Tag Archives: malware

Over 600000 Android users infected with malware on Google Play — delete these apps now – Tom’s Guide

Related coverage:

  1. Billions of Android users warned about apps secretly signing them up for paid subscriptions – here’s what t… (The US Sun)
  2. New Android malware infects over 620000 users, including Malaysians (TechNave)
  3. Delete these Google Play apps now! HD 4K Wallpaper to Fingertip Graffiti-check full list (HT Tech)
  4. Billions of Android users warned to delete eight types of apps – here’s how to check for them right now… (The US Sun)

Read original article here

New malware variant has “radio silence” mode to evade detection – BleepingComputer

Related coverage:

  1. Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities (Check Point Research)
  2. Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments (The Hacker News)
  3. Sharp Panda Target Southeast Asia in Espionage Campaign Expansion (Infosecurity Magazine)
  4. “Sharp Panda”: Check Point Research puts a spotlight on Chinese origined espionage attacks against southeast asian government entities (Check Point Blog)

FBI seizes website used by notorious ransomware gang

CNN —

The FBI has seized the computer infrastructure used by a notorious ransomware gang which has extorted more than $100 million from hospitals, schools and other victims around the world, US officials announced Thursday.

FBI officials since July have had extraordinary access to the so-called Hive ransomware group’s computer networks, FBI Director Christopher Wray said at a news conference, allowing the bureau to pass computer “keys” to victims so that they could decrypt their systems and thwart $130 million in ransom payments.

As of November, Hive ransomware had been used to extort about $100 million from over 1,300 companies worldwide – many of them in health care, according to US officials.

The dark-web website on which Hive listed its victims displayed a message in Russian and English Thursday that it had been taken over “as part of a coordinated law enforcement action” against the group by the FBI, Secret Service and numerous European government agencies.

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco told reporters.

The Hive ransomware has been particularly rampant in the health care sector. One ransomware attack using Hive malicious software, in August 2021, forced a hospital in the US Midwest to turn away patients as Covid-19 surged, Attorney General Merrick Garland said.

Other reported US victim organizations of Hive include a 314-bed hospital in Louisiana. The hospital said it thwarted a ransomware attack in October, but that the hackers still stole personal data on nearly 270,000 patients.

“Hive compromised the safety and health of patients in hospitals – who are among our most vulnerable population,” said Errol Weiss, chief security officer for the Health Information Sharing and Analysis Center, a cyber threat sharing group for big health care providers worldwide. “When hospitals are attacked and medical systems go down, people can die.”

Thursday’s announcement is the latest in a series of Justice Department efforts to crack down on overseas ransomware groups that lock up US companies’ computers, disrupt their operations and demand millions of dollars to unlock the systems. Justice officials have seized millions of dollars in ransomware payments and urged companies not to pay off the criminals.

The ransomware epidemic grew more urgent for US officials after Colonial Pipeline, the major pipeline operator for sending fuel to the East Coast, shut down for days in May 2021 due to a ransomware attack from a suspected Russian cybercriminal. The disruption led to long lines at gas stations in multiple states as people hoarded fuel.

While the ransomware economy remains lucrative, there are signs that the US and international law enforcement stings are making a dent in the hackers’ earnings. Ransomware revenue fell to about $457 million in 2022, down from $766 million in 2021, according to data from cryptocurrency-tracking firm Chainalysis.

Cybersecurity professionals welcomed the Hive takedown, but some worried that another group would soon fill the void left by Hive.

“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system,” John Hultquist, a vice president at Google-owned cybersecurity firm Mandiant, told CNN.

“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” Hultquist said.

Wray said the FBI would continue to track the people behind Hive ransomware and try to arrest them. It was not immediately clear where those people were located. The Department of Health and Human Services has described Hive as a “possibly Russian speaking” group.

This story has been updated with additional details.


Banking malware Dridex attacking Mac, MacBook computers with sneaky infection method

If you use a Mac or MacBook, beware that a banking malware known as Dridex is moving on from attacking Windows computers and is now going after Macs using email attachments that look like regular documents. 


Dridex is information-stealing malware attributed to the cybercriminal group Evil Corp and is used to harvest sensitive data from infected machines. Cybersecurity software company Trend Micro analyzed the malware and found that the file can run on both macOS and iOS systems.

Here’s what to know about the banking malware known as Dridex.

What is Dridex malware and what does it do?

Dridex malware has been around for many years, and cybersecurity firms have been tracking it since its inception. Its goal is to obtain private information about people’s bank accounts. Dridex is classified as a Trojan, a type of malware that hides its malicious code inside seemingly harmless data to catch people off guard. Attackers typically spread it via spam messages crafted to look like official emails.


Dridex is now known to be hitting Mac and MacBook computers.

How does this macOS Dridex malware work?

This version of Dridex malware contains a malicious document that runs automatically as soon as a user opens it. Once it begins to run, it overwrites all Microsoft Word files on the infected macOS computer and contacts a remote server to download more files. One of those files is a Windows executable that runs Dridex.

If you have a Mac, you may not be immediately aware that your files have been corrupted, which is why Dridex specifically targets Word documents. Since people regularly share Word documents, Mac users can pass their overwritten, malicious files on to others and unknowingly infect those devices, creating a malware domino effect.


In this case, the malware itself cannot infect the targeted Macs, since it is contained within a Windows executable. However, if you download the corrupted file, it can cause files on a Mac to be overwritten with malicious ones, and when those files are shared online they can unwittingly infect your family, friends and coworkers.

To protect your computer against Dridex, follow these steps.

How do I prevent malware from attacking my laptop?

My biggest desire is to educate and inform you about the increased real threat to each of our connected devices and encourage you to use strong antivirus security protection on everything in your life connected to the rest of the world. 








Why Windows is #1 target for malware: 2 easy ways to stay safe

Wanna know just how bad the problem of malware is? According to a study by Atlas VPN, there were a staggering 62.29 million malware threats across the first three quarters of 2022, averaging roughly 228,164 malware threats a day.

However, there is some good news; malware threats were down by nearly 34% from last year. Malware threats steadily decreased quarter by quarter as the year progressed, with cases lowering by 4% between the first and second quarters and a further 14% from the second to third.

It was still no comfort to Windows users, as Windows earned the unwanted distinction of being the most malware-prone operating system in 2022.



The most targeted award goes to Windows

According to Atlas VPN, 59.8 million malware samples were detected on Windows operating systems in the first three quarters of 2022. This makes up for roughly 95.6% of all malware cases detected during the same time frame.

Distantly following Windows for malware detections during the same period were:

  • Linux – 1.76 malware samples detected
  • Android – 938,379 malware samples detected
  • macOS – 8,329 malware samples detected.



Why is Windows so vulnerable to malware?

The simplest answer to this question is that Windows is by far the most common operating system on devices worldwide; therefore, Windows is the operating system most targeted by bad guys, simply from an efficiency standpoint. Also, since so many devices around the world are running Windows, when malware spreads, the number of systems infected can quickly become enormous.

Additionally, Windows users are far more likely to inadvertently download malware when installing applications sourced from the internet. Compared to an operating system like macOS, which has a dedicated, curated library for application downloads, Windows users must for the most part fetch applications through a standard web browser, a channel that is much more exposed to attack.

If you want to understand from a more technical standpoint, read on.

From its original inception (well before we all had easy access to the internet), Windows was designed to be used by only one user per device, which meant that the ability to password-protect multiple user accounts like we do now was not built into its original framework. Therefore, from the beginning, Windows was built without crucial security measures, which included proper user accounts and restricted file permissions that protected vital system components. Even though today, Windows does employ a multi-user framework (i.e., multiple accounts with separate passwords), it has never set up a firewall that is natively built into the operating framework.

This means that unless a Windows user purchases third-party security software and sets it up properly, their Windows system is still wide open to attacks from bad guys once they connect to the internet.


How do I protect myself from malware?

Malware comes in various physical and virtual means to infect your devices and networks. However, there are several steps one could take to stay one step ahead of hackers.

1. Keep your device’s software up to date

To make sure your iPhone is up to date:

  • Go to the Apple icon in the upper left-hand corner of your screen
  • Click “About this Mac”
  • Click the “Software Updates” button
  • Click “Update Now.”

To make sure your Android is up to date:

  • Open the Settings app
  • Scroll to the bottom and tap System
  • Tap System update. If there is an update, it will display “Update available”. Tap it and follow the prompts to install it on your device.

2. Lock up your tech

The best way to protect yourself is to install antivirus software on your devices.








Samsung’s Android app-signing key has leaked, is being used to sign malware

A developer’s cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you’re installing. The matching keys ensure the update actually comes from the company that originally made your app and isn’t some malicious hijacking plot. If a developer’s signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.

On Android, the app-updating process isn’t just for apps downloaded from an app store; it also covers the bundled-in system apps made by Google, your device manufacturer, and any other pre-installed apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren’t subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.

Guess what has happened! Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

These companies somehow had their signing keys leaked to outsiders, and now you can’t trust that apps claiming to be from these companies are really from them. To make matters worse, the “platform certificate keys” they lost carry some serious permissions. To quote the APVI post:

A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id—android.uid.system—and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.

Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn’t quite root access, but it’s close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.


Medibank data breach: Australia blames cyber criminals in Russia for attack

Brisbane, Australia (CNN) —

Cyber criminals in Russia are behind a ransomware attack on one of Australia’s largest private health insurers that’s seen sensitive personal data published to the dark web, the Australian Federal Police (AFP) said Friday.

In a short press conference, AFP Commissioner Reece Kershaw told reporters investigators know the identity of the individuals responsible for the attack on health insurer Medibank, but he declined to name them.

“The AFP is undertaking covert measures and working around the clock with our domestic agencies and international networks including Interpol. This is important because we believe those responsible for the breach are in Russia,” he said.

Medibank says the stolen data belongs to 9.7 million past and present customers, including 1.8 million international customers. The files include health claims data for almost half a million people, including 20,000 based overseas.

This week, the group started releasing curated tranches of customer data onto the dark web, in files with titles including good-list, naughty-list, abortions and boozy, which included those who sought help for alcohol dependency.

Kershaw said police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, without naming specific examples.

“These cyber criminals are operating like a business with affiliates and associates who are supporting the business. We also believe some affiliates may be in other countries,” said Kershaw, who declined to take questions due to the sensitivity of the investigation.

Cyber security experts have said the criminals are likely linked to REvil, a Russian ransomware gang notorious for large attacks on targets in the United States and elsewhere, including major international meat supplier JBS Foods last June.

That breach shut down the company’s entire US beef processing operation and prompted the company to pay an $11 million ransom. Last November, the US State Department offered a $10 million reward for information leading to the identification or location of key leaders of REvil, also known as the Sodinokibi organized crime group.

In mid-January, Russian state news agency TASS reported that at least eight REvil ransomware hackers had been detained by Russia’s Federal Security Service (FSB) at the request of the US.

They were facing charges of committing “illegal circulation of payments,” a crime punishable by up to seven years in prison, TASS reported, citing Moscow’s Tverskoi Court.

In March, Ukrainian national Yaroslav Vasinskyi, one of the chief suspects linked to an attack on US software vendor, Kaseya, was extradited from Poland to the US to face charges, according to a statement from the Justice Department.

Jeffrey Foster, associate professor in cyber security studies at Macquarie University, said there’s one major link between the REvil network and the group suspected of hacking the Medibank network.

“The biggest link is that the REvil dark web website now redirects to this website. So that’s the biggest link we have between them, and the only link we have between them,” said Foster, who is monitoring the blog where the group is posting their demands.

“As Russia has stated that they’ve arrested and disbanded REvil, it seems likely this is a case of maybe a former REvil member, who had access to the dark web website to be able to do the redirect which requires access to the hardware,” he said. “Whether or not REvil has returned, we don’t know.”

Medibank first detected unusual activity in its network almost a month ago. On October 20, the company issued a statement saying a “criminal” had stolen information from its ahm health insurance and international student systems, including names, addresses, phone numbers and some claims data for procedures and diagnoses.

An initial ransom demand was made for $10 million (15 million Australian dollars), but the company said after extensive consultation with cybercrime experts it had decided not to pay. It was later lowered to $9.7 million – one for every customer affected, according to Foster.

At the time, Medibank said there was only a “limited chance” that paying the ransom would stop the data being published or returned to the company.

In his statement on Friday, Kershaw, the AFP Commissioner, said Australian government policy did not condone paying ransoms to cyber criminals.

“Any ransom payment small or large fuels the cybercrime business model, putting other Australians at risk,” he said.

Kershaw said investigators at the Australian Interpol National Central Bureau would be talking with their Russian counterparts about the individuals, who he addressed directly with a threat to see them charged in Australia.

“To the criminals, we know who you are. And moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he said.

Earlier Friday, Australian Prime Minister Anthony Albanese said he was “disgusted” by the attacks and, without naming Russia, said the government of the country they come from should be held accountable.

“The nation where these attacks are coming from should also be held accountable for the disgusting attacks, and the release of information including very private and personal information,” Albanese said.

In a statement Friday, Medibank CEO David Koczkar said it was clear the criminal gang behind the breach was “enjoying the notoriety,” and it was likely they would release more information each day.

“The relentless nature of this tactic being used by the criminal is designed to cause distress and harm,” he said. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”


VMware bug with 9.8 severity rating exploited to install witch’s brew of malware

Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.

CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that carries a severity rating of 9.8 out of a possible 10. VMware disclosed and patched the vulnerability on April 6. Within 48 hours, hackers reverse-engineered the update and developed a working exploit that they then used to compromise servers that had yet to install the fix. VMware Workspace ONE Access helps administrators configure a suite of apps employees need in their work environments.

In August, researchers at Fortiguard Labs saw a sudden spike in exploit attempts and a major shift in tactics. Whereas before the hackers installed payloads that harvested passwords and collected other data, the new surge brought something else—specifically, ransomware known as RAR1ransom, a cryptocurrency miner known as GuardMiner, and Mirai, software that corrals Linux devices into a massive botnet for use in distributed denial-of-service attacks.


“Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it,” Fortiguard Labs researcher Cara Lin wrote. Attackers, she added, were using it to inject a payload and achieve remote code execution on servers running the product.

The Mirai sample Lin saw getting installed was downloaded from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64 and relied on a command and control server at “cnc[.]goodpackets[.]cc”. Besides delivering junk traffic used in DDoSes, the sample also attempted to infect other devices by guessing the administrative passwords they used. After decoding strings in the code, Lin recovered the list of credentials the malware tried.

In what appears to be a separate campaign, attackers also exploited CVE-2022-22954 to download a payload from 67[.]205[.]145[.]142. The payload included seven files:

  • phpupdate.exe: Xmrig Monero mining software
  • config.json: Configuration file for mining pools
  • networkmanager.exe: Executable used to scan for and spread the infection
  • phpguard.exe: Executable that acts as a guardian to keep the Xmrig miner running
  • init.ps1: Script that sustains persistence by creating a scheduled task
  • clean.bat: Script that removes other cryptominers from the compromised host
  • encrypt.exe: RAR1 ransomware

In the event RAR1ransom has never been installed before, the payload would first run the encrypt.exe executable file. The file drops the legitimate WinRAR data compression executable in a temporary Windows folder. The ransomware then uses WinRAR to compress user data into password-protected files.

The payload would then start the GuardMiner attack. GuardMiner is a cross-platform mining Trojan for the Monero currency. It has been active since 2020.

The attacks underscore the importance of installing security updates in a timely manner. Anyone who has yet to install VMware’s April 6 patch should do so at once.


How a Microsoft blunder opened millions of PCs to potent malware attacks


For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.

Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for “bring your own vulnerable driver”—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.

It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.

As attacks surge, Microsoft countermeasures languish

Drivers typically allow computers to work with printers, cameras, or other peripheral devices—or to do other things such as provide analytics about the functioning of computer hardware. For many drivers to work, they need a direct pipeline into the kernel, the core of an operating system where the most sensitive code resides. For this reason, Microsoft heavily fortifies the kernel and requires all drivers to be digitally signed with a certificate that verifies they have been inspected and come from a trusted source.

Even then, however, legitimate drivers sometimes contain memory corruption vulnerabilities or other serious flaws that, when exploited, allow hackers to funnel their malicious code directly into the kernel. Even after a developer patches the vulnerability, the old, buggy drivers remain excellent candidates for BYOVD attacks because they’re already signed. By adding this kind of driver to the execution flow of a malware attack, hackers can save weeks of development and testing time.

BYOVD has been a fact of life for at least a decade. Malware dubbed “Slingshot” employed BYOVD since at least 2012, and other early entrants to the BYOVD scene included LoJax, InvisiMole, and RobbinHood.

Over the past couple of years, we have seen a rash of new BYOVD attacks. One such attack late last year was carried out by the North Korean government-backed Lazarus group. It used a decommissioned Dell driver with a high-severity vulnerability to target an employee of an aerospace company in the Netherlands and a political journalist in Belgium.

In a separate BYOVD attack a few months ago, cybercriminals installed the BlackByte ransomware by installing and then exploiting a buggy driver for Micro-Star’s MSI AfterBurner 4.6.2.15658, a widely used graphics card overclocking utility.

In July, a ransomware threat group installed the driver mhyprot2.sys—a deprecated anti-cheat driver used by the wildly popular game Genshin Impact—during targeted attacks that went on to exploit a code execution vulnerability in the driver to burrow further into Windows.

A month earlier, criminals spreading the AvosLocker ransomware likewise abused the vulnerable Avast anti-rootkit driver aswarpot.sys to bypass virus scanning.

Entire blog posts have been devoted to enumerating the growing instances of BYOVD attacks, with this post from security firm Eclypsium and this one from ESET among the most notable.

Microsoft is acutely aware of the BYOVD threat and has been working on defenses to stop these attacks, mainly by creating mechanisms to stop Windows from loading signed-but-vulnerable drivers. The most common mechanism for driver blocking uses a combination of what’s called memory integrity and HVCI, short for Hypervisor-Protected Code Integrity. A separate mechanism for preventing bad drivers from being written to disk is known as ASR, or Attack Surface Reduction.

Unfortunately, neither approach seems to have worked as well as intended.
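Because the article’s point is that these defenses can be present on a machine yet not actually applied, the check a defender wants is whether each one is active on the host. The following is an added example, not code from the article or from Microsoft; it assumes Windows 10/11 with Microsoft Defender, an elevated shell, and that the vulnerable-driver blocklist registry value only exists on builds that expose the Windows Security toggle.

```powershell
# Added example (not from the article): report whether the BYOVD countermeasures
# named above are active on this host. Run from an elevated PowerShell.

# 1. Memory integrity (HVCI) is a virtualization-based security service. The
#    Win32_DeviceGuard class reports which VBS services are configured/running;
#    in SecurityServicesRunning, 1 = Credential Guard and 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = [int]$dg.VirtualizationBasedSecurityStatus -eq 2   # 2 = enabled and running
$hvciRunning = @($dg.SecurityServicesRunning) -contains 2

# 2. The Microsoft vulnerable driver blocklist toggle (Windows 11 22H2 and later).
#    Assumption: on older builds the value is absent, which is reported as such.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$blocklistState = if ($null -eq $blocklist) { 'not present on this build' } elseif ($blocklist -eq 1) { 'enabled' } else { 'disabled' }

# 3. Defender ASR rule "Block abuse of exploited vulnerable signed drivers".
#    Rule GUID as published in Microsoft's ASR rule reference; action codes are
#    0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$driverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$actionNames  = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$mp  = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids)
$ruleState = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $driverRuleId) {
        $code = [int]$mp.AttackSurfaceReductionRules_Actions[$i]
        $ruleState = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "action code $code" }
    }
}

# A host is only protected against BYOVD when HVCI is running AND the rule/blocklist
# are enforcing; "Audit" or "not configured" means drivers still load.
[PSCustomObject]@{
    VBSRunning                = $vbsRunning
    MemoryIntegrityHVCI       = $hvciRunning
    VulnerableDriverBlocklist = $blocklistState
    DefenderASRDriverRule     = $ruleState
} | Format-List
```

Anything other than HVCI running with the blocklist enabled and the ASR rule in Block mode leaves the host exposed to the technique the article describes.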


A Webb Telescope image is being used to push malware

One of the first images taken by the James Webb Telescope that was released by NASA was the “sharpest infrared image of the distant universe to date.” It’s a wondrous photo showing a detailed cluster of galaxies. It’s also currently being used by bad actors to infect systems with malware. Security analytics platform Securonix has identified a new malware campaign that uses the image, and the company is calling it the GO#WEBBFUSCATOR.

The attack starts with a phishing email containing a Microsoft Office attachment. Hidden within the document’s metadata is a URL that downloads a file containing a script, which runs if certain Word macros are enabled. That, in turn, downloads a copy of Webb’s First Deep Field photo (pictured above) that contains malicious code masquerading as a certificate. In its report about the campaign, the company said all anti-virus programs were unable to detect the malicious code in the image.

Securonix VP Augusto Barros told Popular Science that there are a couple of possible reasons why the bad actors chose to use the popular James Webb photo. One is that the high-resolution images NASA had released come in massive file sizes and can evade suspicion in that regard. Also, even if an anti-malware program flags it, reviewers might pass it over since it’s been widely shared online in the past couple of months. 

Another interesting thing of note about the campaign is that it uses Golang, Google’s open-source programming language, for its malware. Securonix says Golang-based malware is rising in popularity because it has flexible cross-platform support and is more difficult to analyze and reverse engineer than malware written in other programming languages. Like other malware campaigns that start with a phishing email, though, the best way to avoid becoming a victim of this attack is to avoid downloading attachments from untrusted sources.
