New malware found using Google Drive as its command-and-control server
Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities.
Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (C2) server.
DarkHydrus first came to light in August last year when the APT group was leveraging the open-source Phishery tool to carry out credential-harvesting campaign against government entities and educational institutions in the Middle East.
The latest malicious campaign conducted by the DarkHydrus APT group was also observed against targets in the Middle East, according to reports published by the 360 Threat Intelligence Center (360TIC) and Palo Alto Networks.
This time the advanced threat attackers are using a new variant of their backdoor Trojan, called RogueRobin, which infects victims' computers by tricking them into opening a Microsoft Excel document containing embedded VBA macros, instead of exploiting any Windows zero-day vulnerability.
Enabling the macro drops a malicious text (.txt) file in the temporary directory and then leverages the legitimate 'regsvr32.exe' application to run it, eventually installing the RogueRobin backdoor, written in the C# programming language, on the compromised system. According to Palo Alto researchers, RogueRobin includes many stealth functions to check whether it is executed in a sandbox environment, including checking for virtualized environments, low memory, low processor counts, and common analysis tools running on the system. It also contains anti-debug code.
Like the original version, the new variant of RogueRobin also uses DNS tunneling—a technique of sending or retrieving data and commands through DNS query packets—to communicate with its command-and-control server.
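A defender-side illustration of the DNS tunneling channel described above: the heuristic below groups DNS queries per client and registered domain and flags groups whose subdomains look like encoded data (long labels, high character entropy, repeated queries). It is an added example, not code from the article, 360TIC or Palo Alto Networks; the log lines, the `.invalid` domain and the thresholds are all constructed for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log as (client_ip, queried_name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.7", "a3f9c1e07b4d2f8e1c9a.update-check.invalid"),
    ("10.0.0.7", "9e2b7d4c0a1f6e3b8d5c.update-check.invalid"),
    ("10.0.0.7", "4c8d1a9f3e7b2c6d0e5a.update-check.invalid"),
    ("10.0.0.7", "b7e3d9a2c5f1e8b4d6c0.update-check.invalid"),
    ("10.0.0.7", "f1a6c3e9b2d7f4a8e0c5.update-check.invalid"),
    ("10.0.0.7", "d5b0e8c2a7f3d1e6b9c4.update-check.invalid"),
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: encoded payload data scores high, words score low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str):
    """Crude split into (subdomain, registered domain) using the last two labels;
    a production tool would consult the public suffix list instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_candidates(queries, min_queries=5, min_entropy=3.5, min_sub_len=16):
    """Return (client, domain) groups whose subdomains look like tunneled data."""
    groups = defaultdict(list)
    for client, name in queries:
        sub, dom = split_name(name)
        groups[(client, dom)].append(sub)
    flagged = []
    for (client, dom), subs in groups.items():
        if len(subs) < min_queries:          # too few queries to judge
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_sub_len and avg_ent >= min_entropy:
            flagged.append({"client": client, "domain": dom, "queries": len(subs),
                            "avg_subdomain_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)})
    return flagged
```

Thresholds like these need tuning per environment, since CDNs and some telemetry services legitimately emit long, high-entropy labels.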
WordPress Plugin Hacked By Former Employee
In the past few days, a popular WordPress plugin has had to contact all of its customers after its systems were hacked. Named WPML (WP MultiLingual), the plugin is one of the most popular for translating sites into multiple languages.
According to the company itself, WPML has over 600,000 paying customers. They have built such a good reputation that they don't need to offer a free version of their plugin.
On Saturday 19th January, the WordPress plugin suffered its first major incident since it was created in 2007.
The company claims that a former employee sent an email to all the plugin’s customers. The email claimed that he was a security researcher, and had found many vulnerabilities. He also claimed that his warnings were ignored by the WPML team. He urged all customers of the plugin to check their sites for any breaches.
Following this email, several customers took to social media to ask WPML about the email. Some were amazed at how the hacker got access to the site and sent the email so easily. The WPML team released its own mass email to customers, disputing the claims.
WPML claims that the email came from a former employee who left a backdoor on their official website. He was then able to access the company's database and send the mass email.
No Other Data Accessed
Website developers stated that the employee didn't get access to any financial data. However, they didn't rule out the possibility of the hacker logging into customers' WPML.org accounts.
The company has said it will rebuild the server and remove the backdoor. They are also resetting all customer passwords as a precaution. They confirmed that the hacker had no access to the plugin’s code.
It is unclear if WPML has reported the former employee to the authorities.
Hacker Alexander Zhukov Extradited to US After Infecting Over 1.7 Million Computers
News disclosed on the Russian version of Facebook, VK, states that Bulgaria has extradited Russian hacker Alexander Zhukov to the US on 18th January. The news was released by the Russian Embassy in Washington and stated that Zhukov is held at a jail in Brooklyn, New York.
Accused of Fraud
Alexander Zhukov has been accused of taking part in a fraud scheme that's thought to have infected over 1.7 million computers. The fraud scheme used advertising and malware to compromise computer networks.
In November 2018, firms such as Google and White Ops, together with the police, took down the fraud campaign known as 3ve. The United States Department of Justice indicted eight people in all, one of them being Zhukov.
The Use of 3ve
3ve is a set of three operations that use different measures to avoid detection. Each of the measures was specifically built with different components to make them tough to detect.
It has been called one of the largest and most sophisticated fraud campaigns of its type. Although active since 2014, 3ve saw a peak in activity in 2017. At this time, it was thought the campaign earned more than $30 million for the operators.
How 3ve Operated
The people who operated 3ve used many techniques to carry out the fraud. They created fake websites, then used botnets to simulate visitor activity. They could then offer ad space to advertisers, and use protocol hijacking to redirect traffic.
The final part of the fraud was to use malicious code to generate fake clicks. This would then earn money for the operators.
Huge Scale Operation
Experts have suggested that the size of the fraud campaign was huge. Over 1.7 million computers were infected with malware, and 10,000 fake websites created. These sites were used to impersonate legitimate web publishers.
A newspaper reported that Zhukov was earning $20,000 per month with his campaign. He was only exposed when a conflict developed with a US client.