Tuesday, May 20, 2025

Cybercriminals Exploit PHP Weathermap Vulnerability to Install Cryptocurrency Miner on Linux Servers


An active cryptocurrency-mining campaign is targeting Linux servers through a PHP Weathermap vulnerability to deploy mining malware. The campaign exploits an old security flaw in the "Network Weathermap" plugin that allows a remote attacker to inject arbitrary code into the server.

In the current campaign, cybercriminals deploy the XMRig miner as the final payload on the target server. The attacks primarily focus on Japan, Taiwan, China, the U.S., and India.


Security researchers from Trend Micro detected the active cryptocurrency-mining campaign; according to the researchers, it is associated with the earlier JenkinsMiner malware campaign.

How Cryptocurrency Mining Campaign Infects

In this campaign, attackers exploit the outdated vulnerability CVE-2013-2618 in Cacti's Network Weathermap plug-in, which system administrators use to visualize network activity.

The persistent cross-site scripting vulnerability resides in "/plugins/weathermap/configs/conn.php"; attackers use it to execute scripts remotely and download the watchd0g.sh file from the attackers' server.

The main purpose of watchd0g.sh is to download the final payload, dada.x86_64, from the same server that hosts watchd0g.sh. The final payload is a modified XMRig miner.
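A defender-side way to spot the infection chain described above in web server logs, as an added example that is not part of the original article or of Trend Micro's research: it flags requests for any PHP file inside the Weathermap configs directory and requests that mention the campaign's download artifacts. The log lines are constructed, the combined log format is assumed, and the "u=" query parameter is a placeholder rather than the real exploit syntax.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined log format as written by Apache/nginx (assumed for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Weathermap's configs directory holds map configuration text, not PHP, so a
# request for a .php file there (the article names conn.php) points at a
# script the attacker planted rather than anything the plugin ships.
CONFIGS_PHP_RE = re.compile(r'/plugins/weathermap/configs/[^/?]+\.php', re.IGNORECASE)

# File names and download hosts quoted in the article (written de-fanged there).
CAMPAIGN_STRINGS = (
    "watchd0g.sh",
    "dada.x86_64",
    "bbc.servehalflife.com",
    "jbos.7766.org",
)

# Constructed sample log lines: client IPs are documentation addresses and the
# "u=" parameter on the fourth line is a placeholder, not the real exploit syntax.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2018:10:01:02 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Mar/2018:10:01:09 +0000] "GET /cacti/plugins/weathermap/weathermap-cacti-plugin.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2018:10:05:44 +0000] "GET /cacti/plugins/weathermap/configs/conn.php HTTP/1.1" 200 73 "-" "curl/7.58.0"
198.51.100.7 - - [20/Mar/2018:10:05:50 +0000] "GET /cacti/plugins/weathermap/configs/conn.php?u=http%3A%2F%2Fbbc.servehalflife.com%2Fwatchd0g.sh HTTP/1.1" 200 73 "-" "curl/7.58.0"
203.0.113.10 - - [20/Mar/2018:10:07:12 +0000] "GET /cacti/plugins/weathermap/configs/simple.conf HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def scan_access_log(lines) -> List[Dict[str, object]]:
    """Return one finding per request that matches either detection rule."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format (or a truncated line): skip rather than guess
        url = unquote(m.group("url"))  # decode %xx so encoded URLs are matched too
        reasons = []
        if CONFIGS_PHP_RE.search(url):
            reasons.append("php-in-weathermap-configs")
        haystack = " ".join((url, m.group("referer"), m.group("ua"))).lower()
        hits = [s for s in CAMPAIGN_STRINGS if s in haystack]
        if hits:
            reasons.append("campaign-artifact:" + ",".join(hits))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "url": m.group("url"),
                "status": m.group("status"),
                "reasons": reasons,
            })
    return findings


def suspicious_sources(findings) -> Dict[str, int]:
    """Count findings per client IP so the noisiest source is reviewed first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f["ts"], f["ip"], f["status"], f["url"], "->", "; ".join(f["reasons"]))
    print(suspicious_sources(hits))
```

A 200 response to a .php request under configs/ is the strongest signal, because it means the planted script actually executed.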

Also Read Linux Backdoor that Creates Fully Encrypted Reverse Shell and Attack Unsecured Linux Systems

The configuration file "config.json" that is executed along with XMRig contains the mining algorithm, the maximum CPU usage, the mining server, and the login credentials for the Monero wallets.

Researchers found two unique usernames matching Monero wallets and said that, as of March 21, 2018, the attackers had mined approximately 320 XMR, or about $74,677, based on the two wallets.

Attack Execution Requirements

A publicly accessible Linux web server running on x86-64 (the custom XMRig miners are 64-bit ELFs), with Cacti implemented with the Plugin Architecture working and an outdated Network Weathermap version (0.97a or earlier) in use.

The web server hosting Cacti does not require authentication to access the website resource. For the attack to work perfectly, the web server should be running with 'root' permissions.

IP address and Domains used in the attack

222[.]184[.]79[.]11
bbc[.]servehalflife[.]com
190[.]60[.]206[.]11
182[.]18[.]8[.]69
jbos[.]7766[.]org
115[.]231[.]218[.]38

Nmap 7.70 Released With Better OS Detection, 9 new NSE scripts and Much More


Nmap's first release of 2018, "Nmap 7.70", includes hundreds of new OS and service fingerprints, an improved version of the Npcap Windows library, better service detection, and 9 new NSE scripts.

Nmap ("Network Mapper") is one of the best free and open-source utilities for network scanning and security auditing.

Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap 7.70 packages are available for Linux, Windows, and Mac. It is a flexible, powerful, and portable tool that supports many platforms, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.

Changes with Nmap 7.70

Npcap Windows

The packet capturing library received a lot of improvements, and Nmap 7.70 includes the recent Npcap version 0.93.

OS fingerprint

The new version of Nmap adds 298 fingerprints, so Nmap now holds 5,652 fingerprints in total. It also detects 1,224 protocols and incorporates 33 IPv6 OS fingerprint submissions.

Also Read How to perform Information Gathering in Kali using NMAP – A Detailed Explanation

9 New NSE scripts

  • deluge-rpc-brute: Performs brute-force attacks against BitTorrent (Deluge) RPC services, using the zlib library.
  • hostmap-crtsh: Lists subdomains by querying Google Certificate Transparency logs.
  • http-bigip-cookie: Decodes unencrypted F5 BIG-IP cookies.
  • http-jsonp-detection: Detects JSONP endpoints in web servers.
  • http-trane-info: Gets information from Trane Tracer SC controllers.
  • nbd-info: Employs nbd.lua to query Network Block Devices.
  • rsa-vuln-roca: Checks RSA keys for the Coppersmith attack (ROCA).
  • smb-enum-services: Lists services running on a remote Windows machine.
  • tls-alpn: Checks which application-layer protocols (ALPN) a TLS server offers.

Nmap was designed to rapidly scan large networks but works fine against single hosts. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Cybercrime-as-a-Service – DDoS Attack Services Available in Dark Web Markets for $10 per Hour


The number of cyberattacks is increasing, and cybercriminals are evolving new business models such as cybercrime-as-a-service. Recent studies put the global cost of cybercrime to businesses as high as hundreds of billions of dollars.

Cybercrime continues to be big business; even though law enforcement has grown in number and sophistication, it remains difficult to stop the dark web markets.

Researchers from Armor published a report on threat actors' activity and the products and services offered in underground markets and forums.

Before exploring further, let's look at the layers of the web.

Surface web:

Everything that is indexed by search engines such as Google, Yahoo, and Bing.

Deep web:

The part of the web that is not indexed by search engines. Example: your website's database.

Dark web:

The part of the deep web that is hosted on encrypted networks; tools such as Tor are needed to access it.

The dark web markets remain a place for selling stolen credit cards, and the underground also offers hacker-for-hire services, hacking tools, tutorials and more. These dark web markets are accessible through anonymization services such as Tor or I2P.

Cybercrime-as-a-service

The most profitable business for criminals is selling cybercrime-as-a-service, and their service offerings come with flexible plans.

Want to DDoS an organization for an hour? $10. A day? $200. What about remote access to a machine via Remote Desktop Protocol (RDP) for three months? $35.

Cybercriminals sell exploit kits, botnets, and hacked accounts in dark web markets to earn money on a regular basis. In some cases, they provide support at an additional cost.

According to Armor, “A Microsoft Office exploit builder that targets CVE-2017-1099 was selling for as much as $1,000. Meanwhile, a banking Trojan license could be purchased for $3,000 to $5,000, and a remote access Trojan was seen selling for $200.”

Code-signing certificates, which prove the integrity of an application, were also sold in dark web markets: “standard codesigning for $400 & Extended Validation (EV) certificate for $2,500”, according to Armor.


Stolen credit cards hold the major market share, and major brands such as MasterCard, Visa and American Express all make regular appearances. Armor spotted a seller offering U.S. credit card numbers for $10-$12; card information is also sold in bundles.

Cybercriminals also offer bank login information as part of cybercrime-as-a-service – including username, password, and email address – for prices ranging from $200 to $1,000, depending on the balance in the account.


Armor said that for $40 cybercriminals offer full identity details such as social security numbers, dates of birth and addresses, as well as less sensitive, but no less personal, data like phone numbers, education level, and employment information.


Armor's TRU team also spotted social media accounts on offer: 1,000 Instagram accounts for $15, 2,500 for $25, 5,000 for $40 and 10,000 for $60. Another seller claimed to be able to hack into accounts for Facebook, Netflix, Twitter and other services for $12.99.


Armor published a paper on their investigation along with tips for security professionals and individuals. You can find the detailed report here.

APT Hacking Groups are Targeting Vulnerable Medical Networks for Cyber Attack


APT actors are currently showing more interest in medical networks and are using advanced threats such as the PlugX RAT and Cobalt Strike to exfiltrate data from pharmaceutical organizations.

Current research reveals that medical-sector cyber attacks keep increasing every year, putting at risk not only medical devices but human life as well.

Advanced threat actors targeting the medical industry are able to do a lot of damage, such as copying and modifying files and logging keystrokes, especially given that hackers have placed their implants on the servers of pharmaceutical companies.

Medical infrastructure contains a lot of medical devices, some of them portable, and devices like spirometers or blood pressure monitors support the MQTT protocol to communicate with other devices directly.

According to the statistics, more than 60% of medical organizations had some kind of malware on their servers or computers.

Mass Scan of Global Medical Networks

Detailed research was conducted on medical networks to find vulnerable entry points, using an approach based on keywords such as “medic”, “clinic”, “hospit”, “surgery” and “healthcare” in the organization’s name.

This mass scan was conducted by the security firm Kaspersky based on publicly available information, using the search engines Shodan and Censys.

The scan results revealed a lot of trivially open ports and services such as web servers, DNS servers and mail servers, which makes the networks easy for attackers to exploit.

Most interestingly, the non-trivial ports are already vulnerable: those services are out of date and need to be patched, and the scan results show that some organizations' electronic medical record web applications are out of date.

[Figure: The most popular open ports on medical perimeters (18,723 live hosts; 27,716 open ports)]

Researchers also used the ZTag tool and Censys to find what kinds of services are hidden behind these ports and found embedded tags belonging to SCADA-type systems and NAS, which are among the top services in medical networks.

According to Kaspersky, “Excluding these trivial things, we found Building Management systems that are out of date. Devices using the Niagara Fox protocol usually operate on TCP ports 1911 and 4911. They allow us to gather information remotely from them, such as application name, Java version, host OS, time zone, local IP address, and software versions involved in the stack.”

Shodan showed that some medical organizations have port 2000 open, which is extremely vulnerable to the extraction of information about the current Wi-Fi connection.

All these flaws can lead to compromise of the medical network via malware and ransomware, with results that put both the medical organization and human life at risk.

Fakebank Malware Variant that Intercepts Android user’s Banking Calls


The Fakebank malware is back with a new variant that intercepts Android users’ incoming and outgoing banking calls. Attackers distribute the app through third-party Android markets and social media websites.

Security researchers from Symantec identified the malicious behavior of apps infected with Android.Fakebank, which intercepts the calls users make to their banks.

The current variant targets Korean bank clients; so far 22 apps have been identified as infected with the Fakebank malware. The previous variant of Fakebank intercepted SMS messages to gather financial information.

The previous version of the Fakebank malware targeted Russian-speaking nations and Russian banks, using heavy obfuscation to steal highly sensitive information.


When the app is triggered, it collects personal information from the user’s phone and submits it to the command and control servers. The server responds with a configuration that specifies the phone number.

Researchers said: “When users call a real banking phone number, the malware is able to intercept and transfer the call to the scammer’s configured phone number. When a call comes in from a scammer, the app will overlay a fake UI dialog that spoofs a legitimate bank caller ID and number”.

The API and associated permissions have evolved across Android versions (android.permission.SYSTEM_ALERT_WINDOW). On Android versions below 6, the permission needs to be declared in the manifest file and it is granted at installation time.

On Android versions 6 and 7, if the permission is declared in the manifest file and the app is downloaded from Google Play, it won’t prompt users for the permission. From Android version 8, the app is not allowed to overlay the system, so the malware will not execute.

Common Defences Against Mobile Threats

  • Give careful consideration to the permissions asked for by applications.
  • Download applications only from trusted sources.
  • Stay up to date with the latest version.
  • Encrypt your devices.
  • Make frequent backups of important data.
  • Install anti-malware on your devices.
  • Stay strict with the CIA (confidentiality, integrity, availability) cycle.

Hackers Can Abuse Plugins for Popular Unix Text Editors to Escalate Privileges


Advanced Unix text editors offer extensibility by allowing users to install third-party plugins for ease of use and to enhance the editors’ functionality.

Server administrators often run text editors with elevated privileges (“sudo gedit”) to edit root-owned configuration files. If the text editor contains a vulnerable third-party plugin, this enlarges the attack surface.

A vulnerable third-party text editor plugin could be abused by attackers to escalate privileges on your system or server.

Also Read Top 5 Best Text Editors For Linux

According to recent SafeBreach research, “they found the inadequate separation of regular and elevated modes. Folder permissions integrity is not maintained and that opens the door for an attacker with regular user permissions to get the elevated execution of arbitrary code and to gain privilege escalation on the machine”.

Researchers tested the attack on the well-known, highly-ranked text editors Sublime, Vim, Emacs, Gedit, and pico/nano. They have published a research paper with examples.

Here is the scenario: “Imagine that an attacker can run arbitrary code as a sudoer but not elevated; all he needs is to write the malicious plugin in the user folder that the text editor uses and wait for the execution of the plugin in elevated status”.

The researchers notified the vendors of the vulnerability, and it still remains unpatched. The researchers suggested monitoring modifications to the key files and folders presented by adding OSSEC rules.

Also Read Most Important Computer Forensics Tools for Hackers and Security Professionals

Below is the list of mitigations suggested for Unix text editors:

  • Implement OSSEC monitoring rules.
  • Deny write permissions for non-elevated users.
  • Change folders and file permission models to ensure separation between regular and elevated modes.
  • Prevent loading of 3rd-party plugins when an editor is elevated.
  • Provide a manual interface to approve the elevated loading of plugins.
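One way to check the "deny write permissions for non-elevated users" mitigation on a host, as an added example that is not part of the article or of SafeBreach's research: it walks a plugin directory (and optionally its ancestors) and reports every inode that a user other than the trusted owner could modify, which is exactly what the scenario above relies on. The plugin directory names are assumptions; the real paths differ per editor and distribution.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Directories an elevated editor is assumed to load plugins from; the real
# paths differ per editor and per distribution, so treat these as placeholders.
ASSUMED_PLUGIN_DIRS = [
    "~/.vim",
    "~/.emacs.d",
    "~/.local/share/gedit/plugins",
    "~/.config/sublime-text-3/Packages",
]

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def entry_problem(st: os.stat_result, trusted_uid: int) -> str:
    """Return why this inode could be altered by someone other than trusted_uid, or ''."""
    if st.st_uid != trusted_uid:
        return "owned-by-uid-%d" % st.st_uid
    if st.st_mode & WRITABLE_BY_OTHERS:
        # A sticky, world-writable directory (like /tmp) still lets anyone add a
        # new plugin file, so it is reported like any other writable directory.
        return "group/world-writable"
    return ""


def audit_plugin_dir(plugin_root: str, trusted_uid: int = 0,
                     check_ancestors: bool = True) -> List[Tuple[str, str]]:
    """List every path under plugin_root (and, optionally, above it) that a user
    other than trusted_uid could modify, and therefore use to plant code that an
    editor loads while elevated."""
    findings: List[Tuple[str, str]] = []
    root = os.path.abspath(os.path.expanduser(plugin_root))
    if not os.path.lexists(root):
        return findings

    if check_ancestors:
        # A writable ancestor lets a user rename the whole tree away and replace it.
        parent = os.path.dirname(root)
        while parent != os.path.dirname(parent):
            why = entry_problem(os.lstat(parent), trusted_uid)
            if why:
                findings.append((parent, "ancestor " + why))
            parent = os.path.dirname(parent)

    why = entry_problem(os.lstat(root), trusted_uid)
    if why:
        findings.append((root, why))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # lstat: judge a symlink by its own owner, not by what it points at.
            why = entry_problem(os.lstat(path), trusted_uid)
            if why:
                findings.append((path, why))
    return findings


def make_demo_tree() -> Tuple[str, int]:
    """Constructed fixture: a private plugin dir holding one safe file, one
    world-writable file and one world-writable subdirectory. Returns its path
    and the uid that owns it."""
    root = tempfile.mkdtemp(prefix="plugins-")
    os.chmod(root, 0o700)
    for name, mode in (("safe.vim", 0o644), ("loose.vim", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    sub = os.path.join(root, "autoload")
    os.mkdir(sub)
    os.chmod(sub, 0o777)
    return root, os.getuid()


if __name__ == "__main__":
    demo, owner = make_demo_tree()
    for path, why in audit_plugin_dir(demo, trusted_uid=owner, check_ancestors=False):
        print("UNSAFE", path, why)
    # Real run: plugins loaded by an editor started with sudo must be root-owned.
    for d in ASSUMED_PLUGIN_DIRS:
        for path, why in audit_plugin_dir(d, trusted_uid=0):
            print("UNSAFE", path, why)
```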

3 Dangerous Ransomware Families Author Arrested in Poland and Seized the All Decryption keys


The author of the three critical ransomware families Polski, Vortex, and Flotera has been arrested in Poland, and authorities seized his computer equipment, including a laptop and servers, as well as the private keys.

Tomasz T., a Polish citizen who lives permanently in Belgium (known as Thomas or Armaged0n), is responsible for conducting cybercrimes such as DDoS attacks, sending malicious software to compromise several computers, and using ransomware to encrypt files.

He used this ransomware to compromise thousands of computers at various Polish companies between 2013 and 2018.

Cybercrime officials had been tracking him for several years, since 2013; he used payment cards linked to a technical bank account and committed many of the crimes from Belgium.

He spread this ransomware via email, impersonating official correspondence from well-known companies such as telecommunication providers, retailers, banks, etc.

Also Read: Hermes Ransomware Distributed Through Malicious Office Documents Embedded Flash Exploit

Earned $145,000 Using this Ransomware Family

Once a victim is infected with this ransomware, all the victim’s files are encrypted and a ransom of USD 200 – 400 is demanded.

He earned over $145,000 from various cybercrimes by compromising victims’ computers, and all the payments were made through bitcoins.

Later he exchanged the currency via a Polish cryptocurrency exchange that is actually linked to his original bank account.

Seized all the equipment and prepared an Evidence

Polish cybercrime police have charged him with various offences, such as accepting and transferring funds from crimes, infecting computers with malware such as Polski Ransomware, Vortex or Flotera, and influencing automatic data processing for financial benefit.

The decryption keys for all these ransomware families have been collected from his computer, and users affected by the Polski, Vortex, and Flotera ransomware can lodge a complaint to receive a decryption key for their files.

The suspect, questioned by the prosecutor, pleaded guilty to the charges and gave explanations.

After performing the procedural steps, the prosecutor filed a motion to apply temporary detention to T. T. for a period of three months. On March 16, 2018, the court upheld the prosecutor’s motion, officials said.

Steps to Remotely Access Your Laptop from Mobile


Remote access can help you in many ways to save time. In this super speedy, workaholic world of today, you never know which file your boss might ask for at any moment of the day!

If you have it with you, that’s great, but what if it is on your PC and you don’t have your PC with you? The situation is worse if it’s urgent, but relax, there is no need to panic, as a wonderful solution to this problem exists.

It is called remote access! By learning and following some easy steps, you can conveniently access anything on your laptop from your mobile phone. Isn’t it amazing? It obviously is! The world has changed far more than you think: along with using your laptop from your mobile, the phone can also be used to check discounts on electronics on websites like Amazon, Flipkart and eBay while you enjoy the other mobile remote access facilities too!

Three Ways to Access Your Laptop Remotely

Technology is upgrading day by day, and so do we need to! While there are several options available for getting remote access to your laptop from your mobile phone, we list here some of the best and easiest ways to establish remote access that will help you out without requiring too much involvement with technical details. Check out all of them and choose the one that best matches your requirements.

Also Read: Android Rat – TheFatRat to Hack Targeted Android Phone

THE FIRST WAY – Get Remote access through CHROME REMOTE DESKTOP

Are you searching for the simplest and safest way to get remote access to your files from your mobile devices? If yes, here is some great news for you! Google Chrome has made remote access easier than ever before; it has brought a revolution to this highly technical world of today by providing a super quick service to establish remote access to your computer.

Most of you must have used Google Chrome for accessing the web; it’s high time to explore the other facilities it offers.

If you don’t use it, you can install it from the Google store and start reaping the benefits that follow! It is great to know that this fabulous service can be used on all sorts of systems, such as Linux, Mac, Windows, iPhone and Android.

STEPS TO BE FOLLOWED ON COMPUTER

  • Install Google Chrome and, once you are done with that, download the Chrome Remote Desktop app on your computer
  • Several dialog boxes will appear along the way; read the instructions and follow them
  • You need to grant certain permissions to get the job done, so make sure you grant them when required
  • You will be asked to install an additional component of the app for enhanced service
  • After this, you need to choose between the “grant remote access” and “access your own computer” options
  • It is preferable to choose the second one, as that is the safer option
  • Under this method you will be asked to set a PIN that needs to be entered every time you want remote access, so choose it wisely.

STEPS TO BE FOLLOWED ON MOBILE DEVICES

  • Download the Android version of the same app from the Google Play store
  • Make sure that you have signed in with the same Google account on both devices
  • If you have signed in, you will automatically be shown the list of computers under your control
  • Choose the desired computer and enter the PIN you set during setup.
  • Once you proceed, you are done.

2. THE SECOND WAY – Use REMOTE CONTROL

Getting remote access to your computer from your Android device isn’t something that needs an introduction today. It is all about granting remote access so as to speed up and smooth out numerous activities in our day-to-day life. This is the best option if you are searching for a super safe remote access service that is well suited for professional use.

You can use it for personal use as well, but here you won’t get the service for free as with the other options; you can try the free trial, but at the end of the day you need to choose the subscription package you prefer.

It is a highly useful facility and comes packed with other extraordinary features like screen sharing, chat support, file transfer, collaboration and a lot more.

HOW TO GET STARTED?

To get remote access through Bomgar or perform any other functions, you need to follow these quick steps:

  • Visit their website or download their app
  • Install it and simply create an account there
  • Sign in and try the free trials and tutorials first
  • Then you are required to grant certain permissions and follow some instructions
  • Install the Android app on your mobile phone
  • Sign in with the same account there and connect to the computer you wish to access remotely; you are done.

3. THE THIRD WAY – OPT FOR TEAMVIEWER

TeamViewer is a really fantastic option for gaining remote access to your computer if you don’t use Google Chrome or don’t want to switch to it now. TeamViewer offers the same facilities, and it would not be incorrect to say that it is more advanced than Google Chrome’s remote facility in certain ways.

Though it is not as user-friendly as Chrome, that doesn’t mean it is too complex to use. All you need is a bit of technical guidance and support and you are ready to go.

It is supported on all the major systems: Windows, Linux, Mac, Android, and iPhone. However, you need to be very cautious while using it, because if you don’t follow the required steps in the proper manner, you risk losing your files to untrusted parties.

STEPS TO GAIN REMOTE ACCESS FROM TEAM VIEWER

  • Download the latest version of TeamViewer and select the installation type, personal or corporate, as per your use.
  • Then create a TeamViewer account, or log in if you already have one, and connect it to your computer
  • You need to set different passwords for the different computers you wish to access remotely
  • To establish real mobile remote access, you are required to download TeamViewer’s app on your Android device as well.
  • Tap the Computers button there and sign in to your account; you will be shown the list of computers connected to that account
  • Tap on the computer you wish to access remotely and you are all set to proceed.

The Bottom line

Technology has enhanced our lives in innumerable ways and has become an integral part of them! All of you must have come across a terrible situation where you wished to access your computer remotely from your mobile or tablet but could not, due to a lack of know-how or a clumsy technical procedure.

But the best part is that today everyone can! No more panicking, as you can literally get your laptop on your Android device at your fingertips. Thanks to these services, today we are able to remotely access things we never imagined we would be able to.

Hermes Ransomware Distributed Through Malicious Office Documents Embedded Flash Exploit


After the public announcement of the Flash vulnerability CVE-2018-4878, massive malspam campaigns appeared with malicious Word documents that contain the Flash exploit and deliver Hermes ransomware.

In this campaign, attackers distribute Hermes ransomware through malicious Office documents embedded with the Flash exploit, and the attacks target South Korean users.

Security researchers from Malwarebytes spotted the campaign, and according to their analysis, the first attacks happened through a compromised Korean website.

Hermes Ransomware Analysis

Unlike other ransomware, Hermes is not stealthy: once it enters the system, it copies itself to the temp folder %TEMP% under the name svchosta.exe and deletes the initial sample.

The malware authors force users into accepting the batch script by deploying it in a continuous loop. The batch script looks for possible backups on the system; even if the batch script is not executed, the main module continues with the encryption.

Before starting the encryption process, it checks whether a file is already encrypted by looking for the “HERMES” marker in the file, and each file is encrypted with a new key.

Also Read Hacking vs Spying: How puzzling it is to Find the Hackers in Cyber World

Files are encrypted using an RSA public key, and once encryption completes, the ransom note pops up. Like other ransomware, it uses the symmetric algorithm AES to encrypt files and RSA to protect the AES key. Malwarebytes published an analysis report.

Researchers said: “Encrypted files don’t have their names changed. Each file is encrypted with a new key—the same plaintext produces various ciphertext. The entropy of the encrypted file is high, and no patterns are visible. Below, you can see a visualization of a BMP file before and after being encrypted by Hermes”.

Attackers targeted the following file extensions:


The attack vector targeted only South Korea, but Hermes is fully functional malware, and the real motivation of the attackers has not been identified.
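An incident-response triage script built on the two observations in the analysis above, that encrypted files keep their names and that Hermes writes a “HERMES” marker into each one and leaves high-entropy content, as an added example that is not part of the article or of Malwarebytes' report. The 7.5 bits/byte threshold, the whole-file marker search (the analysis gives no offset) and the sample files are assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict, Tuple

HERMES_MARKER = b"HERMES"   # marker named in the analysis; its offset is not given, so the whole file is searched
ENTROPY_THRESHOLD = 7.5     # assumed bits/byte: AES output sits near 8.0, documents and bitmaps far below

# A small constructed subset of the extensions on the attackers' target list.
TARGET_EXTENSIONS = {".doc", ".docx", ".xlsx", ".pdf", ".jpg", ".bmp", ".sql", ".kdbx", ".pfx", ".zip"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> Tuple[str, float, bool]:
    """Return (verdict, entropy, marker_found) for one file's contents."""
    ent = shannon_entropy(data)
    marked = HERMES_MARKER in data
    if marked and ent >= ENTROPY_THRESHOLD:
        verdict = "encrypted-hermes"
    elif marked:
        verdict = "marker-only"     # marker without ciphertext-like body: partial write or planted; inspect by hand
    elif ent >= ENTROPY_THRESHOLD:
        verdict = "high-entropy"    # compressed or otherwise encrypted content, not attributable to Hermes
    else:
        verdict = "plaintext-like"
    return verdict, ent, marked


def triage_directory(root: str) -> Dict[str, str]:
    """Map each target-extension file under root to its verdict. Names are taken
    as found, because encrypted files are not renamed. Whole files are read, which
    is fine for a triage sample; for huge trees read the head and tail instead."""
    verdicts: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            verdicts[os.path.relpath(path, root)] = classify(data)[0]
    return verdicts


def constructed_samples() -> Dict[str, bytes]:
    """Constructed inputs: a low-entropy 'bitmap', deterministic pseudo-random
    bytes standing in for AES ciphertext with the marker appended, and a file
    whose extension is not on the target list."""
    bitmap = b"BM" + bytes([0x10, 0x20, 0x30, 0x40]) * 1024
    rng = random.Random(2018)
    cipher = bytes(rng.getrandbits(8) for _ in range(4096)) + HERMES_MARKER
    return {"photo.bmp": bitmap, "report.docx": cipher, "notes.txt": b"not a target extension"}


def demo_dir() -> str:
    """Write the constructed samples into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="hermes-triage-")
    for name, data in constructed_samples().items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        verdict, ent, marked = classify(data)
        print("%-12s entropy=%.2f marker=%-5s %s" % (name, ent, marked, verdict))
    print(triage_directory(demo_dir()))
```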

Chinese Cyber Espionage Group Targeting United States Engineering & Academic Organizations With Advanced Hacking Tools


A Chinese cyber espionage actor is actively running the TEMP.Periscope malware campaign, which uses a powerful set of malware tools to compromise U.S. engineering and other organizations, such as the maritime industry and research institutes in the United States.

This malware has been actively distributed since 2017 alongside other Chinese malware campaigns, but it uses various infection approaches with a revised toolkit.

This Chinese cyber espionage group’s primary focus in its earlier stage was on multiple targeting vectors, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities.

Most of the identified victims infected by this group are in the United States, with Europe and Hong Kong affected next.

TEMP.Periscope also leverages a large library of malware used by other Chinese hacking groups, along with their tactics, techniques, and procedures (TTPs).

Also Read: OceanLotus APT Hacking Group Distributing Backdoor to Compromise Government Networks

Malware From the Large Library Shared With Other Chinese Cyber Espionage Groups

  • AIRBREAK – A JavaScript-based backdoor that retrieves commands from hidden strings in compromised web pages and abuses legitimate services.
  • BADFLICK – A backdoor for generating a reverse shell and modifying the file system.
  • PHOTO – A DLL backdoor capable of creating a reverse shell, taking screen captures, and recording video and audio.
  • HOMEFRY – A Windows password dumper/cracker used together with other backdoors that reveals credentials in cleartext.
  • LUNCHMONEY – A Dropbox file exfiltration tool.
  • MURKYTOP – A command-line reconnaissance tool that can delete files locally and gather information about the OS, users, groups, and shares on remote hosts.
  • China Chopper – A simple code-injection webshell that allows uploading and downloading files.

TEMP.Periscope also reuses some tools from past operations:

  • Beacon – A backdoor for injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
  • BLACKCOFFEE – A backdoor that obfuscates its communications.

According to the FireEye report, this Chinese cyber espionage group uses additional TTPs such as:
  • Spear phishing, including the use of probably compromised email accounts.
  • Lure documents using CVE-2017-11882 to drop malware.
  • Stolen code signing certificates used to sign malware.
  • Use of bitsadmin.exe to download additional tools.
  • Use of PowerShell to download additional tools.
  • Using C:\Windows\Debug and C:\Perflogs as staging directories.
  • Leveraging Hyperhost VPS and Proton VPN exit nodes to access webshells on internet-facing systems.
  • Using Windows Management Instrumentation (WMI) for persistence.
  • Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence.
  • Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft’s TechNet portal.

TEMP.Periscope primarily focuses on stealing research and development data and intellectual property.