What is HijackLoader?

According to the researchers’ report, the HijackLoader malware, or IDAT Loader, has recently included advanced evasion techniques. This malware has gained immense popularity as a loader with outstanding flexibility. The attackers frequently use this malware to introduce various payloads and tools. Its structure not only facilitates the seamless integration of new functionalities but also comprises a variety of dynamic anti-analysis methods.

First observed in July 2023, the malware employs some techniques to fly under the radar. Although HijackLoader is not a highly advanced malware, it has a modular architecture. This means it can use different modules for code injection and execution – a feature that most loaders do not have. The loader downloads an encrypted configuration block that varies from one sample to another, indicating that the threat actors can change or update it quickly. This adaptability makes it a difficult target, making the development of effective countermeasures challenging.

HijackLoader Enhanced Detection Evasion Techniques

The HijackLoader follows a complex infection chain, employing multi-stage behavior to obfuscate its activities. Initially, the malware utilizes WinHTTP APIs to check for an active internet connection before proceeding with its malicious operations. Upon successful connectivity, it downloads a second-stage configuration blob from a remote address, initiating decryption and decompression processes to retrieve essential payloads. The subsequent stages involve loading legitimate Windows DLLs specified in the configuration blob, followed by the execution of position-independent shellcode.

This shellcode orchestrates various evasion activities, including injecting subsequent payloads into child processes, such as cmd.exe and logagent.exe. HijackLoader uses advanced hook bypass methods, including Heaven’s Gate, to evade user mode hooks and security monitoring. It also uses process hollowing, injecting malicious shellcodes into legitimate processes to gain persistence. The malware employs interactive and transacted hollowing techniques to enhance stealthiness. These new defense evasion capabilities for HijackLoader may make it healthier and more complex to detect than traditional security solutions.

Safety Recommendations

To protect against HijackLoader and other malware, we recommend following several cybersecurity tips:

• Educate yourself. Stay informed about the latest malware threats. They constantly seek for new ways to trick users into revealing sensitive information or downloading malicious files. Educating users about these threats and the importance of avoiding opening suspicious attachments or clicking on dubious links is crucial in cybersecurity.
• Keep software updated. You should regularly update your operating system, applications, and software to ensure you have the latest versions. Malware often exploits known vulnerabilities that have been fixed in newer versions.
• Use anti-malware software. This is a complex measure to protect you against threats. Install a reputable anti-malware solution and keep it updated. These programs can detect and remove known malware strains, including variants of HijackLoader.

The post HijackLoader Malware Comes With New Evasion Methods appeared first on Gridinsoft Blog.

SugarGh0st Uses Spear Phishing to Attack Governments

Researchers have uncovered a new wave of cyber threats targeting government entities in Uzbekistan and South Korea in recent cybersecurity developments. Utilizing a customized variant of the infamous Gh0st RAT, dubbed SugarGh0st, the campaign displays a sophisticated and multi-stage infection chain.

Targets were focused on foreign ministry personnel based on lures about investment projects, account credentials, and internal memos. These topics were selected as likely to entice victims to enable the malware unknowingly while viewing what seemed like legitimate work documents. Overall, the pick of targets point at the relationship of SugarGh0st’s masters to Chinese government.

Multi-stage infection chain

Once delivered through emails, the malicious documents trigger a multi-stage process to install SugarGh0st on systems.It is performed using JavaScript and shortcut files execute commands to drop the RAT executable, decrypt it, and activate full functionality in the background. Techniques like LotL binaries, side-loading DLLs, and abusing legitimate Windows utilities help mask the deployment from defenses and user detection. Aimed at foreign ministry networks, the operational security exhibits an adversary carefully honing its tradecraft before targeting sensitive agencies.

Following the installation, SugarGh0st offers advanced monitoring, exfiltration, and manipulation capabilities. This surpasses typical malware in commodity cybercrime operations. Functions allow recording keystrokes, activating webcams, executing files, or killing processes – all directed dynamically by attacker commands. Such comprehensive access risks the integrity of infected government agencies through unconstrained internal spying.

Depending on operational security practices, lateral movement could also jeopardize more comprehensive departments and ministry networks. While assessing the total damage remains challenging, the implications are clearly severe. Moreover, this has allowed stolen secrets to impact international affairs or relations.

A Gh0st RAT Variant and Potential Chinese Connection

While the attribution remains speculative, artifacts in the decoy documents hint at a potential Chinese-speaking actor. Two files within the campaign contain Chinese characters in their “last modified by” names, suggesting a linguistic connection to China. As the name suggests, SugarGh0st represents an evolution of existing Chinese-linked Gh0st RAT variants in circulation for over 15 years. Developed by the Chinese group 红狼小组 (C.Rufus Security Team), Gh0st RAT has been active since 2008.

SugarGh0st retains the core functionalities of its predecessor but features customized reconnaissance capabilities and a modified communication protocol. The malware granted threat actors total remote control to pillage confidential data from infected networks. Enhancements include:

• expanded anti-detection tactics
• reconnaissance commands tailored to harvest documents and credentials
• new communications disguising C2 servers as Google Drive domains

Attacks on government entities, particularly embassies and ministries, is not a new phenomenon. Countries spied on each other all the time, and the tools were the only difference. While other countries do not expose their software, Asian government-sponsored hackers seem to not be ashamed of their software. And Chinese and North Korean hackers appear to be among the most public ones.

The post SugarGh0st RAT Targets Uzbekistan and South Korea appeared first on Gridinsoft Blog.

US DoD and Taiwan Companies Cyberattacks

First, let’s clear out the attacks upon quite famed organisations and companies. The long-going cyberattack upon Taiwanese companies and at least one government organisation was detected as early as in August 2023. Lumen researchers who studied the botnet established by the HiatusRAT in the past noticed a new flow of connections that comes from Taiwan IP address zones. Soon after, =cyberattacks on chemical production facilities, semiconductor manufacturers and one municipality were uncovered.

The story around the U.S. Department of Defence is a bit different. Same research group detected traffic coming to the IP addresses associated with the botnet not only from Taiwan but also from the US. Specifically, they discovered that crooks who stand behind the RAT used one of its Tier 2 servers to connect to the DoD server dedicated to work with defence contracts. Fortunately, no deep penetration happened here, and hackers were most probably performing reconnaissance before further actions.

HiatusRAT Analysis

First thing that comes into view when you check the Hiatus is its network architecture. Instead of infecting endpoints, it targets networking devices – at least it was doing so since its emergence in late 2021. Routers are gateways for humongous amounts of information – and having complete control over it may sometimes give you much more than hacking the computers in the network. Though, nothing stops Hiatus from delivering additional payloads to the target systems. Aside from sniffing, such a network of compromised routers can also serve as a network of proxy servers that conceal the real IP address from the target server.

To spread the payload, hackers seek business-grade network routers with vulnerable firmware installed. Firstlings of the botnet were amongst Draytek routers, specifically Vigor 2960 and 3900. Nowadays, malware has builds capable of infecting routers with chipsets based on Arm, i386, x86-64 and MIPS/MIPS64 architectures. This sets up quite a large number of devices, as network infrastructure firmware updates are implemented even more reluctantly than patches to regular software.

Execution flow

The attack chain that enables the RAT injection into the router is not clear even nowadays. Though it is clear that upon gaining initial access, attackers execute a batch script that downloads the payload and an auxiliary utility. The latter is a specific version of a tcpdump, a command-line tool that allows for packet analysis.

Upon execution, the first thing to do for HiatusRAT is kicking out other processes that may be listening to the same 8816 port. If there are any, malware jams one first and proceeds with normal launching. Then, a kind-of-classic step comes: malware gathers basic information about the device it has started on. Among such data is information about its MAC address, architecture, firmware and kernel versions. It also gets precise information about the file system and all files that can potentially be stored in the internal memory.

Once malware is done with these checks, it reads a tiny JSON that contains what appears to be malware config. There, malware retrieves a C2 servers address. Aside from the “main” server, there is one used to receive all the packages gathered with the modified tcpdump tool. The first request to the control server is a classic HTTP POST that contains several fields, with basic system info gathered the step before.

HiatusRAT Functionality

I’ve already mentioned the tcpdump-like tool that supplies a significant part of the RAT functionality. However, it does not stop at this point. Hiatus can receive different commands from the command server, which alter its functionality or even force the malware to melt down. Thing is, some of these functions were not used to the moment, despite being available since the first release of the malware back in 2021.

How to protect against network infrastructure attacks?

Well, Hiatus used to aim at routers with some specific architecture and series, but now it covers quite a bit of possible variants. The ways hackers use to deploy this malware are still unclear, so there are not many reactive measures to figure out. Instead, I have several proactive advice for you to stick to.

Use advanced network protection solutions. Well, antivirus programs are not greatly effective at preventing this RAT infection. Meanwhile, network protection solutions, especially ones that are designed to bear on heuristics, can effectively detect and dispatch the intruder just by its behaviour. Network Detection and Response systems, conjoined with SOAR and UBA solutions, can show excellent results at protecting the environment against tricky malware attacks.

Update (or upgrade) your networking devices regularly. Since the key point of the malware injection is vulnerable router firmware, it is essential to keep it updated. Keep an eye on malware attacks that were executed with or via vulnerabilities in networking devices. Usually, device manufacturers release updates in a matter of weeks. Though, there could be unfortunate cases when some really old devices reach end-of-life and are not supported in any form. In this case, you are out for device updating – this is the best and most definite way to get rid of the hazard.

Keep a well-done anti-malware software on hand. I’ve just said that anti-malware programs are not very effective in this case, and I say it is nice to have – so inconsistent of me, isn’t it? The answer is no, as anti-malware programs will serve as a preventive mechanism for malware that HiatusRAT can deliver through its functionality. Multi-layer security structures are always harder to penetrate, at least without triggering the alarm.

The post HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military appeared first on Gridinsoft Blog.

Who are Conti and FIN7?

First of all, let’s explain why the presence of actors from FIN7 and the ceased Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known under the names of Carbanak (after the backdoor they use), ITG14 and ALPHV/BlackCat. They are most notorious for collaborations with widely-known threat actors, like Ruyk and REvil ransomware, and the release of their own ransomware, called ALPHV. It is still running, and had a couple of noteworthy attacks the past year.

Conti is a similar and different story simultaneously. They have built their image around an eponymous ransomware sample. Same as FIN7, this group of cybercriminals consists of actors from ex-USSR countries. However, the start of the war in February 2022 led to a quarrel among the group’s top-management and further publication of its source code. That, eventually, led to the group’s dissolution. Previous to these events, Conti was a prolific ransomware gang with a major share on the market.

Their collaboration is an expected thing. Nature abhors a vacuum, so after the gang breakup its members promptly joined other groups, or started new ones. However, the collaboration with other gangs on the creation of brand-new malware is a pretty outstanding case. That may be a great start of a new character on the scene, a new threat actor, or just a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor that is capable of malware delivery. It is noticed for spreading a separate malware dropper, coined Domino Loader. The former provides only remote access to the targeted system, while the latter serves for malware deployment. This duo is spotted for being used in a pretty unique multi-step malware spreading campaign.

Dave Loader is a classic dropper malware example – the one which serves only to deliver other malware. Its presence in this scheme, however, gives an interesting clue about the possible relations between Domino and Conti ransomware gang. The infection proceeds with the delivery of Domino backdoor and, in a quick succession, its dropper module. Then, at the final stage, Domino drops a Project Nemesis stealer. The latter aims generally at credentials from social networks, VPN clients and cryptocurrency services.

Why, Exactly, a Collaboration?

The key things that point to the fact that Domino backdoor is a collaboration rather than a stand-alone development is the use of Dave Loader as a delivery way, and sharing certain code elements with FIN7’s brainchild Lizar Malware. Dave is an internal product of Conti gang, used exclusively in its cyberattacks. It never leaked, contrary to the Conti ransomware code, thus there’s no way that a third party uses it. Lizar Loader a.k.a Tirion/DiceLoader, on the other hand, is an auxiliary malware used by FIN7. Domino malware shares major parts of code with this loader, including bot ID generation and data package encryption mechanisms. Moreover, the IPs range where Domino’s command servers are hosted is pretty close to the one FIN7 uses for their C2s; both ranges belong to MivoCloud hosting.

Domino Backdoor & Loader Analysis

Analysts from IBM Security Intelligence already got their hands on Domino samples, both backdoor and dropper. First things first – so let’s start from a backdoor.

Domino Backdoor

It arrives to the infected system as a C++ 64-bit DLL file. The form of DLL file makes it easier for crooks to perform a stealth execution. Droppers Domino generally rely on running it using the shellcode embedded into the payload retrieved from the command server. Once executed, Domino starts hashing the system data in order to generate a bot ID value. Primarily, it looks for username and system name; additionally, malware takes its process ID and adds it to the hash. Its final form looks like a648628c13d928dc-3250.

Hashing proceeds with further decryption of the Domino’s code. It carries an XOR-encrypted code in a data section of its binary; the 16-bit decryption XOR key is placed right before this section. This part contains not only further execution instructions, but also C2 communication data.

C2 Communications

To secure the data transfer, it generates a 32-bit key and uses an embedded RSA public key to encrypt it. This, however, is used only for an initial connection. After that, malware continues with collecting information about the system. For further C2 connections, the malware uses the AES-256-CBC key, which also comes into the initial package. Same as in the first case, Domino generates a public key on the run and uses it to cipher the data package.

It is also interesting how Domino backdoor picks the C2 address it will use as primary. By design, there are only two C2 addresses in the malware configuration section. If the parent system for the malware belongs to a domain (i.e. LAN or WAN), it uses the second IP as a primary. When the computer is stand-alone, Domino chooses the first one.

To guide the malware, C2 sends it a set of commands and a payload. Same as data that goes from the client, they are encrypted. Commands instruct not only about the action, but also about the preferred way to run the payload. The set of commands is like the following:

Domino Loader

Domino Loader resembles the Domino Backdoor in many ways, so the naming convention there is quite obvious. This malware uses the same methods of C2 requests encryption. However, the amount of data gathered about the system is way less; its capabilities are concentrated around retrieving and running the payload’s DLL. It uses an infamous ReflectiveDLLInjection project – a concept of DLL injection technique. This, however, is not the only possible way of the Loader operations – it can change its behaviour depending on the command from the C2 that comes as a supplementary to a payload. It most definitely depends on the form the payload arrives in.

The commands convention is pretty much the same as in the Domino Backdoor. A single-byte blob that precedes the payload indicates what exactly the malware should do. Aside from that, the payload is succeeded with a value that notifies malware about the preferred method of loading. If the value is >0, malware allocates memory within the process it runs in, and runs the DLL payload at the offset that equals the value. That method, actually, requires the aforementioned ReflectiveDLLInjection technique.

Value 0 corresponds to running the payload as a .NET assembly. This supposes calling for VirtualAlloc for memory allocation, and a PAGE_EXECUTE_READWRITE for securing this area. Assembly.Load function finishes the job by making the payload run.

Once the value is -1, Domino Loader runs a PE loading procedure. First, it allocates memory in its current process – same as in the case of DLL loading. Then, however, it copies the headers and sections to the newly allocated memory area, loads the imports of the PE file, and finally runs it. In this case, malware applies the offsets present within the payload PE sections.

Protection against Domino Backdoor/Domino Loader

This malware is rare enough, so it is quite hard to judge on its counteraction ways. Nonetheless, they are definitely needed, as it promises to be pretty dangerous. First and foremost sources of such instructions – spreading ways – are unclear. It may possibly become more obvious in future when Domino will see more popularity. Thus now only common steps may have significant efficiency.

Use a security solution that features a zero-trust protection policy. Only having no trusted programs at all you can be sure that your security tool will not miss a new cunning malware that hides behind a benign program. Zero-trust has its downsides, but they’re much less critical than a paralysed workflow after a ransomware attack.

Improve your network security. This is Domino-specific advice, as this malware features a pretty limited list of only two C2 servers. It may be changed in future, but currently it is not a big deal to block them. This, however, will be much easier to accomplish by having a Network Detection and Response solution. It automatically weeds out potentially malicious requests, and also offers a lot of analytics information. Stopping malware from contacting the C2 makes it useless, as it cannot deliver payloads and do other unpleasant things.

The post Domino Backdoor is Lead by FIN7 and Conti Actors appeared first on Gridinsoft Blog.

The commercial element makes the danger more tangible and serious. Let us list and describe the nastiest and most dangerous malware attacks in all areas likely to cause trouble in 2022.

#1. Attacks by Nation-State Threat Actors

Nation-state threat actors are the most dangerous cyber criminals on the Web. There are several reasons for thinking so. Nation-state hackers are professionals. They possess the best available technology. They work together with the countries’ secret services and can afford long-term preparations. They are legal in their own countries, and finally, they stake on stealth, so it is hard to detect them.

For example, the malware used by nation-state hackers recently discovered Pipedream is not targeting private computers. The aim of such attacks is industrial objects and programmable logic controllers on plants, factories, gasworks, etc.

These actors can also target banks or state registries. However, the most shocking news was the warning by the US authorities about Pipedream-armed hackers being ready to strike the electricity and natural gas supply facilities with the possibility of damaging real industrial objects.

#2. Clop Ransomware Attacks

Like any other ransomware, Clop encodes the targeted data files, making them inaccessible. Then the user finds a ransom note wherein racketeers tell where to send money (in the form of cryptocurrency) to get a decryption key. Clop ransomware is extremely dangerous as it works on most versions of Windows, highly evasive regarding security programs.

Note: Clop ransomware (sometimes stylized as “Cl0p”) has been one of the most prolific ransomware families in the last three years.

After the malware infiltrates the system, it gets escalated privileges and gains permission to alter and overwrite system files. Clop creates an entry in the Windows registry that broadens its capabilities.

Afterward, it sends data about the system right to the crooks. Clop then begins to scan the computer looking for files to encode. The target is images, videos, text documents, mp3, and other data files. The malware settings may vary, though.

Since Clop ransomware aims mainly at corporations, the range of ways it infiltrates the victim’s devices can probably be narrowed to links and attachments in messages and emails pretending to be sent by recognizable companies. Theoretically, ransomware can penetrate the system in many ways, though.

#3. Agent Tesla Malware Attacks

Agent Tesla is a highly elusive multifunctional malware complex combining features of spyware and stealers. It is an example of a harmful program that can be ordered as a service. That means Agent Tesla is a highly targeted weapon.

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. On a special website that sells this malware, it is incorrectly positioned as legitimate software. Unpacking the final payload after the malware’s primary injection is a sophisticated process that involves steganography and unfolds in several stages. Such complexity allows Agent Tesla to avoid signature-based detection by security software.

The list of malicious functions of Agent Tesla is impressive: collecting and stealing device and system data, keylogging, screen capture, form-grabbing, stealing credentials, stealing browser data, etc.

#4. Ransomware-as-a-service (RaaS)

Ransomware-as-a-service (RaaS) is not anything that substantially differs from the usual ransomware. What makes the difference is what happens behind the scenes. RaaS is a business model wherein one side provides the software and the infrastructure for paying the ransom (bitcoin wallet and technical support for victims). In contrast, the other side deals with delivering ransomware and provides the prey likely to fall victim to ransomware.

AS A FACT: I want to remind you that the introduction of ransomware is one of the most dangerous forms of cyberattacks. These include: Conti ransomware, Matrix ransomware, Makop ransomware, STOP/Djvu ransomware, etc.

RaaS does not guarantee the campaign’s success as it works just as usual in a software-as-a-service scheme. However, such a commercial attack is more likely to succeed because it is less random. The one who orders a service has a better approach to the victim, unlike a ransomware author trying to perform an attack by guesswork.

#5. AlienBot Malware Attacks

AlienBot malware is a password stealer targeting Android devices. It is a part of a malware-as-a-service scheme. AlienBot compromises legitimate banking applications, and although its primary goal is to harvest logins, passwords, banking credentials, and other fillable forms data, AlienBot provides criminals with a much broader range of possible malfeasance.

If Alienbot infiltrates the system, it lets criminals download any applications, backup data, control the device via TeamViewer, etc. .

Alienbot inhabited nine applications that crooks distributed via Google Play. This vulnerability has been fixed, and such a flagrant campaign is impossible with this malware. Nevertheless, users are still endangered if they carelessly follow dubious links and download unchecked applications onto their Android devices.

#6. Cryptojacking Malware Attacks

Cryptojacking is a state-of-the-art and relatively light type of attack. The already mentioned coin miners are a type of cryptojacking. However, we are talking now about a different case – when victims receive no malicious code on their computers.

Cryptojackers perform their attacks by luring users to click on banners and links, leading them to the script-wired web pages. The security software will not allow malicious scripts to run if the victim uses an antivirus program. It will simply block the dangerous webpage from opening.

However, if the victim has no protection – the enslaved processor will keep working for the sake of criminals until the end of the session. The crooks count on the massive quantities of people who will click this dangerous link.

#7. Social Engineering Attacks

Social engineering is an indispensable tool in a wide range of frauds aimed at fishing critical data such as logins and passwords for social media accounts from the victims without even employing malware. These campaigns are called phishing, and they most often use deceptive emails that make people think they are dealing with an actual company. Frauds disguise themselves as social media platforms, delivery services, banks, money transfer services, etc.

Phishing attacks are often combined with spoofing – the visual design of emails and fake websites that aims at the same goal – to make a person believe that the site they are viewing is what it tells it is.

Then the victim does not fear inputting their credentials in the signup form or any other trap. The login and password, or it might be the banking data or credit card details, go right to the crooks.

#8. Gameover ZeuS Virus

Zeus Gameover is a botnet that steals banking information from browsers by keylogging and form-grabbing executed by a Trojan. The main danger of malware attacks is its antivirus-evasion method.

NOTE: Often, botnets will launch a spam campaign on someone’s social media page or do it under someone’s YouTube video.

Unlike its predecessor, ZeuS, Zeus Gameover connects to its command and control servers via an encrypted peer-to-peer communication system. That makes the Trojan much harder to detect.

As the connection is established, besides stealing their victims’ credentials, hackers can control the system of the infected device up to installing and removing programs. Another menace comes from an extra function of Zeus Gameover – distribution of the Cryptolocker ransomware.

#9. Browser Hijacking

Browser hijackers are not a new phenomenon, but they are still active and dangerous throughout the web. The main characteristic of this type of malware is that it modifies the settings of the infected PCs’ web browsers. Usually, the user notices that the browser homepage and default search engine are suddenly changed. Other effects may vary.

A browser hijacker is a vehicle for the malicious payload, most likely spyware, adware, or both. Spyware collects data from the user and sends it to the threat actors. The consequences range from the data sold to third parties to identity theft and tangible harm.

Adware is a different thing – it throws pop-up banners with advertising right over webpages, opens unwanted pop-ups, and adds hyperlinks on webpages where they have not existed initially. It might seem that adware is comparatively harmless, but it is not so since any ad banner rendered by adware is also a menace.

Avoiding Virs Malware Attacks: Choosing a Security Solution

Modern security software is a must-have for today’s Internet users. Despite not being a panacea, for the malware is constantly transforming and antiviruses have to catch up, a decent security program protects its user from most malware specimens. GridinSoft Anti-Malware is a technically masterful and economically beneficial solution. It is a versatile program that can serve as a primary antivirus or an auxiliary scanning utility alongside another security system.

GridinSoft Anti-Malware features on-run defense (background protection,) Internet protection (blocks dangerous and warns about suspicious webpages) and deep scanning. The program is regularly updated, especially paying attention to the latest ransomware.The World Wide Web is not a hostile realm by itself, but any Internet user should be aware of the dangers lurking on the Net. If earlier harmful software was just fun for the hackers or vandalism in the worst case, today, malware attacks are a viable business model.

The commercial element makes the danger more tangible and more serious. Let us list and describe the nastiest and most dangerous malware attacks in all areas likely to cause trouble in 2022.

#1. Attacks by Nation-State Threat Actors

Nation-state threat actors are the most dangerous cyber criminals on the Web. There are several reasons for thinking so. Nation-state hackers are professionals. They possess the best available technology. They work together with the countries’ secret services and can afford long-term preparations. They are legal in their own countries, and finally, they stake on stealth, so it is hard to detect them.

For example, the malware used by nation-state hackers recently discovered Pipedream is not targeting private computers. The aim of such attacks is industrial objects and programmable logic controllers on plants, factories, gasworks, etc.

These actors can also target banks or various state registries. However, the most shocking news was the warning by the US authorities about Pipedream-armed hackers being ready to strike the electricity and natural gas supply facilities with the possibility of damaging real industrial objects.

#2. Clop Ransomware Attacks

Like any other ransomware, Clop encodes the targeted data files, making them inaccessible. Then the user finds a ransom note wherein racketeers tell where to send money (in the form of cryptocurrency) to get a decryption key. Clop ransomware is extremely dangerous as it works on most versions of Windows, highly evasive regarding security programs.

Note: Clop ransomware (sometimes stylized as “Cl0p”) has been one of the most prolific ransomware families in the last three years.

After the malware infiltrates the system, it gets escalated privileges and gains permission to alter and overwrite system files. Clop creates an entry in the Windows registry that broadens its capabilities.

Afterward, it sends data about the system right to the crooks. Clop then begins to scan the computer looking for files to encode. The target is images, videos, text documents, mp3, and other data files. The malware settings may vary, though.

Since Clop ransomware aims mainly at corporations, the range of ways it infiltrates the victim’s devices can probably be narrowed to links and attachments in messages and emails pretending to be sent by recognizable companies. Theoretically, ransomware can penetrate the system in many ways, though.

#3. Agent Tesla Malware Analysis

Agent Tesla is a highly elusive multifunctional malware complex combining features of spyware and stealers. It is an example of a harmful program that can be ordered as a service. That means Agent Tesla is a highly targeted weapon.

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. On a special website that sells this malware, it is incorrectly positioned as legitimate software. Unpacking the final payload after the malware’s primary injection is a sophisticated process that involves steganography and unfolds in several stages. Such complexity allows Agent Tesla to avoid signature-based detection by security software.

The list of malicious functions of Agent Tesla is impressive: collecting and stealing device and system data, keylogging, screen capture, form-grabbing, stealing credentials, stealing browser data, etc.

#4. Ransomware-as-a-service (RaaS)

Ransomware-as-a-service (RaaS) is not anything that substantially differs from the usual ransomware. What makes the difference is what happens behind the scenes. RaaS is a business model wherein one side provides the software and the infrastructure for paying the ransom (bitcoin wallet and technical support for victims). In contrast, the other side deals with delivering ransomware and provides the prey likely to fall victim to ransomware.

AS A FACT: I want to remind you that the introduction of ransomware is one of the most dangerous forms of cyberattacks. These include:Conti ransomware, Matrix ransomware, Makop ransomware,STOP/Djvu ransomware, etc.

RaaS does not guarantee the campaign’s success as it works just as usual in a software-as-a-service scheme. However, such a commercial attack is more likely to succeed because it is less random. The one who orders a service has a better approach to the victim, unlike a ransomware author trying to perform an attack by guesswork.

#5. AlienBot Malware

AlienBot malware is a password stealer targeting Android devices. It is a part of a malware-as-a-service scheme. AlienBot compromises legitimate banking applications, and although its primary goal is to harvest logins, passwords, banking credentials, and other fillable forms data, AlienBot provides criminals with a much broader range of possible malfeasance.

If Alienbot infiltrates the system, it lets criminals download any applications, backup data, control the device via TeamViewer, etc. .

Alienbot inhabited nine applications that crooks distributed via Google Play. This vulnerability has been fixed, and such a flagrant campaign is impossible with this malware. Nevertheless, users are still endangered if they carelessly follow dubious links and download unchecked applications onto their Android devices.

#6. Cryptojacking Malware

Cryptojacking is a state-of-the-art and relatively light type of attack. The already mentioned coin miners are a type of cryptojacking. However, we are talking now about a different case – when victims receive no malicious code on their computers.

Cryptojackers perform their attacks by luring users to click on banners and links, leading them to the script-wired web pages. The security software will not allow malicious scripts to run if the victim uses an antivirus program. It will simply block the dangerous webpage from opening.

However, if the victim has no protection – the enslaved processor will keep working for the sake of criminals until the end of the session. The crooks count on the massive quantities of people who will click this dangerous link.

#7. Social Engineering Attacks

Social engineering is an indispensable tool in a wide range of frauds aimed at fishing critical data such as logins and passwords for social media accounts from the victims without even employing malware. These campaigns are called phishing, and they most often use deceptive emails that make people think they are dealing with an actual company. Frauds disguise themselves as social media platforms, delivery services, banks, money transfer services, etc.

Phishing attacks are often combined with spoofing – the visual design of emails and fake websites that aims at the same goal – to make a person believe that the site they are viewing is what it tells it is.

Then the victim does not fear inputting their credentials in the signup form or any other trap. The login and password, or it might be the banking data or credit card details, go right to the crooks.

#8. Gameover ZeuS Virus

Zeus Gameover is a botnet that steals banking information from browsers by keylogging and form-grabbing executed by a Trojan. The main danger of this malware attacks is its antivirus-evasion method.

NOTE: Often, botnets will launch a spam campaign on someone’s social media page or do it under someone’s YouTube video.

Unlike its predecessor, ZeuS, Zeus Gameover connects to its command and control servers via an encrypted peer-to-peer communication system. That makes the Trojan much harder to detect.

As the connection is established, besides stealing their victims’ credentials, hackers can control the system of the infected device up to installing and removing programs. Another menace comes from an extra function of Zeus Gameover – distribution of the Cryptolocker ransomware.

#9. Browser Hijacking

Browser hijacker is not a new phenomenon, but they are still active and dangerous throughout the web. The main characteristic of this type of malware is that it modifies the settings of the infected PCs’ web browsers. Usually, the user notices that the browser homepage and default search engine are suddenly changed. Other effects may vary.

A browser hijacker is a vehicle for the malicious payload, most likely spyware, adware, or both. Spyware collects data from the user and sends it to the threat actors. The consequences range from the data sold to third parties to identity theft and tangible harm.

Adware is a different thing – it throws pop-up banners with advertising right over webpages, opens unwanted pop-ups, and adds hyperlinks on webpages where they have not existed initially. It might seem that adware is comparatively harmless, but it is not so since any ad banner rendered by adware is also a menace.

Avoiding Malware: Choosing a Security Solution

Modern security software is a must-have for today’s Internet users. Despite not being a panacea, for malware attacks are constantly transforming and antiviruses have to catch up, a decent security program protects its user from most malware specimens. GridinSoft Anti-Malware is a technically masterful and economically beneficial solution. It is a versatile program that can serve as a primary antivirus or an auxiliary scanning utility alongside another security system.

GridinSoft Anti-Malware features on-run defense (background protection,) Internet protection (blocks dangerous and warns about suspicious webpages) and deep scanning. The program is regularly updated, especially paying attention to the latest ransomware.

The post TOP 9 Malware Attacks: Compilation 2022 appeared first on Gridinsoft Blog.