-
Russian-occupied Ukraine was home to some of the worst abuses, according to new report.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Biden signed a law that extends Section 702 authorities into 2026βand lacks proposed limits on intelligence agencies’ right to gather and search Americans’ communications.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
User satisfaction “increased minimally” last year for MHS Genesis, the electronic-records system installed under a 2015 contract, a GAO survey found.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
U.S. could win a war with China today, but would suffer heavy losses, the official told reporters.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
An agreement between the departments of Defense and State aims to ease unemployment among the spouses of servicemembersβand increase military families’ quality of life.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Anduril says its Ghost Shark proves that UUVs can be designed and built quickly.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
The threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data. Russian cybersecurity firm Kaspersky characterized the adversary as relying on various programs to harvest data on an “industrial scale” from primarily governmental organizations, some of them defense related, located in
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Hackers often target PyPI packages to exploit vulnerabilities and inject malicious code into widely used Python libraries.
Recently, cybersecurity researchers at FortiGuard Labs identified a malicious PyPI package attacking Discord users to steal credentials.
The malicious PyPI package that was discovered is described as “discordpy_bypass-1.7,” published on March 10th, 2024, and detected on March 12, 2024.
The package, authored by Theaos and consisting of seven versions with almost similar characteristics, is intended to obtain sensitive information from the victims via persistence techniques, browser data extraction, and token harvesting.
Technical Analysis
The discordpy_bypass-1.7 PyPI package demonstrates persistent cyber-attacks by using malicious behavior designed to take sensitive data from user systems through code obfuscation and evasion techniques against analysis environments.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
This code employs different checks to detect and quit itself when it runs in a debug or analysis environment, showing attempts to avoid detection.
The coding involves three levels of obfuscation:-
- base64 encoding the original Python code
- Encoding with obfuscation techniques
- Compilation into an executable fetched from a remote URL by discordpy_bypass/discordpy_bypass.py
The code also contains debugging environment detection techniques like checking for blacklisted processes, and the system IP/MAC addresses are compared against blocklists.
This makes it critical for people to be alert right from the beginning and take initiative regarding such threats.
FortiGuard said that to detect debugging environments; the code quickly checks the system username, hostname, and hardware ID against some blocklists.
Initializing variables and setting up Socket.IO events for remote control and monitoring enable actions such as file operations, directory navigation, and command execution.
Authentication tokens, especially from Discord, are the target for harvesting sensitive browser data such as login credentials, cookies, and web history.
Before uploading them to a remote server, it also decrypts and validates any extracted tokens.
The discordpy_bypass-1.7 code is a smart and stealthy cyber threat that aims to steal crucial system data quietly by using evasive measures to avoid detection and analysis.
This artful βcostumeβ points out online threats and the necessity of being alert and having strong protections in place.
With knowledge of such threats, researchers can design more secure systems to enhance personal information and general safety for users through joint vigilance and cooperation.
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP
.The post Malicious PyPI Package Attacking Discord Users To Steal Credentials appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
APT29, a Russian threat group, targeted German political parties with a new backdoor called WINELOADER using spear-phishing emails containing malicious links to ZIP files hosted on compromised websites.
The ZIP files deployed an HTA that initiated a multi-stage infection chain, delivering WINELOADER.
The backdoor has functionalities for communication with command and control servers and utilizes evasion techniques.
To defend against the APT29 campaign, security teams should understand these TTPs and the WINELOADER backdoor to improve detection capabilities.
APT29 uses spear-phishing emails with a malicious PDF attachment disguised as a wine-tasting invitation. The PDF tricks the victim into downloading a ZIP file containing an HTA (wine.hta or invite.hta).Β
The HTA uses obfuscated JavaScript (potentially obfuscated with obfuscator.io) to download and execute a legitimate but vulnerable Microsoft binary (sqlwriter.exe or sqldumper.exe) along with a malicious DLL (vcruntime140.dll), which is side-loaded by the legitimate binary establishes the initial foothold for the WINELOADER infection.Β
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
The Splunk Threat Research Team created an Atomic Red Team test to simulate the initial access of the WINELOADER campaign, excluding the data exfiltration tools, which involve an HTA triggering a base64 decoded payload (invite.zip) containing a DLL (gup.exe).Β
It mimics the side-loading behavior but uses a non-malicious DLL and to further emulate real-world attacks, the test injects sqlwriter.exe within a benign vcruntime140.dll.
Security teams can evaluate their capacity to identify these APT29 TTPs by running and analyzing this test, which will enable them to improve their analytics, response processes, and overall security posture.Β Β
The HTA file exploits a DLL side-loading vulnerability. It first writes the Base64-encoded content of a malicious ZIP file (invite.zip) to a text file (invite.txt) on the system, then decodes the text file back to a ZIP and extracts its contents.Β
It triggers a user prompt, “Are You Ready?” before executing the payload, likely a malicious DLL named gup.exe and if the user clicks “OK,” the DLL is loaded and likely spawns calc.exe as a test.
A final message box confirms successful DLL side-loading with the Atomic logo.
WINELOADER exploits legitimate applications like SQLWriter.exe or Sqldumper.exe through DLL side-loading by loading a malicious vcruntime140.dll that triggers code execution.
The code decrypts a hidden data block using the RC4 algorithm with a key stored within the malicious DLL itself, allowing WINELOADER to gain initial functionality on a compromised system.Β
Researchers analyzed a malicious DLL file (vcruntime140.dll) containing a variant of WINELOADER malware, which is encrypted with the RC4 algorithm and hides critical components like API names and strings to avoid detection
After decryption, the malware connects to its command and control server (C2) and downloads additional malicious components.
The report provides the C2 server addresses and user-agent strings used by the malware.Β
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP
.Β ΒThe post Beware Of Weaponized Zip Files That Deliver WINELOADER Malware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ