Hackers use fake ChatGPT apps to push Windows, Android malware

Threat actors are exploiting the popularity of OpenAI’s ChatGPT chatbot to distribute malware for Windows and Android, or direct unsuspecting victims to phishing pages.

ChatGPT gained immense traction since its launch in November 2022, becoming the most rapidly growing consumer application in modern history with more than 100 million users by January 2023. This massive popularity and rapid growth forced OpenAI to throttle the use of the tool and launched a $20/month paid tier (ChatGPT Plus) for individuals who want to use the chatbot with no availability restrictions.

The move created conditions for threat actors to take advantage of the tool’s popularity by promising uninterrupted and free-of-charge access to premium ChatGPT. The offers are false, and the goal is to lure users into installing malware or to provide account credentials. One such example used the domain “chat-gpt-pc.online” to infect visitors with the Redline info-stealing malware under the guise of a download for a ChatGPT Windows desktop client. That website was promoted by a Facebook page that used official ChatGPT logos to trick users into getting redirected to the malicious site. Other examples discovered included “chatgpt-go.online” which distributes malware that steals clipboard contents and the Aurora stealer, “chat-gpt-pc[.]online” which delivered Lumma stealer and “openai-pc-pro[.]online,” that drops an unknown malware family.

ChatGPT is exclusively an online-based tool available only at “chat.openai.com” and does not offer any mobile or desktop apps for any operating systems at the moment. Any other apps or sites claiming to be ChatGPT are fakes attempting to scam or infect with malware and should be considered at least suspicious and users should avoid them.

Source – https://www.bleepingcomputer.com/news/security/hackers-use-fake-chatgpt-apps-to-push-windows-android-malware/

New S1deload Stealer malware hijacks Youtube, Facebook accounts

An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency. The new malware has been dubbed S1deload Stealer due to its extensive use of DLL sideloading for evading detection. Between July and December 2022, more than 600 unique users were infected.

Victims are tricked into infecting themselves using social engineering and comments on FaceBook pages that push archives with adult themes (e.g., AlbumGirlSexy.zip, HDSexyGirl.zip, SexyGirlAlbum.zip, and more). If the user downloads one of the linked archives, they will instead get an executable signed with a valid Western Digital digital signature and a malicious DLL (WDSync.dll) containing the final payload. ​

Once installed on victims’ devices, S1deload Stealer can be instructed by its operators to perform one of several tasks after connecting to the command-and-control (C2) server. It can download and run additional components, including a headless Chrome web browser that runs in the background and emulates human behavior to artificially boost view counts on YouTube videos and Facebook posts. On other systems, it can also deploy a stealer that decrypts and exfiltrates saved credentials and cookies from the victim’s browser and the Login Data SQLite database or a cryptojacker that will mine BEAM cryptocurrency.

If it manages to steal a Facebook account, the malware will also attempt to estimate its actual value by leveraging the Facebook Graph API to find out if the victim is the admin of a Facebook page or group, if it pays for ads, or is linked to a business manager account. ​To avoid getting infected and having your social media accounts hijacked, you should never run executables from unknown sources and always keep your anti-malware software up to date.

Source – https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware-hijacks-youtube-facebook-accounts/

Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia

Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma. The activity, which has been ongoing since October 2022, relies exclusively on publicly available and living-off-the-land tools.

There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the group may be having an interest in industry verticals that are involved in COVID-19-related treatments or vaccines. The standout aspects of the campaign is the absence of data exfiltration and custom malware, with the threat actor employing open source tools for intelligence gathering. By using already available tools, the goal, it appears, is to not only confuse attribution efforts, but also to make the attacks stealthier.

The start of the infection chain is most likely a phishing message containing a resume-themed lure document that, when launched, grants initial access to the machine. From there, the attackers have been observed deploying a trove of tools like Fast Reverse Proxy (FRP), Meterpreter, Cobalt Strike Beacon, Fscan, BrowserGhost, and Gost proxy. The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks.

The abuse of FRP by hacking groups is well-documented. In October 2021, Positive Technologies disclosed attacks mounted by ChamelGang that involved using the tool to control compromised hosts. Then last September, AhnLab Security Emergency response Center (ASEC) uncovered attacks targeting South Korean companies that leveraged FRP to establish remote access from already compromised servers in order to conceal the adversary’s origins.

Hydrochasma is not the only threat actor in recent months to completely eschew bespoke malware. This includes a cybercrime group dubbed OPERA1ER (aka Bluebottle) that makes extensive use of living-off-the-land, dual-use tools, and commodity malware in intrusions aimed at Francophone countries in Africa.

Source – https://thehackernews.com/2023/02/hydrochasma-new-threat-actor-targets.html

Activision confirms data breach exposing employee and game info

Activision has confirmed that it suffered a data breach in early December 2022 after hackers gained access to the company’s internal systems by tricking an employee with an SMS phishing text. The video game maker says that the incident has not compromised game source code or player details.

“On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed,” a company spokesperson stated.

The threat actor did, however, exfiltrate sensitive workplace documents along with the content release schedule until November 17, 2023. Screenshots show that the hackers had gained access to the Slack account of an Activision employee on December 2 and tried to trick other employees into clicking malicious links.

Video game publication ‘Insider Gaming’ obtained and analysed the entire leak, reporting that the cache contains full names, email addresses, phone numbers, salaries, work locations, and other employee details. Moreover, the publication claims that the hacked employee was from the Human Resources department and had access to swaths of sensitive employee details.

‘Insider-Gaming’ has listed all the game title-related content revealed by this breach, which includes upcoming content bundles for the ‘Call of Duty Modern Warfare II’ franchise. Since the breach occurred in December 2022, some information obtained by Activision is likely to appear outdated now.

Source – https://www.bleepingcomputer.com/news/security/activision-confirms-data-breach-exposing-employee-and-game-info/

MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily

A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran.

New findings are currently seeing more than 50,000 unique infected systems every day, down from a high of 250,000 unique hosts in 2020. Furthermore, an analysis of MyloBot’s infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter.

MyloBot, which emerged on the threat landscape in 2017, was first documented in 2018, displaying its anti-analysis techniques and its ability to function as a downloader. MyloBot’s ability to download and execute any type of payload after it infects a host makes it very dangerous. This means at any time it could download any other type of malware the attacker desires. Last year, the malware was observed sending extortion emails from hacked endpoints as part of a financially motivated campaign seeking over $2,700 in Bitcoin.

MyloBot is known to employ a multi-stage sequence to unpack and launch the bot malware. Notably, it also sits idle for 14 days before attempting to contact the command-and-control (C2) server to sidestep detection. The primary function of the botnet is to establish a connection to a hard-coded C2 domain embedded within the malware and await further instructions. When Mylobot receives an instruction from the C2, it transforms the infected computer into a proxy. The infected machine will be able to handle many connections and relay traffic sent through the command-and-control server.

Subsequent iterations of the malware have leveraged a downloader that, in turn, contacts a C2 server, which responds with an encrypted message containing a link to retrieve the MyloBot payload. The evidence that MyloBot could be a part of something bigger stems from a reverse DNS lookup of one of the IP addresses associated with the botnet’s C2 infrastructure has revealed ties to a domain named “clients.bhproxies[.]com.”

Source – https://thehackernews.com/2023/02/mylobot-botnet-spreading-rapidly.html

Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed

Popular cryptocurrency exchange platform Coinbase disclosed that it experienced a cybersecurity attack that targeted its employees. The company said its “cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information.”

The incident, which took place on February 5, 2023, resulted in the exposure of a “limited amount of data” from its directory, including employee names, e-mail addresses, and some phone numbers. As part of the attack, several employees were targeted in an SMS phishing campaign urging them to sign in to their company accounts to read an important message. One employee is said to have fallen for the scam, who entered their username and password in a fake login page set up by the threat actors to harvest the credentials.

After logging in the employee is prompted to disregard the message and thanked for complying. What happened next was that the attacker made repeated attempts to gain remote access to Coinbase. These attempts to log in to the systems using the captured credentials proved to be unsuccessful owing to the multi-factor authentication protections that were enabled for the account.

Undeterred, the threat actor called the employee claiming to be from the Coinbase corporate Information Technology (IT) team and directed the individual to log into their workstation and follow a set of instructions. That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious.

The company said it was alerted within the first 10 minutes of the attack and that its incident responders reached out to the victim to inquire about the suspicious activity from their account, prompting the person to sever all communications with the adversary.

Coinbase did not elaborate on the exact instructions the threat actor gave to the employee, but urged other companies to be on the lookout for potential attempts to install remote desktop software such as AnyDesk or ISL Online as well as a legitimate Google Chrome extension called EditThisCookie.

It also warned of incoming phone calls and text messages from specific providers like Google Voice, Skype, Vonage/Nexmo, and Bandwidth. Coinbase further noted that the attack is likely linked to the sophisticated phishing campaign known as 0ktapus (aka Scatter Swine) that targeted over 130 companies, including Twilio, Cloudflare, MailChimp, and Signal, among others, last year.

Source – https://thehackernews.com/2023/02/coinbase-employee-falls-for-sms-scam-in.html

New Stealc malware emerges with a wide set of stealing capabilities

A new information stealer called Stealc has emerged on the dark web gaining traction due to aggressive promotion of stealing capabilities and similarities with malware of the same kind like Vidar, Raccoon, Mars, and Redline. The new strain was identified in January and started to gain traction in early February.

Stealc has been advertised on hacking forums by a user called “Plymouth,” who presented the malware as a piece of malware with extensive data-stealing capabilities and an easy-to-use administration panel. According to the advertiser, apart from the typical targeting of web browser data, extensions, and cryptocurrency wallets, Stealc also has a customisable file grabber that can be set to target whatever file types the operator wishes to steal.

After the initial post, Plymouth started to promote the malware on other hacking forums and on private Telegram channels, offering test samples to potential customers. The seller also set up a Telegram channel dedicated to publishing Stealc’s new version changelogs, the most recent being v1.3.0, released on February 11, 2023. The malware is actively developed, and a new version appears on the channel every week. Plymouth also said that Stealc was not developed from scratch but instead relied on Vidar, Raccoon, Mars and Redline stealers.

One commonality found between Stealc and Vidar, Raccoon and Mars infostealers is that they all download legitimate third-party DLLs (e.g. sqlite3.dll, nss3.dll) to help with pilfering sensitive data. More than 40 C2 servers for Stealc were discovered and several dozens of samples in the wild, indicating that the new malware has attracted the interest of the cybercriminal community. This popularity may be accounted for by the fact that customers with access to the administration panel can generate new stealer samples, which increases the chances of the malware leaking to a broader audience.

Stealc has added new features since its first release in January, including a system to randomise C2 URLs, a better logs (stolen files) searching and sorting system, and an exclusion for victims in Ukraine.

Some of the features include the following:

● Lightweight build of only 80KB

● Use of legitimate third-party DLLs

● Written in C and abusing Windows API functions

● Most strings are obfuscated with RC4 and base64

● The malware exfiltrates stolen data automatically

● It targets 22 web browsers, 75 plugins, and 25 desktop wallets

When deployed, the malware deobfuscates its strings and performs anti-analysis checks to ensure it doesn’t run in a virtual environment or sandbox. Next, it dynamically loads WinAPI functions and initiates communication with the C2 server, sending the victim’s hardware identifier and build name in the first message, and receiving a configuration in response. Stealc then collects data from the targeted browsers, extensions, and apps, and also executes its custom file grabber if active, and finally exfiltrates everything to the C2. Once this step is over, the malware removes itself and the downloaded DLL files from the compromised host to wipe the traces of the infection.

One distribution method observed is via YouTube videos describing how to install cracked software and linking to a download website. The software download embeds the Stealc info stealer. Once the installer is executed, the malware begins its routine and communicates with its server.

Source – https://www.bleepingcomputer.com/news/security/new-stealc-malware-emerges-with-a-wide-set-of-stealing-capabilities/

GoDaddy Discloses Multi-Year Security Breach Causing Malware Installations and Source Code Theft

Web hosting services provider GoDaddy on Friday disclosed a multi-year security breach that enabled unknown threat actors to install malware and siphon source code related to some of its services. The company attributed the campaign to a sophisticated and organised group targeting hosting services.

GoDaddy said in December 2022, it received an unspecified number of customer complaints about their websites getting sporadically redirected to malicious sites, which it later found was due to the unauthorised third party gaining access to servers hosted in its cPanel environment. The threat actor installed malware causing the intermittent redirection of customer websites.

The ultimate objective of the intrusions, GoDaddy said, is to “infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.” In a related 10-K filing with the U.S. Securities and Exchange Commission (SEC), the company said the December 2022 incident is connected to two other security events it encountered in March 2020 and November 2021.

The 2020 breach entailed the compromise of hosting login credentials of about 28,000 hosting customers and a small number of its personnel. Then in 2021, GoDaddy said a rogue actor used a compromised password to access a provisioning system in its legacy code base for Managed WordPress (MWP), affecting close to 1.2 million active and inactive MWP customers across multiple GoDaddy brands.

Source – https://thehackernews.com/2023/02/godaddy-discloses-multi-year-security.html

New WhiskerSpy malware delivered via trojanized codec installer

A new backdoor called WhiskerSpy has been discovered being used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea.

The actor used a tried and tested method and picked victims from visitors to a pro North Korea website, a tactic known as a watering hole attack. The new operation was discovered at the end of last year after Earth Kitsune activity had been tracked since 2019.

WhiskerSpy was delivered when visitors tried to watch videos on the website. The attacker compromised the website and injected a malicious script that asked the victim to install a video codec for the media to run. To avoid suspicions, the threat actor modified a legitimate codec installer so that it ultimately loaded “a previously unseen backdoor” on the victim’s system.

The threat actor targeted only visitors to the website with IP addresses from Shenyang, China; Nagoya, Japan; and Brazil. It is likely that Brazil was used only for testing the watering hole attack using a VPN connection and the real targets were visitors from the two cities in China and Japan. Relevant victims would be served the fake error message below that prompts them to install a codec to watch the video.

In reality, the codec is an MSI executable that installs on the victim’s computer shellcode that triggers a series PowerShell commands that lead to deploying the WhiskerSpy backdoor. One persistence technique that Earth Kitsune used in this campaign abuses the native messaging host in Google Chrome and installs a malicious Google Chrome extension called Google Chrome Helper. The role of the extension is to allow execution of the payload every time the browser starts. The other method to achieve persistence is by leveraging OneDrive side-loading vulnerabilities that allow dropping a malicious file (fake “vcruntime140.dll”) in the OneDrive directory.

WhiskerSpy is the main payload used in the latest ‘Earth Kitsune’ campaign, giving remote operators the following capabilities:

● Interactive shell

● Download file

● Upload File

● Delete file

● List Files

● Take screenshot

● Load executable and call its export

● Inject shellcode into a process

The backdoor communicates with the command and control (C2) server using a 16-byte AES key for encryption. WhiskerSpy periodically connects to the C2 for updates about its status and the server may respond with instructions for the malware, such as execute shell commands, inject code to another process, exfiltrate specific files, take screenshots.

An earlier version of WhiskerSpy was also discovered that use the FTP protocol instead of HTTP for C2 communication. This older variant also checks for the presence of a debugger upon execution and informs the C2 with the appropriate status code.

Source – https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-delivered-via-trojanized-codec-installer/

Atlassian Investigating Security Breach After Hackers Leak Data

Enterprise software giant Atlassian launched an investigation after a hacker group leaked information belonging to the company.  A threat actor named SiegedSec, whose members have claimed to be hacktivists, announced on its Telegram channel and hacking forums that it “hacked the software company Atlassian”.

They made 35 Mb of files public. This includes two image files apparently storing floor plans of Atlassian buildings in San Francisco and Sydney, and one file allegedly containing the information of 13,000 Atlassian employees, including names, email addresses, and phone numbers.

Initially it appeared that the data stolen by the hackers was associated with workplace platform Envoy, which the software giant uses to coordinate in-office resources. Atlassian pointed out that product and customer data was not at risk as it’s not accessible through the Envoy application.

Following collaboration between the two organisations to identify the source of the data compromise. Evidence was found in the logs of requests confirming the hackers obtained valid user credentials from an Atlassian employee account and used that access to download the affected data from Envoy’s app. Envoy’s systems were not compromised or breached and no other customer’s data was accessed.

In addition, Atlassian explained that the credentials abused by the hackers were obtained from a public repository, where they had been mistakenly posted.

SiegedSec has been around since February 2022, targeting dozens of organisations around the world. The hackers have defaced websites, hijacked online accounts, and leaked data allegedly stolen from victims. It’s not uncommon for hacker groups like SiegedSec to make exaggerated claims about their attacks.

Source – https://www.securityweek.com/atlassian-investigating-security-breach-after-hackers-leak-data/

New Mirai Botnet Variant ‘V3G4’ Exploiting 13 Flaws to Target Linux and IoT Devices

A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G, with three different campaigns likely conducted by the same threat actor.

Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet. The threat actor has the capability to utilise those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks. The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponising as many as 13 flaws that could lead to remote code execution (RCE).

Some of the notable flaws relate to critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geutebruck IP cameras, among others. The oldest flaw in the list is CVE-2012-4869, an RCE bug in FreePBX. Following a successful compromise, the botnet payload is retrieved from a remote server using the wget and cURL utilities.

The botnet, in addition to checking if it’s already running on the infected machine, also takes steps to terminate other competing botnets such as Mozi, Okami, and Yakuza. V3G4 further packs a set of default or weak login credentials that it uses to carry out brute-force attacks through Telnet/SSH and proliferate to other machines. It also establishes contact with a command-and-control server to await commands for launching DDoS attacks against targets via UDP, TCP, and HTTP protocols.

To stave off such attacks, it’s recommended that users apply necessary patches and updates as and when they become applicable, and secure the devices with strong passwords.

Source – https://thehackernews.com/2023/02/new-mirai-botnet-variant-v3g4.html

Smarttech247