#Golang backdoor
Explore tagged Tumblr posts
Text
Zero-Day Vulnerability in Output Messenger Exploited by Türkiye Hackers
Cybersecurity researchers have uncovered a concerning development where Türkiye-affiliated hackers successfully exploited a Zero-Day Vulnerability in Output Messenger. The attack, which began in April 2024, specifically targeted Kurdish military operations in Iraq. This Zero-Day Vulnerability in Output Messenger highlights the ongoing cybersecurity challenges faced by organisations using…
Tags: CVE-2025-27920, cyber espionage, cybersecurity, enterprise communication security, Golang backdoor, Kurdish targets, Marbled Dust, Output Messenger, Türkiye hackers, zero-day vulnerability
Text
New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
Source: https://thehackernews.com/2025/02/new-golang-based-backdoor-uses-telegram.html
More info: https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor
Text
Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
http://i.securitythinkingcap.com/TKkRQK
Text
APT41 Targets Taiwanese Government Research Institute with ShadowPad and Cobalt Strike

Cisco Talos researchers have reported a significant cyber attack on a Taiwanese government-affiliated research institute, attributing the breach to the China-linked group APT41 with medium confidence. The campaign began as early as July 2023 and involved deploying advanced malware tools including ShadowPad and Cobalt Strike.

Attack Overview and Attribution

The researchers identified several key aspects of the attack:
- The campaign targeted a Taiwanese government-affiliated research institute
- APT41, a group allegedly comprised of Chinese nationals, is believed to be responsible
- Attribution is based on overlaps in tactics, techniques, and procedures (TTPs), infrastructure, and malware families exclusive to Chinese APT groups

ShadowPad Malware Deployment

A central component of the attack was the use of ShadowPad, a sophisticated modular remote access trojan (RAT):
- ShadowPad is known to be sold exclusively to Chinese hacking groups
- The malware exploited an outdated, vulnerable version of the Microsoft Office IME binary as a loader
- A customized second-stage loader was used to launch the payload
- Two distinct iterations of ShadowPad were encountered during the investigation

Cobalt Strike and Custom Loaders

The attackers also leveraged Cobalt Strike and developed custom loaders to evade detection:
- A unique Cobalt Strike loader written in Golang was used to bypass Windows Defender
- The loader was derived from an anti-AV tool called CS-Avoid-Killing, found on GitHub
- Simplified Chinese file and directory paths suggest the attackers' proficiency in the language
- PowerShell commands were used to execute scripts for running ShadowPad directly in memory and fetching Cobalt Strike from command and control (C2) servers

Figure: The GitHub repository of the Cobalt Strike loader.

Exploitation of CVE-2018-0824

APT41 demonstrated advanced capabilities by exploiting a known vulnerability:
- The group created a custom loader to inject a proof-of-concept for CVE-2018-0824 directly into memory
- This remote code execution vulnerability was used to achieve local privilege escalation
- A tool called UnmarshalPwn was employed in the exploitation process

Attack Methodology and Persistence

The attackers employed various techniques to maintain access and avoid detection:
- Three hosts in the targeted environment were compromised
- Documents were exfiltrated from the network
- A web shell was used to maintain persistence and drop additional payloads
- The "quser" command was executed to monitor for other logged-on users, allowing the attackers to pause activities if detected
- After deploying backdoors, the web shell and guest account used for initial access were deleted

Broader Implications and Ongoing Investigations

Cisco Talos researchers emphasized the potential for further discoveries:
- Analysis of artifacts from this campaign led to the identification of samples and infrastructure potentially used in different campaigns
- Sharing these findings could help the cybersecurity community make connections and enhance ongoing investigations
- Indicators of Compromise (IoCs) for this campaign have been released on Cisco Talos' GitHub repository

This sophisticated cyber attack on a Taiwanese government research institute highlights the ongoing threat posed by advanced persistent threat (APT) groups like APT41. Complex malware such as ShadowPad, combined with custom loaders and exploitation of known vulnerabilities, demonstrates the evolving tactics employed by state-sponsored threat actors.
Text
New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm
The Hacker News: The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China. The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems. "KTLVdoor is a highly obfuscated malware that
http://dlvr.it/TCrYWB
Posted by: Mohit Kumar (Hacker)
Text
Redigo: New Backdoor Targeting Redis Servers
By Ionut Arghire on December 05, 2022. Researchers at cloud security company Aqua Security are raising alarm on a newly identified backdoor targeting Redis servers. Dubbed Redigo, the malware is written in Go and was seen being deployed in an attack that exploited a known Redis vulnerability (CVE-2022-0543, CVSS score of 10)…
Text
New Golang botnet empties Windows users’ cryptocurrency wallets
A new Golang-based botnet under active development has been ensnaring hundreds of Windows devices each time its operators deploy a new command and control (C2) server.
First spotted in October 2021 by ZeroFox researchers who dubbed it Kraken, this previously unknown botnet uses the SmokeLoader backdoor and malware downloader to spread to new Windows systems.
After infecting a new Windows device, the botnet adds a new Registry key to achieve persistence between system restarts. It also adds a Microsoft Defender exclusion to ensure that its installation directory is never scanned, and hides its binary in Windows Explorer using the hidden attribute.
Kraken has a limited and simplistic feature set, allowing attackers to download and execute additional malicious payloads on compromised devices, including the RedLine Stealer malware.
RedLine is currently the most widely deployed information stealer capable of harvesting victims’ passwords, browser cookies, credit card info, and cryptocurrency wallet info.
“Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer,” ZeroFox said.
“It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet.”
Built-in crypto wallet theft capabilities
However, the botnet also features built-in information theft capabilities and can also steal crypto wallets before dropping other info stealers and cryptocurrency miners.
According to ZeroFox, Kraken can steal info from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty crypto wallets.
Based on info collected from the Ethermine cryptocurrency mining pool, this botnet seems to be adding roughly USD 3,000 every month to its masters’ wallets.
“While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP,” the researchers added.
Nevertheless, “by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2.”
source https://usapangbitcoin.org/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/
source https://usapangbitcoin.wordpress.com/2022/02/19/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/
Photo
A new #malware — codenamed "Capoae" — scans the web for vulnerable #Linux machine and #WordPress sites in order to install a backdoored plugin that runs a #Golang-based crypto-mining #software. Read details: https://t.co/NQxTcVPkct #infosec #cybersecurity (via Twitter http://twitter.com/TheHackersNews/status/1440257820650205185)
Text
New Golang-based backdoor relies on Telegram for C2 communication
http://i.securitythinkingcap.com/TJ28w3
Text
Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea
The Hacker News: The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer. The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W said in a new technical report. Troll
http://dlvr.it/T2bXnT
Posted by: Mohit Kumar (Hacker)
Text
Original Post from Security Affairs Author: Pierluigi Paganini
Security experts at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group aimed at political targets.
Security researchers at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group (i.e. APT28, Sednit, Sofacy, Zebrocy, and Strontium) aimed at political targets.
In the recent attacks, the hackers used a new set of malicious payloads, including a backdoor written in a new language.
The Fancy Bear APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.
“On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.” reads the analysis published by ESET.
“As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.”
The threat actors used phishing messages containing a malicious attachment that launches a long chain of downloaders, ending with a backdoor.
Figure 1. Chain of compromise overview – Source ESET
The phishing messages come with an attached document that is blank and references a remote template, wordData.dotm, hosted at Dropbox. Once the victim opens the document in Word, it triggers the download of wordData.dotm and incorporates it into the document's working environment, including any active content the template may contain.
“The wordData.dotm file contains malicious macros that then are executed. (Depending on the Microsoft Word version, the VBA macros are disabled by default and user action is required to enable them.) It also contains an embedded ZIP archive that the macros dropped and extracted.” continues the report.
The attacks analyzed by ESET have involved several downloaders written in different languages, including a new one dubbed Nim. Nim is a statically typed compiled systems programming language. It combines successful concepts from mature languages like Python, Ada and Modula.
The downloader written in Nim is quite light in terms of its data-gathering capabilities, compared with the previous Golang downloaders.
In August, the threat actors also used for the first time a new backdoor written in Golang; the malware has many similarities with the Delphi backdoors used in previous attacks.
Experts pointed out that six modules are fetched in the attack chain before the final Golang backdoor. The malware is able to steal sensitive data from the infected machine and take screenshots every 35 seconds during the first few minutes of infection. The backdoor is also able to install additional payloads.
“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET concludes. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”
Pierluigi Paganini
(SecurityAffairs – APT, hacking)
The post A new Fancy Bear backdoor used to target political targets appeared first on Security Affairs.
Text
New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
http://i.securitythinkingcap.com/TJ1flj
Text
Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea
http://i.securitythinkingcap.com/T2WRQz
Link
A first-stage malware loader spotted in active campaigns has added additional exploits and a new backdoor capability.
Text
Golang Worm Widens Scope to Windows, Adds Payload Capacity
Source: Threat Post. A first-stage malware loader spotted in active campaigns has added additional exploits and a new backdoor capability.
Text
Original Post from Security Affairs Author: Pierluigi Paganini
The APT34 group continues its cyber espionage activity; its members were posing as a researcher from Cambridge to infect victims with three new malware families.
Experts at FireEye have uncovered a new espionage campaign carried out by the APT34 group (also tracked as OilRig, HelixKitten, and Greenbug) through LinkedIn. Members of the cyberespionage group were posing as a researcher from Cambridge and asking victims to join their social network.
APT34 is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.
According to FireEye, in the new campaign the hackers masqueraded as a Cambridge lecturer and asked the victims to join their networks in order to send them weaponized documents.
“In late June 2019, FireEye identified a phishing campaign conducted by APT34, an Iranian-nexus threat actor.” reads the analysis published by FireEye. “Three key attributes caught our eye with this particular campaign:
Masquerading as a member of Cambridge University to gain victims’ trust to open malicious documents,
The usage of LinkedIn to deliver malicious documents,
The addition of three new malware families to APT34’s arsenal.”
The hackers used three new malware families in the campaign, which also involved Pickpocket, a browser credential-theft tool exclusively linked to APT34 campaigns.
The phishing campaign primarily targeted organizations in the energy and oil and gas, along with government entities.
The fake profiles asked the victims to open a weaponized Excel file named ERFT-Details.xls that was used as a dropper. The hackers sent the victim a LinkedIn message from "Research Staff at University of Cambridge"; the conversation began with a solicitation of resumes for potential job opportunities.
The attack technique observed in this campaign is not new and was used by the cyberspies in other campaigns: threat actors routinely exploit the concept of "trust" behind social networks.
The three malware families involved in this campaign were tracked as TONEDEAF, VALUEVAULT, and LONGWATCH.
The Tonedeaf malware is a backdoor which communicates with a single command-and-control (C2) server via HTTP GET and POST requests. It supports several commands for collecting system information, uploading and downloading files, and arbitrary shell command execution.
After identifying the C2 domain, the FireEye experts discovered two other malware families, tracked as ValueVault and Longwatch, along with a variant of Pickpocket.
ValueVault is a Golang-compiled version of the Windows Vault Password Dumper browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel. Longwatch is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.
“We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired.” concludes FireEye. “For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security.”
Pierluigi Paganini
(SecurityAffairs – APT34, cyberespionage)
The post New APT34 campaign uses LinkedIn to deliver fresh malware appeared first on Security Affairs.