Google’s new ZIP and MOV domains could pose a problem.

May 19 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that sees straight through cybercrime’s lies… Like Harry and Meghan’s 2 hour high speed pursuit in notoriously chockablock Downtown Manhattan 🙄 #WorldWidePrivacyTour

Starting today’s mail with patch of the week

Apple users, be aware: Apple has issued emergency patches for 3 new zero-day vulnerabilities.

Now on to today’s hottest cyber security stories:

  • Google’s new ZIP and MOV domains could pose a problem…
  • XWorm gon’ give it to ya 🎶: Follina vuln.-exploiting malware, that is
  • Google announces new cybersecurity features across its services. Hooray!

I LIKE TO .mov IT, .mov IT

We’ve said it before and we’ll say it again: loose ZIPs sink ships. So, despite the silly headline, maybe think twice before you ‘.mov it’ when it comes to clicking on a URL with a .mov ending.

So, here’s the story: Google’s just introduced eight new top-level domains (TLDs) that can be purchased for hosting websites or email addresses.

The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of this article, the .zip and .mov TLDs.

To be clear, .zip and .mov TLDs have been available since 2014, but it wasn’t until this month that they became generally available, allowing anyone to purchase a domain.

So if it was yours truly, we could be Gonephishing.dad (hmm, weird), or Gonephishing.zip, or Gonephishing.mov.

Just FYI, we’re Gonephishing.xyz. Ahead of the curve or what? Anyway, back to it…

The problem with this is the potential confusion that could arise. Indeed, the move has raised eyebrows with cybersecurity researchers and IT admins alike who, like us, are concerned about the possibility of exploitation by cybercriminals.

How so? Well, as you may well be aware, zip archive files and MPEG 4 videos are also file types commonly seen online, whose file names end in .zip (ZIP archive) or .mov (video file), respectively.

On top of that, scammers often hide their nasty malware inside files of these kinds. So, the worry is that users will think they are clicking on a file link when in fact they’re visiting a website that uses one of these new TLDs, or the other way round: that a link which looks like a harmless website is really a dodgy file.

Indeed, if a threat actor owned a .zip domain with the same name as a linkified filename (a filename that a mail client or chat app has automatically turned into a clickable link), a person may mistakenly visit the site and fall for a phishing scam or download malware, thinking the URL is safe because it came from a trusted source.

And this has apparently already happened, with cyber intel firm Silent Push Labs discovering what appears to be a phishing page at microsoft-office.zip (don’t click – it’s not hyperlinked for a reason!) attempting to steal Microsoft Account credentials.
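To make the confusion concrete, here is a small scanner added for this write-up (it is not code from the newsletter or from Silent Push). It flags the two shapes the problem takes in a message: a bare token such as report.zip that a mail or chat client might auto-link as a hostname, and a URL whose host, not just its path, ends in .zip or .mov. The sample messages and domain names in it are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions (the two the article discusses).
FILE_LIKE_TLDS = {"zip", "mov"}

# Bare token that looks like a filename but is also a valid hostname:
# one or more dotted labels followed by .zip or .mov, not embedded in a
# longer word, path or hostname. Case-insensitive, like real auto-linkers.
_TOKEN_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9-]+\.)+)(zip|mov)(?![\w.-])", re.IGNORECASE
)

# Explicit http(s) URLs in free text.
_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url):
    """Classify a URL by where the file-like extension sits.

    'file-like-tld-host' : the HOST ends in .zip/.mov (a domain, e.g. report.zip)
    'download'           : only the PATH ends in .zip/.mov (a file on a site)
    'other'              : neither
    """
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_LIKE_TLDS:
        return "file-like-tld-host"
    last_segment = parts.path.rsplit("/", 1)[-1]
    path_ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if path_ext in FILE_LIKE_TLDS:
        return "download"
    return "other"


def find_linkifiable_filenames(text):
    """Return distinct bare tokens (lower-cased) that a client may render as a
    link to a .zip/.mov domain even though the sender meant a filename."""
    found = []
    for m in _TOKEN_RE.finditer(text):
        token = m.group(0).lower()
        if token not in found:
            found.append(token)
    return found


def scan_message(text):
    """Scan one message body. Returns a list of (item, kind) findings:
    explicit URLs first (classified by classify_url), then bare tokens found
    in the text with the URLs removed, so a filename inside a URL path is not
    double-counted as a bare token."""
    findings = []
    for m in _URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)")   # drop sentence punctuation glued on
        kind = classify_url(url)
        if kind != "other":
            findings.append((url, kind))
    stripped = _URL_RE.sub(" ", text)
    for token in find_linkifiable_filenames(stripped):
        findings.append((token, "bare-filename-token"))
    return findings


if __name__ == "__main__":
    # Constructed sample messages; example-invoice.zip is a placeholder domain.
    samples = [
        "Please review report.zip before the call",
        "Download https://example.com/files/report.zip today",
        "Your invoice is ready at https://example-invoice.zip/ (open soon).",
        "Watch q2.update.MOV, thanks",
    ]
    for s in samples:
        print(repr(s), "->", scan_message(s))
```

A check like this belongs in a mail gateway or link-rewriting step: a flagged item can be shown unlinked (as the newsletter does with its own example) or routed for review, rather than silently rendered as a clickable hostname.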

One to watch out for, going forward, folks! Don’t get caught zipping. I mean slipping 😉

XWORM MARKS THE SCAM

F*ck waiting for you to get it on your own, XWorm gon’ deliver to ya! 🎶

XWorm is back, people, and this time cybersecurity researchers have discovered it rearing its ugly head in an ongoing phishing campaign that makes use of a unique attack chain to deliver the malware on targeted systems.

MEME#4CHAN

Securonix, which is tracking the activity cluster under the name MEME#4CHAN (no kidding!), said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.

“The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis.

Technical stuff

The attacks begin with phishing attacks to distribute decoy Microsoft Word documents that, instead of using macros, weaponize the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8) to drop an obfuscated PowerShell script.

From there, the threat actors abuse the PowerShell script to bypass Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and ultimately launch the .NET binary containing XWorm.

Always be super careful when clicking on PDFs, MS Word docs, along with contracts and agreements that you come across on Google.

These are commonly used for phishing by threat actors, as seems to be the case here, with Word documents the offending party this time around.

MIDJOURNEY: PLEASE STOP… DECEEEIVING 🎶

The now infamous ChatGPT AI engine, launched in November of last year, along with Midjourney, a lesser known but similar product, are being spoofed by the notorious Batloader threat actor.

These AIs have consistently split opinion as to whether they’ll be good or bad for cybersecurity. As far as we can determine, these tools are basically a two-edged sword: useful to cybersecurity professionals and cybercriminals alike.

“[ChatGPT and Midjourney] are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord),” reads the technical write-up.

“This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps.”

Judging by this, it seems like a good fix in both instances would be for the companies to develop apps for their products.

In the meantime, we would suggest you just make damn sure you’re clicking on the correctly spelt URL when you use these services.

That’s all for today, true believers. Enjoy the weekend and stay safe online! And offline lol.

So long and thanks for reading all the phish!

Cyber Dawg’s top picks from the week: he’s your Dawg, he’s got you.

MONDAY: Don’t take the bait!

TUESDAY: ex-Ubiquiti employee gets 6 years

WEDNESDAY: emerging info-stealers

THURSDAY: Apple gave cybercriminals hell in 2022
