Remus Leung / Red Team Penetration Tester on LinkedIn: New Golang-based Skuld Malware Stealing Discord and Browser Data from… (2024)

Remus Leung / Red Team Penetration Tester

CyberSecurity Enthusiastic | Network Support (Cabling) at Barclays | Data Center Infra / NOC


New Golang-based Skuld Malware Stealing Discord and Browser Data from Windows PCs
Jun 14, 2023, Ravie Lakshmanan

A new Golang-based information stealer called Skuld has compromised Windows systems across Europe, Southeast Asia, and the US.

"This new malware strain tries to steal sensitive information from its victims," Trellix researcher Ernesto Fernández Provecho said in a Tuesday analysis. "To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information from the system and files stored in the victim's folders."

Skuld shares overlaps with publicly available stealers like Creal Stealer, Luna Grabber, and BlackCap Grabber, and is the handiwork of a developer who goes by the online alias Deathined on various social media platforms like GitHub, Twitter, Reddit, and Tumblr.

Also spotted by Trellix is a Telegram group named deathinews, indicating that these online avenues could be used to promote the offering in the future as a service for other threat actors.

The malware, upon execution, checks if it's running in a virtual environment in an attempt to thwart analysis. It further extracts the list of running processes and compares it against a predefined blocklist. If any process matches one present in the blocklist, it proceeds to terminate the matched process as opposed to terminating itself.

Besides gathering system metadata, the malware possesses capabilities to harvest cookies and credentials stored in web browsers as well as files present in the Windows user profile folders, including Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive.

Artifacts analyzed by Trellix show that it's engineered to corrupt legitimate files associated with Better Discord and Discord Token Protector and inject JavaScript code into the Discord app to siphon backup codes, mirroring a technique similar to that of another Rust-based infostealer recently documented by Trend Micro.

Select samples of it also incorporate a clipper module to alter clipboard content and steal cryptocurrency assets by swapping the wallet addresses, which the cybersecurity company theorized is likely in development.

Data exfiltration is achieved by means of an actor-controlled Discord webhook or the Gofile upload service. In the case of the latter, a reference URL to steal the uploaded ZIP file containing the stolen data is sent to the attacker using the same Discord webhook functionality.

The development points to steady adoption of the Go programming language among threat actors due to its "simplicity, efficiency, and cross-platform compatibility," thereby making it an attractive vehicle to target multiple operating systems and expand their victim pool.

"Additionally, Golang's compiled nature lets malware authors produce binary executables that are more challenging to analyze and reverse engineer; this makes it harder for security researchers and traditional anti-malware solutions to detect and mitigate these threats effectively."


More Relevant Posts

  • Muhammad Khurram Shehzad

    Administrative Assistant @ The Islamia University of Bahawalpur | M.Phil (Social Sciences)


    Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines.

    Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems.

    The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."

    "These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs said in an analysis published last week. "Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed."

    While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog and Checkmarx disclosed last year.

    "The Windows-specific payload was identified as a variant of the [...] WhiteSnake malware, which has an Anti-VM mechanism, communicates with a C&C server using the Tor protocol, and is capable of stealing information from the victim and executing commands," JFrog noted in April 2023.

    It's also designed to capture data from web browsers, cryptocurrency wallets, and apps like WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

    Checkmarx is tracking the threat actor behind the campaign under the moniker PYTA31, stating the end goal is to exfiltrate sensitive and particularly crypto wallet data from the target machines.

    Some of the newly published rogue packages have also been observed incorporating clipper functionality to overwrite clipboard content with attacker-owned wallet addresses to carry out unauthorized transactions. A few others have been configured to steal data from browsers, applications, and crypto services.

    Fortinet said the finding "demonstrates the ability of a single malware author to disseminate numerous info-stealing malware packages into the PyPI library over time, each featuring distinct payload intricacies."

    The disclosure comes as ReversingLabs discovered two malicious packages on the npm package registry that have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed.


  • Mark Lubbat

    Channel Sales Leader | Partner Management | Consultative Sales | Tanium


    ICYMI: CTI Roundup: An XLoader macOS variant, Lazarus Group Update, and Hackers Abuse Facebook Ads

    XLoader macOS variant poses as a productivity app, Lazarus Group uses new malware, and threat actors abuse Facebook promotions to spread malicious code.
    https://lnkd.in/gK8g-msx

    CTI Roundup: An XLoader macOS variant, Lazarus Group Update, and Hackers Abuse Facebook Ads | Tanium tanium.com

  • Richard (Mark) Brown


    Atomic Stealer malware strikes macOS via fake browser updates

    The 'ClearFake' fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware. The ClearFake campaign started in July this year to target Windows users with fake Chrome update prompts that appear on breached sites via JavaScript injections.
    https://lnkd.in/eG2RXeQ4

    Atomic Stealer malware strikes macOS via fake browser updates bleepingcomputer.com

  • România Cyber Center



    🔴 Developers, beware! Malicious packages "nigpal" and "figflix" on PyPI contain WhiteSnake info-stealer. Targets Windows and Linux systems to steal passwords, browser data, wallets, and app logins.

    🔘 The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."
    🔘 "These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs said in an analysis published last week.
    🔘 "Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed."
    🔘 While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog and Checkmarx disclosed last year.
    🔘 "The Windows-specific payload was identified as a variant of the [...] WhiteSnake malware, which has an Anti-VM mechanism, communicates with a C&C server using the Tor protocol, and is capable of stealing information from the victim and executing commands," JFrog noted in April 2023.
    🔘 It's also designed to capture data from web browsers, cryptocurrency wallets, and apps like WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram Messenger.
    🔘 Checkmarx is tracking the threat actor behind the campaign under the moniker PYTA31, stating the end goal is to exfiltrate sensitive and particularly crypto wallet data from the target machines.
    🔘 Some of the newly published rogue packages have also been observed incorporating clipper functionality to overwrite clipboard content with attacker-owned wallet addresses to carry out unauthorized transactions. A few others have been configured to steal data from browsers, applications, and crypto services.
    🔘 Fortinet said the finding "demonstrates the ability of a single malware author to disseminate numerous info-stealing malware packages into the PyPI library over time, each featuring distinct payload intricacies."
    🔘 The disclosure comes as ReversingLabs discovered two malicious packages on the npm package registry that have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed.

    #rcc #new #malware #zeroday #news #linux #windows #infect #ssh #systems #apps #crypto #hack #github #telegram


  • Trimark Security



    The article discusses a malicious NuGet package that is targeting .NET applications. The package, called "FlubuCore", is a fake version of the popular NuGet package "FlubuCore". It contains a malicious payload that allows attackers to execute arbitrary code on the targeted machine. The fake package has been uploaded to the official NuGet repository and has been downloaded over 10,000 times. NuGet has since removed the package from their repository.

    #FlubuCore #cybersecurity

    Malicious NuGet Package Targeting .NET Developers with SeroXen RAT thehackernews.com

  • Vision Tech 360



    Operation Triangulation: Experts Uncover Deeper Insights into iOS Zero-Day Attacks
    https://lnkd.in/dkdiFBAs

    #vt360 #triangulation #zeroday #vulnerability #icloud #sqlite #apple #ios #cybersecurity #cybersecurityawareness #infosec #infotech

    iOS Zero-Day Attacks: Experts Uncover Deeper Insights into Operation Triangulation thehackernews.com

  • InQuest.net



    📰 InQuest in the News: New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions via The Hacker News.

    Mystic Stealer, a crimeware solution that is offered for sale, focuses on pilfering data and is implemented in the C programming language. Learn more ➡️ https://lnkd.in/gNTfE4z9

    #MysticStealer #InformationStealer #MalwareThreat #CyberSecurity #DataBreach

    New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions thehackernews.com


  • Nauman Mughal

    ⭐Attending London Tech Week - June 2024 ⭐ Cybersecurity Expert and Partnership Builder: Developing Strategic Alliances for BootBox's UK Expansion


    ⚠️ Critical Security Update: Mozilla is urgently fixing a zero-day #vulnerability (CVE-2023-4863), actively exploited in browsers. It can be triggered by tricking victims into opening a malicious WebP image.

    #cybersecurity #cyberattack #cyberawareness #cyberprotection #cybercriminals #zeroday #vulnerability #vulnerabilitymanagement #vulnerabilities #zerodayvulnerability

    Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird thehackernews.com

  • surender singh

    Senior Network Security Engineer-Ex- Palo Alto TAC(project) | PCNSE 10.2 | EX- Ecaps computers


    Silver RAT Evades Anti-viruses to Hack Windows Machines

    Hackers use Remote Access Trojans (RATs) to gain unauthorized access and control over a victim's computer remotely. These malicious tools allow hackers to perform various malicious activities like the following without the user's knowledge:
    • Execute commands
    • Steal sensitive information
    • Unauthorized access
    • Unauthorized manipulation

    Recently, cybersecurity researchers at Cyfirma discovered Silver RAT, which evades anti-virus software to hack Windows machines. Silver RAT, which is written in C sharp, has the following capabilities:
    • Bypass anti-viruses
    • Covertly launch hidden applications
    • Covertly launch browsers
    • Covertly launch keyloggers

    Silver RAT Evades Anti-viruses

    Developers are active on hacker forums and social media, especially on Telegram, to offer services like:
    • Cracked RATs
    • Leaked databases
    • Carding
    • Social media bot sales

    The cracked version surfaced in October 2023 on Telegram and GitHub. Silver RAT's builder allows threat actors to customize payloads up to 50kb. Once connected, the victim's logs appear on the attacker's panel. The final payload is a Windows executable file delivered through social engineering. Apart from this, the sale announcement first appeared on the following hacking forums among the several ones:
    • TurkHackTeam
    • 1877

    A successful connection grants the attacker control over the target system. Through the 'Manager' option, they can do the following things:
    • Handle applications
    • Navigate the file manager
    • Modify registry keys
    • Check startup items
    • Monitor system performance

    Here below, we have mentioned all the other malicious activities that threat actors can leverage:
    • Hidden Apps
    • Hidden Browsers
    • Hidden VNC

    Functionalities of Silver RAT

    Here below, we have mentioned all the functionalities of the Silver RAT:
    • Command and control via IP address/port or webpage.
    • Windows Defender exclusion for post-launch stealth.
    • Configuration to erase all system restore points.
    • Delayed execution option for the payload.
    • Hidden process and installation in task manager.
    • Custom process name to conceal payload in folders.
    • Antivirus bypass through FUD Crypters.

    Researchers discovered two Telegram channels used by the Silver RAT devs, which show high engagement. While CYFIRMA finds they use a known Crypto wallet with diverse addresses (Bitcoin, Ethereum, USDT):
    • Bitcoin wallet is empty
    • Ethereum shows 8 transactions totaling 2,275.67 USD (Dec 24-25, 2023)

    Researchers trace PayPal purchases and obtain threat actors' Gmail. Further investigation links a hacktivist Facebook account supporting the "Syrian Revolution" to a Silver RAT developer known for FPS game hacks.

    Recommendations

    Here below, we have mentioned all the recommendations offered by the cybersecurity analysts:
    • Security Awareness Training
    • Regular Updates
    • Data Encryption
    • Incident Response Plan
    • User Support
    • Regular Backups
    • App Review
    • Network Security
    • Behavioral Analysis
    • Endpoint Detection and Response (EDR)
    • Firewall Configuration


  • Rob T. Lee

    Technical Advisor to US Govt | Chief Curriculum Director and Faculty Lead, SANS Institute | Cybersecurity Researcher | "Godfather of Digital Forensics" | Learner & Leader


    “It is hard to prepare for organizations to prevent zero-day exploits, similar to a decent social engineering attempt – the best you can do is shore up your logfiles and ensure that forensic evidence exists that can be traced back for months (if not years on critical systems). Some tools can detect zero-days on the fly, including detections built into the operating system, but many of these sometimes degrade system performance.”Thank you, TechRepublic, for sharing my thoughts.

