HMD Skyline offers removable back cover, Qi2 wireless charging


Human Mobile Devices, popularly known as HMD and the maker of Nokia phones, has launched a new mid-range Android phone. The HMD Skyline resembles Samsung’s Galaxy S24 Ultra thanks to its sharp corners but isn’t as powerful. It does, however, have a couple of distinctive features. First, the device has a user-removable back plate for easier repairs. It is also the world’s first Android phone to support Qi2 wireless charging.

HMD Skyline launched with a 108MP camera and Qi2 wireless charging

Powered by Qualcomm’s Snapdragon 7s Gen 2, the HMD Skyline packs some amazing specs for a mid-range phone. It sports a 6.55-inch Full HD+ OLED display (1080×2400 pixels resolution) with 1,000 nits of brightness, a 144Hz refresh rate, and Corning Gorilla Glass 3. The phone is available in 8GB and 12GB RAM variants with 128GB and 256GB storage options. It supports 1TB microSD cards.

Cameras are one of the HMD Skyline’s strengths. Its 108MP primary rear camera boasts OIS (Optical Image Stabilization) and supports 4K video recording with spatial audio capture and wind noise reduction. The phone also has a 13MP ultrawide lens and a 50MP telephoto camera with up to 4x optical zoom. You don’t often see a zoom camera on a mid-range phone. There’s a 50MP selfie camera on the front.

This 5G-ready HMD phone boasts Wi-Fi 6E, Bluetooth v5.2, NFC, and GPS connectivity options. It is fueled by a 4,600mAh battery with 33W wired charging, 15W Qi2 wireless charging, and 5W reverse wireless charging. The latter two technologies are a rarity in this segment. Other highlights include a side-mounted fingerprint scanner, a programmable custom button, an IP54 rating, and Android 14.

With a thickness of 8.9mm, the HMD Skyline is quite bulky, particularly when you consider the battery capacity. It appears this is the compromise required for a removable back plate. A single screw holds the back cover, so you don’t need a heat gun, pry tool, or other equipment to remove it. If you aren’t comfortable opening it up yourself, HMD has partnered with iFixit to make repairs easier.

Price and availability

HMD’s Skyline comes in Neon Pink and Twisted Black colors. It is currently available in the UK at £399.99 for the 8GB/128GB model and £499.99 for the 12GB/256GB model. The phone will also come to the US, but the company hasn’t revealed prices yet. Replacement parts and repair kits are available from iFixit for the display, back cover, sub-board/charging port, and battery. It’s unclear whether HMD plans to release this phone outside of the US and Europe.


iPhone 15 sales drop more than expected; iPhone 14 resurges


The iPhone 16 series is close, and Apple wants to clear its iPhone 15 series stock, but the sales figures do not match those expectations. Instead, previous-generation models are still capturing users’ interest. The only exception is the iPhone 15 Pro Max.

Lower sales of the current iPhone generation are normal when the launch of a new one is near. However, the drop in iPhone 15 series sales seems more pronounced than estimated. CIRP published its latest market research on the commercial performance of iPhones during the third quarter after the launch of the previous generation. The report shows that even the iPhone 13 outsold one of the iPhone 15 models.

iPhone 15 sales during its third quarter were disappointing; users turned to older models

For the period studied, the iPhone 14 and iPhone 14 Plus took 17% of Apple’s smartphone sales. This matches the share of the iPhone 15 Pro (17%) and is only 2% below the share of the vanilla iPhone 15 (19%). The Plus model was the least sold in the iPhone 15 series during its third quarter on the market, reaching only 8%. On the other hand, the iPhone 15 Pro Max performed better, reaching 22% of the total.

However, it is interesting that models even older than the iPhone 14 series have a notable presence on the list. More specifically, the vanilla iPhone 13 captured 10% of iPhone sales during the period studied. This is more than what the most modern iPhone 15 Plus sold. The latest iPhone SE (5%) and the iPhone 13 Mini (1%) also appear in the ranking.

[Figure: iPhone 15 series sales, third quarter]

Lack of innovation could be one of the reasons behind the trend

As mentioned before, the drop in sales of current-gen iPhones is normal when the new ones are close. However, other factors could be behind users’ greater interest in older models, such as the conservative approach to innovation that Apple has been following with its devices. Meanwhile, the iPhone 15 Pro Max’s healthier sales could be due to its tetraprism periscope camera. Apple is said to keep the same sensor on the iPhone 16 Pro Max, so some users will turn to the previous model to save some money.

Meanwhile, Apple wants to attract users to the iPhone 16 series by adding generative AI capabilities with its Apple Intelligence suite. The company is also expected to use the latest Bionic Pro chips in the vanilla and Plus models. The report claims that Apple has ordered the production of 90 million iPhone 16 devices for 2024 alone, so sales expectations seem quite high.


Russian National Jailed for Smuggling US Military Tech to Russia


A Russian businessman has been sentenced to three years in prison for smuggling military-grade microelectronics to Russia via Hong Kong. Maxim Marchenko used shell companies to illegally procure OLED displays for Russian military applications.

A Hong Kong-based Russian national, Maxim Marchenko, has been sentenced to three years in prison for his role in a sophisticated scheme to illegally procure US-made military-grade microelectronics and funnel them to Russia.

Marchenko, 52, operated a network of shell companies that disguised the true destination of sensitive OLED micro-displays, crucial components used in advanced weaponry like night vision goggles and rifle scopes. He and his co-conspirators, also Russian nationals, deceived US distributors by falsely claiming the microelectronics were destined for legitimate uses in China, Hong Kong, and other countries.

According to the U.S. Department of Justice’s (DOJ) press release, the scheme, which ran from May 2022 to August 2023, saw Marchenko’s shell companies, including Alice Components, Neway Technologies Limited, and RG Solutions Limited, purchase over $1.6 million worth of these sensitive technologies. The microelectronics were then transshipped through third countries, ultimately reaching Russian end users.

“This sentence sends a clear message that we will not tolerate the illicit procurement of US technology that ultimately ends up fueling Russia’s aggression,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

The FBI, the Commerce Department’s Bureau of Industry and Security, and the State Department’s Diplomatic Security Service collaborated on the investigation, with assistance from the Justice Department’s Office of International Affairs.

This case was prosecuted by the Southern District of New York and the National Security Division’s Counterintelligence and Export Control Section. It was coordinated through the Justice Department’s Task Force KleptoCapture and the Disruptive Technology Strike Force, both dedicated to combating Russia’s efforts to acquire critical technology.


Italy opens antitrust investigation into Google for unfair practices


Italy has launched an antitrust investigation into Google and its parent company Alphabet. The Italian Competition Authority (Autorita Garante della Concorrenza e del Mercato or AGCM) has accused the tech titan of unfair business practices, including misleading its consumers. If found guilty, the company faces a fine of up to €10 million (approx. $10.9 million). Google says it will cooperate with the authorities.

Google faces antitrust investigation in Italy

According to Italy’s competition agency, Google resorted to unfair business practices for its own benefit in the country. Among other things, the agency, which also oversees consumer rights, accused the company of misleading consumers with incomplete information about how it uses their data. AGCM said Google’s request for users’ consent to link its multiple services “could constitute misleading and aggressive commercial practice.”

The search giant allegedly provides users with “incomplete and misleading” information that doesn’t properly clarify how the consent may impact the use of their personal data. The Italian watchdog said Google doesn’t give users freedom of choice when sending requests for consent. As reported by Reuters, the company limits users’ choices “by inducing them to agree to a combined usage of personal data by different Google services.”

“Indeed, it appears to be accompanied by inadequate, incomplete and misleading information and it could influence the choice of whether and to what extent consent should be given,” AGCM’s official complaint says about Google’s consent requests. The company offers a wide range of online products, including YouTube, Gmail, Maps, and a search engine. It requests consent from users to aggregate and use their personal data across all products.

AGCM also accused Google of using “techniques and methods for requesting consent, and also for setting up the mechanisms for obtaining consent itself, which could condition the freedom of choice of the average consumer”. If the investigation finds the company breaching Italy’s consumer rights rules, it faces fines ranging from €5,000 to €10 million. Google said it will “analyze the details” of the case and “work cooperatively with the authority.”

Italy has previously fined the internet giant

This isn’t the first antitrust case against Google in Italy. AGCM has previously fined the internet giant. In 2021, the Italian watchdog fined Google and Apple €10 million each for similar violations. It said the firms failed to properly inform users about how they use their data for commercial purposes. AGCM also fined Google €102 million for unfairly barring EV (electric vehicle) charging station finder JuicePass from Android Auto.


TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Organizations


Hackers use open-source tools in their attacks because the tools are readily available, well documented, and often have extensive community support, making them easy to modify and deploy.

Besides this, open-source tools can be customized to evade detection, automate tasks, and leverage existing vulnerabilities, enabling threat actors to conduct sophisticated attacks efficiently.

Recorded Future’s Insikt Group uncovered a new cyber-espionage campaign, dubbed TAG-100, targeting high-profile organizations globally.

The group exploits internet-facing appliances and employs open-source tools such as the Pantegana backdoor, following a wider trend of combining weaponized proof-of-concept (PoC) exploits with open-source frameworks.


Such an approach simplifies entry for less capable actors and enables more advanced groups to hide their tracks.

Despite global efforts to fix vulnerabilities on internet-facing devices, these devices remain attractive to attackers because relatively few protective measures have been put in place around them.

Researchers discovered victim organizations in the following countries:

  • Cambodia
  • Djibouti
  • The Dominican Republic
  • Fiji
  • Indonesia
  • Netherlands
  • Taiwan
  • The United Kingdom
  • The United States
  • Vietnam
Geographical breakdown of TAG-100 targeting and victimology (Source – Recorded Future)

Recommendations to organizations include operationalizing intelligence-led patching, reducing attack surfaces, and enhancing defense-in-depth measures.

Open-source tools are likely to be used even more frequently by state-sponsored actors, who may contract work out to proxy groups, raising the overall level of cyber threats.

Since February 2024, the TAG-100 espionage group has been attacking organizations in ten countries, spanning government, intergovernmental, and private-sector targets.

The researchers found that the group targets various internet-facing appliances, including Citrix NetScaler, Zimbra, and Microsoft Exchange.

Overview of TAG-100 operations (Source – Recorded Future)

Noteworthy targets include Southeast Asian and Oceanian intergovernmental organizations, foreign ministries, embassies, religious groups, and semiconductor companies.

By March, TAG-100 was active in at least fifteen countries, with a major focus on Cuban embassies. Coinciding with the release of the CVE-2024-3400 exploit in April, the group targeted Palo Alto Networks GlobalProtect appliances.

The group’s reliance on publicly available exploits, such as the one for Zimbra (CVE-2019-9621), shows how it conducts its espionage operations without bespoke tooling.

TAG-100 combines open-source post-exploitation frameworks like Pantegana, SparkRAT, LESLIELOADER, Cobalt Strike, and CrossC2 with various public exploits.

Its espionage motive is evident in its targets’ profiles, which include national governments, religious institutions, and intergovernmental agencies.

Besides using the Cloudflare CDN for C2 communication and ExpressVPN to manage its services, the group has been seen employing self-signed TLS certificates.

Although some of the targets overlap with previous China-sponsored operations, TAG-100’s use of off-the-shelf tools and its distinctive modus operandi make attribution difficult.

The group’s activities, observed since at least November 2023, illustrate a changing threat landscape in which basic operational security practices are combined with easily accessible tools.

Mitigations

The researchers recommend the following mitigations:

  • Configure IDS/IPS to alert on and potentially block connections to known malicious IP addresses and domains.
  • Implement robust monitoring for external-facing services and devices.
  • Watch for post-exploitation activities like web shells, backdoors, or lateral movement.
  • Prioritize patching high-risk vulnerabilities, especially RCE in external-facing appliances.
  • Implement network segmentation and multi-factor authentication for sensitive information.
  • Use threat intelligence to detect and block malicious infrastructure in real-time.
  • Monitor third-party vendors and partners for potential intrusion activity.
  • Utilize Malicious Traffic Analysis to monitor communications with known C2 servers proactively.

IoCs

IoCs (Source – Recorded Future)


Octo Tempest Attacking VMWare ESXi Servers Added new Ransom Tools


Threat actors often attack VMware ESXi servers because each server hosts many virtual machines, so a single breach gives access to a variety of systems.

Compromising an ESXi server can bring the targeted services down. Additionally, valuable resources and data are stored in the ESXi servers, which makes them lucrative targets for hackers.

Cybersecurity researchers at Microsoft Threat Intelligence recently discovered that Octo Tempest, which is known for attacking VMware ESXi servers, has added RansomHub and Qilin to its arsenal.

In early to mid-2024, the ransomware group Octo Tempest expanded its harmful activities. This group, which the cybersecurity researchers at Microsoft Threat Intelligence watch very closely, started using two new types of ransomware called RansomHub and Qilin.


Octo Tempest is known for several dangerous tactics: social engineering to trick people into giving away information, stealing online identities, maintaining long-term persistence in compromised systems, frequently attacking VMware ESXi servers, and regularly deploying the BlackCat ransomware.

Octo Tempest is responsible for many cyber attacks researchers have investigated and helped fix. Their new use of RansomHub and Qilin makes them an even bigger threat than before.

RansomHub, a rapidly growing ransomware-as-a-service (RaaS) payload, is becoming one of the most widespread ransomware families. 

It’s being adopted by various threat actors, including those previously using other ransomware like BlackCat. 

Manatee Tempest deployed RansomHub following Mustard Tempest’s initial access via FakeUpdates and Socgholish. 

Other active ransomware families include:

  • Qilin
  • BlackSuit
  • LockBit
  • Medusa
  • Black Basta
  • Play

Besides this, a new ransomware family, Fog, emerged this quarter and was used by Storm-0844, which previously favored Akira.

Storm-0844 is a group that typically gains initial access through VPN clients using potentially compromised accounts.

The group then relies on open-source tools such as ADFind, Rubeus, and Advanced IP Scanner for network reconnaissance and lateral movement, and on rclone to stage and exfiltrate data.

A new ransomware called “FakePenny” has been traced back to the North Korean group Moonstone Sleet. This actor also uses a malicious tank game as one of its lures.

Octo Tempest and Storm-0501 concentrate mainly on identity compromise. The latter has been using open-source tools such as “AADInternals” in attempts to establish rogue domain federations, culminating in Embargo ransomware deployment.

The variety of tactics and tools in use across these groups demonstrates how much more sophisticated the threat environment has become.

Ransomware actors also misuse remote management tools; for example, Storm-1811’s abuse of Quick Assist has led to Black Basta attacks.

To combat this growing threat, organizations should stick to security best practices such as credential hygiene, least privilege, and Zero Trust.


These Amazon Prime Day Deals are still running!


Amazon’s Prime Day is over. However, not every product has gone back up to its regular price. These are the best Amazon Prime Day deals that you can still find now that Prime Day has ended. Spoiler alert: there are quite a few.

Best Amazon Prime Day 2024 Deals

Prime Day is over, but we’re still rounding up the very best deals that you can get after Prime Day, here in this post. That includes deals from brands like Amazon, Ring, Google, Blink, Instant Pot, Keurig, and many more, so you’ll be able to save a lot this year and get just what you need.

We’re still finding some really good deals on the latest Apple Watch models, iPads, the Samsung Galaxy S24 series, and much more. The vast majority of these do not require a Prime membership.

Without further ado, here are the best Prime Day deals you can still get.


Huawei executive gets candid about US sanctions and their effects


Huawei has faced significant challenges over the past few years due to stringent US sanctions. Its smartphone sales have nosedived while the company also lost business in other tech industries. The beleaguered Chinese firm’s senior executive Richard Yu Chengdong recently got candid about the situation, sharing insights into the “incredibly difficult” days that Huawei endured.

Huawei executive discusses its fall and fight for survival after US sanctions

In May 2019, the US government placed Huawei on its Entity List, effectively blocking its access to all modern technologies originating from the US or developed using US-origin equipment over the next few years. The company could no longer do business with any American firm. It couldn’t use Qualcomm’s most advanced smartphone chipsets and Google Mobile Services (GMS) on its Android phones, among other things.

The sanctions have seen several reforms over the years, with the US government also allowing special export licenses to some companies. These licenses enabled Huawei to remain afloat in the smartphone industry, but only just. With no GMS and powerful 5G chipsets, it couldn’t compete in the global market. From selling over 240 million phones in 2019 to just 28 million in 2022, the Chinese firm experienced an unimaginable fall.

In a live-streamed interview with Chinese influencer Dong Yuhui earlier this week, Richard Yu Chengdong, Huawei’s chairman of the consumer business group, discussed the effects of the US sanctions. “My team wasn’t able to start operations,” the executive said. “As the global leader in 5G technology, we didn’t even have 5G [smartphones] ourselves. Our days were incredibly difficult,” the highly outspoken Yu added.

Known for his off-the-cuff comments that have earned him the nickname “Big Mouth Yu” on Chinese online platforms, Yu was a driving force behind Huawei’s success before the US sanctions started showing their effects. The firm overtook Samsung to become the world’s largest smartphone vendor in the second quarter of 2020. That was its peak moment in the pre-Entity List era. It is starting to grow again, but those heights are now a distant dream.

The US government is tightening its restrictions on the firm

After hitting rock bottom between 2020 and 2022, Huawei started emerging from the ashes in 2023. Backed by a robust domestic supply chain, it launched its first 5G phone in over three years. The firm hasn’t looked back since and is now on track to ship over 50 million smartphones in its home country this year. It is expected to emerge as the biggest smartphone vendor in mainland China with a market share of 19%.

Since Huawei is using home-grown technology, Chinese people are increasingly buying its products. “Huawei smartphones use domestically made chips instead of integrating Western chips, so our users are also making a contribution to the rise of China’s electronics supply chain,” Yu said during the interview. The company recently constructed a $15 billion R&D center to work on semiconductors, wireless networks, and IoT (Internet of Things).

In the meantime, the US government is tightening its restrictions on the Chinese firm. The Biden administration recently revoked eight special export licenses. Intel and Qualcomm are among the companies that have lost their licenses to export to Huawei. This move may hinder the firm’s progress, but looking back at its path over the past three or four years, US trade restrictions may no longer affect Huawei as much as they did in the past.

Huawei might soon be back on the global scene, riding on a domestic supply chain. As they say, you cannot contain technology; one company or another will figure it out sooner or later. Rumors say Huawei will launch the world’s first tri-fold foldable smartphone. Time will tell whether this device will get a global launch.


FIN7 Cybercrime Gang Evolves with Ransomware and Hacking Tools


FIN7, a notorious cybercrime gang, is back with a new bag of tricks. Learn about FIN7’s evolving tactics, including ransomware and custom EDR bypass tools like AvNeutralizer, and how to fortify your defences against FIN7 with findings from Sentinel Labs’ research.

Russian hackers are shifting their tactics, now offering paid tools alongside the custom tooling they have traditionally been known for. This trend is evident in the activities of the Russian cybercrime gang FIN7, which has been targeting financial institutions and businesses worldwide for over a decade.

Notorious for its initial focus on point-of-sale (POS) system breaches, FIN7 has continuously evolved its tactics to maximize its gains. Sentinel Labs’ latest report analyzes the gang’s shift towards ransomware attacks, highlighting their preferred weapons and modus operandi.

According to researchers, FIN7 shifted its focus to ransomware operations in 2020, affiliating with RaaS groups like REvil and Conti and launching its own programs under the Darkside and BlackMatter brands. The gang also created fraudulent infosec firms, Combi Security and Bastion Secure, to recruit unwitting staff and deceive security researchers. Despite setbacks, FIN7’s activities continue.

Shedding light on FIN7’s sophisticated toolbox, Sentinel Labs found one particularly concerning tool, AvNeutralizer, an EDR impairment tool designed to neutralize security software and leave systems open to further attacks.

In November 2022, SentinelLabs reported a connection between FIN7 and the Black Basta group based on the use of AvNeutralizer (also known as AuKill) in ransomware attacks; FIN7 now sells the tool on underground forums.

Other tools include Powertrash, a heavily obfuscated PowerShell script used by FIN7 to stealthily execute backdoor payloads in their malicious campaigns. Diceloader, aka Lizar or IceBot, is a backdoor that allows attackers to establish a C2 channel, controlling the system by sending position-independent code modules. Diceloader is typically deployed through Powertrash loaders in FIN7 operations.

A helper UI client, the “Remote System Client,” is used to interact with Diceloader C2 servers and control victims. Separately, an SSH-based backdoor was found on a server attributed to FIN7, which also exposed an open-directory web server used for staging payloads.

FIN7 uses multiple pseudonyms to hide its identity and sustain its underground criminal operations. The users “goodsoft”, “lefroggy”, and “killerAV” advertised their “PentestSoftware” for $6,500 per month on the Exploit.in forum, while “Stupor” advertised an AV killer targeting security solutions for $10,000 on the XSS.is forum. Based on the evidence, researchers claim that all these users belong to the FIN7 cluster, likely using multiple pseudonyms to maintain their illicit operations.

[Figure: FIN7 on Exploit Forum (Credit: Sentinel Labs)]

FIN7 uses automated SQL injection attacks to compromise public-facing applications. The gang employs a multi-layered approach, including obfuscating its malware code, leveraging legitimate tools for malicious purposes, and exploiting vulnerabilities in popular software. This constant evolution makes it challenging for cybersecurity researchers to track FIN7’s activities and develop effective defences.

To protect against such threats, businesses should regularly update systems and software, implement a layered security approach, educate employees on cybersecurity best practices, and have a data backup and recovery plan.


MacOS Users Beware Of Weaponized Meeting App From North Korean Hackers


Meeting apps are frequently targeted and weaponized by hackers because they are widely used for communication and collaboration, often carry sensitive data, and have large user bases.

Because such platforms are pervasive and widely trusted, attackers can abuse that trust to spread malware, steal information, eavesdrop on conversations, or break into organizations.

Security researcher Patrick Wardle of Objective-See discovered that North Korean hackers had been actively weaponizing a meeting app, Miro Talk, to target macOS users.


MalwareHunterTeam also tweeted about this new Mac malware.

Weaponized Meeting App

A malicious disk image (MiroTalk.dmg), undetected by the AV engines on VirusTotal, was analyzed to reveal its capabilities and its North Korean (DPRK) attribution.

The malware, likely part of a job-related phishing campaign, was hosted on a clone of the legitimate Miro Talk site. This tactic aligns with known DPRK hacker methods of targeting victims by posing as job hunters.

The analysis demonstrates how open-source tools like BlockBlock and LuLu can help counter such threats. 

The malware’s connection to a previously documented DPRK campaign by Palo Alto Network’s Unit42 suggests an evolving strategy in North Korean cyber operations.

Analysis shows that MiroTalk.dmg contains an unsigned 64-bit Intel Mach-O executable named Jami, which was not detected on VirusTotal.

The malicious disk image is currently undetected by any of the AV engines on VirusTotal (Source – Objective-See)
The application is not signed (Source – Objective-See)

Symbols and strings embedded in the binary suggest that it is used for exfiltration, download, and execution, with a likely C2 server at 95.164.17.24:1224.

The malware may also target crypto-wallet browser extensions, browser data, and the macOS keychain.

The binary is built with Qt/QMake, so it is likely cross-platform, and it carries and executes malicious Python scripts.

Methods of the executable such as setBaseBrowserUrl directly reference sensitive browser paths, indicating extensive data collection and exfiltration capabilities.

The Jami executable attempts to access the user’s keychain and send sensitive browser data to a C2 server (95.164.17.24:1224).

The application displays a UI (Source – Objective-See)

Although the initial exfiltration attempts failed, the malware’s API endpoints are similar to those of BeaverTail, which has previously been linked to North Korean hackers.

This implies a shift from JavaScript-based threats to native Qt variants with similar targets, such as cryptocurrency wallets.

The DPRK-linked C2 server also hosts other payloads, including client/5346, a Python downloader, and InvisibleFerret, a cross-platform backdoor.

These findings connect the new malware variant to the earlier BeaverTail campaign, indicating the continued maturing of DPRK cyber capabilities.

The analyzed malware, masquerading as MiroTalk, is a new native variant of BeaverTail.

This new variant is capable of stealing information and executing additional Python-based payloads like InvisibleFerret. 

Key IoCs from the analysis are the MiroTalk.dmg file (SHA-256: 0F5F0A3AC843DF675168F82021C24180EA22F764F87F82F9F77FE8F0BA0B7132) and the C2 server (95.164.17.24).
