
Leaderboard

Popular Content

Showing content with the highest reputation on 06/20/23 in all areas

  1. A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.

     "The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants," InQuest and Zscaler researchers said in an analysis published last week.

     Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python.

     Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat.

     C2 communications are achieved using a custom binary protocol over TCP. As many as 50 operational C2 servers have been identified to date. The control panel, for its part, serves as the interface for buyers of the stealer to access data logs and other configurations.

     Cybersecurity firm Cyfirma, which published a concurrent analysis of Mystic, said, "the author of the product openly invites suggestions for additional improvements in the stealer" through a dedicated Telegram channel, indicating active efforts to court the cybercriminal community.

     "It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion," the researchers said.

     The findings come as infostealers have emerged as a hot commodity in the underground economy, often serving as the precursor by facilitating the collection of credentials to enable initial access into target environments. Put differently, stealers are used as a foundation by other cybercriminals to launch financially motivated campaigns that employ ransomware and data extortion elements.

     The spike in popularity notwithstanding, off-the-shelf stealer malware are not only being marketed at affordable prices to appeal to a wider audience, they are also evolving to become more lethal, packing in advanced techniques to fly under the radar.

     The ever-evolving and volatile nature of the stealer universe is best exemplified by the steady introduction of new strains such as Album Stealer, Bandit Stealer, Devopt, Fractureiser, and Rhadamanthys in recent months.

     In a further sign of threat actors' attempts to evade detection, information stealers and remote access trojans have been observed packaged within crypters like AceCryptor, ScrubCrypt (aka BatCloak), and Snip3.

     The development also comes as HP Wolf Security detailed a March 2023 ChromeLoader campaign codenamed Shampoo that's engineered to install a malicious extension in Google Chrome and steal sensitive data, redirect searches, and inject ads into a victim's browser session.

     "Users encountered the malware mainly from downloading illegal content, such as movies (Cocaine Bear.vbs), video games, or other," security researcher Jack Royer said. "These websites trick victims into running a malicious VBScript on their PCs that triggers the infection chain."

     The VBScript then proceeds to launch PowerShell code capable of terminating all existing Chrome windows and opening a new session with the unpacked rogue extension using the "--load-extension" command line argument.

     It also follows the discovery of a new modular malware trojan christened Pikabot that has the ability to execute arbitrary commands and inject payloads that are provided by a C2 server, such as Cobalt Strike.

     The implant, active since early 2023, has been found to share resemblances with QBot with regard to distribution methods, campaigns, and malware behaviors, although there is no conclusive evidence connecting the two families.

     "Pikabot is a new malware family that implements an extensive set of anti-analysis techniques and offers common backdoor capabilities to load shellcode and execute arbitrary second-stage binaries," Zscaler said.

     Source: https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html
     Alternative: https://www.zscaler.com/blogs/security-research/mystic-stealer
    2 points
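The ChromeLoader/Shampoo chain described in the post above (a script host killing Chrome and relaunching it with "--load-extension") is a pattern that endpoint telemetry can surface. The following is an added example, not code from the article, the post or the researchers cited: a small Python checker run over constructed process-creation events. The event field names (parent, image, cmdline), the sample paths and the severity levels are assumptions made for the example; the heuristics are that a script host as the parent of chrome.exe, or an extension directory under a user-writable location, is suspicious, while a developer sideloading an extension from elsewhere is only noted at low severity.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry).
# Event 1 mirrors the chain described for ChromeLoader: PowerShell relaunches
# Chrome with an unpacked extension dropped under %TEMP%. Event 3 is the
# precursor step, a script host killing all Chrome windows. Event 2 is a
# developer sideloading an extension from a normal location (benign).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\victim\AppData\Local\Temp\ext" --restore-last-session'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\myext'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /F /IM chrome.exe"},
]

# --load-extension accepts a quoted or bare value; several directories may be comma-separated.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Assumed lists for the example: interpreters that should not normally spawn the browser,
# and path fragments that indicate a user-writable drop location.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                         "\\downloads\\", "\\users\\public\\")


def basename(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def extension_paths(cmdline):
    """Return every directory handed to Chrome via --load-extension on this command line."""
    paths = []
    for quoted, bare in LOAD_EXT_RE.findall(cmdline):
        paths.extend(p for p in (quoted or bare).split(",") if p)
    return paths


def analyze(events):
    """Apply the two heuristics to a list of events and return one finding per hit."""
    findings = []
    for idx, ev in enumerate(events):
        parent = basename(ev["parent"])
        image = basename(ev["image"])
        cmd = ev["cmdline"]
        if image == "chrome.exe":
            for path in extension_paths(cmd):
                from_script = parent in SCRIPT_HOSTS
                in_temp = any(m in path.lower() for m in USER_WRITABLE_MARKERS)
                severity = "high" if (from_script or in_temp) else "low"
                findings.append({"event": idx, "rule": "chrome_load_extension",
                                 "severity": severity, "path": path, "parent": parent})
        elif (image == "taskkill.exe" and parent in SCRIPT_HOSTS
              and re.search(r"/im\s+chrome\.exe", cmd, re.IGNORECASE)):
            findings.append({"event": idx, "rule": "chrome_killed_by_script_host",
                             "severity": "medium", "path": None, "parent": parent})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['event']}: {f['rule']} parent={f['parent']} path={f['path']}")
```

The two rules are deliberately independent so that each fires on its own event: correlating the taskkill with a later chrome.exe launch from the same parent process tree is the natural next step in a real pipeline, but it needs process-tree fields this constructed sample does not carry.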
  2. Over 100,000 compromised OpenAI ChatGPT account credentials have found their way onto illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials.

     The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.

     "The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company said. "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year."

     Other countries with the highest number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.

     A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealer, followed by Vidar and RedLine.

     Information stealers have become popular among cybercriminals for their ability to hijack passwords, cookies, credit cards, and other information from browsers, and cryptocurrency wallet extensions.

     "Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces," Group-IB said. "Additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host."

     Typically offered based on a subscription-based pricing model, they have not only lowered the bar for cybercrime, but also serve as a conduit for launching follow-on attacks using the siphoned credentials.

     "Many enterprises are integrating ChatGPT into their operational flow," Dmitry Shestakov, head of threat intelligence at Group-IB, said. "Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT's standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials."

     To mitigate such risks, it's recommended that users follow appropriate password hygiene practices and secure their accounts with two-factor authentication (2FA) to prevent account takeover attacks.

     The development comes amid an ongoing malware campaign that's leveraging fake OnlyFans pages and adult content lures to deliver a remote access trojan and an information stealer called DCRat (or DarkCrystal RAT), a modified version of AsyncRAT.

     "In observed instances, victims were lured into downloading ZIP files containing a VBScript loader which is executed manually," eSentire researchers said, noting the activity has been underway since January 2023. "File naming convention suggests the victims were lured using explicit photos or OnlyFans content for various adult film actresses."

     It also follows the discovery of a new VBScript variant of a malware called GuLoader (aka CloudEyE) that employs tax-themed decoys to launch PowerShell scripts capable of retrieving and injecting Remcos RAT into a legitimate Windows process.

     "GuLoader is a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs)," the Canadian cybersecurity company said in a report published earlier this month. "GuLoader leverages user-initiated scripts or shortcut files to execute multiple rounds of highly obfuscated commands and encrypted shellcode. The result is a memory-resident malware payload operating inside a legitimate Windows process."

     Source: https://thehackernews.com/2023/06/over-100000-stolen-chatgpt-account.html
    1 point
  3. Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis.

     The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

     Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system. CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution. CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by means of a specially-crafted HTTP request.

     The seven other flaws are as follows:

     - CVE-2022-35401 (CVSS score: 8.1) - An authentication bypass vulnerability that could permit an attacker to send malicious HTTP requests to gain full administrative access to the device.
     - CVE-2022-38105 (CVSS score: 7.5) - An information disclosure vulnerability that could be exploited to access sensitive information by sending specially-crafted network packets.
     - CVE-2022-38393 (CVSS score: 7.5) - A denial-of-service (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.
     - CVE-2022-46871 (CVSS score: 8.8) - The use of an out-of-date libusrsctp library that could open targeted devices to other attacks.
     - CVE-2023-28702 (CVSS score: 8.8) - A command injection flaw that could be exploited by a local attacker to execute arbitrary system commands, disrupt the system, or terminate service.
     - CVE-2023-28703 (CVSS score: 7.2) - A stack-based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary system commands, disrupt the system, or terminate service.
     - CVE-2023-31195 (CVSS score: N/A) - An adversary-in-the-middle (AitM) flaw that could lead to a hijack of a user's session.

     ASUS is recommending that users apply the latest updates as soon as possible to mitigate security risks. As a workaround, it's advising users to disable services accessible from the WAN side to avoid potential unwanted intrusions.

     "These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, [and] port trigger," the company said, urging customers to periodically audit their equipment as well as set up separate passwords for the wireless network and the router-administration page.

     Source: https://thehackernews.com/2023/06/asus-releases-patches-to-fix-critical.html
    1 point
  4. Even my mom writes more secure code than router developers. And no, she's not a developer.
    1 point
  5. 🤣 The same synscan that bios made in 2001. In 22 years, nobody has made anything else. The same tools rewritten, with bells, whistles and junk added in bash.
    1 point
  6. I don't really understand what is going on in this world; crap like this has been done for decades...
    1 point