Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Thursday, April 22, 2021

Hackers Are Using Telegram to Spread Malware and Control the System

Check Point researchers identified more than 130 cyber attacks using a Remote Access Trojan called ToxicEye. This malware is managed by cybercriminals through Telegram messenger app.

As per Check Point Research, there is a new trend of attack among cybercriminals, where Telegram is used as a control-and-command system to spread malware even popular application is not installed or is not used, the system allows attackers to send malicious commands and operations remotely.

Check Point Research explained that they identified more than 130 cyber attacks that resorted to a Remote Access Trojan (RAT) called ToxicEye, communicating with their servers and sending all the data collected there.

ToxicEye is spread via phishing emails embedded with malicious .exe files. Once it open by victim, these files start installing the malware on the it's equipment and increase a series of operations that go undetected.

The Malware can execute the range of exploits without the victim’s knowledge:

  • ·         Data theft
  • ·         Delete or transfer files
  • ·         Encrypt files for a ransom (Ransomware)
  • ·         Remote control and I/O hijacking
  • ·         Installation of a Keylogger
  • ·         Hijack the computer's microphone and camera to record audio and video from the computer.

How This Attack Infection Chain Works -

The researcher mentioned “ The attacker first creates a Telegram account and a Telegram ‘bot.’ A Telegram bot account is a special remote account with which users can interact by Telegram chat or by adding them to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query.

Attacker embeds The Telegram bot into the ToxicEye RAT configuration file then compile into an executable file and this executable file (.exe) can be injected into a Word document also. When victim open this doc file or email , this .exe get installed into this computer and make the same infected. Now victim’s computer can be attacked via the Telegram bot and attackers control this system.




Cybercriminals find Telegram as an essential part of their attacks and it  allows attackers to remain anonymous as the registration process only requires a mobile number, The messaging app Telegram is not blocked by antivirus solutions or network security tools.

Attackers can easily extract data from users equipment or transfer new malicious files to infected devices. Hackers can use their mobile phone to access infected computers from any location in the world.

Identify if your system is compromised and tips to strengthen security

  1. Search for RAT file - First of all you should search your computer for the file (rat.exe) in location (without quotes): “C: \ Users \ ToxicEye \ rat.exe if this file exists on your computer, you must immediately contact your helpdesk and delete this file.
  2. Traffic Monitoring - You can monitor the traffic generated from your personal or organization's system to Telegram C&C accounts. If you see such traffic and Telegram is not installed as a business solution, this is an indication that system has been compromised.
  3. Identify Phishing or Malicious Emails - It is very important to beware of any kind of attachments files that have usernames because malicious/spam emails often use the your username as the subject line or name of the file. These could be suspicious emails and you should not open these attachments,  delete the email immediately and not reply to the sender. If you receive an email from unlisted or undisclosed  sender it indicates that the email is malicious or phishing.
  4. Anti-Phishing Software - In order to minimize the risks phishing attacks for an organization, it is AI-based anti-phishing software  that is able to identify and block malicious content from all communication services (i.e. emails )and platforms (i.e. computers, handheld devices)

Thursday, November 17, 2016

Hack Locked Computer using $5 Device (PoisionTap)



If you think that your computer is safe when it is locked with a strong password, then Samy Kamkar’s device PoisionTap will make you wrong. This cheap exploit tool takes just 30 seconds to install a privacy-invading backdoor into your computer.

PoisionTap, a tiny $5 Raspberry Pi Zero microcomputer loaded with Node.js code and attached to a USB adapter. Inventor has publicly released the source code to PoisionTap, so that any would-be hacker can try it out for themselves.

If you are a hacker and want to hack or get information of any of your coworker in your office. All you need is to plug this device in the target computer and wait. PoisonTap targets the victim’s browser cache and injects the malicious code there.

Once the hacking tool is recognized by the target machine, it is loaded as a low-priority network device that starts impersonating a new Ethernet connection and runs a DHCP request across it. The machine sends a DHCP request to the tool that in response tells it that the entire IPv4 address space is part of PoisonTap’s local network. In this way, the entire traffic it routed through the PoisonTap device before reaching the legitimate gateway to the Internet. With this trick, it intercepts all unencrypted Web traffic and steals any HTTP authentication cookies used to log into private accounts as well as sessions for the Alexa top 1 Million sites.

PoisonTap will give you an invisible position on the local network to connect to the intranet site and send data to a remote server. Now this computer will be in your control even after this tool is unplugged from the targeted computer. Since it uses siphons cookies, you can also hijack the target user's online accounts even they are secured with two-factor authentication (2FA).

Inventor says “it can also bypass many other security mechanisms, including same-origin policy (SOP), HttpOnly cookies, X-Frame-Options HTTP response headers, DNS pinning and cross-origin resource sharing (CORS). Whenever the websocket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code

There is no easy fix available for users as long as a web browser application is running in the background.





Thursday, November 3, 2016

Google’s Disclosure Makes Microsoft Unhappy





Now Google has started a new war by publishing details about a critical vulnerability in Windows and that makes Microsoft angry. Google claimed that it reported the bug to Microsoft 10 days ago but company did nothing to address this issue.

In its official Security Blog , Google wrote:

"After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released.

Google confirmed that it repaired the vulnerability for its Chrome users, and Adobe issued an update for Flash last week.

Google describes the vulnerability, CVE-2016-7855, as:

“A local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”

Microsoft shows his anger by below statements:

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk,"

“We disagree with Google's characterization of a local elevation of privilege as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective in the Windows 10 Anniversary Update due to security enhancements previously implemented."

It’s not first time, Google exposed bug in Microsoft. In 2015, Google published bug report 90 days after informing MS company.

Microsoft’s Chris Betz said at the time “The decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers.”