Magniber Ransomware Uses JavaScript to Attack Individual Users

A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.

In a campaign isolated by HP Wolf Security in September 2022, Magniber ransomware was seen spreading to individual users. The malware is a single-client ransomware family that demands $2,500 from each victim.

Previously, Magniber was spread primarily through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns that distributed the ransomware as JavaScript files.

“Some malware families, such as Vjw0rm and GootLoader, rely exclusively on JavaScript, but have done so for some time,” Patrick Schläpfer, malware analyst at HP Wolf Security, told Infosecurity. “Currently, we are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.”

Notably, HP Wolf Security said, the attackers used several techniques to evade detection: running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and sidestepping security products that rely on user-mode API hooks by issuing syscalls directly rather than calling the standard Windows API libraries.

With UAC bypassed, the malware deletes the infected system’s volume shadow copies and disables Windows backup and recovery features, so the victim cannot restore their data with the operating system’s built-in tools.

Describing the campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.

The user is prompted to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.

For Magniber to access and encrypt files and to disable recovery, it must be executed from a Windows account with administrator privileges (a UAC bypass only elevates an account that is already a member of the Administrators group), a level of access that is much more common on personal systems.
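The two stages described above, the JavaScript “update” launched by a script host and the subsequent shadow-copy deletion and recovery tampering, can be correlated in process-creation telemetry. The following Python is an added example, not HP Wolf Security’s tooling: it scans constructed Sysmon-style (Event ID 1) events, flags a script host running a .js file from a user-writable folder, and raises the severity of recovery tampering when it happens in the process tree under such a dropper. The log format, process GUIDs and the specific command lines (vssadmin, wmic, bcdedit, wbadmin) are assumptions; the article names the techniques but does not quote Magniber’s commands.

```python
"""Correlate a JavaScript dropper with recovery tampering in process-creation logs.
Added example, not HP Wolf Security's code; log format and commands are assumptions."""
import json
import re

# Constructed events (Sysmon Event ID 1 fields, one JSON object per line), not
# real telemetry.  {A*} is the suspicious chain, {B*} a legitimate admin action,
# {C1} a scheduled VBScript that must not alert.
SAMPLE_LOG = r"""
{"ProcessGuid":"{A1}","ParentProcessGuid":"{E0}","Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
{"ProcessGuid":"{A2}","ParentProcessGuid":"{A1}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\alice\\Downloads\\Windows10_Update\\Windows10_Update.js\""}
{"ProcessGuid":"{A3}","ParentProcessGuid":"{A2}","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet"}
{"ProcessGuid":"{A4}","ParentProcessGuid":"{A2}","Image":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit.exe /set {default} recoveryenabled No"}
{"ProcessGuid":"{B1}","ParentProcessGuid":"{A1}","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"ProcessGuid":"{B2}","ParentProcessGuid":"{B1}","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin delete shadows /for=C: /oldest"}
{"ProcessGuid":"{C1}","ParentProcessGuid":"{A1}","Image":"C:\\Windows\\System32\\cscript.exe","CommandLine":"cscript.exe //nologo C:\\Scripts\\inventory.vbs"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

# Commands commonly used to inhibit recovery (ATT&CK T1490).  The article says
# Magniber deletes shadow copies and disables recovery but does not quote its
# commands, so these patterns are an assumption, not an indicator from the source.
RECOVERY_TAMPER = (
    ("shadow-copy-delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow-copy-delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery-disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery-disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup-catalog-delete", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
)


def parse_events(text):
    """One JSON object per line -> list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(event):
    return event["Image"].rsplit("\\", 1)[-1].lower()


def is_script_dropper(event):
    """Script host executing a .js/.jse/.wsf file from a user-writable folder,
    which is how the fake 'update' extracted from the ZIP would be launched."""
    cmd = event["CommandLine"]
    return (image_name(event) in SCRIPT_HOSTS
            and SCRIPT_FILE.search(cmd) is not None
            and USER_WRITABLE.search(cmd) is not None)


def tamper_kind(event):
    for kind, pattern in RECOVERY_TAMPER:
        if pattern.search(event["CommandLine"]):
            return kind
    return None


def descends_from(guid, ancestor, parent_of, max_depth=32):
    """Walk ParentProcessGuid links; bounded so a malformed log cannot loop forever."""
    for _ in range(max_depth):
        guid = parent_of.get(guid)
        if guid is None:
            return False
        if guid == ancestor:
            return True
    return False


def analyse(events):
    """Return (severity, rule, ProcessGuid) tuples.  Recovery tampering is 'high'
    when it occurs under a script dropper, the sequence described above; on its
    own it is 'medium', because administrators run these commands legitimately."""
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events}
    droppers = [e["ProcessGuid"] for e in events if is_script_dropper(e)]
    alerts = []
    for e in events:
        if e["ProcessGuid"] in droppers:
            alerts.append(("medium", "script-host-from-user-dir", e["ProcessGuid"]))
        kind = tamper_kind(e)
        if kind is not None:
            in_chain = any(descends_from(e["ProcessGuid"], d, parent_of) for d in droppers)
            alerts.append(("high" if in_chain else "medium", kind, e["ProcessGuid"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(parse_events(SAMPLE_LOG)):
        print(*alert)
```

On the sample log this yields one medium alert for the script host, two high alerts for the vssadmin and bcdedit children of that script host, and a medium alert for the administrator’s interactive vssadmin run; the VBScript inventory job produces nothing. Because the article says the payload runs in memory and uses direct syscalls, process-creation events are the telemetry most likely to survive, which is why the correlation is done on the process tree rather than on file or API-hook events.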

“Consumers can protect themselves by following ‘least-privilege’ principles – only logging on with their administrator account when strictly needed, and creating another account for everyday use,” explained Schläpfer. “Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach.”

The company noted that this ransomware does not fall into the category of Big Game Hunting but can still cause significant damage.

“This is not a shift away from big game hunting, but rather demonstrates that not only enterprises are the focus of ransomware groups, but home users as well,” Schläpfer said.

The post Magniber Ransomware Uses JavaScript to Attack Individual Users appeared first on IT Security Guru.

Pandora Radio Client Pithos 1.6.0 Now Uses CSD Header bar [Ubuntu PPA]

Pithos, a native Linux client for Pandora Radio, got a new release a few days ago. Here’s how to install it in Ubuntu 22.04, Ubuntu 20.04 and Ubuntu 18.04 via PPA.

It’s been almost two years since the last release. Pithos 1.6.0 now uses GNOME-style client-side decorations (CSD) for its header bar instead of the old title bar, so the app UI looks like the screenshot below:

Pithos 1.6.0

Combined with a rounded-window-corners extension, it now fits well with recent Ubuntu releases.

This release also adds a Ctrl+R shortcut to open the stations popover and removes access to the host keyring when running as a Flatpak. libappindicator is no longer required as a dependency, since the app now supports the StatusNotifier protocol directly.

How to Install Pithos 1.6.0 in Ubuntu:

For the three current Ubuntu LTS releases and distributions based on them, I’ve uploaded the package to this unofficial Ubuntu PPA.

1. First, press the Ctrl+Alt+T key combination to open a terminal. When it opens, run the command below to add the PPA:

sudo add-apt-repository ppa:ubuntuhandbook1/apps

Type your user password when prompted (there is no asterisk feedback) and hit Enter to continue.

2. Then run the command below to refresh the package cache (needed on Ubuntu 18.04 and Linux Mint):

sudo apt update

3. Finally, install or update the lightweight Pandora Radio client:

sudo apt install pithos

As the application is not updated frequently, you may also download and install the .deb package directly from this page.

Uninstall Pithos

To remove the Ubuntu PPA, open terminal and run command:

sudo add-apt-repository --remove ppa:ubuntuhandbook1/apps

Or, open ‘Software & Updates’ utility and remove the source line under ‘Other Software’ tab.

To remove Pithos, use command:

sudo apt remove --autoremove pithos

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phish@paypal.com) and media relations teams.
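What makes this hybrid scam hard to filter, as the headers and message text above show, is that the email authenticates as PayPal and every link really does go to paypal.com; the only thing that gives it away is the call-back pattern in the content. The following Python is an added example, not KrebsOnSecurity’s or PayPal’s code: it parses two constructed invoice emails modelled on the one described, confirms SPF/DKIM/DMARC results and first-party links, and then triages on social-engineering markers so that the authenticated, correctly-linked scam is still flagged while an ordinary invoice is not. Header values, the phone number and the URL paths are constructed, not the reader’s actual message.

```python
"""Triage an invoice email of the kind described above.  Added example, not
KrebsOnSecurity's or PayPal's code.  Authentication results prove who sent the
message, not that its content is honest, so the scam is caught on content."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed messages modelled on the article's description; header values,
# phone number and URL paths are illustrative, not the reader's actual email.
SCAM_EMAIL = """\
From: service@paypal.com
To: reader@example.net
Subject: Billing Department of PayPal updated your invoice
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/html; charset="utf-8"

<p>There is evidence that your PayPal account has been accessed unlawfully.</p>
<p>$600.00 has been debited to your account for the Walmart Gift Card purchase.
This transaction will appear in the automatically deducted amount on PayPal activity
after 24 hours. If you suspect you did not make this transaction, immediately
contact us at the toll-free number 1-888-555-0100.</p>
<p><a href="https://www.paypal.com/invoice/p/EXAMPLE-ID">View and Pay Invoice</a></p>
"""

ORDINARY_EMAIL = """\
From: service@paypal.com
To: reader@example.net
Subject: Invoice from Acme Landscaping
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/html; charset="utf-8"

<p>Acme Landscaping sent you an invoice for $120.00, due September 30.</p>
<p><a href="https://www.paypal.com/invoice/p/EXAMPLE-ID-2">View and Pay Invoice</a></p>
"""

FIRST_PARTY = {"paypal.com", "www.paypal.com"}

# Social-engineering markers of the call-back scam: the only features that
# separate the scam invoice from an ordinary one sent through the same platform.
INDICATORS = (
    ("phone-number", re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("call-to-phone", re.compile(r"\b(?:call|contact\s+us\s+at)\b.*?\btoll[- ]free\b", re.I | re.S)),
    ("urgency", re.compile(r"\b(?:immediately|urgent(?:ly)?|(?:within|after)\s+24\s+hours)\b", re.I)),
    ("compromise-claim", re.compile(r"\b(?:unlawfully|unauthori[sz]ed|suspicious\s+activity)\b", re.I)),
    ("gift-card", re.compile(r"\bgift\s+cards?\b", re.I)),
)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = result.lower()
    return results


def link_hosts(html):
    return {urlparse(href).hostname for href in re.findall(r'href="([^"]+)"', html, re.I)}


def indicators(text):
    return [name for name, rx in INDICATORS if rx.search(text)]


def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_content()
    text = re.sub(r"<[^>]+>", " ", html)
    auth = auth_results(msg)
    hosts = link_hosts(html)
    found = indicators(text)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    first_party = bool(hosts) and hosts <= FIRST_PARTY
    # A phone number plus any other marker is the call-back pattern; flag it even
    # when the message is authenticated and links only to the genuine site.
    callback_pattern = "phone-number" in found and len(found) >= 2
    verdict = "suspicious" if (callback_pattern or not authenticated or not first_party) else "ok"
    return {"auth": auth, "link_hosts": hosts, "indicators": found,
            "authenticated": authenticated, "first_party_links": first_party,
            "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EMAIL), ("ordinary", ORDINARY_EMAIL)):
        print(name, triage(raw))
```

Both messages pass authentication and link only to www.paypal.com; the scam is flagged purely because it pairs a phone number with urgency, a compromise claim and a gift-card purchase, while the ordinary invoice produces no indicators. Requiring a second marker alongside the phone number keeps legitimate invoices that carry a vendor’s contact number from being flagged.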

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.