Posts

Showing posts from September, 2020

New macOS and Linux-targeting variants of the infamous FinFisher-made spyware family FinSpy.

FinFisher’s FinSpy malware for macOS is a commercially produced and distributed product aimed at infecting Mac users for spying, stealing data, and remotely controlling the target machine. FinSpy is produced by the Munich-based company FinFisher GmbH and sold to law enforcement and government agencies around the world. Based on publicly available information, FinSpy has been used to target human rights defenders (HRDs) and civil society in many countries, including Bahrain, Turkey, and Ethiopia, and has been tied to the attacker group commonly known as NilePhish, which is likely state-sponsored. The FinSpy tool was written with multiple capabilities in mind, with everything from a keylogger, audio recording, camera and screenshot tools to a remote access shell, file enumeration, and exfiltration functions. Indicators of Compromise Domain flash.browserupdate.download current.browserupdate.download files.browserupdate.downl...

Malicious Shell Scripts Evolution

Malicious actors constantly improve and optimize their routines and techniques, such as the ability of their shell scripts to obfuscate and deliver payloads. To maximize profits and evade improving detection and mitigation technologies, cybercriminals will reuse even previously documented and discovered techniques for other operating systems or combine them with new ones. The Unix programming community commonly uses shell scripts as a simple way to execute multiple Linux commands from a single file. Many users do this as part of a regular operational workload: manipulating files, executing programs, and printing text. A shell interpreter is available on every Unix machine, which also makes it a dynamic tool abused by malicious actors, for example against exposed Redis instances and Docker APIs, or to remove rival cryptocurrency miners. Indicators of Compromise File Hash 1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b bea4008c0f...

Cybercriminals Distribute Backdoor With VPN Installer

Today, many companies use VPNs for their WFH setups. Although the home is a place for relaxation, users should never let their guard down when it comes to the security of their devices. Virtual Private Networks (VPNs) are also used by cybercriminals as bait for spreading threats, and in this attack, threat actors are bundling Windscribe VPN installers with a backdoor detected as Backdoor.MSIL.BLADABINDI.THA. Backdoors allow cybercriminals to gain access to and control of computers remotely without the need for proper authentication. The use of a VPN secures the communication between a user’s computer and the internet by encrypting the connection, thus keeping data secure from spying attempts. VPNs have always been useful but are now relied on more than ever as many companies remain in work-from-home (WFH) mode, away from the presumably more secure office network environment. Indicators of Compromise URLs gamezer1hack[.]sytes[.]...

Rudeminer, Blacksquid and Lucifer Walk into a Bar

Lucifer is a hybrid Windows crypto miner and DDoS malware. It started as a miner with self-spreading capabilities that targeted Windows systems and has now evolved into multi-platform, multi-architecture malware targeting Linux and IoT devices as well. It targets over 25 organizations in the US, Ireland, the Netherlands, Turkey, and India. Attacks have hit a variety of sectors, including manufacturing, legal, insurance, and the banking industry. The current main attack vector for IoT devices is the exploitation of the vulnerability known as CVE-2018-10561, which affects unpatched Dasan GPON router devices. The malware has several capabilities: multiple types of DDoS attacks, full command-and-control operations able to download and execute files, remote command execution, Monero mining using the XMRig miner, and self-spreading on Windows systems through various exploitation techniques. Indicators of Co...

After TikTok Ban TikTok Spyware Target Users with fake App name TikTok Pro

Generally, after an application gets banned from an official app store, such as Google Play, users try to find alternative ways to download the app. In doing so, users can become victims of malicious apps portraying themselves as the original app. This TikTok spyware appears to have been developed with a framework like SpyNote and SpyMax, meaning it could be an updated version of these Trojan builders, which allow anyone, even with limited knowledge, to develop full-fledged spyware. Such a framework allows anyone to develop a malicious app with the desired icon and communication address. Recently there was a huge wave of SMS messages, as well as WhatsApp messages, making the rounds asking users to download the latest version of TikTok. The downloaded app is a fake that asks for credentials and Android permissions (including camera and phone permissions), resulting in the user being bombarded with advertisements....

EVILNUM UNLEASHES PYVIL RAT

The Evilnum group uses different components written in JavaScript and C# as well as tools bought from the Malware-as-a-Service provider Golden Chickens. Among the tools used by the Evilnum group are More_eggs, TerraPreter, TerraStealer, and TerraTV. The group is known to target FinTech companies and abuses the Know Your Customer (KYC) procedure to start the infection. The Evilnum group released a new Python-scripted RAT, known as PyVil RAT, that was compiled with py2exe and can download new modules to expand its functionality. PyVil RAT possesses different functionalities and enables the attackers to exfiltrate data, perform keylogging, take screenshots, and deploy more tools such as LaZagne to steal credentials. Indicators of Compromise Domains voipasst[.]com voipreq12[.]com telecomwl[.]com crm-domain[.]net leads-management[.]net fxmt4x[.]com xlmfx[.]com telefx[.]net voipssupport[.]com trquotesys[...

Domains Mimicking of Major Brands Including Facebook, Apple, Amazon and Netflix done by Attackers to Scam Consumers

When cybercriminals take advantage of the essential role that domain names play on the internet by registering names that appear related to existing domains or brands, with the intent of profiting from user mistakes, this is known as cybersquatting. The purpose of squatting domains is to confuse users into believing that the targeted brands own these domain names or to profit from users’ typing mistakes. While cybersquatting is not always malicious toward users, it is illegal in the U.S., and squatting domains are often used or repurposed for attacks. Indicators of Compromise (IOC) IP 217.182.227[.]117 File Hashes 5acd6d9ac235104f90f9a39c11807c37cdfb103d6c151cc1a2e4e38bf3dbe41f fa28b59eb0ccd21d3994b0778946679497399b72c2e256ebf2434553cb7bf373 e7fb436bf7d8784da092315bce1d3511a6055da41fe67362bad7a4c5d3f0294e 4192c0a946c5bd9b544b465...