Hackers Using Weaponized Invoice to Deliver LUMMA Malware

0
[ad_1]

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious links within seemingly legitimate payment requests. 

This tactic aims to deceive recipients into opening the invoice, leading to:-

  • Potential data breaches
  • Financial fraud
  • Unauthorized access to sensitive information

Cybersecurity researchers at Perception Point recently discovered and analyzed a sophisticated malware dubbed “LUMMA” malware.

Perception Point’s cutting-edge sandboxing technology was able to identify and isolate malicious software with precision and accuracy, thereby protecting the system from potentially harmful malware.

Document
Protect Your Storage With SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Invoice to Deliver LUMMA Malware

Cybersecurity analysts identified that the attacker, posing as a financial services company in this campaign, tricks the target with a fake invoice email. 

Fake Invoice (Source – Perception Point)

The user is urged to click “View & Download Invoice,” but the provided website is unavailable. To maintain legitimacy, a valid website link is included that redirects users after the failed button click.

The attacker dodges detection using a fake page and a real link. Security scans miss malicious payload hidden behind error pages and innocent URLs. 

Clicking the link redirects to harmful URLs triggering automatic download of malicious files. The attacker breached a legitimate site to host a redirect. 

Besides this, the website code reveals multiple redirects to dangerous URLs, like hxxps://robertoscaia[.]com/eco, downloading malware through the “.exe” file generator.

Website code (Source – Perception Point)

LUMMA is an InfoStealer malware that is written in C language and spreads through Malware-as-a-Service. 

The attack features three processes, and here below, we have mentioned those processes: –

  • 1741[.]exe
  • RegSvcs[.]exe
  • wmpnscfg[.]exe

Notably, the “1741[.]exe” process runs from the user’s temp folder, raising suspicions due to legitimate programs not using this location.

Processes ‘RegSvcs[.]exe’ and ‘wmpnscfg.exe’ from unusual folders suggest suspicious behavior linked to malware. 

Parent processes with PIDs 1388, 3428, and 1388 add complexity, aiming to hide malicious activities.

Increasingly sophisticated threats demand constant security system evaluation.

This incident highlights the need for advanced prevention, continuous monitoring, and a multi-layered approach to detecting and countering evolving cyber threats.

IOCs

Main object – 3827.exe

  • md5 0563076ebdeaa2989ec50da564afa2bb
  • sha1 ac14e7468619ed486bf6c3d3570bea2cee082fbc
  • sha256 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b

Dropped executable file

  • sha256 C:\Users\admin\AppData\Local\Temp\Protect544cd51a.dll dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

DNS requests

Connections

  • ip 104[.]21[.]21[.]50
  • ip 224[.]0[.]0[.]252

HTTP/HTTPS requests:

  • url hxxp://taretool[.]pw/api
  • url hxxp://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]robertoscaia[.]com/eco/
  • url hxxps://fuelrescue[.]ie/eco/
  • url hxxps://www[.]7-zip[.]org/a/7zr[.]exe

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


[ad_2]
Source link

Associated Press, ESPN, CBS among top sites serving fake virus alerts

0
[ad_1]

ScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device.

Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their activities. However, ScamClub has been back for several weeks, and more recently they were behind some very high profile malicious redirects.

The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.

ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.

Forced redirects

Mastodon user Blair Strater (@r000t@fosstodon.org) was simply browsing the Associated Press website on his phone when he was suddenly redirected to a fake security scan page:

Malicious redirect from APnews.com (credit Blair Strater)

This fake scanner is not run by McAfee, but the domain name systemmeasures[.]life that we see in the address bar is the landing page that redirects to one of its affiliates. That affiliate was previously reported but continues unabated.

Web traffic between malicious page and McAfee site

Based on public data, several ad exchanges were abused to deliver this fake antivirus campaign via real-time bidding (RTB) in the past few weeks Most of the telemetry we saw from our Malwarebytes user base was related to smaller websites with ‘risky’ advertisers. However, a different campaign was targeting mobile users with malicious ads slipping by on top publishers (note: this data comes from VirusTotal):

ESPN.COM (1.585B monthly visits)

systemmeasures[.]life/avs/en/mob/mcafee-2.php?c=5uz3hbaiz7oz2&k=b47648817b492be8ba9c7dc97addefb6&country_code=US&carrier=Verizon&country_name=United%20States&region=New%20York&city=Bronx&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=en&ref_domain=www.espn.com&os=iOS&osv=17&browser=Chrome&browserv=119&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5

APNEWS.COM (307.2M monthly visits)

systemmeasures[.]life/avs/en/mob/mcafee-2.php?c=59z40b4g6z7oz2&k=506222e0611d62c3261b9ba847063faa&country_code=US&carrier=-&country_name=United%20States&region=Virginia&city=Alexandria&isp=Comcast%20Cable%20Communications,%20LLC&lang=en&ref_domain=apnews.com&os=Android&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing_name=K&tablet=2&rheight=0&rwidth=0&e=5

CBSSPORTS.COM (265.1M monthly visits)

systemmeasures[.]life/avs/en/mob/mcafee-2.php?c=5uz16jptz7oz2&k=d2761f12fed2ce8472ab704fd55d49e1&country_code=US&carrier=-&country_name=United%20States&region=Colorado&city=Greenwood%20Village&isp=Charter%20Communications%20Inc&lang=en&ref_domain=www.cbssports.com&os=Android&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing_name=K&tablet=2&rheight=0&rwidth=0&e=5

Most of the public reports ([1], [2], [3]) indicate this campaign was at its peak around November 19. To be clear, AP, ESPN, CBS and other sites were not hacked, but rather showed malicious ads. It appears that this high profile campaign stopped shortly after, as we haven’t seen new telemetry data coming from these publishers. However, the other campaign we are also monitoring that is affecting smaller sites is still ongoing (via eu[.]vulnerabilityassessments.life and us.vulnerabilityassessments[.]life).

Connection with ScamClub

We were able to connect this campaign to the ScamClub infrastructure because of another domain (trackmaster[.]cc) that was previously mentioned as belonging to the threat actor. We can see the relationship between systemmeasures[.]life (the landing page) and trackmaster[.]cc (the intermediary domain) in the urlscanio submission below:

urlscanio scan showing the relationship between two domains

Fingerprinting

Like other malvertising threat actors, ScamClub dabbles in obfuscation and evasion techniques. However, as previously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation with changing variable names, making identification harder.

Previously, the malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN.

ScamClub’s malicious JavaScript

Malvertising and mobile users

On this blog, we have covered a number of malvertising campaigns targeting Desktop, both consumer and enterprise. This is in part because we hunt for Windows malware and the occasional Mac ones too.

ScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an afterthought, in particular on iOS, in part due to restrictions imposed by Apple. Clearly, malvertising is flourishing on Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed.

Malwarebytes for Android protects users from this campaign:

Indicators of Compromise

ScamClub URLs

octob[.]azureedge[.]net/oc.js
lzi[.]azureedge[.]net/lz.js
tinlc[.]azureedge[.]net/pt.js
bm-rb[.]azureedge.net/rb.js
foluo[.]azureedge[.]net/fo.js
vpv-ger[.]azureedge[.]net/VpaidVideoAd1.js

ScamClub JavaScript hashes

c01716e23f633b206147efbe70fb37945e3857d6575fd088ea50106fb541cf1e
899cbfbd676159201b2281d9e0e66f3ac200ac58b674375bde04083ff87650ad
451b48c8f247f25cd09a1bf4a52fc195a74830d88bd2ffed7a5d4b7830e10621
495304b489cecd33188ca2a7407d397996fd82ea99966e7c145f0dc67ab2dfb5
a616fc2c1a075170d4decdb9d3c9ad15f2cfbcfda78dbe4c60d72132b9d006c9
34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8
a7a73d3bc716346808b2ee8070dfe5842bb01e10aee1fa9ba87fb975d71d0f4f
de2f1745cdfbe58266b804961bdbd5be8f533843ed7fdf4b5fe6eb0060876b56
1614786dd6ff4189975e8226ab7e68d258817b435c3c4e145951f5147699878e
52cd9f2ff282354c77087b204d5cb32cee9066e8eea4e3c3b8f7cf4d3d3fa20f
df03df284bfbbe006383f26c0c91394f4c4c8d915d04b868a00954f63e6163e0
2f3867d33c448b941278671df9a2b8d3d6b29dec5d74b67654f5edfcc6771575
243d9d70703644f3df148e7633f3ec461a9c43149ea58fd547e2e6fd0c47cce5

Redirectors

trackmaster[.]cc
protectsystemtools[.]life
securitypatch[.]life
real-time-system-monitoring[.]life
threatdetectorhub[.]life
threatdetectorhub[.]online
vulnerabilityassessments[.]life
strike-it-lucky[.]space
golden-opportunity[.]xyz
stroke-of-luck[.]xyz
blessed-with-luck[.]space
system-scan-tool[.]space
system-security-scan[.]buzz
system-security-scan[.]net
system-scan-tool[.]online
trk6[.]kokamedia[.]com
tracklinker[.]space
trackmenow[.]life
trackify[.]world
trackinghub[.]info
trkmyclk[.]xyz
trk-server[.]xyz
34.74.68[.]195

Scam landing pages

systemmeasures[.]life
xyzcreators[.]xyz

[ad_2]
Source link

Meta to launch Threads in Europe in December

0
[ad_1]

Meta’s Threads was one of the biggest Twitter competitors after the company was acquired by Elon Musk. Unfortunately, the microblogging service was missing so many critical features that it lost more than half of its initial users just a few weeks after launch.

Speaking of launch, Threads is still not available in Europe due to the EU’s stiff regulations. One compromise that may allow Meta to launch Threads in Europe is to provide customers with the option to use it without needing a profile.

According to people familiar with Meta’s plans, the company plans to launch Threads in Europe as early as December, The Wall Street Journal reports. If that information proves to be accurate, it would be Threads’ biggest expansion since its initial release this summer.

Meta has been working hard to make Threads as appealing as possible in comparison with the competition, but the app was still missing important features not long ago.

It has taken Meta a few months to actually allow those who created Threads accounts to delete them without losing their Instagram accounts too.

That being said, it looks like Threads still has a lot fans. According to Mark Zukerberg, Threads had “just under 100 million monthly active” users as of October 2023, an impressive number considering the app has been hemorrhaging users since July.

However, with the new shift in the advertising industry, Threads expansion to Europe makes perfect sense. As some of you probably know already, Twitter lost most of its biggest advertisers after Elon Musk’s antisemitic posts, including Apple, Disney and IBM. Meta hopes to redirect their money to Threads and what better way to do that than tapping in a new, very important market: EU.


[ad_2]
Source link

What It Is & Where to Find It

0
[ad_1]

On November 30, 2023, YouTube Music began to roll out its annual Year in Review feature called “2023 Recap”. It’s not as straightforward as some of the other streaming music services, which brings it front-and-center, so we’re here to help you find out where it is, as well as what is included in the 2023 recap.

What is YouTube Music Recap?

YouTube Music’s recap feature is exactly what it sounds like. It’s a recap of the music, artists, and genres that you listened to over the past year. Technically, it’s just January through November. Since the recap comes out right at the beginning of December, So obviously, December is not included in the Recap.

The recap starts by showing you how many minutes you spent listening to music and the different artists that you listened to the most in 2023. Your recap will show you the top 5 artists and some more details about them. This includes how many hours you listened, songs, and the “longest listening streak.” This will also tell you if you’re one of the top listeners for that particular artist.

One of the new features for 2023 includes “Your Album Cover” which YouTube Music will pull colors from your top tracks, making it look a bit like dynamic color theming. And it’s matched with a font and image to inform the creation.

The auto-generated playlist of the top songs for 2023 is not live just yet, but it should be in the coming days. As this is starting to roll out pretty slowly.

How to find your Year in Review Recap on YouTube Music

In the YouTube Music app. You can find the YouTube Music Recap pretty easily. Here’s how to do it:

Tap on your profile picture in the upper-right corner.

Screenshot 2023 11 30 09 23 52 27 801c3494cc30bc6d615367769f98046d

Next, tap on “Your Recap.”

Or you can search “2023 Recap.”

Screenshot 2023 11 30 09 23 59 61 801c3494cc30bc6d615367769f98046d

From here, you should see your 2023 Recap. If you see “Nothing to hear here,” then it’s not yet available for your account.

And that’s it. You can check out your Recap as many times as you’d like and even add these playlists to your library.


[ad_2]
Source link

Elon Musk unfazed by advertiser boycott, says “go f*** yourself”

0
[ad_1]

Elon Musk doesn’t seem to care about the ongoing advertiser boycott on X, triggered by his public endorsement of an antisemitic conspiracy theory. While he apologized for the post, the multi-billionaire lashed out at advertisers using profanity-laced words. He accused the firms of blackmailing him by pulling ads from the social media app.

“I hope they stop. Don’t advertise,” Musk told interviewer Andrew Ross Sorkin at the DealBook conference on Wednesday evening. “If somebody is going to try to blackmail me with advertising, blackmail me with money, go f**k yourself. Go. F**k. Yourself. Is that clear? I hope it is.” The X owner singled out Disney CEO Bob Iger as he said that. Iger was on the stage earlier in the day and said Disney doesn’t want to associate itself with Musk.

Elon Musk lashes out at advertisers amid a widespread boycott

The latest advertiser boycott on X/Twitter began about two weeks ago when Musk called a post attacking Jewish people the “actual truth.” More than 100 brands have pulled out their ads from the platform since his comments. This brand exodus is estimated to cause the company a loss of $75 million by the end of the year. However, Musk seemingly doesn’t care a bit.

For a moment, he appeared to have realized his mistake. “I should in retrospect not have replied to that one person,” Musk said. He even tried clarifying what he actually meant by that post—his belief that Jewish people are funding causes meant to “annihilate” them. He blamed the media for not covering his clarifications, though the clarification seemed to be supporting the antisemitic conspiracy theory.

“Essentially I handed a loaded gun to those who hate me, and arguably to those who are antisemitic,” Musk said about media backlash and advertiser boycott triggered by his comments. “For that, I’m quite sorry. That was not my intention.” However, despite occasionally sounding apologetic, Musk made it clear that he doesn’t care about advertisers fleeing X.

“What this advertising boycott is gonna do is it’s gonna kill the company,” the Tesla CEO said. “That is what everybody on Earth will know. We’ll be gone, and it’ll be gone because of an advertiser boycott.” As The Verge noted, “Musk seemed alternatingly apologetic and defiant” over the matter. He gave the most nonchalant answers to questions about the advertiser issue on X.

X CEO said it was a temporary pause from advertisers

Musk’s comments came a couple of weeks after X CEO Linda Yaccarino said that this advertiser exodus was temporary. She suggested that companies paused investments because of the misleading and manipulated report published by Media Matters earlier this month. X has already sued Media Matters, but advertisers haven’t returned to the platform yet. It remains to be seen how the scenario changes following Musk’s interview. Yaccarino was in the audience as Musk launched a profane attack on advertisers.


[ad_2]
Source link

Galaxy Enhance-X: Even older Galaxy A series phones get Samsung’s AI image editor app

0
[ad_1]

Even older, non-premium Samsung phones are getting the popular Galaxy Enhance-X app!

The image editor app that relies on AI to deliver some stunning results in the retouching art can now be played with on the Galaxy A53 and Galaxy A34 (via SamMobile). Of course, it’s a must that the phones have already installed the recently released Android 14 and One UI 6.

A few weeks ago, Samsung announced that Galaxy Enhance-X would be coming to some Galaxy A series devices with One UI 6, and the Galaxy A54 was the first to get support for it. The addition of the aforementioned two models is a welcomed one.

The Galaxy A34 (which gets access to Android 14 in some markets) was also listed as an eligible device, so users can now download the AI image editor app from the Galaxy Store.

The report states that even the Galaxy A53 can download and use Galaxy Enhance-X, even though Samsung didn’t officially say that 2022’s Galaxy A smartphones would be eligible.

All of this brings us to the logical assumption that the Galaxy A33 will also support Galaxy Enhance-X once it gets One UI 6, though it’s not confirmed right now as it is still running Android 13/One UI 5. Overall, Samsung could gift Galaxy Enhance-X to other A series phones, but that’s for users to check in the Galaxy Store once their Galaxy A series device has received Android 14.


What’s Galaxy Enhance-X?


As the Samsung team puts it, Galaxy Enhance-X is powered by AI and offers “comprehensive one-tap image enhancement” as well as the flexibility to adjust specific features, including HDR.

There’s a broad range of tools available for photo customization. HDR, for example, analyzes highlights, shading, brightness and contrast, expanding the dynamic range of the image and making its lighting richer without sacrificing quality. Like many of Galaxy Enhance-X’s features, it also offers different levels of intensity — from 0 to 4 in HDR’s case.

Furthermore, the images we receive via social media or other messaging apps often come to us compressed after having been uploaded online. For such cases, the Upscale tool boosts the resolution of images under 1MP by up to four times for consistent, sharp detail.

[ad_2]
Source link

The 2023 YouTube Music yearly Recap is now live

0
[ad_1]

You’re inundated with yearly recaps from all of the services you love. Either you’re tired of the constant banners in the apps… or you just don’t want to come to terms with your obsession with Taylor Swift. Either way you slice it, YouTube Music has its 2023 recap for you. You’ll be able to see what music made your 2023 one to remember (via 9To5Google).

If you want to look at your 2023 recap for Spotify, you can do so. This company is also telling people about their listening habits over 2023. It’s pretty easy to do that, so if you want some help, you can read How To Find Your Spotify Wrapped For 2023. You might find similarities between your listening habits in YouTube Music.

Check out your 2023 YouTube recap now

You should see the prompt to check out your recap when you open the app. It will fill the screen when you open the app. Tap on the Get your Recap button at the bottom of the screen, and you’ll see the Recap screen. The first tile you see will take you to your recap.

You’ll see it in a Story style with a succession of pages. It will show you information like how many minutes throughout the year you listened to music on the platform, how many different songs and artists you listened to, and so on. It will give you a recap of the top track you listened to and how many times you listened to it.

It’s all standard yearly recap stuff, but YouTube Music added a neat twist to its recap. The app platform uses the music you listened to to construct an album cover for you. It will take the color scheme from your top track’s album cover, choose a style of text, and an image from the mood of music you listened to the most, and create a unique album cover.

It’s always fun to see what music brought you joy, tears, good vibes, and so on this year, so you should definitely give it a look.


[ad_2]
Source link

Apple unveiled its App Store Award winners for 2023: check out the best apps and games

0
[ad_1]
In the ever-evolving competition among tech giants, the recent unveiling of the Google Play Store and Apple App Store’s best apps and games for 2023 showcased the industry’s ongoing strive for excellence. Google and Apple both stepped into the spotlight on the same day to present their respective winners, providing users with a glimpse into the most innovative and impactful apps of the year.Apple, acknowledging 14 outstanding apps and games, celebrated those that “empowered users to unleash their creativity, discover a world of new adventures, and have fun with family and friends.” Developers from around the globe were recognized for delivering meaningful experiences that inspire cultural change, with the App Store’s Editorial team carefully selecting winners from nearly 40 finalists.Tim Cook, Apple’s CEO, expressed admiration for the developers, noting, “It’s inspiring to see the ways developers continue to build incredible apps and games that are redefining the world around us.”

Taking center stage, the iPhone App of the Year for 2023 is AllTrails, fostering “community through comprehensive trail guides and outdoor exploration.” Meanwhile, Prêt-à-Makeup claimed the title of the best app for iPad, providing a true-to-life makeup sketchpad for professional artists and casual users, promoting “inclusivity and self-expression.”

The Apple Watch App of the Year, SmartGym by Mateus Abras, stood out with its extensive library of exercises, routines, and robust fitness reporting.

In the realm of games, Honkai: Star Rail, from COGNOSPHERE PTE. LTD. earned the prestigious title of the best game for iPhone, a recognition also shared with Google. The iPad Game of the Year, Lost in Play, invites players into a charming, childlike imagination during an epic point-and-click adventure.

Beyond individual categories, Apple’s App Store Editors highlighted five Cultural Impact winners, lauded for driving positive change through apps and games. Noteworthy recipients include Pok Pok, Proloquo, Too Good To Go, Unpacking, and Finding Hannah.

Reflecting broader trends, generative AI emerged as a dominant force in this year’s App Store Awards. Alongside the official winners, App Store Editors worldwide showcased a collection of generative AI apps exemplifying the Trend of the Year, with ChatGPT leading the way.


[ad_2]
Source link

North Korean Hackers Attacking macOS Weaponized Documents

0
[ad_1]

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution of malicious code.

All these documents contain malicious code or macros, often disguised as familiar files, which help hackers gain unauthorized access and deliver malware to their targets.

Recently, the cybersecurity researchers at SentinelOne reported that North Korean hackers are actively attacking the macOS using weaponized documents.

Document
Protect Your Storage With SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Hackers Attacking macOS

North Korean threat actors focused on macOS in 2023 with two major campaigns, and here below, we have mentioned those major campaigns:-

RustBucket employed ‘SwiftLoader,’ disguising itself as a PDF Viewer, to deliver a Rust-written second-stage malware. 

While in the KandyKorn campaign, Python scripts targeted blockchain engineers, delivering a C++ backdoor RAT named ‘KandyKorn’ after hijacking the Discord app on hosts.

A five-stage attack targeted users through Discord, using social engineering to trick them into downloading a malicious Python app.

This Python app is disguised as a crypto arbitrage bot that is distributed as Cross-Platform “Bridges.zip,” and the app contains several harmless Python scripts.

Bridges.zip contents (Source - SentinelOne)
Bridges.zip contents (Source – SentinelOne)

Here below, we have mentioned all the stages:-

  • Stage 0: In this stage, the Discord user is tricked into downloading a malicious Python app, Cross-Platform Bridges.zip. Then, the malware links are sent via direct message and hosted on Google Drive. Then, as a module, the app’s Main.py script imports Watcher.py.
  • Stage 1: In this stage, Watcher.py verifies the Python version and runs testSpeed.py, which downloads and executes FinderTools. After execution, testSpeed.py is removed, and then the “FinderTools” is saved at /Users/Shared/FinderTools.
  • Stage 2: In this stage, the FinderTools runs SUGARLOADER from /Users/Shared/.sld, copying it as .log and appname in /Applications/Discord.app/Contents/MacOS/. SUGARLOADER, coded in C++, looks for a config file at /Library/Caches/com.apple.safari.ck, downloading from C2 if absent. After that, the FinderTools links C2 tp.globa.xyz in the intrusion observed by the cybersecurity researchers.
  • Stage 3: In this stage, the SUGARLOADER downloads HLOADER, replaces genuine Discord, and sets up a stealthy persistence mechanism in /Applications/Discord.app/Contents/MacOS/Discord. HLOADER cleverly disguises itself as MacOS.tmp, ensuring continuous undetected execution alongside Discord. Apple’s login item monitoring remains unaware to this smart renaming/reloading strategy, enhancing persistence.
  • Stage 4: In this stage, from the com.apple.safari.ck the SUGARLOADER grabs the C2 URL to fetch and run the KANDYKORN via NSCreateObjectFileImageFromMemory and NSLinkModule. It’s a North Korean macOS malware technique seen in UnionCryptoTrader (2019). 

North Korean threat actors have an evolving campaign named RustBucket, using the Swift-based app SecurePDF Viewer.app. It’s signed by “BBQ BAZAAR PRIVATE LIMITED” and reaches out to docs-send.online. 

Another variant, Crypto-assets app.zip, signed by “Northwest Tech-Con Systems Ltd,” connects to on-global.xyz, dropping an executable at /Users/Shared/.pw. 

This .pw file, associated with KandyKorn, references /Users/Shared/.pld, matching KandyKorn RAT, indicating shared infrastructure, objectives, and TTPs.

IOCs

SUGARLOADER

  • d28830d87fc71091f003818ef08ff0b723b3f358

HLOADER

  • 43f987c15ae67b1183c4c442dc3b784faf2df090

KANDYKORN RAT

  • 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
  • 46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
  • 62267b88fa6393bc1f1eeb778e4da6b564b7011e
  • 8d5d214c490eae8f61325839fcc17277e514301e
  • 8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
  • 9f97edbc1454ef66d6095f979502d17067215a9d
  • ac336c5082c2606ab8c3fb023949dfc0db2064d5
  • c45f514a252632cb3851fe45bed34b175370d594
  • ce3705baf097cd95f8f696f330372dd00996d29a
  • e244ff1d8e66558a443610200476f98f653b8519
  • e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
  • e77270ac0ea05496dd5a2fbccba3e24eb9b863d9

ObjCShell

  • 79337ccda23c67f8cfd9f43a6d3cf05fd01d1588

SecurePDF Viewer

  • a1a8a855f64a6b530f5116a3785a693d78ec09c0
  • e275deb68cdff336cb4175819a09dbaf0e1b68f6

Crypto-assets and their risks for financial stability.app

  • 09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
  • 5c93052713f317431bf232a2894658a3a4ebfad9
  • 884cebf1ad0e65f4da60c04bc31f62f796f90d79
  • be903ded39cbc8332cefd9ebbe7a66d95e9d6522

Downloader

  • 060a5d189ccf3fc32a758f1e218f814f6ce81744

Remotely-hosted AppleScript

  • 3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c
  • c806c7006950dea6c20d3d2800fe46d9350266b6

Network Communications

  • http[:]//docs-send.online/getBalance/usdt/ethereum
  • https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
  • http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
  • http[:]//tp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • http[:]//swissborg[.]blog/zxcv/bnm
  • 23.254.226[.]90
  • 104.168.214[.]151
  • 142.11.209[.]144
  • 192.119.64[.]43

File paths

  • /Applications/Discord.app/Contents/MacOS/.log
  • /Applications/Discord.app/Contents/MacOS/appname
  • /Library/Caches/com.apple.safari.ck
  • /tmp/tempXXXXXX
  • /Users/Shared/.pld
  • /Users/Shared/.pw
  • /Users/Shared/.sld

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


[ad_2]
Source link

OnePlus 10 Pro starts getting Android 14 with OxygenOS 14

0
[ad_1]

Following the rollout to the OnePlus 11, the OnePlus 10 Pro is now getting Android 14 with OxygenOS 14 as well. The OnePlus 10 Pro, for those of you who are out of the loop, is the company’s flagship smartphone for 2022. It is the OnePlus 11’s predecessor.

Android 14 starts rolling out to the OnePlus 10 Pro

That device launched back in January 2022, and the firmware version of this update is NE2211_14.0.0.202(EX01). The update weighs around 790MB, and the rollout is starting in India. Open Beta testers are the first to get the update.

The rollout is expected to spread to other markets soon, though, if major problems don’t rear their head during the initial rollout. The update in other regions will be basically the same,
without a couple of India-specific changes, of course.

The update delivers Fluid Cloud, File Dock, Content Extraction & more

This update brings a number of changes, of course. A full changelog has been shared by people who have received the update. Android 14 and OxygenOS 14 bring Fluid Cloud, File Dock, Content Extraction, and Smart Cutout to the phone.

On top of that, an improved Shelf experience is also being added, with more widget recommendations. Security and privacy get a boost too, and the same goes for overall performance improvements.

The company’s Aquamorphic Design has been upgraded too

OnePlus has also upgraded the Aquamorphic Design with “a natural, gentle, and clearer color style for a more comfortable color experience”. Aquamorphic-themed ringtones have been added too, and revamped system notifications sounds as well.

On top of all that, the OnePlus 10 Pro gets improved system animations, and also a carbon tracking AOD which visualizes the carbon emissions you avoid by walking, instead of driving.

As per usual, the update is rolling out OTA (Over-The-Air). Once again, it’s limited to Open Beta testers in India for now, even though it’s a stable update. It will spread very soon, though, both in India and globally.


[ad_2]
Source link