbies as well, and you can see where they are now. Among the stealer families that appeared over the last year, there are a couple you should keep in mind.

Lumma

Also known as LummaC2, this infostealer appeared in December 2022. Even at first acquaintance with this malware, you can already see some fairly noteworthy details. In the “pricing plans” panel, the developers mention the ability to configure the payload in a specific manner and to add network sniffer functionality. The presence of these functions depends on the price of the chosen plan: $250, $500 or $1,000. Additionally, the operators offer access to the malware and panel source code, and the right to sell it, for $20,000. Other functions, however, are available regardless of the plan. Lumma can grab browser cookies, autofill forms, data from 2FA plugins/apps, and crypto wallet credentials, from both apps and browser plugins.

Pricing for different LummaC2 stealer plans, posted on a Darknet website

Stealc

Stealc is another youngster, first mentioned on January 9, 2023, on several Darknet forums. It appears to utilise the best practices of the most popular stealers, which already makes it pretty potent. Among its unusual practices are a free trial and weekly releases of new features. As for other functions, the malware has the classic set of a modern infostealer: it gathers data from web browsers (cookies, autofill forms, etc.), cryptocurrency wallet extensions, and even email clients and messengers. Such extended functionality, especially compared to other new malware examples, will definitely be appreciated by its customers.

How to Protect Against Infostealer Malware?

Protection against threats like infostealers is always a tough question to answer. The thing is, malware like this is forced to evolve constantly, finding new ways to be more efficient and stealthy. This makes any advice that reacts to specific malware features useless in the long term. However, there are still some things infostealer malware developers can’t (or don’t want to) change.

Beware of spear phishing. It may take different forms, from email messages sent from a compromised business email to posts on social media from the hijacked account of a legitimate company. But even with all this sophistication, hackers can never build a cover story that survives verification. Most commonly, they attract victims with urgent events or exclusive deals. A simple source check will reveal any possible scam: if the impersonated company has nothing to do with such claims, ignore the alarming message.

Avoid using pirated software. Despite losing a significant share to email spam, software cracks are still used for malware spreading. Torrent trackers and third-party websites are flooded with numerous offers of brand new software, and try to guess which one is infected. Using only licensed software will not only keep you on the right side of the law, but also eliminate any risk of malware injection this way. And, believe me, dealing with the consequences of malware activity will cost you way more than you can save on program licences.

Protect your system with proper anti-malware software. Yes, it is better to avoid muddy waters altogether, but having a security tool that will take care of problems will make your life much easier. Not just any utility will fit, though, as infostealer malware has some tricks to avoid basic anti-malware software. GridinSoft Anti-Malware gives them no chance, thanks to its three-component detection system and constant updates that keep its databases relevant.

Docker API Vulnerability Exploited in Cryptojacking Campaign (https://gridinsoft.com/blogs/docker-api-vulnerability-cryptojacking-campaign/, published Tue, 06 Feb 2024 14:09:32 +0000)

The post Docker API Vulnerability Exploited in Cryptojacking Campaign appeared first on Gridinsoft Blog.
A new campaign named “Commando Cat” abuses exposed Docker APIs. It uses Docker to gain initial access to a system and then deploys a series of malicious payloads, which leads to cryptocurrency mining on compromised hosts.

Docker API Vulnerability Exploited

Investigators have discovered a new malware campaign aimed at Docker API endpoints. The malware is called Commando Cat, and its purpose is to take advantage of misconfigured Docker APIs, allowing it to run harmful commands on the affected containers. According to a report, Commando Cat has nine distinct attack modules that can carry out several tasks. These include downloading and executing additional payloads, scanning for open ports and vulnerable services, stealing credentials and sensitive data, mining cryptocurrencies, launching distributed denial-of-service (DDoS) attacks, and spreading to other containers and hosts.

The malware campaign was first detected in January 2024. This marks the second Docker-related campaign identified in 2024, following the earlier discovery of malicious deployments of the 9hits traffic exchange application. Specialists then observed a spike in malicious activity from a single IP address in China. The researchers traced the source of the attack to a Docker container running on a cloud server infected by Commando Cat. The malware had accessed the Docker API through an exposed port and executed a series of commands to download and run its modules.

Commando Cat Attacks Docker

Commando Cat delivers its payloads to exposed Docker API instances via the Internet. The attacker instructs Docker to fetch a Docker image known as “cmd.cat” from the project “Commando”, which generates Docker images with the necessary commands for execution. This choice of image is likely an attempt to appear benign and avoid suspicion. After creating a container, the attacker uses the “chroot” command to escape from the container onto the host’s operating system. The initial command looks for services “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache,” which are all created by the attacker after the infection.

The command that checks whether these services are active on the system

Experts also believe the attacker avoids competing with another campaign by checking for the “sys-kernel-debugger” service. After these checks are passed, the attacker reruns the container with a different command, infecting it by copying specific binaries onto the host. This process involves renaming binaries to evade detection, a common tactic in cryptojacking campaigns. The attacker also deploys various payloads with parameters like “tshd,” “gsc,” and “aws.”

The final payload is delivered as a base64-encoded script. It deploys an XMRig crypto-miner and “secures” the Docker install on the infected host. Next, it removes all containers matching a special command, and then removes all containers whose command does not contain chroot. It kills other mining services before setting up its own miner. Further, the malware uses a systemd service to achieve persistence for the XMRig stager. It hides the docker-cache and docker-proxy services using the hid script. Finally, Commando Cat blackholes the Docker registry to eliminate the risk of competition.

Safety Tips

Protecting against a sophisticated threat like Commando Cat appears to be a challenging affair. Its advanced detection evasion methods make it hard for classic security solutions to detect. But there are still enough tricks to make this malware less of a threat.

  • Use a firewall. You can configure your firewall for strict packet filtering. Only allow necessary network connections and block all others. You can also limit outbound connections from containers to prevent unauthorized access.
  • Employ XDR. Extended Detection and Response systems can analyze network traffic and identify anomalies. Suspicious activity should trigger warnings or alerts about potential intrusions. You can also use network activity monitoring tools to detect unusual traffic related to the Docker API.
  • Training and awareness. Training users on secure Docker usage and basic cybersecurity practices is essential to prevent most problems. Educated users can help prevent social engineering and mishandling of data.
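The indicators described above (a Docker API reachable over the network, the attacker-created service names, and a container privileged enough for a chroot onto the host) can be checked on the host itself. The following is an added example and not code from the original post or from the researchers who analysed the campaign. It assumes the text formats of `ss -ltnp`, `systemctl list-units` and `docker inspect`; the port list and the privileged-plus-host-root-mount heuristic are this example's assumptions, and every sample input is constructed.

```python
"""Host-side audit for the Commando Cat indicators named in the post
(added example, not Gridinsoft's or the original researchers' code)."""
import json

# Service names the post says the malware creates (and checks for) after infection.
ATTACKER_SERVICES = {"sys-kernel-debugger", "gsc", "c3pool_miner", "dockercache"}

# Assumption: the Docker daemon's default TCP ports (2375 plain, 2376 TLS).
DOCKER_API_PORTS = {"2375", "2376"}
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def exposed_docker_listeners(ss_output: str) -> list:
    """Return local sockets on which dockerd listens on a non-loopback address.

    Expects the column layout of `ss -ltnp` (see the constructed sample below)."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or "dockerd" not in fields[-1]:
            continue
        host, _, port = fields[3].rpartition(":")
        if port in DOCKER_API_PORTS and host not in LOOPBACK:
            hits.append(fields[3])
    return hits


def attacker_units(systemctl_output: str) -> list:
    """Return systemd unit names that match one the post attributes to the attacker."""
    hits = []
    for line in systemctl_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(".service"):
            continue
        name = fields[0][: -len(".service")]
        if name in ATTACKER_SERVICES:
            hits.append(name)
    return sorted(hits)


def escape_capable_containers(inspect_json: str) -> list:
    """Return (name, image) of privileged containers that bind-mount the host root
    or share the host PID namespace. Assumption: this is the setup that lets the
    'chroot onto the host' step described in the post succeed."""
    hits = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        binds = hc.get("Binds") or []
        mounts_root = any(b.split(":")[0] == "/" for b in binds)
        if hc.get("Privileged") and (mounts_root or hc.get("PidMode") == "host"):
            hits.append((c.get("Name", "").lstrip("/"), c.get("Config", {}).get("Image", "")))
    return hits


def audit(ss_output: str, systemctl_output: str, inspect_json: str) -> dict:
    """Run all three checks; only non-empty findings are returned."""
    findings = {
        "exposed_api": exposed_docker_listeners(ss_output),
        "attacker_services": attacker_units(systemctl_output),
        "escape_capable": escape_capable_containers(inspect_json),
    }
    return {k: v for k, v in findings.items() if v}


# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=812,fd=9))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
"""

SAMPLE_SYSTEMCTL = """\
UNIT                 LOAD   ACTIVE SUB     DESCRIPTION
c3pool_miner.service loaded active running c3pool_miner
docker.service       loaded active running Docker Application Container Engine
gsc.service          loaded active running gsc
"""

SAMPLE_INSPECT = json.dumps([
    {"Name": "/zealous_cat", "Config": {"Image": "cmd.cat"},
     "HostConfig": {"Privileged": True, "Binds": ["/:/host"], "PidMode": "host"}},
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"], "PidMode": ""}},
])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SS, SAMPLE_SYSTEMCTL, SAMPLE_INSPECT), indent=2))
```

Run it periodically (or from a cron job feeding real `ss`, `systemctl` and `docker inspect $(docker ps -q)` output) and alert on any non-empty result; an empty dict means none of the three indicator classes was found.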

Mispadu Banking Trojan Exploits SmartScreen Flaw (https://gridinsoft.com/blogs/mispadu-banking-trojan-exploits-smartscreen-flaw/, published Mon, 05 Feb 2024 14:03:26 +0000)

The post Mispadu Banking Trojan Exploits SmartScreen Flaw appeared first on Gridinsoft Blog.
Recent research uncovers a new sample of Mispadu malware that uses a SmartScreen bypass flaw to integrate itself into the system. This banking trojan from 2019 uses the vulnerability discovered in late 2023 to target mainly LATAM users.

Mispadu Trojan Uses SmartScreen Bypass

The extensive research on Mispadu malware done by Unit 42 underscores, among other things, the use of a critical vulnerability in Windows to circumvent SmartScreen protection. The flaw, known as CVE-2023-36025, was detected and fixed by Microsoft back in November 2023. However, as of early February 2024, there are already several cases of malware exploiting that vulnerability, meaning that users are slow to install the patch. Earlier, we wrote about a Phemedrone Stealer spreading campaign that uses the same detection evasion approach.

Said flaw is rather easy to exploit, as all that is needed is just a specifically crafted URL file. As such files are considered trusted by Microsoft Defender, the system will not pop up a SmartScreen banner warning about running the potentially dangerous file. In the background, this URL file forces the connection to the command server and downloads the payload in the form of a binary file.

Contents of the URL file used to download the Mispadu banker

The cybercriminals behind Mispadu commonly use email spam to deliver these crafted URL files. However, other distribution methods may be even more successful, such as sharing the file via social media, as the Phemedrone operators do.
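Because the whole initial stage is a single Internet Shortcut (.url) file, a mail gateway or endpoint tool can parse that file and decide whether it is a plain web bookmark or something crafted. The following is an added example, not code from Unit 42 or Gridinsoft. The post only says the file is "specifically crafted"; the heuristics used here (a target that is not http/https, a target on a remote share, a target that names an executable file type, a remote IconFile) are this example's own assumptions about what separates a crafted shortcut from a bookmark, and both sample files are constructed.

```python
"""Triage of Internet Shortcut (.url) files (added example, not Unit 42's or Gridinsoft's code)."""
import configparser
from urllib.parse import urlparse

# Assumption: file types that should never be the target of a "web" shortcut.
EXECUTABLE_EXTS = (".exe", ".dll", ".cpl", ".scr", ".lnk", ".js", ".vbs", ".hta", ".msi", ".bat", ".cmd")


def parse_url_file(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section of a .url file.

    Returns the section's key/value pairs with key case preserved, or {} if the
    section is missing. Windows CRLF line endings are normalised first."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep "URL", "IconFile" as written instead of lower-casing
    cp.read_string(text.replace("\r\n", "\n"))
    if "InternetShortcut" not in cp:
        return {}
    return dict(cp["InternetShortcut"])


def url_file_findings(text: str) -> list:
    """Return the reasons a .url file looks crafted; an empty list means it looks like a bookmark."""
    fields = parse_url_file(text)
    if not fields:
        return ["no [InternetShortcut] section"]
    findings = []
    target = fields.get("URL", "")
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme: {scheme or '(none)'}")
    # A UNC path (\\host\share) or file://host/... makes Windows fetch the target over SMB/WebDAV.
    if target.startswith("\\\\") or (scheme == "file" and parsed.netloc):
        findings.append("target is a remote share (UNC or file://host)")
    if target.lower().rstrip("/").endswith(EXECUTABLE_EXTS):
        findings.append("target names an executable file type")
    icon = fields.get("IconFile", "")
    if icon.startswith("\\\\") or icon.lower().startswith(("http://", "https://")):
        findings.append("IconFile points to a remote resource")
    return findings


# Constructed sample: a shortcut whose target is an executable on a remote host
# (203.0.113.10 is a documentation address, not a real indicator).
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/Invoice.cpl\r\n"
    "IconIndex=1\r\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"
)

# Constructed sample: an ordinary bookmark.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://gridinsoft.com/blogs/\r\n"

if __name__ == "__main__":
    print("suspicious:", url_file_findings(SUSPICIOUS_URL_FILE))
    print("benign:", url_file_findings(BENIGN_URL_FILE))
```

A shortcut that fails any of these checks should be quarantined rather than opened; a legitimate bookmark never needs a remote share or an executable as its target. Real .url files may also be UTF-16 encoded, so decode before parsing.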

What is Mispadu Malware?

Mispadu itself is a rather unique example of a banking trojan that emerged back in 2019. It is distinctive for a peculiar region check method, persistent code encryption, and heavy obfuscation. For instance, to detect whether it runs in a prohibited region, it does not use a “traditional” IP address ban list. Instead, Mispadu checks the offset of the current system time from UTC; it ceases further execution should the value exceed the set limit.

Equation the malware evaluates to decide whether it may run in the current region

This financial infostealer targets a range of financial websites, searching for the matches in the browsing history. Once Mispadu finds one present in its target list, it searches for the password in the browser’s AutoFill file and sends it to the command server. As a result, hackers get the full set of credentials related to financial services.

Despite having a flexible solution for targeting different banking and crypto services in different countries, the stealer focuses mainly on those from both Americas and Western European countries. It is not clear whether this selection is related to the location of the malware operators or to other factors.

How to Protect Yourself?

Malware like Mispadu is severe, though it can rarely be called unavoidable. It exploits a well-known flaw that is fixed in the latest Windows updates. Hence, by simply updating the system you already eliminate the primary injection vector this malware employs.

Nonetheless, it is worth keeping in mind that the file itself makes its way to the target system within a spam email. The latter remains the main propagation method for malware, scams, and phishing attacks. Know how to distinguish a phishing email from a genuine one, and you will have far fewer chances of getting into trouble at all.

Use reliable anti-malware software as an additional protection layer. Everyone can make a mistake, and that’s completely normal: only those who do nothing never make one. To be covered in such cases, I’d recommend using GridinSoft Anti-Malware, a reliable, lightweight, and easy-to-use anti-malware tool. Its advanced detection mechanisms will be able to detect and stop such malware at its very beginning.

CrackedCantil Dropper Delivers Numerous Malware (https://gridinsoft.com/blogs/crackedcantil-dropper-malware/, published Fri, 02 Feb 2024 22:18:11 +0000)

The post CrackedCantil Dropper Delivers Numerous Malware appeared first on Gridinsoft Blog.
CrackedCantil is a unique dropper malware sample that operates with a wide variety of malware families. Infection with it may effectively mean up to five other malware types running in the system. Let’s break down what it is, how it spreads, and why it is so dangerous.

What is CrackedCantil?

CrackedCantil is a dropper malware discovered and described by the malware analyst LambdaMamba. The name of this malware has two parts: “Cracked” refers to software cracks, its primary spreading vector, and “Cantil” to the Cantil viper, a species of highly venomous viper, suggesting the malware’s harmful potential. By its nature, CrackedCantil is a loader/dropper malware that aims at delivering many different malware samples, including stealers, ransomware, spyware and backdoors.

The CrackedCantil process tree (source: ANY.RUN)

Overview of distribution ways

The main way such malware spreads is through cracked software. People looking for free versions of paid software often resort to downloading “cracked” versions. These are often legitimate programs modified to bypass licensing mechanisms. However, attackers use this demand for cracked software as a means to spread malware.

The process begins on questionable websites or forums. After the user downloads and runs what looks like an installer, malware is installed on the computer. It may be disguised as useful files or integrated into the installation executables. Once activated, the malware begins infecting the system, a process that may include several actions: it can install additional malware, steal data, encrypt files for ransom, and turn the infected device into part of a botnet.

CrackedCantil Delivers Droppers, Spyware and Ransomware

The tree of processes involved in the incident is quite complicated, and several infamous malware families were found to be involved. Let’s look at these families in the overall threat picture, focusing on the role of each in this symphony of cyberattacks.

PrivateLoader

PrivateLoader works as a polymorphic downloader that uses various obfuscation and packing techniques to evade detection by antivirus programs. It is written in C++ and is often distributed with cracked software. It is also capable of downloading and executing additional malicious modules from remote command-and-control servers. PrivateLoader also often includes checks of the execution environment to avoid running in virtual machines or analysis sandboxes, making it difficult for security researchers to investigate and analyze.

SmokeLoader

SmokeLoader, also known as Dofoil, is a “loader” type malware used to spread additional malware such as backdoors, keyloggers, and Trojans. It is also capable of stealing information. SmokeLoader can inject malicious code into system processes, thereby evading detection.

C2 panel of the SmokeLoader backdoor

Lumma

Lumma is an infostealer that received quite a bit of attention over the last few months. It can extract personal and financial data from a variety of sources on infected computers, including web browsers, email clients, and cryptocurrency wallet files. Most commonly, Lumma Stealer propagates through social engineering and phishing attacks. It can also evade antivirus detection and transmit collected data to a remote command and control (C&C) server.

RedLine

RedLine Stealer is a malicious program designed to steal various types of sensitive information from infected computers. It is capable of extracting browser credentials, credit card data, e-wallet passwords, and system information. Having appeared back in 2020, it quickly became one of the most popular stealers on the malware market.

Telegram bot that the malware developers use to promote RedLine

Socks5Systemz

Socks5Systemz is malware that infects devices through PrivateLoader and Amadey. Infected devices are turned into proxies that forward malicious traffic, and the malware locates its C2 server using a domain generation algorithm (DGA).

STOP/Djvu Ransomware

STOP ransomware is an encryptor characterized by adding unique extensions to encrypted files and creating ransom text files that contain instructions for the victim on how to make the payment and obtain the decryptor. The extensions it appends to the files it encrypts include .hhaz, .cdaz, .cdcc, and the like. Djvu is a variant of STOP ransomware that can include multiple levels of stealth, making it harder to analyze. STOP/Djvu encrypts files using AES-256 and Salsa20. It is known to collaborate with other malware, such as infostealers, to steal sensitive information before encryption.

The outcome of Djvu ransomware: encrypted files

How dangerous is CrackedCantil?

CrackedCantil is another player on the dropper malware market, but its unique ability to coordinate different types of malware sets it apart from the crowd. It makes a so-called “symphony of malware” where each element is carefully tuned for maximum impact. The growing popularity of CrackedCantil points to its effectiveness in both detection evasion and malware delivery. Its wide distribution relies on users’ desire to access paid software for free.

To avoid infection through cracked programs, the following precautions are recommended:

  • Always purchase software from official vendors or directly from the developers. This not only ensures the legitimacy of your software, but also ensures that you receive all necessary security updates.
  • Regularly update all installed programs and the operating system. This helps protect your system from vulnerabilities that can be exploited by malware.
  • Use a reliable antivirus solution and scan your system regularly. Modern antivirus programs frequently update their databases to recognize new threats.
  • Increase your and your employees’ knowledge of cyber threats and social engineering techniques. Knowing how threats spread can significantly reduce the risk of exposure.

What is a Bootkit? Explanation & Protection Guide (https://gridinsoft.com/blogs/what-is-bootkit/, published Fri, 26 Jan 2024 09:05:36 +0000)

The post What is a Bootkit? Explanation & Protection Guide appeared first on Gridinsoft Blog.
A bootkit is a rather unusual and rarely discussed, though widely used, kind of malware. These advanced malware types operate beneath the surface, embedding themselves in a computer’s boot sector, which allows them to activate before the operating system (OS) even starts. But why do they need such deep integration? And where are they used? Let’s find out.

What is a Bootkit?

A bootkit is a sophisticated type of malware that starts and operates even before the operating system starts – during the boot process. Unlike many other malware types that target software vulnerabilities or user actions, bootkits embed themselves in the system’s boot process, making them exceptionally challenging to detect and remove.

Type of Bootkit

One of the defining characteristics of a bootkit is its ability to load before the operating system (OS) itself. This gives the attacker a significant advantage, as they can intercept and manipulate the boot process, allowing them to gain control over the system even before the user logs in. Being integrated that close to the bare metal also opens the possibility of exploiting kernel-level vulnerabilities and hardware flaws.

Bootkit history

Bootkits vs. Rootkits

While often confused, bootkits and rootkits operate at different levels of a system. Rootkits infect the OS after it loads, granting the maximum privileges possible to their operator, whereas bootkits are embedded in the system bootloader or even the motherboard firmware. This ultimately changes both the capabilities and the purpose of the bootkit. What the two have in common is that both are advanced, high-severity threats.

Functionalities of Bootkits

Bootkits are versatile in their malicious functionalities. To understand and combat these malicious entities effectively, we must dissect the intricacies of their functionalities.

  • Persistence. One of the primary functionalities of bootkits is their persistence. They can implant themselves in the GUID Partition Table (GPT), the more modern partitioning scheme. This positioning allows bootkits to remain active and undetected through system reboots and even full operating system reinstalls, contributing to their prolonged presence and making removal from the infected system challenging.
  • Data Theft. Some bootkits are engineered to steal sensitive data from the compromised system. During the boot process, they may intercept and exfiltrate data such as login credentials, financial information, personal files, and any other valuable data they can access.
  • Backdoor Access. Bootkits can create backdoors within the system, which provide unauthorized remote access to the compromised computer. Adversaries will be able to execute commands, upload additional malware, or manipulate the system as they see fit. It essentially grants them a persistent presence on the compromised device.
  • Bypassing security measures. One of the key traits of bootkits is their ability to circumvent security measures. They load themselves into the system’s memory before any security software or antivirus programs have a chance to activate. As a result, they can operate undetected and unimpeded by security tools, allowing them to carry out their malicious activities without being stopped.

Can I detect and remove the bootkit?

Detecting a bootkit before it is injected into the firmware or the first partitions of the hard disk is the most effective way to prevent it from causing damage. However, detecting a bootkit infection is not an easy task, and even if it is detected, removing it can be even more challenging.

If the bootkit has been injected into the EFI partition, only a complete operating system reinstallation can remove the malicious bootkit code from the disk. However, this may not be enough if the malware managed to infect the firmware, which will result in a new system being compromised, too. In such cases, it is advisable to determine which bootkit has infected the system and use special LiveCD antivirus utilities to clean the system of any malicious code.

How to Prevent Bootkits

Preventing bootkit malware requires taking several measures to reduce the risk of infection. Here are some steps that can be taken:

  1. Secure Boot and UEFI
    Secure Boot is a feature available in UEFI-enabled computers. Its purpose is to ensure that only trusted software is loaded during the boot process. UEFI itself is a more secure and modern technology that allows firmer control over what runs at boot. This helps prevent bootkit malware from infecting the computer. Still, recent developments have shown that the BlackLotus UEFI bootkit can bypass Secure Boot.
  2. Update Your System
    Keeping your operating system and security software up-to-date can prevent bootkit malware from infecting your computer. Pay attention to firmware updates as well: although rare, UEFI/BIOS vulnerabilities exist, too, and may be exploited in different scenarios.
  3. Use antivirus software
    While antivirus software can’t detect all bootkit malware, it can prevent such an infection in its early stage. Advanced control systems may also be useful for detecting the threats that integrate on such a low level.
  4. Be cautious when downloading software
    It is crucial to download software from trusted sources only, especially when we talk about hardware control utilities and drivers. Those two integrate deep enough into the system to allow their exploitation for bootkit injection.
  5. Use a hardware-based solution
    Hardware-based solutions, such as a Trusted Platform Module (TPM), can help prevent bootkit malware by ensuring that only trusted software is loaded during the boot process.
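Two defender-side checks that follow from the detection and prevention sections above: decoding the UEFI SecureBoot variable as Linux exposes it through efivarfs, and baselining the SHA-256 hashes of the .efi binaries on the EFI System Partition so a modified or newly added bootloader is flagged. This is an added example, not code from the Gridinsoft post; the efivarfs and ESP mount paths are assumptions and the test data is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed paths: efivarfs at
# /sys/firmware/efi/efivars, ESP mounted at /boot/efi.
EFIVAR_DIR="${EFIVAR_DIR:-/sys/firmware/efi/efivars}"

# Decode a SecureBoot efivar file: 4-byte attribute header, then a 1-byte
# value (1 = enabled, 0 = disabled). Prints the state; returns 1 if unreadable.
secureboot_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 1; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Record the SHA-256 of every .efi/.EFI file under the ESP into a baseline file.
# Run this once on a system known to be clean.
esp_baseline() {
    esp="$1"; out="$2"
    ( cd "$esp" && find . -type f \( -name '*.efi' -o -name '*.EFI' \) | sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# Re-hash the ESP and diff against the baseline. Prints every changed, added
# or removed entry; returns 1 on any mismatch, 0 when the ESP is unchanged.
esp_check() {
    esp="$1"; baseline="$2"
    tmp=$(mktemp)
    esp_baseline "$esp" "$tmp"
    diff_out=$(diff "$baseline" "$tmp" | grep '^[<>]' || true)
    rm -f "$tmp"
    if [ -n "$diff_out" ]; then
        echo "ESP integrity mismatch:"
        echo "$diff_out"
        return 1
    fi
    echo "ESP matches baseline"
    return 0
}

# Usage on a live system (GUID is the standard EFI global variable GUID):
#   secureboot_state "$EFIVAR_DIR/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
#   esp_baseline /boot/efi /root/esp-baseline.sha256   # once, on a clean system
#   esp_check    /boot/efi /root/esp-baseline.sha256   # periodically, e.g. from cron
```

Because both checks run from inside the booted OS, a bootkit that already lives in the firmware can tamper with what they see; treat a mismatch as a strong signal and an unchanged baseline as necessary but not sufficient.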
