DEV Community

Habdul Hazeez

Security news weekly round-up - 26th December 2025

As the days go by, cyber defenders keep looking for ways to safeguard the systems they are charged with protecting. Meanwhile, malicious actors keep looking for ways to compromise those same systems, whether with tried-and-trusted methods or with a novel attack technique. It's a never-ending cat-and-mouse game. But for the good of humanity and of Internet users as a whole, we always pray that the defenders come out on top every time. No ifs, no buts.


Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns

If you take one thing away from this article, let it be this: always be suspicious of emails that carry attachments. Always, and especially when the files have an unusual extension. Mind you, I am not saying that PDF files are "safe"; they are far from it.

From the article:

The operation’s sophistication is further evidenced by the use of steganography and the trojanization of open-source libraries. Adding to their stealth is a custom-engineered, four-stage evasion pipeline designed to minimize their forensic footprint.

By masquerading as legitimate Purchase Order communications, these phishing attacks ultimately deliver Remote Access Trojans (RATs) and Infostealers.

NPM Package With 56,000 Downloads Steals WhatsApp Credentials, Data

A package can promise some functionality, deliver it as expected, and still be malicious. Yes, you read that right. The npm package in question does exactly that.

From the article:

When you use this library to authenticate, you’re not just linking your application – you’re also linking the threat actor’s device. They have complete, persistent access to your WhatsApp account, and you have no idea they’re there.

Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites

Be careful about the extensions you add to your web browser.

From the article:

"Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations," Socket security researcher Kush Pandya said.

"Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 [command-and-control] server."

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.

Top comments (1)

Fyodor (fyodorio)

A bit of Halloween on Christmas 😅🎃