Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, malware)
Aqua Nautilus researchers shed light on a Linux malware, dubbed perfctl, that has targeted misconfigured Linux servers over the past 3-4 years.
The malicious code was used to drop cryptocurrency miners and proxyjacking software.
Perfctl is an elusive and persistent malware targeting Linux servers. It employs rootkits to conceal its presence and halts any “noisy” activities when a new user logs in, lying dormant until the server is idle again. For communication, it uses a Unix socket internally and TOR externally. Upon execution, perfctl deletes its binary and operates in the background as a service.
Despite the malware’s primary goal being to run cryptominers, experts warn that it also executes proxyjacking software. In one sandbox test, a threat actor accessed the malware’s backdoor for reconnaissance purposes. The attackers analyzed the server and deployed utilities to investigate its environment and better understand how their malware was being studied.
Once the attackers have exploited a vulnerability or misconfiguration, the perfctl malware downloads the main payload from an attacker-controlled HTTP server. The payload employs multiple layers to ensure persistence and evade detection. It moves itself to the /tmp directory, renames itself after the process that executed it (e.g., sh), and deletes the original binary to cover its tracks. The malware acts as both a dropper and a local command-and-control (C2) process, attempting to exploit the Polkit vulnerability for root access.
The malicious code copies itself to various disk locations using deceptive names and establishes a backdoor on the server for TOR communications.
The malware drops a rootkit alongside modified Linux utilities (e.g., ldd, lsof) that function as user-land rootkits.
The Linux malware is packed and encrypted to evade detection. It uses advanced evasion techniques, such as halting activity when it detects new users, and it can also terminate competing malware to maintain exclusive access to the infected system.
“As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.” reads the report. “All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.”
To maintain persistence, the attacker modifies the ~/.profile script to execute the malware upon user login, checking whether /root/.config/cron/perfcc is executable. If so, the malware runs before the legitimate server workload. The script also sources the ~/.bashrc file in Bash environments so that the server keeps operating normally while the malware works in the background, and it suppresses errors to avoid warnings.
A small binary called wizlmsh (12 KB) is dropped into /usr/bin, where it runs in the background to ensure the persistence of the perfctl malware and verifies that the main payload (httpd) is executing.
“The main impact of the attack is resource hijacking. In all cases we observed a monero cryptominer (XMRIG) executed and exhausting the server’s CPU resources. The cryptominer is also packed and encrypted. Once unpacked and decrypted it communicates with cryptomining pools.” concludes the report. “To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server,” the researchers said. “These may indicate crypto mining activities, especially during idle times.”
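The persistence traits described above (a login script that launches a hidden binary, a watchdog dropped into /usr/bin, a payload that deletes its own binary and runs from /tmp) translate directly into host checks. The script below is an added example, not Aqua Nautilus tooling: it scans a login script for the reported artefact names, flags processes whose /proc/<pid>/exe link carries the kernel's " (deleted)" suffix or points under /tmp, and lists which of the reported drop paths exist. The sample profile and process table are constructed fixtures; the names perfcc, wizlmsh and httpd and the /tmp location are the ones the write-up reports.

```python
"""Host checks for the perfctl persistence traits described in the write-up.
Added example, not Aqua Nautilus tooling; SAMPLE_PROFILE and SAMPLE_PROC
below are constructed fixtures."""
import os
import re

# Names and paths are those reported for perfctl (perfcc, wizlmsh, httpd, /tmp).
PROFILE_PATTERNS = [
    re.compile(r"/root/\.config/cron/perfcc"),
    re.compile(r"\bperfc(?:c|tl)\b"),
    re.compile(r"\bwizlmsh\b"),
]
DROPPED_PATHS = ["/usr/bin/wizlmsh", "/root/.config/cron/perfcc"]


def scan_login_script(text):
    """Return (line_no, line) for lines of a ~/.profile or ~/.bashrc that
    reference perfctl artefacts."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in PROFILE_PATTERNS):
            hits.append((no, line.strip()))
    return hits


def flag_processes(entries):
    """entries: iterable of (pid, comm, exe_target) as read from /proc/<pid>.
    The kernel appends ' (deleted)' to the exe link when the binary was
    unlinked after exec, which is what a self-deleting payload leaves behind;
    a daemon-like name running from /tmp is the second reported trait."""
    flagged = []
    for pid, comm, exe in entries:
        reasons = []
        if exe.endswith(" (deleted)"):
            reasons.append("binary deleted after exec")
        if exe.startswith("/tmp/"):
            reasons.append("executable under /tmp")
        if reasons:
            flagged.append((pid, comm, exe, reasons))
    return flagged


def read_proc(proc_root="/proc"):
    """Collect (pid, comm, exe_target) from a procfs tree (root is needed to
    read other users' exe links); unreadable entries are skipped."""
    out = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        out.append((int(name), comm, exe))
    return out


def existing_dropped_paths(paths=DROPPED_PATHS):
    """Return which of the reported drop locations exist on this host."""
    return [p for p in paths if os.path.exists(p)]


# Constructed fixtures: a login script with one injected line, and a process
# table with a self-deleted 'sh' and an 'httpd' running from /tmp.
SAMPLE_PROFILE = """# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then . "$HOME/.bashrc"; fi
[ -x /root/.config/cron/perfcc ] && /root/.config/cron/perfcc 2>/dev/null
PATH="$HOME/bin:$PATH"
"""
SAMPLE_PROC = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (900, "sshd", "/usr/sbin/sshd"),
    (4242, "sh", "/tmp/sh (deleted)"),
    (4300, "httpd", "/tmp/httpd"),
]

if __name__ == "__main__":
    for no, line in scan_login_script(SAMPLE_PROFILE):
        print(f"profile line {no}: {line}")
    for pid, comm, exe, reasons in flag_processes(SAMPLE_PROC):
        print(f"pid {pid} ({comm}) {exe}: {', '.join(reasons)}")
    # On a live host: flag_processes(read_proc()) and existing_dropped_paths()
```

On a live host, run it as root so every /proc/<pid>/exe link is readable, and treat a "(deleted)" hit on a process named after a shell or a web server as worth a memory capture rather than a kill, since the on-disk binary is already gone.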
(SecurityAffairs – hacking, Linux)

Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months.
The flaw is an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this issue by sending a crafted XML document that references external entities. The experts pointed out that the exploitation of this issue does not require user interaction. The flaw impacts Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. Adobe warned that it is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog in July 2024.
According to Sansec, CosmicSting (CVE-2024-34102) is the most severe bug impacting Magento and Adobe Commerce stores in two years, with hacks occurring at a rate of 3 to 5 per hour. Merchants are urged to implement countermeasures immediately.
An attacker can also chain the flaw with the vulnerability CVE-2024-2961 to run arbitrary code on the underlying server and install backdoors.
“CosmicSting targets a critical bug in the Adobe Commerce and Magento platforms. Bad actors use it to read any of your files, such as passwords and other secrets. The typical attack strategy is to steal your secret crypt key from app/etc/env.php and use that to modify your CMS blocks via the Magento API. Then, attackers inject malicious Javascript to steal your customer’s data.” reads the advisory published by Sansec. “Combined with another bug (CVE-2024-2961), attackers can also run code directly on your servers and use that to install backdoors.”
The exploitation has a severe impact on e-commerce: the researchers reported that cybercriminals have hacked 5% of all Adobe Commerce and Magento stores this summer. The attackers also compromised the e-stores of major organizations, including Ray-Ban, National Geographic, Cisco, Whirlpool and Segway. Sansec experts reported that at least seven distinct groups are exploiting the CosmicSting vulnerability to deploy e-skimmers on victim stores.
“Sansec research shows that seven different groups have been hacking into 4275 online stores since the publication of CVE-2024-34102 (also known as CosmicSting) on June 11th. Despite ongoing warnings, five percent of Adobe Commerce and Magento stores ended up with a payment skimmer on their checkout page this summer.” reports Sansec.
Threat groups exploiting this vulnerability include Bobry, Polyovki (infecting over 650 stores), Surki, Burunduki, Ondatry, Khomyaki, and Belki. The Ondatry group compromised over 4,000 e-stores in 2022 using the TrojanOrder vulnerability, but they have now switched to CosmicSting.
Adobe issued a critical severity rating on July 8th after automated attacks began, stealing thousands of cryptographic keys. However, the experts noticed that updating systems didn’t automatically invalidate old keys, leaving stores vulnerable. Adobe provided instructions to remove old keys, but not all merchants followed them.
“Each group uses CosmicSting attacks to steal secret Magento cryptographic keys.” continues Sansec. “This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process through “CMS blocks”.”
Administrators of Adobe Commerce and Magento e-stores are recommended to upgrade their installations as soon as possible.
(SecurityAffairs – hacking, CVE-2024-34102)

Researchers at Recorded Future’s Insikt Group have documented the evolution of the Rhadamanthys information stealer. The malware was first identified in 2022 and has since been upgraded with advanced features; the latest version, 0.7.0, introduces AI-driven capabilities for extracting cryptocurrency seed phrases from images.
The infostealer can steal credentials, system information, and financial data from infected systems, and it supports sophisticated evasion techniques, including disguising itself as an MSI installer. Threat actors offer the malware for sale on underground forums; however, they ban customers from targeting specific regions.
The latest version of the Rhadamanthys information stealer uses artificial intelligence (AI) for optical character recognition (OCR) to support “Seed Phrase Image Recognition.”
“This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies.” reads the report published by Recorded Future’s Insikt Group. “The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation.”
The malware is developed by a threat actor known as “kingcrete2022ˮ that advertises the info stealer on multiple hacking forums, including XSS, Exploit, Best Dark, Opencard, and Center-Club. The malware allows operators to harvest a broad range of information, including system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications.
The subscription fee is $250 per month, or $550 for 90 days.
Version 0.6.0 was released in February 2024, while latest version 0.7.0 of Rhadamanthys was released in June 2024.
“Version 0.7.0, the most recent version, includes a complete rewrite of both client-side and server-side frameworks, improving the program’s execution stability. Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases.” reads the report. “Bugs and issues from the previous version were resolved. The Telegram module was rewritten to support HTML formatting and multi-token polling, while the synchronization module now includes file transfer protocol (FTP) support for remote log transfers. The search filter module has been rewritten, and an application programming interface (API) interface with an open platform has been introduced.”
The Rhadamanthys malware infection chain remains unchanged across the various versions. The three stages composing the attack chain:
Rhadamanthys uses mutex objects to ensure only one instance runs on an infected host at a time, utilizing specific bytes for mutex creation.
“Knowing the mutex values and that Rhadamanthys will terminate if they are present enables the creation of a killswitch/vaccine.” continues the report.
Rhadamanthys has enhanced its functionality by implementing additional plugins, starting from version 0.5.0 and expanding in subsequent updates. The experts identify four main plugins: a Keylogger, DataSpyer, Clipper, and Reversed Proxy. In version 0.5.0, these plugins were implemented as .NET assemblies loaded through the loader.dll file responsible for managing .NET assemblies. With the release of version 0.7.0, the plugin system was updated: the plugins are now packaged in ZIP files containing two components, classes.dex and manifest.json, which resemble the structure of an Android Package Kit (APK), although they are not actual APKs.
The report includes Tactics, Techniques, and Procedures (TTPs) associated with this threat.
(SecurityAffairs – hacking, Zimbra)

Europol and the UK and US law enforcement authorities announced a new operation against the LockBit ransomware gang. Police arrested an alleged LockBit developer, at France’s request, while vacationing outside Russia, and two individuals in the UK for supporting a LockBit affiliate. In Spain, the local police arrested the administrator of a bulletproof hosting service and seized nine servers belonging to the group’s infrastructure.
“Europol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and led to four arrests and seizures of servers critical for LockBit’s infrastructure.” reads the press release published by Europol. “A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate.”
The arrests and sanctions are part of the third phase of the law enforcement operation code-named conducted by law enforcement bodies from 12 countries, Europol, and Eurojust. The operation aims at dismantling the LockBit ransomware group. This follows the in February 2024 and further actions against its administrators in May and beyond.
Europol, the UK and the US published press releases on the former Tor leak site used by the ransomware gang.
Australia, the UK, and the US imposed sanctions on a key LockBit affiliate who is linked to the cybercrime group Evil Corp.
“Aleksandr Ryzhenkov DOB 26/05/1993 has been unmasked by the NCA as the specific member of Evil Corp who is a LockBit affiliate. Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least $100 million from victims in ransom demands. Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors).” reads the NCA’s announcement.
The UK also sanctioned 15 Russian citizens for ties to Evil Corp, while the US authorities sanctioned six, and Australia sanctioned two.
The LockBit gang has been active since 2019; its long list of victims includes major organizations such as , and the . Over the years, law enforcement has arrested multiple individuals involved in the gang’s operation, including , , and .
Astamirov was arrested in Arizona in June 2023 and . Vasiliev, who was extradited to the United States in June, has already been .
(SecurityAffairs – hacking, Europol)

On September 27, 2024, US healthcare provider UMC Health System announced an investigation into an IT outage across its network. UMC diverted patients for several days after taking IT systems offline following a ransomware attack.
“However, out of an abundance of caution, we will continue to temporarily divert incoming emergency and non-emergency patients via ambulance to nearby health facilities until this issue is resolved. We are making accommodations wherever possible to minimize any disruption to our patients and our critical services.” . “Our investigation into this incident remains ongoing and will take time to complete. In the meantime, we are standing up this dedicated webpage to provide the latest information. We will continue to provide updates via this site as services are restored and additional information becomes available.”
UMC Health System is a healthcare provider based in Lubbock, Texas. It operates University Medical Center, a major teaching hospital affiliated with Texas Tech University Health Sciences Center. UMC Health System provides a wide range of medical services, including emergency care, specialized surgeries, and comprehensive treatment programs. It serves as a regional medical center, offering both inpatient and outpatient care, and is known for its trauma center and advanced healthcare technologies.
The company announced that the healthcare facilities remain open across all access points, including Emergency Centers and Urgent Care Clinics. UMC Clinics also remained open.
The company launched an investigation into the security breach with the help of third-party cybersecurity experts. The hospital disconnected its systems from the Internet to contain the threat.
By Monday, the hospital restored some systems and services, but a few patients were still being diverted.
“Third parties that have helped other hospitals address similar issues have been engaged to assist in our response and investigation. Our teams are working around the clock to safely restore systems as quickly as possible.” concludes the notice.
“We appreciate your patience. It remains our mission and our goal to ensure our patients continue to receive the best care.”
The company did not provide details about the attack, such as the family of ransomware that hit the hospital. It’s unclear whether threat actors exfiltrated patients’ data during the attack.
Healthcare infrastructure in the US continues to be under attack. In July, the LockBit ransomware gang claimed the hack of the Fairfield Memorial Hospital in Illinois. Unfortunately, the ransomware group claimed the hack of other hospitals in the same period. The extortion group also claimed the hack of the Merryman House Domestic Crisis Center and the Florida Department of Health.
In February the . The security incident severely impacted normal operations also causing the delay of medical care.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
(SecurityAffairs – hacking, UMC)

Patelco Credit Union is a member-owned, not-for-profit credit union that serves Northern California, particularly the San Francisco Bay Area. Founded in 1936, it is one of the oldest and largest credit unions in the country. With more than $9 billion in assets, it is the 22nd-largest credit union in the country.
At the end of June, the American credit union Patelco Credit Union shut down several of its banking systems to contain a ransomware attack.
The credit union investigated the security breach and discovered that threat actors first gained access to its systems on May 23, 2024, and exfiltrated a database containing personal information.
The company initially reported to the Maine Attorney General’s Office that the security breach impacted 726,000 customers and employees. The company offered impacted individuals two years of free identity protection services.
Patelco Credit Union has now provided an update on the incident, reporting that the data breach impacted 1,009,472 people following the July ransomware attack.
“Following the investigation and a thorough review of the data involved, we confirmed on August 14, 2024, that the accessed databases contained your personal information. Although the investigation identified unauthorized access to some of our databases, the specific data that was accessed has not been determined.” reads the notification letter sent to the impacted individuals. “Accordingly, we are notifying individuals whose information was in those databases. The information in the accessed databases included first and last name with Social Security number, Driver’s License number, date of birth, and/or email address. Not every data element was present for every individual.”
Patelco did not reveal the ransomware group that breached its systems; however, the RansomHub group added Patelco Credit Union to its Tor leak site in August.
“We conducted negotiations for up to 2 weeks, and unfortunately we were unable to reach an agreement. The company’s management doesn’t care about the privacy of customers at all. We auction the sensitive data extracted from their network. We will update the data sample in the next few days,” wrote the ransomware gang on its leak site.
(SecurityAffairs – hacking, ransomware)

In May, the Community Clinic of Maui disclosed an incident that impacted thousands of patients following a cyber attack. In June, the LockBit gang took credit for the attack.
The Community Clinic of Maui, also known as Mālama I Ke Ola Health Center, is a nonprofit healthcare organization dedicated to serving the Maui community. The clinic provides a range of services including primary care, dental care, and mental health support. The clinic operates with a mission to deliver culturally sensitive healthcare, emphasizing education, prevention, and advocacy regardless of patients’ ability to pay.
The cyber attack impacted the systems at the health center in Wailuku for more than two weeks.
Mālama investigated the security breach with external cybersecurity professionals, and on August 7, 2024, the experts determined that personal data may ‘have been subject to unauthorized access and acquisition between May 4, 2024 and May 7, 2024.’
The Community Clinic of Maui now discloses a data breach following the LockBit ransomware attack.
“The personal information that was potentially impacted included first and last names with one or more of the following identifiers: Social Security Number, Date Of Birth, Driver’s License Number / State Id Number, Passport Number, Financial Account Number, Routing Number, Bank Name, Credit / Debit Card Number, Card CVV Expiration Date, Pin/Security Code, Login Information, Medical Diagnosis, Clinical Information, Medical Treatment/Procedure Information, Treatment Type, Treatment Location, Treatment Cost Information, Doctor’s Name, Medical Record Number, Patient Account Number, Prescription Information and/ or Biometric Data. Mālama has no evidence that any personal information has been or will be misused for identity theft as a direct result of this incident.” reads the notice published by Malama.
Starting on September 26, 2024, Mālama notified affected individuals and offered complimentary credit monitoring to those whose Social Security numbers were potentially exposed.
“On May 7, 2024, Malama experienced a cybersecurity incident that impacted connectivity to our network.” reads the notification letter shared with the Maine Attorney General. “Upon learning of this issue, we immediately commenced a prompt and thorough investigation. We also notified law enforcement. As part of our investigation, we have been working very closely with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and comprehensive document review, on August 7, 2024, we determined your personal data may have been subject to unauthorized access and acquisition between May 4, 2024 and May 7, 2024.”
The Community Clinic of Maui is unaware of any misuse of the compromised data.
In July, the LockBit ransomware gang claimed the hack of the Fairfield Memorial Hospital in Illinois. Unfortunately, the ransomware group claimed the hack of other hospitals in the same period. The extortion group also claimed the hack of the Merryman House Domestic Crisis Center and the Florida Department of Health.
Healthcare infrastructure in the US continues to be under attack. In February the . The security incident severely impacted normal operations, also causing delays in medical care.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
In early November 2023, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limited the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.
The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas.
In November 2023, the Lorenz extortion group .
Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.
(SecurityAffairs – hacking, Lockbit ransomware)

Researchers from Kaspersky discovered a new version of the Necro Trojan in multiple apps uploaded to the Google Play store. The malware was hidden in popular applications and game mods.
Kaspersky researchers first spotted the Necro Trojan in 2019, when the malicious code was found in the free version of the popular PDF creator application CamScanner.
The new version of the Necro loader infected both apps in Google Play and modified versions of Spotify, Minecraft, and other popular applications in unofficial sources.
The new version of the Necro loader uses obfuscation and steganography techniques to evade detection. It can perform various malicious actions, including displaying ads in invisible windows, downloading and executing DEX files, installing applications, opening links in hidden WebView windows, executing JavaScript, and creating tunnels through the victim’s device. The malicious code can also potentially subscribe to paid services.
According to the experts, the malicious apps in the Google Play Store have been downloaded 11 million times (Wuta Camera 10+ million downloads, Max Browser 1+ million downloads). The actual number of infected devices could be higher due to Necro’s spread through unofficial app sources.
“The new version of the Necro Trojan has infected various popular applications, including game mods, with some of them being available on Google Play at the time of writing this report.” reads the report published by Kaspersky. “The combined audience of the latter exceeds 11 million Android devices.”
The researchers believe that the malware found its way to the Play Store through a tainted software developer kit (SDK) used to integrate advertising capabilities into the apps.
Necro malware is primarily delivered through modded versions of popular apps and games available on unofficial sites and app stores. These apps activate the Coral SDK, which sends an encrypted POST request to a command-and-control (C2) server, containing details about the compromised device and the host app. The C2 server responds with a JSON file that includes a link to a PNG image file and metadata like MD5 and version info. This PNG file contains a payload hidden via steganography. The SDK extracts the main payload, a Base64-encoded Java archive (JAR) file, from the image.
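The delivery chain above hands a defender three things to check on an image an SDK fetched: whether the file is structurally a plain PNG, whether anything rides inside or after it, and whether its hash matches what the C2 metadata claimed. The script below is an added example, not Kaspersky tooling. The report does not say where in the image the payload is placed, so the two placements it looks for (bytes appended after the IEND chunk and chunk types outside the PNG specification) are assumptions; the test images and the embedded archive are constructed here, and a JAR is checked for only as a ZIP local-file header.

```python
"""Triage a PNG fetched by an ad SDK: walk the chunk list, flag chunk types
outside the PNG specification, bad CRCs and bytes appended after IEND, and
test whether an appended blob base64-decodes to a ZIP (a JAR is a ZIP).
Added example, not Kaspersky tooling; the PNGs and archive are constructed."""
import base64
import hashlib
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def walk_png(data):
    """Return ([(type, body, crc_ok), ...], offset just past the last chunk).
    Stops at IEND or at the first truncated chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    chunks, off = [], len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 12 + length
        if end > len(data):            # truncated chunk: keep what we have
            break
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype, body, crc_ok))
        off = end
        if ctype == b"IEND":
            break
    return chunks, off


def decodes_to_zip(blob):
    """True if blob is strict base64 whose decoded bytes start with a ZIP
    local-file header (the container a JAR uses)."""
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return False
    return raw.startswith(b"PK\x03\x04")


def triage_png(data, expected_md5=None):
    """Summarise the image's structure; expected_md5 is the hash the C2
    metadata claimed for it, when known."""
    chunks, end = walk_png(data)
    trailing = data[end:]
    names = [c[0].decode("latin-1") for c in chunks]
    report = {
        "chunk_types": names,
        "nonstandard_chunks": sorted({n for c, n in zip(chunks, names)
                                      if c[0] not in STANDARD_CHUNKS}),
        "crc_failures": [n for c, n in zip(chunks, names) if not c[2]],
        "has_iend": any(c[0] == b"IEND" for c in chunks),
        "trailing_bytes": len(trailing),
        "trailing_is_b64_zip": bool(trailing) and decodes_to_zip(trailing),
        "md5": hashlib.md5(data).hexdigest(),
    }
    if expected_md5 is not None:
        report["md5_matches_metadata"] = report["md5"] == expected_md5.lower()
    report["suspicious"] = bool(report["nonstandard_chunks"] or report["crc_failures"]
                                or report["trailing_is_b64_zip"] or not report["has_iend"])
    return report


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_clean_png():
    """Constructed 1x1 RGB image with only IHDR/IDAT/IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_suspect_png():
    """Constructed stand-in: the clean image with a base64 ZIP appended after IEND."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("classes.dex", b"constructed placeholder, not bytecode")
    return build_clean_png() + base64.b64encode(buf.getvalue())


CLEAN_PNG = build_clean_png()
SUSPECT_PNG = build_suspect_png()

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        print(label, triage_png(img))
```

A CRC failure on an otherwise well-formed chunk is itself a signal: image decoders tolerate it, so a writer that edits pixel or chunk bytes without recomputing the CRC leaves exactly this trace.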
Necro has a modular structure: plugins downloaded from the C2 server allow it to support multiple capabilities, including:
The analysis of Happy SDK likely revealed a different variant of Necro that doesn’t have a modular architecture.
This indicates that Necro is highly adaptable, and capable of downloading new iterations of itself, potentially adding new features.
Between August 26th and September 15th, security solutions blocked over 10,000 Necro attacks globally, with most of the infections in Russia, Brazil, and Vietnam.
“The Necro Trojan has once again managed to attack tens of thousands of devices worldwide. This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection.” concludes the report. “The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application.”
(SecurityAffairs – hacking, malware)

ThreatFabric researchers discovered a new version of the Android banking trojan Octo, called Octo2, that supports more advanced remote action capabilities needed for Device Takeover attacks.
The new malware has already targeted users in European countries, including Italy, Poland, Moldova, and Hungary.
Octo2 is linked to the malware, first identified in 2016, which also gave rise to another variant called in 2021.
In 2024, Octo’s source code was leaked online, allowing other threat actors to create their own versions. This leak likely prompted the original threat actor to release a new version, Octo2.
Over the years, Octo malware campaigns targeted regions worldwide, including Europe, the USA, Canada, the Middle East, Singapore, and Australia. Octo operates as Malware-as-a-Service, and its new version, Octo2, is being offered to existing users at the same price with early access. The researchers believe that many threat actors using Octo1 will switch to Octo2, expanding its global reach. Research indicates that Octo2 can block push notifications from specific apps, suggesting that cybercriminals are already targeting users of these apps as part of their attacks.
“These samples from the first campaigns observed were masquerading as Google Chrome, NordVPN, and “Enterprise Europe Network” applications.” . “However, as we said previously, we can expect threat actors behind Octo2 to not limit their activity and continue targeting users of mobile banking all over the world.”
ThreatFabric observed Zombinder serving as the first stage of the installation in the Octo2 campaigns it has monitored. Upon launch, Zombinder requests the installation of an additional “plugin”, which is Octo2, thus successfully .
Octo2 has been significantly improved: the authors enhanced stability during remote control sessions and improved its anti-detection and anti-analysis techniques. Key improvements include:
There is presently no evidence that Octo2 is propagated via the Google Play Store, indicating that users are likely either downloading it from untrusted sources or being tricked into installing it via social engineering.
“The emergence of this Octo2 variant represents a significant evolution in mobile malware, particularly in the context of banking security. With enhanced remote access functionality, sophisticated obfuscation methods, and the wide availability of its predecessor’s source code, Octo2 is poised to remain a dominant force in the mobile malware landscape together with its older variants based on the leaked source code.” concludes the report. “This variant’s ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customised by different threat actors, raises the stakes for mobile banking users globally. “
(SecurityAffairs – hacking, Android)