Tuesday, April 1, 2025
Follow us On Linkedin
Home Blog Page 3

Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware

By
Aman Mishra
-
Zoom Installer

Cybersecurity researchers have uncovered a sophisticated attack campaign where threat actors utilized a trojanized Zoom installer to infiltrate systems, gain remote desktop protocol (RDP) access, and ultimately deploy the BlackSuit ransomware.

The operation demonstrates a highly coordinated, multi-stage malware delivery chain designed to evade detection and maximize impact.

Multi-Stage Malware Deployment

The attack began with a fake Zoom installer hosted on a cloned website resembling the legitimate Zoom application page.

Weaponized Zoom Installer
Initial Malicious Zoom via zoommanager[.]com

Users downloading the installer unknowingly executed a malicious program embedded with the “d3f@ckloader” downloader.

This loader initiated a series of steps, including disabling security measures, connecting to command-and-control (C2) servers via Pastebin, and downloading additional payloads.

Among these was SectopRAT malware, which was injected into legitimate processes like MSBuild.exe to establish persistence and facilitate further stages of the attack.

After an eight-day dwell period, SectopRAT deployed Brute Ratel and Cobalt Strike payloads for reconnaissance and credential harvesting.

According to the DFIR Report, these tools enabled lateral movement across the network using PsExec and RDP connections tunneled through a proxy malware called QDoor.

QDoor allowed attackers to bypass network defenses by routing traffic through compromised systems.

Data Exfiltration and Ransomware Deployment

Once inside the network, the attackers used WinRAR to compress sensitive files and exfiltrated them to a cloud-based storage service named Bublup.

Following data exfiltration, they staged BlackSuit ransomware for deployment. Using batch scripts and PsExec, the ransomware was distributed across all Windows hosts in the environment.

It encrypted files, deleted shadow copies using vssadmin, and left ransom notes demanding payment.

The entire operation spanned nine days, with a Time-to-Ransomware (TTR) of approximately 194 hours.

The attackers leveraged advanced techniques such as DLL hijacking, credential dumping from LSASS memory, and API abuse for stealthy execution.

Weaponized Zoom Installer
Execution graph

This incident highlights the increasing sophistication of ransomware campaigns that combine social engineering (via fake installers) with advanced post-exploitation frameworks like Brute Ratel and Cobalt Strike.

Organizations are urged to enhance endpoint detection capabilities, monitor for unusual network traffic patterns, and educate users on identifying phishing attempts involving cloned websites.

By employing multiple malware strains and leveraging legitimate tools like RDP and WinRAR, the attackers were able to evade traditional defenses while achieving their objectives.

This case underscores the need for proactive threat hunting and robust incident response mechanisms to mitigate similar attacks in the future.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Konni RAT Exploit Windows Explorer Limitations To Launches a Multi-Stage Attack & Steal Data

By
Aman Mishra
-
Konni RAT

Konni RAT, a highly advanced Remote Access Trojan (RAT), has emerged as a significant cybersecurity threat, leveraging Windows Explorer limitations to execute multi-stage attacks.

This malware employs a combination of batch files, PowerShell scripts, and VBScript to infiltrate systems, exfiltrate sensitive data, and maintain persistence.

Its ability to evade detection through obfuscation and stealth makes it a potent tool for cyber-espionage.

Exploitation of Windows Explorer Vulnerabilities

Konni RAT exploits inherent features of the Windows operating system to conceal its malicious activities.

It takes advantage of Windows Explorer’s 260-character path limit in LNK files and the default behavior of hiding file extensions for known file types.

Konni RAT
LNK file’s properties

These tactics allow the malware to mask its payloads, appearing as harmless files such as .docx documents while executing malicious commands in the background.

The malware’s initial infection vector often involves phishing campaigns or backdoored software installers.

Once deployed, it uses obfuscated PowerShell commands to initiate subsequent stages of attack.

According to the Report, these include data exfiltration, payload execution, and registry modifications for persistence.

Multi-Stage Attack Strategy

Konni RAT operates in several stages:

  1. Initial Execution: The malware executes commands via cmd.exe, searching for PowerShell executables and launching obfuscated scripts.
  2. Payload Deployment: It creates temporary files, extracts additional payloads, and deletes traces of its activity. For instance, it uses batch scripts to manipulate file paths, encode URLs dynamically, and transmit sensitive data to remote servers.
  3. Data Exfiltration: System information and user files from directories like Downloads and Documents are collected and transmitted to command-and-control (C2) servers using encrypted communication channels.
  4. Persistence Mechanisms: Konni RAT modifies the Windows registry to ensure its scripts are executed upon system startup, maintaining long-term access to compromised systems.
Konni RAT
Extracted files

The malware employs several sophisticated methods to avoid detection:

  • Obfuscation: Variable names and script logic are deliberately complex, hindering static analysis.
  • Dynamic URL Generation: URLs for data exfiltration are dynamically generated using timestamps and encryption functions, making them difficult to detect or block.
  • Stealthy File Operations: Temporary files are created and deleted during execution to minimize forensic traces.

Konni RAT has been linked to North Korean threat actors such as APT37 and has targeted entities across East Asia, Europe, and the Middle East.

Its evolving tactics underscore the increasing sophistication of modern cyber threats.

Organizations must adopt proactive defense strategies, including behavior-based monitoring, endpoint security solutions, and user awareness training, to mitigate risks associated with such advanced malware.

By exploiting Windows Explorer limitations and employing multi-stage attack strategies, Konni RAT poses a severe threat to system security, emphasizing the need for continuous vigilance in the face of evolving cyber threats.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Hewlett Packard RCE Vulnerability Allows Attackers to Bypass Authentication and Execute Remote Commands

By
Divya
-
Hewlett Packard RCE Vulnerability Allows Attackers to Bypass Authentication and Execute Remote Commands

A critical unauthenticated remote code execution (RCE) vulnerability in HPE Insight Cluster Management Utility (CMU) v8.2 allows attackers to bypass authentication and execute commands as root on high-performance computing (HPC) clusters, researchers revealed today.

Tracked as CVE-2024-13804, the flaw exposes HPC environments to full cluster compromise through weaponized Java client applications.

Anonymous access to the application
Anonymous access to the application

Technical Breakdown

The vulnerability stems from insecure client-side authorization controls in CMU’s Java Web Start (JNLP) application.

Opening the jar with JD-GUI
Opening the jar with JD-GUI

While the GUI client initially restricts administrative functions like cluster provisioning, threat actors can:

1. Decompile Critical JAR Components

Attackers reverse-engineered the cmugui_standalone.jar file using tools like JD-GUI, exposing client-side admin checks in the AdminUserModel.java class.

2. Forge Administrative Privileges

By modifying the isAdmin validation to always return true (shown below), attackers unlock restricted functions:

// Original code

public boolean isUserAdmin() { return this.isAdmin; } 

// Weaponized version

public boolean isUserAdmin() { return true; } 

3. Exploit RMI for Root Commands

The modified client leverages CMU’s Java Remote Method Invocation (RMI) on port 1099 to call the ExecuteCmdLine method, executing OS commands via:

java -jar weaponized_cmugui.jar

PoC attacks have demonstrated ifconfig and whoami execution with root privileges on cluster management nodes.

Saving decompiled source code
Saving decompiled source code

Attack Impact

Successful exploitation enables:
🟥 Full cluster control via management node access
🟥 Lateral movement to integrated iLO interfaces
🟥 Data theft/destruction in HPC environments

“Client-side authorization checks are security theater without server validation,” warned the researcher who discovered the flaw. “This lets attackers hijack cluster operations as root.”

Mitigation Challenges

HPE confirmed CMU v8.2 reached end-of-life (EOL) in Q4 2024, with no planned patches. Organizations must:

  1. Network-isolate CMU servers behind firewalls
  2. Block inbound traffic to port 1099/TCP
  3. Monitor for suspicious RMI connections

This flaw continues a pattern of RMI-related vulnerabilities in Java-based management tools:

YearCVEImpact
2021CVE-2021-44228Log4Shell RCE
2023CVE-2023-34050VMware Aria RCE
2025CVE-2024-13804HPE CMU Takeover

HPC operators are urged to accelerate migration to supported cluster managers and audit legacy CMU deployments immediately.

As one enterprise CISO noted: “Critical infrastructure tools hitting EOL without upgrade paths create ticking time bombs.”

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Windows 11 Insider Released – Microsoft Removes BypassNRO.cmd Script to Enhance Security

By
Divya
-
Windows 11 Insider Released – Microsoft Removes BypassNRO.cmd Script to Enhance Security

Microsoft has launched Windows 11 Insider Preview Build 26200.5516 to the Dev Channel with exciting new updates, including innovative features and a key security enhancement.

Among the major changes is the removal of the widely known BypassNRO.cmd script, a move aimed at bolstering Windows 11’s overall security and ensuring a seamless user experience.

Prioritizing Security and Connectivity

In a significant security update, Microsoft has officially removed the BypassNRO.cmd script from its latest Insider builds.

This script, widely used to bypass network requirements and sign-in processes during Windows setup, will no longer be supported.

As a result, all users will need to complete setup with active internet connectivity and a Microsoft Account.

This change reflects Microsoft’s broader objective to streamline the Windows onboarding experience and enhance security.

Use your own words to search for documents and images in File Explorer
Use your own words to search for documents and images in File Explorer

By ensuring that all devices are connected to the internet during setup, Microsoft can better ensure updates, features, and fixes are available to users from the start.

Additionally, linking devices to a Microsoft Account creates a unified ecosystem, unlocking key features like OneDrive integration, Microsoft Store access, and cloud-powered capabilities like Copilot on Windows.

The removal highlights Microsoft’s focus on protecting its users while aligning with its policy of creating a cohesive Windows environment.

Use your own words to change settings on your Copilot+ PC in Settings
Use your own words to change settings on your Copilot+ PC in Settings

Although this decision may raise concerns for offline users, the stance reinforces Microsoft’s commitment to reducing exploits and improving the overall security posture of Windows 11.

New Features in Build 26200.5516

Microsoft continues to innovate with Windows 11, introducing several powerful features in its latest build, particularly tailored for Copilot+ PCs powered by AMD and Intel®. Key updates include:

1. Improved Windows Search with Local Semantic Indexing

Windows 11 now enhances search capabilities for documents, photos, and settings.

By leveraging semantic indexing along with traditional indexing, users can search for files using natural language descriptions like “bridge at sunset” or “Europe trip budget.”

This advanced local search functionality is seamlessly integrated into File Explorer, the taskbar search box, and the Settings app.

2. Cloud-Enabled Photo Search

Windows Search now incorporates cloud-based photo finding functionality. Users can describe images stored in OneDrive using descriptive terms like “summer picnics” or “European castles,” and the search results will display both local and cloud-hosted content.

While this feature is currently available for personal accounts, support for work or school accounts will soon expand, along with third-party cloud provider integration.

3. Speech Recap for Narrator

The new speech recap feature in Narrator empowers users by retaining the last 500 spoken strings, enabling quick reference and transcription.

Users can re-hear, copy speech, or view live transcriptions, making it an invaluable tool for assistive technology trainers, students, and professionals with accessibility needs.

The new speech recap window in Narrator
The new speech recap window in Narrator

4. Refined User Interfaces

Windows 11 now introduces a more streamlined design for unexpected restart notifications, aligning with its polished aesthetic.

Additionally, the Windows Share feature now includes in-line image editing tools, such as cropping, filters, and compression, enhancing the sharing experience for locally stored images.

5. Copilot Enhancements

Microsoft advances Copilot on Windows with improved voice interactions through the “Press to Talk” feature and expanded support for Click to Do actions now available in English, Spanish, and French.

These updates aim to expand productivity-enhancing tools, making voice and text actions integral to daily tasks.

As with past Insider updates, these features are rolling out gradually to ensure a smooth adoption process.

Users are encouraged to provide feedback through the Feedback Hub (Win + F), contributing to the continual improvement of Windows 11’s user experience.

The removal of the BypassNRO.cmd script marks another step in Microsoft’s shift toward a more tightly integrated Windows ecosystem.

While the transition may pose challenges for users accustomed to offline setups, it underscores Microsoft’s emphasis on security, connectivity, and cloud-first capabilities.

With features like semantic search, cloud-enabled photo retrieval, and assistive technology improvements, Windows 11 Insider Preview Build 26200.5516 promises to redefine how users interact with their devices.

By prioritizing innovation and security, Microsoft is paving the way for a smarter, safer, and more connected Windows experience.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

A New Microsoft Tool Automatically Detects, Diagnoses, and Resolves Boot Issues in Windows

By
Divya
-
A New Microsoft Tool Automatically Detects, Diagnoses, and Resolves Boot Issues in Windows

Microsoft has unveiled a transformational tool aimed at addressing one of the most frustrating challenges in modern computing: boot failures.

Aptly named “Quick Machine Recovery,” this new feature automatically detects, diagnoses, and resolves critical system issues that prevent Windows devices from starting properly.

Currently available in the Windows Insider Preview Beta Channel for Windows 11, version 24H2, the tool promises to revolutionize how IT administrators and users manage system recovery.

First announced at Microsoft Ignite 2024 by CEO Satya Nadella as part of the Windows Resiliency Initiative, Quick Machine Recovery is designed to mitigate downtime caused by system failures.

Devices encountering boot issues often require manual intervention from IT professionals—a time-intensive process that disrupts productivity.

This new feature streamlines recovery by leveraging the Windows Recovery Environment (Windows RE) to deliver automated fixes, enabling users to regain access to their devices.

Simplified Recovery for IT Administrators

Quick Machine Recovery drastically reduces the burden on IT teams by automating the diagnostic and remediation process.

When Windows 11 systems experience widespread outages, Microsoft can deploy targeted fixes directly to affected devices through Windows RE.

The feature eliminates the need for complex troubleshooting, sparing IT administrators the hassle of manually restoring devices and minimizing downtime for end-users.

Key capabilities of the tool include:

  • Automated Remediation: When critical failures occur, the system automatically diagnoses the issue using real-time crash data and applies targeted fixes.
  • Admin Customization: IT professionals can enable or disable the feature, preconfigure network credentials for seamless operation, and set scanning intervals and remediation timeouts.
  • Test Mode: Administrators can simulate recovery processes before deployment, ensuring readiness and reliability.

How It Works

The process begins when a device enters Windows RE due to a boot failure. Using an established network connection—via ethernet or WPA-secured Wi-Fi—Windows RE communicates with Microsoft’s recovery services.

Crash data is analyzed to identify patterns and root causes, enabling Microsoft’s internal response team to develop tailored remediation packages.

These fixes are securely rolled out via Windows Update, adhering to device-specific update policies.

By automating incident analysis and remediation, Quick Machine Recovery strengthens system resilience while reducing downtime.

Future updates will expand support for additional networking configurations, enhancing the feature’s functionality.

Currently, Quick Machine Recovery is available to Windows Insiders testing Windows 11, version 24H2, in the Beta Channel.

While it is enabled by default for Windows 11 Home users, IT administrators managing Pro and Enterprise devices have full control over feature deployment and customization.

Microsoft encourages testers to provide feedback through the Feedback Hub to refine the feature before its broader release. Detailed instructions and insights can be found on the Windows Insider Blog.

With Quick Machine Recovery, Microsoft sets a bold precedent for automated system recovery, empowering users and IT professionals alike to overcome boot issues with unprecedented efficiency.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems

By
Divya
-
Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems

Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems.

The attack, documented by DFIR experts, highlights how threat actors are leveraging popular software to deceive unsuspecting victims into installing malware capable of crippling entire networks.

The Fake Zoom Installer

The malicious activity began with a website mimicking Zoom’s legitimate domain, enticing users to download a file named “Zoom_v_2.00.4.exe.”

Initial Malicious Zoom via zoommanager[.]com
Initial Malicious Zoom via zoommanager[.]com

This website, cleverly crafted to resemble the legitimate Zoom interface, fooled users into believing they were downloading the popular teleconferencing software.

Behind the scenes, however, the installer functioned as a delivery mechanism for a multi-stage malware attack chain.

The fake installer was built using Inno Setup—a legitimate installer creation tool. Its payload included “d3f@ckloader,” a sophisticated downloader designed in Pascal scripting language.

Upon execution, the malicious code leveraged multiple stages to bypass security, install additional payloads, and execute nefarious activities.

The Multi-Stage Attack Chain

Stage 1: Initial Access and Defense Evasion

After downloading the fake installer, victims unknowingly executed a series of batch scripts that:

  1. Disabled Windows Defender by adding malicious directories to exclusion lists.
  2. Downloaded additional payloads from remote sources, including Steam Community pages and Pastebin, to initiate the malware chain.
Obtain the IP address hosting the second-stage malware.
Obtain the IP address hosting the second-stage malware.

Stage 2: Malware Deployment

The fake installer simultaneously deployed two executables:

  • A legitimate Zoom installer to reduce suspicion.
  • IDAT loader that eventually injected SectopRAT, a malicious remote access trojan (RAT), into the “MSBuild.exe” process.

For nine days, the SectopRAT trojan remained dormant, enabling the threat actor to avoid detection while gathering intelligence.

Execution graph
Execution graph

On the ninth day, it activated additional payloads, including Brute Ratel, and later deployed the widely recognized Cobalt Strike post-exploitation toolkit.

Lateral Movement and Data Theft

Using tools like QDoor malware and RDP (Remote Desktop Protocol), the attacker achieved lateral movement across the compromised environment.

Sophisticated proxies enabled secure tunneling of commands and data between infected systems, ensuring continued control over the network.

Once access to sensitive file servers and domain controllers was achieved, the attacker used WinRAR to compress files and exfiltrated them to a SaaS application called Bublup.

Deployment of BlackSuit Ransomware

In the final stage, the attacker executed BlackSuit ransomware—an advanced strain capable of encrypting files and rendering systems inoperable.

Credential Access
Credential Access

Using the PsExec utility, the ransomware was deployed across multiple remote systems. Once executed, BlackSuit:

  1. Deleted shadow copies to prevent recovery.
  2. Encrypted all files, locking users out of their data.
  3. Dropped ransom notes, demanding payment in exchange for decryption.

The entire operation, from initial access to ransomware deployment, took approximately nine days.

Fake Zoom End call
Fake Zoom End call

How to Protect Yourself

This campaign underscores the critical importance of vigilance when downloading software, especially from unofficial sources. Here are actionable steps for defense:

  1. Download software only from verified sources—always double-check website URLs to ensure legitimacy.
  2. Enable advanced malware detection tools that can identify multi-stage attacks like BlackSuit ransomware.
  3. Regularly update your security protocols and train employees to recognize phishing attempts and suspicious downloads.
  4. Maintain backups of sensitive data and implement offline storage solutions to safeguard against ransomware.
  5. Monitor network traffic for unusual communication patterns (e.g., connections to external IPs or platforms like Telegram and Steam).

The discovery of this campaign serves as a sobering reminder that threat actors are becoming increasingly innovative in their attack strategies.

By exploiting the global popularity of software like Zoom, they have created a trap capable of paralyzing organizations and extorting significant financial gains.

Security teams must be proactive and responsive to protect systems against such evolving threats. Awareness, vigilance, and robust cybersecurity measures remain the best defense against becoming the next victim of ransomware attacks like BlackSuit.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Linux Distribution Nitrux3.9.1  Releaed – What’s New

By
Divya
-
Linux Distribution Nitrux3.9.1  Releaed – What’s New

Nitrux Linux, renowned for its innovative approach to desktop computing, has unveiled its latest release, Nitrux 3.9.1, codenamed “mk.”

This distribution, rooted in Ubuntu and utilizing Nomad as its desktop environment, brings substantial updates to its framework, apps, and system.

Designed with an eye toward performance improvements, bug fixes, and new features, the release caters to both seasoned Linux users and newcomers.

Nitrux 3.9.1 build.310325.mk uses Linux 6.13.8-4 (Liquorix)
Nitrux 3.9.1 build.310325.mk uses Linux 6.13.8-4 (Liquorix)

Key Highlights of Nitrux 3.9.1

1. Updated Core Technology
Nitrux 3.9.1 ships with Linux Kernel 6.13.8-4 (Liquorix), ensuring enhanced performance and stability. Several frameworks have been upgraded:

  • Qt 6 libraries (version 6.7.2) and KDE Frameworks 6 libraries (version 6.8.0) ensure compatibility and advanced features.
  • Updates to MESA, PipeWire, and GRUB, among others, enhance system functionality for developers and gamers alike.

2. MauiKit and Maui Apps: Foundation Updates
The MauiKit framework and related Maui Apps have been bumped to version 4.0.1, introducing a slew of fixes and new features:

  • Toast notifications now support contextual actions.
  • New controls such as TextField, Popup, and DropDownIndicator simplify user interface creation.
  • Apps receive updates for better functionality, including fixes in Station, Index, Vvave, and more.

3. Redesigned Desktop Experience

The desktop settings have been updated to include automatic power profile adjustments for laptops.

Refresh rates dynamically adjust depending on power sources, improving battery life and responsiveness. Additionally, new configurations for NVIDIA and AMD GPUs improve performance in demanding applications.

4. Hardware Support

The release brings updated firmware for a wide array of devices, including AMD GPUs, Intel Bluetooth adapters, Qualcomm Wi-Fi chips, and Realtek wireless devices.

These enhancements ensure optimal performance across more hardware.

5. Fiery Browser: A New Addition

Nitrux introduces Fiery, a new web browser built using MauiKit. While still in its early stages, Fiery offers features such as split-view mode but lacks functionality like incognito tabs, plugin support, and bookmark imports—a promising addition, albeit with notable limitations.

Fiery, our web browser built using Mauikit in split view mode
Fiery, our web browser built using Mauikit in split view mode

Enhancements and Fixes

Nitrux 3.9.1 incorporates numerous fixes:

  • Improved AppArmor profile for Samba.
  • Enhanced wireless connection behavior post-sleep mode.
  • Bug fixes in MauiKit apps for smoother operation across platforms.

Additionally, deprecated components such as the NX Software Center and zap CLI have been removed due to maintenance issues.

Firefox has also been replaced as the default browser in favor of Fiery, reflecting Nitrux’s shift toward its own ecosystem.

Known Issues

While the update is robust, a few quirks persist:

  • Fiery’s browser tabs require workarounds for closing.
  • History and certain UI functionalities remain underdeveloped.

How to Download

Nitrux 3.9.1 is available via direct HTTP download, torrent, and ISO verification tools. Users are encouraged to perform fresh installations for optimal results.

The Nitrux development team welcomes contributions through GitHub, offering opportunities for users to assist in bug tracking, feature requests, and community support.

Nitrux 3.9.1 solidifies its position as a forward-thinking Linux distribution, blending modern tools with creative frameworks. While some features are still evolving, this release signals exciting progress for the Nitrux ecosystem and its commitment to empowering open-source innovation.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Hackers Distributing Phishing Malware Via SVG Format To Bypass File Detection

By
Divya
-
Hackers Distributing Phishing Malware Via SVG Format To Bypass File Detection

Cybersecurity experts at the AhnLab Security Intelligence Center (ASEC) have uncovered a novel phishing malware distribution method leveraging the Scalable Vector Graphics (SVG) file format to bypass detection mechanisms.

SVG, an XML-based vector image format widely used for icons, logos, charts, and graphs, enables the embedding of CSS and JavaScript scripts.

However, attackers are now exploiting its versatile design to craft and distribute malware undetected.

ASEC first reported this technique in November 2024, identifying the abuse of SVG files to deliver malicious content. Since then, threat actors have refined their malware, embedding advanced techniques to evade detection.

The malicious SVG files typically masquerade under common filenames such as Play Voicemail Transcription. (387.KB).svg, MT103_0296626389_.svg, and Access Document Remittance_RECEIPT6534114638.svg, enticing victims into opening seemingly harmless attachments.

Technical Breakdown of the Malware

The malware employs Base64 encoding to embed malicious scripts within the file using the <script> tag’s src attribute.

Malicious script encoded in Base64
Malicious script encoded in Base64

While this method is often utilized for legitimate purposes, such as embedding images to reduce server requests, hackers have repurposed it to bypass security filters.

Upon decoding, the malware reveals obfuscated redirect URLs, which lead victims to phishing pages.

For instance, a decoded URL like hxxp://oK2Nv4ZWX6.moydow[.]de/[malicious_code] serves as a link to redirect users further into the attack chain.

Decoded code
Decoded code

At the final stage, it lands victims on a phishing URL, such as hxxps://[account domain].islaxw[.]es/#EmailAccount, designed to harvest sensitive information.

Sophisticated Anti-Analysis Techniques

Once redirected, the attackers employ several advanced countermeasures to hinder malware analysis:

  1. Blocking Automation Tools: Using detection scripts that identify automation tools like PhantomJS or web proxies like Burp Suite, the malware redirects users employing these tools to blank pages.
  2. Preventing Specific Keyboard Actions: Critical key combinations, such as F12 (Developer Tools) and Ctrl+U (View Source), are blocked to prevent inspecting the suspicious webpage.
  3. Disabling Right-Click: Scripts disable the right-click function to ensure analysts cannot interact with the page contextually.
  4. Debugging Detection: The malware measures code execution times using performance.now() to detect debugging activity. If debugging is detected, users are redirected to legitimate content to avoid suspicion.

Phishing Page and Malicious Actions

The phishing page mimics a CAPTCHA verification system, urging users to click a button to proceed.

CAPTCHA phishing page
CAPTCHA phishing page

This interaction secretly sends a GET request to malicious URLs like hxxps://w2cc.pnkptj[.]ru/kella@aok5y, enabling attackers to initiate further actions, including redirecting users to phishing sites disguised as Microsoft login pages.

With attackers increasingly exploiting SVG files for malware distribution, users must adopt security best practices:

  • Avoid Opening Suspicious Attachments: Avoid files, especially in SVG format, received from unknown sources.
  • Exercise Email Vigilance: Verify the legitimacy of emails before interacting with their contents.
  • Update Antivirus Solutions: Ensure robust malware detection systems to prevent threats.

ASEC urges users to remain vigilant against this growing trend, as hackers continuously refine their techniques to stay ahead of detection mechanisms.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

CrushFTP Vulnerability Lets Hackers Bypass Security and Seize Server Control

By
Divya
-
CrushFTP Vulnerability Lets Hackers Bypass Security and Seize Server Control

A newly disclosed authentication bypass vulnerability (CVE-2025-2825) in CrushFTP file transfer software enables attackers to gain complete control of servers without valid credentials.

The vulnerability affects versions 10.0.0 through 11.3.0 of the popular enterprise file transfer solution, exposing organizations to data theft and system compromise.

The Exploit: Bypassing Security in 3 Steps

Security researchers have revealed how attackers can exploit this vulnerability using a simple HTTP request:

GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1

Host: target-server:8081

Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111

Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/

This attack combines three critical components:

  1. Spoofed AWS Header: Uses CrushFTP’s S3 protocol handling with a crushadmin username
  2. Fabricated Cookie: Requires a 44-character CrushAuth value with matching 4-digit code (1111 in this example)
  3. Parameter Manipulation: Leverages the c2f parameter to bypass password checks

The vulnerability stems from flawed authentication logic when processing S3-style requests:

  • System mistakes crushadmin/ credential as valid without password verification
  • Special cookie format tricks servers into accepting unauthenticated sessions
  • Attackers can then execute admin commands, including:
    • Downloading sensitive files
    • Creating new administrator accounts
    • Uploading malicious payloads

Security analysts confirm that 75% of CrushFTP instances remain unpatched as of March 31, 2025, despite fixes being available since March 26.

Detection and Mitigation

CrushFTP released version 11.3.1 with crucial fixes:

  • Disabled insecure S3 password lookup by default
  • Added security parameter s3_auth_lookup_password_supported=false
  • Implemented proper authentication flow checks

Immediate Action Required:

  1. Upgrade to CrushFTP ≥11.3.1 or ≥10.8.3
  2. Use ProjectDiscovery’s free detection tool:
nuclei -t https://cloud.projectdiscovery.io/public/CVE-2025-2825
  1. Audit server logs for suspicious GET requests to /WebInterface/function/

This vulnerability highlights three critical security lessons:

  1. Protocol Interaction Risks: Mixed authentication methods (S3 + cookies) create attack surfaces
  2. Default Configuration Dangers: Overly permissive defaults remain a systemic issue
  3. Response Time Gaps: 5-day patch adoption window leaves organizations exposed

Security teams should implement web application firewalls to block malformed S3 headers while patching. CrushFTP servers exposed to the internet should be considered high-risk until updated.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

New Android Malware “TsarBot” Targeting 750 Banking, Finance & Crypto Apps

By
Aman Mishra
-
Android Malware

A newly identified Android malware, dubbed TsarBot, has emerged as a potent cyber threat targeting over 750 applications across banking, finance, cryptocurrency, and e-commerce sectors.

Discovered by Cyble Research and Intelligence Labs (CRIL), this banking Trojan employs sophisticated overlay attacks to steal sensitive user credentials, including banking details, login information, and credit card data.

Global Reach and Advanced Techniques

TsarBot’s operations span multiple regions, including North America, Europe, Asia-Pacific, and the Middle East.

The malware spreads via phishing sites that impersonate legitimate financial platforms.

Once installed on a victim’s device through a dropper disguised as Google Play Services, TsarBot activates overlay attacks by displaying fake login pages over legitimate apps.

Android Malware
Phishing site distributing TsarBot

This technique enables it to capture sensitive user data seamlessly.

Beyond overlay attacks, TsarBot demonstrates advanced capabilities such as screen recording and remote control of infected devices.

It can simulate user actions like swiping and tapping while concealing malicious activities using a black overlay screen.

Additionally, the malware employs lock-grabbing techniques to capture device PINs or passwords using fake lock screens.

Command-and-Control Mechanism

TsarBot communicates with its command-and-control (C&C) server via WebSocket connections across multiple ports.

According to the Report, these connections facilitate the transmission of stolen data and enable dynamic execution of fraudulent activities on the victim’s device.

Commands issued by the server allow the malware to manipulate screen controls, execute gestures, and interact with targeted apps.

Android Malware
Screen capture service

The malware maintains a list of targeted application package names retrieved from its C&C server.

These include banking apps from countries like India, France, Poland, and Australia, as well as cryptocurrency platforms and social media applications.

When users interact with these apps, TsarBot overlays phishing pages that mimic legitimate interfaces to trick victims into entering their credentials.

The stolen data is then transmitted back to the C&C server for exploitation.

TsarBot’s ability to target a vast array of applications highlights the growing sophistication of Android banking Trojans.

By leveraging Accessibility services and advanced communication protocols, it executes on-device fraud while remaining undetected.

Cybersecurity experts recommend users exercise caution when installing apps from untrusted sources and avoid interacting with suspicious links or phishing sites.

Enabling Google Play Protect and regularly updating devices can also mitigate risks associated with such threats.

This development underscores the persistent challenge posed by mobile malware in today’s interconnected digital landscape.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

1234...911Page 3 of 911

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved