
Blackwood: new China-linked APT group uses an advanced implant against targets in China, Japan and the UK

To deliver the implant, Blackwood uses adversary-in-the-middle (AitM) techniques to hijack update requests from legitimate software. The group conducts cyberespionage against individuals and companies in China, Japan and the United Kingdom.

The NSPX30 implant is distributed through the update mechanisms of legitimate software such as Tencent QQ, WPS Office and Sogou Pinyin. The research traces the development of NSPX30 to a small backdoor in 2005 called Project Wood, designed to collect data from its victims.

NSPX30 is a multi-stage implant with a dropper, loaders, an orchestrator and a backdoor. It can also add itself to the allowlists of several Chinese anti-malware products.


The names Blackwood and Project Wood are based on a recurring theme in the mutex names the malware uses. A mutex (mutual exclusion object) is a synchronization primitive used to control access to a shared resource; malware commonly creates a uniquely named one so that only a single copy runs on a host, which also makes that name a usable host-based indicator. Judging by the techniques employed, the 2005 Project Wood implant appears to be the work of developers already experienced in writing malware.

The NSPX30 implant was recently detected on a small number of systems. The victims include unidentified individuals in China and Japan, an unidentified Chinese speaker connected to the network of a high-profile public research university in the United Kingdom, a large manufacturing and trading company based in China, and the China-based office of a Japanese company in the engineering and manufacturing sector.

The attackers were also seen re-compromising systems after losing access to them.


The orchestrator and the backdoor each come with their own set of plugins that implement spying capabilities against applications such as Skype, Telegram, Tencent QQ and WeChat. The implant also takes steps to evade several Chinese antivirus products.

Machines were found to be compromised when legitimate software attempted to download updates from legitimate servers over unencrypted HTTP. The hijacked updaters belong to popular Chinese software such as Tencent QQ, Sogou Pinyin and WPS Office.
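The compromise signature described above is a cleartext update channel delivering an executable. The following Python script, an added example that is not taken from the research or from this article, shows a detection you can run over proxy or Zeek-style HTTP logs to surface exactly that. The log lines, column layout, hostnames, IPs and user agents are constructed placeholders, not indicators from the Blackwood research; the set of cleartext ports is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed, simplified Zeek-style http.log (tab-separated). Columns:
# ts  orig_h  resp_h  resp_p  method  host  uri  user_agent  resp_mime_type
# Every host, IP and user agent here is a placeholder, not a real indicator.
SAMPLE_HTTP_LOG = """\
1706000001.1\t10.0.0.21\t203.0.113.10\t80\tGET\tupdate.vendor.example\t/qq/update/patch_9.7.8.exe\tQQUpdater/1.0\tapplication/x-dosexec
1706000002.4\t10.0.0.21\t203.0.113.11\t443\tGET\tdl.vendor.example\t/wps/manifest.json\tWPSUpdate/2.1\tapplication/json
1706000003.9\t10.0.0.33\t198.51.100.5\t80\tGET\tcdn.example\t/img/logo.png\tMozilla/5.0\timage/png
1706000004.2\t10.0.0.33\t203.0.113.12\t80\tGET\tpinyin.vendor.example\t/sogou/updater/sgimeupdate.dll\tSogouUpdater\tapplication/x-dosexec
1706000005.0\t10.0.0.40\t203.0.113.13\t8080\tPOST\tapi.example\t/telemetry\tcurl/8.0\t-
"""

EXEC_MIME = {"application/x-dosexec", "application/x-msdownload", "application/x-msi"}
EXEC_EXT = re.compile(r"\.(exe|dll|msi|cab)$", re.IGNORECASE)
UPDATER_UA = re.compile(r"updat", re.IGNORECASE)
CLEARTEXT_PORTS = {80, 8080}  # assumption: TLS is never spoken on these ports here


@dataclass(frozen=True)
class Finding:
    ts: float
    client: str
    server: str
    host: str
    uri: str
    reasons: tuple


def parse_http_log(text):
    """Parse the tab-separated lines into dicts; comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({"ts": float(f[0]), "orig_h": f[1], "resp_h": f[2],
                     "resp_p": int(f[3]), "method": f[4], "host": f[5],
                     "uri": f[6], "ua": f[7], "mime": f[8]})
    return rows


def flag_cleartext_updates(rows):
    """Return every cleartext HTTP transfer that looks like an update binary.

    Server IP and hostname are deliberately not used as indicators: in the case
    described above both were legitimate, so the durable signal is 'executable
    fetched by an updater over a channel anyone on the path can rewrite'."""
    findings = []
    for r in rows:
        if r["resp_p"] not in CLEARTEXT_PORTS:
            continue  # TLS-protected fetches are out of scope for this check
        reasons = []
        if r["mime"] in EXEC_MIME:
            reasons.append("executable-mime")
        if EXEC_EXT.search(r["uri"]):
            reasons.append("executable-uri")
        if UPDATER_UA.search(r["ua"]):
            reasons.append("updater-user-agent")
        # an updater user agent alone is not enough; require an executable payload
        if any(x.startswith("executable") for x in reasons):
            findings.append(Finding(r["ts"], r["orig_h"], r["resp_h"],
                                    r["host"], r["uri"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in flag_cleartext_updates(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{f.client} -> http://{f.host}{f.uri}  [{', '.join(f.reasons)}]")
```

Two of the five constructed requests are flagged. A hit is not proof of compromise; it tells you which updaters on the network can be hijacked by anyone on the path, and the follow-up is to compare the delivered file against the vendor's signed package rather than to block the legitimate host.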

The backdoor's main purpose is to communicate with its controller and exfiltrate the collected data. It can take screenshots, log keystrokes and gather various system information.

The attackers' interception capability also lets them hide their real infrastructure: the orchestrator and the backdoor communicate with legitimate networks owned by Baidu to download new components and to exfiltrate collected data.

The malicious but legitimate-looking traffic that NSPX30 generates is believed to be forwarded to the attackers' real infrastructure by the same, still unidentified, interception mechanism that performs the adversary-in-the-middle attacks.


Security

Everything You Need to Know About IP Theft

IP phishing (also called IP grabbing) usually takes the form of a link that, when clicked, records and stores the visitor's IP address. With other tools, the address can then be used to tie that visitor to activity on various web pages.


Although an IP address alone reveals relatively little, it is still an identifiable piece of data and can be put to illegal use by someone willing to invest the time and resources. Even links that appear to come from harmless users deserve suspicion; staying wary of such links keeps you a step ahead of attackers.
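To make the mechanism concrete, here is a minimal IP-logging redirect link written in Python, added as an example and not taken from the article. The decoy URL, the /r/ path prefix and the record format are assumptions; the point is that the victim only ever sees the harmless page they are forwarded to.

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hypothetical benign page the visitor is forwarded to after being logged.
DECOY_URL = "https://example.com/"


def is_tracking_link(path):
    """Only paths under /r/<id> are tracking links (assumed layout)."""
    return urlsplit(path).path.startswith("/r/")


def record_hit(remote_addr, headers, path, now=None):
    """Build the record a grabber keeps for one click.

    X-Forwarded-For is stored separately from the socket address: it is set by
    proxies, or by the client itself, so it cannot be trusted as the true source."""
    return {
        "ts": now if now is not None else time.time(),
        "remote_addr": remote_addr,
        "x_forwarded_for": headers.get("X-Forwarded-For", ""),
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),
        "link_id": urlsplit(path).path.rsplit("/", 1)[-1],
    }


class Grabber(BaseHTTPRequestHandler):
    hits = []  # in-memory log; a real grabber would persist this

    def do_GET(self):
        if not is_tracking_link(self.path):
            self.send_error(404)
            return
        hit = record_hit(self.client_address[0], self.headers, self.path)
        self.hits.append(hit)
        print(json.dumps(hit))
        self.send_response(302)  # the visitor lands on the decoy and notices nothing
        self.send_header("Location", DECOY_URL)
        self.end_headers()


if __name__ == "__main__":
    # Visit http://127.0.0.1:8000/r/abc in a browser to see one record logged.
    HTTPServer(("127.0.0.1", 8000), Grabber).serve_forever()
```

What the defender should take from this: the only thing the link needs from you is the HTTP request itself, so previewing or "checking" a suspicious link from your own machine still logs you. Inspect such links from a sandbox or through a VPN, or not at all.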

Why would anyone want to record your IP address?

There are several reasons someone might record an IP address. Online stores find it easier to target visitors with advertising: because an IP address gives a rough location, ads can be tailored to it. Social media sites do the same to record your interests when you click an affiliate link. The address also helps prevent fraud, since a service can ask users to re-authenticate when a connection comes from an unusual location.


Just as an online store or website can determine your address, malicious actors can capture your IP address (IP theft) and use it, together with whatever other information they obtain, for their own purposes.

Targeting and tracking: an IP address reveals a person's approximate geographic location, so combined with other information it makes it easier to target a person or company. If you are on, say, a compromised public Wi-Fi network, a fraudster who knows your address can also follow your online activity on that network.

DDoS attacks: once an attacker knows the IP address of an individual or company, they can direct a flood of traffic at it and saturate the owner's internet connection.

Social engineering: a clever fraudster can use the IP address as a starting point to extract more information from an individual or even a company. This is usually followed or accompanied by another phishing method and can escalate into a larger attack.

Abuse of your IP: a criminal can make illegal activity appear to originate from your address, either by spoofing it as the source of packets (which only works for one-way traffic, since replies go back to you rather than to the attacker) or by routing traffic through a compromised device on your network, in effect using your connection as a proxy.


How to protect against IP theft?

There are many ways for users to protect themselves, but three basic measures stand out:

Never click on random links. This bears repeating: the link you click may not be an IP grabber but some other kind of malicious link, possibly leading to a malware infection.

Use a VPN. A reputable paid VPN masks your real address from the sites you visit by routing your traffic through the provider's servers, so those sites see the VPN's IP address and location rather than yours (the provider itself still sees your real address, so its logging policy matters). Avoid free VPN services: they may carry malware, offer weak security, or record and sell your data to third-party advertisers.

Secure your router and firewall. Change the default passwords on your router and other devices, keep their firmware updated, and keep the firewall enabled so that unsolicited inbound connections are dropped before they reach your devices.


Security

Spam Emails Used as a Weapon of War This Time

Russia-affiliated threat actors tried to influence Ukrainian citizens and convince them that Russia had won the war, using spam messages sent in two waves: the first in November 2023 and the second at the end of December 2023.


The spam emails talked about natural gas outages and shortages of medicine and food, familiar themes of Russian propaganda.

A phishing campaign targeting a Ukrainian defense company was detected in October 2023, and one targeting an EU agency, using standard-looking fake Microsoft login pages, in November 2023.

The aim of both was to steal credentials for Microsoft Office 365 accounts. The PSYOP and phishing operations are most likely related, given the overlaps in the network infrastructure they used.

Since the start of the war in Ukraine, Russia-affiliated groups such as Sandworm have been busy disrupting Ukraine’s IT infrastructure using wipers. Recent months have seen an increase in cyber espionage operations, particularly by the notorious Gamaredon group.

Operation Texonto shows yet another way technology is used to influence a war. The odd mix of espionage, information operations and fake pharmaceutical messages is reminiscent of Callisto, a well-known Russia-aligned cyberespionage group, some of whose members were indicted by the US Department of Justice in December 2023.

Callisto targets government officials, staff at think tanks, and military-related organizations through spearphishing websites designed to impersonate common cloud providers. The group has also carried out disinformation operations, such as a document leak just ahead of the 2019 UK general election. Finally, it creates fake pharmaceutical domains using legacy network infrastructure.


An email server operated by the attackers to send the PSYOP spam was reused two weeks later to send typical Canadian-pharmacy spam.

That category of illegal business has long been popular within the Russian cybercrime community. Investigations also turned up Operation Texonto domain names that refer to internal Russian matters, such as the prominent Russian opposition leader Alexei Navalny, who died on February 16, 2024 while serving a prison sentence.

This means that Operation Texonto likely involved spearphishing or information operations targeting Russian dissidents.
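The links drawn above, between the PSYOP emails and the phishing campaigns and between the PSYOP mail server and the pharmacy spam, rest on shared infrastructure. The following Python example, added here and not part of the research or of this article, shows the basic pivot: grouping domains that share a resolved IP address or a nameserver. All domains, IPs and nameservers are constructed placeholders in reserved example ranges; none are Operation Texonto indicators.

```python
from collections import defaultdict

# Constructed passive-DNS-style records: (domain, resolved_ip, nameserver).
# TEST-NET addresses and .example names; nothing here is a real indicator.
RECORDS = [
    ("health-ministry-lookalike.example", "203.0.113.7", "ns1.hoster.example"),
    ("agri-ministry-lookalike.example", "203.0.113.7", "ns1.hoster.example"),
    ("login-portal-lookalike.example", "203.0.113.9", "ns1.hoster.example"),
    ("cheap-pharmacy.example", "203.0.113.9", "ns2.other.example"),
    ("unrelated-shop.example", "198.51.100.20", "ns3.unrelated.example"),
]


def cluster_by_shared_infrastructure(records, pivots=("ip", "ns")):
    """Union-find over domains: two domains join a cluster when they share a
    value in any of the chosen pivot fields. Returns clusters largest first."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    by_key = defaultdict(list)
    for domain, ip, ns in records:
        parent.setdefault(domain, domain)
        by_key[("ip", ip)].append(domain)
        by_key[("ns", ns)].append(domain)

    for (kind, _), domains in by_key.items():
        if kind not in pivots:
            continue
        for d in domains[1:]:
            union(domains[0], d)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    for pivots in (("ip", "ns"), ("ip",), ("ns",)):
        print(pivots, cluster_by_shared_infrastructure(RECORDS, pivots))
```

Run with both pivots, the two ministry lookalikes, the login portal and the pharmacy domain fall into one cluster; with IP only, they split into two pairs. That difference is the caveat: a shared nameserver at a large hosting provider is a weak pivot and will happily join unrelated customers, so weight each pivot by how many unrelated domains it also covers before treating a cluster as one operator.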

The purpose of the first wave of disinformation spam was to sow doubt in the minds of Ukrainians; one email, for example, says, "There may be natural gas outages this winter."

Other emails, purporting to come from the Ministry of Health, mention drug shortages. This wave appears to carry no malicious links or malware, only disinformation.

An email from a domain posing as the Ukrainian Ministry of Agricultural Policy and Food recommends replacing unavailable drugs with herbs. Another spam email "from" the Ministry recommends eating "pigeon risotto", complete with a photo of a live pigeon and a cooked one.

These messages were deliberately crafted to anger and demoralize readers. Overall they follow common Russian propaganda themes, trying to convince Ukrainians that the war will leave them without medicine, food and heating.

About a month after the first wave, a second PSYOPs email campaign was detected targeting not only Ukrainians but also people in other European countries. The targets range from the Ukrainian government to an Italian shoe manufacturer.

The second wave carries darker messages, with the attackers suggesting that people cut off a leg or an arm to avoid military deployment. Overall it has all the hallmarks of wartime PSYOPs.


Security

How does digital forensics reveal the truth?

As technology becomes increasingly intertwined with various aspects of our lives, the importance of digital forensics in different fields increases even more.


The art of uncovering, analyzing and interpreting digital evidence is seeing significant growth, especially in investigations of various fraud and cyber crimes, tax evasion, stalking, child exploitation, intellectual property theft and even terrorism.

Digital forensics techniques help organizations understand the scope and impact of data breaches and prevent further damage from these incidents.

Digital forensics plays a role in a variety of contexts, including criminal investigations, incident response, divorce and other legal proceedings, employee misconduct investigations, counterterrorism, fraud detection and data recovery.

We explain exactly how digital forensics investigators size up a digital crime scene, look for clues, and piece together the story the data has to tell.


Collection of evidence

This step involves identifying and collecting sources of digital evidence and creating complete copies of any information that may be linked to the incident. The original data must not be altered, so bit-for-bit copies are made with appropriate tools and devices, typically behind a write blocker.

A bit-for-bit image is the same size as the disk it came from, which is what later lets analysts recover deleted files or find hidden partitions. Evidence items, labeled with date, time and time zone, should be sealed in containers that protect them from outside influence and from accidental or deliberate tampering.

Photographs and notes documenting the physical condition of devices and their electronic components often help provide additional context and understand the circumstances under which evidence was collected.

Data protection

To lay the groundwork for a successful analysis, the collected information must be protected from damage and tampering. Analysts create forensic images (exact, bit-for-bit copies) of the data and perform all analysis on those copies, never on the originals.

This phase revolves around the chain of custody, a meticulous record of where each item was, when, and exactly who handled it. Analysts also hash the original media and the image so that the copy can be shown to be identical, and hash individual files to identify them precisely.

A hash acts as a fingerprint for the data: recomputing it later and comparing it with the recorded value verifies that the evidence has not changed since it was collected.
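The collection and preservation steps above, as one added Python example that is not from the article: stream a bit-for-bit image, hash the source while reading and the image after writing, record a chain-of-custody entry with an explicit time zone, and re-verify the image before analysis. The "device" is a constructed temporary file standing in for a block device, and the custody record format is an assumption; a real acquisition additionally puts a hardware write blocker between the media and the imaging host.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: streams large media without loading it in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path, handler, note=""):
    """Copy `source` into `image_path` byte for byte, hashing the bytes as they
    are read, then re-hash the written image. Both digests and the byte count
    must agree before the image is trusted. The source is opened read-only."""
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),  # zone is always recorded
        "action": "acquire",
        "handler": handler,
        "source": source,
        "image": image_path,
        "bytes": copied,
        "source_sha256": h.hexdigest(),
        "image_sha256": sha256_file(image_path),
        "note": note,
    }
    entry["verified"] = (entry["source_sha256"] == entry["image_sha256"]
                         and copied == os.path.getsize(source))
    return entry


def append_custody(log_path, entry):
    """Chain-of-custody log: one JSON record per line, append-only (assumed format)."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def verify_image(image_path, expected_sha256):
    """Re-run before every analysis session; any drift means the working copy
    is no longer evidence."""
    return sha256_file(image_path) == expected_sha256


def demo():
    """Acquire a constructed stand-in for a block device, verify the image, then
    flip one byte of it and show the check fails. Returns (verified, ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "usb0.raw")  # constructed stand-in for /dev/sdX
        with open(device, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a whole number of chunks
        image = os.path.join(d, "usb0.dd")
        entry = acquire_image(device, image, handler="analyst-1", note="demo acquisition")
        append_custody(os.path.join(d, "custody.jsonl"), entry)
        ok_before = verify_image(image, entry["source_sha256"])
        with open(image, "r+b") as f:  # simulate tampering with the working copy
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(image, entry["source_sha256"])
        return entry["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The custody entry deliberately stores both digests rather than one: a match between the hash computed while reading the source and the hash of the finished image is what proves the copy is complete, and the stored value is what every later verification is compared against.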


Analysis

This is where specialized hardware and software come into play as investigators examine the evidence collected to draw meaningful insights and conclusions about the incident or crime.

Analysts must closely follow emerging technologies and cyber threats to stay effective in this fast-moving field. Examining timestamps and access logs is common practice at this stage.

This helps reconstruct events, create action sequences, and identify anomalies that may be indicative of malicious activity.
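To show the timestamp and log examination described above, here is an added Python example, not from the article, that normalizes constructed log lines from three sources into a single UTC timeline and flags a file whose modification time precedes its creation time. The log formats, host time zone, account names, addresses and paths are all constructed.

```python
import re
from datetime import datetime, timezone

# Constructed log lines. Note the three different timestamp formats and two zones.
WINDOWS_SECURITY = [  # exported with the host's local time (UTC+2)
    "2024-02-16 09:15:02 +0200 EventID=4624 LogonType=10 Account=alice Src=198.51.100.44",
    "2024-02-16 09:31:40 +0200 EventID=4688 NewProcess=C:\\Windows\\Temp\\svc.exe Account=alice",
]
WEB_ACCESS = [  # combined-log style, written in UTC
    '198.51.100.44 - - [16/Feb/2024:07:05:55 +0000] "POST /upload HTTP/1.1" 200 5120',
]
FILE_RECORDS = [  # (path, created, modified): an MFT-style export in UTC
    ("C:\\Windows\\Temp\\svc.exe", "2024-02-16T07:30:10Z", "2019-03-01T00:00:00Z"),
    ("C:\\Users\\alice\\notes.txt", "2024-02-10T12:00:00Z", "2024-02-15T16:20:00Z"),
]

WIN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (.*)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]+)"')


def parse_windows(line):
    m = WIN_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
    return (ts.astimezone(timezone.utc), "winsec", m.group(2))


def parse_web(line):
    m = WEB_RE.match(line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return (ts.astimezone(timezone.utc), "web", f"{m.group(1)} {m.group(3)}")


def parse_iso_z(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline():
    """Merge every source into one UTC-ordered list of (time, source, detail).
    Converting to one zone first is what makes the ordering meaningful."""
    events = [parse_windows(line) for line in WINDOWS_SECURITY]
    events += [parse_web(line) for line in WEB_ACCESS]
    for path, created, modified in FILE_RECORDS:
        events.append((parse_iso_z(created), "mft", f"created {path}"))
        events.append((parse_iso_z(modified), "mft", f"modified {path}"))
    return sorted(events)


def find_timestomp_candidates(records):
    """A file whose last-modified time precedes its creation time cannot have
    arisen from normal writes; it is a classic timestomping indicator."""
    return [path for path, created, modified in records
            if parse_iso_z(modified) < parse_iso_z(created)]


def render(timeline):
    return [f"{t.isoformat()} {src:6} {detail}" for t, src, detail in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
    print("timestomp candidates:", find_timestomp_candidates(FILE_RECORDS))
```

Once normalized, the constructed data reads as one sequence: an upload from an external address, a remote logon from the same address ten minutes later, a new executable created in a temp directory, and that executable launched a minute after that. The executable's 2019 modification time is the anomaly the timeline makes visible; without converting the Windows events out of local time, the logon would appear to happen two hours after the process start instead of before it.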

Documentation

All actions, artifacts, anomalies and any patterns detected before this stage should be documented in as much detail as possible. In fact, the documentation should be detailed enough that another computer forensics expert can repeat the analysis.


Documenting the methods and tools used throughout the research is very important for transparency and reproducibility. It allows others to verify results and understand the procedures followed.

Professionals should also document the reasons behind their decisions, especially when faced with unexpected challenges. This helps justify the actions taken during the investigation.

Reporting

A typical digital forensic report provides background on the case. It defines the scope of the investigation along with its objectives and limitations, and explains the methods and techniques used.

It details the process of obtaining and preserving the evidence.

It presents the results of the analysis, including the artifacts, timelines and patterns discovered, and summarizes the findings and their significance for the objectives of the investigation.


Copyright © 2022 RAZORU NEWS.
Project by V